No Internet Access ASA


This topic contains 4 replies, has 3 voices, and was last updated by tehcamel tehcamel 3 years, 6 months ago.

    Si_Pe
    Member
    #166094

    Hi all,
    I am missing something really stupid here, I think. I have an ASA 5505 running 9.1 software, and I am trying to use BT Infinity broadband with it using an Openreach modem connected on port 0. I have tested a direct connection from the Openreach modem to the laptop using a PPPoE connection, and it connects and I can browse the internet OK.
    The only changes I have made to the factory config are below. The ASA can ping Google DNS, but my laptop cannot get out to the internet.
    I know it is a route issue, but I cannot figure out what I need to change. I do not have a static IP from BT, so I have left it at "ip address pppoe".
    Do I need to add a route outside? I have tried this, but when I know the IP address the Openreach picks up, the route outside command fails with "Invalid next hop address, it belongs to one of our interfaces".
    The only changes made to the factory config are below.
    !
    hostname ASA-HOME
    enable password *****
    passwd *****
    names
    !
    username Test password ****** privilege 15
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    vpdn group BT request dialout pppoe
    vpdn group BT localname [email protected]
    vpdn group BT ppp authentication chap
    vpdn username [email protected] password ****
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     pppoe client vpdn group BT
     ip address pppoe
    !
    dhcpd dns 8.8.8.8 8.8.4.4
    !
    icmp permit any inside
    !
    icmp permit any outside
    !

    I am being stupid here, but I can't see why I can't add the static route. I have tried adding "ip address pppoe setroute", but then I get an error of "no route to host" when trying to ping 8.8.8.8 from the ASA.
    Any help would be appreciated.
    Thanks!

    tehcamel
    Moderator
    #360128

    You might need something like "route add default vlan2".
    I also don't specifically see any NAT enabling... but I'm not up to date on ASA specifically.

    scowles
    Member
    #331772

    Based on my understanding of your post, you are able to ping 8.8.8.8 from the ASA. So that tells me that PPPoE is correctly configuring the default route on the ASA.

    The command “show route” should verify this.

    As tehcamel pointed out, I would check your NAT/PAT configuration. Also, if you are only using ICMP (ping) to validate your ASA configuration, then check the default global service policy and make sure it includes an "inspect" for ICMP traffic. Inspecting ICMP traffic is not configured by default. Without the ICMP inspect, ICMP reply traffic would be denied on the outside interface, even though it was initially permitted outbound from inside to outside and correctly NAT'd. The command "packet-tracer" should verify this.

    Below are a couple of snippets from some of my GNS3 ASA labs.

    ### EXAMPLE of a basic PAT configuration using the outside interface IP address (in your case PPPoE) as the PAT address ####
    object network PAT-Inside2Outside
     subnet 192.168.1.0 255.255.255.0

    object network PAT-Inside2Outside
     nat (inside,outside) dynamic interface

    ### Default inspection policy. NOTE: ICMP is not listed as an inspect method ####

    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    !
    service-policy global_policy global

    ### To add ICMP to the inspection policy ###

    policy-map global_policy
     class inspection_default
      inspect icmp

    Si_Pe
    Member
    #278285

    Thanks for the replies.

    I will have a look later on this weekend.

    Thanks!

    Si_Pe
    Member
    #278286

    All up and working. The changes I made are below.

    object network obj_any
     nat (inside,outside) dynamic interface

    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit any outside

    Many thanks for the help!
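The three things this thread converges on (a default route on the PPPoE outside interface, an inside-to-outside NAT rule, and "inspect icmp" in the global service policy) are easy to check mechanically before reaching for packet-tracer. The script below is an added example, not code from the thread or from Cisco: it parses an ASA running-config into top-level commands with their indented sub-commands and reports which of the three pieces are missing. The two sample configs are constructed from the original post and from the final fix; the "subnet 0.0.0.0 0.0.0.0" line under obj_any is assumed from the ASA 5505 factory default object, and all function names are mine.

```python
"""Check an ASA running-config for the gaps discussed in the thread:
default route on the PPPoE interface, inside->outside NAT, ICMP inspection.
Added example; sample configs are constructed from the forum posts."""
import re

# Constructed from the original post: PPPoE outside, no NAT, no inspect icmp.
ORIGINAL_CONFIG = """\
hostname ASA-HOME
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group BT
 ip address pppoe
dhcpd dns 8.8.8.8 8.8.4.4
icmp permit any inside
icmp permit any outside
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
service-policy global_policy global
"""

# Constructed: the same box after the fixes from the later replies.
# The subnet line under obj_any is assumed from the factory default object.
FIXED_CONFIG = (
    ORIGINAL_CONFIG
    .replace(" ip address pppoe\n", " ip address pppoe setroute\n")
    .replace("dhcpd dns",
             "object network obj_any\n subnet 0.0.0.0 0.0.0.0\n"
             " nat (inside,outside) dynamic interface\ndhcpd dns")
    .replace("  inspect ftp\n", "  inspect ftp\n  inspect icmp\n")
)


def parse_blocks(config_text):
    """Return [(top_level_command, [sub_commands...])]. ASA indents sub-commands
    with spaces; nested levels are flattened into the top-level command's list."""
    blocks = []
    for raw in config_text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("!"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0:
            blocks.append((stripped, []))
        elif blocks:
            blocks[-1][1].append(stripped)
    return blocks


def has_default_route(blocks):
    """True for an explicit default route: 'setroute' on a PPPoE/DHCP interface
    or a static 'route <if> 0.0.0.0 0.0.0.0 <gw>' line."""
    for cmd, subs in blocks:
        if cmd.startswith("route ") and " 0.0.0.0 0.0.0.0 " in cmd + " ":
            return True
        if cmd.startswith("interface "):
            if any(s.startswith("ip address") and s.endswith("setroute") for s in subs):
                return True
    return False


def has_inside_to_outside_nat(blocks, inside="inside", outside="outside"):
    """True if an object NAT or twice-NAT rule translates inside->outside."""
    pattern = re.compile(rf"^nat \({inside},{outside}\) ")
    for cmd, subs in blocks:
        if pattern.match(cmd):                       # twice NAT at top level
            return True
        if cmd.startswith("object network") and any(pattern.match(s) for s in subs):
            return True
    return False


def has_icmp_inspect(blocks):
    """True if the policy-map applied with 'service-policy ... global' carries
    'inspect icmp' (default global_policy does not)."""
    global_pm = None
    for cmd, _ in blocks:
        m = re.match(r"^service-policy (\S+) global$", cmd)
        if m:
            global_pm = m.group(1)
    if global_pm is None:
        return False
    for cmd, subs in blocks:
        if cmd == f"policy-map {global_pm}":
            return "inspect icmp" in subs
    return False


def audit(config_text):
    """Return a list of human-readable findings; empty means all three checks pass."""
    blocks = parse_blocks(config_text)
    findings = []
    if not has_default_route(blocks):
        findings.append("no explicit default route: add 'setroute' to the PPPoE "
                        "interface or a 'route outside 0.0.0.0 0.0.0.0 <gw>'; confirm with 'show route'")
    if not has_inside_to_outside_nat(blocks):
        findings.append("no nat (inside,outside) rule: inside hosts are never translated to the outside address")
    if not has_icmp_inspect(blocks):
        findings.append("global policy lacks 'inspect icmp': echo replies will be dropped on outside")
    return findings


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, "->", audit(cfg) or ["ok"])
```

Feed it the output of "show running-config" and it reports the same three gaps a reviewer would look for first; an empty list only means the config has the pieces, so "show route" and "packet-tracer" are still the confirmation that the live box behaves as expected.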
