Cisco ASA cannot get “inside” vlan to internet through “outside” vlan

ciscocisco-asafirewallnat;routing

I just got my outside vlan configured up-and-running See Post Here. I was able to get vlan 2 pinging to the internet 8.8.8.8 specifically. However, now I honestly think I am misunderstanding what parameters I should be using … Here is my config so far:

interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.10.100 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 74.xx.xx.225 255.255.255.248
!
ftp mode passive
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 10 10.1.10.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 74.xx.xx.230 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.1.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.1.10.104-10.1.10.254 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
 policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
: end

As you can see, I have a PC connected and assigned 10.1.10.104. So dhcp is working correctly .. It just can't see the outside world!!

Best Answer

All you should need is...

conf t
no nat (inside) 10 10.1.10.0 255.255.255.0
dhcpd dns 75.75.75.75 75.75.76.76
end
wr mem

Since your inside interface is already a higher security level than outside interface and you are nating everthing, you should not need an internal or external acl.

Do a release / renew to pick up the dns setting, and then start surfing...

Your ASA configuration:

route outside 0.0.0.0 0.0.0.0 172.16.1.1 1

This will provide a default route via the outside interface, but how will the ASA know how to reach subnets residing behind the Layer 3 Distribution Switch?

You'll need to add routes to the internal subnets via the inside interface using the Layer 3 Distribution Switch as the next-hop IP address.

ASA static routing example:

route inside 172.19.12.0 255.255.255.240 172.16.2.2
route inside 172.19.3.0 255.255.255.0 172.16.2.2
route inside 172.20.100.0 255.255.255.224 172.16.2.2

Your Cisco Router's configuration:

ip route 0.0.0.0 0.0.0.0 200.200.200.200

Additionally, how will your border router know how to reach subnets other than it's connected routes, and the catch all default route via the outside interface's next-hop address 200.200.200.200?

Router static routing example:

ip route 172.19.12.0 255.255.255.240 172.16.1.10
ip route 172.19.3.0 255.255.255.0 172.16.1.10
ip route 172.19.100.0 255.255.255.224 172.16.1.10
ip route 172.16.2.0 255.255.255.224 172.16.1.10

Cisco ASA 5505 – Troubleshooting Configuration Issues

The "outside" vlan seems to be misconfigured, and I've tried so many permeations, that I am sure I am overlooking something major, and obvious. When I am able to ping 8.8.8.8, from the ASA, I'll be happy!

Basic Config

As others have mentioned, your configuration is "suboptimal"... ~~the biggest problem you have is that you're not using DHCP on the outside Vlan interface~~ the biggest problem is that your default gw address is assigned to Vlan2... to recover, login to the console and...

copy runn flash:foobar.cfg
config t
configure factory-default 10.1.10.100 255.255.255.0

While you're in config mode, use this configuration...

hostname DTS-ASA
password ChangeMeNow
enable password ChangeMeNow
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Vlan2
 ! I don't think you need this, since it's an SMC MAC addr
 ! However, this illustrates how you can manually change the mac
 ! on your outside Vlan, if Comcast is restricting you
 ! to one mac (and now refuses to change it)
 ! mac-address 78cd.8ed9.fb37
 nameif outside
 security-level 0
 ip address 74.xx.xx.225 255.255.255.248
!
route outside 0.0.0.0 0.0.0.0 74.xx.xx.230
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
end
wr mem

Please change the password :-)... now you need fw rules, but that's a different issue

WAN Validation

Make sure you really do have the Comcast modem attached to Eth0/0... After you're up and running, you should be able to check the address you got from Comcast like this...

DTS-ASA# sh int vlan2
Interface Vlan2 "outside", is up, line protocol is up
  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
        MAC address 0030.dead.beef, MTU 1500
        IP address 74.xx.xx.225, subnet mask 255.255.255.248     <------------
  Traffic Statistics for "outside":
        108703406 packets input, 119199091796 bytes
        69134254 packets output, 8083775282 bytes
        1654709 packets dropped
      1 minute input rate 2 pkts/sec,  280 bytes/sec
      1 minute output rate 3 pkts/sec,  414 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 3 pkts/sec,  716 bytes/sec
      5 minute output rate 4 pkts/sec,  520 bytes/sec
      5 minute drop rate, 0 pkts/sec
DTS-ASA#

Then check your ping to google's DNS...

DTS-ASA# ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/18/20 ms
DTS-ASA#

If not, be sure you can ping your default-gw...

DTS-ASA# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 74.xx.xx.230 to network 0.0.0.0

C    74.xx.xx.230 255.255.255.248 is directly connected, outside
C    10.1.10.0 255.255.255.0 is directly connected, inside
d*   0.0.0.0 0.0.0.0 [1/0] via 74.xx.xx.230, outside          <------
DTS-ASA#
DTS-ASA# ping 74.xx.xx.230