
I have a remote client with an ASA 5200. They are going to get fiber, but for now they are using their building's internet. The ASA config is below (edited for anonymity). It is able to ping the gateway (10.133.30.177), as well as 8.8.8.8 and other IPs. When attached to the 0/2 interface, a machine gets an IP in the 192.168.220.0/24 range and can ping 192.168.220.1, but no further (not even 10.144.30.190). I've run "packet-tracer input inside icmp 192.168.220.102 8 0 8.8.8.8 detailed".

Here is my config:

ASA Version 8.3(2)
!
hostname NY-ASA5200
names
!
interface GigabitEthernet0/0
 shutdown
 nameif FIBER
 security-level 0
 ip address 172.16.0.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif INET
 security-level 0
 ip address 10.144.30.190 255.255.255.240
!
interface GigabitEthernet0/2
 nameif INSIDE
 security-level 100
 ip address 192.168.220.1 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns server-group DefaultDNS
object network inside-subnet
 subnet 192.168.220.0 255.255.255.0
object network outside
 host 10.144.30.190
access-list inside_out_acl extended permit ip any any
access-list inside_out_acl extended permit icmp any any
pager lines 24
mtu FIBER 1500
mtu INET 1500
mtu INSIDE 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network inside-subnet
 nat (INSIDE,INET) dynamic interface
route INET 0.0.0.0 0.0.0.0 10.144.30.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho 8.8.8.8 interface FIBER
 num-packets 4
 frequency 15
sla monitor schedule 123 life forever start-time now
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
!
track 1 rtr 123 reachability
telnet 192.168.220.0 255.255.255.0 INSIDE
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.220.100-192.168.220.150 INSIDE
dhcpd enable INSIDE
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption aes256-sha1
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
 message-length maximum client auto
 message-length maximum 512
policy-map global_policy
 class inspection_default
 inspect dns preset_dns_map
 inspect ftp
 inspect h323 h225
 inspect h323 ras
 inspect ip-options
 inspect netbios
 inspect rsh
 inspect rtsp
 inspect skinny
 inspect esmtp
 inspect sqlnet
 inspect sunrpc
 inspect tftp
 inspect sip
 inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
 no active
 destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
 destination address email callhome@cisco.com
 destination transport-method http
 subscribe-to-alert-group diagnostic
 subscribe-to-alert-group environment
 subscribe-to-alert-group inventory periodic monthly
 subscribe-to-alert-group configuration periodic monthly
 subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:1bf8d353c86639077a01cf3ee2762a42
: end

Here is the building's internet info:

Vlan ID: 33
Public IPs: N/A
Dynamic IPs: 10.144.30.178-10.144.30.189
Local Network: 10.144.30.176/28
Netmask: 255.255.255.240
Gateway IP: 10.144.30.177
DNS1: 66.194.134.66
DNS2: 66.194.134.65
Static IPs: 10.144.30.190
DHCP Enabled: Yes
Address Translations: N/A
Bandwidth Type: Shared

Finally, here's the packet-tracer output:

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 INET

Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0x738aa2e8, priority=0, domain=inspect-ip-options, deny=true
 hits=564, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
 src ip/id=0.0.0.0, mask=0.0.0.0, port=0
 dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
 input_ifc=INSIDE, output_ifc=any

Phase: 3
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0x738a9f50, priority=66, domain=inspect-icmp-error, deny=false
 hits=280, user_data=0x738a9e38, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
 src ip/id=0.0.0.0, mask=0.0.0.0, port=0
 dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
 input_ifc=INSIDE, output_ifc=any

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network inside-subnet
 nat (INSIDE,INET) dynamic interface
Additional Information:
Dynamic translate 192.168.220.102/0 to 10.144.30.190/16722
 Forward Flow based lookup yields rule:
 in id=0x735116e0, priority=6, domain=nat, deny=false
 hits=215, user_data=0x6c7766e0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
 src ip/id=192.168.220.0, mask=255.255.255.0, port=0
 dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
 input_ifc=INSIDE, output_ifc=INET

Phase: 5
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 592, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: INET
output-status: up
output-line-status: up
Action: allow

1 Answer


To ping "through" the ASA you should enable ICMP inspection under policy-map global_policy, class inspection_default:

https://supportforums.cisco.com/discussion/11124056/why-enable-icmp-inspection-will-allow-icmp-traffic-pass-asa
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/i2.html#wp1735986

I can't see any access-group entry in your configuration; inside_out_acl isn't bound to any interface, and I think it will never match. You can check the access-list hit count with show access-list while pinging.

However, IP/ICMP traffic should be allowed because of the security levels assigned to the interfaces.
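The following is an added configuration example, not part of the original question or answer. It shows the two ways the reply to an outbound ping can be admitted on this ASA 8.3 box: the stateful fix the answer recommends (inspect icmp) and the explicit-ACL alternative, plus the show commands used to confirm each. It reuses the interface names INSIDE/INET and the object inside-subnet from the posted config; the ACL name INET_IN is made up for the example. Two caveats a practitioner would want: the packet-tracer output in the question only proves the outbound echo request is allowed and PATed, it says nothing about whether the echo reply gets back in, which is exactly what the ASA drops on a security-level 0 interface with neither ICMP inspection nor a permitting ACL; and the failed ping to 10.144.30.190 from the inside host is expected regardless, because an ASA does not answer pings to one of its interface addresses that arrive on a different interface, so that test is not evidence of a routing or NAT problem.

```text
! Added example (not from the original thread). Assumes INSIDE/INET and
! object inside-subnet from the posted config; INET_IN is a made-up name.

! --- Option A (preferred): stateful ICMP inspection ---
! With inspect icmp the echo-reply is matched to the outbound echo
! request's connection and xlate, so nothing is opened on INET.
! inspect icmp error additionally untranslates the embedded packet in
! ICMP error messages (traceroute, PMTUD unreachables).
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! --- Option B: explicitly permit replies inbound on INET ---
! Less precise than inspection: these types are admitted from anywhere
! whether or not an inside host sent a request. Note that from 8.3 on,
! interface ACLs match REAL (untranslated) addresses, so the destination
! is the inside subnet, not the PAT address 10.144.30.190.
! Once INET_IN is bound, only what it permits is accepted from INET
! (plus return traffic of existing connections).
access-list INET_IN extended permit icmp any object inside-subnet echo-reply
access-list INET_IN extended permit icmp any object inside-subnet time-exceeded
access-list INET_IN extended permit icmp any object inside-subnet unreachable
access-group INET_IN in interface INET
!
! inside_out_acl is unbound and therefore matches nothing, as the answer
! notes. If it is meant to filter outbound traffic it has to be bound;
! as written it permits everything, which INSIDE (100) -> INET (0) already
! allows without any ACL.
access-group inside_out_acl in interface INSIDE
!
! --- Verification (run from privileged EXEC while the inside host pings) ---
! Hit counts only increment once the ACL is bound and traffic matches.
show access-list INET_IN
! Confirms ICMP inspection is active under the global policy and counts
! inspected packets (Option A).
show service-policy inspect icmp
! The dynamic PAT entry for 192.168.220.102 -> 10.144.30.190 and, with
! inspection enabled, the ICMP connection should both be present.
show xlate
show conn detail
! If replies still fail, enable buffered logging and look at what the
! INET interface is denying; dropped inbound ICMP shows up here.
logging enable
logging buffered informational
show logging | include Deny
```

Option A is the one to keep: it opens nothing inbound and ties each reply to the request that caused it. Option B is shown because it is the configuration people tend to reach for, and because its 8.3 real-address semantics are a common trap; if you use it, do not widen it to permit icmp any any.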