Solved

Cisco ASA and internet browsing.

Posted on 2007-07-23
Last Modified: 2013-11-16
I have a new Cisco ASA 5505 that we've set up on a T1 and I'm having issues getting the PCs to browse the internet.  My servers are all browsing the web, but they have static mappings in the firewall.  I've had this issue before but can't figure out why my PCs on the network can't browse the internet.  They can ping out to the web but not browse.  Where did I go wrong? What should I be checking here?
Question by:procsol
LVL 57

Expert Comment

by:Pete Long
ID: 19548751
Hello procsol,

Are the clients looking at the servers for their DNS (network card properties)? If so they will need port 80 TCP open outbound (and 443 for HTTPS). Providing they have either a static mapping or a nat and global command they should be able to get out - can you post the config and we will take a look for you :)

Regards,

PeteLong
Author Comment

by:procsol
ID: 19548794
The clients are looking at the local DC for DNS resolution...

: Written by enable_15 at 08:50:19.774 UTC Mon Jul 23 2007
!
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name hcfs
enable password XXXXX
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 111.222.333.226 255.255.255.248
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd XXXXX
ftp mode passive
dns server-group DefaultDNS
 domain-name hcfs
access-list outside_acl extended permit tcp any host 111.222.333.227 eq 3389
access-list outside_acl extended permit tcp any host 111.222.333.228 eq 3389
access-list outside_acl extended permit tcp any host 111.222.333.228 eq citrix-ica
access-list outside_acl extended permit tcp any host 111.222.333.228 eq www
access-list outside_acl extended permit tcp any host 111.222.333.229 eq ftp
access-list outside_acl extended permit tcp any host 111.222.333.229 eq ssh
access-list outside_acl extended permit tcp any host 111.222.333.227 eq ftp
access-list outside_acl extended permit tcp any host 111.222.333.227 eq ftp-data
access-list outside_acl extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 111.222.333.227 192.168.1.250 netmask 255.255.255.255
static (inside,outside) 111.222.333.228 192.168.1.251 netmask 255.255.255.255
static (inside,outside) 111.222.333.229 192.168.1.252 netmask 255.255.255.255
access-group outside_acl in interface outside
route outside 0.0.0.0 0.0.0.0 111.222.333.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
console timeout 0

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
LVL 57

Expert Comment

by:Pete Long
ID: 19548821
access-list outside_acl extended permit ip any any
access-group outside_acl in interface outside

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Are you sure? This negates having a firewall? You've just opened everything inbound?
LVL 57

Accepted Solution

by:
Pete Long earned 2000 total points
ID: 19548849
Well you have no OUTBOUND ACLs so that's NOT your problem, as by default all traffic will be allowed out. On a client can you do the following

start > run > cmd {enter} nslookup www.google.com {enter}

does it give you something like

Non-authoritative answer:
Name:    www.l.google.com
Addresses:  64.233.183.104, 64.233.183.103, 64.233.183.147, 64.233.183.99
Aliases:  www.google.com
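The nslookup check above can be reproduced offline with a small resolver-side script. This is an added example of my own, not code from the thread: it builds the A query a client would send, parses a reply the way nslookup reports it (authoritative or non-authoritative, CNAME aliases, addresses), and maps the result code to the next thing to check. The sample replies, including the www.l.google.com alias and the addresses, are constructed to match the output Pete quotes; the function names are this example's own.

```python
"""Reproduce the nslookup check offline: build a DNS A query, parse a resolver
reply the way nslookup reports it, and map the result code to a next step.
Everything here, including the sample replies, is constructed for this example."""
import struct


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"


def build_query(name, txid=0x1234):
    """Standard query, RD set, one question for an A record."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", 1, 1)


def _read_name(msg, off):
    """Decode a name at off, following compression pointers; return (name, next offset)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            if end is None:
                end = off + 2                       # resume after the first pointer
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg):
    """Parse header flags, the question and the answer section (A and CNAME only)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _name, off = _read_name(msg, off)
        off += 4                                    # skip QTYPE + QCLASS
    addresses, aliases = [], []
    for _ in range(an):
        owner, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:               # A record
            addresses.append(".".join(str(b) for b in msg[off:off + 4]))
        elif rtype == 5:                            # CNAME record
            target, _ = _read_name(msg, off)
            aliases.append((owner, target))
        off += rdlen
    return {"id": txid, "rcode": flags & 0xF, "authoritative": bool(flags & 0x0400),
            "addresses": addresses, "aliases": aliases}


def diagnose(resp):
    """Turn a parsed reply into the one line an admin wants to see."""
    if resp["rcode"] == 2:
        return ("SERVFAIL: the resolver could not resolve the name upstream; check its "
                "forwarders or that it can reach the root servers through the firewall")
    if resp["rcode"] == 3:
        return "NXDOMAIN: the name does not exist"
    if resp["rcode"] == 0 and resp["addresses"]:
        kind = "Authoritative" if resp["authoritative"] else "Non-authoritative"
        return f"{kind} answer: {', '.join(resp['addresses'])}"
    return f"unexpected reply (rcode {resp['rcode']}, no addresses)"


def build_response(query, rcode=0, cname=None, addresses=()):
    """Constructed resolver reply (QR, RD, RA set; AA clear) echoing the query's question."""
    txid = struct.unpack(">H", query[:2])[0]
    question = query[12:]
    owner, rrs, count = b"\xc0\x0c", b"", 0          # pointer to the question name at offset 12
    if cname:
        target = encode_name(cname)
        rrs += owner + struct.pack(">HHIH", 5, 1, 300, len(target)) + target
        # A records are owned by the CNAME target, which sits right after the CNAME's fixed fields
        owner = struct.pack(">H", 0xC000 | (12 + len(question) + 12))
        count += 1
    for addr in addresses:
        rrs += owner + struct.pack(">HHIH", 1, 1, 300, 4) + bytes(int(x) for x in addr.split("."))
        count += 1
    header = struct.pack(">HHHHHH", txid, 0x8180 | rcode, 1, count, 0, 0)
    return header + question + rrs


if __name__ == "__main__":
    q = build_query("www.google.com")
    ok = build_response(q, cname="www.l.google.com", addresses=["64.233.183.104", "64.233.183.103"])
    print(diagnose(parse_response(ok)))
    print(diagnose(parse_response(build_response(q, rcode=2))))
```

Pointed at a real resolver, `build_query` goes out over UDP/53 and the reply goes into `parse_response` unchanged; the AA bit is what makes nslookup print "Non-authoritative answer" for a cached or forwarded result, and a SERVFAIL from the internal DNS server is the symptom of the forwarder or root-hint path being broken rather than of an outbound ACL.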
Author Comment

by:procsol
ID: 19548857
You're absolutely right... I meant, I think I meant to put ICMP...
LVL 57

Expert Comment

by:Pete Long
ID: 19548880
>>You're absolutely right... I meant, I think I meant to put ICMP...

You don't need to do this on version 7 my friend - you just need to turn ON ICMP inspection and ping replies will come back in.
Version 7 introduced an ICMP inspection engine so that it could track ICMP requests like other protocols. It's NOT turned on by default. The command is inspect icmp, but you need to enter the default map first; use the following commands from config terminal mode.

policy-map global_policy
class inspection_default
inspect icmp
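The two config points Pete raises in this thread, the `permit ip any any` line applied inbound on the outside interface and the missing `inspect icmp` in `global_policy`, are both easy to check mechanically against a saved running-config. The following is an added example of my own, not code from the thread or from Cisco: it parses the ACL, access-group, management-access and policy-map lines of an ASA 7.x config and reports the findings a reviewer would raise. `SAMPLE_CONFIG` is a constructed excerpt modelled on the posted config (same sanitised addresses), and the function names are this example's own.

```python
"""Audit a Cisco ASA 7.x running-config for the issues raised in this thread:
an 'ip any any' permit applied inbound on the outside interface, management
access (ssh/telnet/http) open to any source, and a global_policy that lacks
'inspect icmp'. SAMPLE_CONFIG is a constructed excerpt modelled on the posted
config; the function names are this example's own."""
import re

SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
 security-level 0
access-list outside_acl extended permit tcp any host 111.222.333.228 eq www
access-list outside_acl extended permit ip any any
access-group outside_acl in interface outside
http 192.168.1.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
service-policy global_policy global
"""


def _take_addr(tokens):
    """Consume one ASA address term: 'any', 'host A.B.C.D', or 'network mask'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    return f"{tokens[0]}/{tokens[1]}", tokens[2:]


def parse_acl_entries(config):
    """Return extended ACEs as dicts with acl, action, proto, src, dst and port."""
    entries = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[0] != "access-list" or parts[2] != "extended":
            continue
        src, rest = _take_addr(parts[5:])
        dst, rest = _take_addr(rest)
        entries.append({"acl": parts[1], "action": parts[3], "proto": parts[4],
                        "src": src, "dst": dst, "port": " ".join(rest)})
    return entries


def inbound_acls(config):
    """Map interface name -> ACL bound with 'access-group <acl> in interface <if>'."""
    bound = {}
    for m in re.finditer(r"^access-group (\S+) in interface (\S+)", config, re.M):
        bound[m.group(2)] = m.group(1)
    return bound


def global_inspections(config):
    """Set of protocols that have 'inspect' lines under 'policy-map global_policy'."""
    found, in_policy = set(), False
    for line in config.splitlines():
        if line.startswith("policy-map "):
            in_policy = line.split()[1] == "global_policy"
        elif not line.startswith(" "):
            in_policy = False               # any other top-level line ends the block
        elif in_policy:
            m = re.match(r"\s+inspect (\S+)", line)
            if m:
                found.add(m.group(1))
    return found


def audit(config):
    """Return human-readable findings in the order they are discovered."""
    findings = []
    bound = inbound_acls(config)
    for e in parse_acl_entries(config):
        if (e["action"], e["proto"], e["src"], e["dst"]) == ("permit", "ip", "any", "any"):
            for iface, acl in bound.items():
                if acl == e["acl"]:
                    findings.append(f"{acl} permits ip any any and is applied inbound on {iface}")
    for m in re.finditer(r"^(ssh|telnet|http) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", config, re.M):
        findings.append(f"{m.group(1)} management reachable from any address on {m.group(2)}")
    if "icmp" not in global_inspections(config):
        findings.append("global_policy has no 'inspect icmp'; echo replies are not tracked")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the posted config it reports the `outside_acl` any/any line on the outside interface, SSH open to any address on outside (and telnet to any address on inside), and the absence of `inspect icmp`; once the any/any line is removed and `inspect icmp` is added under `inspection_default`, as Pete describes, those findings disappear.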
Author Comment

by:procsol
ID: 19548886
I'm such an idiot. I forgot to put the DNS forwarders in my DNS servers.  Once I did that everything worked.  DUH!!!  Thanks for your help anyway.
LVL 57

Expert Comment

by:Pete Long
ID: 19549833
:) Easy enough mistake to make - the DNS servers would still work cause they would use root hints :)
Glad you are working again
ThanQ