Solved

Unable to connect to Internet

Posted on 2008-10-01
23
233 Views
Last Modified: 2012-05-05
Hi Experts,

Below is my running config from a Cisco ASA 5505, and I am unable to connect to the internet.

My rules aren't sufficient, so what should be added in order to connect to the web?


ciscoasa# show running-config
: Saved
:
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name default.domain.invalid

names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.49.0.5 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!

ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list inside_access_in extended permit tcp any any
access-list outside_access_out extended permit tcp interface outside
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_out out interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.49.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.49.0.6-10.49.0.133 inside
dhcpd enable inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:14cb597f1816f134b8cbe25ab7d6e991
: end
ciscoasa#

Appreciate any help.

mcse2007
Question by:mcse2007
23 Comments
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22621656
Your config looks good except for one thing... run this:
interface vlan 2
ip address dhcp setroute

The problem is you have no default route - this command will automatically set it!
BTW: you don't need these lines:
access-group inside_access_in in interface inside
access-group outside_access_out out interface outside
access-list inside_access_in extended permit tcp any any
access-list outside_access_out extended permit tcp interface outside
0
 
LVL 7

Author Comment

by:mcse2007
ID: 22621736
Although setroute has been set (see below), I still cannot connect to the internet.

interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22621753
Do a shut command on the vlan 2 interface, wait 5 seconds, then run a no shut.
If you still cannot get to the web, post a copy of sh int vlan 2.
Cheers!
0
 
LVL 7

Author Comment

by:mcse2007
ID: 22621777
A copy of sh int vlan 2 is shown below:

ciscoasa(config-if)# sh int vlan2
Interface Vlan2 "outside", is up, line protocol is up
  Hardware is EtherSVI
        MAC address 001f.ca08.13ed, MTU 1500
        IP address 192.168.0.50, subnet mask 255.255.255.0
  Traffic Statistics for "outside":
        1006 packets input, 104090 bytes
        6 packets output, 2360 bytes
        931 packets dropped
      1 minute input rate 0 pkts/sec,  31 bytes/sec
      1 minute output rate 0 pkts/sec,  9 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  21 bytes/sec
      5 minute output rate 0 pkts/sec,  1 bytes/sec
      5 minute drop rate, 0 pkts/sec
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22621799
This shows that your internet line is up - do you have it connected to the internet or to a router or something? Try pinging 4.2.2.2 from the ASA and tell me if you get !!!!! or ?????.
0
 
LVL 7

Author Comment

by:mcse2007
ID: 22621823
Below is the ping results:

ciscoasa# ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 190/192/200 ms
ciscoasa#
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22621866
That means that you are online - there is no problem with your internet access.
Are you having trouble getting online with your PCs? Are they using DHCP or static IPs?
0
 
LVL 14

Expert Comment

by:Kutyi
ID: 22621917
I am not a PIX expert, but it looks like you have restricted the outbound traffic with your access-list by only allowing TCP traffic, whereas DNS requires UDP 53 to do name resolution.

I would add more ports to your access-lists, or remove access-list inside_access_in extended permit tcp any any and its associated access-group.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22621922
Yes, I told him to get rid of that on my first post.
0
 
LVL 7

Author Comment

by:mcse2007
ID: 22621928
My TCP/IP has the right DNS IP address, which is the ADSL router's LAN IP address, but I cannot connect to the internet from a notebook. My laptop is connected physically by RJ45 cable to the ASA's e0/1 port, and cannot browse the web.

   Autoconfiguration Enabled . . . . : Yes
   IP Address. . . . . . . . . . . . : 10.49.0.6
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.49.0.5
   DHCP Server . . . . . . . . . . . : 10.49.0.5
   DNS Servers . . . . . . . . . . . : 192.168.0.1
0
 
LVL 14

Expert Comment

by:Kutyi
ID: 22621931
Hey, you're right, you did; maybe he did not realize how this would impact outbound traffic and did not remove it.
0
 
LVL 14

Expert Comment

by:Kutyi
ID: 22621940
Yes, but when your DNS server does a request for name resolution it will not get out with your restricted access-list. You need to open up UDP 53 outbound.
0
 
LVL 12

Accepted Solution

by:
Pugglewuggle earned 250 total points
ID: 22621943
You need to run these commands:

no access-group inside_access_in in interface inside
no access-group outside_access_out out interface outside
no access-list inside_access_in extended permit tcp any any
no access-list outside_access_out extended permit tcp interface outside
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22621949
Kutyi - DNS uses UDP 53 by default and then fails over to TCP DNS on port 53 as well if UDP 53 is not available. Some ISPs and devices don't run TCP DNS so that's probably why it's not working.
0
 
LVL 14

Expert Comment

by:Kutyi
ID: 22621967
Pugglewuggle you are a smart man, and I too would bet dollars to donuts this is the issue, which I note you saw in your first post .....:)
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22621982
:) Not so smart as having done it for a year. Thank you though! :)
0
 
LVL 7

Author Comment

by:mcse2007
ID: 22630894
Can I just ask what the access-lists below mean:

no access-group inside_access_in in interface inside
no access-group outside_access_out out interface outside
no access-list inside_access_in extended permit tcp any any
no access-list outside_access_out extended permit tcp interface outside
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22630976
no access-group inside_access_in in interface inside
no access-group outside_access_out out interface outside
no access-list inside_access_in extended permit tcp any any
no access-list outside_access_out extended permit tcp interface outside
All of that removes the access-lists that are blocking your traffic and keeping you offline. It hurts nothing to remove.
:)
0
 
LVL 7

Author Comment

by:mcse2007
ID: 22631014
Is this how I should run these access-lists:

from e0/1
ciscoasa(config-if)# no access-group inside_access_in in interface inside

from e0/0
ciscoasa(config-if)# no access-group outside_access_out out interface outside

from e0/1
ciscoasa(config-if)# no access-list inside_access_in extended permit tcp any any

from e0/0
ciscoasa(config-if)# no access-list outside_access_out extended permit tcp interface outside
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22631047
Oh, no.
Just enter conf t mode and paste what I provided as it is. This will solve your problem.
Also, make sure you use the wr mem command afterwards to save your changes.
0
 
LVL 7

Author Comment

by:mcse2007
ID: 22631058
What happens if you do? Would that compromise your security?
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22631216
If I did what? Remove those access-lists?
No, it wouldn't.
Both of those happen to be filtering outgoing traffic only, which is a bit odd.
When worrying about security, it's usually incoming stuff you've got to worry about... but that's blocked by default even if you don't specify it.
Go ahead and run those commands and it should fix your internet connection.
Cheers! :)
0
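The ACL behaviour this thread turns on, as an added example that is not part of the original posts and not Cisco's code: a small Python model of how the ASA evaluates an extended access-list on the inside interface (ACEs tried in order, first match decides, implicit deny at the end, and with no access-group applied the security-level default lets inside reach outside). It parses the poster's actual inside_access_in entry, models the accepted answer (no ACL at all), and also evaluates a tightened alternative that keeps an ACL but explicitly permits DNS on UDP and TCP 53 plus TCP from the 10.49.0.0/24 LAN. That tightened ACL, the flow set and the 203.0.113.10 web server address are my assumptions; the DNS server 192.168.0.1 and the 4.2.2.2 ping target are from the thread.

```python
"""Model of ASA extended access-list evaluation for inside-to-outside traffic.

Added example, not from the thread or from Cisco. It implements only what the
thread relies on: ACEs are tried in order, the first match decides, and an
applied ACL ends with an implicit deny. With no ACL applied to the inside
interface the ASA allows traffic from security-level 100 to level 0 by
default, which is what the accepted answer falls back to.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Service names accepted after 'eq' (a subset of the ASA keyword list).
PORT_NAMES = {"domain": 53, "www": 80, "https": 443}


@dataclass(frozen=True)
class Ace:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]           # None means any destination port


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: Optional[int]           # None for protocols without ports (icmp)


def _network(tokens: List[str], i: int):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D NETMASK' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # ASA ACLs take a normal netmask, not a wildcard mask.
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]'."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"unsupported ACE: {line}")
    action, proto = t[3], t[4]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in: {line}")
    src, i = _network(t, 5)
    dst, i = _network(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        name = t[i + 1]
        dport = int(name) if name.isdigit() else PORT_NAMES[name]
    return Ace(action, proto, src, dst, dport)


def evaluate(acl: Optional[List[Ace]], flow: Flow) -> str:
    """Decide an inside-to-outside flow; acl=None models 'no access-group'."""
    if acl is None:
        return "permit"            # higher to lower security level: allowed by default
    for ace in acl:
        if ace.proto != "ip" and ace.proto != flow.proto:
            continue
        if ipaddress.IPv4Address(flow.src) not in ace.src:
            continue
        if ipaddress.IPv4Address(flow.dst) not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != flow.dport:
            continue
        return ace.action
    return "deny"                  # implicit deny at the end of every applied ACL


# The ACE the poster actually had applied inbound on the inside interface.
ORIGINAL_ACL = [parse_ace("access-list inside_access_in extended permit tcp any any")]

# Assumed tightened alternative to deleting the ACL: permit DNS (UDP and TCP 53)
# and TCP from the 10.49.0.0/24 LAN; anything else from inside hits the implicit deny.
TIGHTENED_ACL = [parse_ace(line) for line in (
    "access-list inside_access_in extended permit udp 10.49.0.0 255.255.255.0 any eq domain",
    "access-list inside_access_in extended permit tcp 10.49.0.0 255.255.255.0 any eq domain",
    "access-list inside_access_in extended permit tcp 10.49.0.0 255.255.255.0 any",
)]

# Constructed sample flows from the poster's notebook (10.49.0.6). The DNS server
# 192.168.0.1 and the 4.2.2.2 ping target come from the thread; the web server
# address 203.0.113.10 is a documentation-range placeholder.
FLOWS = {
    "dns":  Flow("udp", "10.49.0.6", "192.168.0.1", 53),
    "http": Flow("tcp", "10.49.0.6", "203.0.113.10", 80),
    "ping": Flow("icmp", "10.49.0.6", "4.2.2.2", None),
}


def decisions(acl: Optional[List[Ace]]) -> Dict[str, str]:
    """Evaluate every sample flow against one ACL and return name -> decision."""
    return {name: evaluate(acl, flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("no ACL", None), ("tightened", TIGHTENED_ACL)):
        print(f"{label:>9}: {decisions(acl)}")
```

With the original list the notebook's UDP 53 lookup to 192.168.0.1 falls through to the implicit deny while a TCP 80 connection would be permitted, which is exactly the symptom in the thread: the line is up, the ASA itself can ping, but the PC cannot resolve names. Removing the access-group (the accepted answer, modelled as None) permits everything outbound. The tightened list keeps name resolution and TCP working without opening everything, but it still drops ICMP from the LAN, so an echo entry would have to be added if outbound ping from clients is wanted.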
 
LVL 7

Author Closing Comment

by:mcse2007
ID: 31502264
Appreciate your help
0
