Solved

Unable to connect to Internet

Posted on 2008-10-01
Last Modified: 2012-05-05
Hi Experts,

Below is my running config from a Cisco ASA 5505; I am unable to connect to the internet.

My rules aren't sufficient, hence what should be added in order to connect to the www?

       
ciscoasa# show running-config
: Saved
:
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name default.domain.invalid

names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.49.0.5 255.255
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!

ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list inside_access_in extended permit tcp any any
access-list outside_access_out extended permit tcp interface outside
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_out out interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.49.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.49.0.6-10.49.0.133 inside
dhcpd enable inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:14cb597f1816f134b8cbe25ab7d6e991
: end
ciscoasa#

Appreciate any help.

mcse2007
23 Comments

Expert Comment by Pugglewuggle (ID: 22621656)
Your config looks good except for one thing... run this:
interface vlan 2
ip address dhcp setroute

The problem is you have no default route - this command will automatically set it!
BTW: you don't need these lines:
access-group inside_access_in in interface inside
access-group outside_access_out out interface outside
access-list inside_access_in extended permit tcp any any
access-list outside_access_out extended permit tcp interface outside

Author Comment by mcse2007 (ID: 22621736)
Although the setroute has been set, see below, I still cannot connect to the internet.

interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!

Expert Comment by Pugglewuggle (ID: 22621753)
Do a shut command on the vlan 2 interface, wait 5 seconds, then run a no shut.
If you still cannot get to the web, post a copy of sh int vlan 2.
Cheers!

Author Comment by mcse2007 (ID: 22621777)
A copy of sh int vlan 2 is shown below:

ciscoasa(config-if)# sh int vlan2
Interface Vlan2 "outside", is up, line protocol is up
  Hardware is EtherSVI
        MAC address 001f.ca08.13ed, MTU 1500
        IP address 192.168.0.50, subnet mask 255.255.255.0
  Traffic Statistics for "outside":
        1006 packets input, 104090 bytes
        6 packets output, 2360 bytes
        931 packets dropped
      1 minute input rate 0 pkts/sec,  31 bytes/sec
      1 minute output rate 0 pkts/sec,  9 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  21 bytes/sec
      5 minute output rate 0 pkts/sec,  1 bytes/sec
      5 minute drop rate, 0 pkts/sec

Expert Comment by Pugglewuggle (ID: 22621799)
This shows that your internet line is up - do you have it connected to the internet or to a router or something? Try pinging 4.2.2.2 from the ASA and tell me if you get !!!!! or ?????.

Author Comment by mcse2007 (ID: 22621823)
Below is the ping results:

ciscoasa# ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 190/192/200 ms
ciscoasa#

Expert Comment by Pugglewuggle (ID: 22621866)
That means that you are online - there is no problem with your internet access.
Are you having trouble getting online with your PCs? Are they using DHCP or static IPs?

Expert Comment by Kutyi (ID: 22621917)
I am not a PIX expert, but it looks like you have restricted the outbound traffic by your access-list, only allowing TCP traffic, whereas DNS requires UDP 53 to do name resolution.

I would add more ports to your access-lists, or remove access-list inside_access_in extended permit tcp any any and its associated access-group.

Expert Comment by Pugglewuggle (ID: 22621922)
Yes, I told him to get rid of that on my first post.

Author Comment by mcse2007 (ID: 22621928)
My TCP/IP settings have the right DNS IP address, which is the ADSL router's LAN IP address, but I cannot connect to the internet from a notebook. My laptop is connected physically by RJ45 cable to the ASA's e0/1 port, and cannot browse the web.

   Autoconfiguration Enabled . . . . : Yes
   IP Address. . . . . . . . . . . . : 10.49.0.6
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.49.0.5
   DHCP Server . . . . . . . . . . . : 10.49.0.5
   DNS Servers . . . . . . . . . . . : 192.168.0.1

Expert Comment by Kutyi (ID: 22621931)
Hey, you're right, you did; maybe he did not realize how this would impact outbound traffic and did not remove it.

Expert Comment by Kutyi (ID: 22621940)
Yes, but when your DNS server does a request for name resolution it will not get out with your restricted access-list. You need to open up UDP 53 outbound.

Accepted Solution by Pugglewuggle (earned 250 total points, ID: 22621943)
You need to run these commands:

no access-group inside_access_in in interface inside
no access-group outside_access_out out interface outside
no access-list inside_access_in extended permit tcp any any
no access-list outside_access_out extended permit tcp interface outside

Expert Comment by Pugglewuggle (ID: 22621949)
Kutyi - DNS uses UDP 53 by default and then fails over to TCP DNS on port 53 as well if UDP 53 is not available. Some ISPs and devices don't run TCP DNS so that's probably why it's not working.

Expert Comment by Kutyi (ID: 22621967)
Pugglewuggle, you are a smart man, and I too would bet dollars to donuts this is the issue, which I note you saw in your first post... :)

Expert Comment by Pugglewuggle (ID: 22621982)
:) Not so smart as having done it for a year. Thank you though! :)

Author Comment by mcse2007 (ID: 22630894)
Can I just ask what the below access-lists mean:

no access-group inside_access_in in interface inside
no access-group outside_access_out out interface outside
no access-list inside_access_in extended permit tcp any any
no access-list outside_access_out extended permit tcp interface outside

Expert Comment by Pugglewuggle (ID: 22630976)
no access-group inside_access_in in interface inside
no access-group outside_access_out out interface outside
no access-list inside_access_in extended permit tcp any any
no access-list outside_access_out extended permit tcp interface outside
All of that removes the access-lists that are blocking your traffic and keeping you offline. It hurts nothing to remove.
:)

Author Comment by mcse2007 (ID: 22631014)
Is this how I should run these access-lists:

from e0/1
ciscoasa(config-if)# ciscoasa(config-if)#no access-group inside_access_in in interface inside

from e0/0
ciscoasa(config-if)#no access-group outside_access_out out interface outside

from e0/1
ciscoasa(config-if)# no access-list inside_access_in extended permit tcp any any

from e0/0
ciscoasa(config-if)# no access-list outside_access_out extended permit tcp interface outside

Expert Comment by Pugglewuggle (ID: 22631047)
Oh, no.
Just enter conf t mode and paste what I provided as it is. This will solve your problem.
Also, make sure you use the wr mem command afterwards to save your changes.

Author Comment by mcse2007 (ID: 22631058)
What happens if you did? Would that compromise your security?

Expert Comment by Pugglewuggle (ID: 22631216)
If I did what? Remove those access-lists?
No, it wouldn't.
Both of those happen to be filtering outgoing traffic only, which is a bit odd.
When worrying about security, it's usually incoming stuff you've got to worry about... but that's blocked by default even if you don't specify it.
Go ahead and run those commands and it should fix your internet connection.
Cheers! :)
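The accepted solution and the explanation above remove the access-lists outright. As an added example (editor's code, not from this thread or from Cisco), the Python script below parses the access-list and access-group lines of the posted running-config and decides a few LAN flows the way the ASA's inbound interface ACL does, including the implicit deny at the end of any bound list. It shows why the laptop's UDP/53 DNS lookups never got past the inside interface while TCP would have, and compares three configurations: the posted one, an assumed narrower fix that keeps the ACL but adds permit udp any any eq domain (not proposed in the thread), and the accepted solution with no ACL bound, where the security-level default applies. The config strings, the simplified ACE grammar and the flows (built from the laptop, ADSL router and 4.2.2.2 addresses seen in the thread) are constructions for this example; the outbound ACL on outside and return traffic are not modelled.

```python
"""ASA interface-ACL check for the symptom in this thread (added example).

Parses 'access-list ... extended' and 'access-group' lines from a running
config and decides inside->outside flows the way the ASA does for the ACL
bound inbound on the ingress interface: first matching ACE wins, and a bound
ACL ends in an implicit deny. With no ACL bound, the security-level default
applies (a higher level may initiate connections to a lower one).

Assumptions: ACEs of the form
    extended permit|deny <proto> <src> <dst> [eq <port>]
with <src>/<dst> as 'any', 'host A.B.C.D', 'interface <nameif>' or
'<network> <mask>'; only 'in' bindings are evaluated, so the thread's
outbound ACL on 'outside' is not modelled, and neither is return traffic.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed from the question: the two lines that matter. The ACL admits
# TCP only, so UDP/53 DNS from LAN hosts falls through to the implicit deny.
POSTED_CONFIG = """\
access-list inside_access_in extended permit tcp any any
access-group inside_access_in in interface inside
"""

# Assumed narrower alternative (not proposed in the thread): keep the ACL
# but permit DNS explicitly. 'domain' is the ASA keyword for port 53.
NARROWED_CONFIG = """\
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit udp any any eq domain
access-group inside_access_in in interface inside
"""

# The accepted solution: ACL and binding removed, default policy applies.
UNBOUND_CONFIG = ""

# Security levels from the posted 'interface Vlan1' / 'interface Vlan2'.
SECURITY_LEVEL = {"inside": 100, "outside": 0}

# Subset of the port keywords the ASA CLI accepts in place of numbers.
PORT_NAMES = {"domain": 53, "www": 80, "https": 443, "ntp": 123}


@dataclass
class Ace:
    action: str           # 'permit' or 'deny'
    proto: str            # 'ip', 'tcp', 'udp', 'icmp', ...
    src: tuple            # ('any',) | ('host', ip) | ('net', net, mask) | ('interface', nameif)
    dst: tuple
    dport: Optional[int]  # destination port from 'eq', or None

    def matches(self, proto, src_ip, dst_ip, dport):
        if self.proto != "ip" and self.proto != proto:
            return False
        if not (_addr_match(self.src, src_ip) and _addr_match(self.dst, dst_ip)):
            return False
        return self.dport is None or self.dport == dport


def _addr_match(spec, ip):
    kind = spec[0]
    if kind == "any":
        return True
    if kind == "host":
        return ip == spec[1]
    if kind == "net":
        net = ipaddress.ip_network(f"{spec[1]}/{spec[2]}", strict=False)
        return ipaddress.ip_address(ip) in net
    # 'interface <nameif>' stands for the ASA's own interface address; a LAN
    # host's packet never carries that source, so it cannot match here.
    return False


def _take_addr(tokens):
    """Pop one address specification off the front of the token list."""
    head = tokens.pop(0)
    if head == "any":
        return ("any",)
    if head in ("host", "interface"):
        return (head, tokens.pop(0))
    return ("net", head, tokens.pop(0))  # '<network> <mask>' form


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_config(text):
    """Return ({acl_name: [Ace, ...]}, {(nameif, direction): acl_name})."""
    acls, bindings = {}, {}
    for line in text.splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"] and tok[2:3] == ["extended"]:
            name, action, proto, rest = tok[1], tok[3], tok[4], tok[5:]
            src = _take_addr(rest)
            dst = _take_addr(rest)
            dport = _port(rest[1]) if rest[:1] == ["eq"] else None
            acls.setdefault(name, []).append(Ace(action, proto, src, dst, dport))
        elif tok[:1] == ["access-group"]:
            # access-group <name> in|out interface <nameif>
            bindings[(tok[4], tok[2])] = tok[1]
    return acls, bindings


def evaluate(config_text, ingress, egress, proto, src_ip, dst_ip, dport=None):
    """Return (verdict, reason) for a flow arriving on `ingress`."""
    acls, bindings = parse_config(config_text)
    name = bindings.get((ingress, "in"))
    if name is None:
        ok = SECURITY_LEVEL[ingress] > SECURITY_LEVEL[egress]
        return ("permit" if ok else "deny", "no ACL bound; security-level default")
    for n, ace in enumerate(acls.get(name, []), start=1):
        if ace.matches(proto, src_ip, dst_ip, dport):
            return (ace.action, f"{name} line {n}")
    return ("deny", f"{name} implicit deny at end of list")


# Flows built from addresses in the thread: the laptop (10.49.0.6), the ADSL
# router it uses for DNS (192.168.0.1) and the ping target 4.2.2.2.
FLOWS = {
    "dns udp/53 laptop->adsl router": ("udp", "10.49.0.6", "192.168.0.1", 53),
    "http tcp/80 laptop->4.2.2.2": ("tcp", "10.49.0.6", "4.2.2.2", 80),
    "icmp echo laptop->4.2.2.2": ("icmp", "10.49.0.6", "4.2.2.2", None),
}


def report(config_text):
    """Verdict per flow for one configuration, e.g. {'dns ...': 'deny', ...}."""
    return {label: evaluate(config_text, "inside", "outside", *flow)[0]
            for label, flow in FLOWS.items()}


if __name__ == "__main__":
    for title, cfg in (("posted", POSTED_CONFIG), ("narrowed", NARROWED_CONFIG),
                       ("unbound", UNBOUND_CONFIG)):
        print(f"{title:8s}", report(cfg))
```

Run it with python3 and it prints a verdict per flow for each configuration: under the posted config only the TCP flow gets through, the narrowed config also lets DNS out, and with nothing bound everything from inside is permitted by the security-level default. Deleting the ACLs, as the accepted answer does, is fine for a home ADSL link; if you actually want egress filtering, the narrowed list (plus whatever else the LAN needs, such as ICMP for ping) is the shape to keep. One caveat the script does not cover: the ASA is stateful for TCP and UDP, so replies come back on their own, but ICMP echo replies from outside need inspect icmp or an explicit permit on the outside interface.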

Author Closing Comment by mcse2007 (ID: 31502264)
Appreciate your help