Solved

Unable to download from Windows Update site after installing ASA 5505

Posted on 2008-10-11
Last Modified: 2012-06-21
I just installed a Cisco ASA 5505 on my network. I haven't changed any of the default access rules or filter rules. I can access the Internet just fine, including the Microsoft Windows Update site. I can't download any updates from the site. I receive error 0x80072F78, "a problem with the proxy or firewall settings". Does anyone know what I need to change on the ASA to allow traffic from the Windows Update site?
Question by:duncantech
11 Comments
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22693015
Can you please post your config? Also, do you have any other routers between the ASA and your computer?

Author Comment

by:duncantech
ID: 22697940
Running config is below. I'm also having problems getting remote VPN to work. The Cisco VPN client logs show REASON_PEER_NOT_RESPONDING after the connection fails. I used the ASDM VPN wizard to set it up. That's shown in the running config below too.

ASA Version 7.2(4)
!
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.1.1.1 255.255.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan3
 shutdown
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address dhcp
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name bfdental.local
access-list VPNGROUP_splitTunnelAcl standard permit host 192.1.1.100
access-list inside_nat0_outbound extended permit ip host 192.1.1.100 192.1.0.96 255.255.255.240
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool RemoteClientPool 192.1.0.100-192.1.0.105 mask 255.255.0.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.1.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

group-policy VPNGROUP internal
group-policy VPNGROUP attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPNGROUP_splitTunnelAcl
username user4 password 36v0HANL7wm3Cs/5 encrypted privilege 0
username user4 attributes
 vpn-group-policy VPNGROUP
username user1 password cmWimaq3pJRvsSCR encrypted privilege 0
username user1 attributes
 vpn-group-policy VPNGROUP
username user2 password 7Gx9sQ6jwwet/vzC encrypted privilege 0
username user2 attributes
 vpn-group-policy VPNGROUP
username user3 password AERLuj4w8oVizsAb encrypted privilege 0
username user3 attributes
 vpn-group-policy VPNGROUP
tunnel-group VPNGROUP type ipsec-ra
tunnel-group VPNGROUP general-attributes
 address-pool RemoteClientPool
 default-group-policy VPNGROUP
tunnel-group VPNGROUP ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2b06feb97c97a155eb78549bbb0e1963
: end
asdm image disk0:/asdm-524.bin
no asdm history enable

Author Comment

by:duncantech
ID: 22697958
Also there are no other routers between the ASA and the computers.
LVL 10

Accepted Solution

by:
cstosgale earned 75 total points
ID: 22698850
Although I'm not certain which IP addresses are used by Windows Update, there's one big thing wrong with the config above: you are not using a private IP range on your local network.

You are using 192.1.0.0 255.255.0.0. This means that you won't be able to reach anything on the Internet on any of these IP addresses (which is a fair chunk!). I would strongly recommend changing this to something like 192.168.1.0 255.255.255.0.

With regards to your VPN, I would recommend changing your VPN pool, perhaps to 192.168.2.0 255.255.255.0. You will then need to correct the nonat access list, which is currently wrong, to read:

access-list inside_nat0_outbound extended permit ip any 192.168.2.0 255.255.255.0

and the split tunnel ACL to read:

access-list VPNGROUP_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0 any
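The two points made above (a public prefix on the LAN shadows real Internet hosts, and the VPN pool must be covered by the nat 0 exemption and the split-tunnel ACL) can be checked mechanically. This is an added example, not cstosgale's or Cisco's code; it uses only Python's standard ipaddress module, takes the prefix, pool and ACL values from the configs posted in this thread, and the destination IPs are constructed samples.

```python
import ipaddress

def asa_net(address: str, mask: str) -> ipaddress.IPv4Network:
    """Build a network from ASA-style 'address mask' notation (e.g. 192.1.0.0 255.255.0.0)."""
    return ipaddress.ip_network(f"{address}/{mask}", strict=False)

def lan_is_private(address: str, mask: str) -> bool:
    """True when the inside prefix lies entirely in IANA-reserved private space
    (Python's is_private, a superset of RFC 1918)."""
    return asa_net(address, mask).is_private

def shadowed_hosts(address: str, mask: str, destinations):
    """Internet hosts that a LAN on a public prefix would route locally, never via the default route."""
    net = asa_net(address, mask)
    return [d for d in destinations if ipaddress.ip_address(d) in net]

def pool_is_nat_exempt(first: str, last: str, nonat_dest: str, nonat_mask: str) -> bool:
    """True when every address in the VPN pool is covered by the nat 0 ACL destination."""
    net = asa_net(nonat_dest, nonat_mask)
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    # A network is a contiguous range, so covering both ends covers the whole pool.
    return lo <= hi and lo in net and hi in net

def split_tunnel_covers_lan(acl_addr: str, acl_mask: str, lan_addr: str, lan_mask: str) -> bool:
    """True when the split-tunnel ACL entry includes the whole inside network."""
    return asa_net(lan_addr, lan_mask).subnet_of(asa_net(acl_addr, acl_mask))

if __name__ == "__main__":
    # Values from the first config in the thread; the destination IPs are constructed samples.
    print(lan_is_private("192.1.0.0", "255.255.0.0"))                                 # False
    print(shadowed_hosts("192.1.0.0", "255.255.0.0", ["192.1.5.5", "8.8.8.8"]))       # ['192.1.5.5']
    # The original split-tunnel ACL only permits host 192.1.1.100, not the whole LAN.
    print(split_tunnel_covers_lan("192.1.1.100", "255.255.255.255", "192.1.0.0", "255.255.0.0"))  # False
    # The corrected design from the accepted answer.
    print(split_tunnel_covers_lan("192.168.1.0", "255.255.255.0", "192.168.1.0", "255.255.255.0"))  # True
```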

Author Comment

by:duncantech
ID: 22700371
The client's internal network is using 192.1.0.0/16. I had to change the ASA from 192.168.1.0/24 in order to use it, and I have access to the Internet. I just can't download updates from the Windows Update site.
LVL 12

Assisted Solution

by:Pugglewuggle
Pugglewuggle earned 50 total points
ID: 22704054
The thing is that you MUST change your internal IPs on the network to a private range. For the Internet to work, public addresses CANNOT exist more than once or there will be problems, and the addresses you have on the inside of the ASA are public addresses. You MUST use a private addressing scheme such as 192.168.1.x. There is no way around this if you want everything to work.
Whoever set up the client's network that way is an idiot and clearly had no idea how the Internet works.
Cheers!
LVL 10

Expert Comment

by:cstosgale
ID: 22704600
I totally agree with Pugglewuggle on this; using a public range on your LAN is a bad idea.

If you want to see what is going on and confirm that this is causing the problem, load up ASDM, go to Monitoring, then Logging, and select to view the live event log. This will show you the packets flowing through the device and whether anything is dropped, etc. Whilst you have this up, try to download Windows updates and see what you get. If the logging shows your machine trying to get to something on 192.1.x.x, then this is your problem.

Author Comment

by:duncantech
ID: 22749061
Just to update: I reconfigured the client's network to a private IP addressing scheme as suggested yesterday. I reset the ASA to factory defaults and ran through the Startup wizard and VPN wizard again. VPN still isn't working, and another colleague pointed out to me that I need to create access lists for outside traffic coming in. I thought that's what the VPN wizard was for. As you can tell, this is my first time working with an ASA/PIX device and it's not as easy to set up as I was led to believe. So once I figure out how to define an access list for VPN traffic, everything should be OK. I'll let you know how it goes.
LVL 3

Expert Comment

by:leonjs
ID: 22751176
With regards to the Windows Update site, every time I had this problem it was 443 traffic that wasn't being permitted through the firewall. If you can make it to the site but not further, it's most likely related; try some other HTTPS site and see what happens.
I also feel this way because I don't see any inside_out access lists/groups (not associated with VPN). Did you remove ip any any from the inside network?

Author Comment

by:duncantech
ID: 22805345
Update: I'm starting to make some progress now. The main problem turned out to be that the static IP address given to us by the ISP was incorrect. I spent time on the phone with them today confirming the address information and we discovered the error. So now Windows Update is working and I can establish a VPN connection. My problem now is that when I'm connected over VPN I can't RDP to the server or ping any devices on the network. I've attached the latest running config. Hopefully this is the last hurdle.

: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name bluthfamilydental.local
enable password SNhG4./T.zJe2WyB encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.160.5 server description server
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.160.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 173.9.141.177 255.255.255.252
!
interface Vlan3
 shutdown
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address dhcp
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name bluthfamilydental.local
access-list inside_nat0_outbound extended permit ip any 192.168.160.192 255.255.255.224
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any traceroute
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool RemotePool 192.168.160.201-192.168.160.210 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route inside 0.0.0.0 0.0.0.0 192.168.160.1 tunneled
route outside 0.0.0.0 0.0.0.0 173.9.141.178 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.160.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.160.2-192.168.160.33 inside
!

group-policy VPNDBF internal
group-policy VPNDBF attributes
 vpn-tunnel-protocol IPSec
 default-domain value bluthfamilydental.local
username user4 password 36v0HANL7wm3Cs/5 encrypted privilege 0
username user4 attributes
 vpn-group-policy VPNDBF
username user1 password cmWimaq3pJRvsSCR encrypted privilege 0
username user1 attributes
 vpn-group-policy VPNDBF
username user2 password 7Gx9sQ6jwwet/vzC encrypted privilege 0
username user2 attributes
 vpn-group-policy VPNDBF
username user3 password AERLuj4w8oVizsAb encrypted privilege 0
username user3 attributes
 vpn-group-policy VPNDBF
tunnel-group VPNDBF type ipsec-ra
tunnel-group VPNDBF general-attributes
 address-pool RemotePool
 default-group-policy VPNDBF
tunnel-group VPNDBF ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2e4230ba98646f066860ed94dbf56067
: end
asdm image disk0:/asdm-524.bin
asdm location server 255.255.255.255 inside
no asdm history enable

Author Comment

by:duncantech
ID: 22808123
Issue resolved. I found another post from a user with the same problem. He resolved it by adding the command "crypto isakmp nat-traversal 20". I tried the same command and I can RDP to the server now and ping network resources. Thanks for everyone's assistance.