Solved

Cisco ASA - can't connect to the internet

Posted on 2009-07-08
Last Modified: 2012-06-27
Hello all,

Just been tasked with implementing a 5510 firewall for our company. I'm trying to test it with a bare-minimum setup, which includes:

 HOST-----ASA-------ROUTER (with usb 3G dongle)

+ I can ping the router from the host.
+ I can access the admin page of the router from the host.
- Cannot access the internet.

The 10.2.150.0 host network is NATed to 10.254.254.0.

I have a few ACLs which I have been playing around with, but to no success. Anyone have any ideas why it's not working? I've spent too long trying to do the simplest thing.

ASA Version 8.0(2)
!
hostname ciscoasa
enable password umg.ZnnYJgki8FK/ encrypted
names
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 10.2.150.1 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 10.254.254.2 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list INSIDE-OUT extended permit icmp any any
access-list INSIDE-OUT extended permit tcp any any
access-list INSIDE-OUT extended permit tcp any any eq www
access-list INSIDE-OUT extended permit ip any any
access-list OUTSIDE_IN extended permit tcp any any
access-list OUTSIDE-IN extended permit icmp any any
access-list OUTSIDE-IN extended permit tcp any any eq www
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-611.bin
no asdm history enable
arp timeout 14400
global (outside) 1 10.254.254.10-10.254.254.100
nat (inside) 1 0.0.0.0 0.0.0.0
access-group INSIDE-OUT in interface inside
access-group OUTSIDE-IN in interface outside
access-group OUTSIDE-IN out interface outside
route outside 0.0.0.0 0.0.0.0 10.254.254.0 1
route outside 0.0.0.0 0.0.0.0 10.254.254.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1f7d8d79bedc3ba7d6b992625a97bde3
: end
ciscoasa(config)#

Question by: Jmsdunn85

LVL 10

Expert Comment

by:atlas_shuddered
ID: 24807015
On line 59: change the ACL to INSIDE-OUT.
Lines 60 and 61: you've got two default routes established; remove one of them.

Next, can you ping from the ASA to the router inside interface?

If so, can you ping from the ASA to the IP 4.2.2.1 (public name server)?

Your basic config looks okay on a brief look; check the above and then we can go from there.

LVL 1

Author Comment

by:Jmsdunn85
ID: 24807185
atlas,

Thanks for the advice. I'll have a go at making those changes at work tomorrow.

LVL 15

Expert Comment

by:bignewf
ID: 24808123
Just a note here: by default the ASA allows all traffic from inside to outside unless access lists restrict outbound traffic.
no access-list INSIDE-OUT extended permit icmp any any
no access-list INSIDE-OUT extended permit tcp any any
no access-list INSIDE-OUT extended permit tcp any any eq www
no access-group INSIDE-OUT in interface inside

I have seen the above cause issues with outbound internet traffic.

Remove this:
no route outside 0.0.0.0 0.0.0.0 10.254.254.0 1  (this is the network itself, not the router interface)
Keep this:
route outside 0.0.0.0 0.0.0.0 10.254.254.1 1  (if this is the public "inside" IP address of your internet router)

You must be able to ping the above IP of the router before checking other internet connectivity issues.

LVL 15

Accepted Solution

by:
bignewf earned 125 total points
ID: 24808223
To allow pings through the firewall from the outside to the inside (this should be removed after testing):

These commands allow return messages through the firewall when an inside user pings an outside host. Other types of ICMP messages are considered hostile by the ASA, and it will block all others.

access-list outside-in permit icmp any any echo-reply
access-list outside-in permit icmp any any source-quench
access-list outside-in permit icmp any any unreachable
access-list outside-in permit icmp any any time-exceeded

access-group outside-in in interface outside

Also, you can configure ICMP inspection, which allows a trusted IP address to traverse the ASA and allows a reply back to this trusted address only:

policy-map global_policy
class inspection_default
inspect icmp

The above allows monitoring for ICMP traffic traversing the ASA (i.e. ping of death attacks).

So you don't need this:
no access-list INSIDE-OUT extended permit icmp any any

LVL 1

Author Comment

by:Jmsdunn85
ID: 24811368
Ok,

Well, I've made the changes recommended.

I can ping 4.2.2.1 from the ASA.
I can ping 4.2.2.1 from the host.
I can ping the inside router interface 10.254.254.1 from the ASA.
I can ping the inside router interface 10.254.254.1 from the host.

I removed the ACLs that bignewf suggested, which didn't solve the problem but at least cleaned up my ACLs. But still no web access.

Any ideas?
LVL 1

Author Comment

by:Jmsdunn85
ID: 24811461
Ok, to update you guys. Every time I had been testing the web from the host I had just clicked on IE and had Google load up. However, I then tried browsing to Google by its IP address instead of its DNS name and it worked!

Can you explain why DNS does not resolve www.google.com for anything behind the ASA? If I plug the host into the 10.254.254.x network it does resolve.

LVL 1

Expert Comment

by:munir_hayat
ID: 24811888
Applying this will solve your problem of accessing the internet:

access-list OUTSIDE_IN extended permit ip any any
access-group OUTSIDE_IN in interface outside

LVL 15

Expert Comment

by:bignewf
ID: 24813135
As for DNS, you can do the following:

If you are using a Windows network, on the DNS server (usually the domain controller), on the Forwarders tab of the DNS server's properties, place the external IP addresses of the ISP DNS servers. Clear the DNS cache, then stop and start DNS.
Make sure all your DHCP clients have the DNS server(s) in the DHCP scope.
You might have to run ipconfig /flushdns and ipconfig /registerdns on the clients afterwards to clear the DNS resolver cache.
Make sure the ASA has the DNS servers in the config.

As for an access-list outside_in permit ip any any: you never want this statement in a firewall!
This allows all traffic from the outside to the inside and defeats the purpose of a firewall.

Since the ASA allows all traffic from inside hosts to the outside, DNS requests and HTTP requests from clients will automatically reach the outside internet DNS and web servers, unless blocked by access lists.
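Everything the thread converged on (one default route whose next hop is the router and not the subnet, the misnamed OUTSIDE_IN ACL that is never applied, never permitting ip any any inbound on the outside interface) is visible in the pasted config, as is one line the thread does not discuss: `access-group OUTSIDE-IN out interface outside`. An ACL applied in the `out` direction filters traffic leaving that interface, i.e. the inside hosts' new sessions toward the internet, and OUTSIDE-IN contains only icmp and tcp entries, so UDP (DNS queries on udp/53) would hit the implicit deny while browsing to a bare IP over TCP still works, which is consistent with the symptom reported above. The following is an added example, not code from the original post or from Cisco: a small Python linter for ASA 8.0-style configs that parses the statement types involved and reports these conditions. The two embedded configs are constructed, one trimmed from the posted config and one with the thread's fixes applied; the finding codes are this example's own names, not ASA output. ACL names are treated as case-sensitive because the ASA treats them that way (so `outside-in` in the accepted answer would create a separate ACL rather than extend `OUTSIDE-IN`).

```python
# Added example, not from the original post or from Cisco: lint an ASA 8.0-style config.
import ipaddress
import re
from collections import defaultdict

# Constructed from the posted config, trimmed to the interface, ACL and route lines.
IFACES = """\
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 10.2.150.1 255.255.255.0
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 10.254.254.2 255.255.255.0
"""
POSTED_CONFIG = IFACES + """\
access-list INSIDE-OUT extended permit ip any any
access-list OUTSIDE_IN extended permit tcp any any
access-list OUTSIDE-IN extended permit icmp any any
access-list OUTSIDE-IN extended permit tcp any any eq www
access-group INSIDE-OUT in interface inside
access-group OUTSIDE-IN in interface outside
access-group OUTSIDE-IN out interface outside
route outside 0.0.0.0 0.0.0.0 10.254.254.0 1
route outside 0.0.0.0 0.0.0.0 10.254.254.1 1
"""
# Constructed: the thread's fixes applied (no inside ACL, only ICMP replies inbound,
# nothing applied 'out', a single default route whose next hop is the router).
FIXED_CONFIG = IFACES + """\
access-list OUTSIDE-IN extended permit icmp any any echo-reply
access-list OUTSIDE-IN extended permit icmp any any unreachable
access-list OUTSIDE-IN extended permit icmp any any time-exceeded
access-group OUTSIDE-IN in interface outside
route outside 0.0.0.0 0.0.0.0 10.254.254.1 1
"""

ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?(permit|deny) (\S+) (.*)$")
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)(?: \d+)?$")


def parse_config(text):
    """Collect ACL entries, access-groups, static routes and per-nameif interface facts."""
    acls, groups, routes, ifaces = defaultdict(list), [], [], {}
    cur = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith("interface "):
            cur = {"sec": None, "net": None}
            continue
        if line.startswith(" "):                 # sub-command of the current block
            if cur is not None:
                w = line.split()
                if w[0] == "nameif":
                    ifaces[w[1]] = cur           # same dict; later sub-commands fill it in
                elif w[0] == "security-level":
                    cur["sec"] = int(w[1])
                elif w[:2] == ["ip", "address"] and len(w) >= 4:
                    cur["net"] = ipaddress.IPv4Interface(f"{w[2]}/{w[3]}").network
            continue
        cur = None                               # any other top-level command ends the block
        if m := ACL_RE.match(line):
            name, action, proto, rest = m.groups()
            acls[name].append((action, proto, rest.strip()))
        elif m := GROUP_RE.match(line):
            groups.append(m.groups())
        elif m := ROUTE_RE.match(line):
            routes.append(m.groups())
    return acls, groups, routes, ifaces


def lint(text):
    """Return (code, message) findings; an empty list means nothing was flagged."""
    acls, groups, routes, ifaces = parse_config(text)
    out, untrusted = [], {n for n, i in ifaces.items() if i["sec"] == 0}
    # ACL names are case-sensitive on the ASA: OUTSIDE_IN and OUTSIDE-IN are different ACLs.
    for acl, direction, ifname in groups:
        if acl not in acls:
            out.append(("ACL_UNDEFINED", f"access-group {acl} {direction} interface {ifname}: no such access-list"))
    for name in sorted(set(acls) - {g[0] for g in groups}):
        out.append(("ACL_UNUSED", f"access-list {name} is never applied (typo in the name?)"))
    if sum(r[1] == r[2] == "0.0.0.0" for r in routes) > 1:
        out.append(("MULTI_DEFAULT", "more than one default route; keep the one via the router"))
    for ifname, dest, mask, hop in routes:
        net, hop = ifaces.get(ifname, {}).get("net"), ipaddress.IPv4Address(hop)
        if net and (hop not in net or hop in (net.network_address, net.broadcast_address)):
            out.append(("BAD_NEXTHOP", f"route {ifname} {dest} {mask} {hop}: next hop must be a host on {net}"))
    for acl, direction, ifname in groups:
        permits = [(p, rest) for a, p, rest in acls.get(acl, []) if a == "permit"]
        if direction == "in" and ifname in untrusted and ("ip", "any any") in permits:
            out.append(("PERMIT_ANY_IN", f"{acl} permits ip any any inbound on {ifname}: every inside host is exposed"))
        # 'out' filters traffic leaving the interface (inside hosts' new sessions); no udp/ip
        # entry means DNS queries hit the implicit deny while TCP browsing by IP still works.
        if direction == "out" and not {p for p, _ in permits} & {"udp", "ip"}:
            out.append(("OUT_NO_UDP", f"{acl} applied out on {ifname} permits no udp: DNS (udp/53) from inside is dropped"))
    return out


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {label} config ==", *(f"  {c}: {m}" for c, m in lint(cfg)) or ["  no findings"], sep="\n")
```

Running it flags four things in the posted config (the unused OUTSIDE_IN ACL, two default routes, the 10.254.254.0 next hop, and the udp-less ACL applied out on outside) and nothing in the fixed one; appending `access-list OUTSIDE-IN extended permit ip any any` to the fixed config, as one comment suggested, produces the PERMIT_ANY_IN finding. The parser only understands the statement types the checks need and ignores the rest of the running-config, so it is a first-pass sanity check, not a substitute for `packet-tracer` on the box.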
 
LVL 10

Assisted Solution

by:atlas_shuddered
atlas_shuddered earned 125 total points
ID: 24817486
The only other thing that I would note:

If you don't know your ISP DNS address, you can use 4.2.2.1/4.2.2.2/4.2.2.3/4.2.2.4.

These are all root level DNS servers. The only caution is to use them only while trying to resolve ISP DNS, and, depending on the ISP, make sure they are giving you their commercial root server, not their residential one, and keep one of the 4 above as a failover/secondary.

The only other thing: newf is right, in theory the ASA architecture should allow you to send traffic from a higher to a lower interface; however, depending on the version of your IOS, this can be buggy. Keep your ACLs in the config, just not assigned, until you have validated the traffic passes as desired.

LVL 1

Author Closing Comment

by:Jmsdunn85
ID: 31601251
Thanks guys. I'll take on all this advice, you've all been most helpful.