Cisco ASA- can't connet to internet

Hello all,

Just been tasked with implementing 5510 firewall for our company. I'm trying to test it with a bare minimum setup which includes:

 HOST-----ASA-------ROUTER (with usb 3G dongle)

+I can ping the router from the host.
+I can access the admin page of the router from the host
- Cannot acess the internet

The 10.2.150.0 host network is natted to 10.254.254.0.

I have a few ACL's which i have been playing around with but to no sucess. Anyone have any ideas why its not working? I've spent too long trying to do the simplest thing.
ASA Version 8.0(2)
!
hostname ciscoasa
enable password umg.ZnnYJgki8FK/ encrypted
names
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 10.2.150.1 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 10.254.254.2 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list INSIDE-OUT extended permit icmp any any
access-list INSIDE-OUT extended permit tcp any any
access-list INSIDE-OUT extended permit tcp any any eq www
access-list INSIDE-OUT extended permit ip any any
access-list OUTSIDE_IN extended permit tcp any any
access-list OUTSIDE-IN extended permit icmp any any
access-list OUTSIDE-IN extended permit tcp any any eq www
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-611.bin
no asdm history enable
arp timeout 14400
global (outside) 1 10.254.254.10-10.254.254.100
nat (inside) 1 0.0.0.0 0.0.0.0
access-group INSIDE-OUT in interface inside
access-group OUTSIDE-IN in interface outside
access-group OUTSIDE-IN out interface outside
route outside 0.0.0.0 0.0.0.0 10.254.254.0 1
route outside 0.0.0.0 0.0.0.0 10.254.254.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1f7d8d79bedc3ba7d6b992625a97bde3
: end
ciscoasa(config)#

Open in new window

LVL 1
Jmsdunn85Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

atlas_shudderedSr. Network EngineerCommented:
on line 59:  change the ACL to INSIDE-OUT
line 60 and 61 - you've got two default routes established - remove one of them.

next, can you ping from the ASA to the router inside interface?

If so, can you ping from the ASA to the ip 4.2.2.1 (public name server)

You're basic config looks okay on brief look, check the above and then we can go from there.
0
Jmsdunn85Author Commented:
atlas,

Thanks for the advice. I'll have a go at making those changes at work tomorrow.


0
bignewfCommented:
just a note here --- by default the asa allows all traffic from inside to outside unless access lists restrict outbound traffic
no access-list INSIDE-OUT extended permit icmp any any
no access-list INSIDE-OUT extended permit tcp any any
no access-list INSIDE-OUT extended permit tcp any any eq www
no access-group INSIDE-OUT in interface inside

I have seen the above cause issues with outbound internet traffic


remove this:
no route outside 0.0.0.0 0.0.0.0 10.254.254.0 1  (this is the network itself, not the router interface)
keep this:
route outside 0.0.0.0 0.0.0.0 10.254.254.1 1  (if this is the public "inside" ip address of your internet router)

you must be able to ping the above ip of the router before checking other internet connectivity issues




0
The Firewall Audit Checklist

Preparing for a firewall audit today is almost impossible.
AlgoSec, together with some of the largest global organizations and auditors, has created a checklist to follow when preparing for your firewall audit. Simplify risk mitigation while staying compliant all of the time!

bignewfCommented:
to allow pings through the firewall from the outside to the inside (this should be removed after testing)

these commands allow retrun messages thru the firewall when an inside user pings to an outsdie host. Other types of icmp messages are considered hostile by the asa and it will block all ohters

access-list outside-in permit icmp any any echo-reply
access-list outside-in permit icmp any any source-quench
access-list outside-in permit icmp any any unreachable
access-list outside-in permit icmp any any time-exceeded

access-group outside-in in interface outside

also, you can configure icmp inspection , which allows a trusted ip address to traverse the asa and allows a reply back to this trusted address only

policy-map global_policy
class inspection_default
inspect icmp

the above allows monitoring for icmp traffic traversing the asa (i.e ping of death attacks)

so you don't need this:
no access-list INSIDE-OUT extended permit icmp any any




0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Jmsdunn85Author Commented:
Ok,

Well i've made the changes recommended.

I can ping 4.2.2.1 from the ASA
I can ping 4.2.2.1 from the host
I can ping the inside router interface 10.254.254.1 from the ASA
I can ping the inside router interface 10.254.254.1 from the host.

I removed the ACL's that bignewf suggested which didn't solve the problem but at least cleaned up my ACL's. But still no web access.

Any ideas?
0
Jmsdunn85Author Commented:
Ok to update you guys. Every time i had been testing the web from the host i had just clicked on IE and had google load up. However, i then tried browsing to google by its IP address instead of its DNS name and it worked!

Can you explain why DNS does not resolve www.google.com for anything behind the ASA? If i plug the host into the 10.254.254.x network it does resolve.
0
munir_hayatCommented:
Apply this one will solve your problem of accessing internet

access-list OUTSIDE_IN extended permit ip any any
access-group OUTSIDE_IN in interface outside
0
bignewfCommented:
As for DNS, you can do the following:

If you are using a windows network, on the dns server (usually the domain controller) on the forwarders tab on the properties of the dns server place the external ip addresses of the isp dns servers. Clear the dns cache, start and stop dns
Make sure all your dhcp clients have the dns server(s) in the dhcp scope
you might have to run ipconfig/flushdns  /registerdns on the clients afterwards to clear the dns resolver cache
make sure the asa has the dns servers in the config

as for an access-list outside_in permit ip any any  ---  you never want this statement in a firewall!
this allows all traffic from the outside to the inside and defeats the purpose of a firewall

since the asa allows all traffic from inside hosts to the outside, dns requests and http requests from clients will automatically reach the outside internet dns and webservers, unless blocked by access lists.
0
atlas_shudderedSr. Network EngineerCommented:
The only other thing that I would note:

If you don't know your ISP DNS address, you can use 4.2.2.1/4.2.2.2/4.2.2.3/4.2.2.4

These are all root level DNS servers.  Only caution is only use them while trying to resolve ISP DNS - and depending on ISP, make sure they are giving you their commercial root server, not their residential and keep one of the 4 above as a failover/secondary.

Only thing else, newf is right, in theory the ASA architecture should allow you to send traffic from a higher to lower interface, however, depending on the version of you IOS, this can be buggy.  Keep your ACLs in the config, just not assigned, until you have validated the traffic passes as desired.
0
Jmsdunn85Author Commented:
Thanks guys. I'll take on all this advice, you've all been most helpful.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Hardware Firewalls

From novice to tech pro — start learning today.