Jmsdunn85
Cisco ASA - can't connect to internet
Hello all,
Just been tasked with implementing a 5510 firewall for our company. I'm trying to test it with a bare minimum setup which includes:
HOST-----ASA-------ROUTER (with USB 3G dongle)
+ I can ping the router from the host.
+ I can access the admin page of the router from the host.
- Cannot access the internet.
The 10.2.150.0 host network is NATed to 10.254.254.0.
I have a few ACLs which I have been playing around with but to no success. Anyone have any ideas why it's not working? I've spent too long trying to do the simplest thing.
ASA Version 8.0(2)
!
hostname ciscoasa
enable password umg.ZnnYJgki8FK/ encrypted
names
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 10.2.150.1 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 10.254.254.2 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list INSIDE-OUT extended permit icmp any any
access-list INSIDE-OUT extended permit tcp any any
access-list INSIDE-OUT extended permit tcp any any eq www
access-list INSIDE-OUT extended permit ip any any
access-list OUTSIDE_IN extended permit tcp any any
access-list OUTSIDE-IN extended permit icmp any any
access-list OUTSIDE-IN extended permit tcp any any eq www
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-611.bin
no asdm history enable
arp timeout 14400
global (outside) 1 10.254.254.10-10.254.254.100
nat (inside) 1 0.0.0.0 0.0.0.0
access-group INSIDE-OUT in interface inside
access-group OUTSIDE-IN in interface outside
access-group OUTSIDE-IN out interface outside
route outside 0.0.0.0 0.0.0.0 10.254.254.0 1
route outside 0.0.0.0 0.0.0.0 10.254.254.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1f7d8d79bedc3ba7d6b992625a97bde3
: end
ciscoasa(config)#
ASKER
atlas,
Thanks for the advice. I'll have a go at making those changes at work tomorrow.
Just a note here: by default the ASA allows all traffic from inside to outside unless access lists restrict outbound traffic.
no access-list INSIDE-OUT extended permit icmp any any
no access-list INSIDE-OUT extended permit tcp any any
no access-list INSIDE-OUT extended permit tcp any any eq www
no access-group INSIDE-OUT in interface inside
I have seen the above cause issues with outbound internet traffic.
remove this:
no route outside 0.0.0.0 0.0.0.0 10.254.254.0 1 (this is the network itself, not the router interface)
keep this:
route outside 0.0.0.0 0.0.0.0 10.254.254.1 1 (if this is the public "inside" ip address of your internet router)
You must be able to ping the above IP of the router before checking other internet connectivity issues.
ASKER CERTIFIED SOLUTION
ASKER
Ok,
Well, I've made the changes recommended.
I can ping 4.2.2.1 from the ASA
I can ping 4.2.2.1 from the host
I can ping the inside router interface 10.254.254.1 from the ASA
I can ping the inside router interface 10.254.254.1 from the host.
I removed the ACLs that bignewf suggested, which didn't solve the problem but at least cleaned up my ACLs. But still no web access.
Any ideas?
ASKER
Ok, to update you guys. Every time I had been testing the web from the host I had just clicked on IE and had Google load up. However, I then tried browsing to Google by its IP address instead of its DNS name and it worked!
Can you explain why DNS does not resolve www.google.com for anything behind the ASA? If I plug the host into the 10.254.254.x network it does resolve.
Applying this one will solve your problem of accessing the internet:
access-list OUTSIDE_IN extended permit ip any any
access-group OUTSIDE_IN in interface outside
As for DNS, you can do the following:
If you are using a Windows network, on the DNS server (usually the domain controller), on the Forwarders tab of the DNS server's properties, place the external IP addresses of the ISP DNS servers. Clear the DNS cache, and start and stop DNS.
Make sure all your DHCP clients have the DNS server(s) in the DHCP scope.
You might have to run ipconfig /flushdns /registerdns on the clients afterwards to clear the DNS resolver cache.
Make sure the ASA has the DNS servers in the config.
As for an access-list outside_in permit ip any any: you never want this statement in a firewall!
This allows all traffic from the outside to the inside and defeats the purpose of a firewall.
Since the ASA allows all traffic from inside hosts to the outside, DNS requests and HTTP requests from clients will automatically reach the outside internet DNS and web servers, unless blocked by access lists.
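As an added example that is not part of this thread (and not a Cisco tool), the Python script below checks an ASA 8.x-style running-config for the problems raised in the two notes above: more than one default route, a default-route gateway that is the subnet's network address rather than the router, an access-list whose name is never referenced by an access-group (the posted config mixes OUTSIDE_IN and OUTSIDE-IN), and a protocol-wide permit any any applied inbound on the outside interface. The embedded config excerpt is constructed from the one posted in the question.

```python
import ipaddress
# Constructed excerpt modelled on the config posted in the question (not the full config).
SAMPLE_CONFIG = """\
interface Ethernet0/1
nameif outside
ip address 10.254.254.2 255.255.255.0
access-list OUTSIDE_IN extended permit tcp any any
access-list OUTSIDE-IN extended permit icmp any any
access-group OUTSIDE-IN in interface outside
route outside 0.0.0.0 0.0.0.0 10.254.254.0 1
route outside 0.0.0.0 0.0.0.0 10.254.254.1 1
"""

def lint_asa(config):
    # nameif -> interface address, ACL name -> ACEs, ACL name -> (direction, nameif) uses, default routes
    ifaces, acls, applied, defaults = {}, {}, {}, []
    cur_name = cur_ip = None
    for parts in (line.split() for line in config.splitlines()):
        if not parts:
            continue
        if parts[0] == "interface":                    # start of a new interface block
            cur_name = cur_ip = None
        elif parts[0] == "nameif":
            cur_name = parts[1]
        elif parts[:2] == ["ip", "address"] and len(parts) >= 4 and parts[2][0].isdigit():
            cur_ip = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}")
        elif parts[0] == "access-list" and len(parts) > 3 and parts[2] != "remark":
            acls.setdefault(parts[1], []).append(" ".join(parts[3:]))      # ACE without the name
        elif parts[0] == "access-group" and len(parts) >= 5:
            applied.setdefault(parts[1], []).append((parts[2], parts[4]))  # (direction, nameif)
        elif parts[0] == "route" and parts[2:4] == ["0.0.0.0", "0.0.0.0"]:
            defaults.append((parts[1], parts[4]))                          # (nameif, gateway)
        if cur_name and cur_ip:
            ifaces[cur_name] = cur_ip
    findings = []
    if len(defaults) > 1:
        findings.append("multiple default routes: " + ", ".join(gw for _, gw in defaults))
    for iface, gw in defaults:   # the gateway must be a host on that subnet, not the subnet address itself
        if iface in ifaces and ipaddress.ip_address(gw) == ifaces[iface].network.network_address:
            findings.append(f"default route via {gw} points at the {iface} network address, not a router")
    for name, aces in acls.items():
        if name not in applied:
            findings.append(f"access-list {name} is never applied with access-group (typo?)")
        # A protocol-wide 'permit ip|tcp|udp any any' inbound on outside lets the Internet initiate to inside hosts.
        broad = [a for a in aces if (w := a.split())[:1] == ["permit"] and len(w) == 4
                 and w[1] in ("ip", "tcp", "udp") and w[2:] == ["any", "any"]]
        for direction, iface in applied.get(name, []):
            if direction == "in" and iface == "outside" and broad:
                findings.append(f"{name} on outside admits unsolicited inbound traffic: {broad[0]}")
    return findings
```

On SAMPLE_CONFIG, lint_asa reports the two default routes, the 10.254.254.0 gateway and the unapplied OUTSIDE_IN list; the name check is exact because the ASA treats OUTSIDE_IN and OUTSIDE-IN as two different access-lists.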
SOLUTION
ASKER
Thanks guys. I'll take on all this advice, you've all been most helpful.
Lines 60 and 61: you've got two default routes established; remove one of them.
Next, can you ping from the ASA to the router's inside interface?
If so, can you ping from the ASA to the IP 4.2.2.1 (public name server)?
Your basic config looks okay on a brief look; check the above and then we can go from there.