Solved

Cisco ASA- can't connet to internet

Posted on 2009-07-08
10
644 Views
Last Modified: 2012-06-27
Hello all,

Just been tasked with implementing 5510 firewall for our company. I'm trying to test it with a bare minimum setup which includes:

 HOST-----ASA-------ROUTER (with usb 3G dongle)

+I can ping the router from the host.
+I can access the admin page of the router from the host
- Cannot acess the internet

The 10.2.150.0 host network is natted to 10.254.254.0.

I have a few ACL's which i have been playing around with but to no sucess. Anyone have any ideas why its not working? I've spent too long trying to do the simplest thing.
ASA Version 8.0(2)

!

hostname ciscoasa

enable password umg.ZnnYJgki8FK/ encrypted

names

!

interface Ethernet0/0

 nameif inside

 security-level 100

 ip address 10.2.150.1 255.255.255.0

!

interface Ethernet0/1

 nameif outside

 security-level 0

 ip address 10.254.254.2 255.255.255.0

!

interface Ethernet0/2

 shutdown

 no nameif

 no security-level

 no ip address

!

interface Ethernet0/3

 shutdown

 no nameif

 no security-level

 no ip address

!

interface Management0/0

 nameif management

 security-level 100

 ip address 192.168.1.1 255.255.255.0

 management-only

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

access-list INSIDE-OUT extended permit icmp any any

access-list INSIDE-OUT extended permit tcp any any

access-list INSIDE-OUT extended permit tcp any any eq www

access-list INSIDE-OUT extended permit ip any any

access-list OUTSIDE_IN extended permit tcp any any

access-list OUTSIDE-IN extended permit icmp any any

access-list OUTSIDE-IN extended permit tcp any any eq www

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-611.bin

no asdm history enable

arp timeout 14400

global (outside) 1 10.254.254.10-10.254.254.100

nat (inside) 1 0.0.0.0 0.0.0.0

access-group INSIDE-OUT in interface inside

access-group OUTSIDE-IN in interface outside

access-group OUTSIDE-IN out interface outside

route outside 0.0.0.0 0.0.0.0 10.254.254.0 1

route outside 0.0.0.0 0.0.0.0 10.254.254.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

no crypto isakmp nat-traversal

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

!

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

 parameters

  message-length maximum 512

policy-map global_policy

 class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:1f7d8d79bedc3ba7d6b992625a97bde3

: end

ciscoasa(config)#

Open in new window

0
Comment
Question by:Jmsdunn85
  • 4
  • 3
  • 2
  • +1
10 Comments
 
LVL 10

Expert Comment

by:atlas_shuddered
ID: 24807015
on line 59:  change the ACL to INSIDE-OUT
line 60 and 61 - you've got two default routes established - remove one of them.

next, can you ping from the ASA to the router inside interface?

If so, can you ping from the ASA to the ip 4.2.2.1 (public name server)

You're basic config looks okay on brief look, check the above and then we can go from there.
0
 
LVL 1

Author Comment

by:Jmsdunn85
ID: 24807185
atlas,

Thanks for the advice. I'll have a go at making those changes at work tomorrow.


0
 
LVL 15

Expert Comment

by:bignewf
ID: 24808123
just a note here --- by default the asa allows all traffic from inside to outside unless access lists restrict outbound traffic
no access-list INSIDE-OUT extended permit icmp any any
no access-list INSIDE-OUT extended permit tcp any any
no access-list INSIDE-OUT extended permit tcp any any eq www
no access-group INSIDE-OUT in interface inside

I have seen the above cause issues with outbound internet traffic


remove this:
no route outside 0.0.0.0 0.0.0.0 10.254.254.0 1  (this is the network itself, not the router interface)
keep this:
route outside 0.0.0.0 0.0.0.0 10.254.254.1 1  (if this is the public "inside" ip address of your internet router)

you must be able to ping the above ip of the router before checking other internet connectivity issues




0
 
LVL 15

Accepted Solution

by:
bignewf earned 125 total points
ID: 24808223
to allow pings through the firewall from the outside to the inside (this should be removed after testing)

these commands allow retrun messages thru the firewall when an inside user pings to an outsdie host. Other types of icmp messages are considered hostile by the asa and it will block all ohters

access-list outside-in permit icmp any any echo-reply
access-list outside-in permit icmp any any source-quench
access-list outside-in permit icmp any any unreachable
access-list outside-in permit icmp any any time-exceeded

access-group outside-in in interface outside

also, you can configure icmp inspection , which allows a trusted ip address to traverse the asa and allows a reply back to this trusted address only

policy-map global_policy
class inspection_default
inspect icmp

the above allows monitoring for icmp traffic traversing the asa (i.e ping of death attacks)

so you don't need this:
no access-list INSIDE-OUT extended permit icmp any any




0
 
LVL 1

Author Comment

by:Jmsdunn85
ID: 24811368
Ok,

Well i've made the changes recommended.

I can ping 4.2.2.1 from the ASA
I can ping 4.2.2.1 from the host
I can ping the inside router interface 10.254.254.1 from the ASA
I can ping the inside router interface 10.254.254.1 from the host.

I removed the ACL's that bignewf suggested which didn't solve the problem but at least cleaned up my ACL's. But still no web access.

Any ideas?
0
Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 1

Author Comment

by:Jmsdunn85
ID: 24811461
Ok to update you guys. Every time i had been testing the web from the host i had just clicked on IE and had google load up. However, i then tried browsing to google by its IP address instead of its DNS name and it worked!

Can you explain why DNS does not resolve www.google.com for anything behind the ASA? If i plug the host into the 10.254.254.x network it does resolve.
0
 
LVL 1

Expert Comment

by:munir_hayat
ID: 24811888
Apply this one will solve your problem of accessing internet

access-list OUTSIDE_IN extended permit ip any any
access-group OUTSIDE_IN in interface outside
0
 
LVL 15

Expert Comment

by:bignewf
ID: 24813135
As for DNS, you can do the following:

If you are using a windows network, on the dns server (usually the domain controller) on the forwarders tab on the properties of the dns server place the external ip addresses of the isp dns servers. Clear the dns cache, start and stop dns
Make sure all your dhcp clients have the dns server(s) in the dhcp scope
you might have to run ipconfig/flushdns  /registerdns on the clients afterwards to clear the dns resolver cache
make sure the asa has the dns servers in the config

as for an access-list outside_in permit ip any any  ---  you never want this statement in a firewall!
this allows all traffic from the outside to the inside and defeats the purpose of a firewall

since the asa allows all traffic from inside hosts to the outside, dns requests and http requests from clients will automatically reach the outside internet dns and webservers, unless blocked by access lists.
0
 
LVL 10

Assisted Solution

by:atlas_shuddered
atlas_shuddered earned 125 total points
ID: 24817486
The only other thing that I would note:

If you don't know your ISP DNS address, you can use 4.2.2.1/4.2.2.2/4.2.2.3/4.2.2.4

These are all root level DNS servers.  Only caution is only use them while trying to resolve ISP DNS - and depending on ISP, make sure they are giving you their commercial root server, not their residential and keep one of the 4 above as a failover/secondary.

Only thing else, newf is right, in theory the ASA architecture should allow you to send traffic from a higher to lower interface, however, depending on the version of you IOS, this can be buggy.  Keep your ACLs in the config, just not assigned, until you have validated the traffic passes as desired.
0
 
LVL 1

Author Closing Comment

by:Jmsdunn85
ID: 31601251
Thanks guys. I'll take on all this advice, you've all been most helpful.
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Suggested Solutions

This article will cover setting up redundant ISPs for outbound connectivity on an ASA 5510 (although the same should work on the 5520s and up as well).  It’s important to note that this covers outbound connectivity only.  The ASA does not have built…
Imagine you have a shopping list of items you need to get at the grocery store. You have two options: A. Take one trip to the grocery store and get everything you need for the week, or B. Take multiple trips, buying an item at a time, to achieve t…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now