Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Cisco ASA- can't connet to internet

Posted on 2009-07-08
10
Medium Priority
?
663 Views
Last Modified: 2012-06-27
Hello all,

Just been tasked with implementing 5510 firewall for our company. I'm trying to test it with a bare minimum setup which includes:

 HOST-----ASA-------ROUTER (with usb 3G dongle)

+I can ping the router from the host.
+I can access the admin page of the router from the host
- Cannot acess the internet

The 10.2.150.0 host network is natted to 10.254.254.0.

I have a few ACL's which i have been playing around with but to no sucess. Anyone have any ideas why its not working? I've spent too long trying to do the simplest thing.
ASA Version 8.0(2)
!
hostname ciscoasa
enable password umg.ZnnYJgki8FK/ encrypted
names
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 10.2.150.1 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 10.254.254.2 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list INSIDE-OUT extended permit icmp any any
access-list INSIDE-OUT extended permit tcp any any
access-list INSIDE-OUT extended permit tcp any any eq www
access-list INSIDE-OUT extended permit ip any any
access-list OUTSIDE_IN extended permit tcp any any
access-list OUTSIDE-IN extended permit icmp any any
access-list OUTSIDE-IN extended permit tcp any any eq www
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-611.bin
no asdm history enable
arp timeout 14400
global (outside) 1 10.254.254.10-10.254.254.100
nat (inside) 1 0.0.0.0 0.0.0.0
access-group INSIDE-OUT in interface inside
access-group OUTSIDE-IN in interface outside
access-group OUTSIDE-IN out interface outside
route outside 0.0.0.0 0.0.0.0 10.254.254.0 1
route outside 0.0.0.0 0.0.0.0 10.254.254.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1f7d8d79bedc3ba7d6b992625a97bde3
: end
ciscoasa(config)#

Open in new window

0
Comment
Question by:Jmsdunn85
  • 4
  • 3
  • 2
  • +1
10 Comments
 
LVL 10

Expert Comment

by:atlas_shuddered
ID: 24807015
on line 59:  change the ACL to INSIDE-OUT
line 60 and 61 - you've got two default routes established - remove one of them.

next, can you ping from the ASA to the router inside interface?

If so, can you ping from the ASA to the ip 4.2.2.1 (public name server)

You're basic config looks okay on brief look, check the above and then we can go from there.
0
 
LVL 1

Author Comment

by:Jmsdunn85
ID: 24807185
atlas,

Thanks for the advice. I'll have a go at making those changes at work tomorrow.


0
 
LVL 15

Expert Comment

by:bignewf
ID: 24808123
just a note here --- by default the asa allows all traffic from inside to outside unless access lists restrict outbound traffic
no access-list INSIDE-OUT extended permit icmp any any
no access-list INSIDE-OUT extended permit tcp any any
no access-list INSIDE-OUT extended permit tcp any any eq www
no access-group INSIDE-OUT in interface inside

I have seen the above cause issues with outbound internet traffic


remove this:
no route outside 0.0.0.0 0.0.0.0 10.254.254.0 1  (this is the network itself, not the router interface)
keep this:
route outside 0.0.0.0 0.0.0.0 10.254.254.1 1  (if this is the public "inside" ip address of your internet router)

you must be able to ping the above ip of the router before checking other internet connectivity issues




0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 15

Accepted Solution

by:
bignewf earned 500 total points
ID: 24808223
to allow pings through the firewall from the outside to the inside (this should be removed after testing)

these commands allow retrun messages thru the firewall when an inside user pings to an outsdie host. Other types of icmp messages are considered hostile by the asa and it will block all ohters

access-list outside-in permit icmp any any echo-reply
access-list outside-in permit icmp any any source-quench
access-list outside-in permit icmp any any unreachable
access-list outside-in permit icmp any any time-exceeded

access-group outside-in in interface outside

also, you can configure icmp inspection , which allows a trusted ip address to traverse the asa and allows a reply back to this trusted address only

policy-map global_policy
class inspection_default
inspect icmp

the above allows monitoring for icmp traffic traversing the asa (i.e ping of death attacks)

so you don't need this:
no access-list INSIDE-OUT extended permit icmp any any




0
 
LVL 1

Author Comment

by:Jmsdunn85
ID: 24811368
Ok,

Well i've made the changes recommended.

I can ping 4.2.2.1 from the ASA
I can ping 4.2.2.1 from the host
I can ping the inside router interface 10.254.254.1 from the ASA
I can ping the inside router interface 10.254.254.1 from the host.

I removed the ACL's that bignewf suggested which didn't solve the problem but at least cleaned up my ACL's. But still no web access.

Any ideas?
0
 
LVL 1

Author Comment

by:Jmsdunn85
ID: 24811461
Ok to update you guys. Every time i had been testing the web from the host i had just clicked on IE and had google load up. However, i then tried browsing to google by its IP address instead of its DNS name and it worked!

Can you explain why DNS does not resolve www.google.com for anything behind the ASA? If i plug the host into the 10.254.254.x network it does resolve.
0
 
LVL 1

Expert Comment

by:munir_hayat
ID: 24811888
Apply this one will solve your problem of accessing internet

access-list OUTSIDE_IN extended permit ip any any
access-group OUTSIDE_IN in interface outside
0
 
LVL 15

Expert Comment

by:bignewf
ID: 24813135
As for DNS, you can do the following:

If you are using a windows network, on the dns server (usually the domain controller) on the forwarders tab on the properties of the dns server place the external ip addresses of the isp dns servers. Clear the dns cache, start and stop dns
Make sure all your dhcp clients have the dns server(s) in the dhcp scope
you might have to run ipconfig/flushdns  /registerdns on the clients afterwards to clear the dns resolver cache
make sure the asa has the dns servers in the config

as for an access-list outside_in permit ip any any  ---  you never want this statement in a firewall!
this allows all traffic from the outside to the inside and defeats the purpose of a firewall

since the asa allows all traffic from inside hosts to the outside, dns requests and http requests from clients will automatically reach the outside internet dns and webservers, unless blocked by access lists.
0
 
LVL 10

Assisted Solution

by:atlas_shuddered
atlas_shuddered earned 500 total points
ID: 24817486
The only other thing that I would note:

If you don't know your ISP DNS address, you can use 4.2.2.1/4.2.2.2/4.2.2.3/4.2.2.4

These are all root level DNS servers.  Only caution is only use them while trying to resolve ISP DNS - and depending on ISP, make sure they are giving you their commercial root server, not their residential and keep one of the 4 above as a failover/secondary.

Only thing else, newf is right, in theory the ASA architecture should allow you to send traffic from a higher to lower interface, however, depending on the version of you IOS, this can be buggy.  Keep your ACLs in the config, just not assigned, until you have validated the traffic passes as desired.
0
 
LVL 1

Author Closing Comment

by:Jmsdunn85
ID: 31601251
Thanks guys. I'll take on all this advice, you've all been most helpful.
0

Featured Post

Veeam Task Manager for Hyper-V

Task Manager for Hyper-V provides critical information that allows you to monitor Hyper-V performance by displaying real-time views of CPU and memory at the individual VM-level, so you can quickly identify which VMs are using host resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There’s a movement in Information Technology (IT), and while it’s hard to define, it is gaining momentum. Some call it “stream-lined IT;” others call it “thin-model IT.”
You deserve ‘straight talk’ from your cloud provider about your risk, your costs, security, uptime and the processes that are in place to protect your mission-critical applications.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

963 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question