Solved

Cisco ASA

Posted on 2010-08-26
Last Modified: 2012-05-10
Hi.

I got a Cisco ASA 5505 and have configured it as simply as possible
just for use in a test network.

I got the IP address from my provider.
The DNS is the one we normally use (it works in my other router).
The PC I connect to the ASA gets the 10.100.2.x IP address, the gateway
and the DNS, but no connection to the internet.

Setup is attached.....

Thanks
ASA.txt
Question by:ok-fonden
23 Comments
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33534559
show ip --> and check you got the IP address from the ISP?

show route --> and see you get the correct gateway?

Try to ping that gateway IP from the ASA?

Try to ping the ISP DNS server IP from the ASA?

How are you testing the internet connection from the PC?

From the PC, try nslookup and see whether name resolution is happening, or use the IP address to browse.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 33534572
How are you testing? By pinging something?  If so, ICMP (ping) isn't allowed by default.

policy-map global_policy
 class inspection_default
  inspect icmp
0
 

Author Comment

by:ok-fonden
ID: 33534597
Got the IP and the gateway
Can't ping the DNS from ASA.
Try access website by IP
Will try the NSlookup

Thanks
0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33534706
Are you able to ping the gateway of the ASA from the ASA?

Give me the output of the commands below from the ASA:

show route
show ip

0
 

Author Comment

by:ok-fonden
ID: 33534736
I'll do that.
Have to switch ASA, so my connection will be lost :-)
Return in a while
0
 

Author Comment

by:ok-fonden
ID: 33534822
stema# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 81.161.188.1 to network 0.0.0.0

C    81.161.188.0 255.255.252.0 is directly connected, outside
C    127.1.0.0 255.255.0.0 is directly connected, _internal_loopback
C    10.100.20.0 255.255.255.0 is directly connected, inside
d*   0.0.0.0 0.0.0.0 [1/0] via 81.161.188.1, outside
stema# sh ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Vlan1                    inside                 10.100.20.1     255.255.255.0   CONFIG
Vlan2                    outside                81.161.188.174  255.255.252.0   DHCP  
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Vlan1                    inside                 10.100.20.1     255.255.255.0   CONFIG
Vlan2                    outside                81.161.188.174  255.255.252.0   DHCP  
0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33534858
Show me the nslookup from your PC (www.google.com)

0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 33534884
Your original config had 10.100.2.1 for the inside interface yet your "show ip" has 10.100.20.1.  If you changed addresses for the inside, did you update the DHCP config also?

no dhcpd address 10.100.2.100-10.100.2.120 inside
dhcpd address 10.100.20.100-10.100.20.120 inside

Make sure to do an ipconfig /release and ipconfig /renew afterwards.
0
 

Author Comment

by:ok-fonden
ID: 33534904
Sorry, yes I updated dhcpd and renewed IP
0
 

Author Comment

by:ok-fonden
ID: 33535012
C:\Documents and Settings\okfsma>nslookup www.google.dk
*** Can't find server name for address 194.239.134.83: Query refused
*** Can't find server name for address 193.162.153.164: Query refused
*** Default servers are not available
Server:  UnKnown
Address:  194.239.134.83

*** UnKnown can't find www.google.dk: Query refused
0
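Added example, not part of the original thread: the `Query refused` lines in the nslookup output above correspond to DNS response code 5 (REFUSED), which a server can only send after it has received the query. The Python sketch below separates that case from a timeout, where nothing comes back at all; `build_query`, `classify`, `probe` and the sample reply are names and data constructed for this illustration.

```python
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def build_query(name, txid=0x1234):
    """Minimal A/IN query with recursion desired (RD=1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def classify(reply, txid=0x1234):
    """Map a raw reply (None = nothing received) to (status, what it says about the path)."""
    if reply is None:
        return ("TIMEOUT", "no reply: dropped on the path or server unreachable")
    if len(reply) < 12:
        return ("MALFORMED", "shorter than a DNS header")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if rid != txid or not flags & 0x8000:
        return ("MALFORMED", "not a response to this query")
    rcode = RCODES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F))
    if rcode == "REFUSED":
        return (rcode, "server reached and answered; it declines to serve this client")
    if rcode == "NOERROR" and ancount:
        return (rcode, "resolved with %d answer record(s)" % ancount)
    return (rcode, "server reached; query not resolved")

def probe(server, name, timeout=3.0):
    """Live check against one resolver; returns the same tuple as classify()."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (server, 53))
            reply, _ = s.recvfrom(512)
        except OSError:  # includes socket.timeout
            reply = None
    return classify(reply)

def sample_refused():
    """Constructed reply: the query echoed back with QR=1, RD=1, RCODE=5."""
    q = build_query("www.google.dk")
    return q[:2] + struct.pack("!H", 0x8105) + q[4:]

if __name__ == "__main__":
    print(classify(sample_refused()))  # constructed data, no network needed
    print(classify(None))
```

Running `probe()` from a PC behind the firewall and again from a PC plugged straight into the same uplink shows whether the resolver's answer depends on the path or on the source address it sees.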
 

Author Comment

by:ok-fonden
ID: 33535020
On the ASA that is OK, the gateway and IP give the same result
with the SH ROUTE and SH IP commands
0

 
LVL 43

Expert Comment

by:JFrederick29
ID: 33535027
Try different DNS servers.  Try 4.4.4.2.
0
 

Author Comment

by:ok-fonden
ID: 33535089
Have tried other DNS servers with no result.
Returned to these ones, because we are using them in the entire org.
0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33535228
Try to browse with IP, e.g.:

http://173.194.37.104/

Your DNS servers are not responding to queries.
0
 

Author Comment

by:ok-fonden
ID: 33535302
Try that in a minute, but spooky, because our DNS server in the org
has those forwarders in the DNS server, and it works - weird
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 33535313
By the way, you can always try plugging this connection into a PC/Laptop and see if you can browse to verify the connection is fine.
0
 

Author Comment

by:ok-fonden
ID: 33535382
Think I look me blind, cause I always try that
but not this time cause this DNS works everywhere.
It worked by using direct IP.
Any suggestion why DNS doesn't work?

Thanks a lot - feels a little stupid :-)
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 33535419
Have you tried using the DNS servers your ISP gave you?

You can turn off the DNS inspection just in case the ASA doesn't like something.

conf t
policy-map global_policy
 class inspection_default
  no inspect dns preset_dns_map
0
 

Author Comment

by:ok-fonden
ID: 33535534
Have tried 8 different DNS servers now, and with the same result.
The NO inspect I just tried without success
0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33535627
Just check with your ISP?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 33535647
Did the 8 different DNS servers contain the ones provided to you by your ISP?
0
 

Author Comment

by:ok-fonden
ID: 33535650
Oki - thanks. These are closed now so I try in the morning
0
 

Accepted Solution

by:
ok-fonden earned 0 total points
ID: 33535666
No, the 8 DNS is some that I have tried before with success
The funny thing is that we use those in our DNS server
0
