  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 758

Cisco ASA

Hi.

I got a Cisco ASA 5505 and have configured it as simply as possible
just for use in a test network.

I got the IP address from my provider.
The DNS is the one we normally use (it works in my other router).
The PC I connect to the ASA gets the 10.100.2.x IP address, the gateway
and the DNS, but no connection to the internet.

Setup is attached.....

Thanks
ASA.txt
0
ok-fonden
1 Solution
 
anoopkmrCommented:
show ip --> and check you got the IP address from the ISP?

show route --> and see if you get the correct gateway?

Try to ping that gateway IP from the ASA.

Try to ping the ISP DNS server IP from the ASA.

How are you testing the internet connection from the PC?

From the PC, try nslookup and see whether name resolution is happening, or use the IP address to browse.
0
 
JFrederick29Commented:
How are you testing? By pinging something?  If so, ICMP (ping) isn't allowed by default.

policy-map global_policy
 class inspection_default
  inspect icmp
0
 
ok-fondenAuthor Commented:
Got the IP and the gateway
Can't ping the DNS from ASA.
Try access website by IP
Will try the NSlookup

Thanks
0
 
anoopkmrCommented:
Are you able to ping the gateway of the ASA from the ASA?

Give me the output of the commands below from the ASA:

show route
show ip

0
 
ok-fondenAuthor Commented:
I'll do that.
I have to switch the ASA, so my connection will be lost :-)
I'll return in a while.
0
 
ok-fondenAuthor Commented:
stema# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 81.161.188.1 to network 0.0.0.0

C    81.161.188.0 255.255.252.0 is directly connected, outside
C    127.1.0.0 255.255.0.0 is directly connected, _internal_loopback
C    10.100.20.0 255.255.255.0 is directly connected, inside
d*   0.0.0.0 0.0.0.0 [1/0] via 81.161.188.1, outside
stema# sh ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Vlan1                    inside                 10.100.20.1     255.255.255.0   CONFIG
Vlan2                    outside                81.161.188.174  255.255.252.0   DHCP  
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Vlan1                    inside                 10.100.20.1     255.255.255.0   CONFIG
Vlan2                    outside                81.161.188.174  255.255.252.0   DHCP  
0
 
anoopkmrCommented:
Show me the nslookup from your PC (www.google.com).

0
 
JFrederick29Commented:
Your original config had 10.100.2.1 for the inside interface yet your "show ip" has 10.100.20.1.  If you changed addresses for the inside, did you update the DHCP config also?

no dhcpd address 10.100.2.100-10.100.2.120 inside
dhcpd address 10.100.20.100-10.100.20.120 inside

Make sure to do an ipconfig /release and ipconfig /renew afterwards.
0
 
ok-fondenAuthor Commented:
Sorry, yes I updated dhcpd and renewed IP
0
 
ok-fondenAuthor Commented:
C:\Documents and Settings\okfsma>nslookup www.google.dk
*** Can't find server name for address 194.239.134.83: Query refused
*** Can't find server name for address 193.162.153.164: Query refused
*** Default servers are not available
Server:  UnKnown
Address:  194.239.134.83

*** UnKnown can't find www.google.dk: Query refused
0
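
An added example, not part of the thread or any poster's code: nslookup's "Query refused" corresponds to DNS response code 5 (REFUSED), which is a reply sent by the server, whereas a filtered or misrouted query produces no reply at all. This Python sketch decodes the response header to tell those cases apart; the function names and the sample bytes are constructed for illustration.

```python
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def build_query(name, txid=0x1234):
    """Minimal recursive (RD=1) query for an A record, class IN."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def parse_header(msg):
    """Decode the fixed 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": flags >> 15, "ra": (flags >> 7) & 1,
            "rcode": flags & 0xF, "answers": an}

def diagnose(query, response):
    """Classify the outcome; response is None when nothing came back."""
    if response is None:
        return "TIMEOUT: no reply; the query or its answer was lost on the path"
    hdr = parse_header(response)
    if not hdr["qr"] or hdr["id"] != parse_header(query)["id"]:
        return "MISMATCH: packet is not a response to this query"
    if hdr["rcode"] == 5:
        return "REFUSED: the server received the query and declined it by policy"
    if hdr["rcode"] == 0 and hdr["answers"]:
        return "NOERROR: resolved, %d answer record(s)" % hdr["answers"]
    name = RCODES.get(hdr["rcode"], "RCODE %d" % hdr["rcode"])
    return name + ": server replied without a usable answer"

def ask(server, name, timeout=3.0):
    """Send the query over UDP/53; returns (query, reply or None)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (server, 53))
            return query, s.recvfrom(512)[0]
        except OSError:  # timeout or ICMP unreachable
            return query, None

# Constructed sample reply (not captured traffic): header plus echoed question.
QUERY = build_query("www.google.dk")
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + QUERY[12:]
```

Calling `diagnose(*ask(server, "www.google.dk"))` against each configured resolver shows whether it answered with REFUSED or did not answer at all.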
 
ok-fondenAuthor Commented:
On the ASA that is OK, the gateway and IP give the same result
with the SH ROUTE and SH IP commands.
0
 
JFrederick29Commented:
Try different DNS servers.  Try 4.4.4.2.
0
 
ok-fondenAuthor Commented:
Have tried other DNS servers with no result.
Returned to these ones, because we are using them in the entire org.
0
 
anoopkmrCommented:
Try to browse with an IP, e.g.:

http://173.194.37.104/

Your DNS servers are not responding to queries.
0
 
ok-fondenAuthor Commented:
I'll try that in a minute, but spooky, because our DNS server in the org
has those forwarders in the DNS server, and it works - weird
0
 
JFrederick29Commented:
By the way, you can always try plugging this connection into a PC/Laptop and see if you can browse to verify the connection is fine.
0
 
ok-fondenAuthor Commented:
I think I stared myself blind, because I always try that,
but not this time because this DNS works everywhere.
It worked by using direct IP.
Any suggestion why DNS doesn't work?

Thanks a lot - feels a little stupid :-)
0
 
JFrederick29Commented:
Have you tried using the DNS servers your ISP gave you?

You can turn off the DNS inspection just in case the ASA doesn't like something.

conf t
policy-map global_policy
 class inspection_default
  no inspect dns preset_dns_map
0
 
ok-fondenAuthor Commented:
Have tried 8 different DNS servers now, and with same result.
The NO inspect I just tried without success.
0
 
anoopkmrCommented:
Just check with your ISP?
0
 
JFrederick29Commented:
Did the 8 different DNS servers contain the ones provided to you by your ISP?
0
 
ok-fondenAuthor Commented:
Oki - thanks. These are closed now so I try in the morning
0
 
ok-fondenAuthor Commented:
No, the 8 DNS servers are some that I have tried before with success.
The funny thing is that we use those in our DNS server.
0
