Solved

Can't Browse the Internet with ASA5505

Posted on 2011-03-07
Medium Priority
1,236 Views
Last Modified: 2012-05-11
I have a new ASA 5505 that I thought was all set up, but when I put it in place, although I can ping the inside interface and run ASDM to see its configuration, I cannot browse or connect through it to the Internet. The outside interface was set up to use DHCP, and I could see that it had acquired a legitimate IP address. I'll paste the running config below... preference would be given to identifying the solution via the ASDM GUI.. I want to learn to use that...
Thanks,

ASA Version 8.2(1)
!
hostname ciscoasa
domain-name GettoWork
enable password fhBiljvtJfXQfzkR encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name imagine
access-list name extended permit icmp any interface outside
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.0.0.50-10.0.0.70 inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username alan password 7oy/1PcLK9T5X6MY encrypted
!
!
prompt hostname context
Cryptochecksum:672f2173725d9cd2f9c0a222bbd93f53
: end
Question by:jab56
10 Comments
 
LVL 4

Expert Comment

by:CHutchins
ID: 35062819
FYI ASDM is awful. From a quick look as I am about to leave it looks good. You might try to ping 4.2.2.3 and see what happens.. if you get a reply you have a DNS issue.
On another quick glance it appears you created the inside VLAN but did not assign it to any ports.
 
LVL 1

Author Comment

by:jab56
ID: 35063007

Does DNS need to be set up within the firewall?? No, I can't ping anything beyond the inside interface.. not the outside interface, not the Internet. I have seen some kind of DNS error, but cannot tell you now, as the box is at home..
 
LVL 1

Expert Comment

by:question01
ID: 35064368
You haven't applied that access-list to the outside interface.
Log on to your ASA CLI:

ciscoasa# conf t
ciscoasa(config)# access-group name in interface outside

You might need to add an access list to the inside before it starts passing traffic.

ciscoasa(config)# access-list inside extended permit ip any any
ciscoasa(config)# access-group inside in interface inside

DNS does not need to be set up on the firewall. Your local computer or a web proxy should be doing that. Do you have a DNS server set in your IPv4 connection?
 
LVL 1

Author Comment

by:jab56
ID: 35065790

I'll try that question01.. I put that acl in because someone asked me to, but I don't know what it does...  Can you explain it for me please...
 
LVL 1

Expert Comment

by:question01
ID: 35090079
The ACL determines what traffic can pass through the interface it is applied to. It is a way to restrict traffic.

So for example, the following ACL applied to the outside interface inbound

deny ip host 10.0.10.1 host 192.168.1.1
deny ip host 10.0.10.2 host 192.168.1.1
deny ip host 10.0.10.3 host 192.168.1.1
permit ip any any

would deny the three hosts 10.0.10.1, 10.0.10.2 and 10.0.10.3 from talking to the inside host 192.168.1.1 but permit all other traffic.

So if you want to open up all traffic for the interface you apply the access list

permit ip any any

So permit any host to talk to any host on the protocol IP.

This would allow all traffic to flow through that interface.

Does that make sense?
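To make the first-match rule above concrete, here is an added Python example (not code from this thread and not a Cisco tool). It parses ACL entries written the way question01 wrote them, evaluates a packet against the list top to bottom, and falls through to the implicit deny when nothing matches. The entries and addresses are the ones from the post; the single-entry `deny ip any any` list is the "keep everything out" case discussed later in the thread.

```python
"""First-match evaluation of ASA-style extended ACL entries.

Added example (not from the thread or from Cisco): entries are tried top to
bottom, the first match wins, and a list that matches nothing ends in an
implicit deny.
"""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens, i):
    """Consume one address spec ('any', 'host A.B.C.D' or 'net mask') at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ANY, i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # dotted-decimal network followed by a dotted-decimal mask
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse one entry such as 'deny ip host 10.0.10.1 host 192.168.1.1'."""
    tokens = line.split()
    if tokens and tokens[0] == "extended":   # optional keyword after the list name
        tokens = tokens[1:]
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line!r}")
    src, i = _parse_addr(tokens, 2)
    dst, _ = _parse_addr(tokens, i)
    return Ace(tokens[0], tokens[1], src, dst)


def build_acl(lines):
    """Turn a list of entry strings into an ordered list of Ace objects."""
    return [parse_ace(l) for l in lines]


def evaluate(acl, proto, src_ip, dst_ip):
    """Return 'permit' or 'deny' for a packet; no match means the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s in ace.src and d in ace.dst:
            return ace.action    # first match wins; later entries are never consulted
    return "deny"


# The list question01 used as an illustration (constructed sample, inbound on outside).
EXAMPLE_ACL_LINES = [
    "deny ip host 10.0.10.1 host 192.168.1.1",
    "deny ip host 10.0.10.2 host 192.168.1.1",
    "deny ip host 10.0.10.3 host 192.168.1.1",
    "permit ip any any",
]

if __name__ == "__main__":
    acl = build_acl(EXAMPLE_ACL_LINES)
    for src, dst in [("10.0.10.2", "192.168.1.1"), ("10.0.10.2", "192.168.1.2"),
                     ("10.0.10.9", "192.168.1.1")]:
        print(src, "->", dst, evaluate(acl, "tcp", src, dst))
    # Same entries in the wrong order: the permit shadows every deny after it.
    print("reversed:", evaluate(list(reversed(acl)), "tcp", "10.0.10.2", "192.168.1.1"))
```

The reversed-list case is the point to take away: an ACL is not a set of rules but an ordered list, so a `permit ip any any` placed first silently disables every entry below it.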
 
LVL 1

Author Comment

by:jab56
ID: 35105924

I think I'm getting this... but not totally.
In my case, the firewall is the boundary to my home.. I want everything outside kept OUT - so what I want to say is deny any outside followed by permit any inside? Is that right?
Now, how do I say that in CLI?

And just a comment too - when I wrote "access-list name extended permit icmp any interface outside" I took someone literally. In place of "name" above wouldn't it be more appropriate, and still syntactically correct, to say "access-list keepout extended permit icmp any interface outside"? And frankly, I really don't care about ICMP. I just want the outside kept out.

I appreciate the feedback.. much thanks.
 
LVL 1

Accepted Solution

by:
question01 earned 1000 total points
ID: 35161408
Hi Jab,

Sorry for the late reply.
Yep you are correct 'name' can be any word. It is what the list is named.  

On the outside interface you want the following.

firewall(config)# access-list keepout deny ip any any
This creates an access list with one entry which denies all traffic which originates from the outside.

firewall(config)# access-group keepout in interface outside
This applies access list 'keepout' to the outside interface. Now all traffic originating from the outside of the firewall will be blocked. Note: Return traffic will be allowed to return into the firewall. So if you visit a web server from a computer on the inside, the return traffic will be allowed despite the outside access list saying deny all traffic. This is because the firewall keeps a connection table and allows return traffic on sessions established from the inside.

Have you got it all working?

One other thing I noticed is that you might need a route in there.
firewall(config)# route outside 0.0.0.0 0.0.0.0 <next hop>
This will say 'route all traffic to the outside via next hop'. The 0.0.0.0 0.0.0.0 means any network. You have to enter the next hop IP address of your ISP.
Because your internal network is connected and connected routes override static routes it will route appropriate traffic to the inside and the rest to the outside.

The other thing is what are you connecting to? The firewall won't connect to a DSL or Cable connection or anything like that. You will need a router to do that.
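The three gaps raised in this thread (an access-list that is defined but never bound with access-group, no default route, and a VLAN interface with no port assigned to it) can be checked mechanically against a saved running-config. The script below is an added example, not a Cisco utility and not code from this thread; it parses a trimmed copy of the config jab56 posted, embedded inline. Two facts the checks rely on: with `ip address dhcp` the ASA only installs the default gateway learned from DHCP when the `setroute` keyword is present, so a static `route outside 0.0.0.0 0.0.0.0 <next-hop>` is the alternative; and on the 5505 a switch port with no explicit `switchport access vlan` belongs to VLAN 1, so the Vlan1 finding is reported as informational rather than as an error.

```python
"""Static sanity checks on an ASA 8.2-style running-config.

Added example, not a Cisco tool and not code from the thread. It looks for an
access-list that is never bound with access-group, the absence of a usable
default route, and a named VLAN interface with no explicit switch-port member.
"""
import re

# Trimmed copy of the config jab56 posted (only the lines the checks look at).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp
!
interface Ethernet0/0
 switchport access vlan 2
!
access-list name extended permit icmp any interface outside
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
"""


def parse_interfaces(config):
    """Return {interface name: [sub-commands]} for every 'interface ...' stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1]
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None          # '!' or a global command ends the stanza
    return stanzas


def audit(config):
    """Return a list of 'WARN: ...' / 'INFO: ...' strings; empty means nothing found."""
    findings = []
    lines = config.splitlines()
    stanzas = parse_interfaces(config)
    nameifs = {}                    # nameif -> (interface name, sub-commands)
    for ifname, sub in stanzas.items():
        for cmd in sub:
            if cmd.startswith("nameif "):
                nameifs[cmd.split()[1]] = (ifname, sub)

    # 1. access-lists that exist but are not applied to any interface.
    defined = {m.group(1) for l in lines if (m := re.match(r"access-list (\S+)\s", l))}
    applied = {m.group(1) for l in lines if (m := re.match(r"access-group (\S+)\s", l))}
    for name in sorted(defined - applied):
        findings.append(f"WARN: access-list '{name}' is defined but never applied with access-group")

    # 2. A default route: static, or learned from DHCP via the 'setroute' keyword.
    static_default = any(re.match(r"route \S+ 0\.0\.0\.0 0\.0\.0\.0\s", l) for l in lines)
    outside = nameifs.get("outside")
    dhcp_default = outside is not None and "ip address dhcp setroute" in outside[1]
    if not static_default and not dhcp_default:
        findings.append("WARN: no default route; add 'route outside 0.0.0.0 0.0.0.0 <next-hop>' "
                        "or 'ip address dhcp setroute' on the outside interface")

    # 3. Named VLAN interfaces with no 'switchport access vlan N' on any port.
    #    On the 5505 unassigned ports fall into VLAN 1, so for Vlan1 this is informational.
    assigned = {m.group(1) for l in lines if (m := re.match(r"\s*switchport access vlan (\d+)$", l))}
    for nameif, (ifname, _) in nameifs.items():
        m = re.match(r"Vlan(\d+)$", ifname)
        if m and m.group(1) not in assigned:
            level = "INFO" if m.group(1) == "1" else "WARN"
            findings.append(f"{level}: {ifname} ({nameif}) has no explicit switchport member")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the posted config it reports the unbound `name` ACL and the missing default route; appending an `access-group` line and a static default route (or adding `setroute` to the outside interface) clears both warnings, which is a quick way to confirm the intended fix before applying it to the box.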
 
LVL 1

Author Comment

by:jab56
ID: 35161458

Great reply... On the other hand I'm quite surprised. I'm connecting to a DSL modem, so the IP address on the outside comes from my ISP (And has been successful at receiving that)..

i've been so swamped that I haven't had the time to do anything, but I have 3 off days coming up, so I hope to get some time for that this weekend...
Thanks Question
 
LVL 1

Expert Comment

by:question01
ID: 35162816
No worries.

With the connection I mean the firewall won't connect straight to a DSL connection, as in to the socket in the wall. That connection needs to be terminated by a modem and your firewall is plugged into the modem, which I think you have obviously figured out ;)
 
LVL 1

Author Comment

by:jab56
ID: 35184880
I'm gonna just award points and officially finish this post, although, I still haven't had the chance to do more work on the configuration.. If I still have problems I'll post here again...
thanks again
Alan
