Solved

Can't Browse the Internet with ASA5505

Posted on 2011-03-07
10
1,228 Views
Last Modified: 2012-05-11
I have a new ASA 5505 that I thought was all set up, but when I put it in place, although I can ping the inside int and run ASDM to see its configuration, I cannot browse or connect through it to the Internet. The outside interface was set up to use DHCP, and I could see that it had acquired a legitimate IP address. I'll paste the running config below... preference would be given to IDing the solution via the ASDM GUI.. I want to learn to use that...
thanks,

ASA Version 8.2(1)
!
hostname ciscoasa
domain-name GettoWork
enable password fhBiljvtJfXQfzkR encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name imagine
access-list name extended permit icmp any interface outside
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.0.0.50-10.0.0.70 inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username alan password 7oy/1PcLK9T5X6MY encrypted
!
!
prompt hostname context
Cryptochecksum:672f2173725d9cd2f9c0a222bbd93f53
: end
0
Question by:jab56
10 Comments
 
LVL 4

Expert Comment

by:CHutchins
ID: 35062819
FYI, ASDM is awful. From a quick look as I am about to leave, it looks good. You might try to ping 4.2.2.3 and see what happens.. if you get a reply you have a DNS issue.
On another quick glance it appears you created the inside vlan but did not assign it to any ports.
0
 
LVL 1

Author Comment

by:jab56
ID: 35063007

Does DNS need to be set up within the firewall?? No, I can't ping anything beyond the inside interface.. not the outside interface, not the Internet. I have seen some kind of DNS error, but cannot tell you now, as the box is at home..
0
 
LVL 1

Expert Comment

by:question01
ID: 35064368
You haven't applied that access-list to the outside interface.
Log on to your ASA CLI:

#conf t
#access-group name in interface outside

You might need to add an access list to the inside before it starts passing traffic.

#access-list inside extended permit ip any any
#access-group inside in interface inside

DNS does not need to be setup with the firewall. Your local computer or a web proxy should be doing that. Do you have a dns server set in your ipv4 connection?
0
 
LVL 1

Author Comment

by:jab56
ID: 35065790

I'll try that question01.. I put that acl in because someone asked me to, but I don't know what it does...  Can you explain it for me please...
0
 
LVL 1

Expert Comment

by:question01
ID: 35090079
The ACL determines what traffic can pass through the interface it is applied to.  It is a way to restrict traffic.

So for example  

The following ACL applied to the outside interface inbound

deny ip host 10.0.10.1 host 192.168.1.1
deny ip host 10.0.10.2 host 192.168.1.1
deny ip host 10.0.10.3 host 192.168.1.1
permit ip any any

Would deny the three hosts 10.0.10.1, 10.0.10.2 and 10.0.10.3 from talking to the inside host 192.168.1.1 but permit all other traffic.

So if you want to open up all traffic for the interface you apply the access list

permit ip any any

So permit any host to talk to any host on the protocol IP.

This would allow all traffic to flow through that interface.

Does that make sense?





0
 
LVL 1

Author Comment

by:jab56
ID: 35105924

I think I'm getting this...but not totally.
In my case, the firewall is the boundary to my home.. I want everything outside kept OUT - so what I want to say is deny any outside followed by permit any inside? Is that right?
Now, how do I say that in CLI.

And just a comment too -  when I wrote "access-list name extended permit icmp any interface outside " I took someone literally. In place of name above wouldn't it be more appropriate, and still syntactically correct to say "access-list keepout extended permit icmp any interface outside ". And frankly, I really don't care about icmp. I just want the outside kept out.

I appreciate the feedback.. much thanks.
0
 
LVL 1

Accepted Solution

by:
question01 earned 250 total points
ID: 35161408
Hi Jab,

Sorry for the late reply.
Yep you are correct 'name' can be any word. It is what the list is named.  

On the outside interface you want the following.

firewall(config)# access-list keepout extended deny ip any any
This creates an access list with one entry which denies all traffic which originates from the outside.

firewall(config)# access-group keepout in interface outside
This applies access list 'keepout' to the outside interface. Now all traffic originating from the outside of the firewall will be blocked. Note: Return traffic will be allowed to return into the firewall. So if you visit a web server from a computer on the inside, the return traffic will be allowed despite the outside access list saying deny all traffic. This is because the firewall keeps a connection table and allows return traffic on sessions established from the inside.

Have you got it all working?

One other thing I noticed is that you might need a route in there.
firewall(config)# route outside 0.0.0.0 0.0.0.0 <next-hop>
This will say 'route all traffic to the outside via next-hop'. The 0.0.0.0 0.0.0.0 means any network. You have to enter the next hop IP address of your ISP.
Because your internal network is connected and connected routes override static routes, it will route appropriate traffic to the inside and the rest to the outside.

The other thing is what are you connecting to? The firewall won't connect to a DSL or Cable connection or anything like that. You will need a router to do that.

 


0
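As an added example (not from the thread or from Cisco), a small Python audit that checks a pasted ASA 8.2 running config for the three conditions the replies raise: an access-list that is never applied with access-group, a named VLAN with no member switchport, and an outside interface on DHCP with no default route (on the ASA, `ip address dhcp` only installs the DHCP-learned default route when the `setroute` keyword is present). The config excerpt is constructed from the one posted above; the function name and messages are mine.

```python
import re

# Constructed excerpt modelled on the running config posted in the question (hypothetical sample).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 ip address dhcp
!
interface Ethernet0/0
 switchport access vlan 2
!
access-list name extended permit icmp any interface outside
"""
ACL_RE = re.compile(r"^access-list (\S+) ")
GROUP_RE = re.compile(r"^access-group (\S+) ")
VLAN_RE = re.compile(r"^interface Vlan(\d+)$")
PORT_RE = re.compile(r"^ switchport access vlan (\d+)$")
ROUTE_RE = re.compile(r"^route \S+ 0\.0\.0\.0 0\.0\.0\.0 ")

def audit_asa_config(text):
    """Return findings for the three problems raised in this thread."""
    lines = text.splitlines()
    findings = []
    # 1. Access lists that exist but were never bound to an interface.
    acls = {m.group(1) for m in map(ACL_RE.match, lines) if m}
    applied = {m.group(1) for m in map(GROUP_RE.match, lines) if m}
    for acl in sorted(acls - applied):
        findings.append(f"access-list '{acl}' is defined but never applied with access-group")
    # 2. Named VLANs with no member port (VLAN 1 is the 5505 switchport default and is not shown in config).
    members = {int(m.group(1)) for m in map(PORT_RE.match, lines) if m} | {1}
    named, dhcp_ifaces, vlan = {}, [], None
    for line in lines:
        if m := VLAN_RE.match(line):
            vlan = int(m.group(1))
        elif line.startswith("interface ") or line == "!":
            vlan = None
        elif vlan is not None and line.startswith(" nameif "):
            named[vlan] = line.split()[1]
        elif vlan is not None and line == " ip address dhcp":
            dhcp_ifaces.append(named.get(vlan, f"Vlan{vlan}"))
    for vid, name in sorted(named.items()):
        if vid not in members:
            findings.append(f"Vlan{vid} ({name}) has no switchport assigned to it")
    # 3. 'ip address dhcp' alone installs no default route; it needs 'setroute' or a static 'route outside 0.0.0.0 0.0.0.0 <hop>'.
    if dhcp_ifaces and not any(map(ROUTE_RE.match, lines)):
        findings.append(f"{', '.join(dhcp_ifaces)}: 'ip address dhcp' without 'setroute' and no static default route")
    return findings
```

Run against the posted config, the audit reports the unapplied access-list and the missing default route but not the VLAN 1 membership, since the Ethernet ports sit in VLAN 1 by default.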
 
LVL 1

Author Comment

by:jab56
ID: 35161458

Great reply... On the other hand I'm quite surprised. I'm connecting to a DSL modem, so the IP address on the outside comes from my ISP (And has been successful at receiving that)..

I've been so swamped that I haven't had the time to do anything, but I have 3 off days coming up, so I hope to get some time for that this weekend...
Thanks Question
0
 
LVL 1

Expert Comment

by:question01
ID: 35162816
no worries.

With the connection I mean the firewall won't connect straight to a DSL connection, as in into the socket in the wall. That connection needs to be terminated by a modem, and your firewall is plugged into the modem, which I think you have obviously figured out ;)
 
0
 
LVL 1

Author Comment

by:jab56
ID: 35184880
I'm gonna just award points and officially finish this post, although, I still haven't had the chance to do more work on the configuration.. If I still have problems I'll post here again...
thanks again
Alan
0
