Status: Solved

Unable to access the internet when connecting to Cisco ASA 5505 through a switch

I am able to browse the internet from a PC when connecting directly to the Cisco ASA 5505, but I am unable to browse the internet when I connect the Cisco ASA 5505 through a switch.

I have a similar setup for a PIX 506e and that works fine. The ASA is setup with static IPs on the inside and outside ports.

Can anyone help?
Asked by: pysak
1 Solution
 
Ernie Beek commented:
So what kind of switch is it and how is it configured?

BTW it seems you posted this question twice, might want to close one :)
 
Kruno Džoić (System Engineer) commented:
when you connect asa to switch, can you ping ASA from another PC connected to same switch ?
 
pysak (Author) commented:
It is a 3COM switch, default configuration.

Here is more info on the setup.

Leased line from BT connected to the network through Cisco 1800

                Cisco 1800 internal port (Subnet A)
                              |
                         3COM switch
            _________________|_________________
            |                |                |
   ASA outside port    ASA inside port        PC
     (Subnet A)          (Subnet B)       (Subnet B)

From the ASA I can ping a Google IP address and the local PC IP address

From the local PC I can ping the ASA inside port, but the Google IP address
 
anoopkmr commented:
Kindly show the ASA config.
 
pysak (Author) commented:
ASA Version 8.3(1)
!
hostname ciscoasa
enable password XXXXXX encrypted
passwd XXXXXX encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.9 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 62.XXX.XXX.83 255.255.255.240
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network HTTPServer
 host 192.168.0.8
 description HTTP Server
access-list outside_access_in remark HTTP access
access-list outside_access_in extended permit tcp any object HTTPServer eq www
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj_any
 nat (inside,outside) dynamic interface
object network HTTPServer
 nat (inside,outside) static interface service tcp www www
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 62.XXX.XXX.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
 
anoopkmr commented:
try like this

object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface

 
anoopkmr commented:
also for the  internal web server

object network HTTPServer
 host x.x.x.x (internal server IP)
 nat (inside,outside) static interface service tcp www www

 
pysak (Author) commented:
Ran those commands through hypertrm but this has not allowed me to browse the web when using the inside ASA port as a default gateway.
 
anoopkmr commented:
Post your new config.
 
pysak (Author) commented:
ASA Version 8.3(1)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.9 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 62.172.32.83 255.255.255.240
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network HTTPServer
 host 192.168.0.8
 description HTTP Server
access-list outside_access_in remark HTTP access
access-list outside_access_in extended permit tcp any object HTTPServer eq www
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj_any
 nat (inside,outside) dynamic interface
object network HTTPServer
 nat (inside,outside) static interface service tcp www www
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 62.172.32.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:55b987a5098ca3d739b707e1a9a1292f
: end
 
pysak (Author) commented:
Anyone?
 
Ernie Beek commented:
So you have connected the in- and outside ports of the ASA through the 3Com (at least so it looks from your drawing)?
Any specific reason for that?
 
pysak (Author) commented:
The BT leased line is connected to the 3Com switch.

I have a Cisco PIX 506e which has both interfaces connected to the 3Com switch and forwards port 80 traffic to Web Server A. The outside interface of the PIX has a publicly available IP, the inside interface is part of the LAN.

I now have a new Web Server - Web Server B. I appear to have configured the ASA to function in the same way as the PIX, but for some reason it does not work.

I presume there is something I can do to make it function in the same way as the PIX, the ASA is supposed to be a replacement for the PIX after all.

 
Ernie Beek commented:
When you look at the (ASDM) logs when trying to browse, is anything showing up in there?
 
pysak (Author) commented:
Here is the entry.

2      Oct 10 2011      03:49:31      106007      192.168.0.39      52146      DNS            Deny inbound UDP from 192.168.0.39/52146 to 194.72.6.57/53 due to DNS Query
 
Ernie Beek commented:
DNS, ok.

So you can't connect/ping by name (like www.google.com).
Can you connect/ping by ip (like 8.8.8.8)?
 
Ernie Beek commented:
Oh, for pinging you might want to add:

policy-map global_policy
 class inspection_default
  inspect icmp
 
Ernie Beek commented:
Looking at it, perhaps http as well:

policy-map global_policy
 class inspection_default
  inspect http
 
pysak (Author) commented:
I get this message when pinging from my PC:
6      Oct 10 2011      04:15:54      302021      209.85.169.147      0      192.168.0.39      1      Teardown ICMP connection for faddr 209.85.169.147/0 gaddr 62.172.32.83/33793 laddr 192.168.0.39/1

This is what I get when pinging from the ASA via ASDM
Sending 5, 100-byte ICMP Echos to 209.85.169.147, timeout is 2 seconds:
?!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 10/15/20 ms
 
Ernie Beek commented:
Just to check, you did add the inspect rules?
 
pysak (Author) commented:
Yes I have.

Here is the section from the running config:

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect http

I have tried setting the internal interface of ASA as the default gateway and set the domain controller as the DNS server and I am still unable to browse the web:

3      Oct 10 2011      04:47:55      710003      192.168.0.39      52055      192.168.0.9      443      TCP access denied by ACL from 192.168.0.39/52055 to outside:192.168.0.9/443

4      Oct 10 2011      04:47:57      106023      192.168.0.39      53621      209.85.169.99      80      Deny tcp src outside:192.168.0.39/53621 dst outside:209.85.169.99/80 by access-group "outside_access_in" [0x0, 0x0]
 
Ernie Beek commented:
Mmmh, looks like your inside traffic is hitting the outside interface. You might want to have a look at the configuration of the 3Com...
Or just hook up the outside interface of the ASA directly to the 1800.
Like I asked before, any specific reason why you set it up like this?
 
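Ernie Beek's reading of those two log lines (inside-sourced packets arriving on the outside interface) can be checked mechanically. The script below is an added example and is not from the thread, from Cisco, or from any poster; it parses the four ASDM log lines the author posted (copied here with the column spacing collapsed), takes the interface subnets from the posted config, and reports any packet whose source address belongs to one interface's subnet but was received on another. The line layouts and message-id meanings are assumptions based only on the lines shown, not a general ASA syslog parser.

```python
"""Flag ASA log events whose source address arrived on the wrong interface.

Added example, not from the thread or from Cisco. Interface subnets come from
the posted running config; log lines are the ones the author posted.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Interface addressing as in the posted config (inside Vlan1, outside Vlan2).
INTERFACES = {
    "inside": ipaddress.ip_network("192.168.0.0/24"),
    "outside": ipaddress.ip_network("62.172.32.80/28"),
}

# Meaning of the message IDs seen in the thread (assumed from the lines shown).
MESSAGE_IDS = {
    "106007": "inbound UDP denied (DNS guard)",
    "106023": "packet denied by access-group",
    "302021": "ICMP connection torn down",
    "710003": "connection to the ASA itself denied",
}

# Matches "from A/p to [ifc:]B/q" (106007, 710003) and "src ifc:A/p dst ifc:B/q" (106023).
_FLOW = re.compile(
    r"(?:src|from)\s+(?:(?P<sifc>\w+):)?(?P<src>\d{1,3}(?:\.\d{1,3}){3})/\d+"
    r"\s+(?:dst|to)\s+(?:(?P<difc>\w+):)?(?P<dst>\d{1,3}(?:\.\d{1,3}){3})/\d+"
)

# The four ASDM lines posted in the thread, whitespace collapsed.
SAMPLE_LOG = [
    "2 Oct 10 2011 03:49:31 106007 192.168.0.39 52146 DNS Deny inbound UDP from 192.168.0.39/52146 to 194.72.6.57/53 due to DNS Query",
    "6 Oct 10 2011 04:15:54 302021 209.85.169.147 0 192.168.0.39 1 Teardown ICMP connection for faddr 209.85.169.147/0 gaddr 62.172.32.83/33793 laddr 192.168.0.39/1",
    "3 Oct 10 2011 04:47:55 710003 192.168.0.39 52055 192.168.0.9 443 TCP access denied by ACL from 192.168.0.39/52055 to outside:192.168.0.9/443",
    '4 Oct 10 2011 04:47:57 106023 192.168.0.39 53621 209.85.169.99 80 Deny tcp src outside:192.168.0.39/53621 dst outside:209.85.169.99/80 by access-group "outside_access_in" [0x0, 0x0]',
]


@dataclass
class Event:
    msg_id: str
    meaning: str
    src: Optional[str]
    dst: Optional[str]
    ingress: Optional[str]  # interface the ASA received the packet on, when logged
    text: str


def parse_line(line: str) -> Event:
    """Parse one ASDM line: severity, month, day, year, time, message id, columns, text."""
    fields = line.split()
    msg_id = fields[5]
    src = dst = ingress = None
    m = _FLOW.search(line)
    if m:
        src, dst = m.group("src"), m.group("dst")
        # 106023 names the ingress interface on the source side, 710003 on the destination side.
        ingress = m.group("sifc") or m.group("difc")
    return Event(msg_id, MESSAGE_IDS.get(msg_id, "unknown"), src, dst, ingress, line.strip())


def owning_interface(addr: str) -> Optional[str]:
    """Return the interface whose connected subnet contains addr, or None."""
    ip = ipaddress.ip_address(addr)
    for name, net in INTERFACES.items():
        if ip in net:
            return name
    return None


def misplaced_sources(lines):
    """(msg_id, src, expected interface, actual interface) for every event whose source
    address belongs to one interface's subnet but was received on a different one.
    That is the symptom in this thread: inside hosts reaching the ASA on 'outside'."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.src is None or ev.ingress is None:
            continue  # 106007 and 302021 carry no interface name; nothing to compare
        expected = owning_interface(ev.src)
        if expected is not None and expected != ev.ingress:
            findings.append((ev.msg_id, ev.src, expected, ev.ingress))
    return findings


if __name__ == "__main__":
    for msg_id, src, expected, actual in misplaced_sources(SAMPLE_LOG):
        print(f"{msg_id}: {src} belongs to '{expected}' but arrived on '{actual}'")
```

Run as-is it lists the 710003 and 106023 events as inside addresses arriving on outside; the 106007 and 302021 lines carry no interface name and are skipped. The same check exists on the ASA itself as interface reverse-path verification (`ip verify reverse-path interface outside`), which drops such packets at the interface rather than letting them reach the outside ACL, so enabling it would have turned these ACL denies into a clearer spoof-drop counter.
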
pysak (Author) commented:
If I connect the outside interface to the 1800, I will only be able to forward port 80 traffic to one server won't I?

I need to be able to host websites on two different servers on the leased line.
 
Ernie Beek commented:
Looking at your config it seems you have multiple public addresses. Isn't it a possibility to use a second public for the second website?
 
pysak (Author) commented:
Do you mean using two ethernet adapters on each server? One for local access and one for external access?
 
Ernie Beek commented:
Not quite.
I see you already have set up a nat for one webserver that is at the inside network (the 192.168.0.8), right?
So you can create a similar nat for the second webserver.
I'm assuming here that the webservers indeed are at the inside network.
 
pysak (Author) commented:
It's working correctly now.

The network spans across two switches: a Mitel switch for telephony and a 3Com for PCs. The two switches are connected via ethernet; in the past it has not mattered which switch you connect a device to, it just works as one switch.

In this case I had to ensure the inside interface went into the 3Com switch (same switch as leased line connection) and that the inside interface and web server went into the Mitel switch. I don't think I'll ever understand why that makes a difference, but it does.

Thanks for all your help.
 
pysak (Author) commented:
Issue resolved.
