mshaikh22
Having issues browsing the internet on my PC, which is connected to a Cisco ASA 5505
Hi Experts,
I am having issues browsing the internet from my PC, which is connected to a Cisco ASA 5505. Can you please have a look at my config, as I believe I might be missing something?
my pc ip is 10.68.0.15
Thank you,
mshaikh22
Config
! Review notes are the lines beginning with "!" (IOS/ASA-style comment lines; the device ignores them).
! Summary: outbound PAT for the inside subnet is present ("nat (inside,outside) dynamic interface"), so
! NAT is not what is missing. The most likely cause of failed browsing is DNS: "dhcpd dns 10.68.0.5" hands
! LAN clients the ASA's own inside address as their DNS server, and the ASA does not run a DNS server.
! Second defect: "service-policy global-policy global" applies a policy-map that carries no inspections;
! the inspections are attached to the differently spelled "global_policy" and are therefore not in effect.
ASA Version 8.4(3)
!
terminal width 511
hostname fw0
! Both secrets appear blank in this paste - presumably redacted before posting; confirm they are set on the device.
enable password
passwd
! "no names" turns off name-to-address substitution in output; the name entries below are defined but not displayed.
no names
name 10.68.0.18 dc1
name 10.68.0.19 dc2
name 10.68.0.15 mgmt-server_inside
name 10.68.0.20 e1
name 10.68.0.21 e2
name 10.68.0.30 vc
dns-guard
!
! Port-to-VLAN mapping: Ethernet0/0 -> VLAN 20 (outside), Ethernet0/1 -> default VLAN 1 (inside), Ethernet0/2 -> VLAN 10 (SAN).
interface Ethernet0/0
description outside
switchport access vlan 20
!
interface Ethernet0/1
description inside
!
interface Ethernet0/2
description san
switchport access vlan 10
!
! Ethernet0/3 through 0/7 are administratively down.
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
switchport trunk allowed vlan 1
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 10.68.0.5 255.255.255.0
!
interface Vlan10
nameif SAN
security-level 50
ip address 10.0.0.1 255.255.255.0
!
interface Vlan20
nameif outside
security-level 0
! "setroute" installs the default route learned from the ISP's DHCP lease, so no static default route is needed.
ip address dhcp setroute
!
boot system disk0:/asa843-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
! These resolvers are used by the ASA itself (FQDN lookups etc.); they are NOT what DHCP clients receive - see "dhcpd dns" below.
dns domain-lookup outside
dns server-group DefaultDNS
name-server 194.168.4.100
name-server 194.168.8.100
same-security-traffic permit inter-interface
! Lets traffic enter and leave the same interface; required by the (inside,inside) NAT rule further down.
same-security-traffic permit intra-interface
object network mgmt-server_inside
host 10.68.0.15
object network sw0_inside
host 10.68.0.200
object network vcenter_inside
host 10.68.0.30
! 10.68.0.96/28 = 10.68.0.96-111, the range the VPN pool "Inside" draws from (ASDM-generated identity-NAT object).
object network NETWORK_OBJ_10.68.0.96_28
subnet 10.68.0.96 255.255.255.240
object network san_subnet
subnet 10.0.0.0 255.255.255.0
! inside_anysubnet and inside_subnet are identical; one carries the SAN PAT and the other the outside PAT.
object network inside_anysubnet
subnet 10.68.0.0 255.255.255.0
object network inside_subnet
subnet 10.68.0.0 255.255.255.0
object network excas01_inside
host 10.68.0.61
! The three object-groups below are not referenced by any access-list or NAT rule in this config.
object-group network esxi-hosts_inside
network-object host 10.68.0.20
network-object host 10.68.0.21
object-group network inside-subnet
network-object 10.68.0.0 255.255.255.0
object-group network san1-subnet
network-object 10.0.0.0 255.255.255.0
! inside_in is never applied with access-group, so inside-to-outside traffic follows the default security-level rule (100 -> 0 allowed).
access-list inside_in extended permit icmp any any
! This echo-reply ACE is what lets ping replies back in, because "inspect icmp" is not actually in effect (see policy-map notes below).
access-list outside_in extended permit icmp any any echo-reply
! Internet-exposed services from "any" source: RDP to 10.68.0.15, SMTP to 10.68.0.61, port 5480, and telnet to the switch.
! RDP and cleartext telnet reachable from every Internet address is a large exposure; restrict the source or reach them over the VPN.
access-list outside_in extended permit tcp any host 10.68.0.15 eq 3389
access-list outside_in extended permit tcp any host 10.68.0.61 eq smtp
! Mismatch: the 5480 static NAT below maps to vcenter_inside (10.68.0.30), but this ACE permits 10.68.0.22.
! On 8.3+ the ACL matches the real (untranslated) address, so port 5480 currently falls through to the final deny.
access-list outside_in extended permit tcp any host 10.68.0.22 eq 5480
access-list outside_in extended permit tcp any host 10.68.0.200 eq telnet
access-list outside_in extended deny ip any any log
! Only echo-reply is allowed in on SAN, so SAN hosts cannot initiate anything through the ASA despite security-level 50.
access-list san_in extended permit icmp any any echo-reply
pager lines 30
! Logging goes to the ASDM buffer only; no syslog host is configured, so events are not retained off-box.
logging enable
logging asdm informational
mtu inside 1500
mtu SAN 1500
mtu outside 1500
! VPN address pool 10.68.0.100-110 overlaps the LAN DHCP range 10.68.0.100-131 ("dhcpd address" below); address conflicts are possible.
ip local pool Inside 10.68.0.100-10.68.0.110 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
asdm history enable
arp timeout 2400
! Twice-NAT identity rule for inside traffic destined to the VPN pool range (ASDM-generated); it does not affect Internet traffic.
nat (inside,inside) source static any any destination static NETWORK_OBJ_10.68.0.96_28 NETWORK_OBJ_10.68.0.96_28 no-proxy-arp route-lookup
!
! Static port forwards on the outside interface address (object NAT).
object network mgmt-server_inside
nat (inside,outside) static interface service tcp 3389 3389
object network sw0_inside
nat (inside,outside) static interface service tcp telnet telnet
object network vcenter_inside
nat (inside,outside) static interface service tcp 5480 5480
object network inside_anysubnet
nat (inside,SAN) dynamic interface
object network inside_subnet
! Outbound PAT for the whole inside subnet - this is the rule that gives LAN hosts Internet access.
nat (inside,outside) dynamic interface
object network excas01_inside
nat (inside,outside) static interface service tcp smtp smtp
access-group san_in in interface SAN
access-group outside_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
! Garbled in the paste (stray space); on the device this is "dynamic-access-policy-record DfltAccessPolicy".
dynamic-access-policy-reco rd DfltAccessPolicy
user-identity default-domain LOCAL
! SSH authenticates against the local user database. No "aaa authentication http console LOCAL" is present, so
! ASDM/HTTPS logins presumably fall back to the enable password - confirm on the device.
aaa authentication ssh console LOCAL
http server enable
http 10.68.0.0 255.255.255.0 inside
! ASDM is reachable from 192.168.0.0/24 via the outside interface; confirm this range is really one you control.
http 192.168.0.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 10.68.0.0 255.255.255.0 inside
! SSH management is open to every Internet source; restrict this to known management addresses.
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh version 2
! 0 means console sessions never time out.
console timeout 0
management-access inside
! DNS handed to DHCP clients is the ASA's own inside address. The ASA does not serve DNS, so clients cannot
! resolve names; point this at real resolvers (e.g. the DefaultDNS servers above) or remove it.
dhcpd dns 10.68.0.5
! auto_config would pass the ISP-learned DNS servers to clients, but I believe the explicit "dhcpd dns" above takes precedence.
dhcpd auto_config outside
!
dhcpd address 10.68.0.100-10.68.0.131 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
! Config backups go over TFTP (cleartext, no authentication) to the management PC.
tftp-server inside 10.68.0.15 fw0.txt
! AnyConnect SSL VPN is terminated on both inside and outside.
webvpn
enable inside
enable outside
! Garbled in the paste (stray space); the package name is most likely "disk0:/sslclient-win-1.1.0.154.pkg".
anyconnect image disk0:/sslclient-win-1.1.0 .154.pkg 2
anyconnect enable
tunnel-group-list enable
tunnel-group-preference group-url
group-policy DfltGrpPolicy attributes
! 192.168.2.1 is not in any network defined on this ASA; VPN clients probably cannot resolve names either.
dns-server value 192.168.2.1
group-policy GroupPolicy_remote-vpn internal
group-policy GroupPolicy_remote-vpn attributes
wins-server none
dns-server value 192.168.2.1
vpn-tunnel-protocol ssl-client
default-domain none
! Local accounts. Their password hashes are published in this post and should be treated as exposed - rotate them.
username admin password lP6/r5JV6SQg/pjK encrypted privilege 15
username mshaikh password 2YMuQ2Ler5aiagGM encrypted
tunnel-group remote-vpn type remote-access
tunnel-group remote-vpn general-attributes
address-pool Inside
default-group-policy GroupPolicy_remote-vpn
tunnel-group remote-vpn webvpn-attributes
group-alias remote-vpn enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
! NOTE the underscore: this policy-map carries all of the inspections ...
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
! ... but this hyphenated one is the policy "service-policy ... global" applies, so none of the inspections above are active.
! Fix: either move the inspections here or change the service-policy line to reference global_policy.
policy-map global-policy
class class-default
user-statistics accounting
!
service-policy global-policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
! Garbled in the paste; the checksum is a single contiguous hex string on the device.
Cryptochecksum:ff9f5c1528a 0e1e5a56ac 55d68b6715 b
: end
I am having issues browsing the internet from my PC, which is connected to a Cisco ASA 5505. Can you please have a look at my config, as I believe I might be missing something?
my pc ip is 10.68.0.15
Thank you,
mshaikh22
Config
! Review notes are the lines beginning with "!" (IOS/ASA-style comment lines; the device ignores them).
! This is a second rendering of the same configuration posted above; a few lines are truncated in this copy.
! Summary: outbound PAT for the inside subnet is present ("nat (inside,outside) dynamic interface"), so
! NAT is not what is missing. The most likely cause of failed browsing is DNS: "dhcpd dns 10.68.0.5" hands
! LAN clients the ASA's own inside address as their DNS server, and the ASA does not run a DNS server.
! Second defect: "service-policy global-policy global" applies a policy-map that carries no inspections;
! the inspections are attached to the differently spelled "global_policy" and are therefore not in effect.
ASA Version 8.4(3)
!
terminal width 511
hostname fw0
! Both secrets appear blank in this paste - presumably redacted before posting; confirm they are set on the device.
enable password
passwd
! "no names" turns off name-to-address substitution in output; the name entries below are defined but not displayed.
no names
name 10.68.0.18 dc1
name 10.68.0.19 dc2
name 10.68.0.15 mgmt-server_inside
name 10.68.0.20 e1
name 10.68.0.21 e2
name 10.68.0.30 vc
dns-guard
!
! Port-to-VLAN mapping: Ethernet0/0 -> VLAN 20 (outside), Ethernet0/1 -> default VLAN 1 (inside), Ethernet0/2 -> VLAN 10 (SAN).
interface Ethernet0/0
description outside
switchport access vlan 20
!
interface Ethernet0/1
description inside
!
interface Ethernet0/2
description san
switchport access vlan 10
!
! Ethernet0/3 through 0/7 are administratively down.
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
switchport trunk allowed vlan 1
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 10.68.0.5 255.255.255.0
!
interface Vlan10
nameif SAN
security-level 50
ip address 10.0.0.1 255.255.255.0
!
interface Vlan20
nameif outside
security-level 0
! "setroute" installs the default route learned from the ISP's DHCP lease, so no static default route is needed.
ip address dhcp setroute
!
boot system disk0:/asa843-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
! These resolvers are used by the ASA itself (FQDN lookups etc.); they are NOT what DHCP clients receive - see "dhcpd dns" below.
dns domain-lookup outside
dns server-group DefaultDNS
name-server 194.168.4.100
name-server 194.168.8.100
same-security-traffic permit inter-interface
! Lets traffic enter and leave the same interface; required by the (inside,inside) NAT rule further down.
same-security-traffic permit intra-interface
object network mgmt-server_inside
host 10.68.0.15
object network sw0_inside
host 10.68.0.200
object network vcenter_inside
host 10.68.0.30
! 10.68.0.96/28 = 10.68.0.96-111, the range the VPN pool "Inside" draws from (ASDM-generated identity-NAT object).
object network NETWORK_OBJ_10.68.0.96_28
subnet 10.68.0.96 255.255.255.240
object network san_subnet
subnet 10.0.0.0 255.255.255.0
! inside_anysubnet and inside_subnet are identical; one carries the SAN PAT and the other the outside PAT.
object network inside_anysubnet
subnet 10.68.0.0 255.255.255.0
object network inside_subnet
subnet 10.68.0.0 255.255.255.0
object network excas01_inside
host 10.68.0.61
! The three object-groups below are not referenced by any access-list or NAT rule in this config.
object-group network esxi-hosts_inside
network-object host 10.68.0.20
network-object host 10.68.0.21
object-group network inside-subnet
network-object 10.68.0.0 255.255.255.0
object-group network san1-subnet
network-object 10.0.0.0 255.255.255.0
! inside_in is never applied with access-group, so inside-to-outside traffic follows the default security-level rule (100 -> 0 allowed).
access-list inside_in extended permit icmp any any
! This echo-reply ACE is what lets ping replies back in, because "inspect icmp" is not actually in effect (see policy-map notes below).
access-list outside_in extended permit icmp any any echo-reply
! Internet-exposed services from "any" source: RDP to 10.68.0.15, SMTP to 10.68.0.61, port 5480, and telnet to the switch.
! RDP and cleartext telnet reachable from every Internet address is a large exposure; restrict the source or reach them over the VPN.
access-list outside_in extended permit tcp any host 10.68.0.15 eq 3389
access-list outside_in extended permit tcp any host 10.68.0.61 eq smtp
! Mismatch: the 5480 static NAT below maps to vcenter_inside (10.68.0.30), but this ACE permits 10.68.0.22.
! On 8.3+ the ACL matches the real (untranslated) address, so port 5480 currently falls through to the final deny.
access-list outside_in extended permit tcp any host 10.68.0.22 eq 5480
access-list outside_in extended permit tcp any host 10.68.0.200 eq telnet
access-list outside_in extended deny ip any any log
! Only echo-reply is allowed in on SAN, so SAN hosts cannot initiate anything through the ASA despite security-level 50.
access-list san_in extended permit icmp any any echo-reply
pager lines 30
! Logging goes to the ASDM buffer only; no syslog host is configured, so events are not retained off-box.
logging enable
logging asdm informational
mtu inside 1500
mtu SAN 1500
mtu outside 1500
! VPN address pool 10.68.0.100-110 overlaps the LAN DHCP range 10.68.0.100-131 ("dhcpd address" below); address conflicts are possible.
ip local pool Inside 10.68.0.100-10.68.0.110 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
asdm history enable
arp timeout 2400
! Twice-NAT identity rule for inside traffic destined to the VPN pool range (ASDM-generated); it does not affect Internet traffic.
nat (inside,inside) source static any any destination static NETWORK_OBJ_10.68.0.96_28 NETWORK_OBJ_10.68.0.96_28 no-proxy-arp route-lookup
!
! Static port forwards on the outside interface address (object NAT).
object network mgmt-server_inside
nat (inside,outside) static interface service tcp 3389 3389
object network sw0_inside
nat (inside,outside) static interface service tcp telnet telnet
object network vcenter_inside
nat (inside,outside) static interface service tcp 5480 5480
object network inside_anysubnet
nat (inside,SAN) dynamic interface
object network inside_subnet
! Outbound PAT for the whole inside subnet - this is the rule that gives LAN hosts Internet access.
nat (inside,outside) dynamic interface
object network excas01_inside
nat (inside,outside) static interface service tcp smtp smtp
access-group san_in in interface SAN
access-group outside_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
! Truncated in this copy; on the device this is "dynamic-access-policy-record DfltAccessPolicy".
dynamic-access-policy-reco
user-identity default-domain LOCAL
! SSH authenticates against the local user database. No "aaa authentication http console LOCAL" is present, so
! ASDM/HTTPS logins presumably fall back to the enable password - confirm on the device.
aaa authentication ssh console LOCAL
http server enable
http 10.68.0.0 255.255.255.0 inside
! ASDM is reachable from 192.168.0.0/24 via the outside interface; confirm this range is really one you control.
http 192.168.0.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 10.68.0.0 255.255.255.0 inside
! SSH management is open to every Internet source; restrict this to known management addresses.
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh version 2
! 0 means console sessions never time out.
console timeout 0
management-access inside
! DNS handed to DHCP clients is the ASA's own inside address. The ASA does not serve DNS, so clients cannot
! resolve names; point this at real resolvers (e.g. the DefaultDNS servers above) or remove it.
dhcpd dns 10.68.0.5
! auto_config would pass the ISP-learned DNS servers to clients, but I believe the explicit "dhcpd dns" above takes precedence.
dhcpd auto_config outside
!
dhcpd address 10.68.0.100-10.68.0.131 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
! Config backups go over TFTP (cleartext, no authentication) to the management PC.
tftp-server inside 10.68.0.15 fw0.txt
! AnyConnect SSL VPN is terminated on both inside and outside.
webvpn
enable inside
enable outside
! Truncated in this copy; the first rendering shows the rest of the package name and the ordinal.
anyconnect image disk0:/sslclient-win-1.1.0
anyconnect enable
tunnel-group-list enable
tunnel-group-preference group-url
group-policy DfltGrpPolicy attributes
! 192.168.2.1 is not in any network defined on this ASA; VPN clients probably cannot resolve names either.
dns-server value 192.168.2.1
group-policy GroupPolicy_remote-vpn internal
group-policy GroupPolicy_remote-vpn attributes
wins-server none
dns-server value 192.168.2.1
vpn-tunnel-protocol ssl-client
default-domain none
! Local accounts. Their password hashes are published in this post and should be treated as exposed - rotate them.
username admin password lP6/r5JV6SQg/pjK encrypted privilege 15
username mshaikh password 2YMuQ2Ler5aiagGM encrypted
tunnel-group remote-vpn type remote-access
tunnel-group remote-vpn general-attributes
address-pool Inside
default-group-policy GroupPolicy_remote-vpn
tunnel-group remote-vpn webvpn-attributes
group-alias remote-vpn enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
! NOTE the underscore: this policy-map carries all of the inspections ...
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
! ... but this hyphenated one is the policy "service-policy ... global" applies, so none of the inspections above are active.
! Fix: either move the inspections here or change the service-policy line to reference global_policy.
policy-map global-policy
class class-default
user-statistics accounting
!
service-policy global-policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
! Truncated in this copy; the full checksum appears in the first rendering above.
Cryptochecksum:ff9f5c1528a
: end
Can you post logs or a screenshot of the packet tracer to show what might be happening when you access the Internet?
Is the 10.68.0.15 the only machine that is giving you issues?
What exactly are the issues?
When you look at the (ASDM) log when trying to browse from that machine, does anything show?
What exactly are the issues?
When you look at the (ASDM) log when trying to browse from that machine, does anything show?
ASKER
Hi rauenpc and erniebeek,
Thanks a lot for all of your help. I have managed to get internet access by entering a public DNS address.
I need to re-enable VPN on the Cisco ASA firewall, since I removed it from the config. Can you please let me know how to do that? I feel a bit uneasy about using ASDM again: it puts nothing but garbage in the config, which breaks things.
I need to enable vpn to connect to the machines using anyconnect.
Thanks a lot for your help
mshaikh
Thanks a lot for all of your help. I have managed to get internet access by entering a public DNS address.
I need to re-enable VPN on the Cisco ASA firewall, since I removed it from the config. Can you please let me know how to do that? I feel a bit uneasy about using ASDM again: it puts nothing but garbage in the config, which breaks things.
I need to enable vpn to connect to the machines using anyconnect.
Thanks a lot for your help
mshaikh
The best thing is to follow Cisco's instructions on that:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_anyconnect.html
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/svc.html
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml
But there are also other good examples:
http://www.techrepublic.com/blog/networking/eight-easy-steps-to-cisco-asa-remote-access-setup/1201
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_anyconnect.html
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/svc.html
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml
But there are also other good examples:
http://www.techrepublic.com/blog/networking/eight-easy-steps-to-cisco-asa-remote-access-setup/1201
ASKER
Issue is resolved
ASKER
Thanks a lot for that. I have managed to remove the twice NAT rule and the VPN pool. I am still having issues accessing the internet from 10.68.0.15.
I would really appreciate your help on this. Also, could you please tell me which NAT rules in the config need to be removed?
thank you,
mshaikh
Here's the latest config:
fw0# sh run
: Saved
:
! Review notes are the lines beginning with "!" (IOS/ASA-style comment lines; the device ignores them).
! Compared with the first posting, the twice-NAT rule, its NETWORK_OBJ object, and the VPN group-policies and
! tunnel-group are gone. Two things that matter for this thread are unchanged: "dhcpd dns 10.68.0.5" still hands
! LAN clients the ASA's own address as DNS server (the ASA does not serve DNS, so browsing by name still fails),
! and "service-policy global-policy global" still applies the policy-map with no inspections.
ASA Version 8.4(3)
!
terminal width 511
hostname fw0
! The enable secret and the login password share one hash, and that hash is published in this post - rotate both.
enable password Tsl/J9j8WiXkNxtS encrypted
passwd Tsl/J9j8WiXkNxtS encrypted
! "no names" turns off name-to-address substitution in output; the name entries below are defined but not displayed.
no names
name 10.68.0.18 dc1
name 10.68.0.19 dc2
name 10.68.0.15 mgmt-server_inside
name 10.68.0.20 e1
name 10.68.0.21 e2
name 10.68.0.30 vc
dns-guard
!
! Port-to-VLAN mapping: Ethernet0/0 -> VLAN 20 (outside), Ethernet0/1 -> default VLAN 1 (inside), Ethernet0/2 -> VLAN 10 (SAN).
interface Ethernet0/0
description outside
switchport access vlan 20
!
interface Ethernet0/1
description inside
!
interface Ethernet0/2
description san
switchport access vlan 10
!
! Ethernet0/3 through 0/7 are administratively down.
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
switchport trunk allowed vlan 1
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 10.68.0.5 255.255.255.0
!
interface Vlan10
nameif SAN
security-level 50
ip address 10.0.0.1 255.255.255.0
!
interface Vlan20
nameif outside
security-level 0
! "setroute" installs the default route learned from the ISP's DHCP lease, so no static default route is needed.
ip address dhcp setroute
!
boot system disk0:/asa843-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
! These resolvers are used by the ASA itself (FQDN lookups etc.); they are NOT what DHCP clients receive - see "dhcpd dns" below.
dns domain-lookup outside
dns server-group DefaultDNS
name-server 194.168.4.100
name-server 194.168.8.100
same-security-traffic permit inter-interface
! No longer needed by any NAT rule now that the (inside,inside) twice-NAT rule has been removed; harmless to keep.
same-security-traffic permit intra-interface
object network mgmt-server_inside
host 10.68.0.15
object network sw0_inside
host 10.68.0.200
object network vcenter_inside
host 10.68.0.30
object network san_subnet
subnet 10.0.0.0 255.255.255.0
! inside_anysubnet and inside_subnet are identical; one carries the SAN PAT and the other the outside PAT.
object network inside_anysubnet
subnet 10.68.0.0 255.255.255.0
object network inside_subnet
subnet 10.68.0.0 255.255.255.0
object network excas01_inside
host 10.68.0.61
! The three object-groups below are not referenced by any access-list or NAT rule in this config.
object-group network esxi-hosts_inside
network-object host 10.68.0.20
network-object host 10.68.0.21
object-group network inside-subnet
network-object 10.68.0.0 255.255.255.0
object-group network san1-subnet
network-object 10.0.0.0 255.255.255.0
! inside_in is never applied with access-group, so inside-to-outside traffic follows the default security-level rule (100 -> 0 allowed).
access-list inside_in extended permit icmp any any
! This echo-reply ACE is what lets ping replies back in, because "inspect icmp" is not actually in effect (see policy-map notes below).
access-list outside_in extended permit icmp any any echo-reply
! Internet-exposed services from "any" source: RDP to 10.68.0.15, SMTP to 10.68.0.61, port 5480, and telnet to the switch.
! RDP and cleartext telnet reachable from every Internet address is a large exposure; restrict the source or reach them over the VPN.
access-list outside_in extended permit tcp any host 10.68.0.15 eq 3389
access-list outside_in extended permit tcp any host 10.68.0.61 eq smtp
! Mismatch: the 5480 static NAT below maps to vcenter_inside (10.68.0.30), but this ACE permits 10.68.0.22.
! On 8.3+ the ACL matches the real (untranslated) address, so port 5480 currently falls through to the final deny.
access-list outside_in extended permit tcp any host 10.68.0.22 eq 5480
access-list outside_in extended permit tcp any host 10.68.0.200 eq telnet
access-list outside_in extended deny ip any any log
! Only echo-reply is allowed in on SAN, so SAN hosts cannot initiate anything through the ASA despite security-level 50.
access-list san_in extended permit icmp any any echo-reply
pager lines 30
! Logging goes to the ASDM buffer only; no syslog host is configured, so events are not retained off-box.
logging enable
logging asdm informational
mtu inside 1500
mtu SAN 1500
mtu outside 1500
! The VPN address pool is still defined (and still overlaps the LAN DHCP range 10.68.0.100-131 below), but nothing references it now.
ip local pool Inside 10.68.0.100-10.68.0.110 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
asdm history enable
arp timeout 2400
!
! Static port forwards on the outside interface address (object NAT).
object network mgmt-server_inside
nat (inside,outside) static interface service tcp 3389 3389
object network sw0_inside
nat (inside,outside) static interface service tcp telnet telnet
object network vcenter_inside
nat (inside,outside) static interface service tcp 5480 5480
object network inside_anysubnet
nat (inside,SAN) dynamic interface
object network inside_subnet
! Outbound PAT for the whole inside subnet - this is the rule that gives LAN hosts Internet access; it does not need removing.
nat (inside,outside) dynamic interface
object network excas01_inside
nat (inside,outside) static interface service tcp smtp smtp
access-group san_in in interface SAN
access-group outside_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
! Truncated in the paste; on the device this is "dynamic-access-policy-record DfltAccessPolicy".
dynamic-access-policy-reco
user-identity default-domain LOCAL
! SSH authenticates against the local user database. No "aaa authentication http console LOCAL" is present, so
! ASDM/HTTPS logins presumably fall back to the enable password - confirm on the device.
aaa authentication ssh console LOCAL
http server enable
http 10.68.0.0 255.255.255.0 inside
! ASDM is reachable from 192.168.0.0/24 via the outside interface; confirm this range is really one you control.
http 192.168.0.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 10.68.0.0 255.255.255.0 inside
! SSH management is open to every Internet source; restrict this to known management addresses.
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh version 2
! 0 means console sessions never time out.
console timeout 0
management-access inside
! Still the ASA's own inside address. The ASA does not serve DNS, so DHCP clients cannot resolve names; this is
! consistent with the Internet still being unreachable from 10.68.0.15. Point it at real resolvers or remove it.
dhcpd dns 10.68.0.5
! auto_config would pass the ISP-learned DNS servers to clients, but I believe the explicit "dhcpd dns" above takes precedence.
dhcpd auto_config outside
!
dhcpd address 10.68.0.100-10.68.0.131 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
! Config backups go over TFTP (cleartext, no authentication) to the management PC.
tftp-server inside 10.68.0.15 fw0.txt
! AnyConnect is still enabled on inside and outside, but no group-policy or tunnel-group remains, so connections
! would land on the built-in defaults. Consider "no enable outside" until the VPN is rebuilt.
webvpn
enable inside
enable outside
! Truncated in the paste; the first posting shows the rest of the package name and the ordinal.
anyconnect image disk0:/sslclient-win-1.1.0
anyconnect enable
tunnel-group-list enable
tunnel-group-preference group-url
! Local accounts. Their password hashes are published in this post and should be treated as exposed - rotate them.
username admin password lP6/r5JV6SQg/pjK encrypted privilege 15
username mshaikh password 2YMuQ2Ler5aiagGM encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
! NOTE the underscore: this policy-map carries all of the inspections ...
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
! ... but this hyphenated one is the policy "service-policy ... global" applies, so none of the inspections above are active.
! Fix: either move the inspections here or change the service-policy line to reference global_policy.
policy-map global-policy
class class-default
user-statistics accounting
!
service-policy global-policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
! Truncated in the paste; the checksum is a single contiguous hex string on the device.
Cryptochecksum:8568524f53e
: end