Solved

Having issues browsing the internet on my pc, that is connected to a cisco asa 5505

Posted on 2012-12-29
7
371 Views
Last Modified: 2013-07-03
Hi Experts,

I am having issues browsing to the internet on my pc that is connected to a cisco asa 5505. Can you please have a look at my config as I believe I might be missing something,

my pc ip is 10.68.0.15

Thank you,

mshaikh22

Config
ASA Version 8.4(3)
!
terminal width 511
hostname fw0
enable password
passwd
no names
name 10.68.0.18 dc1
name 10.68.0.19 dc2
name 10.68.0.15 mgmt-server_inside
name 10.68.0.20 e1
name 10.68.0.21 e2
name 10.68.0.30 vc
dns-guard
!
interface Ethernet0/0
 description outside
 switchport access vlan 20
!
interface Ethernet0/1
 description inside
!
interface Ethernet0/2
 description san
 switchport access vlan 10
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 switchport trunk allowed vlan 1
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.68.0.5 255.255.255.0
!
interface Vlan10
 nameif SAN
 security-level 50
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan20
 nameif outside
 security-level 0
 ip address dhcp setroute
!
boot system disk0:/asa843-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 194.168.4.100
 name-server 194.168.8.100
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network mgmt-server_inside
 host 10.68.0.15
object network sw0_inside
 host 10.68.0.200
object network vcenter_inside
 host 10.68.0.30
object network NETWORK_OBJ_10.68.0.96_28
 subnet 10.68.0.96 255.255.255.240
object network san_subnet
 subnet 10.0.0.0 255.255.255.0
object network inside_anysubnet
 subnet 10.68.0.0 255.255.255.0
object network inside_subnet
 subnet 10.68.0.0 255.255.255.0
object network excas01_inside
 host 10.68.0.61
object-group network esxi-hosts_inside
 network-object host 10.68.0.20
 network-object host 10.68.0.21
object-group network inside-subnet
 network-object 10.68.0.0 255.255.255.0
object-group network san1-subnet
 network-object 10.0.0.0 255.255.255.0
access-list inside_in extended permit icmp any any
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended permit tcp any host 10.68.0.15 eq 3389
access-list outside_in extended permit tcp any host 10.68.0.61 eq smtp
access-list outside_in extended permit tcp any host 10.68.0.22 eq 5480
access-list outside_in extended permit tcp any host 10.68.0.200 eq telnet
access-list outside_in extended deny ip any any log
access-list san_in extended permit icmp any any echo-reply
pager lines 30
logging enable
logging asdm informational
mtu inside 1500
mtu SAN 1500
mtu outside 1500
ip local pool Inside 10.68.0.100-10.68.0.110 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
asdm history enable
arp timeout 2400
nat (inside,inside) source static any any destination static NETWORK_OBJ_10.68.0.96_28 NETWORK_OBJ_10.68.0.96_28 no-proxy-arp route-lookup
!
object network mgmt-server_inside
 nat (inside,outside) static interface service tcp 3389 3389
object network sw0_inside
 nat (inside,outside) static interface service tcp telnet telnet
object network vcenter_inside
 nat (inside,outside) static interface service tcp 5480 5480
object network inside_anysubnet
 nat (inside,SAN) dynamic interface
object network inside_subnet
 nat (inside,outside) dynamic interface
object network excas01_inside
 nat (inside,outside) static interface service tcp smtp smtp
access-group san_in in interface SAN
access-group outside_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.68.0.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 10.68.0.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh version 2
console timeout 0
management-access inside

dhcpd dns 10.68.0.5
dhcpd auto_config outside
!
dhcpd address 10.68.0.100-10.68.0.131 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server inside 10.68.0.15 fw0.txt
webvpn
 enable inside
 enable outside
 anyconnect image disk0:/sslclient-win-1.1.0.154.pkg 2
 anyconnect enable
 tunnel-group-list enable
 tunnel-group-preference group-url
group-policy DfltGrpPolicy attributes
 dns-server value 192.168.2.1
group-policy GroupPolicy_remote-vpn internal
group-policy GroupPolicy_remote-vpn attributes
 wins-server none
 dns-server value 192.168.2.1
 vpn-tunnel-protocol ssl-client
 default-domain none
username admin password lP6/r5JV6SQg/pjK encrypted privilege 15
username mshaikh password 2YMuQ2Ler5aiagGM encrypted
tunnel-group remote-vpn type remote-access
tunnel-group remote-vpn general-attributes
 address-pool Inside
 default-group-policy GroupPolicy_remote-vpn
tunnel-group remote-vpn webvpn-attributes
 group-alias remote-vpn enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
policy-map global-policy
 class class-default
  user-statistics accounting
!
service-policy global-policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:ff9f5c1528a0e1e5a56ac55d68b6715b
: end
0
Comment
Question by:mshaikh22
  • 3
  • 2
  • 2
7 Comments
 
LVL 20

Accepted Solution

by:
rauenpc earned 500 total points
Comment Utility
Your nonat / twice nat should be (inside,outside). Also, I don't recommend using a VPN pool that overlaps any inside network.
0
 

Author Comment

by:mshaikh22
Comment Utility
Hi Rauenpc,

Thanks a lot for that. I have managed to remove the twice nat rule and the vpn pool. I am still having issues accessing the internet from 10.68.0.15.

Would really appreciate your help on this. Plus, could you please tell me the no nat rules from the config that need to be removed.


thank you,

mshaikh



heres the latest config

fw0# sh run
: Saved
:
ASA Version 8.4(3)
!
terminal width 511
hostname fw0
enable password Tsl/J9j8WiXkNxtS encrypted
passwd Tsl/J9j8WiXkNxtS encrypted
no names
name 10.68.0.18 dc1
name 10.68.0.19 dc2
name 10.68.0.15 mgmt-server_inside
name 10.68.0.20 e1
name 10.68.0.21 e2
name 10.68.0.30 vc
dns-guard
!
interface Ethernet0/0
 description outside
 switchport access vlan 20
!
interface Ethernet0/1
 description inside
!
interface Ethernet0/2
 description san
 switchport access vlan 10
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 switchport trunk allowed vlan 1
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.68.0.5 255.255.255.0
!
interface Vlan10
 nameif SAN
 security-level 50
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan20
 nameif outside
 security-level 0
 ip address dhcp setroute
!
boot system disk0:/asa843-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 194.168.4.100
 name-server 194.168.8.100
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network mgmt-server_inside
 host 10.68.0.15
object network sw0_inside
 host 10.68.0.200
object network vcenter_inside
 host 10.68.0.30
object network san_subnet
 subnet 10.0.0.0 255.255.255.0
object network inside_anysubnet
 subnet 10.68.0.0 255.255.255.0
object network inside_subnet
 subnet 10.68.0.0 255.255.255.0
object network excas01_inside
 host 10.68.0.61
object-group network esxi-hosts_inside
 network-object host 10.68.0.20
 network-object host 10.68.0.21
object-group network inside-subnet
 network-object 10.68.0.0 255.255.255.0
object-group network san1-subnet
 network-object 10.0.0.0 255.255.255.0
access-list inside_in extended permit icmp any any
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended permit tcp any host 10.68.0.15 eq 3389
access-list outside_in extended permit tcp any host 10.68.0.61 eq smtp
access-list outside_in extended permit tcp any host 10.68.0.22 eq 5480
access-list outside_in extended permit tcp any host 10.68.0.200 eq telnet
access-list outside_in extended deny ip any any log
access-list san_in extended permit icmp any any echo-reply
pager lines 30
logging enable
logging asdm informational
mtu inside 1500
mtu SAN 1500
mtu outside 1500
ip local pool Inside 10.68.0.100-10.68.0.110 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
asdm history enable
arp timeout 2400
!
object network mgmt-server_inside
 nat (inside,outside) static interface service tcp 3389 3389
object network sw0_inside
 nat (inside,outside) static interface service tcp telnet telnet
object network vcenter_inside
 nat (inside,outside) static interface service tcp 5480 5480
object network inside_anysubnet
 nat (inside,SAN) dynamic interface
object network inside_subnet
 nat (inside,outside) dynamic interface
object network excas01_inside
 nat (inside,outside) static interface service tcp smtp smtp
access-group san_in in interface SAN
access-group outside_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.68.0.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 10.68.0.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh version 2
console timeout 0
management-access inside

dhcpd dns 10.68.0.5
dhcpd auto_config outside
!
dhcpd address 10.68.0.100-10.68.0.131 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server inside 10.68.0.15 fw0.txt
webvpn
 enable inside
 enable outside
 anyconnect image disk0:/sslclient-win-1.1.0.154.pkg 2
 anyconnect enable
 tunnel-group-list enable
 tunnel-group-preference group-url
username admin password lP6/r5JV6SQg/pjK encrypted privilege 15
username mshaikh password 2YMuQ2Ler5aiagGM encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
policy-map global-policy
 class class-default
  user-statistics accounting
!
service-policy global-policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:8568524f53ebfed979ecaea4395024d2
: end
0
 
LVL 20

Expert Comment

by:rauenpc
Comment Utility
Can you post logs or a screenshot of the packet tracer to show what might be happening when you access the Internet?
0
Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

 
LVL 35

Expert Comment

by:Ernie Beek
Comment Utility
Is the 10.68.0.15 the only machine that is giving you issues?
What exactly are the issues?
When you look at the (ASDM) log when trying to browse from that machine, does anything show?
0
 

Author Comment

by:mshaikh22
Comment Utility
Hi rauenpc and erniebeek,

Thanks a lot for your all of your help. I have managed to get internet accesss by entering a public dns address. #

I need to reenable vpn on the cisco asa firewall since I  removed it from the config. Can you please let me know how to do that as I feel a bit funny about using adsm again. It putting in nothing but garbage in the config, which screws things up.

I need to enable vpn to connect to the machines using anyconnect.

Thanks a lot for your help

mshaikh
0
 
LVL 35

Expert Comment

by:Ernie Beek
Comment Utility
0
 

Author Closing Comment

by:mshaikh22
Comment Utility
Issue is resolved
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

This article is focussed on erradicating the confusion with slash notations. This article will help you identify and understand the purpose and use of slash notations. A deep understanding of this will help you identify networks quicker especially w…
Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now