Solved

Cisco not allowing LAN to browse internet but VPN is ok

Posted on 2014-02-27
14
464 Views
Last Modified: 2014-02-28
I'm having trouble browsing the internet behind my ASA firewall. Unsure what mistake I made, but please see the running config below.

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 33.35.28.138 255.255.255.248
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 nameif inside
 security-level 100
 ip address 192.168.253.1 255.255.255.0
!
!
interface GigabitEthernet0/3.50
 description office-wireless
 vlan 50
 nameif office-wireless
 security-level 99
 ip address 192.168.50.1 255.255.255.0
!
interface GigabitEthernet0/3.51
 description guest-wireless
 vlan 51
 nameif guest-wireless
 security-level 90
 ip address 192.168.51.1 255.255.255.0
!
access-list permitall extended permit ip any any
access-list outside_access_out extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu office-wireless 1500
mtu guest-wireless 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 0.0.0.0 0.0.0.0
access-group outside_access_out out interface outside
route outside 0.0.0.0 0.0.0.0 33.35.28.142 1
0
Question by:SuperRoot
14 Comments
 
LVL 28

Expert Comment

by:asavener
ID: 39893299
global (outside) 101 interface

This should be "global (outside) 0 interface"
0
 
LVL 1

Author Comment

by:SuperRoot
ID: 39893463
I tried it and this is what I get:

ciscoasa(config)# global (outside) 0 interface
invalid nat_id
Usage: [no] global (<ext_if_name>) <nat_id> {<global_ip>[-<global_ip>] [netmask <global_mask>]} | interface
        show running-config [all] global [(<ext_if_name>)] [<nat_id>]
        clear configure global
0
 
LVL 28

Assisted Solution

by:asavener
asavener earned 500 total points
ID: 39893517
Sorry, I messed up.

no global (outside) 101 interface
no nat (inside) 0 0.0.0.0 0.0.0.0

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
0
 
LVL 1

Author Comment

by:SuperRoot
ID: 39894825
Thanks for your help! I tried it, but it still didn't work. I'm confused...

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 33.35.28.138 255.255.255.248
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 nameif inside
 security-level 100
 ip address 192.168.253.1 255.255.255.0
!
!
interface GigabitEthernet0/3.50
 description office-wireless
 vlan 50
 nameif office-wireless
 security-level 99
 ip address 192.168.50.1 255.255.255.0
!
interface GigabitEthernet0/3.51
 description guest-wireless
 vlan 51
 nameif guest-wireless
 security-level 90
 ip address 192.168.51.1 255.255.255.0
!
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object-group PDB-DC-Group
access-list outside_access_out extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu office-wireless 1500
mtu guest-wireless 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_out out interface outside
route outside 0.0.0.0 0.0.0.0 33.35.28.142 1
0
 
LVL 28

Expert Comment

by:asavener
ID: 39894887
Try running "clear xlate".
0
 
LVL 1

Author Comment

by:SuperRoot
ID: 39895894
Still not good. :( I can't even reach yahoo.com's IP address. Also, when I added the NAT rules, I'm not able to get to the VPN... :(
0
 
LVL 28

Expert Comment

by:asavener
ID: 39896060
What is the subnet for your VPN?
0
 
LVL 1

Author Comment

by:SuperRoot
ID: 39896126
Thanks for your help! We have a site-to-site VPN set up. The subnet is 192.168.254.x 255.255.255.0. What's weird is that we can connect to the VPN fine without the NAT policies but can't connect to the internet. Also, even if I disable the VPN, I still can't get to the internet.
0
 
LVL 28

Assisted Solution

by:asavener
asavener earned 500 total points
ID: 39896135
Yes, it's an order of operations issue.  NAT occurs before crypto, so your traffic is getting NAT'd to the external address, which means it doesn't match the VPN policy.

So, next thing to do is exclude the VPN destination from the NAT rules:


access-list no-nat extended permit ip any 192.168.254.0 255.255.255.0
nat (inside) 0 access-list no-nat
0
 
LVL 28

Accepted Solution

by:asavener
asavener earned 500 total points
ID: 39896142
Forgot to add the "clear xlate" after that last command.


Next, can you try this:

From your workstation, "ping -t 4.2.2.2".

Then execute "show xlate" on the ASA and provide the output, here.  Also, if you could provide the output of "show version".
0
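Added here as an example of how to check the NAT and crypto decisions on the ASA itself; it is not part of asavener's or the original poster's posts. Addresses are taken from the posted config, while the inside host 192.168.253.10, the wireless host 192.168.50.10 and the remote VPN host 192.168.254.10 are assumed. packet-tracer lists every phase a simulated flow passes through, so it shows directly whether a packet was exempted from NAT (nat 0) or translated to the outside interface address before it reached the crypto map:

```text
! Internet-bound flow: expect a NAT phase translating the source to
! outside:33.35.28.138 (dynamic PAT) and a final "Action: allow".
packet-tracer input inside tcp 192.168.253.10 1025 4.2.2.2 80 detailed

! VPN-bound flow: expect a NAT-EXEMPT phase (the no-nat ACL matched) followed
! by a VPN/encrypt phase. If a dynamic PAT phase appears instead, the nat 0
! exemption is missing or its ACL does not cover this source/destination pair.
packet-tracer input inside tcp 192.168.253.10 1025 192.168.254.10 445 detailed

! Same check from the wireless segment. nat/global rules are bound to the
! source interface, so a rule on "inside" says nothing about "office-wireless".
packet-tracer input office-wireless tcp 192.168.50.10 1025 4.2.2.2 80 detailed

! Live translations (run while "ping -t 4.2.2.2" is going) and the rules in force.
show xlate
show running-config nat
show running-config global

! Tunnel state: phase 1 should be MM_ACTIVE; phase 2 should list the
! 192.168.254.0/24 proxy identity with #pkts encaps/decaps counters increasing.
show crypto isakmp sa
show crypto ipsec sa
```

Run the two packet-tracer commands back to back: if the internet flow shows a translation and the VPN flow shows NAT-EXEMPT, the order-of-operations problem from the previous post is fixed, and any remaining failure is in the tunnel or routing rather than in NAT.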
 
LVL 1

Author Comment

by:SuperRoot
ID: 39896169
Got it working now. I tried it first on the wireless; I guess I can replicate it on the inside interface tonight. I'll let you know later tonight how it goes :)

nat (office-wireless) 0 access-list office-wireless_nat0_outbound
nat (office-wireless) 1 access-list office-wireless_nat_outbound

access-list office-wireless_nat_outbound extended permit ip 192.168.50.0 255.255.255.0 any

global (outside) 1 interface
0
 
LVL 28

Expert Comment

by:asavener
ID: 39896180
Yup. Attempting it from a different interface will definitely affect your results!
0
 
LVL 1

Author Comment

by:SuperRoot
ID: 39896266
Now I need help configuring the inter-VLAN communication. I enabled the following but it still didn't work. :( I'm assuming I can use one, right?

cisco(config)# sh runn same-security-traffic
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
0
 
LVL 1

Author Comment

by:SuperRoot
ID: 39896559
Managed to make everything work now. The steps I did are as follows:

1. Created the nonat ACL for inside as well as for office-wireless
2. Created the dynamic NAT rule from inside to office-wireless and office-wireless to inside
3. Applied those access lists to the right interfaces.
4. Pray to heavens that things will work. :)

Everything started working :)

Thanks for all your help!
0
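Pulling the thread together, here is the complete pre-8.3 NAT configuration that the steps above and asavener's exemption advice describe, written as an added example rather than the poster's own running config. Subnets and interface names come from the posted config; the ACL names, the inbound ACL on office-wireless and the decision to leave guest-wireless internet-only are assumptions. The original `nat (inside) 0 0.0.0.0 0.0.0.0` was identity NAT for every inside source, so internet traffic left with a private 192.168.253.x source address and had no return path. A `nat 0 access-list` confines the exemption to the flows that must keep their real address: the site-to-site VPN (the crypto map is evaluated after NAT, so a translated packet never matches it) and the other internal segments. Everything else gets dynamic PAT to the outside interface address.

```text
! 1. Traffic that must NOT be translated (NAT exemption, checked before the
!    dynamic rules): to the remote VPN site and between the internal segments.
access-list inside_nat0_outbound extended permit ip 192.168.253.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.253.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list office-wireless_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list office-wireless_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 192.168.253.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (office-wireless) 0 access-list office-wireless_nat0_outbound

! 2. Everything else from each internal interface: dynamic PAT to the outside
!    interface address. The nat_id (1) pairs the nat rule with the global on the
!    egress interface; id 0 is reserved for exemption, which is why
!    "global (outside) 0 interface" was rejected as an invalid nat_id.
nat (inside) 1 192.168.253.0 255.255.255.0
nat (office-wireless) 1 192.168.50.0 255.255.255.0
nat (guest-wireless) 1 192.168.51.0 255.255.255.0
global (outside) 1 interface

! 3. Interface ACL. inside (100) may initiate to office-wireless (99) by default;
!    the reverse is lower-to-higher and needs an inbound ACL on office-wireless.
!    guest-wireless (90) gets no access-group, so it can still only initiate to
!    outside (0) and cannot reach the office segments.
access-list office-wireless_access_in extended permit ip 192.168.50.0 255.255.255.0 192.168.253.0 255.255.255.0
access-list office-wireless_access_in extended permit ip 192.168.50.0 255.255.255.0 any
access-group office-wireless_access_in in interface office-wireless

! 4. Drop translations built under the old rules so new flows use the new ones.
clear xlate
```

Two caveats a practitioner would want: the exemption entries for inside-to-wireless traffic matter because once a source matches a dynamic `nat` rule the ASA requires a matching `global` on the egress interface and otherwise drops the packet with "no translation group found", so either exempt that traffic (as above) or add a `global (office-wireless) 1 interface`. And `same-security-traffic permit inter-interface` from the earlier post only affects interfaces that share a security level; inside (100) and office-wireless (99) do not, so the interface ACL, not that command, is what controls the wireless-to-inside direction.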

Question has a verified solution.
