Solved

Cisco not allowing LAN to browse internet but VPN is ok

Posted on 2014-02-27
Last Modified: 2014-02-28
I'm having trouble browsing the internet behind my ASA firewall. Unsure what mistakes I made, but please see the running config below.

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 33.35.28.138 255.255.255.248
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 nameif inside
 security-level 100
 ip address 192.168.253.1 255.255.255.0
!
!
interface GigabitEthernet0/3.50
 description office-wireless
 vlan 50
 nameif office-wireless
 security-level 99
 ip address 192.168.50.1 255.255.255.0
!
interface GigabitEthernet0/3.51
 description guest-wireless
 vlan 51
 nameif guest-wireless
 security-level 90
 ip address 192.168.51.1 255.255.255.0
!
access-list permitall extended permit ip any any
access-list outside_access_out extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu office-wireless 1500
mtu guest-wireless 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 0.0.0.0 0.0.0.0
access-group outside_access_out out interface outside
route outside 0.0.0.0 0.0.0.0 33.35.28.142 1
Question by:SuperRoot
14 Comments

Expert Comment by:asavener
global (outside) 101 interface

This should be "global (outside) 0 interface"

Author Comment by:SuperRoot
I tried it and this is what I get:

ciscoasa(config)# global (outside) 0 interface
invalid nat_id
Usage: [no] global (<ext_if_name>) <nat_id> {<global_ip>[-<global_ip>] [netmask <global_mask>]} | interface
        show running-config [all] global [(<ext_if_name>)] [<nat_id>]
        clear configure global

Assisted Solution by:asavener (asavener earned 500 total points)
Sorry, I messed up.

no global (outside) 101 interface
no nat (inside) 0 0.0.0.0 0.0.0.0

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

Author Comment by:SuperRoot
Thanks for your help! I tried it but it still didn't work. I'm confused...

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 33.35.28.138 255.255.255.248
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 nameif inside
 security-level 100
 ip address 192.168.253.1 255.255.255.0
!
!
interface GigabitEthernet0/3.50
 description office-wireless
 vlan 50
 nameif office-wireless
 security-level 99
 ip address 192.168.50.1 255.255.255.0
!
interface GigabitEthernet0/3.51
 description guest-wireless
 vlan 51
 nameif guest-wireless
 security-level 90
 ip address 192.168.51.1 255.255.255.0
!
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object-group PDB-DC-Group
access-list outside_access_out extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu office-wireless 1500
mtu guest-wireless 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_out out interface outside
route outside 0.0.0.0 0.0.0.0 33.35.28.142 1

Expert Comment by:asavener
Try running "clear xlate".

Author Comment by:SuperRoot
Still not good. :( I can't even reach yahoo.com's IP address. Also, when I added the NAT rules, I'm not able to go to the VPN... :(

Expert Comment by:asavener
What is the subnet for your VPN?

Author Comment by:SuperRoot
Thanks for your help! We have a site-to-site VPN set up. The subnet is 192.168.254.x 255.255.255.0. What's weird is that we can connect to the VPN OK without the NAT policies but can't connect to the internet. Also, even if I disable the VPN, I still can't get to the internet.

Assisted Solution by:asavener (asavener earned 500 total points)
Yes, it's an order of operations issue. NAT occurs before crypto, so your traffic is getting NAT'd to the external address, which means it doesn't match the VPN policy.

So, next thing to do is exclude the VPN destination from the NAT rules:

access-list no-nat extended permit ip any 192.168.254.0 255.255.255.0
nat (inside) 0 access-list no-nat
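asavener's order-of-operations point, replayed as an added Python model (example code written for this page, not ASA code and not posted by anyone in the thread): it walks the three NAT states the thread goes through (the original identity NAT with an unmatched global, the nat 1 / global 1 PAT, and the no-nat exemption) and assumes the crypto map matches on the post-NAT source; the addresses are the ones posted in the thread.

```python
"""Constructed model of the ASA 8.2 NAT order of operations from this thread.

Added example code, not the ASA's own logic: it models only the rules the
thread walks through (nat 0 identity, nat 1 + global 1 PAT, no-nat exemption)
and assumes the crypto map is evaluated after NAT, as asavener describes.
"""
from ipaddress import ip_address, ip_network

VPN_SUBNET = "192.168.254.0/24"  # remote site-to-site subnet from the thread
INSIDE_NET = "192.168.253.0/24"  # inside interface subnet from the thread
OUTSIDE_IP = "33.35.28.138"      # outside interface address from the thread


def _match(addr, cidr):
    return ip_address(addr) in ip_network(cidr)


def post_nat_source(src, dst, nat_rules, global_pool):
    """Source address the packet leaves the outside interface with.
    nat_rules model `nat (inside) ...` lines:
      {"id": 0, "exempt_dst": None}      nat (inside) 0 0.0.0.0 0.0.0.0 (identity)
      {"id": 0, "exempt_dst": "<cidr>"}  nat (inside) 0 access-list no-nat
      {"id": N, "src": "<cidr>"}         nat (inside) N <net> <mask>
    global_pool maps nat_id -> address from `global (outside) N interface`."""
    # NAT exemption (nat 0) is checked before dynamic NAT regardless of config order.
    for rule in sorted(nat_rules, key=lambda r: r["id"] != 0):
        if rule["id"] == 0:
            if rule.get("exempt_dst") is None or _match(dst, rule["exempt_dst"]):
                return src  # exempt or identity NAT: source untouched
        elif _match(src, rule["src"]):
            # PAT only happens when a global with the same nat_id exists
            return global_pool.get(rule["id"], src)
    return src


def flow_ok(src, dst, nat_rules, global_pool):
    """True if the flow still works after NAT: VPN traffic must match the crypto
    ACL (INSIDE_NET -> VPN_SUBNET) post-NAT; internet traffic needs a public source."""
    egress_src = post_nat_source(src, dst, nat_rules, global_pool)
    if _match(dst, VPN_SUBNET):
        return _match(egress_src, INSIDE_NET)  # crypto map sees the post-NAT source
    return not ip_address(egress_src).is_private  # RFC1918 source gets no replies


# The three states the thread passes through, as (nat_rules, global_pool).
ORIGINAL = ([{"id": 0, "exempt_dst": None}], {101: OUTSIDE_IP})
AFTER_NAT1 = ([{"id": 1, "src": "0.0.0.0/0"}], {1: OUTSIDE_IP})
FINAL = ([{"id": 1, "src": "0.0.0.0/0"}, {"id": 0, "exempt_dst": VPN_SUBNET}], {1: OUTSIDE_IP})
```

Running `flow_ok` for an inside host against 4.2.2.2 and against a VPN host reproduces the thread: ORIGINAL breaks internet but keeps the VPN, AFTER_NAT1 does the reverse, and FINAL passes both.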
 
Accepted Solution by:asavener (asavener earned 500 total points)
Forgot to add the "clear xlate" after that last command.

Next, can you try this:

From your workstation, "ping -t 4.2.2.2".

Then execute "show xlate" on the ASA and provide the output here. Also, if you could, provide the output of "show version".

Author Comment by:SuperRoot
Got it working now. I tried it first on the wireless; I guess I can replicate it on the inside interface tonight. I'll let you know later tonight how it goes :)

nat (office-wireless) 0 access-list office-wireless_nat0_outbound
nat (office-wireless) 1 access-list office-wireless_nat_outbound

access-list office-wireless_nat_outbound extended permit ip 192.168.50.0 255.255.255.0 any

global (outside) 1 interface

Expert Comment by:asavener
Yup. Attempting it from a different interface will definitely affect your results!

Author Comment by:SuperRoot
Now I need help configuring the inter-VLAN communication. I enabled the following but it still didn't work. :( I'm assuming I can use one, right?

cisco(config)# sh runn same-security-traffic
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

Author Comment by:SuperRoot
Managed to make everything work now. The steps I did are as follows:

1. Created the ACL nonat for inside as well as for office-wireless
2. Created the dynamic NAT rule from inside to office-wireless and office-wireless to inside
3. Applied those access lists to the right interfaces.
4. Prayed to the heavens that things would work. :)

Everything started working :)

Thanks for all your help!