Solved

Cisco not allowing LAN to browse internet but VPN is ok

Posted on 2014-02-27
466 Views
Last Modified: 2014-02-28
I'm having trouble browsing the internet behind my ASA firewall. Unsure what mistakes I made, but please see the running config below.

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 33.35.28.138 255.255.255.248
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 nameif inside
 security-level 100
 ip address 192.168.253.1 255.255.255.0
!
!
interface GigabitEthernet0/3.50
 description office-wireless
 vlan 50
 nameif office-wireless
 security-level 99
 ip address 192.168.50.1 255.255.255.0
!
interface GigabitEthernet0/3.51
 description guest-wireless
 vlan 51
 nameif guest-wireless
 security-level 90
 ip address 192.168.51.1 255.255.255.0
!
access-list permitall extended permit ip any any
access-list outside_access_out extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu office-wireless 1500
mtu guest-wireless 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 0.0.0.0 0.0.0.0
access-group outside_access_out out interface outside
route outside 0.0.0.0 0.0.0.0 33.35.28.142 1
Question by:SuperRoot
14 Comments
 
LVL 28

Expert Comment

by:asavener
ID: 39893299
global (outside) 101 interface

This should be "global (outside) 0 interface"
 
LVL 1

Author Comment

by:SuperRoot
ID: 39893463
I tried it and this is what I get:

ciscoasa(config)# global (outside) 0 interface
invalid nat_id
Usage: [no] global (<ext_if_name>) <nat_id> {<global_ip>[-<global_ip>] [netmask <global_mask>]} | interface
        show running-config [all] global [(<ext_if_name>)] [<nat_id>]
        clear configure global
 
LVL 28

Assisted Solution

by:asavener
asavener earned 2000 total points
ID: 39893517
Sorry, I messed up.

no global (outside) 101 interface
no nat (inside) 0 0.0.0.0 0.0.0.0

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
 
LVL 1

Author Comment

by:SuperRoot
ID: 39894825
Thanks for your help! I tried it, but it still didn't work. I'm confused...

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 33.35.28.138 255.255.255.248
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 nameif inside
 security-level 100
 ip address 192.168.253.1 255.255.255.0
!
!
interface GigabitEthernet0/3.50
 description office-wireless
 vlan 50
 nameif office-wireless
 security-level 99
 ip address 192.168.50.1 255.255.255.0
!
interface GigabitEthernet0/3.51
 description guest-wireless
 vlan 51
 nameif guest-wireless
 security-level 90
 ip address 192.168.51.1 255.255.255.0
!
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object-group PDB-DC-Group
access-list outside_access_out extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu office-wireless 1500
mtu guest-wireless 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_out out interface outside
route outside 0.0.0.0 0.0.0.0 33.35.28.142 1
 
LVL 28

Expert Comment

by:asavener
ID: 39894887
Try running "clear xlate".
 
LVL 1

Author Comment

by:SuperRoot
ID: 39895894
Still not good. :( I can't even reach yahoo.com's IP address. Also, when I added the NAT rules, I'm not able to get to the VPN... :(
 
LVL 28

Expert Comment

by:asavener
ID: 39896060
What is the subnet for your VPN?
 
LVL 1

Author Comment

by:SuperRoot
ID: 39896126
Thanks for your help! We have a site-to-site VPN setup. The subnet is 192.168.254.x 255.255.255.0. What's weird is that we can connect to the VPN OK without the NAT policies but can't connect to the internet. Also, even when I disabled the VPN, I still can't get to the internet.
 
LVL 28

Assisted Solution

by:asavener
asavener earned 2000 total points
ID: 39896135
Yes, it's an order of operations issue. NAT occurs before crypto, so your traffic is getting NAT'd to the external address, which means it doesn't match the VPN policy.

So, next thing to do is exclude the VPN destination from the NAT rules:


access-list no-nat extended permit ip any 192.168.254.0 255.255.255.0
nat (inside) 0 access-list no-nat
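As an added illustration of the two points asavener makes above (a nonzero nat_id needs a matching global, and VPN destinations need a nat 0 exemption because NAT runs before crypto), here is a small Python lint over pre-8.3 nat/global syntax. It is not code from this thread or from Cisco; the BROKEN and FIXED fragments are constructed to mirror the first paste and the corrected state, and the VPN subnet is passed in as an assumption.

```python
import ipaddress

# Constructed ASA 8.2-style fragments modelled on the thread: BROKEN mirrors the
# first paste (global 101 never used, nat 0 pointing at an undefined ACL, no VPN
# exemption); FIXED mirrors the state after the corrections in this thread.
BROKEN = """\
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 0.0.0.0 0.0.0.0
"""
FIXED = """\
access-list no-nat extended permit ip any 192.168.254.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
"""

def _net(tokens):
    """Consume 'any' or 'addr mask' from the front of tokens; return a network."""
    if tokens[0] == "any":
        tokens.pop(0)
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{tokens.pop(0)}/{tokens.pop(0)}")

def lint_nat(config, vpn_subnet):
    """Return findings: unpaired nat/global ids, undefined ACLs, missing VPN exemption."""
    vpn = ipaddress.ip_network(vpn_subnet)
    acls, global_ids, nats, findings = {}, set(), [], []
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2:5] == ["extended", "permit", "ip"]:
            rest = t[5:]
            acls.setdefault(t[1], []).append((_net(rest), _net(rest)))  # (src, dst)
        elif t[:1] == ["global"]:
            global_ids.add(t[2])
        elif t[:1] == ["nat"]:
            nats.append((t[1], t[2], t[3:]))
    exempt = False
    for iface, nat_id, rest in nats:
        if nat_id != "0" and nat_id not in global_ids:
            findings.append(f"nat {iface} id {nat_id} has no matching global: no PAT, no internet")
        if rest[:1] == ["access-list"]:
            if rest[1] not in acls:
                findings.append(f"nat {iface} id {nat_id} references undefined ACL {rest[1]}")
            elif nat_id == "0":  # nat 0 access-list = NAT exemption; does it cover the VPN?
                exempt |= any(vpn.subnet_of(dst) for _, dst in acls[rest[1]])
    for g in sorted(global_ids - {n[1] for n in nats}):
        findings.append(f"global id {g} has no nat statement using it")
    if not exempt:
        findings.append(f"no nat 0 access-list exempts {vpn}: VPN traffic is PATed before crypto")
    return findings
```

Running lint_nat over BROKEN reports the three problems the thread works through one by one; over FIXED it reports nothing.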
 
LVL 28

Accepted Solution

by:
asavener earned 2000 total points
ID: 39896142
Forgot to add the "clear xlate" after that last command.


Next, can you try this:

From your workstation, "ping -t 4.2.2.2".

Then execute "show xlate" on the ASA and provide the output here. Also, if you could provide the output of "show version".
 
LVL 1

Author Comment

by:SuperRoot
ID: 39896169
Got it working now. I tried it first on the wireless; I guess I can replicate it on the inside interface tonight. I'll let you know later tonight how it goes :)

nat (office-wireless) 0 access-list office-wireless_nat0_outbound
nat (office-wireless) 1 access-list office-wireless_nat_outbound

access-list office-wireless_nat_outbound extended permit ip 192.168.50.0 255.255.255.0 any

global (outside) 1 interface
 
LVL 28

Expert Comment

by:asavener
ID: 39896180
Yup. Attempting it from a different interface will definitely affect your results!
 
LVL 1

Author Comment

by:SuperRoot
ID: 39896266
Now I need help configuring the inter-VLAN communication. I enabled the following but it still didn't work. :( I'm assuming I can use one, right?

cisco(config)# sh runn same-security-traffic
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
 
LVL 1

Author Comment

by:SuperRoot
ID: 39896559
Managed to make everything work now. Steps I did are as follows:

1. Created the nonat ACL for inside as well as for office-wireless
2. Created the dynamic NAT rule from inside to office-wireless and office-wireless to inside
3. Applied those access lists to the right interfaces.
4. Pray to the heavens that things will work. :)

Everything starts working :)

Thanks for all your help!