Solved

Cisco router/firewall issues

Posted on 2014-03-19
Last Modified: 2014-04-07
Hi,

I recently had one of your colleagues (Soulja) help me out on DNS issues with my router & firewall using double NAT, but unfortunately I had a power failure and seem to have lost some of the settings and can't seem to ping anything connected to the ASA 5505 firewall, although everything connected to it has internet access.
I would really like some help relating to this as I run my aquarium controller remotely when I'm away from home, but unfortunately I can't see anything past the router internally when I ping from PuTTY.

Ideally, if Soulja could pick this one up, that would be great, as he probably has a better idea of the history, with it previously working about a month or so ago.
Either way, I would appreciate a resolution from anyone to get this up and running again.
I can't figure out if it's the router or firewall config that's corrupted.
Question by:cannonz
14 Comments
 

Author Comment

by:cannonz
ID: 39940597
OK, I have an update on my problem: it seems to be my dyndns that's not updating for my aquarium controller, which I take it would be the router rather than the firewall.
-------------------------
Router>
Translating "members.dyndns.org"...domain server (8.8.8.8) [OK]

Translating "members.dyndns.org"...domain server (8.8.8.8) [OK]

Translating "members.dyndns.org"...domain server (8.8.8.8) [OK]

-------------------------


Hope this helps
0
 
LVL 17

Expert Comment

by:Garry-G
ID: 39941589
Posting at least some excerpts from both configs might help ...
0
 
LVL 17

Expert Comment

by:pergr
ID: 39941594
In which of your devices do you have your dyndns setting configured?
0
 

Author Comment

by:cannonz
ID: 39948982
My dyndns setting is on my router, see config below:

-----------------------------------------
Current configuration : 5157 bytes
!
! Last configuration change at 17:49:18 UTC Wed Mar 19 2014
! NVRAM config last updated at 17:38:16 UTC Wed Mar 19 2014
! NVRAM config last updated at 17:38:16 UTC Wed Mar 19 2014
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot config flash:usbflash0
boot-end-marker
!
!
no logging console
!
no aaa new-model
!
memory-size iomem 10
 --More--
Translating "members.dyndns.org"...domain server (8.8.8.8) [OK]       crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3233774123
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3233774123
 revocation-check none
 rsakeypair TP-self-signed-3233774123
!
!
crypto pki certificate chain TP-self-signed-3233774123
 certificate self-signed 01
        quit
ip source-route
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.2.1 192.168.2.99
!
ip dhcp pool VLAN10
 import all
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 domain-name cannonz.dyndns.org
 dns-server 208.67.220.220
 lease 4
!
ip dhcp pool VLAN20
 import all
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
 domain-name cannonz.dyndns.org
 lease 4
!
!
ip cef
ip domain lookup source-interface Vlan10
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip inspect name MYFW tcp
ip inspect name MYFW udp
ip ddns update method dyndns
 HTTP
  add http://cannonz:alissa23@members.dyndns.org/nic/updatesystem=dyndns&hostname=&myip=
 interval maximum 0 0 1 0
!
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO887VA-SEC-K9 sn FCZ160592RB
!
!
username sysop privilege 15 password 7 08254E455D4C5D14
!
!
!
!
controller VDSL 0
!
!
!
!
!
!
!
!
interface Ethernet0
 no ip address
 shutdown
 no fair-queue
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
 switchport access vlan 20
 no ip address
 spanning-tree portfast
!
interface FastEthernet1
 switchport access vlan 10
 no ip address
 spanning-tree portfast
!
interface FastEthernet2
 switchport access vlan 10
 no ip address
 spanning-tree portfast
!
interface FastEthernet3
 no ip address
!
interface Vlan1
 no ip address
!
interface Vlan10
 description Internal Network
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan20
 description Guest Network
 ip address 192.168.2.1 255.255.255.0
!
interface Dialer0
 ip ddns update hostname cannonz.dyndns.org
 ip ddns update dyndns
 ip address negotiated
 ip access-group Internet-inbound-ACL in
 ip nat outside
 ip inspect MYFW out
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname bthomehub@btbroadband.com
 ppp chap password 0 bthomehub@btbroadband.com
 ppp ipcp dns request
 ppp ipcp address accept
!
ip forward-protocol nd
ip http server
ip http secure-server
!
!
ip dns server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.2 80 interface Dialer0 80
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended Guest-ACL
 deny   ip any 192.168.1.0 0.0.0.255
 permit ip any any
ip access-list extended Internet-inbound-ACL
 permit udp any eq domain any
 permit udp any eq bootps any eq bootpc
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit gre any any
 permit esp any any
 permit tcp any any
 permit tcp any any eq www
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
!
!
!
!
!
control-plane
!
!
line con 0
 password 7 09484C024D504F11
line aux 0
line vty 0 4
 password 7 070B23471A5C4106
 login
 transport input all
!
end
0
 
LVL 17

Expert Comment

by:Garry-G
ID: 39948998
... you may want to change your password ASAP ...
0
 
LVL 17

Expert Comment

by:Garry-G
ID: 39949002
Just to make sure - doing something like "ping <some symbolic address>" will result in the router correctly resolving the name, or?
0
 

Author Comment

by:cannonz
ID: 39949011
If I ping google, this is what I get:

----------------------------
Router#ping google.com
Translating "google.com"...domain server (8.8.8.8) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 31.55.167.180, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/24/28 ms
0

 
LVL 17

Expert Comment

by:Garry-G
ID: 39949014
what do you get if you run DDNS debugging?

->   debug ip ddns update
->   term mon

Then try to disconnect/reconnect and see what the router says ...
0
 

Author Comment

by:cannonz
ID: 39949068
I have typed in what you said, but I'm unsure of what it should be showing.

--------------------------------------------
Router#debug ip ddns update
Dynamic DNS debugging is on
Router#term mon
% Use "logging console" instead
Router#
0
 

Author Comment

by:cannonz
ID: 39981200
Is there any follow-up on what I should be looking for with this debug?
I'm still no further forward yet, and my DNS still doesn't update.
0
 
LVL 17

Expert Comment

by:pergr
ID: 39981291
I suspect your Internet is working, and that the dyndns update is working too, unless you can show that it does not.

Also, an http connection to the public ip (the dyndns name) will be translated to 192.168.1.2 on the inside, which I assume is the aquarium controller.

Is it possible that the aquarium controller has taken a different ip address?
0
 

Author Comment

by:cannonz
ID: 39981307
No, I have assigned a static IP to the aquarium controller.
If I log on to dyndns.org and manually update my WAN IP, then I can connect to the aquarium controller with no problem until my WAN IP changes again, so I know it's the DNS server that appears to not be working.
0
 
LVL 17

Accepted Solution

by:
pergr earned 500 total points
ID: 39981628
Your http string does not look healthy, but perhaps it is a copy/paste issue.

Please compare it with this:

http://packetlife.net/blog/2009/dec/28/dynamic-dns-ios/
0
 

Author Closing Comment

by:cannonz
ID: 39984465
Thanks for your help, it appears I had a typo in the http string, just as you said.

Thanks again
0
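An added example, not part of the thread or any poster's code: a small Python check for the `add` line of an IOS `ip ddns update method` HTTP block, run over the string from the posted config with the credentials replaced by `USER:PASS` placeholders. It assumes the documented IOS pattern in which `<h>` and `<a>` stand for the hostname and address the router fills in at update time; `check_ddns_add` and the sample lines are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Parameters the update URL must carry, with the IOS placeholder expected as value.
REQUIRED = {"hostname": "<h>", "myip": "<a>"}

# Constructed samples: the posted string (credentials replaced) and a well-formed one.
POSTED = "add http://USER:PASS@members.dyndns.org/nic/updatesystem=dyndns&hostname=&myip="
FIXED = "add http://USER:PASS@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>"


def check_ddns_add(line):
    """Return a list of problems found in one 'add <url>' line."""
    verb, _, url = line.strip().partition(" ")
    if verb != "add" or not url:
        return ["not an 'add <url>' line"]
    problems = []
    parts = urlsplit(url)
    # Userinfo in an http:// URL travels as cleartext and sits in the config.
    if parts.scheme == "http" and parts.password:
        problems.append("credentials embedded in a plain-HTTP URL")
    if not parts.query:
        # key=value pairs glued onto the path mean the '?' separator was lost.
        if "=" in parts.path or "&" in parts.path:
            problems.append("no '?' between the path and the parameters")
        else:
            problems.append("no query parameters")
        return problems
    params = parse_qs(parts.query, keep_blank_values=True)
    for name, placeholder in REQUIRED.items():
        values = params.get(name)
        if values is None:
            problems.append(f"missing parameter '{name}'")
        elif values[0] == "":
            problems.append(f"'{name}' is empty, expected {placeholder}")
    return problems


if __name__ == "__main__":
    for sample in (POSTED, FIXED):
        print(sample)
        for problem in check_ddns_add(sample) or ["no problems found"]:
            print("  -", problem)
```

At the IOS prompt a literal `?` triggers context help, so it has to be preceded by Ctrl-V when the URL is typed in.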
