asa5505 does not provide windows 7 desktop with internet access

Hi, I am running a Win 2008 domain network plugged into my Cisco 2950 switches and connected to my ASA5505 firewall, and my internal master DC/AD/DNS/DHCP server provides my DHCP IP allocation as usual.

- fileserver member server - allows win 7 desktop below to logon as expected

note: currently I have no GPO configured and all machines are located in the default Computers container by default, as expected

- my master dc as above receives internet access - as expected currently

win 7 desktop:

- my win 7 can ping the master dc & fileserver & default-gateway 192.168.0.1 successfully

note: I have removed the 'dhcpd' as I do not wish to use the asa5505 dhcpd feature, as I already have a functioning internal DHCP

- my win 7 desktop receives an ip address via my master dc/ad/dns/dhcp server as expected - successfully

qns1.

my issue:

- my same win 7 desktop above does not receive internet access, why?
asa5505configp1.txt
mikey250 asked:

Thomas Grassi (Systems Administrator) commented:
Does any computer work?
How many Windows 7 computers are on this network?
Does the Windows 2008 Server work?
How about ipconfig /all from the server and this computer?

On the Windows 7 computer open Network and Sharing Center what does it show?

try changing the access-list to this

access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq 8080
access-list outside_access_in extended permit tcp any interface outside eq https
access-list inside_access_in extended permit ip any any
0
mikey250 (Author) commented:
hi, I will eventually have 50 win 7 machines plugged in, but I am checking 1 win 7 first.

my win 2008 is working fine, but now I have added the asa5505 firewall and I am not sure what I am supposed to add for internet access.

yes of course ipconfig /all - correct on all internal machines.

yes, I have checked my win 7 and the network sharing for 'domain' is set to 'turn on network discovery'.

I did not add the below as I did not realise this needed to be done:

access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq 8080
access-list outside_access_in extended permit tcp any interface outside eq https
access-list inside_access_in extended permit ip any any
0
Thomas Grassi (Systems Administrator) commented:
So you are able to access the web on the 2008 server?

On the Windows 7 I wanted to know what it shows in the Network and Sharing Center.

It shows the map of the network at the top; is it connected to the internet, or do you have a RED X?
0

Matt commented:
Hi!

What is the default gateway for your clients? Did you set it to the internal interface of the ASA 5505, I assume 192.168.0.1?

Can you verify and then try to ping:

ping 8.8.8.8

Post your results please and also "ipconfig /all".
0
mikey250 (Author) commented:
I have set the asa5505 back to factory default

- I have reconfigured inside vlan 1 & outside vlan2 which are the default vlans
- yes my inside is set to: 192.168.0.1 /24
- yes I have set the inside to: 192.168.0.0 /24
- yes my master dc server can receive internet access
- no I cannot ping 8.8.8.8 from my asa5505 or my master dc
- yes I can ping default gateway: 192.168.0.1 from all machines successfully


I have just manually added the IP addresses below instead of a screenshot.

when I do: ipconfig /all on master dc I receive my internal master dc/ad/dns/dhcp dynamic settings as usual

yes my Network and Sharing Center is showing globe for internet access

ip: 192.168.0.254 /24 - static
dg: 192.168.0.1
dns: 127.0.0.1 - as only 1 dns server as expected

win 7

the 'network and sharing center' globe is greyed out & not showing as internet access as expected & yes a (red x) is showing

ip: 192.168.0.13/24
dg: 192.168.0.1
lease obtained: 27 sep 2014
lease expires: 03 oct 2014
dhcp: 192.168.0.254
dns: 192.168.0.254

after testing the above for internet access, unsuccessfully, I then added the below 'access-list', but same issue: no internet via win 7 desktop, but internet via master dc - successful

access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq 8080
access-list outside_access_in extended permit tcp any interface outside eq https
access-list inside_access_in extended permit ip any any
asaconfig.TXT
0
Matt commented:
On the ASA, type this:


show ip

Post the results. Do you receive a public IP?

You have an ACL "inside_access_in". Where is this ACL applied?

Try adding this:

access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
0
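As an added example (not from the thread and not Cisco tooling), here is a small Python checker that parses the access-list and access-group lines quoted above and reports which ACLs are defined but never bound to an interface, which is the question Matt is asking. The configuration fragment inside it is constructed from the lines in the thread, with only outside_access_in bound, so the report flags inside_access_in.

```python
"""Report ASA access-lists that are defined but never applied with access-group.

Added example, not from the thread or from Cisco. The config fragment is
constructed from the ACL lines quoted in the thread plus one access-group
binding; nothing here is taken from the author's attached config files.
"""
import re

# Constructed fragment: only outside_access_in is bound, on purpose.
SAMPLE_CONFIG = """\
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq 8080
access-list outside_access_in extended permit tcp any interface outside eq https
access-list inside_access_in extended permit ip any any
access-group outside_access_in in interface outside
"""

ACL_RE = re.compile(r"^\s*access-list\s+(\S+)\s+(.*)$")
GROUP_RE = re.compile(r"^\s*access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)")


def parse_acls(config):
    """Return {acl_name: [rule text, ...]} for every access-list line."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2).strip())
    return acls


def parse_bindings(config):
    """Return {acl_name: (direction, interface)} for every access-group line."""
    bindings = {}
    for line in config.splitlines():
        m = GROUP_RE.match(line)
        if m:
            bindings[m.group(1)] = (m.group(2), m.group(3))
    return bindings


def unbound_acls(config):
    """Names of ACLs that exist but are not applied to any interface.

    An unbound ACL has no effect on traffic, so a rule that "does nothing"
    is often simply one that was never attached with access-group.
    """
    acls = parse_acls(config)
    bindings = parse_bindings(config)
    return sorted(name for name in acls if name not in bindings)


def dangling_bindings(config):
    """access-group lines that name an ACL with no rules (catches typos)."""
    acls = parse_acls(config)
    bindings = parse_bindings(config)
    return sorted(name for name in bindings if name not in acls)


def report(config):
    """One human-readable line per ACL: rule count and binding state."""
    bindings = parse_bindings(config)
    lines = []
    for name, rules in parse_acls(config).items():
        where = bindings.get(name)
        state = f"bound {where[0]} on {where[1]}" if where else "NOT BOUND"
        lines.append(f"{name}: {len(rules)} rule(s), {state}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_CONFIG):
        print(line)
    print("unbound:", unbound_acls(SAMPLE_CONFIG))
```

Note that outside_access_in, once bound inbound on the outside interface, only governs traffic arriving from the internet; it does not by itself give inside clients outbound access, which is why the thread's next step is to look at the clients' routing rather than at more permit lines.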
mikey250 (Author) commented:
I have also attached the 'sh ip' data. Yes, all looks correct.
asa5505-screenshot-show-ip.docx
0
Matt commented:
OK, from the ASA device you can ping the external world. Can you try this on one of your clients:

ping 8.8.8.8 -t

and monitor the log on your ASA 5505:
show logg | i 8.8.8.8
0
mikey250 (Author) commented:
yes, I can ping 8.8.8.8 from the asa - successful
0
Matt commented:
Now do the same on one of the client computers or the server - ping in a loop:


PING 8.8.8.8  -t


Does it work? If not, what can you see on the ASA in the log records?

On ASA type this:

show logg | i 8.8.8.8
0
mikey250 (Author) commented:
win 7 desktop:

- yes, I did do: ping 8.8.8.8 on win 7, I receive:

PING: transmit failed. General failure.

asa & master dc:

I can ping 8.8.8.8 via the asa & master dc - successful

sh log | i 8.8.8.8 - no info

sh log - enter

facility 20
standby logging: disabled
debug-trace logging - disabled
console logging: disabled
monitor logging: disabled
buffer logging: disabled
trap logging: disabled
permit-hostdown logging:  disabled
history logging: disabled
device id: disabled
mail logging: disabled
asdm logging: level information, 0 messages logged
0
Matt commented:
Raise the logging level on the Cisco ASA with these commands:

logging enable
logging timestamp
logging standby
logging buffer-size 1024000
logging monitor informational
logging buffered informational
logging trap debugging
logging asdm informational
logging facility 23


Can you attach "ipconfig /all" from the Domain Controller and "ipconfig /all" from one of the clients? It seems your clients don't know where to send packets with a destination outside of your LAN subnet.
0
Matt commented:
Is your domain controller on the same switch as your clients?
0
mikey250 (Author) commented:
hi matt, I have 3 cisco 2950

asa
- eth0 cable connected to virgin hub to isp
- eth1 cabled - connected to vtp server (primary) switch int fa0/8, int vlan 1 default currently for all vlans - until I resolve this win 7 no internet access
set as below with ip default-gateway set on all 3 switches:

fault tolerance setup for both vtp servers below, and it works successfully
- vtp server (primary) - master dc/ad/dns/dhcp server & file server attached
- vtp server (secondary) - nothing attached
- vtp client (access) - win 7 desktop attached
master-dc-ipconfig-screenshot.docx
win-7-ipconfig-screenshot.docx
0
Matt commented:
Bingo... your DHCP server does not send info about the default gateway to the clients. In your docx files, the master DC has the default gateway set to 192.168.0.1; the win-7 client has no default gateway. Check your DHCP server in case you forgot to set the default gateway in your DHCP scope.

The client got IP address 192.168.0.13, DNS and DHCP are 192.168.0.254, Default Gateway is EMPTY...

If you don't use IPv6 in your network, untick the IPv6 option in the TCP/IP settings of the NIC properties.

Let me know if you are now able to ping and access external world.

P.S.: Clients can always ping other clients on the SAME subnet, to do this they don't need default gateway because their packets never leave LAN subnet.
0
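Matt's diagnosis can be turned into a check that runs over ipconfig /all output. The following Python is an added example, not part of the thread; the two captures inside it are constructed from the addresses the author reported rather than taken from the attached screenshots. It parses each capture, reports whether a usable default gateway is present (absent, or present but outside the host's own subnet), and for a DHCP client names the DHCP server whose scope needs the router option (003).

```python
"""Flag Windows hosts whose ipconfig /all shows no usable default gateway.

Added example, not from the thread. Both captures are constructed from the
values the author posted (192.168.0.254 static DC, 192.168.0.13 DHCP client
with no gateway); they are not the real attachments.
"""
import ipaddress
import re

# Constructed capture: the domain controller, static address with a gateway.
DC_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : No
   IPv4 Address. . . . . . . . . . . : 192.168.0.254(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 127.0.0.1
"""

# Constructed capture: the Windows 7 client, whose lease carries no router
# option, so the Default Gateway line is empty.
WIN7_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.0.13(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 192.168.0.254
   DNS Servers . . . . . . . . . . . : 192.168.0.254
"""

# "Field name . . . . : value"; the dots are ipconfig's padding.
FIELD_RE = re.compile(r"^\s*([A-Za-z0-9 ]+?)[ .]*:\s*(.*)$")


def parse_ipconfig(text):
    """Return {field: value} for the first adapter block; '' for empty fields."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            name = m.group(1).strip()
            value = m.group(2).strip().replace("(Preferred)", "")
            fields.setdefault(name, value)  # keep the first adapter's value
    return fields


def gateway_check(text):
    """Classify the host's default-gateway situation.

    'ok'          gateway present and inside the host's own subnet
    'missing'     no gateway at all: same-subnet traffic works, anything
                  beyond the LAN has nowhere to go (the thread's symptom)
    'off-subnet'  gateway configured but not reachable from this subnet
    """
    f = parse_ipconfig(text)
    gw = f.get("Default Gateway", "")
    if not gw:
        return "missing"
    iface = ipaddress.ip_interface(f"{f['IPv4 Address']}/{f['Subnet Mask']}")
    return "ok" if ipaddress.ip_address(gw) in iface.network else "off-subnet"


def dhcp_scope_hint(text):
    """For a DHCP client with no gateway, say which server's scope to fix."""
    f = parse_ipconfig(text)
    if f.get("DHCP Enabled") == "Yes" and gateway_check(text) == "missing":
        return (f"add the router (option 003) to the scope on DHCP server "
                f"{f['DHCP Server']}")
    return None


if __name__ == "__main__":
    for label, capture in (("master dc", DC_IPCONFIG), ("win 7", WIN7_IPCONFIG)):
        print(f"{label}: gateway {gateway_check(capture)}")
        hint = dhcp_scope_hint(capture)
        if hint:
            print(f"  -> {hint}")
```

The same check is worth keeping around after the fix: a statically addressed server will keep working while every DHCP client silently loses off-subnet connectivity if the router option is ever dropped from the scope again.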
Matt commented:
The IP default gateway on the switch (the C2950 is Layer 2) is there only for management of the switch itself (telnet, ssh to the switch). It has nothing to do with the clients connected to the switch.
0
mikey250 (Author) commented:
oh my gosh, I must be blind. Yes, I now have internet access via my win 7 laptop after adding the router in dhcp as the default-gateway.
0
mikey250 (Author) commented:
I added the 'default-gateway' because I was lost for ideas, but yes, I did know that if on the same subnet then pings are still successful.

appreciated
0
mikey250 (Author) commented:
even though I had assistance from another expert, I think it only fair to allocate the points to this expert in this specific case. Much appreciated.
0