Solved

ASA 5505 does not provide Windows 7 desktop with internet access

Posted on 2014-09-27
Last Modified: 2014-09-27
Hi, I am running a Windows 2008 domain network plugged into my Cisco 2950 switches and connected to my ASA 5505 firewall, and my internal master DC/AD/DNS/DHCP server provides my DHCP IP allocation as usual.

- fileserver member server - allows the Win 7 desktop below to log on as expected

note: currently I have no GPO configured and all machines are located in the default Computers container, as expected

- my master DC as above receives internet access - as expected currently

Win 7 desktop:

- my Win 7 can ping the master DC, the fileserver and the default gateway 192.168.0.1 successfully

note: I have removed the 'dhcpd' as I do not wish to use the ASA 5505 dhcpd feature, as I already have a functioning internal DHCP

- my Win 7 desktop receives an IP address via my master DC/AD/DNS/DHCP server as expected - successfully

qns1.

my issue:

- my same Win 7 desktop above does not receive internet access. Why?
Attachment: asa5505configp1.txt
Question by: mikey250

Expert Comment

by:Thomas Grassi
ID: 40347576
Does any computer work?
How many Windows 7 computers are on this network?
Does the Windows 2008 Server work?
How about ipconfig /all from the server and this computer?

On the Windows 7 computer, open Network and Sharing Center. What does it show?

Try changing the access-list to this:

access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq 8080
access-list outside_access_in extended permit tcp any interface outside eq https
access-list inside_access_in extended permit ip any any
Author Comment

by:mikey250
ID: 40347591
Hi, I will eventually have 50 Win 7 machines plugged in, but I am checking 1 Win 7 first.

My Win 2008 is working fine, but now I have added the ASA 5505 firewall and I am not sure what I am supposed to add for internet access.

Yes, of course ipconfig /all is correct on all internal machines.

Yes, I have checked my Win 7 and the network sharing for 'domain' is set to 'turn on network discovery'.

I did not add the below as I did not realise this needed to be done:

access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq 8080
access-list outside_access_in extended permit tcp any interface outside eq https
access-list inside_access_in extended permit ip any any
Expert Comment

by:Thomas Grassi
ID: 40347605
So you are able to access the web on the 2008 server?

On the Windows 7, I wanted to know what it shows in the Network and Sharing Center.

It shows the map of the network at the top: is it connected to the internet, or do you have a RED X?
Expert Comment

by:Matt
ID: 40347689
Hi!

What is the default gateway for your clients? Did you set it to the internal interface of the ASA 5505 - I assume 192.168.0.1?

Can you verify and then try to ping:

ping 8.8.8.8

Post your results please, and also "ipconfig /all".
Author Comment

by:mikey250
ID: 40347735
I have set the ASA 5505 back to factory default.

- I have reconfigured inside vlan 1 & outside vlan 2, which are the default VLANs
- yes, my inside is set to: 192.168.0.1 /24
- yes, I have set the inside to: 192.168.0.0 /24
- yes, my master DC server can receive internet access
- no, I cannot ping 8.8.8.8 from my ASA 5505 or my master DC
- yes, I can ping the default gateway 192.168.0.1 from all machines successfully

I have just manually added the IP addresses as below instead of a screenshot.

When I do ipconfig /all on the master DC I receive my internal master DC/AD/DNS/DHCP dynamic settings as usual.

Yes, my Network and Sharing Center is showing the globe for internet access.

ip: 192.168.0.254 /24 - static
dg: 192.168.0.1
dns: 127.0.0.1 - as only 1 DNS server, as expected

Win 7

The 'Network and Sharing Center' globe is greyed out & not showing internet access as expected, & yes a (red x) is showing.

ip: 192.168.0.13/24
dg: 192.168.0.1
lease obtained: 27 sep 2014
lease expires: 03 oct 2014
dhcp: 192.168.0.254
dns: 192.168.0.254

After testing the above for internet access unsuccessfully, I then added the below 'access-list', but same issue: no internet via the Win 7 desktop, but internet via the master DC - successful.

access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq 8080
access-list outside_access_in extended permit tcp any interface outside eq https
access-list inside_access_in extended permit ip any any
Attachment: asaconfig.TXT
Expert Comment

by:Matt
ID: 40347739
On the ASA, type this:

show ip

Post the results. Do you receive a public IP?

You have an ACL "inside_access_in". Where is this ACL applied?

Try adding this:

access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
Author Comment

by:mikey250
ID: 40347776
I have also attached the 'sh ip' output. Yes, all looks correct.
Attachment: asa5505-screenshot-show-ip.docx
Expert Comment

by:Matt
ID: 40347778
OK, from the ASA device you can ping the external world. Can you try this on one of your clients:

ping 8.8.8.8 -t

and monitor the log on your ASA 5505:

show logg | i 8.8.8.8
Author Comment

by:mikey250
ID: 40347795
Yes, I can ping 8.8.8.8 from the ASA - successful.
Expert Comment

by:Matt
ID: 40347798
Now do the same on one of the client computers or the server - ping in a loop:

PING 8.8.8.8 -t

Does it work? If not, what can you see on the ASA in the log records?

On the ASA, type this:

show logg | i 8.8.8.8
Author Comment

by:mikey250
ID: 40347821
Win 7 desktop:

- yes, I did do ping 8.8.8.8 on Win 7 and I receive:

PING: transmit failed. General failure.

ASA & master DC:

I can ping 8.8.8.8 via the ASA & master DC - successful

sh log | i 8.8.8.8 - no info

sh log - enter

facility 20
standby logging: disabled
debug-trace logging - disabled
console logging: disabled
monitor logging: disabled
buffer logging: disabled
trap logging: disabled
permit-hostdown logging:  disabled
history logging: disabled
device id: disabled
mail logging: disabled
asdm logging: level information, 0 messages logged
Expert Comment

by:Matt
ID: 40347823
Raise the logging level on the Cisco ASA with these commands:

logging enable
logging timestamp
logging standby
logging buffer-size 1024000
logging monitor informational
logging buffered informational
logging trap debugging
logging asdm informational
logging facility 23


Can you attach "ipconfig /all" from the Domain Controller and "ipconfig /all" from one of the clients... It seems that your clients don't know where to send packets with a destination outside your LAN subnet.
Expert Comment

by:Matt
ID: 40347836
Is your domain controller on the same switch as your clients?
Author Comment

by:mikey250
ID: 40347851
Hi Matt, I have 3 Cisco 2950s.

ASA
- eth0 cabled - connected to the Virgin hub to the ISP
- eth1 cabled - connected to the VTP server (primary) switch int fa0/8, int vlan 1 default currently for all VLANs - until I resolve this Win 7 no-internet-access issue
Set as below, with ip default-gateway set on all 3 switches:

Fault tolerance is set up for both VTP servers below and works successfully.
- VTP server (primary) - master DC/AD/DNS/DHCP server & file server attached
- VTP server (secondary) - nothing attached
- VTP client (access) - Win 7 desktop attached
Attachment: master-dc-ipconfig-screenshot.docx
Attachment: win-7-ipconfig-screenshot.docx
Accepted Solution

by: Matt (earned 500 total points)
ID: 40347865
Bingo... your DHCP server does not send default gateway information to the clients. In your docx files, the master DC has its default gateway set to 192.168.0.1; the Win 7 client has no default gateway. Check your DHCP server in case you forgot to set the default gateway in your DHCP scope.

The client got IP address 192.168.0.13, DNS and DHCP are 192.168.0.254, Default Gateway is EMPTY...

If you don't use IPv6 in your network, untick the IPv6 option in the TCP/IP settings of the NIC properties.

Let me know if you are now able to ping and access the external world.

P.S.: Clients can always ping other clients on the SAME subnet; to do this they don't need a default gateway because their packets never leave the LAN subnet.
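As an added illustration (not code from the thread or from either poster), the check below parses constructed ipconfig /all excerpts modelled on the values posted above and reports why the DC can reach 8.8.8.8 while the Win 7 client cannot: the client's DHCP lease carries no router (DHCP option 3), so it has no route off 192.168.0.0/24.

```python
import ipaddress
import re

# Constructed ipconfig /all excerpts modelled on the two hosts in the thread
# (the DC is static with a gateway; the Win 7 client has a lease with none).
IPCONFIG_DC = """
   IPv4 Address. . . . . . . . . . . : 192.168.0.254(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 127.0.0.1
"""
IPCONFIG_WIN7 = """
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.0.13(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 192.168.0.254
   DNS Servers . . . . . . . . . . . : 192.168.0.254
"""

FIELDS = {"ip": "IPv4 Address", "mask": "Subnet Mask",
          "gateway": "Default Gateway", "dhcp": "DHCP Server"}

def parse_ipconfig(text):
    """Pull the fields we care about out of one adapter's ipconfig /all output.
    A label whose value is blank (as 'Default Gateway' is on the client) maps to None."""
    cfg = {}
    for key, label in FIELDS.items():
        m = re.search(re.escape(label) + r"[ .]*: *([0-9.]*)", text)
        cfg[key] = (m.group(1) or None) if m else None
    return cfg

def check_gateway(cfg):
    """Return findings explaining why traffic to an off-subnet host such as
    8.8.8.8 cannot leave this host; an empty list means routing looks sane."""
    findings = []
    if not cfg["ip"] or not cfg["mask"]:
        return ["no IPv4 address/mask configured"]
    net = ipaddress.ip_interface(f"{cfg['ip']}/{cfg['mask']}").network
    if not cfg["gateway"]:
        findings.append(f"no default gateway: host can only reach {net}")
        if cfg["dhcp"]:  # lease came from DHCP, so the scope is missing option 3
            findings.append(f"DHCP server {cfg['dhcp']} is not handing out option 3 (router)")
    elif ipaddress.ip_address(cfg["gateway"]) not in net:
        findings.append(f"gateway {cfg['gateway']} is outside {net}")
    return findings

if __name__ == "__main__":
    for name, text in (("master dc", IPCONFIG_DC), ("win 7", IPCONFIG_WIN7)):
        print(name, check_gateway(parse_ipconfig(text)) or ["ok"])
```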
Expert Comment

by:Matt
ID: 40347903
The IP default gateway on the switch (the C2950 is Layer 2) is only there for management of the switch itself (telnet, SSH to the switch). It has nothing to do with the clients connected to the switch.
Author Comment

by:mikey250
ID: 40347927
Oh my gosh, I must be blind. Yes, I now have internet access via my Win 7 laptop after adding the router in DHCP as the default gateway.
Author Comment

by:mikey250
ID: 40347931
I added the 'default-gateway' because I was lost for ideas, but yes, I did know that if on the same subnet then pings are still successful.

Appreciated.
Author Closing Comment

by:mikey250
ID: 40347940
Even though I had assistance from another expert, I think it only fair to allocate the points to this expert in this specific case. Much appreciated.