
cant access internet


ekke

Hi, I'm pretty new to ASA, so here it is. I can't access the internet. I have checked everything I can think of, but it still won't work, so I'm posting the config in the hope that someone can help me.


!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 194.237.*.* 255.255.255.0
ospf cost 10
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 192.168.1.254 255.255.255.0
ospf cost 10
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.100.1 255.255.255.0
ospf cost 10
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name *
object-group service Tomcat tcp
port-object eq 8080
access-list Outside_access_in extended permit tcp any host 192.168.1.23 eq smtp
access-list Outside_access_in extended permit tcp any host 192.168.1.8 eq www
access-list Outside_access_in extended permit tcp any host 192.168.1.8 eq https
access-list Outside_access_in extended permit tcp any host 192.168.1.8 eq pop3
access-list Outside_access_in extended permit tcp any host 192.168.1.13 eq 8080
access-list Outside_access_in extended permit tcp any host 192.168.1.13 eq ftp
access-list outside_in extended permit tcp any host 194.237.*.* eq www
pager lines 24
logging enable
logging asdm informational
mtu Outside 1499
mtu Inside 1499
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (Outside) 101 interface
nat (Inside) 0 0.0.0.0 0.0.0.0
nat (management) 101 0.0.0.0 0.0.0.0
static (Inside,Outside) tcp 194.237.*.* 255.255.255.255
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 194.237.*.*
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 Inside
http 192.168.2.0 255.255.255.0 Inside
http 192.168.100.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 192.168.2.0 255.255.255.255 Inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp

//:tech-man
 
Your NAT and Global statements have to have the same IDs. Change this
nat (Inside) 0 0.0.0.0 0.0.0.0
to
nat (Inside) 101 0.0.0.0 0.0.0.0



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Hi, and thanks for the reply. After I submitted my config I made some changes, and of course still did not get it to work.

I also tried your way but no luck, so here is the new config
to take a look at.

interface Ethernet0/0
nameif Outside
security-level 0
ip address 194.237.*.* 255.255.255.0
ospf cost 10
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 192.168.1.254 255.255.255.0
ospf cost 10
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.100.1 255.255.255.0
ospf cost 10
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name slgint.com
object-group service Tomcat tcp
port-object eq 8080
access-list Outside_access_in extended permit tcp any host 192.168.1.23 eq smtp
access-list Outside_access_in extended permit tcp any host 192.168.1.8 eq www
access-list Outside_access_in extended permit tcp any host 192.168.1.8 eq https
access-list Outside_access_in extended permit tcp any host 192.168.1.8 eq pop3
access-list Outside_access_in extended permit tcp any host 192.168.1.13 eq 8080
access-list Outside_access_in extended permit tcp any host 192.168.1.13 eq ftp
access-list Outside_access_in extended permit tcp any host 194.237.*.* eq www
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool web_vpn_pool 10.10.10.1-10.10.10.99 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (Outside) 101 interface
nat (Inside) 101 0.0.0.0 0.0.0.0
static (Inside,Outside) tcp 194.237.*.* 255.255.255.255
static (Inside,Outside) 194.237.*.* 192.168.1.10 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 194.237.*.* 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server ldap_web_vpn protocol ldap
aaa-server ldap_web_vpn host 192.168.1.8
ldap-base-dn OU=ftp,OU=*,DC=*,DC=com
ldap-scope onelevel
ldap-naming-attribute sAMAccountName
ldap-login-password *
ldap-login-dn CN=Administrator,CN=Users,DC=*,DC=com
server-type microsoft
http server enable
http 192.168.1.0 255.255.255.0 Inside
http 192.168.2.0 255.255.255.0 Inside
http 192.168.100.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 192.168.2.0 255.255.255.255 Inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
webvpn
enable Outside
 
Another note: I think I'm missing some access list for
inside--->out but don't know how to write it.
 
Do you only have 1 IP or do you have multiple ones?
This line
static (Inside,Outside) 194.237.*.* 192.168.1.10 netmask 255.255.255.255
says all traffic going into 194.237.*.* gets pushed to the 192.168.1.10 computer inside. If you only have 1 IP, all your traffic goes to this PC regardless of whether or not it requested it. To fix this, take this line out.

Now:
You will need to copy this line, changing the service to whatever you want, and add one for each service

static (Inside,Outside) tcp 194.237.*.* www 192.168.1.10 www netmask 255.255.255.255

- putting tcp in there only redirects that port and not all traffic - it functions as PAT instead of NAT.


You will also want to change these
access-list Outside_access_in extended permit tcp any host 192.168.1.23 eq smtp
access-list Outside_access_in extended permit tcp any host 192.168.1.8 eq www
access-list Outside_access_in extended permit tcp any host 192.168.1.8 eq https
access-list Outside_access_in extended permit tcp any host 192.168.1.8 eq pop3
access-list Outside_access_in extended permit tcp any host 192.168.1.13 eq 8080
access-list Outside_access_in extended permit tcp any host 192.168.1.13 eq ftp
so that the IP is that of your interface or use the "interface outside" option.

access-list Outside_access_in extended permit tcp any host interface outside eq ftp

Give that a whirl and see.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Oops, change that ACL to be
access-list Outside_access_in extended permit tcp any interface outside eq ftp
or
access-list Outside_access_in extended permit tcp any host 192.237.X.X eq ftp


Brent
Systems Engineer / Consultant
CCNP, CCSP
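The three problems Brent points out above (a nat ID with no matching global, a one-to-one static that maps the interface's own address to one inside host, and an inbound outside ACL that names private inside addresses) can be caught mechanically in a pre-8.3 ASA config. The checker below is an added example written for this thread, not code from the thread or from Cisco; the sample config is constructed with invented addresses in the spirit of the posted ones.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the spirit of the configs posted above (addresses invented, not the poster's).
SAMPLE_CONFIG = """
interface Ethernet0/0
 nameif Outside
 ip address 194.237.1.2 255.255.255.0
global (Outside) 101 interface
nat (Inside) 0 0.0.0.0 0.0.0.0
static (Inside,Outside) 194.237.1.2 192.168.1.10 netmask 255.255.255.255
access-list Outside_access_in extended permit tcp any host 192.168.1.23 eq smtp
access-list Outside_access_in extended permit tcp any host 194.237.1.2 eq www
access-group Outside_access_in in interface Outside
"""

def check_pre83_config(text):
    if_addr, nat_ids, global_ids, cur = {}, {}, set(), None
    statics, acl_hosts, applied = [], defaultdict(list), {}
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"nameif (\S+)", line):
            cur = m.group(1)
        elif (m := re.match(r"ip address (\S+)", line)) and cur:
            if_addr[cur] = m.group(1)
        elif m := re.match(r"global \(\S+\) (\d+)", line):
            global_ids.add(m.group(1))
        elif m := re.match(r"nat \((\S+)\) (\d+)", line):
            nat_ids[m.group(2)] = m.group(1)
        elif m := re.match(r"static \(\S+,(\S+)\) (\d+\.\S+) (\S+) netmask", line):
            statics.append(m.groups())  # (outside ifc, global ip, local ip); port statics are skipped
        elif m := re.match(r"access-list (\S+) .* host (\S+) ", line):
            acl_hosts[m.group(1)].append(m.group(2))
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            applied[m.group(1)] = m.group(2)
    findings = []
    # 1. Each nat ID needs a global with the same ID (ID 0 is identity NAT: no translation at all).
    for nid, ifc in nat_ids.items():
        if nid not in global_ids:
            findings.append(f"nat ({ifc}) {nid} has no matching global statement")
    # 2. A one-to-one static on the interface's own address sends all unsolicited inbound traffic to that host.
    for ifc, gip, lip in statics:
        if if_addr.get(ifc) == gip:
            findings.append(f"static maps interface address {gip} wholesale to {lip}")
    # 3. Pre-8.3 ACLs match before NAT, so an inbound outside ACL must name the public address.
    for acl, ifc in applied.items():
        for host in acl_hosts.get(acl, []):
            if ipaddress.ip_address(host).is_private:
                findings.append(f"{acl} on {ifc} names private host {host}; use the public address")
    return findings
```

Run it over a `show running-config` dump instead of the sample to get one line per finding; it only understands the pre-8.3 nat/global/static syntax used in this thread.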
 
Hi.
Yes, we have multiple IPs.
The main one is 194.237.A.B,
the secondary is 194.237.A.C,
and GW = 194.237.A.A.

I have made the changes but can't test the config because I made the changes remotely and there is no one to switch the cable for me.

So maybe you can take a look at it and see if there is anything else wrong.

We are using external IP 194.237.A.B as the main IP
for mail, https, etc. and internet surfing.
All the other IPs are supposed to work as mapped IPs.

Thanks //:EkkE

names
dns-guard
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 194.237.A.B 255.255.255.0
ospf cost 10
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 192.168.1.254 255.255.255.0
ospf cost 10
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.100.1 255.255.255.0
ospf cost 10
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name *.com
object-group service Tomcat tcp
port-object eq 8080
access-list Outside_access_in extended permit tcp any host 194.237.A.C eq www
access-list Outside_access_in extended permit tcp any host 194.237.A.B eq smtp
access-list Outside_access_in extended permit tcp any host 194.237.A.B eq www
access-list Outside_access_in extended permit tcp any host 194.237.A.B eq https
access-list Outside_access_in extended permit tcp any host 194.237.A.B eq pop3
access-list Outside_access_in extended permit tcp any host 194.237.A.B eq 8080
access-list Outside_access_in extended permit tcp any host 194.237.A.B eq ftp
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool web_vpn_pool 10.10.10.1-10.10.10.99 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (Outside) 101 interface
nat (Inside) 101 0.0.0.0 0.0.0.0
static (Inside,Outside) tcp 194.237.A.C 255.255.255.255
static (Inside,Outside) tcp 194.237.A.B smtp 192.168.1.8 smtp netmask 255.255.255.255
static (Inside,Outside) tcp 194.237.A.B 255.255.255.255
static (Inside,Outside) tcp 194.237.A.B https 192.168.1.8 https netmask 255.255.255.255
static (Inside,Outside) tcp 194.237.A.B pop3 192.168.1.8 pop3 netmask 255.255.255.255
static (Inside,Outside) tcp 194.237.A.B ftp 192.168.1.8 ftp netmask 255.255.255.255
static (Inside,Outside) 194.237.A.C 192.168.1.10 netmask 255.255.255.255
route Outside 0.0.0.0 0.0.0.0 194.237.A.A 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server ldap_web_vpn protocol ldap
aaa-server ldap_web_vpn host 192.168.1.8
ldap-base-dn OU=ftp,OU=Stockholm,DC=*,DC=com
ldap-scope onelevel
ldap-naming-attribute sAMAccountName
ldap-login-password *
ldap-login-dn CN=Administrator,CN=Users,DC=*,DC=com
server-type microsoft
http server enable
http 192.168.100.0 255.255.255.0 management
http 192.168.2.0 255.255.255.0 Inside
http 192.168.1.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 192.168.2.0 255.255.255.255 Inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
webvpn
enable Outside
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool web_vpn_pool
tunnel-group DefaultWEBVPNGroup ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:771672c343e4d39e2c5db6705c62a6dd
: end
 
Hello again.

I have done more detective work. I also added ICMP to allow ping through the ASA and found out that I can ping external servers by IP. I can also access servers on the internet with RDP (remote desktop).
So now it seems I have a DNS problem. When I added a static DNS to my client I was able to surf the internet as usual, no problem.

So how do we fix this?

Today we have our own DNS server located on our main Active Directory server that forwards internet requests.

//:EkkE
 
Check to see what's happening with the DNS server. Try to connect out from the server and test the DNS server with the query options in the DNS MMC snap-in. You can add a static DNS entry to your server to see if that will connect out.

Does the server do DHCP as well? Make sure the DHCP options are set correctly - DNS servers, gateway, etc.




Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Hey, finally got it to work, thanks for all the help.
But now one last problem!
I can't access our Outlook Web Access from the inside network
when typing the correct external web address.

//:EkkE
 