topic Re: LAN USERS UNABLE TO BROWSE INTERNET AFTER CISCO ROUTER WITH CISCO ASA FOR INTERNET ACCESS CONFIGURATION in Network Security

LAN USERS UNABLE TO BROWSE INTERNET AFTER CISCO ROUTER WITH CISCO ASA FOR INTERNET ACCESS CONFIGURATION

ladilayo — Mon, 29 Mar 2021 19:03:41 GMT

Hi All,

After configuring both the router and firewall for LAN internet access the LAN computers was able to ping 8.8.8.8, 4.2.2.2 and 172.217.171.196 from their systems but was unable to load any page from the browser on the same system. I cannot ping the above IP from the firewall but can ping them from the router. Below are my router and firewall configuration, Also the packet tracer done.

I will appreciate if somebody can assist on what I have done wrong.

Router Configurations:

Building configuration...

Current configuration : 2508 bytes
!
! Last configuration change at 17:24:20 UTC Mon Mar 29 2021
! NVRAM config last updated at 17:24:33 UTC Mon Mar 29 2021
! NVRAM config last updated at 17:24:33 UTC Mon Mar 29 2021
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ********_HQINTERNET
!
boot-start-marker
boot-end-marker
!

!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
ip name-server 8.8.8.8
ip name-server 4.2.2.2
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO1941/K9
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description ***_INTERNET
ip address *.*.*.58 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description ********_TOINTERNETASA
ip address 10.0.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
no ip address
!
interface GigabitEthernet0/0/1
no ip address
!
interface GigabitEthernet0/0/2
no ip address
!
interface GigabitEthernet0/0/3
no ip address
!
interface Vlan1
no ip address
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.1.6 491 *.*.*.58 491 extendable
ip nat inside source static tcp 192.168.1.4 9996 *.*.*.58 9996 extendable
ip route 0.0.0.0 0.0.0.0 *.*.*.57

ip route 192.168.1.0 255.255.255.0 10.0.0.2
!
access-list 1 permit 192.168.1.0 0.0.0.255
control-plane

Firewall Configurations:

Saved

:
: Serial Number: JAD24071TW5
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.8(2)
!
hostname ******internetasa
domain-name *********.com

xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names

!
interface GigabitEthernet1/1
description CONNECTION FROM ROUTER
nameif outside
security-level 0
ip address 10.0.0.2 255.255.255.0
!
interface GigabitEthernet1/2
description CONNECTION TO INTERNAL LAN SWITCH
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0

!
interface Management1/1
management-only
nameif management
security-level 0
ip address 10.1.1.1 255.255.255.0
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 4.2.2.2 outside
name-server 8.8.8.8 outside
name-server 192.168.1.5 inside
domain-name ********.com
object network inside_mapped
subnet 192.168.1.0 255.255.255.0
object network internal-lan
subnet 192.168.1.0 255.255.255.0
object network 192.168.1.6
host 192.168.1.6
object network 192.168.1.4
host 192.168.1.4
object-group service Goglobal tcp
port-object eq 491
object-group network DM_INLINE_NETWORK_1
network-object object 192.168.1.6
network-object object internal-lan
object-group network DM_INLINE_NETWORK_2
network-object object 192.168.1.4
network-object object internal-lan
object-group service Mobile tcp
port-object eq 9996
object-group network DM_INLINE_NETWORK_3
network-object 192.168.1.0 255.255.255.0
network-object object internal-lan
access-list OUTSIDE-IN extended permit icmp any any echo-reply
access-list OUTSIDE-IN extended deny ip any any log
access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_3 any log
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq 491 log
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_2 eq 9996 log
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network internal-lan
nat (inside,outside) static inside_mapped
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 10.1.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 513fb9743870b73440418d30930699ff

quit

dhcpd address 10.1.1.2-10.1.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
inspect icmp
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable

Packet tracer Result

*******internetasa# packet-tracer input inside tcp 192.168.1.1 80 172.217.171.$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.0.0.1 using egress ifc outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

*******internetasa# packet-tracer input inside tcp 192.168.1.9 80 172.217.171.$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.0.0.1 using egress ifc outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip object internal-lan any log
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network internal-lan
nat (inside,outside) static inside_mapped
Additional Information:
Static translate 192.168.1.9/80 to 192.168.1.9/80

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 332844, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

I will appreciate a favorable solutions.

Re: LAN USERS UNABLE TO BROWSE INTERNET AFTER CISCO ROUTER WITH CISCO ASA FOR INTERNET ACCESS CONFIGURATION

Rob Ingram — Mon, 29 Mar 2021 19:21:51 GMT

@ladilayo

If you are natting on the ASA from 192.168.1.0 to 192.168.1.0 why not just route the traffic instead. Remove the nat rule (no object network internal-lan) on the ASA, as the router is already configured to nat the 192.168.1.0 traffic anyway.

Re: LAN USERS UNABLE TO BROWSE INTERNET AFTER CISCO ROUTER WITH CISCO ASA FOR INTERNET ACCESS CONFIGURATION

ladilayo — Mon, 29 Mar 2021 19:58:08 GMT

Hi Rob,

I got this error

internetasa(config)# no object network internal-lan
ERROR: unable to delete object (internal-lan). object is being used.

Regards

Ladilayo

Re: LAN USERS UNABLE TO BROWSE INTERNET AFTER CISCO ROUTER WITH CISCO ASA FOR INTERNET ACCESS CONFIGURATION

Rob Ingram — Mon, 29 Mar 2021 20:13:40 GMT

That object is in use by the object group DM_INLINE_NETWORK_3, perhaps just remove the nat command from it.

object network internal-lan
 no nat (inside,outside) static inside_mapped

Or remove the object internal-lan from the object-group

Re: LAN USERS UNABLE TO BROWSE INTERNET AFTER CISCO ROUTER WITH CISCO ASA FOR INTERNET ACCESS CONFIGURATION

ladilayo — Mon, 29 Mar 2021 21:08:33 GMT

Hi Rob,

The nat command was removed, but the LAN computer could not browse internet can only ping the IP.

Regards

Ladilayo

Re: LAN USERS UNABLE TO BROWSE INTERNET AFTER CISCO ROUTER WITH CISCO ASA FOR INTERNET ACCESS CONFIGURATION

Rob Ingram — Mon, 29 Mar 2021 21:22:17 GMT

@ladilayo

The LAN computer has the correct DNS servers configured?

Are you pinging the IP address or the hostname?

Provide the updated packet-tracer output simulating traffic, use the source of the LAN computer.

Re: LAN USERS UNABLE TO BROWSE INTERNET AFTER CISCO ROUTER WITH CISCO ASA FOR INTERNET ACCESS CONFIGURATION

ladilayo — Mon, 29 Mar 2021 22:24:44 GMT

Hello Rob,

The DNS was correctly done

Below is the Packet tracer result

internetasa# packet-tracer input inside tcp 192.168.1.4 80 172.217.171.$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.0.0.1 using egress ifc outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_3 any log
object-group network DM_INLINE_NETWORK_3
network-object 192.168.1.0 255.255.255.0
network-object object internal-lan
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 361463, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow