topic Re: Unable to browse websites from inside LAN 5506-X in Network Security

Unable to browse websites from inside LAN 5506-X

noelcox — Wed, 07 Feb 2024 07:33:22 GMT

Hi All,

I am currently configuring a 5506-X for my home network. Currently, I can ping outside IP addresses, but cannot browse to any websites. Browser messages like "Can't reach this page" or "took too long to respond".

DNS is configured, NSlookup works fine

Any assistance would be greatly appreciated

Config below:

hostname ciscoasa
domain-name ciscoasa
enable password xxx
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd lz0KX8ev8B0kt0XS encrypted
names

!
interface GigabitEthernet1/1
nameif WAN
security-level 100
ip address 192.168.15.50 255.255.255.0
!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2.10
shutdown
no vlan
no nameif
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet1/2.20
shutdown
no vlan
no nameif
security-level 100
ip address 192.168.20.1 255.255.255.0
!
interface GigabitEthernet1/2.30
shutdown
no vlan
no nameif
security-level 100
ip address 192.168.30.1 255.255.255.0
!
interface GigabitEthernet1/2.40
shutdown
no vlan
no nameif
security-level 100
ip address 192.168.40.1 255.255.255.0
!
interface GigabitEthernet1/2.50
shutdown
no vlan
no nameif
security-level 100
ip address 192.168.50.1 255.255.255.0
!
interface GigabitEthernet1/3
nameif Inside
security-level 100
ip address 10.14.153.2 255.255.255.0
!
interface GigabitEthernet1/4
nameif DMZ
security-level 50
ip address 192.168.1.150 255.255.255.0
!
interface GigabitEthernet1/5
nameif test
security-level 90
ip address 10.0.1.1 255.255.255.0
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
shutdown
no nameif
no security-level
ip address 172.16.1.1 255.255.255.0
!
boot system disk0:/asa982-lfbff-k8.SPA
boot system disk0:/asa981-lfbff-k8.SPA
boot system disk0:/asdm-782.bin
ftp mode passive
dns server-group DefaultDNS
domain-name ciscoasa
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj_vlan_10
subnet 192.168.10.0 255.255.255.0
object network obj_vlan_20
subnet 192.168.20.0 255.255.255.0
object network obj_vlan_30
subnet 192.168.30.0 255.255.255.0
object network obj_vlan_40
subnet 192.168.40.0 255.255.255.0
object network obj_vlan_50
subnet 192.168.50.0 255.255.255.0
object network DMZ
subnet 192.168.1.0 255.255.255.0
object network inside
subnet 10.14.153.0 255.255.255.0
access-list inside extended permit icmp any any
access-list INSIDE extended permit tcp any any eq www
access-list INSIDE extended permit tcp any any eq https
pager lines 24
logging enable
logging asdm informational
mtu WAN 1500
mtu Inside 1500
mtu DMZ 1500
mtu test 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-782.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
nat (Inside,WAN) after-auto source dynamic any interface
nat (DMZ,WAN) after-auto source dynamic any interface
route WAN 0.0.0.0 0.0.0.0 192.168.15.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 0.0.0.0 0.0.0.0 Inside
http 10.14.153.0 255.255.255.0 test
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh 10.14.153.0 255.255.255.0 Inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd address 10.0.1.5-10.0.1.250 test
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username asdm password
username admin password
username bipin password
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
inspect icmp
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:86c12e853db38591da614f2ec3826c8d

Re: Unable to browse websites from inside LAN 5506-X

Marvin Rhoads — Wed, 07 Feb 2024 07:54:45 GMT

The ASA config is pretty basic and a quick glance appears to have the necessary elements for traffic to pass. Please run the following command from the ASA cli enable mode and share the results:

packet tracer input Inside tcp 10.14.153.10 1234 8.8.8.8 443

Re: Unable to browse websites from inside LAN 5506-X

Aref Alsouqi — Wed, 07 Feb 2024 09:22:22 GMT

Your WAN interface is configured with the security level 100, is that intended? By default the ASA won't allow the traffic to pass between the interfaces that have the same security level, so I think the security level of the WAN interface should be changed to 0.

nterface GigabitEthernet1/1
nameif WAN
security-level 100 <- this should be replaced with 0
ip address 192.168.15.50 255.255.255.0

Re: Unable to browse websites from inside LAN 5506-X

MHM Cisco World — Wed, 07 Feb 2024 12:22:40 GMT

You have issue with MSS

Check this link

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113137-asa-83-browse-00.html

MHM

Re: Unable to browse websites from inside LAN 5506-X

noelcox — Thu, 08 Feb 2024 23:12:49 GMT

Yes, I noticed that and it had actually been changed to 0, but still not working

Re: Unable to browse websites from inside LAN 5506-X

noelcox — Thu, 08 Feb 2024 23:14:58 GMT

ciscoasa# packet-tracer input Inside tcp 10.14.153.10 1234 8.8.8.8 443

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.15.1 using egress ifc WAN

Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map http-map1
match access-list http-list2
policy-map global_policy
class http-map1
set connection advanced-options mss-map
service-policy global_policy global
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside,WAN) source static any interface
Additional Information:
Static translate 10.14.153.10/1234 to 192.168.15.50/1234

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (Inside,WAN) source static any interface
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 32150, packet dispatched to next module

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: WAN
output-status: up
output-line-status: up
Action: allow

Re: Unable to browse websites from inside LAN 5506-X

noelcox — Fri, 09 Feb 2024 04:19:26 GMT

I have implemented the below from another chat, but no change:

ASA-5510-8x(config)# access-list http-list2 permit ip any any

ASA-5510-8x(config)# class-map http-map1

ASA-5510-8x(config-cmap)# match access-list http-list2

ASA-5510-8x(config-cmap)# exit

ASA-5510-8x(config)# tcp-map mss-map

ASA-5510-8x(config-tcp-map)# exceed-mss allow

ASA-5510-8x(config-tcp-map)# exit

ASA-5510-8x(config)# policy-map global_policy

ASA-5510-8x(config-pmap)# class http-map1

ASA-5510-8x(config-pmap-c)# set connection advanced-options mss-map

ASA-5510-8x(config-pmap-c)# exit

ASA-5510-8x(config-pmap)# exit

Re: Unable to browse websites from inside LAN 5506-X

MHM Cisco World — Fri, 09 Feb 2024 06:00:41 GMT

did you add this policy to service ?
MHM

Re: Unable to browse websites from inside LAN 5506-X

Aref Alsouqi — Fri, 09 Feb 2024 11:29:56 GMT

The packet capture shows that the traffic should be allowed so it should work. However, your WAN interface has a private IP (192.168.15.50), so the question is, do you have NAT applied on the ISP device for that traffic? or is it going out to the internet un-NAT'ed? if it goes without any NAT it would most likely be dropped by the ISP. Also, I'm not sure if you changed anything on the NAT config since you pasted the configs in your original post, but the packet capture is showing the "nat (Inside,WAN) source static" applied to the traffic. The NAT rule should be configured with "source dynamic" as you are doing PAT (many-to-one) in this case.

Re: Unable to browse websites from inside LAN 5506-X

johnlloyd_13 — Sat, 10 Feb 2024 02:10:11 GMT

hi,

do you have a DHCP configured for 10.14.153.0/24? do you have an internal DNS server?

can you post a ipconfig /all from a windows command prompt?

try to connect your laptop directly in g1/3, manually set your LAN IP settings:

IP: 10.14.153.3
SM: 255.255.255.0
GW: 10.14.153.2
DNS: 8.8.8.8