topic Tracert and Ping to 8.8.8.8 works but cant access the Internet in Network Security

Tracert and Ping to 8.8.8.8 works but cant access the Internet

mamoussou — Wed, 09 Oct 2024 14:59:41 GMT

Please help. I have an ASA 5506-x connected to a 3750 swich. I cant ping 8.8.8.8 or anything external from the switch. I cant ping the other vlan subnets either ( the ASA has the route back to these). However, I can ping 8.8.8.8 and tracert successfully from client connected to the switch, but cant access the internet. What could be the problem?

ASA CONFIG

interface GigabitEthernet1/1
nameif OUTSIDE
security-level 0
ip address 154.113.70.206 255.255.255.252
!
interface GigabitEthernet1/2
nameif INSIDE
security-level 100
ip address 192.168.100.1 255.255.255.252
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns domain-lookup OUTSIDE
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 41.75.80.84
name-server 8.8.4.4
domain-name gaclos.local
object network obj_DATA_128
subnet 192.168.200.128 255.255.255.128
description DATA network
object network obj_VOICE_32
subnet 192.168.200.32 255.255.255.224
object network obj_PSEC_16
subnet 192.168.200.16 255.255.255.240
description PSEC network
object network obj_CUCME_0
subnet 192.168.200.0 255.255.255.248
description CUCME
object network obj_APAPA_44
subnet 10.251.44.0 255.255.255.0
description Apapa Mgmt
object network obj_APAPA_45
subnet 10.251.45.0 255.255.255.0
description Apapa CUCME
object network obj_APAPA_46
subnet 10.251.46.0 255.255.255.0
object network obj_APAPA_47
subnet 10.251.47.0 255.255.255.0
description Apapa WiFi
object network obj_APAPA_48
subnet 10.251.48.0 255.255.255.0
description Apapa LAN
object network obj_APAPA_49
subnet 10.251.49.0 255.255.255.0
description Apapa Voice
object network obj_APAPA_50
subnet 10.251.50.0 255.255.255.0
description Apapa Servers
object-group network GAC_PHC_NETWORK
description PHC_NETWORK
network-object 192.168.100.0 255.255.255.252
network-object object obj_CUCME_0
network-object object obj_DATA_128
network-object object obj_PSEC_16
network-object object obj_VOICE_32
object-group network GAC_APAPA_NETWORK
description APAPA Network
network-object object obj_APAPA_44
network-object object obj_APAPA_45
network-object object obj_APAPA_46
network-object object obj_APAPA_47
network-object object obj_APAPA_48
network-object object obj_APAPA_49
network-object object obj_APAPA_50
object-group service TCPUDP tcp
port-object eq 587
access-list OUTSIDE_cryptomap extended permit ip object-group GAC_PHC_NETWORK object-group GAC_APAPA_NETWORK
access-list INSIDE_access_in extended permit tcp any any eq domain
access-list INSIDE_access_in extended permit icmp any any
access-list INSIDE_access_in extended permit tcp any any eq www
access-list INSIDE_access_in extended permit tcp any any eq https
access-list INSIDE_access_in extended permit tcp any any eq 587
access-list INSIDE_access_in extended permit udp any any eq isakmp
access-list INSIDE_access_in extended permit tcp any any eq pop3
access-list OUTSIDE_access_in extended permit icmp any any
access-list OUTSIDE_access_in extended permit ip any any
access-list INSIDE extended permit ip any any
pager lines 24
mtu OUTSIDE 1500
mtu INSIDE 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (INSIDE,OUTSIDE) source static GAC_PHC_NETWORK GAC_PHC_NETWORK destination static GAC_APAPA_NETWORK GAC_APAPA_NETWORK no-proxy-arp route-lookup
!
object network obj_DATA_128
nat (any,OUTSIDE) dynamic interface
object network obj_PSEC_16
nat (any,OUTSIDE) dynamic interface
access-group OUTSIDE_access_in in interface OUTSIDE
access-group INSIDE_access_in in interface INSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 154.113.70.205 1
route INSIDE 192.168.200.0 255.255.255.248 192.168.100.2 1
route INSIDE 192.168.200.16 255.255.255.240 192.168.100.2 1
route INSIDE 192.168.200.32 255.255.255.224 192.168.100.2 1
route INSIDE 192.168.200.128 255.255.255.128 192.168.100.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication login-history
http server enable 8080
http 0.0.0.0 0.0.0.0 OUTSIDE
http 0.0.0.0 0.0.0.0 INSIDE
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map OUTSIDE_map 1 match address OUTSIDE_cryptomap
crypto map OUTSIDE_map 1 set peer 197.253.33.66
crypto map OUTSIDE_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map OUTSIDE_map interface OUTSIDE
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable OUTSIDE
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 OUTSIDE
ssh 0.0.0.0 0.0.0.0 INSIDE
ssh timeout 15
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl cipher default custom "AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA"
ssl cipher tlsv1 custom "AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA"
ssl cipher dtlsv1 custom "AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA"
group-policy GroupPolicy_197.253.33.66 internal
group-policy GroupPolicy_197.253.33.66 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_41.75.82.94 internal
dynamic-access-policy-record DfltAccessPolicy
username mamoussou password $sha512$5000$+0/X7IbvSP+ZET/aSSnjXg==$2YHiAXAsFLlOsrbIte63lA== pbkdf2 privilege 15
tunnel-group 197.253.33.66 type ipsec-l2l
tunnel-group 197.253.33.66 general-attributes
default-group-policy GroupPolicy_197.253.33.66
tunnel-group 197.253.33.66 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
inspect icmp
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection

ROUTES

nat (INSIDE,OUTSIDE) source static GAC_PHC_NETWORK GAC_PHC_NETWORK destination static GAC_APAPA_NETWORK GAC_APAPA_NETWORK no-proxy-arp route-lookup
route OUTSIDE 0.0.0.0 0.0.0.0 154.113.70.205 1
route INSIDE 192.168.200.0 255.255.255.248 192.168.100.2 1
route INSIDE 192.168.200.16 255.255.255.240 192.168.100.2 1
route INSIDE 192.168.200.32 255.255.255.224 192.168.100.2 1
route INSIDE 192.168.200.128 255.255.255.128 192.168.100.2 1
timeout igp stale-route 0:01:10

NAT and ACLs

sh nat
Manual NAT Policies (Section 1)
1 (INSIDE) to (OUTSIDE) source static GAC_PHC_NETWORK GAC_PHC_NETWORK destination static GAC_APAPA_NETWORK GAC_APAPA_NETWORK no-proxy-arp route-lookup
translate_hits = 8, untranslate_hits = 8

Auto NAT Policies (Section 2)
1 (any) to (OUTSIDE) source dynamic obj_PSEC_16 interface
translate_hits = 0, untranslate_hits = 0
2 (any) to (OUTSIDE) source dynamic obj_DATA_128 interface
translate_hits = 15217, untranslate_hits = 1081

# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list OUTSIDE_cryptomap; 35 elements; name hash: 0x7d0700c2
access-list OUTSIDE_cryptomap line 1 extended permit ip object-group GAC_PHC_NETWORK object-group GAC_APAPA_NETWORK (hitcnt=3) 0xb50a5623
access-list OUTSIDE_cryptomap line 1 extended permit ip 192.168.100.0 255.255.255.252 10.251.44.0 255.255.255.0 (hitcnt=0) 0xfdc1b3c4
access-list OUTSIDE_cryptomap line 1 extended permit ip 192.168.100.0 255.255.255.252 10.251.45.0 255.255.255.0 (hitcnt=0) 0xe23249c8
access-list OUTSIDE_cryptomap line 1 extended permit ip 192.168.100.0 255.255.255.252 10.251.46.0 255.255.255.0 (hitcnt=0) 0x1e0dfffc
access-list OUTSIDE_cryptomap line 1 extended permit ip 192.168.100.0 255.255.255.252 10.251.47.0 255.255.255.0 (hitcnt=0) 0x4e8676cf
access-list OUTSIDE_cryptomap line 1 extended permit ip 192.168.100.0 255.255.255.252 10.251.48.0 255.255.255.0 (hitcnt=0) 0xbd8d6abd
access-list OUTSIDE_cryptomap line 1 extended permit ip 192.168.100.0 255.255.255.252 10.251.49.0 255.255.255.0 (hitcnt=0) 0xb361e7d4
access-list OUTSIDE_cryptomap line 1 extended permit ip 192.168.100.0 255.255.255.252 10.251.50.0 255.255.255.0 (hitcnt=0) 0xa4061b7b
access-list OUTSIDE_cryptomap line 1 extended permit ip 192.168.200.0 255.255.255.248 10.251.44.0 255.255.255.0 (hitcnt=0) 0xea33b872
access-list OUTSIDE_cryptomap line 1 extended permit ip 192.168.200.0 255.255.255.248 10.251.45.0 255.255.255.0 (hitcnt=0) 0xc7e8b504
access-list OUTSIDE_cryptomap line 1 extended permit ip 192.168.200.0 255.255.255.248 10.251.46.0 255.255.255.0 (hitcnt=0) 0xffbf71e6
access-list OUTSIDE_cryptomap line 1 extended permit ip 192.168.200.0 255.255.255.248 10.251.47.0 255.255.255.0 (hitcnt=0) 0x95338c3e
access-list OUTSIDE_cryptomap line 1 extended permit ip 192.168.200.0 255.255.255.248 10.251.48.0 255.255.255.0 (hitcnt=0) 0x73eca7c5
access-list OUTSIDE_cryptomap line 1 extended permit ip 192.168.200.0 255.255.255.248 10.251.49.0 255.255.255.0 (hitcnt=0) 0x1bdc78e8
access-list OUTSIDE_cryptomap line 1 extended permit ip 192.168.200.0 255.255.255.248 10.251.50.0 255.255.255.0 (hitcnt=0) 0x9d5e40a3
access-list OUTSIDE_cryptomap line 1 extended permit ip 192.168.200.128 255.255.255.128 10.251.44.0 255.255.255.0 (hitcnt=0) 0x6b57bb41
access-list OUTSIDE_cryptomap line 1 extended permit ip 192.168.200.128 255.255.255.128 10.251.45.0 255.255.255.0 (hitcnt=0) 0x2a48cff0
access-list OUTSIDE_cryptomap line 1 extended permit ip 192.168.200.128 255.255.255.128 10.251.46.0 255.255.255.0 (hitcnt=0) 0x346c1302
access-list OUTSIDE_cryptomap line 1 extended permit ip 192.168.200.128 255.255.255.128 10.251.47.0 255.255.255.0 (hitcnt=15) 0x62fabae7
access-list OUTSIDE_cryptomap line 1 extended permit ip 192.168.200.128 255.255.255.128 10.251.48.0 255.255.255.0 (hitcnt=0) 0x3da20527
access-list OUTSIDE_cryptomap line 1 extended permit ip 192.168.200.128 255.255.255.128 10.251.49.0 255.255.255.0 (hitcnt=0) 0x6594c1b1
access-list OUTSIDE_cryptomap line 1 extended permit ip 192.168.200.128 255.255.255.128 10.251.50.0 255.255.255.0 (hitcnt=0) 0x84c8e267
access-list OUTSIDE_cryptomap line 1 extended permit ip 192.168.200.16 255.255.255.240 10.251.44.0 255.255.255.0 (hitcnt=0) 0x1ffd5f19
access-list OUTSIDE_cryptomap line 1 extended permit ip 192.168.200.16 255.255.255.240 10.251.45.0 255.255.255.0 (hitcnt=0) 0xd79459ed
access-list OUTSIDE_cryptomap line 1 extended permit ip 192.168.200.16 255.255.255.240 10.251.46.0 255.255.255.0 (hitcnt=0) 0x5991a0a3
access-list OUTSIDE_cryptomap line 1 extended permit ip 192.168.200.16 255.255.255.240 10.251.47.0 255.255.255.0 (hitcnt=0) 0x392f79b2
access-list OUTSIDE_cryptomap line 1 extended permit ip 192.168.200.16 255.255.255.240 10.251.48.0 255.255.255.0 (hitcnt=0) 0xf4de6d67
access-list OUTSIDE_cryptomap line 1 extended permit ip 192.168.200.16 255.255.255.240 10.251.49.0 255.255.255.0 (hitcnt=0) 0x8befe92a
access-list OUTSIDE_cryptomap line 1 extended permit ip 192.168.200.16 255.255.255.240 10.251.50.0 255.255.255.0 (hitcnt=0) 0x25c35164
access-list OUTSIDE_cryptomap line 1 extended permit ip 192.168.200.32 255.255.255.224 10.251.44.0 255.255.255.0 (hitcnt=0) 0xc553a3ed
access-list OUTSIDE_cryptomap line 1 extended permit ip 192.168.200.32 255.255.255.224 10.251.45.0 255.255.255.0 (hitcnt=0) 0x2d015abb
access-list OUTSIDE_cryptomap line 1 extended permit ip 192.168.200.32 255.255.255.224 10.251.46.0 255.255.255.0 (hitcnt=0) 0x6de59669
access-list OUTSIDE_cryptomap line 1 extended permit ip 192.168.200.32 255.255.255.224 10.251.47.0 255.255.255.0 (hitcnt=0) 0xd4fa270a
access-list OUTSIDE_cryptomap line 1 extended permit ip 192.168.200.32 255.255.255.224 10.251.48.0 255.255.255.0 (hitcnt=0) 0x244acbba
access-list OUTSIDE_cryptomap line 1 extended permit ip 192.168.200.32 255.255.255.224 10.251.49.0 255.255.255.0 (hitcnt=0) 0xf64c5a30
access-list OUTSIDE_cryptomap line 1 extended permit ip 192.168.200.32 255.255.255.224 10.251.50.0 255.255.255.0 (hitcnt=0) 0x164acdcd
access-list INSIDE_access_in; 7 elements; name hash: 0xb71cec1d
access-list INSIDE_access_in line 1 extended permit tcp any any eq domain (hitcnt=10410) 0x6463e52f
access-list INSIDE_access_in line 2 extended permit icmp any any (hitcnt=1411) 0xbe2c8578
access-list INSIDE_access_in line 3 extended permit tcp any any eq www (hitcnt=179) 0xae7df53e
access-list INSIDE_access_in line 4 extended permit tcp any any eq https (hitcnt=3798) 0x44c047ca
access-list INSIDE_access_in line 5 extended permit tcp any any eq 587 (hitcnt=0) 0xefa402f4
access-list INSIDE_access_in line 6 extended permit udp any any eq isakmp (hitcnt=0) 0x02b7c7d8
access-list INSIDE_access_in line 7 extended permit tcp any any eq pop3 (hitcnt=0) 0x611278d2
access-list OUTSIDE_access_in; 2 elements; name hash: 0x766b1b32
access-list OUTSIDE_access_in line 1 extended permit icmp any any (hitcnt=108) 0x112340aa
access-list OUTSIDE_access_in line 2 extended permit ip any any (hitcnt=951) 0x482d024c
access-list INSIDE; 1 elements; name hash: 0xdedb237a
access-list INSIDE line 1 extended permit ip any any (hitcnt=0) 0x2a29f5f2

SWITCH CONFIG

Current configuration : 5924 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname GAC-PHC-SW1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$11Wa$KoksYYu938zhv.kMZjYDd0
enable password N33d2kN0w#
!
username mamoussou privilege 15 password 0 mamoussou@123!
!
!
aaa new-model
!
!
aaa authentication login default local
!
!
!
aaa session-id common
system mtu routing 1500
ip routing
ip dhcp excluded-address 192.168.200.129 192.168.200.139
ip dhcp excluded-address 192.168.200.33 192.168.200.39
ip dhcp excluded-address 192.168.200.17 192.168.200.21
!
ip dhcp pool GAC-DATA
network 192.168.200.128 255.255.255.128
domain-name gaclos.local
default-router 192.168.200.129
dns-server 41.75.80.84 8.8.8.8
!
ip dhcp pool GAC-VOICE
network 192.168.200.32 255.255.255.224
domain-name gaclos.local
default-router 192.168.200.33
dns-server 41.75.80.84 8.8.8.8
!
ip dhcp pool GAC-PSEC
network 192.168.200.16 255.255.255.240
domain-name gaclos.local
default-router 192.168.200.17
dns-server 41.75.80.84 8.8.8.8
!
!
!
!
crypto pki trustpoint TP-self-signed-4096251392
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4096251392
revocation-check none
rsakeypair TP-self-signed-4096251392
!
!
crypto pki certificate chain TP-self-signed-4096251392
certificate self-signed 01
30820244 308201AD A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34303936 32353133 3932301E 170D3933 30333031 30303038
33375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 30393632
35313339 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100A341 6B8C9394 C15A791F 54EC3D3B 05D1D8C7 059A1B20 EB17B504 86C9CD17
F2FDF78A 1279FDC0 8AE1FB27 36510CA3 465551EF 8ECFD28D 34F49412 F36C3332
55A2BBC0 9C378252 E9299A13 BD18A36F D56A0B9A 352C5089 0C20F883 E4B336D4
DCB5DD81 92F3B778 7FF5F3FB 8FA2A7E1 170F21B7 A9DEBA0B C72C3ED8 ABF605D9
4ED70203 010001A3 6C306A30 0F060355 1D130101 FF040530 030101FF 30170603
551D1104 10300E82 0C474143 2D504843 2D535731 2E301F06 03551D23 04183016
801434D0 32AF4F32 12CF6995 29122035 641FB29D 6C68301D 0603551D 0E041604
1434D032 AF4F3212 CF699529 12203564 1FB29D6C 68300D06 092A8648 86F70D01
01040500 03818100 500A61EC 4FCFEC83 1B99290C AD16F329 F9FEAAFB 8D9A4684
DBF9D2EE 0B463934 D86568EB F67E4073 834D04F0 CC83F211 BADDCD2C DB82BAC9
2984DDDD 45B0231D 553EF7A8 E79841D6 DC209DA8 4540A34F 75B993F0 AEB8ABB7
2EDEF3D4 D70ECA44 E2D1549C 5F505F1D 1DED7725 FB8F3A43 E79D0D84 A39DE80E
283F75D2 B6B051B8
quit
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0/1
switchport access vlan 20
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/2
switchport access vlan 20
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/3
switchport access vlan 20
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/4
switchport access vlan 20
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/5
switchport access vlan 20
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/6
switchport access vlan 20
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/7
switchport access vlan 20
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/8
switchport access vlan 20
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/9
switchport access vlan 20
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/10
switchport access vlan 20
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/11
switchport access vlan 20
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/12
switchport access vlan 40
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/1
description ***TO FW**
no switchport
ip address 192.168.100.2 255.255.255.252
!
interface GigabitEthernet0/2
switchport access vlan 20
switchport mode access
!
interface Vlan1
no ip address
no ip mroute-cache
shutdown
!
interface Vlan10
description GAC-CUCME
ip address 192.168.200.1 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
!
interface Vlan20
description GAC-DATA
ip address 192.168.200.129 255.255.255.128
!
interface Vlan30
description GAC-VOICE
ip address 192.168.200.33 255.255.255.224
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface Vlan40
description GAC-PSEC
ip address 192.168.200.17 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
!
ip default-gateway 192.168.100.2
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.100.1
ip http server
ip http secure-server
!
ip sla enable reaction-alerts
!
line con 0
line vty 0 4
transport input ssh
transport output ssh
line vty 5 15
transport input ssh
transport output ssh

PING

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
#ping 8.8.8.8

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
#ping 192.168.200.129

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.200.129, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
#ping 192.168.200.33

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.200.33, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
#ping 192.168.200.17

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.200.17, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

FROM SWITCH CONNECTED CLIENT

Tracing route to 8.8.8.8 over a maximum of 30 hops

1 2 ms 2 ms 3 ms 192.168.200.129
2 2 ms 2 ms 2 ms 154.113.70.205
3 19 ms 20 ms 19 ms 41.75.80.9
4 18 ms 17 ms 18 ms 41.75.80.9
5 16 ms 16 ms 16 ms 72.14.217.212
6 17 ms 17 ms 17 ms 192.178.106.187
7 18 ms 19 ms 18 ms 172.253.76.173
8 20 ms 20 ms 20 ms 8.8.8.8

Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=20ms TTL=119
Reply from 8.8.8.8: bytes=32 time=20ms TTL=119
Reply from 8.8.8.8: bytes=32 time=20ms TTL=119
Reply from 8.8.8.8: bytes=32 time=20ms TTL=119

C:\Users\martial.amoussou>ping google.com
Ping request could not find host google.com. Please check the name and try again.

Re: Tracert and Ping to 8.8.8.8 works but cant access the Internet

Flavio Miranda — Wed, 09 Oct 2024 15:06:38 GMT

@mamoussou

Your problema seems to be related to DNS. Which DNS are you using on the PC? It is local DNS or are you using the google DNS?

Re: Tracert and Ping to 8.8.8.8 works but cant access the Internet

MHM Cisco World — Wed, 09 Oct 2024 16:00:20 GMT

You apply ACL on interface IN' add to this ACL line to permit DNS any any

MHM

Re: Tracert and Ping to 8.8.8.8 works but cant access the Internet

mamoussou — Wed, 09 Oct 2024 17:18:05 GMT

I am using ISP supplied DNS and google DNS

Re: Tracert and Ping to 8.8.8.8 works but cant access the Internet

mamoussou — Wed, 09 Oct 2024 17:19:35 GMT

ok. will try that. but why cant I ping other inside subnets?

Re: Tracert and Ping to 8.8.8.8 works but cant access the Internet

MHM Cisco World — Wed, 09 Oct 2024 17:22:07 GMT

In SW

Show ip interface breif

Check if VLAN SVI is up or not

MHM

Re: Tracert and Ping to 8.8.8.8 works but cant access the Internet

balaji.bandi — Wed, 09 Oct 2024 17:27:29 GMT

Is this issue with switch and clients.

Switch side make sure you configure DNS correctly and if you looking layer 3, then remove default-router config, make sure ip routing enabled on the switch.

From client you not able to ping domain.com, seems to be resolution issue.

from client can you post ipconfig /all

nslookup google.com or cisco.com output.

Re: Tracert and Ping to 8.8.8.8 works but cant access the Internet

Flavio Miranda — Wed, 09 Oct 2024 17:51:56 GMT

But if you run "nslookup www.google.com" on your machine, what do you get?

Re: Tracert and Ping to 8.8.8.8 works but cant access the Internet

mamoussou — Wed, 09 Oct 2024 20:49:26 GMT

Yes they are up.

Re: Tracert and Ping to 8.8.8.8 works but cant access the Internet

mamoussou — Wed, 09 Oct 2024 20:51:24 GMT

ipconfig /all shows dhcp IP, gateway and dns from swich. Able to ping up to ping and trace to 8.8.8.8 over 8 hops. however nslookup does not resolve.

Re: Tracert and Ping to 8.8.8.8 works but cant access the Internet

balaji.bandi — Wed, 09 Oct 2024 21:27:37 GMT

if you like further assitance like to see the output : (if no nslookup done, then you use correct DNS resolver to get ping FQDN, some ISP do not allowed google DNS, so use ISP DNS configured on client side and test it)

from client can you post ipconfig /all

nslookup google.com or cisco.com output.

Note : ping is to test reachability, does not resolve the issue of yours, you have IP connectiviyt for the Ping, do not have DNS lookup that where you need to focus.

Re: Tracert and Ping to 8.8.8.8 works but cant access the Internet

MHM Cisco World — Thu, 10 Oct 2024 04:29:11 GMT

Two issues here

1- The VLAN SVI in SW' so check if ip routing comamnd is use or not in SW

2- DNS issue' as I mention before your need add ACL in ASA allow traffic of dns between IN and OUT interface

MHM