topic This sounds like a DNS issue in Network Security

Workstation behind asa cant browse the internet

radarbackwards — Tue, 12 Mar 2019 06:16:35 GMT

Hi, i'm newbie to cisco asa, but i have an experience in administering different firewall before (freebsd, watchguard)..I thought this setup would be a piece of cake in ASA but im stuck on this one for 2 days already

so here is my topology, Internal network is 10.0.0.0/24, external is 192.168.254.0/24

Firewall IP is: 10.0.0.1 (internal) 192.168.254.171 (external)

Workstation behind the firewall (10.0.0.2) is able to ping the IP 8.8.8.8 but cannot browse the internet

I already configured the NAT/PAT, Access Rules (i configured any-to-any since i cant get it work just by simply allowing port 80/443)

here is my config

hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
nameif INSIDE
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet1
nameif OUTSIDE
security-level 0
ip address 192.168.254.171 255.255.255.0
!
interface GigabitEthernet2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list global_access extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu INSIDE 1500
mtu OUTSIDE 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
nat (INSIDE,OUTSIDE) after-auto source dynamic any interface
access-group global_access global
route OUTSIDE 0.0.0.0 0.0.0.0 192.168.254.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.0.0.0 255.255.255.0 INSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
!
prompt hostname context
call-home reporting anonymous prompt 1
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:2fd0136763ed374daee31263c9544c1b

Attached is the logs that im getting

Thanks in Advance

up!

radarbackwards — Fri, 17 Jul 2015 02:56:41 GMT

up!

Hi,Could you provide the

prateek.verma — Fri, 17 Jul 2015 06:02:20 GMT

Hi,

Could you provide the output of following packet-tracer:

packet-tracer input inside tcp 10.0.0.2 1025 4.2.2.2 80 de

Regards,

Prateek Verma

Hi, as I can see from log PAT

Igor Mordiuk — Fri, 17 Jul 2015 07:57:17 GMT

Hi,

as I can see from log PAT is ok. Please, provide the following information:

- as prateek.verma asked: packet-tracer result

- sh run policy-map global_policy

- during connection show conn address 10.0.0.2 detail

ciscoasa(config)# sh run

radarbackwards — Fri, 17 Jul 2015 09:37:47 GMT

ciscoasa(config)# sh run policy-map global_policy
ERROR: % policy-map global_policy does not exist

ciscoasa(config)# show conn address 10.0.0.2 detail

UDP OUTSIDE:8.8.8.8/53 INSIDE:10.0.0.2/55533,
flags -, idle 18s, uptime 25s, timeout 2m0s, bytes 105
UDP OUTSIDE:4.2.2.2/53 INSIDE:10.0.0.2/55533,
flags -, idle 18s, uptime 26s, timeout 2m0s, bytes 140
TCP OUTSIDE:74.125.130.106/80 INSIDE:10.0.0.2/49250,
flags UIO, idle 26s, uptime 1m25s, timeout 1h0m, bytes 2983

ciscoasa(config)# packet-tracer input inside tcp 10.0.0.2 1025 4.2.2.2 80 de

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xbbd64340, priority=1, domain=permit, deny=false
hits=40150, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=INSIDE, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 OUTSIDE

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group global_access global
access-list global_access extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xbc89f900, priority=12, domain=permit, deny=false
hits=35, user_data=0xb9466ac0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xbc29c430, priority=0, domain=inspect-ip-options, deny=true
hits=293, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=INSIDE, output_ifc=any

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) after-auto source dynamic any interface
Additional Information:
Dynamic translate 10.0.0.2/1025 to 192.168.254.171/37074
Forward Flow based lookup yields rule:
in id=0xbc8ab278, priority=6, domain=nat, deny=false
hits=16, user_data=0xbc2cb600, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=INSIDE, output_ifc=OUTSIDE

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xbc2c38a8, priority=0, domain=inspect-ip-options, deny=true
hits=52, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=OUTSIDE, output_ifc=any

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 299, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow

packet-tracer shows that your

Igor Mordiuk — Fri, 17 Jul 2015 09:48:10 GMT

packet-tracer shows that your requests can successfully pass firewall. Maybe on server 4.2.2.2 port 80 is not listening.

Can you initiate connect one more time and on ASA immediately run show conn address 10.0.0.2 detail (witch will show you the current state of connections through ASA)

UDP OUTSIDE:8.8.8.8/53 INSIDE

radarbackwards — Fri, 17 Jul 2015 20:35:05 GMT

UDP OUTSIDE:8.8.8.8/53 INSIDE:10.0.0.2/60564,
flags -, idle 8s, uptime 16s, timeout 2m0s, bytes 136
TCP OUTSIDE:120.28.26.242/80 INSIDE:10.0.0.2/49304,
flags saA, idle 1s, uptime 4s, timeout 30s, bytes 0
UDP OUTSIDE:4.2.2.2/53 INSIDE:10.0.0.2/60564,
flags -, idle 8s, uptime 15s, timeout 2m0s, bytes 102
TCP OUTSIDE:120.28.26.232/80 INSIDE:10.0.0.2/49303,
flags saA, idle 16s, uptime 25s, timeout 30s, bytes 0
TCP OUTSIDE:120.28.26.232/80 INSIDE:10.0.0.2/49302,
flags saA, idle 27s, uptime 27s, timeout 30s, bytes 0

hi, I tried setting up a

radarbackwards — Sat, 18 Jul 2015 01:33:53 GMT

hi, I tried setting up a local webserver and interconnecting it outside through another router, i managed to access the web server, im sorry i forgot to tell that its only a gns3 lab + virtualbox

This sounds like a DNS issue

Marius Gunnerud — Sat, 18 Jul 2015 07:09:22 GMT

This sounds like a DNS issue (considering you are able to ping to the internet but not browse). What are you using as your DHCP server and is it issuing the clients with a DNS server IP? If you configure a static DNS server on your client machine (for example 4.2.2.2 or 8.8.8.8) are you now able to browse the internet?

Please remember to select a correct answer and rate helpful posts

no, im not using an internal

radarbackwards — Sat, 18 Jul 2015 14:24:31 GMT

no, im not using an internal dns, my machine in vmware is using external dns 8.8.8.8 and 4.2.2.2 from the beginning

This could very well be a

Marius Gunnerud — Sun, 19 Jul 2015 12:44:28 GMT

This could very well be a GNS3 issue. Have you tried saving all your config and restarting GNS3 and all the devices?

Please remember to select a correct answer and rate helpful posts

TCP handshake doesn't pass

Igor Mordiuk — Mon, 20 Jul 2015 07:01:08 GMT

TCP handshake doesn't pass.
What we can see from your output:

TCP OUTSIDE:120.28.26.232/80 INSIDE:10.0.0.2/49303,
    flags saA, idle 16s, uptime 25s, timeout 30s, bytes 0

Flags:

a - awaiting outside ACK to SYN,

s - awaiting outside SYN,

A - awaiting inside ACK to SYN

So, host 10.0.0.2 (inside side) sent TCP SYN, and ASA saw this request (as proof, it creates this note in Connections Table)

But flag 'a' means that 120.28.26.232 doesn't reply on your TCP SYN with ACK and it doesn't send his own TCP SYN to 10.0.0.2.

Maybe 120.28.26.232 doesn't receive your request at all or tcp port 80 is closed on it.
But at least, we know that problem is not with ASA.

Cheers!