topic Hi,Thanks for your answer in Network Security

ASA 5520 ping to internet work fine but access by http denied.

r.randriamanana — Tue, 12 Mar 2019 06:13:49 GMT

Hi all,

I tried to ping to a host in the internet it work fine but http doesn't work, please help me expert. see the config below.

show run
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet1
nameif outside
security-level 0
ip address 192.168.1.60 255.255.255.0
!
interface GigabitEthernet2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
object network LAN
subnet 172.16.1.0 255.255.255.0
object-group service internet tcp
port-object eq www
port-object eq https
port-object eq smtp
port-object eq pop3
port-object eq 465
port-object eq 995
port-object eq ftp
port-object eq ftp-data
port-object eq domain
port-object eq ssh
port-object eq telnet
access-list allowping extended permit icmp any any echo
access-list allowping extended permit icmp any any echo-reply
access-list allowping extended permit icmp any any source-quench
access-list allowping extended permit icmp any any unreachable
access-list allowping extended permit icmp any any time-exceeded
access-list access-internet extended permit tcp 172.16.0.0 255.255.0.0 any object-group internet
access-list access-internet extended permit icmp 172.16.0.0 255.255.0.0 any
access-list internet-inside extended permit ip 172.16.1.0 255.255.255.0 any
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network LAN
nat (inside,outside) dynamic interface
access-group internet-inside in interface inside
access-group allowping in interface outside
access-group access-internet out interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect http
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:0323f4941453d6e5e4e778a40ec6eaf4
: end
ciscoasa#

hi,do you have DNS configured

johnlloyd_13 — Tue, 07 Jul 2015 06:29:06 GMT

hi,

do you have DNS configured (or getting via DHCP) on inside client?

could you please post your PC's ipconfig /all output?

also, do you have a router (or modem) in front of the ASA? please provide a brief network diagram.

Hi,Thanks for your answer

r.randriamanana — Tue, 07 Jul 2015 07:07:57 GMT

Hi,

Thanks for your answer.

Please find the screen sh.

Regards.

hi,could you verify if the

johnlloyd_13 — Tue, 07 Jul 2015 07:36:18 GMT

hi,

could you verify if the modem doing NAT/PAT?

if yes, then you'll need to do an identity NAT on the ASA.

object network LAN
no nat (inside,outside) dynamic interface

object network IDENTITY-NAT-INSIDE
subnet 172.16.1.0 255.255.255.0
nat (inside,outside) static LAN

also, you don't need these lines since there's an HTTP inspection (http inspect) configured on the ASA.

no access-list access-internet extended permit icmp 172.16.0.0 255.255.0.0 any

no access-list internet-inside extended permit ip 172.16.1.0 255.255.255.0 any

no access-group access-internet out interface outside
no access-group internet-inside in interface inside

hi,after changing to an

r.randriamanana — Tue, 07 Jul 2015 08:07:04 GMT

hi,

after changing to an identity NAT the lan host cannot ping 192.168.1.1 (adsl modem) and the external host in the internet otherwise we can ping an external host from the ASA.

The modem is doing NAT, I tried to replace the asa with c1841 all user can connect to the internet.

Regards.

Hi,Could you try to do telnet

prateek.verma — Tue, 07 Jul 2015 10:13:03 GMT

Hi,

Could you provide me with the source and destination ip's as I could see you have put access group for both incoming and outgoing traffic on outside interface so that may be causing problem.

Regards,

Prateek Verma

Hi Prateek,Please find the

r.randriamanana — Tue, 07 Jul 2015 12:23:13 GMT

Hi Prateek,

Please find the attached file, I changed the config like below, just removed the ACL.

show run
: Saved
:
ASA Version 8.4(2)
!
hostname FW
domain-name bbm
enable password BGogFIdB6jmwTyg7 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet1
nameif outside
security-level 0
ip address 192.168.1.61 255.255.255.0
!
interface GigabitEthernet2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns server-group DefaultDNS
domain-name bbm
object network LAN
subnet 172.16.1.0 255.255.255.0
object network ID-NAT-INSIDE
subnet 172.16.1.0 255.255.255.0
access-list allowping extended permit icmp any any echo
access-list allowping extended permit icmp any any echo-reply
access-list allowping extended permit icmp any any source-quench
access-list allowping extended permit icmp any any unreachable
access-list allowping extended permit icmp any any time-exceeded
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649.bin
no asdm history enable
arp timeout 14400
!
object network ID-NAT-INSIDE
nat (inside,outside) dynamic interface
access-group allowping in interface outside
access-group allowping out interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 172.16.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet 172.16.1.0 255.255.255.0 inside
telnet timeout 5
ssh 172.16.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username root password N7HlIItY8AVJppkQ encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:8c9a994d2cb8c0a4e651c758551d2a1c
: end
FW(config)#

Hi, Try adding these two

prateek.verma — Wed, 08 Jul 2015 05:39:00 GMT

Hi,

Try adding these two commands and then check whether it works or not:

access-list allowping extended permit tcp 172.16.1.0 255.255.255.0 any
access-list allowping extended permit tcp any 172.16.1.0 255.255.255.0

Regards,

Prateek Verma