topic I can ping, but not browse the internet.. ASA 5505 in Network Security

I can ping, but not browse the internet.. ASA 5505

Shane Riley — Tue, 12 Mar 2019 02:58:48 GMT

Hey Folks

I am trying to setup a DMZ on a 5505 (Security plus license)

Interface DMZ

Security level 50

Vlan 43

I am using the DMZ with public ip x.x.x.x 255.255.255.224

And there is a server configured with a static ip (Public address) x.x.x.x subnet:255.255.255.224 gw: the DMZ interface..

Everything seems to work fine i can ping the gw from the server, i can ping 8.8.8.8 www.google.se etc..

Ping and Dns resolutions seems to work fine.

But that is the only thing working. I can't browse the internet any ideas?

sh run | in DMZ

nameif DMZ

access-list DMZ_nat0_outbound extended permit ip x.x.x.x 255.255.255.224 any

access-list DMZ_nat0_outbound_1 extended permit ip x.x.x.x 255.255.255.224 any

access-list DMZ_access_in extended permit ip any any

access-list DMZ_nat0_outbound_2 extended permit ip x.x.x.x 255.255.255.224 any

access-list DMZ_access_in_1 extended permit ip 1 x.x.x.x 255.255.255.224 any log debugging

mtu DMZ 1500

nat (DMZ) 0 access-list DMZ_nat0_outbound_2

access-group DMZ_access_in_1 in interface DMZ

sh nat

NAT policies on Interface DMZ:

match ip DMZ x.x.x.x 255.255.255.224 outside any

NAT exempt

translate_hits = 13562, untranslate_hits = 0

match ip DMZ x.x.x.x 255.255.255.224 DMZ any

NAT exempt

translate_hits = 0, untranslate_hits = 1

What is the issue? Any ideas?

Appreciate your help

/Shane

I can ping, but not browse the internet.. ASA 5505

jumora — Thu, 31 Oct 2013 18:09:06 GMT

Ok, what is the gateway of the ASA and does that gateway know how to route the DMZ network that you have configured.

If the gateway of the ASA (ISP) knows how to route for this network then we need to confirm if they can ARP or see packets coming from the server.

Put this IP on your browser:

98.139.183.24

Let me know if you can reach it, is so it could be related to DNS, try to change DNS server setting from the TCP/IP setting on the NIC of the server to 4.2.2.2.

Another way to test this out is opening up an ACL to permit ICMP to the IP address of the server on the outside or interface that is facing the ASA gateway.

After this, it would be checking ASA logs and captures.

logging on

logging buffered 7

logging buffer-size 1048576

show log | in server_ip

access-list capture permit IP host server_ip any

access-list capture permit IP any host server_ip

capture in interface dmz access-list capture

capture out interface outside access-list capture

show cap out

show cap in

You can downlaod the captures through http if you have defined ASDM access:

https://ASA_interface_ip/capture/in/pcap

https://ASA_interface_ip/capture/out/pcap

I can ping, but not browse the internet.. ASA 5505

Marius Gunnerud — Thu, 31 Oct 2013 18:49:06 GMT

I agree with jumora as this does sound like a DNS issue. Though I would do a packet tracer before doing any of the other suggestions he made as it will save you a lot of time.

packet-tracer input DMZ tcp 12345 8.8.8.8 80 detail

If the packet tracer completes successfully the traffic is allowed though the firewall and the issue most likely lies elsewhere.

I can ping, but not browse the internet.. ASA 5505

jumora — Thu, 31 Oct 2013 18:52:35 GMT

Yeah he is right, it would even give us the rpf check well everything we need at the ASA level.

Thanks Marius!!!

I can ping, but not browse the internet.. ASA 5505

Shane Riley — Fri, 01 Nov 2013 08:47:22 GMT

The packet is allowed..

Packet-tracer input DMZ tcp 188.122.147.113 12345 8.8.8.8 80 detail

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 0.0.0.0 0.0.0.0 outside

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group DMZ_access_in_1 in interface DMZ

access-list DMZ_access_in_1 extended permit ip x.x.x.x 255.255.255.224 any log debugging

Additional Information:

Forward Flow based lookup yields rule:

in id=0xccf518f8, priority=12, domain=permit, deny=false

hits=40614, user_data=0xc78e4090, cs_id=0x0, flags=0x0, protocol=0

src ip=x.x.x.x, mask=255.255.255.224, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xccdecd48, priority=0, domain=permit-ip-option, deny=true

hits=46609, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5

Type: NAT-EXEMPT

Subtype:

Result: ALLOW

Config:

match ip DMZ x.x.x.x 255.255.255.224 outside any

NAT exempt

translate_hits = 46685, untranslate_hits = 0

Additional Information:

Forward Flow based lookup yields rule:

in id=0xc9773d98, priority=6, domain=nat-exempt, deny=false

hits=46592, user_data=0xccddd970, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

src ip=x.x.x.x, mask=255.255.255.224, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xccda3f80, priority=0, domain=host-limit, deny=false

hits=46593, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in id=0xc96b6558, priority=0, domain=permit-ip-option, deny=true

hits=1524730, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 1608324, packet dispatched to next module

Module information for forward flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_tcp_normalizer

snp_fp_translate

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Module information for reverse flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_translate

snp_fp_tcp_normalizer

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Result:

input-interface: DMZ

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

I can ping, but not browse the internet.. ASA 5505

Shane Riley — Fri, 01 Nov 2013 12:09:30 GMT

Here is the capture from the host server ip (Out) to http://192.241.216.107..

A bunch of RST packets

Broken TCP, The acknowledge field is nonzero while the ACk flas is not set etc..

And here is ping from the same server:

sh route

Gateway of last resort is x.x.x.1 to network 0.0.0.0

C 172.17.100.0 255.255.255.0 is directly connected, inside

C x.x.x.0 255.255.255.128 is directly connected, outside

C x.x.x.128 255.255.255.224 is directly connected, DMZ

S* 0.0.0.0 0.0.0.0 [1/0] via x.x.x.x.1, outside

/shane

I can ping, but not browse the internet.. ASA 5505

jumora — Sun, 03 Nov 2013 02:31:52 GMT

Can you please answer the questions that I also posted on the request to run the wireshark on the server that was on the dmz?

Does the gateway of the ASA (ISP) knows how to route for this network that is behind the DMZ?

Can you do a track down of the MAC address that shows on the reply with RST.

I have never seen this newlexengine but did read on it:

http://www.corrupteddatarecovery.com/Port/2075tcp-Port-Type-newlixengine-newlixengine.asp

I can ping, but not browse the internet.. ASA 5505

Shane Riley — Sun, 03 Nov 2013 02:47:19 GMT

Well i got it to work finally, just needed a static Nat entry, and everything went fine

But i learned alot from this, thank u all for your help!

Cheers

Shane

I can ping, but not browse the internet.. ASA 5505

jumora — Sun, 03 Nov 2013 02:50:06 GMT

Ok, great to know, please rate the assistance or the knowledge that you experienced from our assistance.

I can ping, but not browse the internet.. ASA 5505

jumora — Mon, 04 Nov 2013 19:24:39 GMT

Reason why you might have needed to add a static NAT:

•1. You had to run a static NAT mapping with an IP that was routable for your ISP.

•2. The layer 3 device that connects to the ASA had an interface within the same IP scheme thus needed to be able to see an ARP entry and NAT exemption does not ARP.

•3. Identity NAT, mapping the IP address of the server on the DMZ to itself will produce ARP entry.

The ASA is able to ARP for static NAT entries with the sysopt noproxyarp

When a host sends IP traffic to another device on the same Ethernet network, the host needs to know the MAC address of the device. ARP is a Layer 2 protocol that resolves an IP address to a MAC address. A host sends an ARP request asking "Who is this IP address?" The device owning the IP address replies, "I own that IP address; here is my MAC address."

Proxy ARP is when a device responds to an ARP request with its own MAC address, even though the device does not own the IP address. The adaptive security appliance uses proxy ARP when you configure NAT and specify a global address that is on the same network as the adaptive security appliance interface. The only way traffic can reach the hosts is if the adaptive security appliance uses proxy ARP to claim that the adaptive security appliance MAC address is assigned to destination global addresses.

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1517975

Please rate our answers.