Firewall preventing Internet Access

seclucscon — Tue, 12 Mar 2019 01:23:25 GMT

Hi, I am having one 2800 router where the ISP link is, Another port is for ASA 5520. There are two 4503 core switches connected with firewall. When i am connect the ISP, i can ping upto ISP Gateway, but not DNS(8.8.8.8) or any public IP. as a result, from access switches i cant get internet connectivity.

When i disconnected Firewall connection from router, i got ping of DNS & Other public IP. so , i think the problem is in Firewall. there is no denial of anything in firewall, but still it is preventing dns.

Please help me in this regard, as it is an urgent issue before migration.

Here is some snapshot:

access-list external-in extended permit ip any any

access-list external-in extended permit tcp any any

access-list external-in extended permit udp any any

access-list external-in extended permit icmp any any echo

access-list external-in extended permit icmp any any echo-reply

access-list external-in extended permit icmp any any time-exceeded

access-list external-in extended permit icmp any any unreachable

access-list external-in extended permit tcp any any eq telnet

access-list external-in extended permit icmp any any

access-list internal-out extended permit ip any any

access-list internal-out extended permit tcp any any

access-list internal-out extended permit udp any any

access-list internal-out extended permit icmp any any echo

access-list internal-out extended permit icmp any any echo-reply

access-list internal-out extended permit icmp any any time-exceeded

access-list internal-out extended permit icmp any any unreachable

access-list internal-out extended permit tcp any any eq telnet

access-list internal-out extended permit icmp any any

access-list global_access extended permit ip any any

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside_1 1500

mtu inside_2 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

access-group internal-out in interface outside

access-group internal-out out interface outside

access-group external-in in interface inside_1

access-group external-in out interface inside_1

access-group external-in in interface inside_2

access-group external-in out interface inside_2

access-group global_access global

route outside 0.0.0.0 0.0.0.0 172.16.251.1 1

route inside_1 172.16.0.0 255.255.0.0 172.16.251.6 1

route inside_2 172.16.0.0 255.255.0.0 172.16.251.10 2

route inside_1 192.168.0.0 255.255.224.0 172.16.251.6 1

route inside_2 192.168.0.0 255.255.224.0 172.16.251.10 2

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

http 172.16.251.2 255.255.255.255 outside

http 0.0.0.0 0.0.0.0 inside_1

http 172.16.251.5 255.255.255.255 inside_1

http 0.0.0.0 0.0.0.0 inside_2

http 172.16.251.9 255.255.255.255 inside_2

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet 172.16.251.0 255.255.255.252 outside

telnet 172.16.251.4 255.255.255.252 inside_1

telnet 0.0.0.0 0.0.0.0 inside_1

telnet 172.16.251.5 255.255.255.255 inside_1

telnet 172.16.251.8 255.255.255.252 inside_2

telnet 0.0.0.0 0.0.0.0 inside_2

telnet timeout 5

ssh 172.16.251.5 255.255.255.255 inside_1

ssh 172.16.251.9 255.255.255.255 inside_2

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 30

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

Please help me as soon as possible....................

Firewall preventing Internet Access

Jouni Forss — Thu, 04 Apr 2013 11:41:45 GMT

Hi.

The information you have given isnt enough to say anything specific about this situation.

It would seem to me that you are using the Internet Router to do the NAT for all users on the LAN.

What you should atleast confirm is that the Internet Router then has routes for the networks behind the ASA pointing towards the "outside" IP address of the ASA. Also you would have to make sure the router has NAT configurations for those networks.

I would also suggest not using the ACLs in both directions on the interfaces. Attaching them in the direction "in" is usually enough.

- Jouni

topic Firewall preventing Internet Access in Network Security

Firewall preventing Internet Access

Firewall preventing Internet Access