topic Re: asa firewall issue in Network Security

asa firewall issue

manivelengg — Mon, 11 Mar 2019 16:59:39 GMT

hi,

Im using ASA firewall behind cisco series 3640 router.

Complete setup:

Internet---- cisco router------firewall---coreswitch-----lan users.

whenever the lanusers trying to browse the internet,they can not able to do it but all the logs are showing in asa(inside and outside) but they cant do it.What may be the problem.

Re: asa firewall issue

Jon Marshall — Thu, 21 Jan 2010 12:36:54 GMT

manivelengg@gmail.com

hi,

Im using ASA firewall behind cisco series 3640 router.

Complete setup:

Internet---- cisco router------firewall---coreswitch-----lan users.

whenever the lanusers trying to browse the internet,they can not able to do it but all the logs are showing in asa(inside and outside) but they cant do it.What may be the problem.

Could be any number of things.

First thing to check is are your clients using private addressing and if so are you Natting their private addresses to a public IP.

If the outside interface of the ASA has a public IP then the usual method to do this is -

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

Also check you have a default-route on the ASA ie.

route (outside) 0.0.0.0 0.0.0.0 <3640 IP address of interface facing ASA>

Jon

Re: asa firewall issue

manivelengg — Fri, 22 Jan 2010 05:19:09 GMT

i checked the asa inside and outside nat and default route.all are correct.I have attached the firewall config(asa).

Re: asa firewall issue

August Ritchie — Fri, 22 Jan 2010 06:08:44 GMT

What is network that is not able to get out to the internet?

Can you ping one of the hosts on that network from the ASA? If not, you may need a route back from the ASA.

And vice-versa, can you ping from a host to the ASA's interface?

Can you ping your ASAs default gateway from the host? (100.100.100.1)

Re: asa firewall issue

manivelengg — Fri, 22 Jan 2010 08:03:34 GMT

we cant able to reach the internet from all the networks.Below lan networks are

(192.168.100.0,192.168.103.0,192.168.104.0)

all the networks are pinging from asa(firewall) as well as we are pinging from lan networks to asa which has not issue

At the same time we are pinging from host to default gateway(100.100.100.1)

but the internet websites are not pinging from hosts.

Re: asa firewall issue

Jon Marshall — Fri, 22 Jan 2010 10:20:19 GMT

manivelengg@gmail.com

we cant able to reach the internet from all the networks.Below lan networks are

(192.168.100.0,192.168.103.0,192.168.104.0)

all the networks are pinging from asa(firewall) as well as we are pinging from lan networks to asa which has not issue

At the same time we are pinging from host to default gateway(100.100.100.1)

but the internet websites are not pinging from hosts.

In your ASA config you haven't actually applied any of the access-list to any of the interfaces. To get ping working add this to your config -

access-group outside_access_in in interface outside

Jon

Re: asa firewall issue

August Ritchie — Fri, 22 Jan 2010 13:28:03 GMT

Well the fact that you can ping the host (100.100.100.1) from the hosts means that traffic is going out of the ASA and returning correctly.

This generally means it's not an ASA problem. If you can ping the ASAs default gateway then we know that you must be natting out and that traffic knows how to get back to you from 100.100.100.1.

The question now is can you ping from your ASA to 4.2.2.2?

Re: asa firewall issue

manivelengg — Fri, 22 Jan 2010 15:17:15 GMT

im extremely sorry for the troule bacause the lan users not able to ping 100.100.100.1.

They are pinging inside interface of the asa firewall inside.

plz suggest me.

Re: asa firewall issue

August Ritchie — Fri, 22 Jan 2010 15:32:18 GMT

Try this. Do this capture and post the results back. The ip provided is a test site called gizmodo.com

access-list capture permit ip any host 69.60.7.199

access-list capture permit ip host 69.60.7.199 any

capture capin access-list capture interface inside

capture capout access-list capture interface outside

Then initiate the connection from a PC that doesn't work by putting 69.60.7.199 in your browser.

Issue a 'show cap capin' and 'show cap capout'

Re: asa firewall issue

manivelengg — Sat, 23 Jan 2010 06:10:31 GMT

i tried this capture command in asa firwall.

the mentioned ip address is pinging in firewall at the same time the i tried both website name and ip but not pinging from our pc(lan networks)

meanwhile i intimate you all the websites are pinging from firewall point of view but the browsing(http) is not happening from all the networks.