topic Re: Cannot Access Internet in Network Security

Cannot Access Internet

beatinger — Fri, 21 Feb 2020 17:22:05 GMT

I am having an issue accessing the Internet from workstations/server behind my Cisco ASA5540 firewall. I have worked on this for many hours, with no luck. I have been using Cisco PIX firewalls for years, and am trying very hard to get over on this ASA5540 firewall. I honestly do not understand what the issue is. I can ping out to the Internet from the firewall, no problem, both a IPs and at DNS names. I just cannot get out to the Internet from any server or workstation. The following is my configuration, and after that, a "show version" output. Please let me know what you think might be wrong here. Thank you very much!

ciscoasa5540(config)# show config
: Saved
: Written by enable_15 at 18:29:44.131 UTC Fri Aug 2 2019
!
ASA Version 7.2(2)
!
hostname ciscoasa5540
domain-name edenhosting.net
enable password Vkz0vtCccFeMll8t encrypted
names
name 10.1.252.245 NS1 description Primary DNS Server (91)
name 10.1.252.219 Sendmail description OLD Mail Server (92)
name 10.1.252.247 ExchangeServer description Exchange Server 2016 (94)
name 10.1.252.249 WebServerIIS80 description Windows Server 2012 (93)
name 10.1.252.190 DRAC-DNS description DRAC for DNS Server (87)
name 10.1.252.191 DRAC-WebServer description DRAC for Web Server (92)
name 10.1.252.246 NAS description Synology NAS (86)
name 10.1.252.250 WebServerIIS10 description Windows Server 2019 (88)
name 10.1.252.192 DRAC-VirtualServer description DRAC for Virtual Server (89)
!
interface GigabitEthernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 12.43.6.90 255.255.0.0
!
interface GigabitEthernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.1.252.254 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd ZPTx1zDL8pJ7Ffwu encrypted
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server NS1
name-server 8.8.8.8
domain-name edenhosting.net
access-list inside_access_in extended permit tcp host 12.43.6.91 host NS1 eq domain
access-list inside_access_in extended permit udp host 12.43.6.91 host NS1 eq domain
access-list inside_access_in extended permit tcp host 12.43.6.92 host Sendmail eq pop3
access-list inside_access_in extended permit tcp host 12.43.6.92 host Sendmail eq smtp
access-list inside_access_in extended permit tcp host 12.43.6.92 host Sendmail eq domain
access-list inside_access_in extended permit tcp host 12.43.6.92 host Sendmail eq 587
access-list inside_access_in extended permit tcp host 12.43.6.92 host Sendmail eq 465
access-list inside_access_in extended permit tcp host 12.43.6.92 host Sendmail eq www
access-list inside_access_in extended permit tcp host 12.43.6.92 host Sendmail eq https
access-list inside_access_in extended permit tcp host 12.43.6.92 host Sendmail eq 8088
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit tcp host 12.43.6.93 host WebServerIIS80 eq www
access-list inside_access_in extended permit ip 10.1.252.0 255.255.255.0 any
pager lines 24
logging enable
logging timestamp
logging buffer-size 999999
logging buffered debugging
logging trap debugging
logging history debugging
logging asdm debugging
logging facility 23
mtu outside 1500
mtu inside 1500
mtu management 1500
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
asdm history enable
arp timeout 14400
nat-control
nat (inside) 1 10.1.252.0 255.255.255.0
static (inside,outside) 12.43.6.91 NS1 netmask 255.255.255.255
static (inside,outside) 12.43.6.92 Sendmail netmask 255.255.255.255 tcp 0 120
static (inside,outside) 12.43.6.93 WebServerIIS80 netmask 255.255.255.255 tcp 0 120
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 12.43.6.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
!
prompt hostname context
Cryptochecksum:c01c5eda61d05eb6144365d3feb1d611

ciscoasa5540(config)# show version

Cisco Adaptive Security Appliance Software Version 7.2(2)
Device Manager Version 5.2(2)

Compiled on Wed 22-Nov-06 14:16 by builders
System image file is "disk0:/asa722-k8.bin"
Config file at boot was "startup-config"

ciscoasa5540 up 2 hours 41 mins

Hardware: ASA5540-K8, 2560 MB RAM, CPU Pentium 4 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash AT49LW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: GigabitEthernet0/0 : address is 001a.2f94.4f56, irq 9
1: Ext: GigabitEthernet0/1 : address is 001a.2f94.4f57, irq 9
2: Ext: GigabitEthernet0/2 : address is 001a.2f94.4f58, irq 9
3: Ext: GigabitEthernet0/3 : address is 001a.2f94.4f59, irq 9
4: Ext: Management0/0 : address is 001a.2f94.4f55, irq 11
5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11
6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 200
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 5000
WebVPN Peers : 10

This platform has an ASA 5540 VPN Premium license.

Serial Number: JMX1112L1JH
Running Activation Key: 0x133c6c4f 0x3cca370e 0x9882a598 0x897810c8 0x0a2c0289
Configuration register is 0x1
Configuration last modified by enable_15 at 18:29:39.206 UTC Fri Aug 2 2019

Re: Cannot Access Internet

balaji.bandi — Sat, 03 Aug 2019 20:58:08 GMT

ASA 7.2 ~(Hoooo) its quite old code, cisco retired ages ago. let me re-think what iam providng suggestion may not be correct, since been long worked. on that. before 8.3 there was some global command for NAT, which is no longer available in 8.3 onwards.

high level i think you having NAT issue ( also your Internet subnet is correct ? 255.255.0.0 - no provider will allocate this kind of address space for user, please check that also).

hostname(config)# global (outside) 1 X.x.x.x << public IP or range you can specify

here is the reference guide :

https://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/cfgnat.html#wp1042810%0A

Re: Cannot Access Internet

beatinger — Sat, 03 Aug 2019 21:14:59 GMT

Thank you so much for your reply! I changed the subnet mask as you suggested (that is how it was in my old PIX), and that had no effect.
I used to use the global on the PIX a long time ago, but found that the PIX would work fine with JUST this:
route outside 0.0.0.0 0.0.0.0 12.43.6.81 1
I am not sure why I would need both statements, but will try it. I entered the following:
global (outside) 1 12.43.6.81
And again, I am able to access the Internet AND all of the workstations just fine from the ASA firewall itself (using pings).
So I think you are correct in saying there may be a NAT issue, as perhaps the workstation IPs are being block from translation from inside to outside.
I also found a line in the configuration that concerns me, as follows:

nat-control

I read up on this, and don't understand it much, but thought that it might actually be the issue.

Re: Cannot Access Internet

balaji.bandi — Sat, 03 Aug 2019 22:43:37 GMT

Since you moved from PIX, many things changes on ASA.

To make it easy, start with simple config and build on top of static NAT and more complex things you like to do.

So lets focus Internal networks NAT with Public IP get internet access done.

once you made changes post the configuration to review. (since i dont have any old code device for to simulate for your problem)

we have moved way ahead of 9.x trends.

Re: Cannot Access Internet

beatinger — Sat, 03 Aug 2019 23:48:59 GMT

I'll do exactly that and get back to this thread. I can update the IOS at a later time. What would be the very latest IOS that I can install on this device (ASA-5540)?
Thank you very much for your help!

Re: Cannot Access Internet

Ken Stieers — Sun, 04 Aug 2019 00:24:59 GMT

9.1.7-32

https://software.cisco.com/download/home/279916880/type/280775065/release/9.1.7%20Interim

Re: Cannot Access Internet

balaji.bandi — Sun, 04 Aug 2019 10:33:35 GMT

asa917-32-k8.bin - this is latest verion,

read the release notes :

https://www.cisco.com/web/software/280775065/131523/ASA-917-Interim-Release-Notes.html

upgrading from 7.2 to 9.1 is big change. so make sure you aware lot of config changes and upgrade path.

Re: Cannot Access Internet

beatinger — Thu, 08 Aug 2019 23:12:59 GMT

Thank you very much Balaji. I was also wondering if you might know what the very latest version of the software for the IPS hardware would be? I have the following installed in the 5540 (using "show inv"):

Name: "slot 1", DESCR: "ASA 5500 Series Security Services Module-20"
PID: ASA-SSM-20 , VID: V01 , SN: JAF10431796

I don't have any software installed for this device at all yet, and would like to get it working. Do you know what I need to install to get this going? Please let me know. Thank you very much!

Re: Cannot Access Internet

balaji.bandi — Fri, 09 Aug 2019 00:59:39 GMT

its been long time i have not worked on SSM since we moved to FTD.

as per the cisco here is the latest. IPS-SSM_20-K9-sys-1.1-a-7.0-2-E3.img