Allowing traffic from inside to outside ASA5505 7.2(3)

scott.maron
Level 1

Hello,

Let me start by saying that I'm just starting to study for CCNA, so the ASA seems to be a bit above me yet.  The ASAs we are using are for VPN to our corporate office and only allow access to our Citrix environment, so no direct internet is allowed.  We have a person who works in the remote office who has need for a caption telephone that requires direct access to the internet.  The phone only supports DHCP, and getting the ASA to do ARP reservations is proving difficult.  For now I wrote an access list to allow its DHCP address out, but it still isn't working.  The access list I wrote is:

access-list 101 extended permit ip host xxx.xxx.xxx.124 any log
access-list 101 extended permit ip any any
access-group 101 out interface outside

When I do a show access-list I'm seeing that traffic is hitting the access list, as the hit counter has increased.  When I do a show conn I'm seeing one of the IPs that the phone should have access to; however, the flags are saA, so I'm assuming they are not getting a response.  According to the manufacturer, only outbound connections are needed, no incoming ports required.  All traffic is TCP.

Any help would be greatly appreciated. Thank you. 

8 Replies

Kevin P Sheahan
Level 5

Hi Scott,

Have you set up NAT for this outbound traffic? A quick setup that should resolve your issue is below.

If your code is PRE 8.3....

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

If your code is 8.3 or later....

object network ANY
subnet 0.0.0.0  0.0.0.0
nat (inside,outside) dynamic interface

Please reply back on whether this resolves your issue.

Kind Regards,

Kevin

**Please remember to rate helpful posts as well as mark the question as 'answered' once your issue is resolved. This will help others to find your solution faster.

Kind Regards, Kevin Sheahan, CCIE # 41349
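A quick check of the pre-8.3 NAT-ID pairing Kevin describes, as an added Python example that is not from this thread: it parses the global/nat lines and reports whether a given inside host would be translated toward the outside interface when nat-control is on. The second config (nat ID 2 without a matching global) and the host addresses are constructed.

```python
import ipaddress
import re

# Pre-8.3 syntax from the reply above, plus a constructed, deliberately
# mismatched pair (nat ID 2 with no global ID 2) to show a failing check.
GOOD_CFG = """
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
"""
BAD_CFG = """
nat-control
global (outside) 1 interface
nat (inside) 2 192.168.10.0 255.255.255.0
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+)\b")

def check_outbound_nat(cfg, host, ingress="inside", egress="outside"):
    """Return (ok, reasons): can `host` on `ingress` be translated out of
    `egress`?  Pre-8.3 rule: the nat statement's ID must match a global
    statement's ID on the egress interface."""
    reasons, globals_seen, nat_rules, nat_control = [], set(), [], False
    for line in (l.strip() for l in cfg.splitlines()):
        if line == "nat-control":
            nat_control = True
        if m := GLOBAL_RE.match(line):
            globals_seen.add((m.group(1), int(m.group(2))))
        if (m := NAT_RE.match(line)) and m.group(1) == ingress:
            net = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
            nat_rules.append((int(m.group(2)), net))
    addr = ipaddress.ip_address(host)
    covering = [nid for nid, net in nat_rules if addr in net]
    if not covering:
        # Without nat-control, untranslated inside traffic is still forwarded.
        if nat_control:
            reasons.append("nat-control is on and no nat statement covers the host")
        return (not nat_control), reasons
    if not any((egress, nid) in globals_seen for nid in covering):
        reasons.append(f"nat ID(s) {covering} have no matching 'global ({egress})'")
        return False, reasons
    return True, reasons
```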

Hi Kevin,

Thanks for the reply. I just heard from our staff person, and he has informed me it still doesn't work.  I have looked at the requirements once more and I may have missed one thing.  They are using DNS to resolve IPs.  Currently we only have internal DNS servers listed.  How can I add an external DNS without interfering with our internal?  This is what I currently have for DNS:

dns domain-lookup inside
dns server-group DefaultDNS
 name-server xxx.xxx.xxx.34
 name-server xxx.xxx.xxx.5
 domain-name .org

Thanks,

Scott

Hi Scott,

That DNS configuration is for DNS lookups that originate from the ASA itself. The configuration on the ASA does not force hosts to use those DNS addresses.

Can you ping the outside world with the NAT statements executed? Ping 8.8.8.8?

If so, you can use 8.8.8.8 for public DNS just configure it manually on the host. If you cannot ping the outside world at all please post back the entire sanitized (potentially sensitive information masked) configuration and I will be able to further assist.

Kind Regards,

Kevin


Hi Kevin,

I can ping the outside world from the ASA itself.  Unfortunately, I cannot assign DNS manually; it only accepts DHCP.  I have set up a PC there with the same access list for testing purposes.  I assigned public DNS to the test PC and that is unable to get out.  When I do a show conn, this is what I get:

UDP out 8.8.8.8:53 in x.x.x.113:64918 idle 0:00:14 flags -
UDP out 8.8.4.4:53 in x.x.x.113:64458 idle 0:00:29 flags -
UDP out 8.8.8.8:53 in x.x.x.113:64458 idle 0:00:29 flags -

Here is my scrubbed config.

ASA Version 7.2(3)
!
hostname
domain-name .org
names
dns-guard
!
interface Vlan1
 nameif inside
 security-level 100
 ip address x.x.x.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address y.y.y.y
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
***Banner Removed***
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server x.x.x.34
 name-server x.x.x.5
 domain-name .org
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group icmp-type ALLOWED_ICMP
 icmp-object echo-reply
 icmp-object unreachable
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object echo
 icmp-object timestamp-reply
object-group icmp-type ALLOWED_ICMP_RESTRICTED
 icmp-object echo-reply
access-list tempacl extended permit ip any any
access-list inside_out extended permit icmp any any object-group ALLOWED_ICMP
access-list inside_out extended permit ip any any
access-list outside_in extended permit icmp any any object-group ALLOWED_ICMP_RESTRICTED
access-list outside_in extended permit tcp any any eq ssh
access-list 101 extended permit ip host x.x.x.124 any log
access-list 101 extended permit ip host x.x.x.113 any log
access-list 101 extended permit ip any any
pager lines 40
logging enable
logging timestamp
logging buffer-size 256000
logging asdm-buffer-size 512
logging buffered notifications
logging trap errors
logging history informational
logging asdm errors
no logging message 400014
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
ip audit name attack action alarm
ip audit name info action alarm
ip audit interface inside
ip audit interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-522.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_out in interface inside
access-group outside_in in interface outside
access-group 101 out interface outside
route outside 0.0.0.0 0.0.0.0 y.y.y.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
***http, SNMP, SSH info removed***
management-access inside
dhcpd dns x.x.x.5 x.x.x.34
dhcpd ping_timeout 750
dhcpd domain .org
dhcpd auto_config outside
dhcpd update dns
!
dhcpd address x.x.x.100-x.x.x.227 inside
dhcpd enable inside
!
vpnclient server xy.xy.xy.xy xy.xy.xy.xy
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup password
vpnclient username password
vpnclient management clear
vpnclient enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context

Thanks for all your help!
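Reading the show conn flags is the quickest way to tell "the ACL permits it" apart from "the other side never answered". As an added Python example that is not part of this thread, this decodes the flag letters on the posted lines and on one constructed TCP line in the saA state the original question describes (the CapTel destination and port are taken from the vendor list later in the thread; the inside port is made up).

```python
import re

# Subset of the documented 'show conn' flag meanings this decoder needs.
FLAG_MEANING = {
    "U": "up (three-way handshake complete)",
    "s": "awaiting outside SYN",
    "a": "awaiting outside ACK to SYN",
    "A": "awaiting inside ACK to SYN",
    "B": "initial SYN from outside",
    "I": "inbound data seen",
    "O": "outbound data seen",
}

# 7.2 prints 'flags -' when no flag is set; the bytes column is optional.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) out (?P<oaddr>[\w.]+):(?P<oport>\d+) "
    r"in (?P<iaddr>[\w.]+):(?P<iport>\d+) idle (?P<idle>[\d:]+) "
    r"(?:bytes (?P<bytes>\d+) )?flags (?P<flags>\S+)"
)

def parse_conn(line):
    """Parse one 'show conn' line into a dict, or None if it is not one."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    flags = "" if d["flags"] == "-" else d["flags"]
    d["flags"] = flags
    d["meanings"] = [FLAG_MEANING.get(f, f"unknown flag {f}") for f in flags]
    if d["proto"] == "TCP":
        # 'saA' without 'U': inside host sent SYN, ASA never saw the SYN-ACK.
        d["state"] = "established" if "U" in flags else "embryonic (no reply seen)"
    else:
        d["state"] = "udp (no handshake; judge by bytes/idle, not flags)"
    return d

# UDP lines quoted in the post above plus one constructed TCP line.
SAMPLE = """
UDP out 8.8.8.8:53 in x.x.x.113:64918 idle 0:00:14 flags -
UDP out 8.8.4.4:53 in x.x.x.113:64458 idle 0:00:29 flags -
TCP out 69.8.140.210:5007 in x.x.x.124:49152 idle 0:00:05 bytes 0 flags saA
"""

def embryonic_tcp(text):
    """TCP conns that never got a SYN-ACK back: the first thing to chase."""
    conns = (parse_conn(l) for l in text.splitlines())
    return [c for c in conns if c and c["state"].startswith("embryonic")]
```

An embryonic entry proves the ASA built the connection (so the inbound ACL and nat-control are not blocking it); the missing reply then has to be explained by the path beyond the outside interface, which is what packet-tracer or a capture on the outside interface would show.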

I thought if I add the requirements from the manufacturer it would help. This is from CapTel's customer service.

Thanks,

Setting up the CapTel 800i in an Office Environment

Office Internet connections can be more complex than home connections. The essential setup is still the same, but more detailed information may be needed in order to connect to an office network successfully.

The following information is a list of requirements that can be shared when IT personnel request extra detail to ensure that the CapTel 800i is able to access the network successfully:

  • The CapTel 800i obtains its IP address via DHCP only.
  • If you require a static IP for the CapTel 800i, we suggest you configure your DHCP server to map the phone’s MAC address to a specific IP. To obtain the MAC address of the phone and other information, with the handset hung up press 0474636 (0IPINFO).
  • The CapTel 800i uses DNS to resolve the IP Address for the Captioning Service Center. The domains resolved through DNS are hybridcaptel.com and hybridcaptel-otw.com.
  • hybridcaptel.com is used for captions and currently resolves to the following IP ranges:
    • 69.8.140.208 - 69.8.140.223
    • 69.11.243.160 - 69.11.243.191
    • 71.87.12.177 - 71.87.12.190
    • The phone will use outbound TCP ports 5007-7000 to connect to captions on these IP addresses.
  • hybridcaptel-otw.com is used to perform software updates and currently resolves to:
    • 68.117.127.134
    • The phone will use outbound TCP ports 5004, 5100-5130 to this IP.
  • These IP address ranges and ports are subject to change without notice.
  • If the phone is being used in a locked down environment, the network’s security settings may require adjustments to permit the necessary communication from the CapTel 800i to the Captioning Service.
  • The CapTel 800i uses only outbound connections over the public Internet. No incoming ports are required.
  • Our caption service is a proprietary protocol that runs over TCP.
  • Proxy servers are not supported.
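The vendor list above is enough to replace the "permit ip any any" line with per-host, per-destination rules. As an added Python example (not from this thread or from CapTel), this turns the quoted ranges into ASA extended ACEs, splitting non-CIDR-aligned ranges such as 71.87.12.177-190 into the minimal set of blocks; the ACL name, phone address and DNS server are placeholders.

```python
import ipaddress

# Destination ranges and TCP ports transcribed from the vendor list above.
# Each entry: (first address, last address, [(low port, high port), ...]).
CAPTEL_REQUIREMENTS = [
    ("69.8.140.208", "69.8.140.223", [(5007, 7000)]),
    ("69.11.243.160", "69.11.243.191", [(5007, 7000)]),
    ("71.87.12.177", "71.87.12.190", [(5007, 7000)]),
    ("68.117.127.134", "68.117.127.134", [(5004, 5004), (5100, 5130)]),
]

def port_clause(low, high):
    return f"eq {low}" if low == high else f"range {low} {high}"

def dest_clause(net):
    # ASA extended ACL syntax uses 'host A' or 'A MASK', not CIDR notation.
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"

def build_acl(acl_name, phone_ip, reqs=CAPTEL_REQUIREMENTS, dns_servers=()):
    """Least-privilege ACEs for one phone, to replace 'permit ip any any'.
    Ranges that are not CIDR-aligned are split into the minimal set of
    blocks by summarize_address_range (71.87.12.177-190 becomes 6 ACEs)."""
    src = f"host {phone_ip}"
    lines = []
    for start, end, ports in reqs:
        first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
        for net in ipaddress.summarize_address_range(first, last):
            for low, high in ports:
                lines.append(f"access-list {acl_name} extended permit tcp {src} "
                             f"{dest_clause(net)} {port_clause(low, high)}")
    # The phone resolves hybridcaptel.com via DNS, so allow UDP/53 to the
    # resolvers it receives from DHCP (placeholder argument, not from the page).
    for dns in dns_servers:
        lines.append(f"access-list {acl_name} extended permit udp {src} host {dns} eq 53")
    return lines

if __name__ == "__main__":
    for ace in build_acl("captel_out", "192.0.2.124", dns_servers=["192.0.2.5"]):
        print(ace)
```

Since the vendor says these ranges and ports change without notice, keep the list in one place and regenerate the ACL from it rather than editing ACEs by hand.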

Hi

The problem seems to be a special unit, the CapTel 800i, am I right?

Are all the other units working?

Have you tried to capture the traffic with, e.g., Wireshark?

That will tell you a lot.

What does packet-tracer tell you?

Is it NAT aware? Is it even possible to use the unit behind a NAT device? Does it need its own external IP address?

And as usual, when it comes down to a live production environment, I would like to recommend that you go and talk to a Cisco rep about a good tech who can help you out.

good luck

HTH

It's supposed to work with NAT from what I have been told. I have not been able to run Wireshark, as this is across the country from me.

Seeing that my ACL's hit counter increases and I can see the traffic when doing a 'sh conn', but by looking at the flags in the output I'm seeing that it's waiting for responses.  Is it possible that there is an issue with NAT yet?  Also, I'm assuming possibly DNS?  I cannot assign anything to the phone as it gets everything from DHCP; I'm not able to statically set any of it.

Thanks,
