Unable to browse internet on a domain user's computer through ASA 5503 Firewall

GhaffarHunzai
Level 1

Dear All,

I have been trying to configure my new firewall for the last month but am still unable to fix it. I have a domain on Windows 2012 Standard Edition and the firewall has an unlimited license. Here is the output of show startup-config. Please note that prpgb.org is my local domain.



prpgbasa# show startup-config
: Saved
: Written by enable_15 at 02:50:45.169 PKT Thu Nov 20 2014
!
ASA Version 8.2(5)
!
hostname prpgbasa
domain-name prpgb.org
enable password AExqpLntfuzsVQrq encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.0.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 202.142.XXX.YY 255.255.255.252
!
ftp mode passive
clock timezone PKT 5
dns server-group DefaultDNS
 domain-name prpgb.org
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 202.142.XXX.YZ 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd dns 10.0.0.2 255.0.0.0
!
dhcpd dns 208.67.222.222 208.67.220.220 interface inside
dhcpd lease 86400 interface inside
dhcpd domain prpgb.org interface inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:23c0af4b2ddf9e925f83ce13909ab900
prpgbasa#

 

You are all requested to have a look at the problem and suggest modifications.

Thanks

5 Replies

Rowell Dionicio
Level 1

Couple of questions:

Is it happening on one or all computers?

Do you have a DHCP lease from the ASA?

Can you ping the ASA?

When you run show xlate do you see the computer's IP being NAT'd?

Dear Rowell,

Thanks a million for your reply. I was anxiously waiting for some help and I am glad that you have replied.

When I changed the DNS IPs to Google's IPs on one of the computers in the domain network, it was still unable to resolve names. I have a Dell PowerEdge 410 server which has two NICs. The first one I am using for the "WAN" connection, which is directly connected to the second port from the right side of the ASA, and the other, "LAN", is connected to the switch. No computer on the network is able to browse the internet. I am using my internal domain DHCP for IP address allotment and a static IP for the external interface provided by my ISP. Here are the static IPs respectively:

WAN

IP: 10.0.0.3

Mask: 255.0.0.0

GW: 10.0.0.1 (ASA IP)

DNS: 10.0.0.2

 

LAN

IP: 10.0.0.2

Mask: 255.0.0.0

GW: Null

DNS: 10.0.0.2

With the above settings I am able to browse the internet on the domain server but still not on the network users' computers. Also, when I try to ping my ASA from one of the network computers it says "destination host unreachable", but from the domain server I do get a reply. When I run show xlate I get the following:

1 in use, 246 most used

PAT Global 202.142.XXX.YY (58685) Local 10.0.0.3 (57664)

I hope we can get closer to solve the problem now.

 

Best regards,

Ghaffar

Can you draw up a diagram of how your network is configured? It sounds like your server has a connection to the internal network and the WAN network. Why?

What IP information does your computer get and what is its gateway?

What is the IP address of your ASA and what is the IP address of your DHCP server?

Dear Rowell, 

Thanks for your reply.

As already mentioned, I have two NICs which are built into the server. I want to use both of these for the internal and external interfaces, as can be done using an ISA or TMG server. I am not sure whether the internal DNS will work for the external interface too, but it doesn't work even if I use Google or OpenDNS IPs as the DNS address on the external interface.

For the internal (LAN) interface I have configured DHCP and DNS. The IP addresses assigned by the DHCP server (10.0.0.2) are the following:

IP address range 10.0.0.1 - 10.0.0.255

Mask: 255.0.0.0

Gateway: 10.0.0.1 ( which is ASA's IP)

DNS: 10.0.0.2 ( which is the internal DNS domain server)

 

I have changed the default IP address of ASA as 10.0.0.1 which is in my internal DNS IP range. I have changed it because I wanted both ASA and DNS server to be in the same network to communicate each other.

 

DHCP server IP address is 10.0.0.2

ASA IP address: 10.0.0.1

 

I hope I have explained what you asked for, and thanks again for your reply.

Dear All,

I have solved the issue. I did the following in order to browse the internet on domain users' computers. Here are the steps:

1. I have disabled my internal DHCP server in the domain.

2. Then I have configured the ASA DHCP server in the default IP address scheme i.e. 192.168.1.100-200

3. I have connected my ASA to a switch first, and from there I connected a cable to my domain server's WAN interface. The LAN (192.168.1.2) interface of the domain server is also plugged into the same switch.

4. I am using my Domain Server's DNS for name resolution and forward queries which are not served by my domain to open dns server.

 

It works perfectly so far, but before applying it to the entire network I want your help to look into the configuration file for corrections, in case I am making any mistakes. Thanks again for your help, and here is the output of show config.

prpgbasa# show startup
: Saved
: Written by Ghaffar at 02:11:24.319 PKT Mon Dec 8 2014
!
ASA Version 8.2(5)
!
hostname prpgbasa
domain-name prpgb.org
enable password AExqpLntfuzsVQrq encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ddns update hostname PRPGB.ORG
 dhcp client update dns server both
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 202.142.XXX.YY 255.255.255.252
!
ftp mode passive
clock timezone PKT 5
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.1.2
 domain-name prpgb.org
object-group network obj_any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 202.142.XXX.YY 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.100-192.168.1.200 inside
dhcpd dns 192.168.1.2 interface inside
dhcpd lease 86400 interface inside
dhcpd domain prpgb.org interface inside
dhcpd update dns both interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username ABC password FL01QCj0LaLWTID0 encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:7c4930a079158c0cb10a42813d3690cd
prpgbasa#

 

Please give me any recommendations you have.

Thanks in advance.

Ghaffar
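The two config dumps in this thread (Nov 20 in the first post, Dec 8 in the last) are what a reviewer would actually go through line by line, so here is that review as a small rule-based checker. It is an added example written for this page, not a Cisco tool and not the poster's own work; the rule set is the editor's choice, and only the config lines the checks read are reproduced, with the public address left masked exactly as the poster masked it. The checks are grounded in the posted text: telnet is cleartext; management ACLs equal to the whole inside subnet let any LAN host reach the box; without `aaa authentication ssh console` an 8.2 ASA accepts the default `pix` login with the `passwd` password; neither config pins `ssh version 2`; the Nov config has a netmask in `dhcpd dns` and no `dhcpd enable`, while the Dec config's default route next hop is written as the ASA's own outside address. One thing no config linter can see is the first post's real fault: on my reading of the posts, the ASA was cabled only to the server's WAN NIC while the clients sat on a separate switch with the server's LAN NIC, so without routing on the server the clients had no layer-2 path to 10.0.0.1; the Dec 8 cabling puts the ASA on the same switch, which is why it started working.

```python
"""Rule-based review of the two ASA 8.2(5) configs posted in this thread.
Hypothetical reviewer's helper for this page, not Cisco tooling."""
import re
from ipaddress import IPv4Network

# Excerpt of the Nov 20 config (first post); address masked as posted.
NOV_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 10.0.0.1 255.0.0.0
interface Vlan2
 nameif outside
 ip address 202.142.XXX.YY 255.255.255.252
dns server-group DefaultDNS
 domain-name prpgb.org
route outside 0.0.0.0 0.0.0.0 202.142.XXX.YZ 1
http 10.0.0.0 255.0.0.0 inside
telnet 10.0.0.0 255.0.0.0 inside
ssh 10.0.0.0 255.0.0.0 inside
console timeout 0
dhcpd dns 10.0.0.2 255.0.0.0
dhcpd dns 208.67.222.222 208.67.220.220 interface inside
"""

# Excerpt of the Dec 8 config (last post).
DEC_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address 202.142.XXX.YY 255.255.255.252
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.1.2
route outside 0.0.0.0 0.0.0.0 202.142.XXX.YY 1
aaa authentication ssh console LOCAL
http 192.168.1.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
console timeout 0
logging enable
dhcpd address 192.168.1.100-192.168.1.200 inside
dhcpd dns 192.168.1.2 interface inside
dhcpd enable inside
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def interfaces(cfg):
    """nameif -> (address string, IPv4Network, or None when the address is masked)."""
    out, name = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            name = None
        elif line.startswith(" nameif "):
            name = line.split()[1]
        elif line.startswith(" ip address ") and name:
            addr, mask = line.split()[2:4]
            net = IPv4Network(f"{addr}/{mask}", strict=False) if IPV4.match(addr) else None
            out[name] = (addr, net)
    return out


def review(cfg):
    """Return the reviewer remarks for one config as a list of strings."""
    lines = cfg.splitlines()
    ifs = interfaces(cfg)
    inside_net = ifs.get("inside", (None, None))[1]
    out_addr = ifs.get("outside", (None, None))[0]
    found = []
    # Management plane: cleartext telnet, and source ACLs as wide as the inside subnet.
    for proto in ("telnet", "ssh", "http"):
        for line in lines:
            m = re.match(rf"^{proto} (\S+) (\S+) inside$", line)
            if not m:
                continue
            src = IPv4Network(f"{m.group(1)}/{m.group(2)}")
            if proto == "telnet":
                found.append("telnet enabled on inside: cleartext management, use ssh only")
            if src == inside_net:
                found.append(f"{proto} permitted from the whole inside subnet {src}; limit it to admin hosts")
    if not any(l.startswith("aaa authentication ssh console") for l in lines):
        found.append("no 'aaa authentication ssh console': ssh accepts the default pix login with the telnet password")
    if "ssh version 2" not in lines:
        found.append("'ssh version 2' not set: SSHv1 remains negotiable")
    if "console timeout 0" in lines:
        found.append("console timeout 0: console sessions never expire")
    # Routing: the default route must point at the ISP router, not at the ASA itself.
    for line in lines:
        if line.startswith("route outside 0.0.0.0 0.0.0.0 "):
            nh = line.split()[4]
            if nh == out_addr:
                found.append(f"default route next hop {nh} is the ASA's own outside address as posted; it must be the ISP gateway")
    # DNS and DHCP.
    if not any(l.startswith(" name-server ") for l in lines):
        found.append("DefaultDNS has no name-server: the ASA itself cannot resolve names")
    for line in lines:
        if line.startswith("dhcpd dns "):
            servers = line.split()[2:]
            servers = servers[: servers.index("interface")] if "interface" in servers else servers
            if any(s.startswith("255.") for s in servers):
                found.append(f"'{line}': a netmask is given where a second DNS server belongs")
    if any(l.startswith("dhcpd ") for l in lines) and "dhcpd enable inside" not in lines:
        found.append("dhcpd options set but no 'dhcpd enable inside': the ASA hands out no leases")
    # Logging: without a buffer or syslog host there is no record of what the box did.
    if "logging enable" not in lines:
        found.append("logging not enabled: denied and NATed connections leave no record")
    elif not any(l.startswith(("logging host", "logging buffered")) for l in lines):
        found.append("logging reaches only ASDM: add 'logging buffered' or a syslog 'logging host'")
    return found
```

Run `review(NOV_CONFIG)` and `review(DEC_CONFIG)` and print the lists: the Nov config trips eleven remarks, the Dec config eight. The remaining Dec 8 points to act on are the three management-plane ones (drop telnet, narrow the `ssh`/`http` source to the admin workstation, add `ssh version 2`), the default route next hop, and a `logging buffered` or syslog host; the `dhcpd`/`name-server` remarks were already cleared by the Dec 8 changes.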
