05-16-2012 09:22 AM - edited 03-11-2019 04:08 PM
Hello,
Let me start by saying that I'm just starting to study for CCNA, so the ASA seems to be a bit above me yet. The ASAs we are using are for VPN to our corporate office and only allow access to our Citrix environment, so no direct internet is allowed. We have a person who works in the remote office who needs a caption telephone that requires direct access to the internet. The phone only supports DHCP, and getting the ASA to do an ARP reservation is proving difficult. For now I wrote an access list to allow its DHCP address out, but it still isn't working. The access list I wrote is:
access-list 101 extended permit ip host xxx.xxx.xxx.124 any log
access-list 101 extended permit ip any any
access-group 101 out interface outside
When I do a show access-list I'm seeing that traffic is hitting the access list, as the hit counter has increased. When I do a show conn I'm seeing one of the IPs that the phone should have access to; however, the flags are saA, so I'm assuming they are not getting a response. According to the manufacturer, only outbound connections are needed, no incoming ports required. All traffic is TCP.
Any help would be greatly appreciated. Thank you.
05-16-2012 12:12 PM
Hi Scott,
Have you set up NAT for this outbound traffic? A quick setup that should resolve your issue is below.
If your code is PRE 8.3....
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
If your code is 8.3 or later....
object network ANY
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface
Please reply back on whether this resolves your issue.
Kind Regards,
Kevin
**Please remember to rate helpful posts as well as mark the question as 'answered' once your issue is resolved. This will help others to find your solution faster.
05-17-2012 01:27 PM
Hi Kevin,
Thanks for the reply. I just heard from our staff person, and he has informed me it still doesn't work. I have looked at the requirements once more and I may have missed one thing: they are using DNS to resolve IPs. Currently we only have internal DNS servers listed. How can I add an external DNS server without interfering with our internal ones? This is what I currently have for DNS:
dns domain-lookup inside
dns server-group DefaultDNS
name-server xxx.xxx.xxx.34
name-server xxx.xxx.xxx.5
domain-name
Thanks,
Scott
05-17-2012 04:21 PM
Hi Scott,
That DNS configuration is for DNS lookups that originate from the ASA itself. The configuration on the ASA does not force hosts to use those DNS addresses.
Can you ping the outside world with the NAT statements executed? Ping 8.8.8.8?
If so, you can use 8.8.8.8 for public DNS; just configure it manually on the host. If you cannot ping the outside world at all, please post back the entire sanitized (potentially sensitive information masked) configuration and I will be able to further assist.
Kind Regards,
Kevin
05-18-2012 07:14 AM
Hi Kevin,
I can ping the outside world from the ASA itself. Unfortunately, I cannot assign DNS manually; it only accepts DHCP. I have set up a PC there with the same access list for testing purposes. I assigned public DNS to the test PC and it is unable to get out. When I do a show conn, this is what I get:
UDP out 8.8.8.8:53 in x.x.x.113:64918 idle 0:00:14 flags -
UDP out 8.8.4.4:53 in x.x.x.113:64458 idle 0:00:29 flags -
UDP out 8.8.8.8:53 in x.x.x.113:64458 idle 0:00:29 flags -
Here is my scrubbed config.
ASA Version 7.2(3)
!
hostname
domain-name
names
dns-guard
!
interface Vlan1
nameif inside
security-level 100
ip address x.x.x.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address y.y.y.y
!
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
***Banner Removed***
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server x.x.x.34
name-server x.x.x.5
domain-name
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group icmp-type ALLOWED_ICMP
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
icmp-object traceroute
icmp-object echo
icmp-object timestamp-reply
object-group icmp-type ALLOWED_ICMP_RESTRICTED
icmp-object echo-reply
access-list tempacl extended permit ip any any
access-list inside_out extended permit icmp any any object-group ALLOWED_ICMP
access-list inside_out extended permit ip any any
access-list outside_in extended permit icmp any any object-group ALLOWED_ICMP_RESTRICTED
access-list outside_in extended permit tcp any any eq ssh
access-list 101 extended permit ip host x.x.x.124 any log
access-list 101 extended permit ip host x.x.x.113 any log
access-list 101 extended permit ip any any
pager lines 40
logging enable
logging timestamp
logging buffer-size 256000
logging asdm-buffer-size 512
logging buffered notifications
logging trap errors
logging history informational
logging asdm errors
no logging message 400014
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
ip audit name
ip audit name
ip audit interface inside
ip audit interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-522.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_out in interface inside
access-group outside_in in interface outside
access-group 101 out interface outside
route outside 0.0.0.0 0.0.0.0 y.y.y.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
***http, SNMP, SSH info removed***
management-access inside
dhcpd dns x.x.x.5 x.x.x.34
dhcpd ping_timeout 750
dhcpd domain
dhcpd auto_config outside
dhcpd update dns
!
dhcpd address x.x.x.100-x.x.x.227 inside
dhcpd enable inside
!
vpnclient server xy.xy.xy.xy xy.xy.xy.xy
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup
vpnclient username
vpnclient management clear
vpnclient enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Thanks for all your help!
05-18-2012 12:13 PM
I thought if I added the requirements from the manufacturer it would help. This is from CapTel's customer service.
Thanks,
Setting up the CapTel 800i in an Office Environment
Office Internet connections can be more complex than home connections. The essential setup is still the same, but more detailed information may be needed in order to connect to an office network successfully.
The following information is a list of requirements that can be shared when IT personnel request extra detail to ensure that the CapTel 800i is able to access the network successfully:
05-18-2012 12:45 PM
Hi
The problem seems to be a special unit, the CapTel 800i, am I right?
Are all the other units working?
Have you tried to capture the traffic with e.g. Wireshark?
That will tell you a lot.
What does the packet-tracer tell you?
Is it NAT aware? Is it even possible to use the unit behind a NAT device? Does it need its own external IP address?
And as usual when it comes down to a live production environment, I would recommend that you go and talk to a Cisco rep about a good tech who can help you out.
Good luck
HTH
05-21-2012 11:40 AM
It's supposed to work with NAT from what I have been told. I have not been able to run Wireshark, as this is across the country from me.
05-22-2012 01:03 PM
My ACL's hit counter increases and I can see the traffic when doing a 'sh conn', but by looking at the flags in the output I'm seeing that it's waiting for responses. Is it possible that there is still an issue with NAT? Also, I'm assuming possibly DNS? I cannot assign anything to the phone as it gets everything from DHCP; I'm not able to statically set any of it.
Thanks,
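Both the opening post (TCP connections stuck with flags saA) and this last one (conns that look like they are "waiting for responses") turn on reading the flag column of show conn. The following is an added example, not code from the thread or from Cisco: a small Python parser for show conn lines that classifies each connection from its flags and lists the outbound TCP conns for which the ASA has seen a SYN from the inside host but no SYN/ACK back. The flag meanings are the ones documented in the ASA command reference for show conn. The three UDP sample lines are the ones posted earlier in this thread; the two TCP lines, the 203.0.113.x addresses and the inside ports are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Subset of the documented ASA "show conn" flag letters used here.
FLAG_MEANING = {
    "U": "up (three-way handshake completed)",
    "s": "awaiting outside SYN",
    "a": "awaiting outside ACK to SYN",
    "A": "awaiting inside ACK to SYN",
    "S": "awaiting inside SYN",
    "B": "initial SYN from outside",
    "I": "inbound data",
    "O": "outbound data",
    "D": "DNS",
}

# Matches the 7.x/8.x line format: proto, out addr:port, in addr:port,
# idle h:mm:ss, optional "Bytes N", flags. Scrubbed addresses like
# x.x.x.113 are accepted because the address field is any non-space run.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+out\s+(?P<out_ip>\S+):(?P<out_port>\d+)"
    r"\s+in\s+(?P<in_ip>\S+):(?P<in_port>\d+)"
    r"\s+idle\s+(?P<idle>\d+:\d{2}:\d{2})"
    r"(?:\s+Bytes\s+(?P<bytes>\d+))?"
    r"\s+flags\s+(?P<flags>\S+)\s*$"
)


@dataclass
class Conn:
    proto: str
    out_ip: str
    out_port: int
    in_ip: str
    in_port: int
    idle_seconds: int
    bytes: Optional[int]
    flags: str

    def state(self) -> str:
        """Classify the connection from its flag letters."""
        f = set() if self.flags == "-" else set(self.flags)
        if self.proto == "TCP":
            if "U" in f:
                return "established"
            if "B" in f:
                return "embryonic-inbound"
            if {"s", "a"} <= f:
                # Inside host sent its SYN; the ASA is still waiting for
                # the outside SYN/ACK, so nothing has come back yet.
                return "embryonic-outbound-no-reply"
            return "embryonic-other"
        # UDP has no handshake; "-" simply means no flags are set.
        return "udp-no-flags" if not f else "udp-flagged"


def parse_conn(line: str) -> Optional[Conn]:
    """Parse one show conn line; return None for lines that do not match."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    h, mnt, s = (int(x) for x in m["idle"].split(":"))
    return Conn(
        proto=m["proto"], out_ip=m["out_ip"], out_port=int(m["out_port"]),
        in_ip=m["in_ip"], in_port=int(m["in_port"]),
        idle_seconds=h * 3600 + mnt * 60 + s,
        bytes=int(m["bytes"]) if m["bytes"] else None,
        flags=m["flags"],
    )


def parse_show_conn(text: str) -> List[Conn]:
    return [c for c in (parse_conn(ln) for ln in text.splitlines()) if c]


def unanswered_outbound(conns: List[Conn]) -> List[Conn]:
    """TCP conns where the inside host's SYN has had no reply from outside."""
    return [c for c in conns if c.state() == "embryonic-outbound-no-reply"]


def explain_flags(flags: str) -> List[str]:
    if flags == "-":
        return []
    return [FLAG_MEANING.get(ch, f"{ch}: not in table") for ch in flags]


# Constructed sample: the three UDP lines from the thread plus two made-up
# TCP lines (one stuck in saA like the phone, one healthy UIO session).
SAMPLE = """\
UDP out 8.8.8.8:53 in x.x.x.113:64918 idle 0:00:14 flags -
UDP out 8.8.4.4:53 in x.x.x.113:64458 idle 0:00:29 flags -
UDP out 8.8.8.8:53 in x.x.x.113:64458 idle 0:00:29 flags -
TCP out 203.0.113.10:443 in x.x.x.124:50211 idle 0:00:09 Bytes 0 flags saA
TCP out 203.0.113.20:22 in x.x.x.50:50300 idle 0:00:01 Bytes 1532 flags UIO
"""

if __name__ == "__main__":
    conns = parse_show_conn(SAMPLE)
    for c in conns:
        print(f"{c.proto} {c.in_ip}:{c.in_port} -> {c.out_ip}:{c.out_port} "
              f"flags={c.flags} state={c.state()}")
    for c in unanswered_outbound(conns):
        print("no reply:", c.in_ip, "->", c.out_ip, explain_flags(c.flags))
```

Run it against a pasted show conn capture instead of SAMPLE to get the same listing. A conn in the embryonic-outbound-no-reply state means the ASA built the connection entry and forwarded the SYN (so the ACL permitted it) but never saw a reply from the far side, which is why the thread's later questions move on to NAT, routing and DNS rather than the access list.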