12-23-2011 09:14 AM - edited 03-11-2019 03:06 PM
Hi,
I'm new to all Cisco appliances so I'll try to be as clear as possible.
Currently I have an ASA setup as a Firewall with 1 outside interface and 2 inside interfaces. Initially, the Guest interface was setup to receive DHCP from the ASA and everything was working.
I'm adding a router and a server for the guest interface, and what I'm trying to accomplish now is the following:
ASA 5505 > Airport Extreme with a public static IP (69.xx.xx.6), handling DHCP and NAT > Mac Server as DNS Server
Right now, when I connect to my Airport Extreme with any computer, I don't have internet. I don't understand what's wrong.
My DNS server has a reserved IP address, 192.168.226.2; it points to itself and forwards to the ISP DNS servers. The Airport Extreme is handling the DNS server IP and the ISP DNS server IP, but I can't connect to the internet from the server.
Here's my Cisco ASA configuration:
ASA Version 7.2(3)
!
hostname lampe
domain-name lampe.ca
enable password M6aAV/2UhVYeSYwL encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.123.126 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 69.xx.xx.60 255.255.255.248
!
interface Vlan3
no forward interface Vlan1
nameif guest
security-level 50
ip address 192.168.226.226 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport access vlan 3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd M6aAV/2UhVYeSYwL encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name lampe.ca
access-list crypto_acl_10 extended permit ip 192.168.123.0 255.255.255.0 192.168.205.0 255.255.255.0
access-list nonat extended permit ip 192.168.123.0 255.255.255.0 192.168.205.0 255.255.255.0
access-list nonat extended permit ip 192.168.123.0 255.255.255.0 192.168.99.0 255.255.255.224
access-list inbound extended permit tcp any host 69.xx.xx.61 eq www
access-list inbound extended permit tcp any host 69.xx.xx.61 eq https
access-list inbound extended permit tcp any host 69.xx.xx.61 eq smtp
access-list inbound extended permit tcp any host 69.xx.xx.61 eq pop3
access-list inbound extended permit gre any host 69.xx.xx.61
access-list inbound extended permit tcp any host 69.xx.xx.61 eq pptp
access-list inbound extended permit tcp any host 69.xx.xx.58 eq 8080
access-list inbound extended permit tcp any host 69.xx.xx.61 eq ftp
access-list inbound extended permit icmp any host 69.xx.xx.6
access-list inbound extended permit ip host 69.70.178.122 host 69.xx.xx.6
access-list vpnclient_splitTunnelAcl standard permit 192.168.123.0 255.255.255.0
access-list guest_access_in extended deny ip 192.168.226.0 255.255.255.0 192.168.123.0 255.255.255.0
access-list guest_access_in extended permit ip 192.168.226.0 255.255.255.0 any
access-list guest_access_in extended permit ip any any inactive
access-list guest_access_in extended permit icmp any any inactive
access-list guest_access_in extended permit ip host 69.70.178.122 host 192.168.226.2
access-list guest_access_out extended permit ip host 192.168.226.2 host 69.70.178.122
access-list outside_access_out extended permit ip host 69.xx.xx.6 host 69.70.178.122
pager lines 24
logging enable
logging timestamp
logging monitor debugging
logging buffered errors
logging asdm warnings
mtu inside 1500
mtu outside 1500
mtu guest 1500
ip local pool remotevpn 192.168.99.10-192.168.99.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any guest
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (guest) 1 0.0.0.0 0.0.0.0 dns
static (inside,outside) 69.xx.xx.61 192.168.123.4 netmask 255.255.255.255 dns
static (inside,outside) 69.xx.xx.58 192.168.123.200 netmask 255.255.255.255
static (guest,outside) 69.xx.xx.6 192.168.226.2 netmask 255.255.255.255 dns
access-group inbound in interface outside
access-group guest_access_in in interface guest
route outside 0.0.0.0 0.0.0.0 69.xx.xx.57 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 64.254.232.224 255.255.255.224 outside
http 69.70.4.112 255.255.255.248 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 10 match address crypto_acl_10
crypto map outside_map 10 set peer 64.254.232.248
crypto map outside_map 10 set transform-set ESP-AES-MD5 ESP-AES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 64.254.232.224 255.255.255.224 outside
ssh 69.70.4.112 255.255.255.248 outside
ssh 69.70.178.122 255.255.255.255 outside
ssh timeout 30
console timeout 0
dhcpd auto_config outside
!
dhcpd dns 24.200.241.37 interface guest
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
ntp server 199.212.17.21 source outside
ntp server 199.212.17.22 source outside
ntp server 209.87.233.53 source outside
ntp server 132.246.168.148 source outside
group-policy vpnclient internal
group-policy vpnclient attributes
dns-server value 192.168.123.4
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnclient_splitTunnelAcl
default-domain value lampe.local
split-dns value lampe.local
username mmintzberg password 8fAM98BTuTuY/jU2 encrypted
username fross password Ykti5THH7ftFZeWp encrypted
username jsilver password 0VSZ094cAtFEZuxW encrypted
username mgadmin password 3Nrrh9/fcmJrMiH2 encrypted privilege 15
username smintzberg password .RPWyyJt7YbCb94T encrypted
username smintzberg attributes
vpn-framed-ip-address 192.168.99.22 255.255.255.0
username mruiz password j8Scwuudo9vNlzVa encrypted privilege 15
tunnel-group 64.254.232.248 type ipsec-l2l
tunnel-group 64.254.232.248 ipsec-attributes
pre-shared-key *
tunnel-group vpnclient type ipsec-ra
tunnel-group vpnclient general-attributes
address-pool remotevpn
default-group-policy vpnclient
tunnel-group vpnclient ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:182fd658d3a91cd43ccda34a1cb7cb41
: end
Message was edited by: Moises Ruiz. Changed the settings as per Ajay's reply.
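Added example, not part of the thread and not Cisco's tooling: a small lint over ASA 7.x-style running-config lines that flags the two configuration points the thread turns on, a static whose real and mapped interfaces are the same (Ajay's static (guest,guest) versus static (guest,outside) correction) and an access-group applied "out" on an interface whose ACL permits only single host pairs, so the implicit deny at the end of that ACL drops every other new flow leaving the ASA on that interface (the access-group Ajay asked to remove). SAMPLE_CONFIG is constructed from lines of the original post plus the two lines Ajay asked to change or remove; the regular expressions and the finding names are this example's own and do not model the ASA's full evaluation order.

```python
"""Lint a few ASA 7.x-style config lines for the two issues discussed
in the thread. Example code, not Cisco's; SAMPLE_CONFIG is constructed
from the post and from Ajay's replies."""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
access-list guest_access_in extended deny ip 192.168.226.0 255.255.255.0 192.168.123.0 255.255.255.0
access-list guest_access_in extended permit ip 192.168.226.0 255.255.255.0 any
access-list guest_access_out extended permit ip host 192.168.226.2 host 69.70.178.122
access-list inbound extended permit tcp any host 69.xx.xx.61 eq www
static (guest,guest) 69.xx.xx.7 192.168.226.2 netmask 255.255.255.255 dns
static (inside,outside) 69.xx.xx.61 192.168.123.4 netmask 255.255.255.255 dns
access-group inbound in interface outside
access-group guest_access_in in interface guest
access-group guest_access_out out interface guest
"""

STATIC_RE = re.compile(r"^static \((?P<real>[^,]+),(?P<mapped>[^)]+)\)")
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) (?:extended |standard )?(?P<action>permit|deny) (?P<rest>.*)$"
)
AG_RE = re.compile(r"^access-group (?P<name>\S+) (?P<dir>in|out) interface (?P<ifc>\S+)$")


def parse_config(text):
    """Collect ACEs per ACL name, static NAT lines and access-group bindings."""
    acls, statics, groups = defaultdict(list), [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            statics.append((m["real"], m["mapped"], line))
        elif m := ACL_RE.match(line):
            acls[m["name"]].append((m["action"], m["rest"].split()))
        elif m := AG_RE.match(line):
            groups.append((m["name"], m["dir"], m["ifc"], line))
    return acls, statics, groups


def is_host_pair(tokens):
    """True for an ACE like 'ip host A host B': one source host, one destination host, no 'any'."""
    return tokens.count("host") == 2 and "any" not in tokens


def lint(text):
    """Return a list of (kind, subject, line) findings."""
    acls, statics, groups = parse_config(text)
    findings = []
    for real, mapped, line in statics:
        # A static between the same interface does not publish the host on the outside.
        if real == mapped:
            findings.append(("same-interface-static", f"{real},{mapped}", line))
    for name, direction, ifc, line in groups:
        aces = acls.get(name)
        if not aces:
            findings.append(("undefined-acl", name, line))
            continue
        permits = [tokens for action, tokens in aces if action == "permit"]
        # An outbound ACL ends in an implicit deny like any other ACL; if every
        # permit is a single host pair, all other new flows leaving via 'ifc' are dropped.
        if direction == "out" and permits and all(is_host_pair(t) for t in permits):
            findings.append(("restrictive-out-acl", name, line))
    return findings


if __name__ == "__main__":
    for kind, subject, line in lint(SAMPLE_CONFIG):
        print(f"{kind:24} {subject:18} {line}")
```

Running the script prints two findings for the sample: the same-interface static and the guest_access_out binding. Both are exactly the lines Ajay asked to change and to remove.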
12-24-2011 10:12 AM
I do not see any other good reason for dropping this session, unless I get into the firewall myself and do some more research.
Let's wait and see what others say.
12-24-2011 12:10 PM
Hello Moises,
Good to know that my advice of removing the access-group did it!!
Now, regarding the other problem, it could be a DNS server issue.
Please connect a PC to the GUEST interface, use 4.2.2.2 as the DNS server, and let me know the result.
Do please rate helpful posts.
Julio
12-23-2011 10:02 AM
static (guest,guest) 69.xx.xx.7 192.168.226.2 netmask 255.255.255.255 dns
should be
static (guest,outside) 69.xx.xx.7 192.168.226.2 netmask 255.255.255.255 dns
12-23-2011 10:34 AM
Well that certainly helps explain why I couldn't ping my server from the outside (I was leaving that for later), thanks Ajay.
I'm still unable to browse the internet on the Guest interface.
12-23-2011 10:44 AM
Please also add this and try again.
policy-map global_policy
class inspection_default
inspect icmp
12-23-2011 10:46 AM
Would you mind telling me how to do it through the ASDM?
12-23-2011 10:51 AM
Hi,
You have to look at this link: http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080b84568.shtml
It should help you to configure it.
Thanks
Ajay
12-23-2011 11:12 AM
OK, got it. I added ICMP to the protocol inspections of the global policy, but I'm still unable to browse the internet from the guest network.
12-23-2011 09:09 PM
Hello Moises,
So guest users at 192.168.226.x cannot access the internet.
You do have the NAT statement and the ACL for that traffic, so checking the ASA configuration, it should work. It seems like something else is blocking the connection, so let's do some captures.
Let's work with a PC with the IP address 192.168.226.5 going to the xxxxx IP address on the outside (do an nslookup for a web server or any other host whose IP address you know):
access-list guest permit ip host 192.168.226.5 host xxxxx
access-list guest permit ip host xxxx host 192.168.226.5
access-list outside permit ip host 69.xx.xx.6 host xxxxxx
access-list outside permit ip host xxxxxx host 69.xx.xx.6
capture capguest access-list guest interface guest circular-buffer
capture capout access-list outside interface outside circular-buffer
Then try to generate traffic to that xxx IP on the outside from 192.168.226.5.
Go to the inside network, open a browser on any PC, download the captures as PCAP, and upload them here for us:
https://192.168.123.126/capture/capguest/pcap
https://192.168.123.126/capture/capout/pcap
Please do rate helpful posts.
Julio
12-24-2011 08:26 AM
Hi Julio,
Here's what I did:
I've added the access lists through the ASDM, but I used my DNS server (192.168.226.2) to troubleshoot as I can't go to the office right now (if we need to do it from another computer, let me know and I will do it tomorrow or Wednesday).
I didn't know how to add captures through the ASDM, so I ran the following commands through SSH:
capture capguest access-list guest_access_in interface guest circular-buffer
capture capout access-list outside_access_out interface outside circular-buffer
Then I went into my DNS Server and tried the following:
Ping to 69.70.178.122
Lookup to 69.70.178.122
Afterwards, I downloaded the PCAP files, but they didn't have any packets; the capture command shows nothing either.
I have updated the running config on my original post.
12-24-2011 08:39 AM
For a while, if we keep the DNS issue aside, let's test your internet connectivity. Please paste the output of this from the CLI:
packet-tracer input guest tcp 192.168.226.227 1024 4.2.2.2 80
Ajay
12-24-2011 08:51 AM
This looks interesting. I will need to find out what it means, but here it goes:
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group guest_access_in in interface guest
access-list guest_access_in extended permit ip 192.168.226.0 255.255.255.0 any
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (guest) 1 0.0.0.0 0.0.0.0 dns
match ip guest any outside any
dynamic translation to pool 1 (69.xx.xx.60 [Interface PAT])
translate_hits = 2, untranslate_hits = 0
Additional Information:
Dynamic translate 192.168.226.227/1024 to 69.xx.xx.60/3872 using netmask 255.255.255.255
Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (guest) 1 0.0.0.0 0.0.0.0 dns
match ip guest any outside any
dynamic translation to pool 1 (69.xx.xx.60 [Interface PAT])
translate_hits = 2, untranslate_hits = 0
Additional Information:
Phase: 10
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: guest
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
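Added example, not part of the thread and not Cisco's tooling: a parser for ASA packet-tracer output that splits the text into phases and reports the first phase whose Result is DROP together with the Drop-reason from the summary block, which is the reading Ajay gave the trace above. SAMPLE_TRACE is an abridged copy of the trace Moises posted (phases 4, 5, 8 and 11 plus the summary block); the function names and the header list are this example's own assumptions about the output format.

```python
"""Parse ASA packet-tracer output and locate the dropping phase.
Example code, not Cisco's; SAMPLE_TRACE is abridged from the post."""
import re

SAMPLE_TRACE = """\
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group guest_access_in in interface guest
access-list guest_access_in extended permit ip 192.168.226.0 255.255.255.0 any
Additional Information:
Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (guest) 1 0.0.0.0 0.0.0.0 dns
match ip guest any outside any
dynamic translation to pool 1 (69.xx.xx.60 [Interface PAT])
Additional Information:
Dynamic translate 192.168.226.227/1024 to 69.xx.xx.60/3872 using netmask 255.255.255.255
Phase: 11
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: guest
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Field headers that appear inside a phase block (assumed from the posted output).
HEADER_RE = re.compile(r"^(Type|Subtype|Result|Config|Additional Information):\s*(.*)$")


def parse_packet_tracer(text):
    """Return (phases, summary): phases is a list of dicts with phase number, type,
    subtype, result, config lines and info lines; summary holds the final block."""
    phases, summary = [], {}
    current, section, in_summary = None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_summary:
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
            continue
        if line.startswith("Phase:"):
            current = {"phase": int(line.split(":", 1)[1]), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            section = None
            continue
        if line == "Result:":
            # A bare 'Result:' with no ALLOW/DROP value opens the final summary block.
            in_summary = True
            continue
        m = HEADER_RE.match(line)
        if m and current is not None:
            key, value = m.groups()
            if key == "Config":
                section = "config"
            elif key == "Additional Information":
                section = "info"
            else:
                current[key.lower()] = value
                section = None
        elif current is not None and section is not None:
            current[section].append(line)
    return phases, summary


def first_drop(text):
    """Describe the first DROP phase, or return None when every phase allowed the flow."""
    phases, summary = parse_packet_tracer(text)
    for p in phases:
        if p["result"] == "DROP":
            return {"phase": p["phase"], "type": p["type"], "config": p["config"],
                    "action": summary.get("Action"), "reason": summary.get("Drop-reason")}
    return None


def nat_translation(text):
    """Return the 'Dynamic translate ...' line from the NAT phase, if present."""
    phases, _ = parse_packet_tracer(text)
    for p in phases:
        if p["type"] == "NAT":
            for line in p["info"]:
                if line.startswith("Dynamic translate"):
                    return line
    return None


if __name__ == "__main__":
    print(nat_translation(SAMPLE_TRACE))
    print(first_drop(SAMPLE_TRACE))
```

On the abridged trace this reports phase 11, type ACCESS-LIST with config "Implicit Rule" and reason "(acl-drop) Flow is denied by configured rule", after the NAT phase has already translated 192.168.226.227/1024 to the interface PAT address. That ordering is the useful part of the output: NAT and routing succeeded, so the remaining suspect is an applied ACL whose implicit deny is hit, which is what Ajay's next reply acts on.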
12-24-2011 08:54 AM
Looks like it was dropped by an ACL? Can you post the latest show run config.
12-24-2011 09:01 AM
Also remove this:
access-group guest_access_out out interface guest
and paste the trace again.
12-24-2011 09:12 AM
Sorry Ajay, but today is the first time I've actually used the CLI, hehe. How can I remove that access group with a command? I don't see it in the ASDM...
12-24-2011 09:14 AM
config t
no access-group guest_access_out out interface guest
Then get the trace.