ASA 5505 - Configure Internal Router & DNS Server - No Internet

moises.ruiz
Level 1

Hi,

I'm new to all Cisco appliances so I'll try to be as clear as possible.

Currently I have an ASA setup as a Firewall with 1 outside interface and 2 inside interfaces. Initially, the Guest interface was setup to receive DHCP from the ASA and everything was working.

I'm adding a router and a server for the guest interface, and what I'm trying to accomplish now is the following:

ASA 5505 > Airport Extreme with a public static IP (69.xx.xx.6), handling DHCP and NAT  > Mac Server as DNS Server

Right now, when I connect to my Airport Extreme with any computer, I don't have internet. I don't understand what's wrong.

My DNS server has a reserved IP address, 192.168.226.2; it points to itself and forwards to the ISP DNS servers. The Airport Extreme hands out the DNS server IP and the ISP DNS server IP, but I can't connect to the internet from the server.

Here's my Cisco ASA configuration:

ASA Version 7.2(3)

!

hostname lampe

domain-name lampe.ca

enable password M6aAV/2UhVYeSYwL encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.123.126 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 69.xx.xx.60 255.255.255.248

!

interface Vlan3

no forward interface Vlan1

nameif guest

security-level 50

ip address 192.168.226.226 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!            

interface Ethernet0/1

!            

interface Ethernet0/2

!            

interface Ethernet0/3

switchport access vlan 3

!            

interface Ethernet0/4

!            

interface Ethernet0/5

!            

interface Ethernet0/6

!            

interface Ethernet0/7

!            

passwd M6aAV/2UhVYeSYwL encrypted

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

domain-name lampe.ca

access-list crypto_acl_10 extended permit ip 192.168.123.0 255.255.255.0 192.168.205.0 255.255.255.0

access-list nonat extended permit ip 192.168.123.0 255.255.255.0 192.168.205.0 255.255.255.0

access-list nonat extended permit ip 192.168.123.0 255.255.255.0 192.168.99.0 255.255.255.224

access-list inbound extended permit tcp any host 69.xx.xx.61 eq www

access-list inbound extended permit tcp any host 69.xx.xx.61 eq https

access-list inbound extended permit tcp any host 69.xx.xx.61 eq smtp

access-list inbound extended permit tcp any host 69.xx.xx.61 eq pop3

access-list inbound extended permit gre any host 69.xx.xx.61

access-list inbound extended permit tcp any host 69.xx.xx.61 eq pptp

access-list inbound extended permit tcp any host 69.xx.xx.58 eq 8080

access-list inbound extended permit tcp any host 69.xx.xx.61 eq ftp

access-list inbound extended permit icmp any host 69.xx.xx.6

access-list inbound extended permit ip host 69.70.178.122 host 69.xx.xx.6

access-list vpnclient_splitTunnelAcl standard permit 192.168.123.0 255.255.255.0

access-list guest_access_in extended deny ip 192.168.226.0 255.255.255.0 192.168.123.0 255.255.255.0

access-list guest_access_in extended permit ip 192.168.226.0 255.255.255.0 any

access-list guest_access_in extended permit ip any any inactive

access-list guest_access_in extended permit icmp any any inactive

access-list guest_access_in extended permit ip host 69.70.178.122 host 192.168.226.2

access-list guest_access_out extended permit ip host 192.168.226.2 host 69.70.178.122

access-list outside_access_out extended permit ip host 69.xx.xx.6 host 69.70.178.122

pager lines 24

logging enable

logging timestamp

logging monitor debugging

logging buffered errors

logging asdm warnings

mtu inside 1500

mtu outside 1500

mtu guest 1500

ip local pool remotevpn 192.168.99.10-192.168.99.20 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

icmp permit any guest

asdm image disk0:/asdm-523.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0

nat (guest) 1 0.0.0.0 0.0.0.0 dns

static (inside,outside) 69.xx.xx.61 192.168.123.4 netmask 255.255.255.255 dns

static (inside,outside) 69.xx.xx.58 192.168.123.200 netmask 255.255.255.255

static (guest,outside) 69.xx.xx.6 192.168.226.2 netmask 255.255.255.255 dns

access-group inbound in interface outside

access-group guest_access_in in interface guest

route outside 0.0.0.0 0.0.0.0 69.xx.xx.57 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

aaa authentication ssh console LOCAL

http server enable

http 64.254.232.224 255.255.255.224 outside

http 69.70.4.112 255.255.255.248 outside

http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 set pfs

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map 10 match address crypto_acl_10

crypto map outside_map 10 set peer 64.254.232.248

crypto map outside_map 10 set transform-set ESP-AES-MD5 ESP-AES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha    

group 2     

lifetime 86400

crypto isakmp nat-traversal  20

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh 64.254.232.224 255.255.255.224 outside

ssh 69.70.4.112 255.255.255.248 outside

ssh 69.70.178.122 255.255.255.255 outside

ssh timeout 30

console timeout 0

dhcpd auto_config outside

!            

dhcpd dns 24.200.241.37 interface guest

!            

!            

class-map inspection_default

match default-inspection-traffic

!            

!            

policy-map type inspect dns preset_dns_map

parameters  

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect icmp

!            

service-policy global_policy global

ntp server 199.212.17.21 source outside

ntp server 199.212.17.22 source outside

ntp server 209.87.233.53 source outside

ntp server 132.246.168.148 source outside

group-policy vpnclient internal

group-policy vpnclient attributes

dns-server value 192.168.123.4

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value vpnclient_splitTunnelAcl

default-domain value lampe.local

split-dns value lampe.local

username mmintzberg password 8fAM98BTuTuY/jU2 encrypted

username fross password Ykti5THH7ftFZeWp encrypted

username jsilver password 0VSZ094cAtFEZuxW encrypted

username mgadmin password 3Nrrh9/fcmJrMiH2 encrypted privilege 15

username smintzberg password .RPWyyJt7YbCb94T encrypted

username smintzberg attributes

vpn-framed-ip-address 192.168.99.22 255.255.255.0

username mruiz password j8Scwuudo9vNlzVa encrypted privilege 15

tunnel-group 64.254.232.248 type ipsec-l2l

tunnel-group 64.254.232.248 ipsec-attributes

pre-shared-key *

tunnel-group vpnclient type ipsec-ra

tunnel-group vpnclient general-attributes

address-pool remotevpn

default-group-policy vpnclient

tunnel-group vpnclient ipsec-attributes

pre-shared-key *

prompt hostname context

Cryptochecksum:182fd658d3a91cd43ccda34a1cb7cb41

: end 

Message was edited by Moises Ruiz: changed the settings as per Ajay's reply.

31 Replies

That was easier than what I expected.

I've updated the show run config on my original post and here's the resulting trace:

Phase: 1

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

MAC Access list

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 3

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 4     

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:      

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 5     

Type: ACCESS-LIST

Subtype: log 

Result: ALLOW

Config:      

access-group guest_access_in in interface guest

access-list guest_access_in extended permit ip 192.168.226.0 255.255.255.0 any

Additional Information:

Phase: 6     

Type: IP-OPTIONS

Subtype:     

Result: ALLOW

Config:      

Additional Information:

Phase: 7     

Type: CAPTURE

Subtype:     

Result: ALLOW

Config:      

Additional Information:

Phase: 8     

Type: NAT    

Subtype:     

Result: ALLOW

Config:      

nat (guest) 1 0.0.0.0 0.0.0.0 dns

  match ip guest any outside any

    dynamic translation to pool 1 (69.xx.xx.60 [Interface PAT])

    translate_hits = 3, untranslate_hits = 0

Additional Information:

Dynamic translate 192.168.226.227/1024 to 69.xx.xx.60/3873 using netmask 255.255.255.255

Phase: 9     

Type: NAT    

Subtype: host-limits

Result: ALLOW

Config:      

nat (guest) 1 0.0.0.0 0.0.0.0 dns

  match ip guest any outside any

    dynamic translation to pool 1 (69.xx.xx.60 [Interface PAT])

    translate_hits = 3, untranslate_hits = 0

Additional Information:

Phase: 10    

Type: HOST-LIMIT

Subtype:     

Result: ALLOW

Config:      

Additional Information:

Phase: 11    

Type: ACCESS-LIST

Subtype:     

Result: DROP 

Config:      

Implicit Rule

Additional Information:

Result:      

input-interface: guest

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop 

Drop-reason: (acl-drop) Flow is denied by configured rule

I do not see any other good reason for dropping this session, unless I get into the firewall myself and do some more research.

Let's wait and see what others say.
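The packet-tracer output above ends with an acl-drop by an "Implicit Rule" in the outbound direction on the outside interface. The following is an added example, not code from the thread: a small Python model of how an ASA evaluates an interface ACL (first matching ACE wins; an applied ACL with no match ends in an implicit deny; no ACL applied means permit), run over the guest_access_in and outside_access_out lists from the posted configuration. The masked public addresses (69.xx.xx.6, 69.xx.xx.60) are replaced by constructed placeholders, and it assumes that on pre-8.3 code the outbound check on outside sees the PAT-translated source.

```python
# Added example (not from the thread): model of ASA interface-ACL evaluation,
# showing why guest-to-internet traffic hits the implicit deny while an
# outbound ACL with a single host permit is bound to the outside interface.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str                     # CIDR or single host address
    dst: str
    dport: Optional[int] = None  # None = any destination port
    inactive: bool = False       # ACEs marked "inactive" are skipped

    def matches(self, proto, sip, dip, dport):
        if self.inactive or (self.proto != "ip" and self.proto != proto):
            return False
        if ipaddress.ip_address(sip) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if ipaddress.ip_address(dip) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        return self.dport is None or self.dport == dport


def evaluate(acl, proto, sip, dip, dport=None):
    """Action for one flow. No ACL bound in this direction means permit;
    a bound ACL with no matching ACE ends in the implicit deny seen in the trace."""
    if acl is None:
        return "permit (no access-group)"
    for ace in acl:
        if ace.matches(proto, sip, dip, dport):
            return ace.action
    return "deny (implicit rule)"


# ACLs as posted in the thread's configuration.
GUEST_ACCESS_IN = [
    Ace("deny", "ip", "192.168.226.0/24", "192.168.123.0/24"),  # keep guests off inside
    Ace("permit", "ip", "192.168.226.0/24", "0.0.0.0/0"),
    Ace("permit", "ip", "0.0.0.0/0", "0.0.0.0/0", inactive=True),
]
MAPPED_DNS_SERVER = "203.0.113.6"   # constructed placeholder for the masked 69.xx.xx.6
PAT_ADDRESS = "203.0.113.60"        # constructed placeholder for the masked 69.xx.xx.60
OUTSIDE_ACCESS_OUT = [Ace("permit", "ip", MAPPED_DNS_SERVER, "69.70.178.122")]


def trace_guest_to_internet(outbound_acl_applied):
    """Guest PC 192.168.226.227 -> 8.8.8.8:80. The inbound check on guest uses the
    real source; the outbound check on outside uses the PAT-translated source
    (assumption: pre-8.3 ACLs on outside match mapped addresses)."""
    inbound = evaluate(GUEST_ACCESS_IN, "tcp", "192.168.226.227", "8.8.8.8", 80)
    outbound_acl = OUTSIDE_ACCESS_OUT if outbound_acl_applied else None
    outbound = evaluate(outbound_acl, "tcp", PAT_ADDRESS, "8.8.8.8", 80)
    return inbound, outbound
```

With the outbound ACL bound, the guest flow passes guest_access_in and is then dropped by the implicit rule on outside; with no outbound access-group it is permitted, matching what removing the access-group did.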

Ok I removed:

no access-group outside_access_out out interface outside

and it looks like good news but I still have a problem.

If I go to my DNS server and set my ASA's internal IP address (192.168.226.226) as the router address, I am able to browse the internet for about 2 minutes and then everything times out.

If I switch the router address from 192.168.226.226 to 192.168.226.1 and then back to .226, I have internet again for 2 minutes and then it times out again.

Here's the result of a continuous ping while doing this:

ping: sendto: No route to host

ping: sendto: No route to host

ping: sendto: No route to host

ping: sendto: No route to host

PING 69.70.178.122 (69.70.178.122): 56 data bytes

Request timeout for icmp_seq 0

Request timeout for icmp_seq 1

Request timeout for icmp_seq 2

Request timeout for icmp_seq 3

Request timeout for icmp_seq 4

Request timeout for icmp_seq 5

Request timeout for icmp_seq 6

Request timeout for icmp_seq 7

Request timeout for icmp_seq 8

Request timeout for icmp_seq 9

Request timeout for icmp_seq 10

Request timeout for icmp_seq 11

Request timeout for icmp_seq 12

Request timeout for icmp_seq 13

Request timeout for icmp_seq 14

Request timeout for icmp_seq 15

Request timeout for icmp_seq 16

Request timeout for icmp_seq 17

Request timeout for icmp_seq 18

Request timeout for icmp_seq 19

64 bytes from 69.70.178.122: icmp_seq=20 ttl=249 time=17.481 ms

64 bytes from 69.70.178.122: icmp_seq=21 ttl=249 time=17.205 ms

Request timeout for icmp_seq 22

Request timeout for icmp_seq 23

Request timeout for icmp_seq 24

Request timeout for icmp_seq 25

Request timeout for icmp_seq 26

Request timeout for icmp_seq 27

Request timeout for icmp_seq 28

Request timeout for icmp_seq 29

Request timeout for icmp_seq 30

Request timeout for icmp_seq 31

Request timeout for icmp_seq 32

Request timeout for icmp_seq 33

Request timeout for icmp_seq 34

Request timeout for icmp_seq 35

Request timeout for icmp_seq 36

Request timeout for icmp_seq 37

Request timeout for icmp_seq 38

Request timeout for icmp_seq 39

Request timeout for icmp_seq 40

64 bytes from 69.70.178.122: icmp_seq=41 ttl=249 time=15.022 ms

64 bytes from 69.70.178.122: icmp_seq=42 ttl=249 time=256.040 ms

64 bytes from 69.70.178.122: icmp_seq=43 ttl=249 time=245.477 ms

64 bytes from 69.70.178.122: icmp_seq=44 ttl=249 time=166.006 ms

64 bytes from 69.70.178.122: icmp_seq=45 ttl=249 time=15.459 ms

64 bytes from 69.70.178.122: icmp_seq=46 ttl=249 time=18.365 ms

64 bytes from 69.70.178.122: icmp_seq=47 ttl=249 time=25.194 ms

64 bytes from 69.70.178.122: icmp_seq=48 ttl=249 time=19.793 ms

64 bytes from 69.70.178.122: icmp_seq=49 ttl=249 time=14.913 ms

64 bytes from 69.70.178.122: icmp_seq=50 ttl=249 time=14.585 ms

64 bytes from 69.70.178.122: icmp_seq=51 ttl=249 time=15.553 ms

64 bytes from 69.70.178.122: icmp_seq=52 ttl=249 time=18.458 ms

64 bytes from 69.70.178.122: icmp_seq=53 ttl=249 time=13.687 ms

64 bytes from 69.70.178.122: icmp_seq=54 ttl=249 time=21.561 ms

64 bytes from 69.70.178.122: icmp_seq=55 ttl=249 time=30.306 ms

64 bytes from 69.70.178.122: icmp_seq=56 ttl=249 time=14.491 ms

64 bytes from 69.70.178.122: icmp_seq=57 ttl=249 time=18.285 ms

64 bytes from 69.70.178.122: icmp_seq=58 ttl=249 time=24.627 ms

64 bytes from 69.70.178.122: icmp_seq=59 ttl=249 time=19.628 ms

64 bytes from 69.70.178.122: icmp_seq=60 ttl=249 time=17.183 ms

64 bytes from 69.70.178.122: icmp_seq=61 ttl=249 time=18.076 ms

64 bytes from 69.70.178.122: icmp_seq=62 ttl=249 time=20.951 ms

64 bytes from 69.70.178.122: icmp_seq=63 ttl=249 time=16.581 ms

64 bytes from 69.70.178.122: icmp_seq=64 ttl=249 time=14.824 ms

64 bytes from 69.70.178.122: icmp_seq=65 ttl=249 time=14.789 ms

64 bytes from 69.70.178.122: icmp_seq=66 ttl=249 time=13.190 ms

64 bytes from 69.70.178.122: icmp_seq=67 ttl=249 time=356.120 ms

64 bytes from 69.70.178.122: icmp_seq=68 ttl=249 time=373.400 ms

64 bytes from 69.70.178.122: icmp_seq=69 ttl=249 time=307.852 ms

64 bytes from 69.70.178.122: icmp_seq=100 ttl=249 time=14.506 ms

64 bytes from 69.70.178.122: icmp_seq=101 ttl=249 time=18.167 ms

ping: sendto: No route to host

Any ideas?

Hello Moises,

Good to know that my advice of removing the access-group did it!!

Now regarding the other problem it could be a DNS server issue,

Please connect a PC on the GUEST interface and please use as DNS server 4.2.2.2 and let me know the result,

Do please rate helpful posts.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Yes, thanks Julio we are almost there.

Should I plug a PC directly to the ASA (and enable another port in the guest interface) or plug it to the airport extreme and assign 4.2.2.2 manually as DNS server?

Hello Moises,

Let's try first with the PC connected to the Airport Extreme using DNS 4.2.2.2; if that does not work, let's connect it directly.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Ok, so I plugged the PC directly into the Airport Extreme and set the DNS manually, with no luck: no internet.

I then enabled another interface on the ASA and plugged the PC to that interface and I configured the IP address, DNS and Default Gateway manually (8.8.8.8 as DNS and ASA's IP Address as DG) and I was able to go on the internet. Note that when I do this I am unable to ping my DNS and Airport Extreme from the PC.

I don't understand what's going on...

Hello Moises,

So the problem is with the Airport; as you can see, the ASA is doing its job (if you connect the same PC that you connect to the Airport Extreme to the Guest interface, this should work).

I would say the problem is on the Airport Extreme!!

Is the computer behind the airport extreme able to ping the Guest interface of the ASA?

Julio

Do rate helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

My DNS server is behind the Airport Extreme, and when I set the Default Gateway to the ASA instead of the Airport Extreme, I am able to ping it and go on the internet, but within 1 min it loses connection.

What if you use 4.2.2.2 as your DNS server instead of the local one?

Can you try it?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I used 4.2.2.2 as DNS server but no internet.

Hello,

So the computer is directly connected to the ASA guest interface and it has as a dns server 4.2.2.2 and you cannot connect to the internet?

That is weird.

Please provide the following outputs:

- sh run nat

- sh run global

- sh run nameif

- sh run access-group

- packet-tracer input guest tcp 192.168.226.10 1025 8.8.8.8 80

- ipconfig /all from the computer.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

No sorry, when I connect another PC to the ASA and I manually assign IP, Google's DNS and DG, I have internet.

If I connect to the Airport Extreme and I assign the DG to the ASA, then I have internet for a couple of seconds and then it cuts off.

Pinging to the ASA responds fine and then suddenly several: "No route to host" and "Host is down".

Hello Moises,

That definitely lets us know the issue is not with the ASA configuration; it is an Airport Extreme issue!!!

The Airport extreme is not sending the traffic to the ASA so you will not be able to do it!

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Ok, I've marked the post as answered and I'll deal with the AE setup.

Thanks a lot both Ajay and Julio I really appreciate it!
