12-23-2011 09:14 AM - edited 03-11-2019 03:06 PM
Hi,
I'm new to all Cisco appliances so I'll try to be as clear as possible.
Currently I have an ASA set up as a firewall with 1 outside interface and 2 inside interfaces. Initially, the Guest interface was set up to receive DHCP from the ASA and everything was working.
I'm adding a router and a server for the guest interface, and what I'm trying to accomplish now is the following:
ASA 5505 > Airport Extreme with a public static IP (69.xx.xx.6), handling DHCP and NAT > Mac Server as DNS Server
Right now, when I connect to my Airport Extreme with any computer, I don't have internet. I don't understand what's wrong.
My DNS server has a reserved IP address, 192.168.226.2; it points to itself and forwards to the ISP DNS servers. The Airport Extreme is handing out the DNS server IP and the ISP DNS server IP, but I can't connect to the internet from the server.
Here's my Cisco ASA configuration:
ASA Version 7.2(3)
!
hostname lampe
domain-name lampe.ca
enable password M6aAV/2UhVYeSYwL encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.123.126 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 69.xx.xx.60 255.255.255.248
!
interface Vlan3
no forward interface Vlan1
nameif guest
security-level 50
ip address 192.168.226.226 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport access vlan 3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd M6aAV/2UhVYeSYwL encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name lampe.ca
access-list crypto_acl_10 extended permit ip 192.168.123.0 255.255.255.0 192.168.205.0 255.255.255.0
access-list nonat extended permit ip 192.168.123.0 255.255.255.0 192.168.205.0 255.255.255.0
access-list nonat extended permit ip 192.168.123.0 255.255.255.0 192.168.99.0 255.255.255.224
access-list inbound extended permit tcp any host 69.xx.xx.61 eq www
access-list inbound extended permit tcp any host 69.xx.xx.61 eq https
access-list inbound extended permit tcp any host 69.xx.xx.61 eq smtp
access-list inbound extended permit tcp any host 69.xx.xx.61 eq pop3
access-list inbound extended permit gre any host 69.xx.xx.61
access-list inbound extended permit tcp any host 69.xx.xx.61 eq pptp
access-list inbound extended permit tcp any host 69.xx.xx.58 eq 8080
access-list inbound extended permit tcp any host 69.xx.xx.61 eq ftp
access-list inbound extended permit icmp any host 69.xx.xx.6
access-list inbound extended permit ip host 69.70.178.122 host 69.xx.xx.6
access-list vpnclient_splitTunnelAcl standard permit 192.168.123.0 255.255.255.0
access-list guest_access_in extended deny ip 192.168.226.0 255.255.255.0 192.168.123.0 255.255.255.0
access-list guest_access_in extended permit ip 192.168.226.0 255.255.255.0 any
access-list guest_access_in extended permit ip any any inactive
access-list guest_access_in extended permit icmp any any inactive
access-list guest_access_in extended permit ip host 69.70.178.122 host 192.168.226.2
access-list guest_access_out extended permit ip host 192.168.226.2 host 69.70.178.122
access-list outside_access_out extended permit ip host 69.xx.xx.6 host 69.70.178.122
pager lines 24
logging enable
logging timestamp
logging monitor debugging
logging buffered errors
logging asdm warnings
mtu inside 1500
mtu outside 1500
mtu guest 1500
ip local pool remotevpn 192.168.99.10-192.168.99.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any guest
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (guest) 1 0.0.0.0 0.0.0.0 dns
static (inside,outside) 69.xx.xx.61 192.168.123.4 netmask 255.255.255.255 dns
static (inside,outside) 69.xx.xx.58 192.168.123.200 netmask 255.255.255.255
static (guest,outside) 69.xx.xx.6 192.168.226.2 netmask 255.255.255.255 dns
access-group inbound in interface outside
access-group guest_access_in in interface guest
route outside 0.0.0.0 0.0.0.0 69.xx.xx.57 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 64.254.232.224 255.255.255.224 outside
http 69.70.4.112 255.255.255.248 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 10 match address crypto_acl_10
crypto map outside_map 10 set peer 64.254.232.248
crypto map outside_map 10 set transform-set ESP-AES-MD5 ESP-AES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 64.254.232.224 255.255.255.224 outside
ssh 69.70.4.112 255.255.255.248 outside
ssh 69.70.178.122 255.255.255.255 outside
ssh timeout 30
console timeout 0
dhcpd auto_config outside
!
dhcpd dns 24.200.241.37 interface guest
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
ntp server 199.212.17.21 source outside
ntp server 199.212.17.22 source outside
ntp server 209.87.233.53 source outside
ntp server 132.246.168.148 source outside
group-policy vpnclient internal
group-policy vpnclient attributes
dns-server value 192.168.123.4
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnclient_splitTunnelAcl
default-domain value lampe.local
split-dns value lampe.local
username mmintzberg password 8fAM98BTuTuY/jU2 encrypted
username fross password Ykti5THH7ftFZeWp encrypted
username jsilver password 0VSZ094cAtFEZuxW encrypted
username mgadmin password 3Nrrh9/fcmJrMiH2 encrypted privilege 15
username smintzberg password .RPWyyJt7YbCb94T encrypted
username smintzberg attributes
vpn-framed-ip-address 192.168.99.22 255.255.255.0
username mruiz password j8Scwuudo9vNlzVa encrypted privilege 15
tunnel-group 64.254.232.248 type ipsec-l2l
tunnel-group 64.254.232.248 ipsec-attributes
pre-shared-key *
tunnel-group vpnclient type ipsec-ra
tunnel-group vpnclient general-attributes
address-pool remotevpn
default-group-policy vpnclient
tunnel-group vpnclient ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:182fd658d3a91cd43ccda34a1cb7cb41
: end
Message was edited by: Moises Ruiz Changed the settings as per Ajay's reply.
01-26-2012 02:21 PM
Ajay & Julio,
I believe the problem seems to be at the ASA.
As soon as I remove (or add) a static NAT Rule, the problem goes away (or comes back).
Any ideas?
Since I've already marked this question as answered (and it looks like a different issue), I will re-post if I see no activity.
12-24-2011 11:07 AM
Hello Moises,
Checking the configuration and the Packet-tracer I have found the problem.
Please remove the following Access-group and this should work
no access-group outside_access_out out interface outside
Please do rate helpful posts,
Julio
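The reason Julio's fix works is the implicit deny at the end of every ASA access-list: an ACL bound with `access-group ... out` that permits only one host-to-host flow drops every other packet leaving that interface, including the guest subnet's internet traffic. The lint below is an added example (not from this thread or from Cisco) that parses the `access-list`/`access-group` lines of an ASA 7.x config and flags bound ACLs with no broad (`any`) permit, plus ACLs that are defined but bound nowhere. The sample config is a constructed excerpt modelled on the one posted above, with placeholder public IPs.

```python
"""Lint ASA access-lists for a bound ACL whose permits are all host/subnet-specific."""
import re
from collections import defaultdict

# Constructed excerpt modelled on the thread's config, with the access-group
# Julio asked to remove still in place. Public IPs are placeholders.
SAMPLE = """\
access-list inbound extended permit tcp any host 69.0.0.61 eq www
access-list guest_access_in extended deny ip 192.168.226.0 255.255.255.0 192.168.123.0 255.255.255.0
access-list guest_access_in extended permit ip 192.168.226.0 255.255.255.0 any
access-list guest_access_in extended permit ip any any inactive
access-list outside_access_out extended permit ip host 69.0.0.6 host 69.70.178.122
access-group inbound in interface outside
access-group guest_access_in in interface guest
access-group outside_access_out out interface outside
"""

ACE = re.compile(r"^access-list (\S+) (?:extended|standard) (permit|deny) (.+)$")
GROUP = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")

def parse(cfg):
    """Return ({acl_name: [(action, body), ...]}, [(acl_name, direction, iface), ...])."""
    acls, groups = defaultdict(list), []
    for line in cfg.splitlines():
        line = line.strip()
        if line.endswith(" inactive"):
            continue  # an inactive ACE never matches traffic
        if m := ACE.match(line):
            acls[m[1]].append((m[2], m[3]))
        elif m := GROUP.match(line):
            groups.append((m[1], m[2], m[3]))
    return acls, groups

def findings(acls, groups):
    """Flag bound ACLs with no 'any' permit (implicit deny eats all other traffic)
    and ACLs that are defined but not bound to any interface."""
    out = []
    for name, direction, iface in groups:
        if name not in acls:
            out.append(f"{iface}/{direction}: access-group references undefined ACL {name}")
            continue
        permits = [body for action, body in acls[name] if action == "permit"]
        if not any("any" in body.split() for body in permits):
            out.append(f"{iface}/{direction}: ACL {name} permits only {len(permits)} explicit "
                       f"flow(s); implicit deny drops all other traffic {direction} via {iface}")
    for name in sorted(acls.keys() - {g[0] for g in groups}):
        out.append(f"ACL {name} is defined but not bound to any interface")
    return out

if __name__ == "__main__":
    for f in findings(*parse(SAMPLE)):
        print(f)
```

Re-running the lint on the same excerpt with the `access-group outside_access_out out interface outside` line removed, as Julio suggests, replaces the egress finding with a note that `outside_access_out` is now unused and can be deleted.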