04-04-2013 04:12 AM - edited 03-11-2019 06:23 PM
Hi, I have one 2800 router where the ISP link is; another port is for an ASA 5520. There are two 4503 core switches connected to the firewall. When I connect the ISP, I can ping up to the ISP gateway, but not DNS (8.8.8.8) or any public IP. As a result, from the access switches I can't get internet connectivity.
When I disconnected the firewall connection from the router, I got pings to DNS and other public IPs. So I think the problem is in the firewall. There is no denial of anything in the firewall, but still it is preventing DNS.
Please help me in this regard, as it is an urgent issue before migration.
Here is a snapshot:
access-list external-in extended permit ip any any
access-list external-in extended permit tcp any any
access-list external-in extended permit udp any any
access-list external-in extended permit icmp any any echo
access-list external-in extended permit icmp any any echo-reply
access-list external-in extended permit icmp any any time-exceeded
access-list external-in extended permit icmp any any unreachable
access-list external-in extended permit tcp any any eq telnet
access-list external-in extended permit icmp any any
access-list internal-out extended permit ip any any
access-list internal-out extended permit tcp any any
access-list internal-out extended permit udp any any
access-list internal-out extended permit icmp any any echo
access-list internal-out extended permit icmp any any echo-reply
access-list internal-out extended permit icmp any any time-exceeded
access-list internal-out extended permit icmp any any unreachable
access-list internal-out extended permit tcp any any eq telnet
access-list internal-out extended permit icmp any any
access-list global_access extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group internal-out in interface outside
access-group internal-out out interface outside
access-group external-in in interface inside_1
access-group external-in out interface inside_1
access-group external-in in interface inside_2
access-group external-in out interface inside_2
access-group global_access global
route outside 0.0.0.0 0.0.0.0 172.16.251.1 1
route inside_1 172.16.0.0 255.255.0.0 172.16.251.6 1
route inside_2 172.16.0.0 255.255.0.0 172.16.251.10 2
route inside_1 192.168.0.0 255.255.224.0 172.16.251.6 1
route inside_2 192.168.0.0 255.255.224.0 172.16.251.10 2
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 172.16.251.2 255.255.255.255 outside
http 0.0.0.0 0.0.0.0 inside_1
http 172.16.251.5 255.255.255.255 inside_1
http 0.0.0.0 0.0.0.0 inside_2
http 172.16.251.9 255.255.255.255 inside_2
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet 172.16.251.0 255.255.255.252 outside
telnet 172.16.251.4 255.255.255.252 inside_1
telnet 0.0.0.0 0.0.0.0 inside_1
telnet 172.16.251.5 255.255.255.255 inside_1
telnet 172.16.251.8 255.255.255.252 inside_2
telnet 0.0.0.0 0.0.0.0 inside_2
telnet timeout 5
ssh 172.16.251.5 255.255.255.255 inside_1
ssh 172.16.251.9 255.255.255.255 inside_2
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 30
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
Please help me as soon as possible.
04-04-2013 04:41 AM
Hi.
The information you have given isn't enough to say anything specific about this situation.
It would seem to me that you are using the Internet router to do the NAT for all users on the LAN.
What you should at least confirm is that the Internet router then has routes for the networks behind the ASA pointing towards the "outside" IP address of the ASA. Also, you would have to make sure the router has NAT configurations for those networks.
I would also suggest not using the ACLs in both directions on the interfaces. Attaching them in the direction "in" is usually enough.
- Jouni
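An added check, not from the thread or from Cisco: a small Python script that parses the access-list and access-group lines of the posted snapshot (copied into SAMPLE_CONFIG as a constructed sample) and flags the point Jouni raises, an ACL bound both "in" and "out" on the same interface, plus any binding that names an ACL the config never defines.

```python
import re
from collections import defaultdict

# Constructed sample: the ACL definitions and bindings from the ASA snapshot in the post.
SAMPLE_CONFIG = """\
access-list external-in extended permit ip any any
access-list internal-out extended permit ip any any
access-list global_access extended permit ip any any
access-group internal-out in interface outside
access-group internal-out out interface outside
access-group external-in in interface inside_1
access-group external-in out interface inside_1
access-group external-in in interface inside_2
access-group external-in out interface inside_2
access-group global_access global
"""

# "access-group <acl> in|out interface <iface>" or "access-group <acl> global"
ACCESS_GROUP_RE = re.compile(
    r"^access-group\s+(?P<acl>\S+)\s+"
    r"(?:(?P<dir>in|out)\s+interface\s+(?P<iface>\S+)|(?P<glob>global))$"
)

def parse_bindings(config):
    """Return (per-interface bindings, global ACLs, defined ACL names)."""
    bindings = defaultdict(dict)  # iface -> {"in": acl, "out": acl}
    global_acls, defined = set(), set()
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("access-list "):
            defined.add(line.split()[1])  # the ACL name is always the second token
        elif (m := ACCESS_GROUP_RE.match(line)):
            if m.group("glob"):
                global_acls.add(m.group("acl"))
            else:
                bindings[m.group("iface")][m.group("dir")] = m.group("acl")
    return dict(bindings), global_acls, defined

def find_issues(config):
    """Flag ACLs bound in both directions on one interface and bindings to undefined ACLs."""
    bindings, global_acls, defined = parse_bindings(config)
    issues = []
    for iface, dirs in sorted(bindings.items()):
        if "in" in dirs and "out" in dirs:
            issues.append(f"{iface}: ACL bound in both directions (in={dirs['in']}, "
                          f"out={dirs['out']}); binding 'in' alone is usually enough")
        issues += [f"{iface}: '{d}' binding references undefined ACL {a}"
                   for d, a in dirs.items() if a not in defined]
    issues += [f"global: references undefined ACL {a}" for a in sorted(global_acls - defined)]
    return issues
```

Running find_issues(SAMPLE_CONFIG) reports all three interfaces (outside, inside_1, inside_2) as double-bound; feed it the full running config to check a real box.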