
No Internet Access but connected to domain. New install of Windows 7

KYLE NGUYEN
Level 1

Hi everyone

I have a problem that's driving me nuts trying to troubleshoot. Brand new install of Windows 7 Dell Latitude. I'm connected to our domain, but cannot browse the Internet with exclamation icon and msg "No Internet Access."

I can ping all internal servers and gateway. No issues there.

I took the laptop home and connected to my home network fine. Internet connection works perfectly.

But when I get back to the office, I tried connecting with both wired and wireless, both give msg "No Internet Access."

Firewall is ASA 5505. I did some googling, and found some info on IP Shunning, but when I check my firewall settings, shunning is not enabled. 

Any help is greatly appreciated. Thanks. 


Marvin Rhoads
Hall of Fame

Are all of your network settings (IP address, DNS and domain name) set to "auto"?

When you have the failed connectivity, check "ipconfig /all" to see that you are getting everything you expect.

If that looks good, then check the firewall. First make sure traffic from your PC is reaching it (packet capture is easiest). Then make sure it is getting passed through and NATted like you expect (packet-tracer tool).

Hi,

Yes. ipconfig /all shows all the right IP addresses.

I'm not all that familiar with ASA firewalls, so if you can walk me through setting up the packet capture I would really appreciate it.

Some new developments. So I connected the new laptop directly to the ASA firewall and I get an Internet connection immediately. I can ping all internal servers and browse the Internet.

If I plug it back into the Cisco switch I lose internet connection, but I'm still connected to the domain/network.

I tried setting up another new desktop and I'm getting the exact same issue. No Internet Access, but I can join domain and connect to all internal servers.

All other workstations already on the network are functioning like normal. No problems. It's only affecting any new machines I'm connecting to the network.

Any idea what's going on? 

Here's how to do a packet trace on an ASA:

packet-tracer input inside tcp <your pc address> 1025 8.8.8.8 80

That injects a dummy packet to the ASA's inside interface from your client's address using a random ephemeral tcp port as the source with a destination of an Internet address on port 80. (It doesn't matter whether or not anything at that address is listening on port 80 - we only care if the packet leaves the ASA.)

You can do the same thing from the ASDM GUI (Tools > Packet tracer)

If that command tells you at the end the packet is "ALLOWED", then your traffic is probably not reaching the ASA. To verify that, use the packet capture wizard (Wizards > Packet Capture Wizard) to look for the traffic incoming from your PC's source address.

I ran the packet-tracer and the packet was "Allowed." 

I'm pretty sure the traffic is not reaching the ASA for some reason.

I just don't understand why all other workstations are working fine, but it's blocking traffic to ASA on all new computers I add to the network. Why is some traffic reaching the ASA and some not? Strange.

It could be any number of things. Port security on your switch, an ACL in your core, a subnet mask mismatch somewhere, asymmetric routing etc.

Break it down step by step. See if you can reach the core switch from your new PC. Then the ASA. Don't just use ping, use something that requires a 3-way handshake like telnet.

Ok I can telnet into the core switch fine. 

Telnet into ASA does not work. No connection.

We normally disable telnet on the ASA.

Make sure your source address / subnet is allowed in the ASA configuration (something like "ssh inside 0.0.0.0 0.0.0.0") and try ssh instead.

Don't think it's disabled, because I can telnet into the ASA from my computer fine.

It just doesn't work from all new computers.

Check the packet capture I noted earlier to see if the traffic is arriving at the ASA inside interface.

Can you walk me through the Packet Capture Wizard?

Point of Ingress

Packet match criteria > do I choose specify packet parameters?

Then put in the source host and destination, protocol is IP?

Point of Egress

Input same parameters from point of ingress?

Point of ingress is Inside interface.

Match on your new PC source IP and netmask (255.255.255.255), protocol IP.

Egress leave it as any (0.0.0.0 0.0.0.0) since you don't care - you are just seeing if the packets arrive.

Here's what I got from the problematic IP address. So that means packets are hitting the ASA?

136 packets captured
1:00 20:03.6 802.1Q vlan#1 P0 192.168.1.5.137 > 192.168.1.255.137:  udp 50
2:00 20:04.3 802.1Q vlan#1 P0 192.168.1.5.50698 > 74.125.196.147.443: S 2402996771:2402996771(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
3:00 20:04.3 802.1Q vlan#1 P0 74.125.196.147.443 > 192.168.1.5.50698: S 3052699992:3052699992(0) ack 2402996772 win 42780 <mss 1380,nop,nop,sackOK,nop,wscale 7>
4:00 20:04.3 802.1Q vlan#1 P0 192.168.1.5.137 > 192.168.1.255.137:  udp 50
5:00 20:04.3 802.1Q vlan#1 P0 192.168.1.5.50699 > 173.194.219.101.443: S 4101345537:4101345537(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
6:00 20:04.3 802.1Q vlan#1 P0 192.168.1.5.50700 > 74.125.21.95.443: S 2877423746:2877423746(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
7:00 20:04.4 802.1Q vlan#1 P0 173.194.219.101.443 > 192.168.1.5.50699: S 3949143392:3949143392(0) ack 4101345538 win 42780 <mss 1380,nop,nop,sackOK,nop,wscale 7>
8:00 20:04.4 802.1Q vlan#1 P0 74.125.21.95.443 > 192.168.1.5.50700: S 2574977668:2574977668(0) ack 2877423747 win 42780 <mss 1380,nop,nop,sackOK,nop,wscale 7>
9:00 20:04.5 802.1Q vlan#1 P0 192.168.1.5.50701 > 74.125.196.147.443: S 1885877685:1885877685(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>


Assuming your source is 192.168.1.5, it looks like they are coming in on a subinterface with tag for VLAN 1.

I see return traffic from an internet host as well at 173.195.219.101.
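
An added example, not part of the original thread: a short Python script that reads ASA capture text in the format posted above and reports, for each SYN sent by the client, whether a matching SYN-ACK was captured on the same interface. The function name `handshake_status` is this example's own, and the sample is a subset of the lines posted in the thread, copied as they appear there.

```python
import re

# Subset of the capture lines posted in the thread (timestamps as they appear there).
SAMPLE = """\
1:00 20:03.6 802.1Q vlan#1 P0 192.168.1.5.137 > 192.168.1.255.137:  udp 50
2:00 20:04.3 802.1Q vlan#1 P0 192.168.1.5.50698 > 74.125.196.147.443: S 2402996771:2402996771(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
3:00 20:04.3 802.1Q vlan#1 P0 74.125.196.147.443 > 192.168.1.5.50698: S 3052699992:3052699992(0) ack 2402996772 win 42780 <mss 1380,nop,nop,sackOK,nop,wscale 7>
5:00 20:04.3 802.1Q vlan#1 P0 192.168.1.5.50699 > 173.194.219.101.443: S 4101345537:4101345537(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
7:00 20:04.4 802.1Q vlan#1 P0 173.194.219.101.443 > 192.168.1.5.50699: S 3949143392:3949143392(0) ack 4101345538 win 42780 <mss 1380,nop,nop,sackOK,nop,wscale 7>
9:00 20:04.5 802.1Q vlan#1 P0 192.168.1.5.50701 > 74.125.196.147.443: S 1885877685:1885877685(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
"""

# Matches "src.sport > dst.dport: S seq:seq(0)" with an optional "ack N" (SYN-ACK).
LINE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"S (?P<seq>\d+):\d+\(0\)(?: ack (?P<ack>\d+))?"
)


def handshake_status(capture_text, client_ip):
    """Return {(client, sport, server, dport): True/False} for each client SYN.

    True means a SYN-ACK whose ack number equals the SYN's sequence + 1
    was captured for the reversed address/port pair.
    """
    pending = {}  # flow -> initial sequence number of the client's SYN
    status = {}
    for line in capture_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # UDP and non-SYN TCP lines are ignored
        src, sport = m["src"], int(m["sport"])
        dst, dport = m["dst"], int(m["dport"])
        if m["ack"] is None and src == client_ip:
            flow = (src, sport, dst, dport)
            pending[flow] = int(m["seq"])
            status.setdefault(flow, False)
        elif m["ack"] is not None and dst == client_ip:
            flow = (dst, dport, src, sport)
            expected = (pending.get(flow, -2) + 1) % 2**32
            if int(m["ack"]) == expected:
                status[flow] = True
    return status


if __name__ == "__main__":
    for flow, answered in handshake_status(SAMPLE, "192.168.1.5").items():
        print(flow, "SYN-ACK captured" if answered else "no SYN-ACK in capture")
```

A flow reported as answered means both the client's SYN and the server's SYN-ACK were seen on the captured interface; it says nothing about whether the SYN-ACK was delivered back to the client.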
