Solved: Unable to access internet with ASA

mahesh18 · ‎09-28-2012

Hi all,

I am new to ASA world.

I have config ASA 5505 and it is conencted to layer 3 switch that connects to cable Modem.

ASA is config with DHCP option and PC is able to get the IP from ASA.

But from PC i am unable to access the internet.

From ASA itself i am able to ping the Websites fine.

ASA has config with DHCP for inside and also it is doing NAT.

When i connect the ASA directly to Cable modem then pc is able to access the internet.

thanks

mahesh

Jennifer Halim · ‎09-28-2012

Does the PC has DNS server that resolves public websites?

Are you able to access websites from PC by IP address?

Can you pls share the config. Thanks.

View solution in original post

Jennifer Halim · ‎09-28-2012

Does the PC has DNS server that resolves public websites?

Are you able to access websites from PC by IP address?

Can you pls share the config. Thanks.

mahesh18 · ‎09-28-2012

Hi Jennifer.

i tried to open websites by IP did not work.

here is config of ASA

ciscoasa# sh running-config

: Saved

:

ASA Version 8.4(4)1

!

hostname ciscoasa

enable password .vV.3QsyXqiTEfZu encrypted

passwd PnBz02JMnfQN7Ggt encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

shutdown

!

interface Ethernet0/3

shutdown

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 192.168.11.5 255.255.255.0

!

banner motd

banner motd +-+

banner motd | |

banner motd | *** Unauthorized Use or Access Prohibited *** |

banner motd | |

banner motd | For Authorized Official Use Only |

banner motd | You must have explicit permission to access or |

banner motd | configure this device. All activities performed |

banner motd | on this device may be logged, and violations of |

banner motd | this policy may result in disciplinary action, and |

banner motd | may be reported to law enforcement authorities. |

banner motd | |

banner motd | There is no right to privacy on this device. |

banner motd | |

banner motd +-+

banner motd

banner motd +-+

banner motd | |

banner motd | *** Unauthorized Use or Access Prohibited *** |

banner motd | |

banner motd | For Authorized Official Use Only |

banner motd | You must have explicit permission to access or |

banner motd | configure this device. All activities performed |

banner motd | on this device may be logged, and violations of |

banner motd | this policy may result in disciplinary action, and |

banner motd | may be reported to law enforcement authorities. |

banner motd | |

banner motd | There is no right to privacy on this device. |

banner motd | |

banner motd +-+

banner motd

boot system disk0:/asa844-1-k8.bin

ftp mode passive

clock timezone MST -7

clock summer-time MST recurring

object network obj-192.168.1.0

subnet 192.168.1.0 255.255.255.0

no pager

logging enable

logging timestamp

logging buffered debugging

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-649.bin

no asdm history enable

arp timeout 14400

!

object network obj-192.168.1.0

nat (inside,outside) dynamic interface

route outside 0.0.0.0 0.0.0.0 192.168.11.1 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

no crypto isakmp nat-traversal

telnet timeout 5

ssh 192.168.1.0 255.255.255.0 inside

ssh 192.168.0.0 255.255.0.0 outside

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 15

dhcpd address 192.168.1.5-192.168.1.250 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 91.103.24.10

webvpn

username mintoo password AILiHuRWFGgkbsI5 encrypted privilege 15

!

prompt hostname context

call-home reporting anonymous prompt 2

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DD

CEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:4a1203c1c8d7b2dd85cdcfe379f7418a

: end

mahesh18 · ‎09-28-2012

Hi Jennifer,

I added the command dhcpd dns x.x.x.x

now pc is able to access the internet.

Thanks

mahesh

Jennifer Halim · ‎09-28-2012

Excellent. Thanks for the update.