Unable to browse internet on a domain user's computer through ASA 5503 Firewall

GhaffarHunzai
Level 1

Dear All,

I have been trying to configure my new firewall for the last month but am still unable to fix it. I have a domain on Windows 2012 Standard Edition and the firewall has an unlimited license. Here is the output of show startup-config. Please note that prpgb.org is my local domain.

prpgbasa# show startup-config
: Saved
: Written by enable_15 at 02:07:08.889 PKT Wed Nov 26 2014
!
ASA Version 8.2(5)
!
hostname prpgbasa
domain-name prpgb.org
enable password AExqpLntfuzsVQrq encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.0.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 202.142.XXX.YY 255.255.255.252
!
ftp mode passive
clock timezone PKT 5
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.0.0.2
 name-server 208.67.222.222
 name-server 208.67.220.220
 domain-name prpgb.org
pager lines 24
logging enable
logging trap errors
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 202.142.XXX.ZZ 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd dns 10.0.0.2 255.0.0.0
!
dhcpd dns 208.67.222.222 208.67.220.220 interface inside
dhcpd lease 86400 interface inside
dhcpd domain prpgb.org interface inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:ce74693adf4e4d41df666e812cbd6cb8
prpgbasa#


Please note that with the above configuration the internet works on the domain computer but not on the client computers, and when I try to ping Google's DNS I get a Request timed out error. You are all requested to have a look into the problem and suggest modifications to me.

Thanks


Vibhor Amrodia
Cisco Employee

Hi,

The ASA device will not work in this case as either the DNS server or the DNS client for the PCs in the LAN.

As you pointed out, you are not able to resolve names on the PC, so that would mean that the issue is with the DNS settings on the PC and not the ASA device.

What happens if you use 4.2.2.2 as your DNS server?

Thanks and Regards,

Vibhor Amrodia

Dear Vibhor,

Thanks a million for your reply. I was really anxiously waiting for some help and I am glad that you have replied.

When I changed the DNS IPs to Google's IPs on one of the computers in the domain network, it was still unable to resolve names. I have a Dell PowerEdge 410 server which has two NICs. The first one I am using for the "WAN" connection, which is directly connected to the second port from the right side of the ASA, and the other, "LAN", is connected to the switch. Here are the static IPs respectively:

WAN
IP: 10.0.0.3
Mask: 255.0.0.0
GW: 10.0.0.1 (ASA IP)
DNS: 10.0.0.2

LAN
IP: 10.0.0.2
Mask: 255.0.0.0
GW: Null
DNS: 10.0.0.2

With the above settings I am able to browse the internet on the domain server but still not on the network users' computers. Please note that I am using my domain server's DHCP for internal IP address translations, and for the external interface I am using the static IP provided by my ISP. Also, when I try to ping my ASA from one of the network computers it says destination host unreachable, but from the domain server I do get a reply. When I run show xlate I get the following:

1 in use, 246 most used

PAT Global 202.142.XXX.YY (58685) Local 10.0.0.3 (57664)

I hope we can get closer to solving the problem now.

Best regards,

Ghaffar


Hi,

It is clear that the issue is not with the ASA device in this case. I am not sure how the dual NIC setup would work, but I see this in the configuration:

dhcpd dns 10.0.0.2 255.0.0.0
!
dhcpd dns 208.67.222.222 208.67.220.220 interface inside
dhcpd lease 86400 interface inside
dhcpd domain prpgb.org interface inside

You have not given the DHCP address pool for the DHCP clients, and the DHCPD DNS is misconfigured.

To check the connectivity, try connecting a normal PC in the ASA inside interface IP range and then test the internet. I am sure that should work.

Thanks and Regards,

Vibhor Amrodia


Dear Vibhor,

Thanks again for your reply. I am only using my internal domain DHCP for IP address generation internally. I have already disabled dhcpd on the ASA but am still getting these statements which you have mentioned, i.e.

dhcpd dns 10.0.0.2 255.0.0.0
!
dhcpd dns 208.67.222.222 208.67.220.220 interface inside
dhcpd lease 86400 interface inside
dhcpd domain prpgb.org interface inside

I don't know how to remove these from the ASA firewall; maybe this is the reason that the domain users can't get to the internet.

I have already tested this configuration for workgroup users, who are easily able to get to the internet, but the problem remains only with the domain users, who aren't able to go to the internet.

I am trying to implement a dual NIC scenario because my prior experience is with ISA and TMG servers, where this type of configuration works.

Could you please share a working DHCP configuration for internal users using the internal domain DHCP? I mean, what statements should be there in the ASA for using the internal domain DHCP?

Thanks and warm regards,

Ghaffar

Hi,

You can remove these statements by going into configure mode and running these commands:

no dhcpd dns 10.0.0.2 255.0.0.0
no dhcpd dns 208.67.222.222 208.67.220.220 interface inside
no dhcpd lease 86400 interface inside
no dhcpd domain prpgb.org interface inside

There is no explicit configuration on the ASA device for the Internal DHCP.

Okay, can you tell me this:

The machine in the domain, is it able to contact the DNS server? If not, you need to check the reason, as DNS resolution should work before internet browsing will work.

Please let me know if you have any other queries.

Thanks and Regards,

Vibhor Amrodia

Dear Vibhor,

Once again thanks for your reply. I have removed the mentioned statements successfully.

The machine in the domain is able to contact the DNS server, which is itself. It can easily resolve its name, which I checked through nslookup. Also, on this machine I can easily access the internet.

Best regards,

Ghaffar

Dear All,

I have solved the issue. I have done the following in order to browse the internet on domain user computers. Here are the steps:

1. I disabled my internal DHCP server in the domain.

2. Then I configured the ASA DHCP server with the default IP address scheme, i.e. 192.168.1.100-200.

3. I connected my ASA to a switch first, then from there I connected a cable to my domain server's WAN interface. The LAN (192.168.1.2) interface of the domain server is also plugged into the same switch.

4. I am using my domain server's DNS for name resolution and forwarding queries which are not served by my domain to the OpenDNS servers.

It works perfectly so far, but before applying or setting up the entire network I want your help to look into the configuration file for corrections, if I am making any mistakes. Thanks again for your help, and here is the output of show config.

prpgbasa# show startup
: Saved
: Written by Ghaffar at 02:11:24.319 PKT Mon Dec 8 2014
!
ASA Version 8.2(5)
!
hostname prpgbasa
domain-name prpgb.org
enable password AExqpLntfuzsVQrq encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ddns update hostname PRPGB.ORG
 dhcp client update dns server both
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 202.142.XXX.YY 255.255.255.252
!
ftp mode passive
clock timezone PKT 5
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.1.2
 domain-name prpgb.org
object-group network obj_any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 202.142.XXX.YY 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.100-192.168.1.200 inside
dhcpd dns 192.168.1.2 interface inside
dhcpd lease 86400 interface inside
dhcpd domain prpgb.org interface inside
dhcpd update dns both interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username ABC password FL01QCj0LaLWTID0 encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:7c4930a079158c0cb10a42813d3690cd
prpgbasa#

Please let me know if there are any recommendations.

Thanks in advance.

Ghaffar
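A configuration check for the mistakes this thread walks through (DHCP options and enable without a dhcpd address pool, a netmask typed where a second DNS server belongs, a default route whose next hop is the outside interface's own address, and telnet management left open), as an added Python example that is not from the thread or from Cisco. It assumes the ASA 8.2 line formats shown in the posted dumps; the sample config below is constructed, with the masked public addresses replaced by TEST-NET values.

```python
# Constructed excerpt combining the mistakes the thread discusses; masked public IPs -> TEST-NET.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 10.0.0.1 255.0.0.0
interface Vlan2
 nameif outside
 ip address 203.0.113.2 255.255.255.252
route outside 0.0.0.0 0.0.0.0 203.0.113.2 1
telnet 10.0.0.0 255.0.0.0 inside
dhcpd dns 10.0.0.2 255.0.0.0
dhcpd dns 208.67.222.222 208.67.220.220 interface inside
"""
def is_netmask(token: str) -> bool:
    """True for a contiguous mask such as 255.0.0.0 (all ones, then all zeros)."""
    try:
        bits = "".join(f"{int(o):08b}" for o in token.split("."))
    except ValueError:
        return False
    return len(bits) == 32 and bits[0] == "1" and "01" not in bits

def interface_ips(config: str) -> dict[str, str]:
    """Map each nameif to its address, read from the 'interface' blocks."""
    ips, name = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = None
        elif line.startswith(" nameif "):
            name = line.split()[1]
        elif line.startswith(" ip address ") and name:
            ips[name] = line.split()[2]
    return ips

def lint_asa_config(config: str) -> list[str]:
    """Findings for the DHCP, routing and management issues raised in the thread."""
    lines = [l.strip() for l in config.splitlines()]
    ips, findings = interface_ips(config), {}  # dict keeps order and dedupes
    pools = {l.split()[-1] for l in lines if l.startswith("dhcpd address ")}
    for l in lines:
        t = l.split()
        if l.startswith("dhcpd dns ") and any(is_netmask(x) for x in t[2:]):
            findings[f"netmask where a DNS server is expected: '{l}'"] = None
        if l.startswith("dhcpd ") and t[1] != "address":  # option or enable line
            ifc = t[-1] if t[1] == "enable" or t[-2] == "interface" else None
            if ifc and ifc not in pools:
                findings[f"dhcpd settings for '{ifc}' but no 'dhcpd address' pool"] = None
        if l.startswith("route ") and t[2:4] == ["0.0.0.0"] * 2 and t[4] == ips.get(t[1]):
            findings[f"default route next hop {t[4]} is the {t[1]} interface's own address"] = None
        if l.startswith("telnet ") and len(t) == 4:
            findings[f"cleartext telnet management allowed from {t[1]} on {t[3]}"] = None
    return list(findings)
```

Running lint_asa_config over the second posted config (pool present, dhcpd dns with a real server, dhcpd enable) reports only the telnet and route findings, which is the kind of review the last post asks for.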
