07-16-2015 07:10 AM - edited 03-11-2019 11:16 PM
Hi, I'm a newbie to Cisco ASA, but I have experience administering different firewalls before (FreeBSD, WatchGuard). I thought this setup would be a piece of cake on the ASA, but I've been stuck on this one for 2 days already.
So here is my topology: the internal network is 10.0.0.0/24, the external is 192.168.254.0/24.
Firewall IPs are: 10.0.0.1 (internal), 192.168.254.171 (external).
The workstation behind the firewall (10.0.0.2) is able to ping the IP 8.8.8.8 but cannot browse the internet.
I already configured the NAT/PAT and Access Rules (I configured any-to-any since I can't get it to work by simply allowing ports 80/443).
Here is my config:
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
nameif INSIDE
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet1
nameif OUTSIDE
security-level 0
ip address 192.168.254.171 255.255.255.0
!
interface GigabitEthernet2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list global_access extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu INSIDE 1500
mtu OUTSIDE 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
nat (INSIDE,OUTSIDE) after-auto source dynamic any interface
access-group global_access global
route OUTSIDE 0.0.0.0 0.0.0.0 192.168.254.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.0.0.0 255.255.255.0 INSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
!
prompt hostname context
call-home reporting anonymous prompt 1
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:2fd0136763ed374daee31263c9544c1b
Attached are the logs that I'm getting.
Thanks in advance
07-16-2015 07:56 PM
up!
07-16-2015 11:02 PM
Hi,
Could you provide the output of following packet-tracer:
packet-tracer input inside tcp 10.0.0.2 1025 4.2.2.2 80 de
Regards,
Prateek Verma
07-17-2015 12:57 AM
Hi,
As I can see from the log, PAT is OK. Please provide the following information:
- as prateek.verma asked: the packet-tracer result
- sh run policy-map global_policy
- during the connection: show conn address 10.0.0.2 detail
07-17-2015 02:37 AM
ciscoasa(config)# sh run policy-map global_policy
ERROR: % policy-map global_policy does not exist
ciscoasa(config)# show conn address 10.0.0.2 detail
UDP OUTSIDE:8.8.8.8/53 INSIDE:10.0.0.2/55533,
flags -, idle 18s, uptime 25s, timeout 2m0s, bytes 105
UDP OUTSIDE:4.2.2.2/53 INSIDE:10.0.0.2/55533,
flags -, idle 18s, uptime 26s, timeout 2m0s, bytes 140
TCP OUTSIDE:74.125.130.106/80 INSIDE:10.0.0.2/49250,
flags UIO, idle 26s, uptime 1m25s, timeout 1h0m, bytes 2983
ciscoasa(config)# packet-tracer input inside tcp 10.0.0.2 1025 4.2.2.2 80 de
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xbbd64340, priority=1, domain=permit, deny=false
hits=40150, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=INSIDE, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 OUTSIDE
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group global_access global
access-list global_access extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xbc89f900, priority=12, domain=permit, deny=false
hits=35, user_data=0xb9466ac0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xbc29c430, priority=0, domain=inspect-ip-options, deny=true
hits=293, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=INSIDE, output_ifc=any
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) after-auto source dynamic any interface
Additional Information:
Dynamic translate 10.0.0.2/1025 to 192.168.254.171/37074
Forward Flow based lookup yields rule:
in id=0xbc8ab278, priority=6, domain=nat, deny=false
hits=16, user_data=0xbc2cb600, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=INSIDE, output_ifc=OUTSIDE
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xbc2c38a8, priority=0, domain=inspect-ip-options, deny=true
hits=52, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=OUTSIDE, output_ifc=any
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 299, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow
07-17-2015 02:48 AM
packet-tracer shows that your requests can successfully pass the firewall. Maybe port 80 is not listening on server 4.2.2.2.
Can you initiate the connection one more time and, on the ASA, immediately run show conn address 10.0.0.2 detail (which will show you the current state of connections through the ASA)?
07-17-2015 01:35 PM
UDP OUTSIDE:8.8.8.8/53 INSIDE:10.0.0.2/60564,
flags -, idle 8s, uptime 16s, timeout 2m0s, bytes 136
TCP OUTSIDE:120.28.26.242/80 INSIDE:10.0.0.2/49304,
flags saA, idle 1s, uptime 4s, timeout 30s, bytes 0
UDP OUTSIDE:4.2.2.2/53 INSIDE:10.0.0.2/60564,
flags -, idle 8s, uptime 15s, timeout 2m0s, bytes 102
TCP OUTSIDE:120.28.26.232/80 INSIDE:10.0.0.2/49303,
flags saA, idle 16s, uptime 25s, timeout 30s, bytes 0
TCP OUTSIDE:120.28.26.232/80 INSIDE:10.0.0.2/49302,
flags saA, idle 27s, uptime 27s, timeout 30s, bytes 0
07-17-2015 06:33 PM
Hi, I tried setting up a local web server and connecting it to the outside through another router, and I managed to access the web server. I'm sorry, I forgot to mention that this is only a GNS3 lab + VirtualBox.
07-18-2015 12:09 AM
This sounds like a DNS issue (considering you are able to ping to the internet but not browse). What are you using as your DHCP server and is it issuing the clients with a DNS server IP? If you configure a static DNS server on your client machine (for example 4.2.2.2 or 8.8.8.8) are you now able to browse the internet?
--
Please remember to select a correct answer and rate helpful posts
07-18-2015 07:24 AM
No, I'm not using an internal DNS; my machine in VMware has been using the external DNS servers 8.8.8.8 and 4.2.2.2 from the beginning.
07-19-2015 05:44 AM
This could very well be a GNS3 issue. Have you tried saving all your config and restarting GNS3 and all the devices?
--
Please remember to select a correct answer and rate helpful posts
07-20-2015 12:01 AM
TCP handshake doesn't pass.
What we can see from your output:
TCP OUTSIDE:120.28.26.232/80 INSIDE:10.0.0.2/49303, flags saA, idle 16s, uptime 25s, timeout 30s, bytes 0
Flags:
a - awaiting outside ACK to SYN,
s - awaiting outside SYN,
A - awaiting inside ACK to SYN
So, host 10.0.0.2 (the inside side) sent a TCP SYN, and the ASA saw this request (as proof, it created this entry in the connection table).
But flag 'a' means that 120.28.26.232 doesn't reply to your TCP SYN with an ACK, and it doesn't send its own TCP SYN to 10.0.0.2.
Maybe 120.28.26.232 doesn't receive your request at all, or TCP port 80 is closed on it.
But at least we know that the problem is not with the ASA.
Cheers!
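The flag reading above generalizes to a small script that parses `show conn` / `show conn detail` output and picks out TCP entries stuck waiting for a SYN/ACK, which is a quick way to separate "the firewall dropped it" from "the far end never answered". This is an added example, not code from the thread or from Cisco; the sample entries are copied from the output posted above and the regex assumes the line layout shown there.

```python
import re
# One "show conn" entry; "show conn detail" wraps the "flags ..." part onto a second line.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) (?P<oif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"(?P<iif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+), flags (?P<flags>\S+), "
    r"idle \S+, uptime \S+, timeout \S+, bytes (?P<bytes>\d+)$"
)

def join_wrapped(text):
    # Rejoin wrapped 'show conn detail' entries into one line each.
    out = []
    for line in (l.strip() for l in text.strip().splitlines() if l.strip()):
        if line.startswith("flags") and out:
            out[-1] += " " + line
        else:
            out.append(line)
    return out

def parse_conn(line):
    m = CONN_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["bytes"] = int(d["bytes"])
    d["flags"] = "" if d["flags"] == "-" else d["flags"]  # "-" means no flags set
    return d

def classify(conn):
    # Flag letters as explained in the thread: s = awaiting outside SYN,
    # a = awaiting outside ACK to SYN, A = awaiting inside ACK to SYN, U = up.
    if conn["proto"] != "TCP":
        return "udp"
    f = conn["flags"]
    if "U" in f:
        return "established"
    if set("saA") & set(f):
        return "half-open"
    return "unknown"

def stuck_handshakes(text):
    """(dst_ip, dst_port) of TCP conns still half-open with no bytes exchanged."""
    conns = [parse_conn(l) for l in join_wrapped(text)]
    return sorted({(c["dst"], c["dport"]) for c in conns
                   if c and classify(c) == "half-open" and c["bytes"] == 0})

# Constructed sample, copied from the show conn output posted in the thread.
SAMPLE = """
TCP OUTSIDE:74.125.130.106/80 INSIDE:10.0.0.2/49250,
flags UIO, idle 26s, uptime 1m25s, timeout 1h0m, bytes 2983
TCP OUTSIDE:120.28.26.232/80 INSIDE:10.0.0.2/49303, flags saA, idle 16s, uptime 25s, timeout 30s, bytes 0
"""
```

Running `stuck_handshakes(SAMPLE)` returns only the 120.28.26.232:80 entry, matching the diagnosis in the post above.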