Workstation behind asa cant browse the internet

radarbackwards
Level 1

Hi, I'm a newbie to Cisco ASA, but I have experience administering different firewalls before (FreeBSD, WatchGuard). I thought this setup would be a piece of cake on the ASA, but I've been stuck on this one for 2 days already.

So here is my topology: the internal network is 10.0.0.0/24, the external is 192.168.254.0/24.

Firewall IPs: 10.0.0.1 (internal), 192.168.254.171 (external)

The workstation behind the firewall (10.0.0.2) is able to ping the IP 8.8.8.8 but cannot browse the internet.

I already configured NAT/PAT and the access rules (I configured any-to-any since I can't get it to work by simply allowing ports 80/443).

Here is my config:

hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif INSIDE
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet1
 nameif OUTSIDE
 security-level 0
 ip address 192.168.254.171 255.255.255.0
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list global_access extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu INSIDE 1500
mtu OUTSIDE 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
nat (INSIDE,OUTSIDE) after-auto source dynamic any interface
access-group global_access global
route OUTSIDE 0.0.0.0 0.0.0.0 192.168.254.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.0.0.0 255.255.255.0 INSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
!
prompt hostname context
call-home reporting anonymous prompt 1
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:2fd0136763ed374daee31263c9544c1b

Attached are the logs that I'm getting.

Thanks in Advance

11 Replies

radarbackwards
Level 1

up!

Hi,

Could you provide the output of following packet-tracer:

packet-tracer input inside tcp 10.0.0.2 1025 4.2.2.2 80 de

Regards,

Prateek Verma

Hi, 

As I can see from the log, PAT is OK. Please provide the following information:

- as prateek.verma asked: the packet-tracer result

- sh run policy-map global_policy

- during a connection: show conn address 10.0.0.2 detail

ciscoasa(config)# sh run policy-map global_policy
ERROR: % policy-map global_policy does not exist

ciscoasa(config)# show conn address 10.0.0.2 detail

UDP OUTSIDE:8.8.8.8/53 INSIDE:10.0.0.2/55533,
    flags -, idle 18s, uptime 25s, timeout 2m0s, bytes 105
UDP OUTSIDE:4.2.2.2/53 INSIDE:10.0.0.2/55533,
    flags -, idle 18s, uptime 26s, timeout 2m0s, bytes 140
TCP OUTSIDE:74.125.130.106/80 INSIDE:10.0.0.2/49250,
    flags UIO, idle 26s, uptime 1m25s, timeout 1h0m, bytes 2983

ciscoasa(config)# packet-tracer input inside tcp 10.0.0.2 1025 4.2.2.2 80 de

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xbbd64340, priority=1, domain=permit, deny=false
        hits=40150, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=INSIDE, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         OUTSIDE

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group global_access global
access-list global_access extended permit ip any any
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xbc89f900, priority=12, domain=permit, deny=false
        hits=35, user_data=0xb9466ac0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xbc29c430, priority=0, domain=inspect-ip-options, deny=true
        hits=293, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=INSIDE, output_ifc=any

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) after-auto source dynamic any interface
Additional Information:
Dynamic translate 10.0.0.2/1025 to 192.168.254.171/37074
 Forward Flow based lookup yields rule:
 in  id=0xbc8ab278, priority=6, domain=nat, deny=false
        hits=16, user_data=0xbc2cb600, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=INSIDE, output_ifc=OUTSIDE

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xbc2c38a8, priority=0, domain=inspect-ip-options, deny=true
        hits=52, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=OUTSIDE, output_ifc=any

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 299, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow

packet-tracer shows that your requests can successfully pass the firewall. Maybe port 80 is not listening on server 4.2.2.2.

Can you initiate the connection one more time and immediately run show conn address 10.0.0.2 detail on the ASA (which will show you the current state of connections through the ASA)?

UDP OUTSIDE:8.8.8.8/53 INSIDE:10.0.0.2/60564,
    flags -, idle 8s, uptime 16s, timeout 2m0s, bytes 136
TCP OUTSIDE:120.28.26.242/80 INSIDE:10.0.0.2/49304,
    flags saA, idle 1s, uptime 4s, timeout 30s, bytes 0
UDP OUTSIDE:4.2.2.2/53 INSIDE:10.0.0.2/60564,
    flags -, idle 8s, uptime 15s, timeout 2m0s, bytes 102
TCP OUTSIDE:120.28.26.232/80 INSIDE:10.0.0.2/49303,
    flags saA, idle 16s, uptime 25s, timeout 30s, bytes 0
TCP OUTSIDE:120.28.26.232/80 INSIDE:10.0.0.2/49302,
    flags saA, idle 27s, uptime 27s, timeout 30s, bytes 0

Hi, I tried setting up a local web server and connecting it outside through another router, and I managed to access the web server. I'm sorry, I forgot to tell you that it's only a GNS3 lab + VirtualBox.

This sounds like a DNS issue (considering you are able to ping the internet but not browse). What are you using as your DHCP server, and is it issuing the clients a DNS server IP? If you configure a static DNS server on your client machine (for example 4.2.2.2 or 8.8.8.8), are you now able to browse the internet?

--
Please remember to select a correct answer and rate helpful posts

No, I'm not using an internal DNS; my machine in VMware has been using the external DNS servers 8.8.8.8 and 4.2.2.2 from the beginning.

This could very well be a GNS3 issue. Have you tried saving all your config and restarting GNS3 and all the devices?

--
Please remember to select a correct answer and rate helpful posts

The TCP handshake doesn't pass.
What we can see from your output:

TCP OUTSIDE:120.28.26.232/80 INSIDE:10.0.0.2/49303,
    flags saA, idle 16s, uptime 25s, timeout 30s, bytes 0

Flags:
a - awaiting outside ACK to SYN
s - awaiting outside SYN
A - awaiting inside ACK to SYN

So host 10.0.0.2 (inside) sent a TCP SYN, and the ASA saw this request (as proof, it created this entry in the connection table).

But flag 'a' means that 120.28.26.232 doesn't reply to your TCP SYN with an ACK, and it doesn't send its own TCP SYN to 10.0.0.2.

Maybe 120.28.26.232 doesn't receive your request at all, or TCP port 80 is closed on it.
But at least we know that the problem is not with the ASA.

Cheers!
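As an added example (not part of the thread, and not a Cisco tool), here is a small Python parser for the "show conn address ... detail" output pasted above. It classifies each entry from its flags the way the last reply does, so stalled handshakes can be picked out of a long connection table rather than read by eye. The a/s/A meanings are the ones given in the reply; U/I/O (up, inbound data, outbound data) are the standard ASA flags for an established connection. The embedded sample text is copied from the outputs posted in this thread; the state names ("syn-unanswered" and so on) are this example's own labels.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Flag meanings for ASA "show conn" output. 'a', 's' and 'A' are the ones the
# last reply explains; 'U', 'I' and 'O' are the standard ASA flags for an
# established connection (up / inbound data / outbound data).
FLAG_MEANINGS = {
    "a": "awaiting outside ACK to SYN",
    "s": "awaiting outside SYN",
    "A": "awaiting inside ACK to SYN",
    "U": "up (three-way handshake complete)",
    "I": "inbound data seen",
    "O": "outbound data seen",
}

# First line of an entry: "TCP OUTSIDE:120.28.26.232/80 INSIDE:10.0.0.2/49303,"
HEADER_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<out_ifc>[^\s:]+):(?P<out_ip>[^/\s]+)/(?P<out_port>\d+)\s+"
    r"(?P<in_ifc>[^\s:]+):(?P<in_ip>[^/\s]+)/(?P<in_port>\d+),\s*$"
)
# Second line: "    flags saA, idle 16s, uptime 25s, timeout 30s, bytes 0"
DETAIL_RE = re.compile(
    r"^\s*flags\s+(?P<flags>\S+),\s+idle\s+\S+,\s+uptime\s+(?P<uptime>\S+),"
    r"\s+timeout\s+\S+,\s+bytes\s+(?P<bytes>\d+)\s*$"
)


@dataclass
class Conn:
    proto: str
    out_ip: str
    out_port: int
    in_ip: str
    in_port: int
    flags: str
    uptime: str
    nbytes: int

    def state(self) -> str:
        """Classify the entry the way the reply reads the flags (labels are ours)."""
        if self.proto != "TCP":
            return "udp"  # no handshake to judge
        if "U" in self.flags:
            return "established"
        if "a" in self.flags:
            # inside host sent SYN; the outside peer has not answered with SYN/ACK
            return "syn-unanswered"
        if "A" in self.flags:
            # outside peer did answer; still waiting for the inside host's ACK
            return "synack-unacked"
        return "other"

    def explain(self) -> str:
        return "; ".join(FLAG_MEANINGS.get(f, f"unknown flag {f!r}")
                         for f in self.flags if f != "-")


def parse_show_conn(text: str) -> list[Conn]:
    """Pair each header line with the detail line that follows it."""
    conns: list[Conn] = []
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for first, second in zip(lines, lines[1:]):
        h, d = HEADER_RE.match(first), DETAIL_RE.match(second)
        if h and d:
            conns.append(Conn(
                proto=h["proto"], out_ip=h["out_ip"], out_port=int(h["out_port"]),
                in_ip=h["in_ip"], in_port=int(h["in_port"]),
                flags=d["flags"], uptime=d["uptime"], nbytes=int(d["bytes"]),
            ))
    return conns


def summarize(text: str) -> dict[str, int]:
    """Count entries per state, e.g. {'udp': 1, 'syn-unanswered': 2, ...}."""
    return dict(Counter(c.state() for c in parse_show_conn(text)))


def stalled_handshakes(text: str) -> list[str]:
    """Outside endpoints whose SYN was never answered and that passed zero bytes."""
    return sorted({f"{c.out_ip}:{c.out_port}"
                   for c in parse_show_conn(text)
                   if c.state() == "syn-unanswered" and c.nbytes == 0})


# Sample copied from the "show conn address 10.0.0.2 detail" outputs in the thread.
SAMPLE = """\
UDP OUTSIDE:8.8.8.8/53 INSIDE:10.0.0.2/60564,
    flags -, idle 8s, uptime 16s, timeout 2m0s, bytes 136
TCP OUTSIDE:120.28.26.242/80 INSIDE:10.0.0.2/49304,
    flags saA, idle 1s, uptime 4s, timeout 30s, bytes 0
TCP OUTSIDE:120.28.26.232/80 INSIDE:10.0.0.2/49303,
    flags saA, idle 16s, uptime 25s, timeout 30s, bytes 0
TCP OUTSIDE:74.125.130.106/80 INSIDE:10.0.0.2/49250,
    flags UIO, idle 26s, uptime 1m25s, timeout 1h0m, bytes 2983
"""

if __name__ == "__main__":
    for c in parse_show_conn(SAMPLE):
        print(f"{c.proto} {c.out_ip}:{c.out_port} <- {c.in_ip}:{c.in_port} "
              f"flags={c.flags} bytes={c.nbytes} -> {c.state()} ({c.explain()})")
    print("summary:", summarize(SAMPLE))
    print("stalled:", stalled_handshakes(SAMPLE))
```

Run on the thread's output, the established connection to 74.125.130.106 (flags UIO, 2983 bytes) separates cleanly from the two web connections that sit at flags saA with zero bytes, which is the evidence the reply uses to place the fault beyond the ASA.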