04-01-2010 07:23 AM - edited 03-04-2019 08:00 AM
04-01-2010 11:39 AM
stewartrose wrote:
Hi Jon,
If I go into the router via the console, and ping google.com it comes back and says Translating "google.com" ...domain server
% Unrecognized host or address, or protocol not running..
All the best from Alan
Alan
This is because the router is no longer getting a DHCP address from the ASA together with DNS servers so it can't do DNS lookups. This isn't a problem once it's all working as normally routers don't access web pages.
What we will have to do is tell your 192.168.2.x PC what DNS servers to use, hence the reason at the moment I asked you to test with an IP address.
We can set up a DHCP pool for 192.168.2.x on your router when we get internet access working for IP addresses if you want. Note the DHCP pool we deleted was for 192.168.1.x and not 192.168.2.x, so we are not just putting back what we deleted.
Jon
04-01-2010 11:32 AM
stewartrose wrote:
Hi Jon,
I can ping 192.168.1.1 now all the time, but no further..
All the best from Alan
Alan
Making progress
On your ASA I have just noticed you have an access-list outside_in but you haven't applied it to the outside interface ie.
ASA(config)# access-group outside_in in interface outside
Also when you ping make sure you ping something beyond the ASA and by IP not DNS name to start with. If you try to ping the outside IP of the ASA it won't work so try the next-hop from the ASA ie. the ISP router.
Also couple of other things -
1) can you edit your previous posts and where you have public IPs just leave the last octet ie. x.x.x.82 for your outside IP on the ASA and also the default-route on the ASA - best to keep those sort of things out of posts.
2) your access-list on the ASA is wide open so is this just a temporary acl to test with ?
Jon
Cisco are currently donating money to the Haiti earthquake appeal for every rating so please consider rating all helpful posts.
04-01-2010 11:42 AM
Hi Jon,
I added the line on the ASA. Mmmm, don't like an open firewall.
Ok, I pinged an IP in Canada, should be far enough away,
and that was within the router itself, then did it for the PC and still nothing...
All the best from Alan
04-01-2010 11:45 AM
Alan
Can you post "sh running-config xlate" or "sh xlate" from the ASA after you ping ?
Can you try pinging the ISP next-hop from the ASA ?
Jon
04-01-2010 11:51 AM
Hi Jon, this is getting interesting well for me it is..
All the best from Alan
18 in use, 956 most used
PAT Global x.x.x.82(15) Local 192.168.1.2 ICMP id 4792
PAT Global x.x.x.82(4512) Local 192.168.1.3(1026)
PAT Global x.x.x.82(14435) Local 192.168.1.3(3305)
PAT Global x.x.x.82(4511) Local 192.168.1.3(63826)
PAT Global x.x.x.82(14433) Local 192.168.1.3(3302)
PAT Global x.x.x.82(4510) Local 192.168.1.3(63591)
PAT Global x.x.x.82(14431) Local 192.168.1.3(3300)
PAT Global x.x.x.82(14430) Local 192.168.1.3(3298)
PAT Global x.x.x.82(14425) Local 192.168.1.3(3292)
PAT Global x.x.x.82(14424) Local 192.168.1.3(3291)
PAT Global x.x.x.82(14387) Local 192.168.1.3(3231)
PAT Global x.x.x.82(14050) Local 192.168.1.3(2643)
PAT Global x.x.x.82(14048) Local 192.168.1.3(2641)
PAT Global x.x.x.82(14047) Local 192.168.1.3(2640)
PAT Global x.x.x.82(4470) Local 192.168.1.3(21403)
PAT Global x.x.x.82(13731) Local 192.168.1.3(2051)
PAT Global x.x.x.82(11812) Local 192.168.1.3(3201)
PAT Global x.x.x.82(10305) Local 192.168.1.3(4527)
I remembered
04-01-2010 11:59 AM
Alan
Can you ping the address in Canada from the actual firewall itself - you may have to temporarily add this to your firewall -
icmp permit any outside
Jon
04-01-2010 12:05 PM
Hi Jon,
That IP was useless, looks like it does not accept, so I tried another one, and have success from everywhere
well done so far...
All the best from Alan
04-01-2010 12:06 PM
stewartrose wrote:
Hi Jon,
That IP was useless, looks like it does not accept, so I tried another one, and have success from everywhere
well done so far...
All the best from Alan
So what else do we need to sort out ?
Jon
04-01-2010 12:09 PM
Hi Jon,
MM...can we do it so I can get to a website url is that possible please... then fix my security HOLE you found
All the best from Alan
04-01-2010 12:14 PM
stewartrose wrote:
Hi Jon,
MM...can we do it so I can get to a website url is that possible please... then fix my security HOLE you found
All the best from Alan
From PC2 ?
Well you can either manually add the DNS servers (the ones configured under the DHCP pool on the ASA) or you can add a DHCP pool for 192.168.2.x network to the router with the same DNS servers as on the ASA. If you have many clients then probably best to setup DHCP pool on the router.
As for the firewall if you just want web access then remove the access-list from the interface ie.
ASA(config)# no access-group outside_in in interface outside
you don't need an acl to allow return traffic back in for stateful traffic such as http which is why you could access this forum even without the access-list applied. We only applied it for ping.
If you want ping access then rather than use an acl turn on ICMP inspection on the ASA firewall and then you won't need an acl on the outside. You will only need an acl on the outside interface if you start hosting servers that you want internet users to be able to access.
Jon
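The change described in the reply above, written out as an added example that is not part of the original thread. It assumes the ASA still has its default `global_policy` policy-map and `inspection_default` class, and the `permit ip any any` entry is a constructed stand-in for the wide-open ACL, whose actual lines are not shown in the thread.

```cisco
! --- Before (weak): a permit-everything ACL bound inbound on the outside interface.
! --- Constructed entry; the thread only says the ACL is "wide open".
access-list outside_in extended permit ip any any
access-group outside_in in interface outside

! --- After (corrected): unbind the ACL so no unsolicited inbound traffic is permitted.
! --- Return traffic for stateful sessions (http etc.) is still allowed by the ASA.
no access-group outside_in in interface outside

! --- Optional: delete the test ACL itself so it cannot be re-applied by mistake.
clear configure access-list outside_in

! --- Allow ping replies back in by inspecting ICMP instead of using an ACL.
! --- Assumes the default global policy and class names are present.
policy-map global_policy
 class inspection_default
  inspect icmp

! --- Checks: no access-group should be listed for the outside interface,
! --- and "Inspect: icmp" should appear under the global policy.
show running-config access-group
show running-config policy-map
show service-policy
```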
04-01-2010 12:20 PM
Hi Jon,
I thank you very much, you put a lot of time into this and I am very happy. I have learnt a great deal of information, and looking at the views on this forum I think a few more people have gained some insight too....
Thanks again Jon
All the best from Alan
04-01-2010 12:22 PM
Alan
No problem, glad to have helped.
Jon
04-02-2010 12:14 AM
Good Morning Jon,
Sorry I am in trouble on the last part, cannot seem to get the browser to work with domain names...
"Well you can either manually add the DNS servers (the ones configured under the DHCP pool on the ASA) or you can add a DHCP pool for 192.168.2.x network to the router with the same DNS servers as on the ASA. If you have many clients then probably best to setup DHCP pool on the router."
Could I have the code for both methods please Jon.
All the best from Alan
04-02-2010 01:20 AM
stewartrose wrote:
Good Morning Jon,
Sorry I am in trouble on the last part, cannot seem to get the browser to work with domain names...
"Well you can either manually add the DNS servers (the ones configured under the DHCP pool on the ASA) or you can add a DHCP pool for 192.168.2.x network to the router with the same DNS servers as on the ASA. If you have many clients then probably best to setup DHCP pool on the router."
Could I have the code for both methods please Jon.
All the best from Alan
Alan
Your ASA is handing out these DNS servers - 212.23.3.100 212.23.6.100
To add manually you go into the networking properties on the PC, i.e. where you set a static IP you can also specify DNS servers.
To do it via DHCP from the router -
! note you can exclude any IPs from the pool that you want to here
ip dhcp excluded-address 192.168.2.1 192.168.2.10
!
ip dhcp pool locallan
import all
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 212.23.3.100 212.23.6.100
!
Jon
If this works can you mark the post as solved as this helps others when searching for answers.
04-02-2010 01:31 AM
Good Morning Jon,
Thank you for getting back to me, and I understand a lot more now, but do I need to change the FastEthernet0/1 port to DHCP for the second option?
All the best from Alan