cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Join Customer Connection to register!
317
Views
20
Helpful
8
Replies
NetworkTyler
Beginner

Unable to get to access internet Insideto out

Hello, I am very new to Firewalls and and stumped on a basic config. I currently have 1 ASA, 1 Router, 1 switch connected to my home network that is setup to DHCP (192.168.1.x). I have setup my router/switch to router on a stick design. I am able to ping 8.8.8.8 from the ASA, no problem. But i am unable to ping 8.8.8.8 from the router or the switch. I do have several vlans, which I will lay out the key ones below. I also have pasted in the ASA config to help get an answer to why my inside traffic is unable to reach the internet.

User Vlan - 192.168.105.1/25

Management 192.168.110.1/25

Inside (for the firewall) 192.168.50.2/24

 

ASA ips -

Int gi1/1

Outside, DHCP (do not have a static from provider)

Int gi1/2

Inside, 192.168.50.1/24

Mgt

192.168.110.50

I do have a route in place to send all traffic from 192.0.0.0 to the 50.2 inside network on the router. i'd like to keep the inside network on the router in place.

 

ASA Version 9.9(2)61
!
hostname ciscoasa
names

!
interface GigabitEthernet1/1
description Outside
nameif outside
security-level 0
ip address dhcp
!
interface GigabitEthernet1/2
description Inside
nameif Inside
security-level 100
ip address 192.168.50.1 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
nameif management
security-level 50
ip address 192.168.110.50 255.255.255.128
!
ftp mode passive
pager lines 24
mtu outside 1500
mtu Inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Inside
icmp permit any management
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
nat (Inside,outside) after-auto source dynamic any interface
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route Inside 192.0.0.0 255.0.0.0 192.168.50.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
inspect icmp
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context

 

1 ACCEPTED SOLUTION

Accepted Solutions
Tyson Joachims
Rising star

Does the router have a default route going to the ASA? If this is a Cisco router, the command would be:

ip route 0.0.0.0 0.0.0.0 192.168.50.1

View solution in original post

8 REPLIES 8
Tyson Joachims
Rising star

Does the router have a default route going to the ASA? If this is a Cisco router, the command would be:

ip route 0.0.0.0 0.0.0.0 192.168.50.1

View solution in original post

That was it! I knew it was something simple.. Much appreciated!
The next thing is, i'm now able to ping 8.8.8.8. However, trying to go to google.com it doesn't not work because I do not have an DNS Server specified. Since my cisco router is doing DHCP and not the ASA, would I simply just add my ip name-server to 8.8.8.8 for DNS? if so, would i then need to setup any ACLs on the ASA for tcp or udp?

 

Thank you!

 

Tyson Joachims
Rising star

It's not as important that the router is able to resolve DNS so much as it's important for your end users so that they can go to websites using URLs. I would ensure that your router has an entry for the DNS servers in the DHCP scopes. In the example shown, I'm using the Cisco Umbrella public DNS servers but you can use Google DNS if you want to:

ip dhcp pool USER-DHCP
 network 192.168.105.0 255.255.255.128
 default-router 192.168.105.1
 dns-server 208.67.222.222 208.220.220

 You do not need to add any special ACLs since DNS is initiated from the INSIDE of the network to the OUTSIDE, the return traffic will be allowed.

If you do want to be able to resolve DNS on the router, the command you showed will work btw.

Thank you for your help! i'm all set!

 

Tyson,

Another issue i'm running into is being able to ping from the Host pc on the 192.168.105.x network to any inside interfaces. of which i can't get ASDM setup unless i put myself on the management IP range that the ASA is setup on. I ran a packet-tracer and it looks like its coming down to an access list that isn't configured. I have ICMP Permitted on both the inside and management interface. But i'm unable to figure out what access list needs to be added to get ping/remote access from the 105 network to work.

ciscoasa# packet-tracer input inside icmp 192.168.105.4 0 8 192.168.110.50

 

ciscoasa# packet-tracer input inside icmp 192.168.105.4 0 8 192.168.110.50

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.50.2 using egress ifc  Inside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

You should not need to put yourself on the Management network in order to administrate your ASA. You can ssh/telnet/ASDM to the IP address of the inside interface provided that you have configured the ASA to allow authentication for those protocols.

First you have to have a user account to login. Here I will create a local account on the ASA although a more advanced (and preferred) method would be to authenticate to a AAA server:

username myname password 5tr0ngP@ssword privilege 15

SSH

crypto key generate rsa general-keys modulus 2048
aaa authentication ssh console LOCAL ssh key-exchange group dh-group14-sha256
ssh version 2 ssh 192.168.50.0 255.255.255.0 Inside

ASDM

aaa authentication http console LOCAL
http server enable
http 192.168.50.0 255.255.255.0 Inside

Telnet

---DON'T USE IT---

I'm not going to show it. It's unencrypted and not secure.

 

As for not being able to ping the Inside interface of the ASA from your User VLAN, can you verify the following:

1. Does the user VLAN use the IP address of the router for the default gateway?

2. Can the router ping the Inside interface of the ASA?

Thank you! 

1. I'm not sure i understand the question. The router for user vlan 105 is 192.168.105.0 for the network, gateway is .1 /25 network

2. I am able to ping the inside interface of the ASA, 192.168.50.1 from switch, router and host PC. I am unable to ping the management port of the ASA from the Host pc, but am able to from the switch. The switch is on the management network though, 192.168.110.5

 

After going through your steps for SSH, it would not let me use sha-256. im not sure if that makes a difference. But, i cannot SSH to the ASA via the inside interface, 192.168.50.1 from the host pc, 192.168.105.x

 

Here is what my SSH shoes in the ASA

 

ssh 192.168.50.0 255.255.255.0 Inside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1

What I was getting at is that the Management interface of the ASA is not commonly used just because you can manage the ASA by going to the inside interface. The reason you likely cannot reach the management interface is due to a lack of a route:

route management 0.0.0.0 0.0.0.0 192.168.110.1

The key-exchange is fine as is but you will get a warning if you are running the latest version of Putty or some terminal emulator indicating that the cipher algorithm is weak.

The only thing I see left to enable for SSH is the aaa authentication

Are you able to use the ASDM to get to the ASA?