Beginner

Packet Tracer Simulation

I am working on a mock-up of our network in Packet Tracer. Note: IP addresses are not actual. We do not use a Cisco ASA in our setup, but we have a firewall. I am not really familiar with the ASA, so I am having issues with YellowJacket2 getting to the internet, specifically www.email.com in the web browser. It can ping the address, though. What am I missing in the ASA to allow this? Below is a link to the Packet Tracer file.


Packet Tracer Link 

VIP Expert

Hello,


I opened your project file. I don't think the ASA is the problem, but rather the way your DNS is set up. DNS requests do not even make it to the ASA (the hit count for the 'domain' entry is 0).

I cannot really figure out how the entire DNS structure is set up, but that is where I would look.

Beginner

It was the ASA; I figured it out about 2 months ago. I can't remember what the solution was, though.


Hello,


There are a few things I can think of: the NAT (there is a flaw on the ASA in Packet Tracer where only directly connected networks are correctly translated), the inspection, and the access list. I added/changed some things in your config. I still cannot access www.email.com from the YellowJacket2 machine, but maybe it points you in the right direction:

 

ciscoasa# sh run
: Saved
:
ASA Version 9.6(1)
!
hostname ciscoasa
names
!
interface GigabitEthernet1/1
 nameif inside
 security-level 100
 ip address 10.0.4.14 255.255.255.0
!
interface GigabitEthernet1/2
 nameif outside
 security-level 0
 ip address 7.0.0.3 255.0.0.0
!
interface GigabitEthernet1/3
 no nameif
 no security-level
 no ip address
 shutdown
!
interface GigabitEthernet1/4
 no nameif
 no security-level
 no ip address
 shutdown
!
interface GigabitEthernet1/5
 no nameif
 no security-level
 no ip address
 shutdown
!
interface GigabitEthernet1/6
 no nameif
 no security-level
 no ip address
 shutdown
!
interface GigabitEthernet1/7
 no nameif
 no security-level
 no ip address
 shutdown
!
interface GigabitEthernet1/8
 no nameif
 no security-level
 no ip address
 shutdown
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
--> object network obj-lan
-->  subnet 10.0.4.0 255.255.255.0
!
route inside 10.0.0.0 255.0.0.0 10.0.4.1 1
route outside 0.0.0.0 0.0.0.0 7.0.0.1 1
!
access-list 100 extended permit tcp any any eq www
access-list 100 extended permit tcp any any eq 443
access-list 100 extended permit tcp any any eq domain
access-list 100 extended permit icmp any any
--> access-list 100 extended permit tcp any eq www any
--> access-list 100 extended permit tcp any eq 443 any
--> access-list 100 extended permit tcp any eq domain any
access-list 50 extended permit ip any any
!
access-group 50 in interface inside
access-group 100 in interface outside
--> access-group 100 out interface outside
object network obj-lan
 nat (inside,outside) dynamic interface
!
--> class-map inspection_default
-->  match default-inspection-traffic
!
--> policy-map global_policy
-->  class inspection_default
-->   inspect dns
-->   inspect ftp
-->   inspect h323
-->   inspect http
-->   inspect icmp
!
--> service-policy global_policy global
!
telnet timeout 5
ssh timeout 5
!
ciscoasa#
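The reply above names three places to look (NAT, inspection, access list). The script below is an added example written for this thread, not code from the poster or from Cisco: it parses a trimmed, constructed copy of the config quoted above and checks each of those points for an inside host. It assumes 10.0.4.20 as YellowJacket2's address (the thread does not give it), ignores destination addresses (the thread does not say where www.email.com or the DNS server sit), and models a real ASA rather than Packet Tracer's simulation of one. Two things it reports straight from the quoted config: ACL 100, once applied outbound on the outside interface, has no entry for DNS over UDP, which matters only if the DNS server is beyond the ASA; and the three "return traffic" entries (`permit tcp any eq www any` and friends) are not needed on a stateful ASA and let any Internet host that sources from port 80, 443 or 53 initiate a connection inbound.

```python
"""Audit an ASA config for the usual reasons an inside host can ping but cannot browse: NAT,
the ACL path for DNS/HTTP/HTTPS, DNS inspection, and source-port "return traffic" permits."""
import ipaddress
from collections import defaultdict, namedtuple
# Constructed, trimmed copy of the config quoted above (unused stanzas dropped).
ASA_CONFIG = """\
object network obj-lan
 subnet 10.0.4.0 255.255.255.0
 nat (inside,outside) dynamic interface
access-list 100 extended permit tcp any any eq www
access-list 100 extended permit tcp any any eq 443
access-list 100 extended permit tcp any any eq domain
access-list 100 extended permit icmp any any
access-list 100 extended permit tcp any eq www any
access-list 100 extended permit tcp any eq 443 any
access-list 100 extended permit tcp any eq domain any
access-list 50 extended permit ip any any
access-group 50 in interface inside
access-group 100 in interface outside
access-group 100 out interface outside
policy-map global_policy
 class inspection_default
  inspect dns
"""
Ace = namedtuple("Ace", "action proto src sport dst dport")
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53, "ftp": 21}
TOP = {"interface", "object", "access-list", "access-group", "route", "class-map", "policy-map"}

def port(tok):
    return PORT_NAMES.get(tok) or int(tok)

def take_addr(tok, i):
    if tok[i] == "any":  # None means any address; otherwise 'A.B.C.D MASK'
        return None, i + 1
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse_ace(tok):
    """tok holds everything after 'access-list NAME extended'."""
    action, proto, i = tok[0], tok[1], 2
    src, i = take_addr(tok, i)
    sport = None
    if i < len(tok) and tok[i] == "eq":  # 'eq www' right after the source: a source-port ACE
        sport, i = port(tok[i + 1]), i + 2
    dst, i = take_addr(tok, i)
    dport = port(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return Ace(action, proto, src, sport, dst, dport)

def parse_config(text):
    cfg = {"acls": defaultdict(list), "groups": [], "objects": {}, "nat": [], "inspects": set()}
    ctx = []
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or raw[0] in "!:":
            continue
        if tok[0] in TOP:  # context keyed on command words, so stripped indentation is fine
            ctx = tok
        if tok[0] == "access-list" and tok[2] == "extended":
            cfg["acls"][tok[1]].append(parse_ace(tok[3:]))
        elif tok[0] == "access-group":  # access-group ACL in|out interface IF
            cfg["groups"].append((tok[1], tok[2], tok[4]))
        elif ctx[:1] == ["object"] and tok[0] == "subnet":
            cfg["objects"][ctx[2]] = ipaddress.ip_network(f"{tok[1]}/{tok[2]}", strict=False)
        elif ctx[:1] == ["object"] and tok[0] == "nat":
            cfg["nat"].append((ctx[2], tok[1]))  # (object name, '(inside,outside)')
        elif ctx[:1] == ["policy-map"] and tok[0] == "inspect":
            cfg["inspects"].add(tok[1])
    return cfg

def acl_decision(aces, client, proto, dport):
    """First match wins, implicit deny last.  The client's source port is ephemeral, so a
    source-port ACE never matches a connection it opens; destinations are not checked."""
    for a in aces:
        if a.proto not in ("ip", proto) or a.sport is not None:
            continue
        if a.src is not None and client not in a.src:
            continue
        if a.dport is not None and a.dport != dport:
            continue
        return a.action
    return "deny"

def audit(cfg, client_ip, flows=(("icmp", None), ("udp", 53), ("tcp", 80), ("tcp", 443))):
    """client_ip is the inside host; 10.0.4.20 is an assumed address for YellowJacket2."""
    client = ipaddress.ip_address(client_ip)
    report = {
        "nat": any(ifs == "(inside,outside)" and client in cfg["objects"].get(obj, ())
                   for obj, ifs in cfg["nat"]),
        "dns_inspect": "dns" in cfg["inspects"],
        "blocked": [],           # (proto, dport, acl, direction, interface) that deny the flow
        "source_port_aces": [],  # outside-in permits keyed on source port: unneeded, and a hole
    }
    # Outbound path: ACL inbound on inside, then ACL outbound on outside; replies need no ACE.
    path = [g for g in cfg["groups"] if g[1:] in (("in", "inside"), ("out", "outside"))]
    for proto, dport in flows:
        for acl, direction, iface in path:
            if acl_decision(cfg["acls"][acl], client, proto, dport) != "permit":
                report["blocked"].append((proto, dport, acl, direction, iface))
    for acl, direction, iface in cfg["groups"]:
        if (direction, iface) == ("in", "outside"):
            report["source_port_aces"] += [a for a in cfg["acls"][acl] if a.action == "permit" and a.sport]
    return report

if __name__ == "__main__":
    print(audit(parse_config(ASA_CONFIG), "10.0.4.20"))
```

Run against the quoted config, `audit()` reports NAT and DNS inspection present, ICMP, HTTP and HTTPS passing both ACLs, UDP/53 denied by ACL 100 in the outbound direction on the outside interface, and three source-port permits on the outside inbound ACL. Whether the DNS gap is what breaks the lab depends on where the DNS server lives, which the thread does not settle; the source-port permits should go regardless, since the ASA's connection table already admits the replies they were meant to allow.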
