Devices behind ASA have internet connectivity, but no http

mzinzmzinz Member Posts: 328
I apologize in advance for the length. For future reference, I have replaced the real external IP with “X.X.X.X”. Also, the IP of the server I mention is

I just finished hooking up my first ASA – I had already configured it ahead of time.

Beforehand, it had been my understanding that only two interfaces would be necessary: inside and outside. When I got on-site, it was immediately apparent that they had previously been using a DMZ for their one server. The license on this ASA only allowed 2 nameif’s, so I plugged the server into the third port on the ASA (E0/2) and added it to the same VLAN as my main inside interface (E0/1). The outside interface was on E0/0.

Right off the bat, I have a few questions.

The setup goes DSLModem -> ASA -> Switch -> Users. When I checked my routing table it showed a route to my internal network, so I figured that a static route internally wasn’t necessary. What confused me, though, was that the route looked something like this:

route to, connected, via “inside”

Does this mean that all traffic heading towards the inbound hosts will also be sent to the server since they share the same VLAN?

Additionally, do I need a static route for the server, even though it is directly connected? If so, would it just be: route inside

Immediately after hooking it up, I noticed a few things:

Inside hosts can ping the server(which is on its own interface, like I mentioned before)
Inside can ping ASA
Inside can ping External Gateway (last ISP hop), so I’m assuming it had full connectivity, although I couldn’t test any other IP’s since I didn’t have any memorized.

Server can ping inside hosts
Server can ping ASA
Server can *not* ping External Gateway.

My natural reaction was that it had to either be a NAT issue or ACL issue. Since the inside access-list is applied to the VLAN that both the server and inside network are members of, I ruled that out. At the time, I had only a couple NAT statements:

global (outside) 1 interface
nat (inside) 1
static (inside,outside) X.X.X.X netmask

It occurred to me that I didn’t need a static route for the server, since all connections would be made through the VPN. I deleted the route, and was then able to ping the External Gateway from the Server. Why?

At this point, I attempted to get online with both the server and hosts on the internal network, but wasn't able to load any web pages. I knew that DNS had to be the natural culprit. Throughout my configuration, I had the following DNS statements:

dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
domain-name default.domain.invalid
name-server first.isp.dns.server
name-server second.isp.dns.server
group-policy DfltGrpPolicy attributes
dns-server value
group-policy VPN_GRP_POLICY
dns-server value

When I checked ‘ipconfig’ on the host pc’s, it showed as the DNS server, as it should. When I entered the DNS IP manually in Windows TCP/IP config (I’m referring to the ISP’s DNS server), all web pages work. I played around with the DNS commands some and the behavior was odd – it seemed to load pages, but very slowly (when DHCP is handling DNS). After a while, all pages loaded fine and at full speed. I re-entered the old static NAT statement for kicks, and it killed my connection completely. I removed it from the config, and observed the original behavior of slow loading pages. It again sped up after about 15 minutes for seemingly no reason.

I left it after a while and pages seemed to be working properly. Still though, something doesn't seem right. Also, I'm not able to ping or connect to the ASA remotely, even though I'm positive it's accepting ICMP, and should also be accepting VPN connections.

Any advice would be MUCH appreciated.

2x 2950
2x 3550
2x 2650XM
2x 3640
1x 2801


Sign In or Register to comment.