Devices behind ASA have internet connectivity, but no http
mzinz
Member Posts: 328
I apologize in advance for the length. For future reference, I have replaced the real external IP with “X.X.X.X”. Also, the IP of the server I mention is 10.0.0.17.
I just finished hooking up my first ASA – I had already configured it ahead of time.
Beforehand, it had been my understanding that only two interfaces would be necessary: inside and outside. When I got on-site, it was immediately apparent that they had previously been using a DMZ for their one server. The license on this ASA only allowed 2 nameif’s, so I plugged the server into the third port on the ASA (E0/2) and added it to the same VLAN as my main inside interface (E0/1). The outside interface was on E0/0.
Right off the bat, I have a few questions.
The setup goes DSLModem -> ASA -> Switch -> Users. When I checked my routing table it showed a route to my internal network, so I figured that a static route internally wasn’t necessary. What confused me, though, was that the route looked something like this:
route to 10.0.0.0/24, connected, via “inside”
Does this mean that all traffic heading towards the inbound hosts will also be sent to the server since they share the same VLAN?
Additionally, do I need a static route for the server, even though it is directly connected? If so, would it just be: route inside 10.0.0.17 255.255.255.255 10.0.0.17?
Immediately after hooking it up, I noticed a few things:
Inside hosts can ping the server (which is on its own interface, like I mentioned before)
Inside can ping ASA
Inside can ping External Gateway (last ISP hop), so I’m assuming it had full connectivity, although I couldn’t test any other IP’s since I didn’t have any memorized.
Server can ping inside hosts
Server can ping ASA
Server can *not* ping External Gateway.
My natural reaction was that it had to either be a NAT issue or ACL issue. Since the inside access-list is applied to the VLAN that both the server and inside network are members of, I ruled that out. At the time, I had only a couple NAT statements:
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) X.X.X.X 10.0.0.17 netmask 255.255.255.255
It occurred to me that I didn’t need a static route for the server, since all connections would be made through the VPN. I deleted the route, and was then able to ping the External Gateway from the Server. Why?
At this point, I attempted to get online with both the server and hosts on the internal network, but wasn't able to load any web pages. I knew that DNS had to be the natural culprit. Throughout my configuration, I had the following DNS statements:
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
domain-name default.domain.invalid
name-server first.isp.dns.server
name-server second.isp.dns.server
group-policy DfltGrpPolicy attributes
dns-server value 10.0.0.17
group-policy VPN_GRP_POLICY
dns-server value 10.0.0.17
When I checked ‘ipconfig’ on the host pc’s, it showed 10.0.0.17 as the DNS server, as it should. When I entered the DNS IP manually in Windows TCP/IP config (I’m referring to the ISP’s DNS server), all web pages work. I played around with the DNS commands some and the behavior was odd – it seemed to load pages, but very slowly (when DHCP is handling DNS). After a while, all pages loaded fine and at full speed. I re-entered the old static NAT statement for kicks, and it killed my connection completely. I removed it from the config, and observed the original behavior of slow loading pages. It again sped up after about 15 minutes for seemingly no reason.
I left it after a while and pages seemed to be working properly. Still though, something doesn't seem right. Also, I'm not able to ping or connect to the ASA remotely, even though I'm positive it's accepting ICMP, and should also be accepting VPN connections.
Any advice would be MUCH appreciated.
Thanks
_______LAB________
2x 2950
2x 3550
2x 2650XM
2x 3640
1x 2801
Comments
dtlokee Member Posts: 2,378
I am not totally sure of the configuration but if you are trying to configure you will need a nat 0 rule for the VPN traffic and I would change your nat rule to allow only the specific inside subnet, not all subnets. For your ICMP stuff, do you have the ACL on the outside interface set up to allow ICMP packets inbound?
The only easy day was yesterday!
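As an added illustration of what dtlokee describes (not from the thread), in the pre-8.3 ASA syntax the poster is using; the VPN address pool 192.168.100.0/24 and the ACL names NO_NAT and OUTSIDE_IN are assumed placeholders:

```cisco
! Identity (nat 0) rule: traffic from the inside LAN to the VPN pool must
! not be translated, or the VPN peers never see the real 10.0.0.x addresses.
! 192.168.100.0/24 is an assumed placeholder for the VPN address pool.
access-list NO_NAT extended permit ip 10.0.0.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NO_NAT
!
! The original rule translates every source address; restrict it to the LAN
! that actually sits behind the inside interface.
no nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 interface
!
! Let ICMP replies for pings sourced from the LAN and server come back in,
! without permitting unsolicited echo requests through to inside hosts.
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-group OUTSIDE_IN in interface outside
!
! Pings aimed at the ASA's own outside address are controlled by the icmp
! command, not by the interface ACL.
icmp permit any echo outside
icmp permit any echo-reply outside
```

If `inspect icmp` is enabled in the global policy-map, ICMP becomes stateful and the three echo-reply/time-exceeded/unreachable ACL lines are no longer needed for transit pings.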
mzinz Member Posts: 328
dtlokee wrote:
I am not totally sure of the configuration but if you are trying to configure you will need a nat 0 rule for the VPN traffic and I would change your nat rule to allow only the specific inside subnet, not all subnets. For your ICMP stuff, do you have the ACL on the outside interface set up to allow ICMP packets inbound?
Thanks for the reply.
What should the syntax of the nat0 statement be? What is it accomplishing? Is the purpose of it to NOT NAT traffic going through the tunnel?
Will the current NAT rule, which NAT's everything going inside to out, mess with my VPN? Or is it just a precaution?
_______LAB________
2x 2950
2x 3550
2x 2650XM
2x 3640
1x 2801
Netstudent Member Posts: 1,693
Maybe these will help.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807f9a89.shtml
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804675ac.shtml
And for future reference make this URL a favorite.
http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html
There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
mzinz Member Posts: 328
Netstudent wrote:
Maybe these will help.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807f9a89.shtml
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804675ac.shtml
And for future reference make this URL a favorite.
http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html
Hey, thanks so much for the link. Much appreciated.
_______LAB________
2x 2950
2x 3550
2x 2650XM
2x 3640
1x 2801