Cannot browse the Web

NiallDavis
Level 1

Hi Guys,

I have an ASA5520 with a /24 public network on the internal interface and /28 public network on the outside interface.

You guys kindly helped me with a routing problem last week - I am almost there but now have this problem:

My test PC on the inside network (customer) cannot browse the internet via http. I can ping and resolve via DNS.

I have opened up the ASA completely so that any traffic of any type is allowed both ways - but still I cannot browse!

Any ideas?

Here is the running-conf:

: Saved
:
ASA Version 7.0(6)
!
hostname cr01-sh
domain-name briars.net
enable password xxx
names
name 213.x.x.2 Aurix01-s01
name 90.x.x.56 Niall_Home
name 213.x.x.3 Test01 description Delete This Once working
dns-guard
!
interface GigabitEthernet0/0
 nameif WAN
 security-level 0
 ip address 217.x.x.34 255.255.255.240
!
interface GigabitEthernet0/1
 nameif Customer
 security-level 10
 ip address 213.x.x.254 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd xxx
ftp mode passive
access-list WAN_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu WAN 1500
mtu Customer 1500
mtu management 1500
no failover
monitor-interface WAN
monitor-interface Customer
monitor-interface management
icmp permit any WAN
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
static (Customer,WAN) Test01 Test01 netmask 255.255.255.255
access-group WAN_access_in in interface WAN
route WAN 0.0.0.0 0.0.0.0 217.x.x.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 WAN
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
Cryptochecksum:xxx
: end


1cmerchant
Level 1

I believe you'll need to add these statements in order to browse (or make any connection for that matter) from the Inside to the Outside network.

global (Outside) 1 interface

nat (Inside) 1 a.b.c.d n.n.n.n

Where a.b.c.d n.n.n.n is the network and subnet of the Inside network that you want to allow to make connections out via the Outside interface.

Hi, Thanks for your reply.

I can connect via other ports, i.e. dns, ping, smtp etc - but web pages will not load.

Also, I can see the TCP 80 connection building in the syslog and then teardown almost immediately.

Also, as I am connecting from another public network behind the firewall I don't want to use nat as, ultimately, the network will be used for hosting servers.

The problem just seems to be http!

Thanks again for your response.

Niall.
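
The build-then-teardown pattern described in the post above can be pulled out of the syslog and grouped by teardown reason. This is an added example, not part of the original thread: the log lines are constructed in the ASA 302013/302014 message layout with documentation-range addresses, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in the ASA 302013/302014 layout. Addresses are documentation
# ranges; WAN and Customer are the interface names from the posted config.
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 1001 for WAN:198.51.100.10/80 (198.51.100.10/80) to Customer:203.0.113.3/1025 (203.0.113.3/1025)
%ASA-6-302014: Teardown TCP connection 1001 for WAN:198.51.100.10/80 to Customer:203.0.113.3/1025 duration 0:00:00 bytes 0 TCP Reset-O
%ASA-6-302013: Built outbound TCP connection 1002 for WAN:198.51.100.25/25 (198.51.100.25/25) to Customer:203.0.113.3/1026 (203.0.113.3/1026)
%ASA-6-302014: Teardown TCP connection 1002 for WAN:198.51.100.25/25 to Customer:203.0.113.3/1026 duration 0:00:12 bytes 2048 TCP FINs
%ASA-6-302013: Built outbound TCP connection 1003 for WAN:198.51.100.11/80 (198.51.100.11/80) to Customer:203.0.113.3/1027 (203.0.113.3/1027)
%ASA-6-302014: Teardown TCP connection 1003 for WAN:198.51.100.11/80 to Customer:203.0.113.3/1027 duration 0:00:30 bytes 0 SYN Timeout
"""

BUILT = re.compile(r"%ASA-6-302013: Built (\w+) TCP connection (\d+) for "
                   r"(\w+):([\d.]+)/(\d+) .*? to (\w+):([\d.]+)/(\d+)")
TEARDOWN = re.compile(r"%ASA-6-302014: Teardown TCP connection (\d+) for .*? "
                      r"duration (\d+):(\d\d):(\d\d) bytes (\d+)(?: (.*))?$")


def short_lived(log_text, port=80, max_seconds=1):
    """Return (conn_id, peer, seconds, bytes, reason) for connections involving
    `port` that were torn down within `max_seconds` of being built."""
    built, hits = {}, []
    for line in log_text.splitlines():
        m = BUILT.search(line)
        if m:
            # Either endpoint may be the server side, so keep both ports.
            built[m.group(2)] = (m.group(4), int(m.group(5)), int(m.group(8)))
            continue
        m = TEARDOWN.search(line)
        if m and m.group(1) in built:
            peer, port_a, port_b = built.pop(m.group(1))
            secs = int(m.group(2)) * 3600 + int(m.group(3)) * 60 + int(m.group(4))
            if port in (port_a, port_b) and secs <= max_seconds:
                hits.append((m.group(1), peer, secs, int(m.group(5)),
                             (m.group(6) or "").strip()))
    return hits


def reason_summary(hits):
    """Count flagged connections per teardown reason."""
    return Counter(hit[4] for hit in hits)


if __name__ == "__main__":
    for hit in short_lived(SAMPLE_LOG):
        print(hit)
    print(reason_summary(short_lived(SAMPLE_LOG, max_seconds=60)))
```

In the teardown reason, Reset-I and Reset-O record whether the reset came from the inside (higher-security) or outside (lower-security) side, and a byte count of 0 shows no payload ever crossed the firewall.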

Your other issue was solved by the ISP, right? Did you still have to add this to get it to work?

static (Customer,WAN) Test01 Test01 netmask 255.255.255.255

Or does it (everything but http) also work without that?

Hi Acomiskey,

Yup - turns out it was the ISP at fault. Yes I didn't need the added line to get access - although everything bar web is working!

Thanks,

Niall.
