URGENT - Can access internet, but not webpages

Unanswered Question
Jan 10th, 2008

I just hooked up a newly configured ASA5505 for a customer.

I have connectivity to the internet (can ping any external IP, can connect to other VPNs, etc.), but can't view webpages.

DNS issue, right?

They have a single server which handles DNS/WINS/DHCP, etc. The IP of this server is 10.0.0.17. When I do 'ipconfig' on my computer, it shows the server address for all 3 -- both on the new setup and the old.

Their old setup had 2 DNS server addresses (external ones), and I have added them to my ASA config, but it doesn't give them to the actual interface. When I apply these DNS settings *manually*, everything works, including webpages.

I'm really stumped at the moment.

Where in my ASA configuration should I be applying the external DNS server addresses? In the group policy or on my default DNS?

PS: For some reason I'm able to access the www.cisco.com site, even when no other webpages work. Right now I'm using my laptop with the settings given from the ASA, I can't access ANY page except Cisco.com and its subpages (including forums, obviously).

Config Below:

tylerlucas Thu, 01/10/2008 - 18:47

hostname **HIDDEN**
domain-name default.domain.invalid
enable password xxx
names
!
interface Vlan1
 description Inside Interface - IP:10.0.0.1/24
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
 description Outside Interface - IP:**HIDDEN**
 nameif outside
 security-level 0
 ip address **HIDDEN** 255.255.255.252
!
interface Ethernet0/0
 description Outside Network Interface
 switchport access vlan 2
!
interface Ethernet0/1
 description Inside Network Interface
!
interface Ethernet0/2
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
passwd qS2sCdhBJFJbWywn encrypted
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group service ACCEPTED_PORTS tcp
 port-object eq telnet
 port-object eq ssh
 port-object eq smtp
 port-object eq 51
 port-object eq 500
 port-object eq pop3
access-list ACL_INSIDE_GOING_OUT extended permit ip any any
access-list ACL_INSIDE_GOING_OUT extended deny ip any any
access-list ACL_OUT_COMING_IN extended permit tcp any host **HIDDEN** object-group ACCEPTED_PORTS
access-list VPN_TUNNELED_NETWORKS remark List of destination networks to tunnel data to.
access-list VPN_TUNNELED_NETWORKS standard permit 10.0.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm warnings
mtu inside 1500
mtu outside 1500
ip local pool VPN_POOL 10.0.3.10-10.0.3.250 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-523.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) **HIDDEN** 10.0.0.17 netmask 255.255.255.255
access-group ACL_INSIDE_GOING_OUT in interface inside
access-group ACL_OUT_COMING_IN in interface outside
route inside 10.0.0.0 255.255.255.0 10.0.0.2 1
route outside 0.0.0.0 0.0.0.0 **HIDDEN** 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 1:00:00 absolute
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
http server enable
http **HIDDEN** 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map OUTSIDE_DYN_MAP 30 set pfs
crypto dynamic-map OUTSIDE_DYN_MAP 30 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic OUTSIDE_DYN_MAP
crypto map OUTSIDE_MAP interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet **HIDDEN** 255.255.255.255 outside
telnet timeout 5
ssh 10.0.0.0 255.255.255.0 inside
ssh **HIDDEN** 255.255.255.255 outside
ssh timeout 5
ssh version 2
console timeout 30
dhcpd auto_config outside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512

tylerlucas Thu, 01/10/2008 - 18:47

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 10
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy **HIDDEN**_VPN internal
group-policy **HIDDEN**_VPN attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_TUNNELED_NETWORKS
 default-domain value **HIDDEN**
 address-pools value VPN_POOL
tunnel-group **HIDDEN**_TUNNEL type ipsec-ra
tunnel-group **HIDDEN**_TUNNEL general-attributes
 address-pool VPN_POOL
 default-group-policy **HIDDEN**_VPN
tunnel-group **HIDDEN**_TUNNEL ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:xxx

tylerlucas Thu, 01/10/2008 - 18:54

Also,

E0/0 is outside (modem)

E0/1 is to the switch (which leads to all hosts including this PC)

E0/2 is to the server (on the same vlan as E0/1)

Oddly enough, this PC can ping the external gateway, but the server cannot. Both can ping the internal gateway (the ASA, 10.0.0.1)

pengfang Thu, 01/10/2008 - 19:49

Hi, I think you might

Option 1: configure DNS forwarding on that server; following is a link on how to do that:

http://www.petri.co.il/configure_dns_forwarding.htm

All DNS requests by DHCP clients will be sent to this server, and this server then forwards them to the ISP DNS server to resolve.

Option 2: configure the DHCP server to assign your ISP's DNS server as your clients' DNS; this way all client DNS requests will be sent to the external name server to resolve.

You don't need to configure a DNS server on the ASA; that's for the ASA itself to resolve domain names.

Hope this helps; if so, please rate.
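
The distinction pengfang draws (the ASA's dns server-group only serves the ASA's own lookups; inside clients get their resolver from their DHCP server, and VPN clients from the group policy) can be checked mechanically against a running-config. The script below is an added example, not code from this thread or from Cisco. It parses two constructed config fragments: one modelled on the posted config (with the hidden group-policy name replaced by the placeholder CUSTOMER_VPN) and one variant where the ASA hands out resolvers itself (using RFC 5737 documentation addresses, not real ISP servers), and reports which DNS setting reaches which party, plus the DNS inspection size limit that the posted config sets to 512 bytes.

```python
"""Audit which DNS settings in an ASA running-config reach which client.

Added example, not from the thread or from Cisco. The ASA keeps three
unrelated DNS settings: "dns server-group"/"name-server" (what the ASA
itself queries), "dhcpd dns" (what the ASA's own DHCP server hands out)
and a group-policy "dns-server" (what remote-access VPN clients get).
"""

# Constructed fragment modelled on the posted config; the hidden
# group-policy name is replaced with the placeholder CUSTOMER_VPN.
SAMPLE_CONFIG_POSTED = """\
dns server-group DefaultDNS
 domain-name default.domain.invalid
dhcpd auto_config outside
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
group-policy DfltGrpPolicy attributes
 dns-server none
group-policy CUSTOMER_VPN attributes
 address-pools value VPN_POOL
"""

# Constructed variant where the ASA hands out resolvers itself; the
# addresses are RFC 5737 documentation addresses, not real ISP servers.
SAMPLE_CONFIG_FIXED = """\
dns server-group DefaultDNS
 name-server 192.0.2.53
 name-server 198.51.100.53
dhcpd dns 192.0.2.53 198.51.100.53
dhcpd enable inside
group-policy CUSTOMER_VPN attributes
 dns-server value 10.0.0.17
"""


def parse_blocks(config):
    """Return [(top_level_command, [sub_commands])]; ASA nests by indent,
    and every nesting level is flattened under its top-level command."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith('!'):
            continue
        if raw.startswith(' ') and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_dns(config):
    """Collect the three DNS settings plus the DNS inspection size limit."""
    result = {
        'asa_resolver': [],       # what the ASA itself queries
        'dhcpd_enabled_on': [],   # interfaces where the ASA serves DHCP
        'dhcp_client_dns': [],    # resolvers the ASA's DHCP server hands out
        'vpn_client_dns': {},     # group-policy -> resolvers, or None if inherited
        'dns_inspect_max_len': None,
    }
    for parent, children in parse_blocks(config):
        if parent.startswith('dns server-group '):
            for c in children:
                if c.startswith('name-server '):
                    result['asa_resolver'].extend(c.split()[1:])
        elif parent.startswith('dhcpd dns '):
            result['dhcp_client_dns'].extend(parent.split()[2:])
        elif parent.startswith('dhcpd enable '):
            result['dhcpd_enabled_on'].append(parent.split()[2])
        elif parent.startswith('group-policy ') and parent.endswith(' attributes'):
            name = parent.split()[1]
            result['vpn_client_dns'][name] = None
            for c in children:
                if c.startswith('dns-server '):
                    tokens = c.split()[1:]  # "value A [B]" or "none"
                    result['vpn_client_dns'][name] = tokens[1:] if tokens[0] == 'value' else []
        elif parent.startswith('policy-map type inspect dns '):
            for c in children:
                if c.startswith('message-length maximum '):
                    result['dns_inspect_max_len'] = int(c.split()[2])
    return result


def findings(audit):
    """Turn the raw audit into the checks a troubleshooter should make next."""
    notes = []
    if not audit['asa_resolver']:
        notes.append('no name-server: only lookups by the ASA itself are affected')
    if not audit['dhcpd_enabled_on']:
        notes.append('ASA is not a DHCP server: inside clients get their resolver from their own DHCP server')
    elif not audit['dhcp_client_dns']:
        notes.append('ASA serves DHCP but hands out no resolver (no "dhcpd dns")')
    for name, servers in audit['vpn_client_dns'].items():
        if servers is None:
            notes.append('group-policy %s inherits dns-server from DfltGrpPolicy' % name)
        elif not servers:
            notes.append('group-policy %s gives VPN clients no resolver' % name)
    if audit['dns_inspect_max_len'] is not None:
        notes.append('DNS inspection drops DNS messages longer than %d bytes' % audit['dns_inspect_max_len'])
    return notes


if __name__ == '__main__':
    for cfg in (SAMPLE_CONFIG_POSTED, SAMPLE_CONFIG_FIXED):
        print('\n'.join(findings(audit_dns(cfg))) or 'no DNS findings')
```

Run against the posted fragment it reports that the ASA has no resolver of its own, is not the DHCP server for the inside network, and that the VPN group policy inherits "dns-server none" from DfltGrpPolicy, which is why adding external resolvers to the ASA changed nothing for the poster's laptop. The message-length finding is informational: the limit is in the posted config, and the script does not claim it explains the slow page loads.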

tylerlucas Thu, 01/10/2008 - 20:11

Forwarding is already enabled on the server.

I have changed my config a little, and pages are loading, but extremely slowly...

tylerlucas Thu, 01/10/2008 - 23:00

I realized that I didn't need the static NAT statement, so I deleted it. Once I did this, the server could then ping external IPs... Why?

Webpages still acting strangely. They load VERY slowly, then all of a sudden will be fine. Still confused.
