asa 5505 transparent firewall, unable to browse internet

pranavam_dileep (Level 1)

Hi guys,

I have faced a problem while configuring an ASA 5505 in transparent mode.

I am not able to browse the internet, but I am able to ping the outside (for example www.google.com, or the ISP DNS 212.72.23.30).

The ASA 5505 has management IP 192.168.2.76 255.255.255.0.

I also have a D-Link ADSL router which acts as the gateway, 192.168.2.1 255.255.255.0.

I have also configured an access list to permit TCP 80 (HTTP) and UDP 53 (domain).

Can anyone help me with how to configure the ASA 5505 in transparent mode to get internet access?

I am attaching the configuration also:

: Saved
: Written by enable_15 at 23:23:32.102 UTC Mon Nov 17 2008
!
ASA Version 8.0(2)
!
firewall transparent
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
!
interface Vlan2
 nameif outside
 security-level 0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list OUTSIDE_IN extended permit tcp any any eq www
access-list OUTSIDE_IN extended permit udp any any eq domain
access-list OUTSIDE_IN extended permit ip any any
pager lines 24
mtu inside 1500
mtu outside 1500
ip address 192.168.2.76 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.2.1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
client-update enable
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:5c7302d5f9e551998f6d06a130073cb1
: end


8 Replies

husycisco (Level 7)

Hello Dileep,

Just to make sure: the clients behind the firewall do have 192.168.2.1, the router's IP, as their default gateway, right? They should not have the ASA's IP, 192.168.2.76, as their default gateway.

Regards

Yes, the client has the router's IP, 192.168.2.1, as its default gateway.

Client IP: 192.168.2.50/24

Gateway: 192.168.2.1/24

Primary DNS (ISP): 212.72.23.30

Secondary DNS (ISP): 212.72.1.186

I can ping, e.g., www.google.com from cmd on the client PC.

Dileep,

If you have ASDM, enable logging in ASDM, or enable console logging on the ASA console. Then, in cmd on the client, run "telnet http://www.google.com 80", see if you get a blank screen, and paste the logs created.

Don't put http:// before www.

I entered the command "telnet www.google.com 80" in cmd and I am getting the following log messages:

ciscoasa#
ciscoasa# %ASA-7-609001: Built local-host outside:209.85.129.147
%ASA-6-302013: Built outbound TCP connection 27 for outside:209.85.129.147/80 (209.85.129.147/80) to inside:192.168.2.77/1963 (192.168.2.77/1963)
%ASA-7-609001: Built local-host outside:212.72.23.30
%ASA-6-302015: Built outbound UDP connection 28 for outside:212.72.23.30/53 (212.72.23.30/53) to inside:192.168.2.77/65095 (192.168.2.77/65095)
%ASA-6-302016: Teardown UDP connection 28 for outside:212.72.23.30/53 to inside:192.168.2.77/65095 duration 0:00:00 bytes 168
%ASA-7-609002: Teardown local-host outside:212.72.23.30 duration 0:00:00
%ASA-6-302013: Built outbound TCP connection 29 for outside:209.85.137.125/5222 (209.85.137.125/5222) to inside:192.168.2.77/1964 (192.168.2.77/1964)
%ASA-7-609001: Built local-host outside:72.14.205.189
%ASA-6-302013: Built outbound TCP connection 30 for outside:72.14.205.189/80 (72.14.205.189/80) to inside:192.168.2.77/1966 (192.168.2.77/1966)
%ASA-6-302014: Teardown TCP connection 27 for outside:209.85.129.147/80 to inside:192.168.2.77/1963 duration 0:00:10 bytes 0 TCP FINs
%ASA-7-609002: Teardown local-host outside:209.85.129.147 duration 0:00:10
%ASA-6-302014: Teardown TCP connection 30 for outside:72.14.205.189/80 to inside:192.168.2.77/1966 duration 0:00:00 bytes 414 TCP FINs
%ASA-7-609002: Teardown local-host outside:72.14.205.189 duration 0:00:00
%ASA-4-419001: Dropping TCP packet from outside:209.85.137.125/5222 to inside:192.168.2.77/1964, reason: MSS exceeded, MSS 1260, data 1360
%ASA-4-419001: Dropping TCP packet from outside:209.85.137.125/5222 to inside:192.168.2.77/1964, reason: MSS exceeded, MSS 1260, data 1360
%ASA-4-419001: Dropping TCP packet from outside:209.85.137.125/5222 to inside:192.168.2.77/1964, reason: MSS exceeded, MSS 1260, data 1360
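The paste above is the useful evidence: the ASA builds the TCP connections normally, but the %ASA-4-419001 drop message carries no connection ID, so each drop has to be tied back to its Built/Teardown pair by the outside and inside address/port 4-tuple before you can see which flow is actually broken (here the port 5222 connection 29 is losing 1360-byte segments against a recorded MSS of 1260, while the port 80 connection 27 closed after 10 s with 0 bytes). The following Python script is an added example, not part of this thread or of any Cisco tool: it does that correlation over a constructed sample modelled on the paste, including one record wrapped at 80 columns the way the console paste was. The function and variable names are mine.

```python
"""Correlate ASA connection events (302013/302014) with MSS-exceeded drops (419001)."""
import re

# Constructed sample: lines shaped like the ones pasted above (same message IDs
# and field layout), with one record wrapped across two lines the way a console
# paste wraps at 80 columns. It is not a verbatim copy of the post.
SAMPLE_LOG = """\
ciscoasa# %ASA-7-609001: Built local-host outside:209.85.129.147
%ASA-6-302013: Built outbound TCP connection 27 for outside:209.85.129.147/80 (209.85.129.147/80) to inside:192.168.2.77/1963 (192.168.2.77/1963)
%ASA-6-302013: Built outbound TCP connection 29 for outside:209.85.137.125/5222 (209.85.137.125/5222) to inside:192.168.2.77/1964 (192.168.2.77/1964)
%ASA-6-302013: Built outbound TCP connection 30 for outside:72.14.205.189/80 (72
.14.205.189/80) to inside:192.168.2.77/1966 (192.168.2.77/1966)
%ASA-6-302014: Teardown TCP connection 27 for outside:209.85.129.147/80 to inside:192.168.2.77/1963 duration 0:00:10 bytes 0 TCP FINs
%ASA-6-302014: Teardown TCP connection 30 for outside:72.14.205.189/80 to inside:192.168.2.77/1966 duration 0:00:00 bytes 414 TCP FINs
%ASA-4-419001: Dropping TCP packet from outside:209.85.137.125/5222 to inside:192.168.2.77/1964, reason: MSS exceeded, MSS 1260, data 1360
%ASA-4-419001: Dropping TCP packet from outside:209.85.137.125/5222 to inside:192.168.2.77/1964, reason: MSS exceeded, MSS 1260, data 1360
"""

BUILT_RE = re.compile(
    r"%ASA-6-302013: Built outbound TCP connection (\d+) for (\w+):([\d.]+)/(\d+) "
    r"\([^)]*\) to (\w+):([\d.]+)/(\d+)")
TEARDOWN_RE = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (\d+) for .* duration (\S+) bytes (\d+) (.*)$")
DROP_RE = re.compile(
    r"%ASA-4-419001: Dropping TCP packet from (\w+):([\d.]+)/(\d+) to (\w+):([\d.]+)/(\d+), "
    r"reason: MSS exceeded, MSS (\d+), data (\d+)")


def unwrap(text):
    """Re-join records that a console paste wrapped at 80 columns: a line without a
    '%ASA-' tag is the continuation of the previous record, and any prompt such as
    'ciscoasa# ' in front of the tag is discarded."""
    records = []
    for line in text.splitlines():
        idx = line.find("%ASA-")
        if idx >= 0:
            records.append(line[idx:])
        elif records:
            records[-1] += line
    return records


def parse_asa_log(text):
    """Return {connection_id: record}. 419001 drops carry no connection ID, so they
    are matched to a connection by the 4-tuple from its Built message (either
    direction)."""
    conns, by_tuple = {}, {}
    for rec_line in unwrap(text):
        m = BUILT_RE.search(rec_line)
        if m:
            cid, _, oip, oport, _, iip, iport = m.groups()
            rec = {"id": int(cid), "outside": f"{oip}/{oport}", "inside": f"{iip}/{iport}",
                   "bytes": None, "flags": None, "mss_drops": 0, "mss": None,
                   "largest_segment": 0}
            conns[int(cid)] = rec
            by_tuple[(oip, oport, iip, iport)] = rec
            continue
        m = TEARDOWN_RE.search(rec_line)
        if m:
            cid, _duration, nbytes, flags = m.groups()
            rec = conns.get(int(cid))
            if rec:
                rec["bytes"], rec["flags"] = int(nbytes), flags.strip()
            continue
        m = DROP_RE.search(rec_line)
        if m:
            _, sip, sport, _, dip, dport, mss, data = m.groups()
            rec = by_tuple.get((sip, sport, dip, dport)) or by_tuple.get((dip, dport, sip, sport))
            if rec:
                rec["mss_drops"] += 1
                rec["mss"] = int(mss)
                rec["largest_segment"] = max(rec["largest_segment"], int(data))
    return conns


def findings(conns):
    """One line per suspicious connection: segments dropped for exceeding the
    recorded MSS, and TCP connections that closed having carried no data."""
    out = []
    for rec in sorted(conns.values(), key=lambda r: r["id"]):
        flow = f"conn {rec['id']} {rec['outside']} -> {rec['inside']}"
        if rec["mss_drops"]:
            out.append(f"{flow}: {rec['mss_drops']} segment(s) of {rec['largest_segment']} bytes "
                       f"dropped, recorded MSS {rec['mss']} "
                       f"(exceeded by {rec['largest_segment'] - rec['mss']})")
        if rec["bytes"] == 0 and rec["flags"]:
            out.append(f"{flow}: closed with 0 bytes ({rec['flags']})")
    return out


if __name__ == "__main__":
    for line in findings(parse_asa_log(SAMPLE_LOG)):
        print(line)
```

Run it with no arguments to process the constructed sample; a real console capture or `show logging` dump goes through `parse_asa_log` the same way. The "exceeded by" figure is how far the peer's segment overshot the MSS the ASA recorded for the connection, which is exactly the condition that `exceed-mss allow` in a tcp-map tells the ASA to tolerate instead of drop.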

Add this:

tcp-map mss-map
 exceed-mss allow
access-list http-list2 extended permit tcp any any
class-map http-map1
 match access-list http-list2
policy-map http-map
 class http-map1
  set connection advanced-options mss-map
service-policy http-map interface outside

I got it after adding the above commands, thanks a lot.

Can you just explain this problem to me, and how you rectified it?

Expecting your valuable reply.

Dileep,

Please have a look at the following links to learn more about your issue.

What is MSS?

http://www.tcpipguide.com/free/t_TCPMaximumSegmentSizeMSSandRelationshiptoIPDatagra.htm

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ft_admss.html

How is it corrected in ASA?

http://www.cisco.com/en/US/docs/security/asa/asa72/system/message/logmsgs.html#wp3089874

Regards,

*Please rate helpful posts and check Resolved My issue checkbox for the post that resolved your issue. Thank You.
