11-18-2008 12:22 AM - last edited on 03-25-2019 05:41 PM by ciscomoderator
hi guys,
I have faced a problem while configuring an ASA 5505 in transparent mode.
I am not able to browse the internet, but I am able to ping the outside (example: www.google.com, ISP DNS: 212.72.23.30).
The ASA 5505 has management IP 192.168.2.76 255.255.255.0.
I also have a D-Link ADSL router which acts as the gateway, 192.168.2.1 255.255.255.0.
I also configured an access list to permit tcp 80 (http) & udp 53 (domain).
Can anyone help me with how to configure the ASA 5505 in transparent mode to get internet access?
I am attaching the configuration also.
: Saved
: Written by enable_15 at 23:23:32.102 UTC Mon Nov 17 2008
!
ASA Version 8.0(2)
!
firewall transparent
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
!
interface Vlan2
nameif outside
security-level 0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list OUTSIDE_IN extended permit tcp any any eq www
access-list OUTSIDE_IN extended permit udp any any eq domain
access-list OUTSIDE_IN extended permit ip any any
pager lines 24
mtu inside 1500
mtu outside 1500
ip address 192.168.2.76 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.2.1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
client-update enable
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:5c7302d5f9e551998f6d06a130073cb1
: end
11-18-2008 07:14 AM
Hello Dileep,
Just to make sure: the clients behind the firewall do have 192.168.2.1, the router's IP, as their default gateway, right? They should NOT have the ASA's IP, 192.168.2.76, as default gateway.
Regards
11-19-2008 04:55 AM
Yes, the client has the default gateway 192.168.2.1, the router's IP.
client IP: 192.168.2.50/24
gateway :192.168.2.1/24
Primary DNS:( ISP ): 212.72.23.30
Secondary DNS: ( ISP ): 212.72.1.186
I can ping eg :( www.google.com )from cmd of client PC
11-19-2008 05:10 AM
Dileep,
If you have ASDM, enable logging in ASDM, or enable console logging on the ASA console; then in cmd on the client run "telnet http://www.google.com 80", see if you get a blank screen, and paste the logs created.
11-19-2008 05:35 AM
Don't put http:// before www.
11-20-2008 02:41 AM
I entered the command "telnet www.google.com 80" in cmd, and I am getting the following log messages:
ciscoasa#
ciscoasa# %ASA-7-609001: Built local-host outside:209.85.129.147
%ASA-6-302013: Built outbound TCP connection 27 for outside:209.85.129.147/80 (209.85.129.147/80) to inside:192.168.2.77/1963 (192.168.2.77/1963)
%ASA-7-609001: Built local-host outside:212.72.23.30
%ASA-6-302015: Built outbound UDP connection 28 for outside:212.72.23.30/53 (212.72.23.30/53) to inside:192.168.2.77/65095 (192.168.2.77/65095)
%ASA-6-302016: Teardown UDP connection 28 for outside:212.72.23.30/53 to inside:192.168.2.77/65095 duration 0:00:00 bytes 168
%ASA-7-609002: Teardown local-host outside:212.72.23.30 duration 0:00:00
%ASA-6-302013: Built outbound TCP connection 29 for outside:209.85.137.125/5222 (209.85.137.125/5222) to inside:192.168.2.77/1964 (192.168.2.77/1964)
%ASA-7-609001: Built local-host outside:72.14.205.189
%ASA-6-302013: Built outbound TCP connection 30 for outside:72.14.205.189/80 (72.14.205.189/80) to inside:192.168.2.77/1966 (192.168.2.77/1966)
%ASA-6-302014: Teardown TCP connection 27 for outside:209.85.129.147/80 to inside:192.168.2.77/1963 duration 0:00:10 bytes 0 TCP FINs
%ASA-7-609002: Teardown local-host outside:209.85.129.147 duration 0:00:10
%ASA-6-302014: Teardown TCP connection 30 for outside:72.14.205.189/80 to inside:192.168.2.77/1966 duration 0:00:00 bytes 414 TCP FINs
%ASA-7-609002: Teardown local-host outside:72.14.205.189 duration 0:00:00
%ASA-4-419001: Dropping TCP packet from outside:209.85.137.125/5222 to inside:192.168.2.77/1964, reason: MSS exceeded, MSS 1260, data 1360
%ASA-4-419001: Dropping TCP packet from outside:209.85.137.125/5222 to inside:192.168.2.77/1964, reason: MSS exceeded, MSS 1260, data 1360
%ASA-4-419001: Dropping TCP packet from outside:209.85.137.125/5222 to inside:192.168.2.77/1964, reason: MSS exceeded, MSS 1260, data 1360
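The log above is the key evidence: the ASA builds the connections fine (302013) but then drops inbound segments on connection 29 with 419001 "MSS exceeded", because the 1360-byte payload is larger than the 1260-byte MSS the inside host advertised. Reading a handful of lines by eye is easy; on a busy firewall you want to correlate each 419001 drop with the 302013 build record for the same flow and see how far over the MSS the segments are. The following Python script does that over a constructed sample built from the messages in this thread. It is an added example written for this page, not code from the thread or from Cisco; the regexes are assumptions about the message layout that match the lines quoted here.

```python
import re
from collections import defaultdict

# Constructed sample: the addresses, ports, MSS and data values are the ones
# quoted in the thread; the line selection is trimmed for the demo.
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 27 for outside:209.85.129.147/80 (209.85.129.147/80) to inside:192.168.2.77/1963 (192.168.2.77/1963)
%ASA-6-302013: Built outbound TCP connection 29 for outside:209.85.137.125/5222 (209.85.137.125/5222) to inside:192.168.2.77/1964 (192.168.2.77/1964)
%ASA-6-302014: Teardown TCP connection 27 for outside:209.85.129.147/80 to inside:192.168.2.77/1963 duration 0:00:10 bytes 0 TCP FINs
%ASA-4-419001: Dropping TCP packet from outside:209.85.137.125/5222 to inside:192.168.2.77/1964, reason: MSS exceeded, MSS 1260, data 1360
%ASA-4-419001: Dropping TCP packet from outside:209.85.137.125/5222 to inside:192.168.2.77/1964, reason: MSS exceeded, MSS 1260, data 1360
%ASA-4-419001: Dropping TCP packet from outside:209.85.137.125/5222 to inside:192.168.2.77/1964, reason: MSS exceeded, MSS 1260, data 1360
"""

# Assumed message layouts, derived from the lines quoted in the thread.
BUILT_RE = re.compile(
    r"%ASA-6-302013: Built (?:outbound|inbound) TCP connection (?P<conn>\d+) for "
    r"(?P<if1>\w+):(?P<ip1>[\d.]+)/(?P<p1>\d+) \([\d.]+/\d+\) to "
    r"(?P<if2>\w+):(?P<ip2>[\d.]+)/(?P<p2>\d+) \([\d.]+/\d+\)"
)
DROP_RE = re.compile(
    r"%ASA-4-419001: Dropping TCP packet from (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sp>\d+) "
    r"to (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dp>\d+), reason: MSS exceeded, "
    r"MSS (?P<mss>\d+), data (?P<data>\d+)"
)


def flow_key(ip_a, port_a, ip_b, port_b):
    """Direction-independent key, so a drop logged outside->inside matches the
    build record that lists the endpoints in the other order."""
    return tuple(sorted([(ip_a, int(port_a)), (ip_b, int(port_b))]))


def analyse(log_text):
    """Return one summary dict per flow that suffered MSS-exceeded drops."""
    conns = {}                 # flow key -> ASA connection id from 302013
    drops = defaultdict(list)  # flow key -> list of 419001 events
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            conns[flow_key(m["ip1"], m["p1"], m["ip2"], m["p2"])] = int(m["conn"])
            continue
        m = DROP_RE.search(line)
        if m:
            key = flow_key(m["sip"], m["sp"], m["dip"], m["dp"])
            drops[key].append({
                "from": f"{m['sif']}:{m['sip']}/{m['sp']}",
                "mss": int(m["mss"]),
                "data": int(m["data"]),
                # how far the segment payload overshot the advertised MSS
                "excess": int(m["data"]) - int(m["mss"]),
            })
    report = []
    for key, events in drops.items():
        report.append({
            "conn_id": conns.get(key),          # None if the build was not in the log
            "sender": events[0]["from"],
            "drops": len(events),
            "advertised_mss": events[0]["mss"],
            "largest_segment": max(e["data"] for e in events),
            "max_excess": max(e["excess"] for e in events),
        })
    return report


if __name__ == "__main__":
    for row in analyse(SAMPLE_LOG):
        print(row)
```

Run against the sample it reports a single affected flow, ASA connection 29 from outside:209.85.137.125/5222, with three drops, an advertised MSS of 1260 and segments of 1360 bytes, i.e. 100 bytes over. The same per-flow view tells you whether the problem is one misbehaving peer or every TCP session through the box, which is what decides whether a tcp-map with exceed-mss allow should be scoped to a narrow access list or applied to all traffic as in the fix below.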
11-20-2008 07:02 AM
Add this
tcp-map mss-map
exceed-mss allow
access-list http-list2 extended permit tcp any any
class-map http-map1
match access-list http-list2
policy-map http-map
class http-map1
set connection advanced-options mss-map
service-policy http-map interface outside
11-22-2008 04:28 AM
I got it, thanks a lot, after adding the above commands.
Can you just explain this problem to me, and how you rectified it?
Expecting your valuable reply.
11-22-2008 08:56 AM
Dileep,
Please have a look at following links to learn more about your issue
What is MSS?
http://www.tcpipguide.com/free/t_TCPMaximumSegmentSizeMSSandRelationshiptoIPDatagra.htm
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ft_admss.html
How is it corrected in ASA?
http://www.cisco.com/en/US/docs/security/asa/asa72/system/message/logmsgs.html#wp3089874
Regards,
*Please rate helpful posts and check Resolved My issue checkbox for the post that resolved your issue. Thank You.