asa firewall issue


hi,

   I'm using an ASA firewall behind a Cisco 3640 series router.

   Complete setup:

       Internet---- cisco router------firewall---coreswitch-----lan users.

  Whenever the LAN users try to browse the internet, they cannot do it, but all the logs are showing in the ASA (inside and outside). What may be the problem?

Jon Marshall Thu, 01/21/2010 - 04:36


hi,

   I'm using an ASA firewall behind a Cisco 3640 series router.

   Complete setup:

       Internet---- cisco router------firewall---coreswitch-----lan users.

  Whenever the LAN users try to browse the internet, they cannot do it, but all the logs are showing in the ASA (inside and outside). What may be the problem?

Could be any number of things.

First thing to check is whether your clients are using private addressing and, if so, whether you are NATing their private addresses to a public IP.

If the outside interface of the ASA has a public IP then the usual method to do this is -

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

Also check you have a default route on the ASA, i.e.

route outside 0.0.0.0 0.0.0.0 <3640 IP address of interface facing ASA>

Jon
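The three checks Jon lists (a nat (inside) entry covering the LAN subnets, a matching global (outside) pool, and a default route out of the outside interface) plus the unapplied access-list he points out later in the thread can be checked mechanically against a saved running-config. The script below is an added example, not code from the thread or from Cisco; it assumes the pre-8.3 nat/global syntax used in the thread, assumes the OP's three LAN networks are /24s, and runs against a constructed config fragment that only resembles the OP's.

```python
"""Check an ASA (pre-8.3 nat/global syntax) config fragment for the basics discussed in the thread."""
import re
from ipaddress import ip_network

# Constructed sample config: assumed to resemble the OP's, not copied from the thread.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.100.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address 100.100.100.2 255.255.255.0
access-list outside_access_in extended permit icmp any any
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
"""

# The OP's three LAN networks; the /24 masks are an assumption.
LAN_SUBNETS = ["192.168.100.0/24", "192.168.103.0/24", "192.168.104.0/24"]

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")
ROUTE_RE = re.compile(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) ")
AG_RE = re.compile(r"^access-group (\S+) in interface (\S+)")
CAP_RE = re.compile(r"^capture \S+ access-list (\S+)")


def parse(config):
    """Pull out the nat, global, default-route, access-list and access-group lines."""
    cfg = {"nats": [], "globals": {}, "routes": [], "acls": set(), "applied": set()}
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAT_RE.match(line):
            ifc, nat_id, net, mask = m.groups()
            try:
                network = ip_network(f"{net}/{mask}", strict=False)
            except ValueError:
                continue  # e.g. "nat (inside) 0 access-list ..." (identity NAT), skipped here
            cfg["nats"].append((ifc, int(nat_id), network))
        elif m := GLOBAL_RE.match(line):
            cfg["globals"].setdefault(int(m.group(2)), []).append(m.group(1))
        elif m := ROUTE_RE.match(line):
            cfg["routes"].append(m.groups())
        elif m := AG_RE.match(line):
            cfg["applied"].add(m.group(1))
        elif m := CAP_RE.match(line):
            cfg["applied"].add(m.group(1))  # consumed by a capture, not meant for an interface
        elif m := ACL_RE.match(line):
            cfg["acls"].add(m.group(1))
    return cfg


def check(config, lan_subnets=LAN_SUBNETS):
    """Return a list of findings; an empty list means the basics are in place."""
    cfg = parse(config)
    findings = []
    for subnet in (ip_network(s) for s in lan_subnets):
        ids = [nat_id for ifc, nat_id, net in cfg["nats"]
               if ifc == "inside" and nat_id != 0 and subnet.subnet_of(net)]
        if not ids:
            findings.append(f"no nat (inside) entry covers {subnet}")
        elif not any("outside" in cfg["globals"].get(i, []) for i in ids):
            findings.append(f"nat id {ids} covering {subnet} has no global (outside) pool")
    if not any(ifc == "outside" for ifc, _gw in cfg["routes"]):
        findings.append("no default route out of the outside interface")
    for name in sorted(cfg["acls"] - cfg["applied"]):
        findings.append(f"access-list {name} is defined but never applied with access-group")
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

On the constructed fragment the NAT side passes (the 0.0.0.0 0.0.0.0 entry covers every LAN subnet and has a matching global), so the only findings are the missing default route and the access-list that is defined but not applied; adding the two lines from the thread clears both.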

August Ritchie Thu, 01/21/2010 - 22:08

What is network that is not able to get out to the internet?

Can you ping one of the hosts on that network from the ASA? If not, you may need a route back from the ASA.


And vice-versa, can you ping from a host to the ASA's interface?

Can you ping your ASAs default gateway from the host? (100.100.100.1)

hi

   We can't reach the internet from any of the networks. The LAN networks are

     (192.168.100.0, 192.168.103.0, 192.168.104.0)

All the networks are pinging from the ASA (firewall), and we can also ping from the LAN networks to the ASA, which has no issue.

At the same time we can ping from a host to the default gateway (100.100.100.1),

but the internet websites are not pinging from the hosts.

Jon Marshall Fri, 01/22/2010 - 02:20


hi

   We can't reach the internet from any of the networks. The LAN networks are

     (192.168.100.0, 192.168.103.0, 192.168.104.0)

All the networks are pinging from the ASA (firewall), and we can also ping from the LAN networks to the ASA, which has no issue.

At the same time we can ping from a host to the default gateway (100.100.100.1),

but the internet websites are not pinging from the hosts.

In your ASA config you haven't actually applied any of the access-lists to any of the interfaces. To get ping working add this to your config -

access-group outside_access_in in interface outside

Jon

August Ritchie Fri, 01/22/2010 - 05:28

Well the fact that you can ping the host (100.100.100.1) from the hosts means that traffic is going out of the ASA and returning correctly.

This generally means it's not an ASA problem. If you can ping the ASAs default gateway then we know that you must be natting out and that traffic knows how to get back to you from 100.100.100.1.

The question now is can you ping from your ASA to 4.2.2.2?

August Ritchie Fri, 01/22/2010 - 07:32

Try this. Do this capture and post the results back. The IP provided is a test site, gizmodo.com.

access-list capture permit ip any host 69.60.7.199

access-list capture permit ip host 69.60.7.199 any

capture capin access-list capture interface inside

capture capout access-list capture interface outside

Then initiate the connection from a PC that doesn't work by putting 69.60.7.199 in your browser.

Issue a 'show cap capin' and 'show cap capout'.
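The reason for taking the capture on both interfaces is that comparing the two tells you which side of the ASA the traffic is lost on. The script below is an added example, not from the thread or from Cisco: it parses 'show capture' output (the line format is approximated from memory, so treat PKT_RE as an assumption), counts packets towards and back from the test host on each interface, and maps the four possible combinations to where to look next. The sample captures are constructed and show the case where the client's SYNs reach the inside interface but nothing ever appears on the outside.

```python
"""Compare 'show capture capin' and 'show capture capout' output to localise a failure."""
import re

TARGET = "69.60.7.199"  # the test host from the thread

# Constructed samples in the style of ASA 'show capture' output (format approximated).
SAMPLE_CAPIN = """\
3 packets captured
   1: 10:15:01.100000 192.168.100.5.51000 > 69.60.7.199.80: S 1000:1000(0) win 8192
   2: 10:15:04.100000 192.168.100.5.51000 > 69.60.7.199.80: S 1000:1000(0) win 8192
   3: 10:15:10.100000 192.168.100.5.51000 > 69.60.7.199.80: S 1000:1000(0) win 8192
3 packets shown
"""
SAMPLE_CAPOUT = """\
0 packet captured
0 packet shown
"""

# "<n>: <timestamp> <src>[.<port>] > <dst>[.<port>]: ..." -- assumed layout of a packet line
PKT_RE = re.compile(r"^\s*\d+:\s+\S+\s+(\S+)\s+>\s+(\S+):")


def host_of(endpoint):
    """Strip a trailing TCP/UDP port ('a.b.c.d.port'); ICMP lines carry the bare address."""
    fields = endpoint.split(".")
    return ".".join(fields[:4]) if len(fields) == 5 else endpoint


def count_flows(capture_text, target):
    """Return (packets sent to target, packets coming back from target)."""
    to_target = from_target = 0
    for line in capture_text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue  # header/footer lines such as "3 packets captured"
        src, dst = host_of(m.group(1)), host_of(m.group(2))
        if dst == target:
            to_target += 1
        elif src == target:
            from_target += 1
    return to_target, from_target


def diagnose(capin, capout, target):
    """Map what each interface saw to the segment that is dropping the traffic."""
    in_to, in_from = count_flows(capin, target)
    out_to, out_from = count_flows(capout, target)
    if in_to == 0:
        return ("client", "nothing from the client reached the inside interface: "
                          "check the PC's gateway and the core switch routing")
    if out_to == 0:
        return ("asa-egress", "client packets arrive on inside but never leave outside: "
                              "nat/global, the default route or an ACL on the ASA")
    if out_from == 0:
        return ("upstream", "translated packets leave outside but nothing comes back: "
                            "the 3640 or the ISP, e.g. no return route for the NAT address")
    if in_from == 0:
        return ("asa-return", "replies reach outside but are not forwarded to inside: "
                              "the ASA is dropping the return traffic")
    return ("ok", "traffic is passing both interfaces in both directions; the ASA is not the problem")


if __name__ == "__main__":
    stage, advice = diagnose(SAMPLE_CAPIN, SAMPLE_CAPOUT, TARGET)
    print(f"[{stage}] {advice}")
```

Paste the real 'show cap capin' and 'show cap capout' output into the two strings; the stage label tells you whether to keep looking at the ASA or move to the router in front of it.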

Hi

      I tried this capture command in the ASA firewall.

The mentioned IP address is pinging in the firewall; at the same time I tried both the website name and the IP, but they are not pinging from our PCs (LAN networks).

Meanwhile, I can tell you that all the websites are pinging from the firewall's point of view, but browsing (HTTP) is not happening from any of the networks.
