01-21-2010 03:17 AM - edited 03-11-2019 09:59 AM
Hi,
I'm using an ASA firewall behind a Cisco 3640 series router.
Complete setup:
Internet---- cisco router------firewall---coreswitch-----lan users.
Whenever the LAN users try to browse the internet, they are not able to, although all the logs are showing in the ASA (inside and outside). What may be the problem?
01-21-2010 04:36 AM
Could be any number of things.
First thing to check is whether your clients are using private addressing and, if so, whether you are NATting their private addresses to a public IP.
If the outside interface of the ASA has a public IP then the usual method to do this is -
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
Also check you have a default route on the ASA, i.e.
route outside 0.0.0.0 0.0.0.0 <3640 IP address of interface facing ASA>
Jon
01-21-2010 09:19 PM
01-21-2010 10:08 PM
What is the network that is not able to get out to the internet?
Can you ping one of the hosts on that network from the ASA? If not, you may need a route back from the ASA.
And vice-versa, can you ping from a host to the ASA's interface?
Can you ping your ASA's default gateway from the host? (100.100.100.1)
01-22-2010 12:03 AM
Hi,
We are not able to reach the internet from any of the networks. The LAN networks are
(192.168.100.0, 192.168.103.0, 192.168.104.0).
All the networks are pinging from the ASA (firewall), and we are also pinging from the LAN networks to the ASA, which has no issue.
At the same time we are pinging from the host to the default gateway (100.100.100.1),
but the internet websites are not pinging from the hosts.
01-22-2010 02:20 AM
In your ASA config you haven't actually applied any of the access-lists to any of the interfaces. To get ping working add this to your config -
access-group outside_access_in in interface outside
Jon
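An added example, not part of the original posts and not a Cisco tool: a small offline check of a saved running-config for the three items raised in the replies above (a nat rule with a matching global ID, a default route on the outside interface, and access-lists that are defined but never applied with access-group). The function name, the sample config and the interface name "outside" are assumptions for illustration.

```python
# Constructed sample in the pre-8.3 ASA syntax used in this thread (not the poster's config).
SAMPLE_CONFIG = """\
access-list outside_access_in extended permit icmp any any echo-reply
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 192.168.103.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 2 interface
route inside 192.168.103.0 255.255.255.0 192.168.100.254
"""


def audit_asa_config(text, outside="outside"):
    """Return findings for the NAT, default-route and access-group checks."""
    nat_ids, global_ids = {}, set()
    acls, applied, referenced, default_routes = set(), set(), set(), set()
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "access-list" and len(tok) > 1:
            acls.add(tok[1])
            continue
        if "access-list" in tok[:-1]:  # ACL used by nat 0, capture, etc.
            referenced.add(tok[tok.index("access-list") + 1])
        if tok[0] == "nat" and len(tok) > 2:
            nat_ids.setdefault(tok[2], tok[1].strip("()"))
        elif tok[0] == "global" and len(tok) > 2:
            global_ids.add(tok[2])
        elif tok[0] == "access-group" and len(tok) > 1:
            applied.add(tok[1])
        elif tok[0] == "route" and tok[2:4] == ["0.0.0.0", "0.0.0.0"]:
            default_routes.add(tok[1])
    findings = []
    for nat_id, ifc in sorted(nat_ids.items()):
        # ID 0 is NAT exemption and needs no matching global pool.
        if nat_id != "0" and nat_id not in global_ids:
            findings.append(f"nat ({ifc}) {nat_id} has no global with ID {nat_id}")
    if outside not in default_routes:
        findings.append(f"no default route on {outside}")
    for name in sorted(acls - applied - referenced):
        findings.append(f"access-list {name} is not applied by any access-group")
    for name in sorted(applied - acls):
        findings.append(f"access-group references undefined access-list {name}")
    return findings


if __name__ == "__main__":
    for finding in audit_asa_config(SAMPLE_CONFIG):
        print(finding)
```

An access-list referenced only by nat 0 or a capture is treated as in use, so it is not reported as unapplied.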
01-22-2010 05:28 AM
Well, the fact that you can ping the host (100.100.100.1) from the hosts means that traffic is going out of the ASA and returning correctly.
This generally means it's not an ASA problem. If you can ping the ASA's default gateway then we know that you must be NATting out and that traffic knows how to get back to you from 100.100.100.1.
The question now is can you ping from your ASA to 4.2.2.2?
01-22-2010 07:17 AM
I'm extremely sorry for the trouble, because the LAN users are not able to ping 100.100.100.1.
They are pinging the inside interface of the ASA firewall.
Please advise.
01-22-2010 07:32 AM
Try this. Do this capture and post the results back. The IP provided is a test site called gizmodo.com
access-list capture permit ip any host 69.60.7.199
access-list capture permit ip host 69.60.7.199 any
capture capin access-list capture interface inside
capture capout access-list capture interface outside
Then initiate the connection from a PC that doesn't work by putting 69.60.7.199 in your browser.
Issue a 'show cap capin' and 'show cap capout'
01-22-2010 10:10 PM
Hi,
I tried this capture command on the ASA firewall.
The mentioned IP address is pinging from the firewall; at the same time I tried both the website name and the IP, but they are not pinging from our PCs (LAN networks).
Meanwhile, I should let you know that all the websites are pinging from the firewall's point of view, but browsing (HTTP) is not happening from any of the networks.