unable to reach outside network

hyundai_mum
Level 1

Hi,

LAN users are unable to access an outside network which is permitted in the access list, but if I try to access the same network from the outside interface I can access that network.

Find below the configuration done on the firewall:

FW-HyundaiHMM# show run
: Saved
:
PIX Version 8.0(3)
!
hostname FW-HyundaiHMM
enable password f1/B5iV9rJ.dvsDE encrypted
names
dns-guard
!
interface Ethernet0
 description P2P link
 speed 100
 duplex full
 nameif outside1
 security-level 0
 ip address 172.23.15.11 255.255.255.0
!
interface Ethernet1
 description LAN interface
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.10.11 255.255.255.0
!
interface Ethernet2
 description Internet Gateway
 speed 100
 duplex full
 nameif outside2
 security-level 0
 ip address 24.0.0.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system flash:/pix803.bin
ftp mode passive
clock timezone IST 5 30
same-security-traffic permit inter-interface
!
access-list icmpacl extended permit icmp any 192.168.10.0 255.255.255.0
access-list acl_inside extended permit tcp 192.168.10.0 255.255.255.0 any eq www
access-list acl_inside extended permit tcp 192.168.10.0 255.255.255.0 any eq https
access-list acl_outside extended permit tcp any 192.168.10.0 255.255.255.0 eq www
access-list acl_outside extended permit tcp any 192.168.10.0 255.255.255.0 eq https
pager lines 24
logging enable
logging asdm informational
logging host inside 172.23.15.33
mtu outside1 1500
mtu inside 1500
mtu outside2 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-603.bin
no asdm history enable
arp timeout 14400
access-group icmpacl in interface outside1
access-group acl_inside in interface inside
access-group acl_outside out interface inside
access-group icmpacl in interface outside2
!
route outside2 0.0.0.0 0.0.0.0 24.0.0.2 1
route outside1 203.242.32.0 255.255.255.0 172.23.15.254 1
route outside1 203.242.35.0 255.255.255.0 172.23.15.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.23.15.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 172.23.15.0 255.255.255.0 outside1
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 30
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map icmp-class
 match access-list icmpacl
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
 class icmp-class
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2479f6a773b36ca416012b410e6c5a93
: end

I am not using interface Ethernet2.

Thanks in advance if anybody can help me sort out this error.

Hasmukh

7 Replies

Jennifer Halim
Cisco Employee

I am not sure how it will work if you don't use ethernet2 because your default gateway is pointing out towards ethernet2 interface (outside2). If you are not using ethernet2, which interface is connected to the internet?

You would also need to configure NAT to access the internet. Assuming that you are going to use ethernet2, then the following needs to be configured:

nat (inside) 1 0 0

global (outside2) 1 interface

If you are using the other outside1 interface instead for internet access, you would need to change the default route towards this interface. Then configure the NAT statements as well:

nat (inside) 1 0 0

global (outside1) 1 interface

Please also remove "access-group acl_outside out interface inside" for simplicity to start with.

Hope that helps.

Hi halijenn,

Thanks for your help. I made the changes to the default route, and NAT is done on my router, so I don't need to configure NAT on the firewall. But the situation is the same: LAN users are unable to access the outside network. Find the config below.

FW-HyundaiHMM# show run
: Saved
:
PIX Version 8.0(3)
!
hostname FW-HyundaiHMM
enable password f1/B5iV9rJ.dvsDE encrypted
names
dns-guard
!
interface Ethernet0
 description P2P link
 speed 100
 duplex full
 nameif outside1
 security-level 0
 ip address 172.23.15.11 255.255.255.0
!
interface Ethernet1
 description LAN interface
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.10.11 255.255.255.0
!
interface Ethernet2
 description Internet Gateway
 speed 100
 duplex full
 nameif outside2
 security-level 0
 ip address 24.0.0.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system flash:/pix803.bin
ftp mode passive
clock timezone IST 5 30
same-security-traffic permit inter-interface
!
access-list icmpacl extended permit icmp any 192.168.10.0 255.255.255.0
access-list acl_inside extended permit tcp 192.168.10.0 255.255.255.0 any eq www
access-list acl_inside extended permit tcp 192.168.10.0 255.255.255.0 any eq https
pager lines 24
logging enable
logging asdm informational
logging host outside1 172.23.15.33
mtu outside1 1500
mtu inside 1500
mtu outside2 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-603.bin
no asdm history enable
arp timeout 14400
access-group icmpacl in interface outside1
access-group acl_inside in interface inside
!
!
route outside1 0.0.0.0 0.0.0.0 172.23.15.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.23.15.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 172.23.15.0 255.255.255.0 outside1
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 30
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map icmp-class
 match access-list icmpacl
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
 class icmp-class
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:f28faf8c4283d5edc723fe18134aebd4
: end
FW-HyundaiHMM#

I am not using the Ethernet2 interface.

Hasmukh

You also need to configure the following on the ASA:

no nat-control

Then "clear xlate"

Also, I assume that your router has a route for 192.168.10.0/24 pointing back towards the ASA outside1 interface (172.23.15.11), and that the NATing on the router also includes the 192.168.10.0/24 subnet?

Hi halijenn,

I configured no nat-control and clear xlate. I am sorry to have provided incomplete info; the topology is as below:

LAN--FIREWALL--SWITCH(unmanageable)-ROUTER

So I don't need to have a route back to the firewall.

Do you find anything else which I can configure on the firewall so it can work as I desire?

Thanks once again.

Hasmukh

Of course you need a route back on the router for the firewall LAN; otherwise, how would the router know where to route the 192.168.10.0/24 subnet?

Alternatively, you can just PAT on the ASA and since the router will be in the same subnet as the outside1 interface, that will take care of it.

nat (inside) 1 0 0

global (outside1) 1 interface

Hi halijenn,

Thanks for your prompt support. As I don't have access to the router, I can't configure a route back to the firewall, but I configured NAT as you suggested. Find the firewall configuration below.

FW-HyundaiHMM# show run
: Saved
:
PIX Version 8.0(3)
!
hostname FW-HyundaiHMM
enable password f1/B5iV9rJ.dvsDE encrypted
names
dns-guard
!
interface Ethernet0
 description P2P link
 speed 100
 duplex full
 nameif outside1
 security-level 0
 ip address 172.23.15.11 255.255.255.0
!
interface Ethernet1
 description LAN interface
 speed 100
 duplex full
 nameif inside
 security-level 50
 ip address 192.168.10.11 255.255.255.0
!
interface Ethernet2
 description Internet Gateway
 speed 100
 duplex full
 nameif outside2
 security-level 0
 ip address 24.0.0.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system flash:/pix803.bin
ftp mode passive
clock timezone IST 5 30
same-security-traffic permit inter-interface
!
access-list icmpacl extended permit icmp any 192.168.10.0 255.255.255.0
access-list acl_inside extended permit tcp 192.168.10.0 255.255.255.0 any eq www
access-list acl_inside extended permit tcp 192.168.10.0 255.255.255.0 any eq https
pager lines 24
logging enable
logging asdm informational
logging host inside 172.23.15.33
mtu outside1 1500
mtu inside 1500
mtu outside2 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside1) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group icmpacl in interface outside1
access-group acl_inside in interface inside
route outside1 0.0.0.0 0.0.0.0 172.23.15.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.23.15.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 172.23.15.0 255.255.255.0 outside1
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 30
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map icmp-class
 match access-list icmpacl
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
 class icmp-class
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a1539d1ca9ff673af0f23f1ffa2d099e
: end
FW-HyundaiHMM#

Still, LAN users cannot access the outside network. Are there any other configuration changes I can do on the firewall?

Thanks,

Hasmukh

Are you just testing browsing the Internet? Are you able to ping from the internal network? Can you ping the Internet from the ASA itself? Where is the DNS server, internal or external, and is it able to perform DNS resolution?

Can you test by configuring the following ACL:

access-list acl_inside extended permit ip 192.168.10.0 255.255.255.0 any
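As an added check that is not part of this thread, the small Python linter below pulls the pre-8.3 PIX/ASA statements the replies above turned on (the default route's egress interface, the nat/global pair, an access-group applied outbound on inside, nat-control) out of a show run and reports the mismatches discussed here. The two embedded config excerpts are constructed to mirror the first and last configs posted; the unused_ifaces parameter and the finding strings are this example's own.

```python
import re

# Constructed excerpts modelled on the thread's first and last configs (not the poster's full output).
FIRST_CONFIG = """\
access-group acl_inside in interface inside
access-group acl_outside out interface inside
route outside2 0.0.0.0 0.0.0.0 24.0.0.2 1
"""
FINAL_CONFIG = """\
global (outside1) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group acl_inside in interface inside
route outside1 0.0.0.0 0.0.0.0 172.23.15.254 1
"""

def parse(config):
    """Collect the pre-8.3 PIX/ASA statements that decide whether LAN traffic can leave."""
    facts = {"default_if": None, "nat": {}, "global": {}, "out_acl_inside": [], "nat_control": False}
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"route (\S+) 0\.0\.0\.0 0\.0\.0\.0 \S+", line):
            facts["default_if"] = m.group(1)               # interface the default route exits
        elif m := re.match(r"nat \((\S+)\) (\d+) ", line):
            facts["nat"][m.group(1)] = int(m.group(2))     # nat id per source interface
        elif m := re.match(r"global \((\S+)\) (\d+) ", line):
            facts["global"][m.group(1)] = int(m.group(2))  # nat id per egress interface
        elif m := re.match(r"access-group (\S+) out interface inside$", line):
            facts["out_acl_inside"].append(m.group(1))
        elif line == "nat-control":
            facts["nat_control"] = True
    return facts

def findings(config, unused_ifaces=()):
    """Return human-readable mismatches; an empty list means nothing this check knows about."""
    f = parse(config)
    out = []
    egress = f["default_if"]
    if egress is None:
        out.append("no default route configured")
    elif egress in unused_ifaces:
        out.append(f"default route exits {egress}, which is not in use")
    nat_id = f["nat"].get("inside")
    if f["nat_control"] and nat_id is None:
        out.append("nat-control is enabled but there is no nat (inside) statement")
    if nat_id is not None and egress and f["global"].get(egress) != nat_id:
        out.append(f"nat (inside) {nat_id} has no matching global ({egress}) {nat_id}")
    for acl in f["out_acl_inside"]:
        out.append(f"access-group {acl} is applied out on inside; remove while troubleshooting")
    return out
```

Running findings(FIRST_CONFIG, unused_ifaces=("outside2",)) reports the unused default-route interface and the outbound ACL, while FINAL_CONFIG comes back clean; the remaining return-path question (a route on the router or PAT on the firewall) is not visible in the firewall config alone.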
