Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1060
Views
0
Helpful
9
Replies

asa firewall issue

manivelengg
Level 1
Level 1

‎01-21-2010 03:17 AM - edited ‎03-11-2019 09:59 AM

hi,

   Im using ASA firewall behind cisco series 3640 router.

   Complete setup:

       Internet---- cisco router------firewall---coreswitch-----lan users.

  whenever the lanusers trying to browse the internet,they can not able to do it but all the logs are showing in asa(inside and outside) but they cant do it.What may be the problem.

Labels:
0 Helpful
9 Replies 9

Jon Marshall
Hall of Fame
Hall of Fame

‎01-21-2010 04:36 AM 

manivelengg@gmail.com
hi,
   Im using ASA firewall behind cisco series 3640 router.
   Complete setup:
       Internet---- cisco router------firewall---coreswitch-----lan users.
  whenever the lanusers trying to browse the internet,they can not able to do it but all the logs are showing in asa(inside and outside) but they cant do it.What may be the problem.

Could be any number of things.

First thing to check is are your clients using private addressing and if so are you Natting their private addresses to a public IP.

If the outside interface of the ASA has a public IP then the usual method to do this is -

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

Also check you have a default-route on the ASA ie.

route (outside) 0.0.0.0 0.0.0.0  <3640 IP address of interface facing ASA>

Jon

0 Helpful

manivelengg
Level 1
Level 1
In response to Jon Marshall

‎01-21-2010 09:19 PM

hi

  i checked the asa inside and outside nat and default route.all are correct.I have attached the firewall config(asa).

60256-ASA Firewall Current Config.txt.zip
0 Helpful

August Ritchie
Level 1
Level 1
In response to manivelengg

‎01-21-2010 10:08 PM

What is network that is not able to get out to the internet?

Can you ping one of the hosts on that network from the ASA? If not, you may need a route back from the ASA.


And vice-versa, can you ping from a host to the ASA's interface?

Can you ping your ASAs default gateway from the host? (100.100.100.1)

0 Helpful

manivelengg
Level 1
Level 1
In response to August Ritchie

‎01-22-2010 12:03 AM

hi

   we cant able to reach the internet from all the networks.Below lan networks are

     (192.168.100.0,192.168.103.0,192.168.104.0)

all the networks are pinging from asa(firewall)  as well as we are pinging from lan networks to asa which has not issue

At the same time we are pinging from host to default gateway(100.100.100.1)

but the internet websites are not pinging from hosts.

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to manivelengg

‎01-22-2010 02:20 AM 

manivelengg@gmail.com
hi
   we cant able to reach the internet from all the networks.Below lan networks are
     (192.168.100.0,192.168.103.0,192.168.104.0)
all the networks are pinging from asa(firewall)  as well as we are pinging from lan networks to asa which has not issue
 At the same time we are pinging from host to default gateway(100.100.100.1)
but the internet websites are not pinging from hosts.

In your ASA config you haven't actually applied any of the access-list to any of the interfaces. To get ping working add this to your config -

access-group outside_access_in in interface outside

Jon

0 Helpful

August Ritchie
Level 1
Level 1
In response to Jon Marshall

‎01-22-2010 05:28 AM

Well the fact that you can ping the host (100.100.100.1) from the hosts means that traffic is going out of the ASA and returning correctly.

This generally means it's not an ASA problem. If you can ping the ASAs default gateway then we know that you must be natting out and that traffic knows how to get back to you from 100.100.100.1.

The question now is can you ping from your ASA to 4.2.2.2?

0 Helpful

manivelengg
Level 1
Level 1
In response to August Ritchie

‎01-22-2010 07:17 AM

im extremely sorry for the troule bacause the lan users not able to ping 100.100.100.1.

They are pinging inside interface of the asa firewall inside.

plz suggest me.

0 Helpful

August Ritchie
Level 1
Level 1
In response to manivelengg

‎01-22-2010 07:32 AM

Try this. Do this capture and post the results back. The ip provided is a test site called gizmodo.com

access-list capture permit ip any host 69.60.7.199

access-list capture permit ip host 69.60.7.199 any

capture capin access-list capture interface inside

capture capout access-list capture interface outside

Then initiate the connection from a PC that doesn't work by putting 69.60.7.199 in your browser.

Issue a 'show cap capin' and 'show cap capout'

0 Helpful

manivelengg
Level 1
Level 1
In response to August Ritchie

‎01-22-2010 10:10 PM

Hi

      i tried this capture command in asa firwall.

the mentioned ip address is pinging in firewall at the same time the i tried both website name and ip but not pinging from our pc(lan networks)

meanwhile i intimate you all the websites are pinging from firewall point of view but the browsing(http) is not happening from all the networks.

60276-cap capin.txt.zip
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card