DNS issue or something else?

ecala
Level 1

Hello,

I'm kind of new to ASAs. I'm running into an issue where my PC is able to ping outside to the internet but is not able to access web pages using an IP address or a URL. Below are my configs for the router, switch and firewall. Any help will be greatly appreciated. Thx!

                  

ASA Version 9.1(3)
!
hostname Staway
enable password 2KFQnbNIdI.2KYOU encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface Ethernet0/0      --------------> To Router
!
interface Ethernet0/1      --------------> To switch
switchport access vlan 20
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif management
security-level 0
ip address 10.10.10.2 255.255.255.248
!
interface Vlan20
nameif inside
security-level 100
ip address 10.10.0.29 255.255.255.224
!
ftp mode passive
dns domain-lookup management
dns domain-lookup inside
dns server-group DefaultDNS
name-server 8.8.8.8
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
route management 0.0.0.0 0.0.0.0 10.10.10.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.10.0.1 255.255.255.255 management
http 10.10.0.5 255.255.255.255 management
http 10.10.10.5 255.255.255.255 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd address 10.10.0.1-10.10.0.18 inside
dhcpd lease 10000 interface inside
dhcpd domain Abstract interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password f3UhLvUj1QsXsuK7 encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:ded86308fbb7db5f1d66495b071fe1

router
*******


interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0      --------------> to ISP
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1    ----------------> to firewall
ip address 10.10.10.1 255.255.255.248
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 101 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
ip route 10.10.0.0 255.255.255.224 10.10.10.2
ip route 10.10.10.0 255.255.255.248 10.10.10.2
!
!
!
access-list 101 permit ip 10.10.0.0 0.0.255.255 any


switch
***********
interface FastEthernet0/1 --------------------------> to router
!       
interface FastEthernet0/2 --------------------------> to PC
!
interface Vlan1
description LAN Network
ip address 10.10.10.28 255.255.255.224

1 Accepted Solution


Jouni Forss
VIP Alumni

Hi,

You don't at least have DNS servers configured for your ASA DHCP.

dhcpd dns

- Jouni
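
A check for the gap named in the accepted answer, as an added example that is not part of the original thread: it scans an ASA configuration for interfaces where the DHCP server is enabled but no DNS server is handed to clients. The function name is hypothetical, the `WITH_DNS` variant is constructed, and reusing 8.8.8.8 (the resolver in the posted DefaultDNS group) for clients is an assumption.

```python
import re

# dhcpd lines copied from the ASA config posted in the question.
POSTED = """\
dhcpd address 10.10.0.1-10.10.0.18 inside
dhcpd lease 10000 interface inside
dhcpd domain Abstract interface inside
dhcpd enable inside
"""

# Constructed variant: same scope plus a DNS option. 8.8.8.8 is the resolver
# from the posted DefaultDNS group; using it for clients is an assumption.
WITH_DNS = POSTED + "dhcpd dns 8.8.8.8 interface inside\n"

# Matches only lines that start with 'dhcpd', so 'no dhcpd ...' is ignored.
_DHCPD = re.compile(r"^\s*dhcpd\s+(\S+)\s*(.*)$")


def dhcp_scopes_without_dns(config_text):
    """Return interfaces with 'dhcpd enable' but no DNS server offered to clients."""
    enabled = []          # interfaces running the DHCP server, in config order
    dns_ifaces = set()    # interfaces with their own 'dhcpd dns' / 'dhcpd auto_config'
    global_dns = False    # 'dhcpd dns' / 'dhcpd auto_config' without 'interface'
    for line in config_text.splitlines():
        m = _DHCPD.match(line)
        if not m:
            continue
        keyword, rest = m.group(1), m.group(2).split()
        if keyword == "enable" and rest:
            enabled.append(rest[0])
        elif keyword in ("dns", "auto_config") and rest:
            # A bare 'dhcpd dns' with no server argument does not count.
            if "interface" in rest[:-1]:
                dns_ifaces.add(rest[rest.index("interface") + 1])
            else:
                global_dns = True
    if global_dns:
        return []
    return [name for name in enabled if name not in dns_ifaces]


if __name__ == "__main__":
    print("posted config:", dhcp_scopes_without_dns(POSTED))
    print("with dhcpd dns:", dhcp_scopes_without_dns(WITH_DNS))
```
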

Thank You!
