Not able to surf the internet

Hi all,

Please help: this one server is not able to surf the internet (port 80), although it is able to establish a site-to-site VPN with the other office. It seems to me that all the config is right, but I might have missed something... I post the config below (I deleted most of the object and VPN config).

: Saved
:
ASA Version 8.0(4)
!
hostname asalot10
enable password aY encrypted
passwd 2K encrypted
names
name 172.17.100.22 NAVNew
name 172.27.17.215 NECUser
name 172.47.1.10 NarayaServer
name 62.x.x.172 NarayaTelco1
name 62.x.x.178 NarayaTelco2
name 172.57.1.10 IPVSSvr description IPVSSvr
name 122.152.181.147 Japan01
name 122.152.181.0 Japan02
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 60.x.x.50 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.27.17.100 255.255.0.0
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.5.1 255.255.255.0
 management-only
!
regex domainlist1 "\.youtube\.com"
regex domainlist2 "\.facebook\.com"
ftp mode passive
clock timezone SGT 8
access-list inside_access_in extended deny ip any Japan02 255.255.255.0
access-list inside_access_in extended deny tcp object-group PermitInternet any object-group torrent1
access-list inside_access_in extended permit ip object-group PermitInternet any
access-list inside_access_in extended permit ip host NarayaServer any
access-list inside_access_in extended permit ip host IPVSSvr any
access-list inside_access_in extended permit ip host NAVNew any
access-list inside_access_in extended permit ip host 172.17.100.30 any
access-list outside_access_in extended permit object-group NECareService object-group NECare any
access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 host NarayaServer
access-list outside_1_cryptomap extended permit ip host NarayaServer object-group Nry_Png
access-list outside_1_cryptomap extended permit ip host NAVNew host 192.168.1.2
access-list outsidein extended permit tcp any host 60.x.x.50 eq https
access-list outsidein extended permit tcp object-group DM_INLINE_NETWORK_2 host 60.x.x.50 eq 8080
access-list outsidein extended permit ip object-group DM_INLINE_NETWORK_3 host IPVSSvr
access-list outsidein extended permit object-group rdp any host 60.x.x.50
access-list inside_mpc extended permit object-group TCPUDP any any eq www
access-list inside_mpc extended permit tcp any any eq www
access-list inside_nat0_outbound extended permit ip host NarayaServer any
access-list inside_nat0_outbound extended permit ip any 172.27.17.240 255.255.255.248
pager lines 24
logging enable
logging list a1 level debugging
logging asdm informational
logging host inside NAVNew
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool lot10ippool 172.27.17.240-172.27.17.245 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 8080 NarayaServer 8080 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 NAVNew 3389 netmask 255.255.255.255
access-group outsidein in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 60.x.x.49 1
route inside 172.17.100.20 255.255.255.255 172.27.17.100 1
route inside NAVNew 255.255.255.255 172.27.17.100 1
route inside 172.17.100.30 255.255.255.255 172.27.17.100 1
route inside NarayaServer 255.255.255.255 172.27.17.100 1
route inside 172.47.1.11 255.255.255.255 172.27.17.100 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.5.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 outside
http NAVNew 255.255.255.255 inside
http 172.17.100.30 255.255.255.255 inside


Jouni Forss

Hi,

What is the IP address of the server that isn't able to access the Internet? You didn't mention the IP address.

If everything else works at the moment, then it would seem that either the server has its network settings configured incorrectly or an ACL is blocking the connections on the firewall.

- Jouni

Oops..

The server is NarayaServer, 172.47.1.10.

The server itself has a site-to-site VPN established, but locally it can't do HTTP.

Hi,

I guess we could try using the "packet-tracer" command to show what configuration the server matches on the ASA.

packet-tracer input inside tcp 172.47.1.10 12345 8.8.8.8 80

Do you mean that the ASA has an L2L VPN established which the server 172.47.1.10 uses?

- Jouni

hi,

Yup, correct, the server (172.47.1.10) has an L2L VPN established.

Below is the result of packet-tracer:

----

asalot10# packet-tracer input inside tcp 172.47.1.10 12345 8.8.8.8 80

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip host NarayaServer any
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: inspect-http
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip inside host NarayaServer outside any
    NAT exempt
    translate_hits = 13760, untranslate_hits = 240
Additional Information:

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp interface 8080 NarayaServer 8080 netmask 255.255.255.255
  match tcp inside host NarayaServer eq 8080 outside any
    static translation to 60.54.140.50/8080
    translate_hits = 0, untranslate_hits = 68
Additional Information:

Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 10 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 10 (60.54.140.50 [Interface PAT])
    translate_hits = 1965839, untranslate_hits = 571759
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2074376, packet dispatched to next module

Phase: 11
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 60.54.140.49 using egress ifc outside
adjacency Active
next-hop mac address 0004.ed1d.f265 hits 939

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
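The trace above is allowed end to end, yet Phase 6 (NAT-EXEMPT) matched "inside host NarayaServer outside any", which is exactly what the later replies identify as the cause: the flow leaves the outside interface with 172.47.1.10 as its source and no translation at all. As an added example that is not part of the original thread, here is a Python script that parses packet-tracer output into phases, works out which translation actually applies (a NAT-EXEMPT hit wins over the static and dynamic NAT phases, and the "host-limits" NAT subtype only checks connection limits) and flags an exemption whose destination is a bare "any". The sample text is an abbreviated copy of the output posted above; the second trace, with the NAT-EXEMPT phase cut out, is constructed to show what the box reports once that exemption no longer matches.

```python
import re

# Abbreviated copy of the packet-tracer output posted above (constructed sample:
# phases that carry no NAT information are left out, the rest is verbatim).
SAMPLE_TRACE = """\
asalot10# packet-tracer input inside tcp 172.47.1.10 12345 8.8.8.8 80

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip host NarayaServer any
Additional Information:

Phase: 6
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip inside host NarayaServer outside any
    NAT exempt
    translate_hits = 13760, untranslate_hits = 240
Additional Information:

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp interface 8080 NarayaServer 8080 netmask 255.255.255.255
  match tcp inside host NarayaServer eq 8080 outside any
    static translation to 60.54.140.50/8080
    translate_hits = 0, untranslate_hits = 68
Additional Information:

Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 10 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 10 (60.54.140.50 [Interface PAT])
    translate_hits = 1965839, untranslate_hits = 571759
Additional Information:

Result:
input-interface: inside
output-interface: outside
Action: allow
"""

# Constructed variant: the same trace with the NAT-EXEMPT phase removed, i.e. what the
# ASA would report once the overbroad nat0 line no longer matches this flow.
FIXED_TRACE = re.sub(r"Phase: 6\n.*?(?=Phase: 7\n)", "", SAMPLE_TRACE, flags=re.S)


def parse_flow(trace):
    """Pull the traced 5-tuple back out of the packet-tracer command line."""
    m = re.search(r"packet-tracer input (\S+) (\S+) (\S+) (\d+) (\S+) (\d+)", trace)
    ifc, proto, src, sport, dst, dport = m.groups()
    return {"ifc": ifc, "proto": proto, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport)}


def parse_phases(trace):
    """Split the trace into phases: type, subtype, result and the Config: lines."""
    phases, cur, in_config = [], None, False
    for line in trace.splitlines():
        s = line.strip()
        if s.startswith("Phase:"):
            cur = {"type": "", "subtype": "", "result": "", "config": []}
            phases.append(cur)
            in_config = False
        elif cur is None:
            continue
        elif s.startswith("Type:"):
            cur["type"] = s.split(":", 1)[1].strip()
        elif s.startswith("Subtype:"):
            cur["subtype"] = s.split(":", 1)[1].strip()
        elif s.startswith("Result:"):
            value = s.split(":", 1)[1].strip()
            if value:
                cur["result"] = value
            else:                # a bare "Result:" opens the trailing summary block
                cur = None
            in_config = False
        elif s.startswith("Config:"):
            in_config = True
        elif s.startswith("Additional Information:"):
            in_config = False
        elif in_config and s:
            cur["config"].append(s)
    return phases


def effective_translation(phases):
    """ASA 8.x precedence: a NAT-EXEMPT hit wins; otherwise the first NAT phase that
    really translates (the host-limits subtype only checks connection limits)."""
    for p in phases:
        if p["type"] == "NAT-EXEMPT" and p["result"] == "ALLOW":
            rule = next((c for c in p["config"] if c.startswith("match ")), "")
            return "exempt", rule
    for p in phases:
        if p["type"] != "NAT" or p["subtype"] == "host-limits":
            continue
        for c in p["config"]:
            if c.startswith("static translation to"):
                return "static", c
            if c.startswith("dynamic translation to"):
                return "dynamic", c
    return "none", ""


def diagnose(trace):
    """Report the source address the flow leaves with and whether an exemption with
    an 'any' destination (the pattern in this thread) is what produced it."""
    flow = parse_flow(trace)
    kind, rule = effective_translation(parse_phases(trace))
    if kind == "exempt":
        egress_src = flow["src"]                       # forwarded untranslated
    elif kind == "dynamic":
        egress_src = re.search(r"\(([\d.]+)", rule).group(1)
    elif kind == "static":
        egress_src = re.search(r"to ([\d.]+)", rule).group(1)
    else:
        egress_src = flow["src"]
    # The exempt match line ends with the destination spec; a bare "any" there means
    # VPN-bound and Internet-bound traffic alike bypass translation.
    overbroad = kind == "exempt" and rule.split()[-1] == "any"
    return {"src": flow["src"], "dst": flow["dst"], "xlate": kind,
            "egress_src": egress_src, "rule": rule, "overbroad_exempt": overbroad}


if __name__ == "__main__":
    for label, trace in (("as posted", SAMPLE_TRACE), ("nat0 line narrowed", FIXED_TRACE)):
        print(label, diagnose(trace))
```

Paste a real trace in place of the sample and the "overbroad_exempt" flag is the quick answer to "why does this host reach the tunnel but not the Internet".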

Ah,

I was a bit blind.

The reason the server can't access the Internet is this NAT0 ACL line:

access-list inside_nat0_outbound extended permit ip host NarayaServer any

You should remove this line and specify the exact destination network behind the VPN in the ACL.

Since you have the destination set to "any", this means that even traffic to the Internet will go through the firewall WITHOUT NAT. This naturally means the connections fail.

Since I can't see your exact L2L VPN configuration I can only guess, so here is my guess at what you probably need.

You seem to have some Crypto Map related ACL:

access-list outside_1_cryptomap extended permit ip host NarayaServer object-group Nry_Png

access-list outside_1_cryptomap extended permit ip host NAVNew host 192.168.1.2

According to the above, the ONLY destination networks/hosts that NAT0 should apply to for this local server are the networks/hosts configured under "object-group Nry_Png".

So you might need the following change to the NAT0 ACL:

access-list inside_nat0_outbound extended permit NarayaServer object-group Nry_Png

no access-list inside_nat0_outbound extended permit ip host NarayaServer any

Hope this helps

- Jouni
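Why the order matters: on ASA 8.x the "nat (inside) 0 access-list" exemption is evaluated before the statics and before the dynamic "nat (inside) 10" rule, so an exempt ACE with an "any" destination captures Internet-bound packets as well as VPN-bound ones and forwards them untranslated. Added example, not code from the thread: a small Python model of that precedence built from the ACL lines, the two port statics and the interface PAT in the posted config, run once with the nat0 ACL as posted and once with Jouni's corrected line. The membership of object-group Nry_Png is not shown in the thread, so 10.10.10.0/24 is an assumed placeholder for the remote network; the PAT address 60.54.140.50 is the one the packet-tracer output shows.

```python
from ipaddress import ip_address, ip_network

# Names and addresses taken from the posted configuration and packet-tracer output.
NAMES = {"NarayaServer": "172.47.1.10", "NAVNew": "172.17.100.22"}
PAT_ADDRESS = "60.54.140.50"            # "global (outside) 10 interface"
# object-group Nry_Png is not shown in the thread; this membership is an ASSUMED
# placeholder standing in for the remote office network behind the L2L tunnel.
OBJECT_GROUPS = {"Nry_Png": ["10.10.10.0/24"]}
# The two port statics from the config, keyed by (proto, local ip, local port).
STATICS = {("tcp", "172.47.1.10", 8080): "60.54.140.50",
           ("tcp", "172.17.100.22", 3389): "60.54.140.50"}

NAT0_AS_POSTED = [
    "access-list inside_nat0_outbound extended permit ip host NarayaServer any",
    "access-list inside_nat0_outbound extended permit ip any 172.27.17.240 255.255.255.248",
]
NAT0_FIXED = [
    "access-list inside_nat0_outbound extended permit ip host NarayaServer object-group Nry_Png",
    "access-list inside_nat0_outbound extended permit ip any 172.27.17.240 255.255.255.248",
]


def parse_spec(tokens, i):
    """Consume one address spec (any | host X | object-group G | A.B.C.D M.M.M.M)
    starting at tokens[i]; return (list of networks, index after the spec)."""
    t = tokens[i]
    if t == "any":
        return [ip_network("0.0.0.0/0")], i + 1
    if t == "host":
        return [ip_network(NAMES.get(tokens[i + 1], tokens[i + 1]) + "/32")], i + 2
    if t == "object-group":
        return [ip_network(n) for n in OBJECT_GROUPS[tokens[i + 1]]], i + 2
    net = ip_network(f"{NAMES.get(t, t)}/{tokens[i + 1]}", strict=False)
    return [net], i + 2


def parse_ace(line):
    """access-list NAME extended <permit|deny> <proto> <src spec> <dst spec>"""
    tokens = line.split()
    i = tokens.index("extended") + 1
    action, proto = tokens[i], tokens[i + 1]
    src, i = parse_spec(tokens, i + 2)
    dst, i = parse_spec(tokens, i)
    return {"action": action, "proto": proto, "src": src, "dst": dst, "text": line}


def first_match(acl, src, dst):
    """First-match ACL semantics; returns the matching ACE or None."""
    s, d = ip_address(src), ip_address(dst)
    for ace in acl:
        if any(s in n for n in ace["src"]) and any(d in n for n in ace["dst"]):
            return ace
    return None


class OutboundNat:
    """Minimal model of ASA 8.x outbound NAT precedence for traffic entering 'inside':
    1. nat (inside) 0 access-list              (exemption, first match on the ACL)
    2. static (inside,outside)                 (here: the two port statics)
    3. nat (inside) 10 + global (outside) 10   (interface PAT)"""

    def __init__(self, nat0_lines):
        self.nat0 = [parse_ace(line) for line in nat0_lines]

    def translate(self, proto, src, sport, dst):
        ace = first_match(self.nat0, src, dst)
        if ace is not None and ace["action"] == "permit":
            return "exempt", src                  # forwarded with its real address
        if (proto, src, sport) in STATICS:
            return "static", STATICS[(proto, src, sport)]
        return "pat", PAT_ADDRESS


def compare(dst, src="172.47.1.10", sport=12345):
    """Translation of src -> dst under the posted nat0 ACL and under the corrected one."""
    before = OutboundNat(NAT0_AS_POSTED).translate("tcp", src, sport, dst)
    after = OutboundNat(NAT0_FIXED).translate("tcp", src, sport, dst)
    return before, after


if __name__ == "__main__":
    for dst in ("8.8.8.8", "10.10.10.5"):
        print(dst, *compare(dst))
```

With the ACL as posted, 172.47.1.10 to 8.8.8.8 is exempt and leaves with its inside address; with the corrected ACL it is PATed to the interface address, while traffic to the (assumed) remote network and to the VPN client pool stays exempt.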

Hi JouniForss,

I attached the full config so that you can confirm what you are suggesting. Please help to confirm this; much appreciated (I removed the objects in the config).

Hi,

Since you have only a single L2L VPN and VPN Client configuration, it would seem to me you could make the following changes, as I suggested:

access-list inside_nat0_outbound extended permit NarayaServer object-group Nry_Png

no access-list inside_nat0_outbound extended permit ip host NarayaServer any

After this the server should be able to access the Internet.

- Jouni

Hi JouniForss,

It seems like the command couldn't be entered..? Please advise.

access-list inside_nat0_outbound extended permit NarayaServer object-group Nry_Png

Hi,

Sorry, one thing was missing from there.

So the whole configuration:

access-list inside_nat0_outbound extended permit ip NarayaServer object-group Nry_Png

no access-list inside_nat0_outbound extended permit ip host NarayaServer any

Marked the previously missing part (the "ip" keyword) in red.

- Jouni

Thanks, but after the object NarayaServer there is an error? It asks for a netmask.. I should put 255.255.255.255, right?

asalot10(config)# $bound extended permit ip NarayaServer ?
configure mode commands/options:
  A.B.C.D  Netmask for source IP address
asalot10(config)# $bound extended permit ip NarayaServer

Doh, still errors, sorry about that

access-list inside_nat0_outbound extended permit ip host NarayaServer object-group Nry_Png

no access-list inside_nat0_outbound extended permit ip host NarayaServer any

Was missing the "host" part this time.

- Jouni

Thanks a lot. Your help is much appreciated. All works.
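With the thread resolved, the same mistake is cheap to catch before a config is pushed, and the posted config carries a second item worth a look: "http 0.0.0.0 0.0.0.0 outside" allows ASDM/HTTPS management connections from any source address on the outside interface, which is normally narrowed to the administrators' addresses. Added example, not part of the original thread: a Python lint that reads a saved ASA 8.x configuration and reports (a) nat 0 access-list entries whose destination is a bare "any", the line this thread removed, and (b) http/ssh/telnet management access permitted from 0.0.0.0 0.0.0.0 on a security-level 0 interface. The excerpt is constructed from the posted config; the 203.0.113.0/24 range in the corrected copy is an assumed placeholder for the admin network.

```python
import re

# Constructed excerpt of the configuration posted at the top of the thread, keeping
# only the lines the two checks read.
CONFIG_AS_POSTED = """\
interface Ethernet0/0
 nameif outside
 security-level 0
!
interface Ethernet0/1
 nameif inside
 security-level 100
!
access-list inside_nat0_outbound extended permit ip host NarayaServer any
access-list inside_nat0_outbound extended permit ip any 172.27.17.240 255.255.255.248
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
http server enable
http 192.168.5.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 outside
http NAVNew 255.255.255.255 inside
"""

# The same excerpt after the accepted fix, plus an ASSUMED management source range
# (203.0.113.0/24, a documentation prefix standing in for the admin network) in
# place of 0.0.0.0 0.0.0.0 on the outside interface.
CONFIG_FIXED = (CONFIG_AS_POSTED
    .replace("permit ip host NarayaServer any",
             "permit ip host NarayaServer object-group Nry_Png")
    .replace("http 0.0.0.0 0.0.0.0 outside", "http 203.0.113.0 255.255.255.0 outside"))

# Extended permit ACE whose destination spec is a bare "any": the source spec is one
# of any | host X | object-group G | ADDR MASK and is followed directly by "any"
# (a port clause or "log" may trail it).
ACE_DST_ANY = re.compile(
    r"^access-list (\S+) extended permit \S+ "
    r"(?:any|host \S+|object-group \S+|\S+ [\d.]+) any(?:\s.*)?$")
# "http|ssh|telnet ADDR MASK IFC" lines (the 3-token "http server enable" does not match).
MGMT_RE = re.compile(r"^(http|ssh|telnet) (\S+) (\S+) (\S+)$", re.M)


def interface_levels(config):
    """nameif -> security-level, read from the interface stanzas."""
    levels, name = {}, None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            name = None
        elif s.startswith("nameif "):
            name = s.split()[1]
        elif s.startswith("security-level ") and name:
            levels[name] = int(s.split()[1])
    return levels


def overbroad_nat0(config):
    """(interface, ACE) for every nat 0 access-list entry whose destination is 'any'.
    Such an entry exempts Internet-bound traffic from NAT as well as VPN traffic."""
    findings = []
    for ifc, acl in re.findall(r"^nat \((\S+)\) 0 access-list (\S+)", config, re.M):
        for line in config.splitlines():
            if line.startswith(f"access-list {acl} ") and ACE_DST_ANY.match(line):
                findings.append((ifc, line))
    return findings


def exposed_management(config):
    """(protocol, interface) where http/ssh/telnet is allowed from 0.0.0.0/0 on a
    security-level 0 interface, i.e. the management plane is reachable from anywhere."""
    levels = interface_levels(config)
    return [(proto, ifc) for proto, addr, mask, ifc in MGMT_RE.findall(config)
            if addr == "0.0.0.0" and mask == "0.0.0.0" and levels.get(ifc) == 0]


def lint(config):
    return {"overbroad_nat0": overbroad_nat0(config),
            "exposed_management": exposed_management(config)}


if __name__ == "__main__":
    for label, cfg in (("as posted", CONFIG_AS_POSTED), ("fixed", CONFIG_FIXED)):
        print(label, lint(cfg))
```

Feed it the output of "show running-config"; an empty result for both checks is what the corrected box should produce.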
