unable to access internet through firewall

hyundai_mum (Level 1)

Hi,

My PIX 515E, which is running 8.0x IOS, is unable to access the internet through it. The domain name server is external (ISP); on its next-hop router the ip domain-name IP address is configured. Could you tell me what changes I should make to my firewall to make it work?

I can ping the firewall's next-hop IP address.

Thanks in advance

HS

9 Replies

Hi HS,

Do you have Internet from the firewall itself? (are you talking about an ASA, FWSM, PIX)?

i.e. can you ping 4.2.2.2 from the firewall itself?

If you have internet from the firewall itself, we just need to check the configuration to make sure that it allows Internet.

Please let us know the above.

Federico.

Hi,

As I already mentioned, I am using a Cisco PIX 515E which is running IOS 8.0. The firewall is connected to a router and my router is connected to the ISP router. What configuration should I have on the firewall so I can reach the internet? How do I configure the domain-name server's IP address?

Please help me.

thanks

HS

On a normal PIX configuration directly connected to the ISP router you need at least this:

nat (inside) 1 0 0

global (outside) 1 interface

The public IP assigned to the outside interface

A private IP assigned to the inside interface (which is going to be the default gateway for the local LAN).

route outside 0 0 x.x.x.x  --> this is the PIX's default gateway (router's IP)

Assuming the local LAN is directly connected to the PIX, you should be able to get to the Internet with the above configuration.

If you need additional information let us know.

What is the purpose of the domain-name? Do you want the PIX to assign a DNS to the internal LAN?

Federico.

Hi,

My PIX has two interfaces, one of which is connected to the leased line router and the other to the internet router. If my LAN users want to reach the internet they must have a DNS server IP address to resolve domain names; that is my purpose for configuring the domain-name IP on my firewall, so LAN users can resolve domain names and get to the internet.

My LAN users can reach the remote server through the leased line without any problem.

thanks

HS

The ASA can only assign a DNS server to the LAN if it's also the DHCP server. Is the ASA the DHCP server?

Federico.

Hi,

No, I have not configured my firewall as a DHCP server. Find the firewall configuration below to help me.

FIREWALL# show run
: Saved
:
PIX Version 8.0(3)
!
hostname FIREWALL
enable password f1/B5iV9rJ.dvsDE encrypted
names
dns-guard
!
interface Ethernet0
 description P2P link
 speed 100
 duplex full
 nameif outside1
 security-level 0
 ip address 172.23.15.211 255.255.255.0
!
interface Ethernet1
 description LAN interface
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.10.11 255.255.255.0
!
interface Ethernet2
 description Internet Gateway
 speed 100
 duplex full
 nameif outside2
 security-level 0
 ip address 25.0.0.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system flash:/pix803.bin
ftp mode passive
clock timezone IST 5 30
same-security-traffic permit inter-interface
access-list icmpacl extended permit icmp any 192.168.10.0 255.255.255.0
access-list acl_inside extended permit ip 192.168.10.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
logging host inside 172.23.15.33
mtu outside1 1500
mtu inside 1500
mtu outside2 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside1) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0
access-group icmpacl in interface outside1
access-group acl_inside in interface inside
route outside1 0.0.0.0 0.0.0.0 172.23.15.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.23.15.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 172.23.15.0 255.255.255.0 outside1
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 30
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map icmp-class
 match access-list icmpacl
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
 class icmp-class
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a0d0dc337be25e49c653aeb27031f59a
: end
FIREWALL#

Thanks
HS

1. Can you ping www.google.com and get an IP address?

2. Have you tried to load the page just with an IP address? http://74.125.87.99

3. Can the firewall ping 4.2.2.2?

4. Enable the logging buffer and check what the syslogs say:

conf t
logging buffered 7
exit
sh logg | i 192.168.10.x

for the client IP address that has trouble going to the internet.

-KS

Hi,

1. I will not get a ping reply, as ICMP requests are denied on my ISP router.

2. I tried to load the page; it says "page can't be displayed".

3. The firewall can't ping 4.2.2.2.

4. Find the logs below.

FIREWALL# show logg | i 192.168.10.10   (logs while browsing http://74.125.87.99)
%PIX-5-111007: Begin configuration: 192.168.10.10 reading from terminal
%PIX-5-111005: 192.168.10.10 end configuration: OK
%PIX-3-305006: portmap translation creation failed for tcp src inside:192.168.10.10/1096 dst outside2:74.125.87.99/80
%PIX-3-305006: portmap translation creation failed for tcp src inside:192.168.10.10/1096 dst outside2:74.125.87.99/80
%PIX-3-305006: portmap translation creation failed for tcp src inside:192.168.10.10/1096 dst outside2:74.125.87.99/80
%PIX-7-710005: UDP request discarded from 192.168.10.10/138 to inside:192.168.10.255/138
%PIX-7-710005: UDP request discarded from 192.168.10.10/137 to inside:192.168.10.255/137
%PIX-7-710005: UDP request discarded from 192.168.10.10/137 to inside:192.168.10.255/137
%PIX-7-710005: UDP request discarded from 192.168.10.10/137 to inside:192.168.10.255/137

FIREWALL# show logg | i 192.168.10.10   (logs while browsing google.co.in)
%PIX-3-305006: portmap translation creation failed for udp src inside:192.168.10.10/64660 dst outside2:202.95.94.1/53
%PIX-3-305006: portmap translation creation failed for udp src inside:192.168.10.10/64660 dst outside2:202.148.202.3/53
%PIX-3-305006: portmap translation creation failed for udp src inside:192.168.10.10/64660 dst outside2:202.95.94.1/53
%PIX-3-305006: portmap translation creation failed for udp src inside:192.168.10.10/64660 dst outside2:202.95.94.1/53
%PIX-3-305006: portmap translation creation failed for udp src inside:192.168.10.10/64660 dst outside2:202.148.202.3/53
%PIX-3-305006: portmap translation creation failed for udp src inside:192.168.10.10/64660 dst outside2:202.95.94.1/53
%PIX-3-305006: portmap translation creation failed for udp src inside:192.168.10.10/64660 dst outside2:202.148.202.3/53

202.95.94.1 and 202.148.202.3 are the DNS server IP addresses.

regards

HS

Interesting...

That syslog message means that you have a problem with the global statement.

You have the following:

global (outside1) 1 interface

nat (inside) 1 192.168.10.0 255.255.255.0

But the firewall is trying to take outside2 and failing.

Are you using outside1 to go out to the internet or outside2?

This message is talking about outside2 and you do not have a route or global statement for that interface.

You can either shut down the outside2 interface or add the following:

global (outside2) 1 interface

route outside2 0.0.0.0 0.0.0.0 x.x.x.x -----> where x.x.x.x is the next hop off of that outside2 interface.

You may have to remove the existing default route.

I would try to shut down the outside2 interface and try it.

-KS
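As an added example (not from the thread, nor Cisco's own tooling), the check KS performs by hand above, and the nat/global pairing Federico describes earlier, written as a small Python script: it parses the nat and global lines of a PIX running config together with the %PIX-3-305006 syslog messages, and reports each failed flow whose egress interface has no global statement for the nat id covering its source interface. The config and syslog lines embedded in it are constructed samples modelled on the ones quoted in this thread.

```python
import re

# Constructed sample: the NAT-relevant lines of the running config quoted in the thread.
CONFIG = """\
global (outside1) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0
route outside1 0.0.0.0 0.0.0.0 172.23.15.254 1
"""

# Constructed sample syslog lines modelled on the 305006 / 710005 messages quoted above.
SYSLOG = """\
%PIX-3-305006: portmap translation creation failed for tcp src inside:192.168.10.10/1096 dst outside2:74.125.87.99/80
%PIX-3-305006: portmap translation creation failed for udp src inside:192.168.10.10/64660 dst outside2:202.95.94.1/53
%PIX-7-710005: UDP request discarded from 192.168.10.10/138 to inside:192.168.10.255/138
"""

GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")        # global (ifname) <nat_id> ...
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) ")              # nat (ifname) <nat_id> ...
XLATE_FAIL_RE = re.compile(r"%PIX-3-305006: .* src (\S+?):\S+ dst (\S+?):(\S+)")

def parse_nat_policy(config):
    """Map each nat id to the interfaces it translates from and the interfaces it has a global on."""
    nats, globals_ = {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAT_RE.match(line):
            nats.setdefault(int(m.group(2)), set()).add(m.group(1))
        elif m := GLOBAL_RE.match(line):
            globals_.setdefault(int(m.group(2)), set()).add(m.group(1))
    return nats, globals_

def missing_globals(config, syslog):
    """Return (nat_id, src_if, egress_if, dst) for each 305006 failure whose egress interface lacks a global."""
    nats, globals_ = parse_nat_policy(config)
    findings = set()
    for line in syslog.splitlines():
        m = XLATE_FAIL_RE.search(line)
        if not m:
            continue  # other message ids (e.g. 710005 broadcast discards) are unrelated to NAT
        src_if, egress_if, dst = m.groups()
        for nat_id, src_ifaces in nats.items():
            if src_if in src_ifaces and egress_if not in globals_.get(nat_id, set()):
                findings.add((nat_id, src_if, egress_if, dst))
    return sorted(findings)

def suggested_globals(findings):
    """The global statements that would give the failing flows a translation on their egress interface."""
    return sorted({f"global ({egress_if}) {nat_id} interface" for nat_id, _, egress_if, _ in findings})
```

Run against the sample it reports nat id 1 from inside with no global on outside2 and suggests `global (outside2) 1 interface`; whether that or shutting down outside2 is the right fix still depends on which interface is meant to carry internet traffic, as KS notes.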
