Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Setting up the ASA to reach the internet

Hello Guys!  This is a simple question about setting up my ASA for internet access.  In can PING anything in the internet from my OUTSIDE interface and I can PING anything from my INSIDE interface on hte private side.  BUT I can reach teh internet from the workstation.  I thought my 'route' was clear as this is a simple config for a  test scenario.  Its too simple to call TAC for so I'm looking for a little assistance from the community  Below is my config:

Result of the command: "sh conf"

: Saved
:
: Serial Number: JMX2040Y1A3
: Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
: Written by PPPPPPPP at 00:55:32.298 UTC Sat Sep 6 2008
!
ASA Version 9.1(6)
!
hostname TRCLOUD
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif INTERNAL
 security-level 100
 ip address 172.20.3.1 255.255.255.248
!
interface Vlan2
 nameif EXTERNAL
 security-level 0
 ip address 12.27.64.33 255.255.255.192
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.9.0.0_16
 subnet 10.9.0.0 255.255.0.0
object network NETWORK_OBJ_172.20.3.0_29
 subnet 172.20.3.0 255.255.255.248
object-group icmp-type ALLOW_ICMP
 icmp-object echo
 icmp-object echo-reply
 icmp-object traceroute
 icmp-object unreachable
 icmp-object time-exceeded
access-list INBOUND extended permit icmp any any object-group ALLOW_ICMP
access-list EXTERNAL_cryptomap extended permit ip 172.20.3.0 255.255.255.248 10.9.0.0 255.255.0.0
access-list EXTERNAL_cryptomap_1 extended permit ip 172.20.3.0 255.255.255.248 object NETWORK_OBJ_10.9.0.0_16
pager lines 24
logging enable
logging asdm informational
mtu INTERNAL 1500
mtu EXTERNAL 1500
ip verify reverse-path interface EXTERNAL
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
 nat (INTERNAL,EXTERNAL) dynamic interface
route EXTERNAL 0.0.0.0 0.0.0.0 12.27.64.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 INTERNAL
http 0.0.0.0 0.0.0.0 INTERNAL
http 0.0.0.0 0.0.0.0 EXTERNAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map EXTERNAL_map 2 match address EXTERNAL_cryptomap
crypto map EXTERNAL_map 2 set peer 209.237.229.123
crypto map EXTERNAL_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map EXTERNAL_map 2 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map EXTERNAL_map 3 match address EXTERNAL_cryptomap_1
crypto map EXTERNAL_map 3 set peer 209.237.229.123
crypto map EXTERNAL_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map EXTERNAL_map interface EXTERNAL
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable INTERNAL
crypto ikev2 enable EXTERNAL
crypto ikev1 enable INTERNAL
crypto ikev1 enable EXTERNAL
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 INTERNAL
telnet timeout 5
no ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 INTERNAL
ssh 0.0.0.0 0.0.0.0 EXTERNAL
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config EXTERNAL
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username quintin password Al6EjJ9p.JqnQYTA encrypted privilege 15
username enable password FAdq8Y/jR1Akq8Vi encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:5561715cb929fb68558a53af740d5f8e

Can anyone provide a clear answer to why this is NOT working correctly as designed please

  • Silicon Valley Cisco User Group (SVCUG)
3 REPLIES
Bronze

Wasn't clear on the above -

Wasn't clear on the above - Can your Clients ping their own DG, which I assume is -  172.20.3.1.

What are the clients using for DNS?

New Member

Currently there is only a

Currently there is only a single station and it's using LMHOST files for DNS.  The wkstn can ping the IP address 172.20.3.1 with no problem.  BUT I should add the DN server group or at least the name servers (8.8.8.8, etc.)

Bronze

I am not entirely sure but i

I am not entirely sure but i think if you tried to access an external web page via IP it would work. If it does you know the issue is DNS.

1
Views
0
Helpful
3
Replies