ASA Config: Users have connectivity, but can't load webpages
I just finished hooking up my first ASA – I had already configured it ahead of time.
Beforehand, it had been my understanding that only two interfaces would be necessary: inside and outside. When I got on-site, it was immediately apparent that they had previously been using a DMZ for their one server. The license on this ASA only allowed 2 nameif’s, so I plugged the server into the third port on the ASA (E0/2) and added it to the same VLAN as my main inside interface (E0/1). The outside interface was on E0/0.
Right off the bat, I have a few questions.
The setup goes DSLModem -> ASA -> Switch -> Users. When I checked my routing table it showed a route to my internal network, so I figured that a static route internally wasn’t necessary. What confused me, though, was that the route looked something like this:
```
route to 10.0.0.0/24, connected, via "inside"
```
Does this mean that all traffic heading towards the inbound hosts will also be sent to the server since they share the same VLAN?
Additionally, do I need a static route for the server, even though it is directly connected? If so, would it just be: route inside 10.0.0.17 255.255.255.255 10.0.0.17?
Immediately after hooking it up, I noticed a few things:
- Inside hosts can ping the server (which is on its own interface, like I mentioned before)
- Inside can ping ASA
- Inside can ping External Gateway (last ISP hop), so I'm assuming it had full connectivity, although I couldn't test any other IPs since I didn't have any memorized.
- Server can ping inside hosts
- Server can ping ASA
- Server can *not* ping External Gateway.
My natural reaction was that it had to either be a NAT issue or ACL issue. Since the inside access-list is applied to the VLAN that both the server and inside network are members of, I ruled that out. At the time, I had only a couple NAT statements:
```
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) X.X.X.X 10.0.0.17 netmask 255.255.255.255
```
It occurred to me that I didn’t need a static route for the server, since all connections would be made through the VPN. I deleted the route, and was then able to ping the External Gateway from the Server. Why?
At this point, I attempted to get online with both the server and hosts on the internal network, but wasn't able to load any web pages. I knew that DNS had to be the natural culprit. Throughout my configuration, I had the following DNS statements:
```
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 domain-name default.domain.invalid
 name-server first.isp.dns.server
 name-server second.isp.dns.server
group-policy DfltGrpPolicy attributes
 dns-server value 10.0.0.17
group-policy VPN_GRP_POLICY attributes
 dns-server value 10.0.0.17
```
When I checked 'ipconfig' on the host PCs, it showed 10.0.0.17 as the DNS server, as it should. When I entered the DNS IP manually in the Windows TCP/IP config (I'm referring to the ISP's DNS server), all web pages work. I played around with the DNS commands some and the behavior was odd – it seemed to load pages, but very slowly (when DHCP is handling DNS). After a while, all pages loaded fine and at full speed. I re-entered the old static NAT statement for kicks, and it killed my connection completely. I removed it from the config, and observed the original behavior of slow-loading pages. It again sped up after about 15 minutes for seemingly no reason.
I left it after a while and pages seemed to be working properly. Still though, something doesn't seem right. Also, I'm not able to ping or connect to the ASA remotely, even though I'm positive it's accepting ICMP, and should also be accepting VPN connections.
Any advice would be MUCH appreciated.
Thanks
Reply from skepticals:
> route to 10.0.0.0/24, connected, via "inside"
> Does this mean that all traffic heading towards the inbound hosts will also be sent to the server since they share the same VLAN?
No, it just says go this way if you are looking for anything in the 10. network.
> Additionally, do I need a static route for the server, even though it is directly connected? If so, would it just be: route inside 10.0.0.17 255.255.255.255 10.0.0.17?
A static route is used with NAT. If you are NATing the server address, you will need a static route to outside for others to find it.
> Immediately after hooking it up, I noticed a few things:
> - Inside hosts can ping the server (which is on its own interface, like I mentioned before)
> - Inside can ping ASA
> - Inside can ping External Gateway (last ISP hop), so I'm assuming it had full connectivity, although I couldn't test any other IPs since I didn't have any memorized.
> - Server can ping inside hosts
> - Server can ping ASA
> - Server can *not* ping External Gateway.
> My natural reaction was that it had to either be a NAT issue or ACL issue. Since the inside access-list is applied to the VLAN that both the server and inside network are members of, I ruled that out. At the time, I had only a couple NAT statements:
> global (outside) 1 interface
> nat (inside) 1 0.0.0.0 0.0.0.0
> static (inside,outside) X.X.X.X 10.0.0.17 netmask 255.255.255.255
> It occurred to me that I didn't need a static route for the server, since all connections would be made through the VPN. I deleted the route, and was then able to ping the External Gateway from the Server. Why?
The static NAT needed an ACL to go with it to direct traffic to it.
> At this point, I attempted to get online with both the server and hosts on the internal network, but wasn't able to load any web pages. I knew that DNS had to be the natural culprit. Throughout my configuration, I had the following DNS statements:
> dns domain-lookup inside
> dns domain-lookup outside
> dns server-group DefaultDNS
>  domain-name default.domain.invalid
>  name-server first.isp.dns.server
>  name-server second.isp.dns.server
> group-policy DfltGrpPolicy attributes
>  dns-server value 10.0.0.17
> group-policy VPN_GRP_POLICY attributes
>  dns-server value 10.0.0.17
> When I checked 'ipconfig' on the host PCs, it showed 10.0.0.17 as the DNS server, as it should. When I entered the DNS IP manually in the Windows TCP/IP config (I'm referring to the ISP's DNS server), all web pages work. I played around with the DNS commands some and the behavior was odd – it seemed to load pages, but very slowly (when DHCP is handling DNS). After a while, all pages loaded fine and at full speed. I re-entered the old static NAT statement for kicks, and it killed my connection completely. I removed it from the config, and observed the original behavior of slow-loading pages. It again sped up after about 15 minutes for seemingly no reason.
Have to give everything time to sync up and build the tables.
> I left it after a while and pages seemed to be working properly. Still though, something doesn't seem right. Also, I'm not able to ping or connect to the ASA remotely, even though I'm positive it's accepting ICMP, and should also be accepting VPN connections.
> Any advice would be MUCH appreciated.
> Thanks
Need to see the config for this one.
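For reference, here is an added example (not the poster's or skepticals' configuration) of how the static translation, the outside-in ACL the reply mentions, and the client-facing DNS setting fit together in the pre-8.3 ASA syntax used in this thread. X.X.X.X is the post's placeholder for the public address; the HTTPS service and the dhcpd lines are assumptions.

```cisco
! Added example, not the poster's running config. Assumes the inside
! interface is the 10.0.0.0/24 VLAN and the server is 10.0.0.17.

! Dynamic PAT for everything leaving inside, as in the post
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

! One-to-one static translation for the server
static (inside,outside) X.X.X.X 10.0.0.17 netmask 255.255.255.255

! The static only creates the translation. Inbound traffic to it is still
! dropped by the outside interface's implicit deny until an ACL allows it.
! Permit only the service the server offers (assumed: HTTPS), addressed to
! the mapped public IP, because pre-8.3 ACLs match the translated address.
access-list OUTSIDE_IN extended permit tcp any host X.X.X.X eq https
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! No "route inside 10.0.0.17 ..." is needed: the host sits on the directly
! connected 10.0.0.0/24 subnet, which is the "connected" route already shown.

! "dns domain-lookup" / "dns server-group" only cover the ASA's own lookups.
! What the LAN hosts see in ipconfig comes from the DHCP scope (assumed to be
! served by the ASA); point it at a resolver the hosts can actually reach.
dhcpd address 10.0.0.100-10.0.0.200 inside
dhcpd dns 10.0.0.17
dhcpd enable inside
```

If 10.0.0.17 is handed out as the resolver, it must itself be able to forward queries to the ISP servers through the PAT above, otherwise hosts resolve nothing even though ping works.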