Skip to main content

ASA Config: Users have connectivity, but can't load webpages

More
16 years 11 months ago #24774 by mzinz
I apologize in advance for the length. For future reference, I have replaced the real external IP with “X.X.X.X”. Also, the IP of the server I mention is 10.0.0.17.

I just finished hooking up my first ASA – I had already configured it ahead of time.

Beforehand, it had been my understanding that only two interfaces would be necessary: inside and outside. When I got on-site, it was immediately apparent that they had previously been using a DMZ for their one server. The license on this ASA only allowed 2 nameif’s, so I plugged the server into the third port on the ASA (E0/2) and added it to the same VLAN as my main inside interface (E0/1). The outside interface was on E0/0.

Right off the bat, I have a few questions.

The setup goes DSLModem -> ASA -> Switch -> Users. When I checked my routing table it showed a route to my internal network, so I figured that a static route internally wasn’t necessary. What confused me, though, was that the route looked something like this:

route to 10.0.0.0/24, connected, via “inside”

Does this mean that all traffic heading towards the inbound hosts will also be sent to the server since they share the same VLAN?

Additionally, do I need a static route for the server, even though it is directly connected? If so, would it just be: route inside 10.0.0.17 255.255.255.255 10.0.0.17?

Immediately after hooking it up, I noticed a few things:

Inside hosts can ping the server(which is on its own interface, like I mentioned before)
Inside can ping ASA
Inside can ping External Gateway (last ISP hop), so I’m assuming it had full connectivity, although I couldn’t test any other IP’s since I didn’t have any memorized.

Server can ping inside hosts
Server can ping ASA
Server can *not* ping External Gateway.

My natural reaction was that it had to either be a NAT issue or ACL issue. Since the inside access-list is applied to the VLAN that both the server and inside network are members of, I ruled that out. At the time, I had only a couple NAT statements:

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) X.X.X.X 10.0.0.17 netmask 255.255.255.255

It occurred to me that I didn’t need a static route for the server, since all connections would be made through the VPN. I deleted the route, and was then able to ping the External Gateway from the Server. Why?

At this point, I attempted to get online with both the server and hosts on the internal network, but wasn't able to load any web pages. I knew that DNS had to be the natural culprit. Throughout my configuration, I had the following DNS statements:

dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
domain-name default.domain.invalid
name-server first.isp.dns.server
name-server second.isp.dns.server
group-policy DfltGrpPolicy attributes
dns-server value 10.0.0.17
group-policy VPN_GRP_POLICY
dns-server value 10.0.0.17

When I checked ‘ipconfig’ on the host pc’s, it showed 10.0.0.17 as the DNS server, as it should. When I entered the DNS IP manually in Windows TCP/IP config (I’m referring to the ISP’s DNS server), all web pages work. I played around with the DNS commands some and the behavior was odd – it seemed to load pages, but very slowly (when DHCP is handling DNS). After a while, all pages loaded fine and at full speed. I re-entered the old static NAT statement for kicks, and it killed my connection completely. I removed it from the config, and observed the original behavior of slow loading pages. It again sped up after about 15 minutes for seemingly no reason.

I left it after a while and pages seemed to be working properly. Still though, something doesn't seem right. Also, I'm not able to ping or connect to the ASA remotely, even though I'm positive it's accepting ICMP, and should also be accepting VPN connections.

Any advice would be MUCH appreciated.

Thanks
More
16 years 11 months ago #24779 by skepticals
Regarding the Ping issue, do you have a statement that allows ICMP in and out? I thought I remember reading that you have to set it up in both directions.
More
16 years 11 months ago #24792 by sp1k3tou
When you say you can not connect to the ASA are you talking about using telnet,ssh, or the ASDM? Or are you talking about a vpn connection?
More
16 years 11 months ago #24845 by Torvald

route to 10.0.0.0/24, connected, via “inside”

Does this mean that all traffic heading towards the inbound hosts will also be sent to the server since they share the same VLAN?


No, it just says go this way if your are looking for anything in the 10. network.

Additionally, do I need a static route for the server, even though it is directly connected? If so, would it just be: route inside 10.0.0.17 255.255.255.255 10.0.0.17?


Static route is used with nat. if you are nating the server address you will need a static route to out side for others to find it.

Immediately after hooking it up, I noticed a few things:

Inside hosts can ping the server(which is on its own interface, like I mentioned before)
Inside can ping ASA
Inside can ping External Gateway (last ISP hop), so I’m assuming it had full connectivity, although I couldn’t test any other IP’s since I didn’t have any memorized.

Server can ping inside hosts
Server can ping ASA
Server can *not* ping External Gateway.

My natural reaction was that it had to either be a NAT issue or ACL issue. Since the inside access-list is applied to the VLAN that both the server and inside network are members of, I ruled that out. At the time, I had only a couple NAT statements:

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) X.X.X.X 10.0.0.17 netmask 255.255.255.255

It occurred to me that I didn’t need a static route for the server, since all connections would be made through the VPN. I deleted the route, and was then able to ping the External Gateway from the Server. Why?


the static nat needed a ACL to go with it to direct traffic to it.

At this point, I attempted to get online with both the server and hosts on the internal network, but wasn't able to load any web pages. I knew that DNS had to be the natural culprit. Throughout my configuration, I had the following DNS statements:

dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
domain-name default.domain.invalid
name-server first.isp.dns.server
name-server second.isp.dns.server
group-policy DfltGrpPolicy attributes
dns-server value 10.0.0.17
group-policy VPN_GRP_POLICY
dns-server value 10.0.0.17

When I checked ‘ipconfig’ on the host pc’s, it showed 10.0.0.17 as the DNS server, as it should. When I entered the DNS IP manually in Windows TCP/IP config (I’m referring to the ISP’s DNS server), all web pages work. I played around with the DNS commands some and the behavior was odd – it seemed to load pages, but very slowly (when DHCP is handling DNS). After a while, all pages loaded fine and at full speed. I re-entered the old static NAT statement for kicks, and it killed my connection completely. I removed it from the config, and observed the original behavior of slow loading pages. It again sped up after about 15 minutes for seemingly no reason.


Have to give everything time to sync up and build the tables.

I left it after a while and pages seemed to be working properly. Still though, something doesn't seem right. Also, I'm not able to ping or connect to the ASA remotely, even though I'm positive it's accepting ICMP, and should also be accepting VPN connections.

Any advice would be MUCH appreciated.

Thanks


Need to see the config for this one.
Time to create page: 0.126 seconds