
Cisco ASA 5505 DNS


willharder

IS-IT--Management
Oct 21, 2011
2
US
Hello all,

I have a Cisco ASA 5505 set up, and we can connect to it via VPN, but nothing is reachable when connected. Cannot ping or resolve DNS.

It works just fine for routing as we use it for routing the internet.

Here is the printout:

: Saved
:
ASA Version 8.2(2)
!
hostname ciscoasa2
domain-name schunk.com
enable password Ufwfzoc7M.Mj9hYL encrypted
passwd Ufwfzoc7M.Mj9hYL encrypted
names
name 195.226.73.80 Germany_Vid
name 192.168.169.48 vid
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.169.200 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 12.156.212.50 255.255.255.248
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup dmz
dns server-group DefaultDNS
name-server 192.168.169.5
domain-name schunk.com
object-group service VID tcp-udp
description Video Conf port range
port-object range 3230 3253
port-object range 1718 1722
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any time-exceeded
access-list 101 extended permit object-group TCPUDP Germany_Vid 255.255.255.240 host vid object-group VID
access-list inside_nat0_outbound extended permit ip any 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.169.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Tunnel standard permit 192.168.169.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 8096
logging asdm informational
logging recipient-address level errors
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool VPNPool2 192.168.2.200-192.168.2.220 mask 255.255.255.0
ip local pool Eniro 192.168.169.160-192.168.169.170 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.169.0 255.255.255.0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 12.156.212.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.169.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca server
shutdown
smtp from-address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-sessiondb max-session-limit 10
telnet 192.168.169.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.169.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd dns 12.127.17.71 12.127.17.72
dhcpd domain schunk.com
!

vpnclient mode network-extension-mode
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy EnviroVPN internal
group-policy EnviroVPN attributes
dns-server value 192.168.169.5 12.127.17.71
vpn-simultaneous-logins 10
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Tunnel
default-domain value envirotronics.local
username admin password lIQVOVGsgBRGvXaS encrypted privilege 15
username enviro password 67mJFP68l7e1h4qJ encrypted privilege 0
tunnel-group EnviroVPN type remote-access
tunnel-group EnviroVPN general-attributes
address-pool VPNPool2
default-group-policy EnviroVPN
tunnel-group EnviroVPN ipsec-attributes
pre-shared-key *****
!
class-map type inspect h323 match-any Video
match media-type video
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect h323 Teleconferance
description Polycom
parameters
hsi-group 323
hsi 12.156.212.53
endpoint vid dmz
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect h323 ras Teleconferance
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http destination address email
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:a8f7dface0c842f545e01f87a3b13f37
: end
asdm image disk0:/asdm-631.bin
asdm location Germany_Vid 255.255.255.240 inside
asdm location vid 255.255.255.255 inside
asdm history enable
Any help would be greatly appreciated! It uses internal DHCP.
 
hmmm, your config looks good. typically when you can't reach internal resources it is due to not having NAT exemption configured, but you do. I'm assuming that the client connecting is behind a NAT device?? if so you could always add crypto isakmp nat-traversal.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
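As an added example (not code from the thread, from Tek-Tips or from Cisco), the Python script below applies the diagnostic in this reply to a config dump: it parses the pieces that decide whether remote-access clients can reach and resolve inside hosts (the nat 0 exemption ACL against the address pool, the split-tunnel list, the group-policy DNS servers, and whether nat-traversal is enabled) and reports what is missing. The embedded config is a constructed subset modelled on the first config posted above; the tunnel-group, ACL and pool names and the addresses come from that post, while the finding codes and the `parse_config` / `check_remote_access` / `audit` functions are assumptions of this example.

```python
"""Static sanity checks for an ASA 8.2-style remote-access VPN config (example code)."""
import ipaddress
import re

# Constructed sample modelled on the first config in the thread (not a verbatim copy).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.169.200 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.169.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Tunnel standard permit 192.168.169.0 255.255.255.0
ip local pool VPNPool2 192.168.2.200-192.168.2.220 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto isakmp enable outside
group-policy EnviroVPN attributes
 dns-server value 192.168.169.5 12.127.17.71
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Tunnel
 default-domain value envirotronics.local
tunnel-group EnviroVPN general-attributes
 address-pool VPNPool2
 default-group-policy EnviroVPN
"""


def _addr(tokens):
    """Consume one ASA address spec ('any', 'host A' or 'A MASK') from a token list."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    """Pull out the config items that matter for remote-access reachability."""
    cfg = {"acls": {}, "pools": {}, "inside_net": None, "nat0_acl": None,
           "nat_traversal": False, "group_policies": {}, "tunnel_groups": {}}
    section = None  # (kind, name) of the block whose sub-commands follow
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tok = line.split()
        if tok[0] == "access-list" and tok[2] == "extended" and tok[3:5] == ["permit", "ip"]:
            src, rest = _addr(tok[5:])
            dst, _ = _addr(rest)
            cfg["acls"].setdefault(tok[1], []).append((src, dst))
        elif tok[0] == "access-list" and tok[2] == "standard" and tok[3] == "permit":
            cfg["acls"].setdefault(tok[1], []).append((_addr(tok[4:])[0], None))
        elif line.startswith("ip local pool "):
            m = re.match(r"ip local pool (\S+) (\S+)-(\S+) mask", line)
            first, last = ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3))
            # The pool is a range, not a subnet: summarize it into exact prefixes.
            cfg["pools"][m.group(1)] = list(ipaddress.summarize_address_range(first, last))
        elif line.startswith("nat (inside) 0 access-list "):
            cfg["nat0_acl"] = tok[4]
        elif line.startswith("crypto isakmp nat-traversal"):
            cfg["nat_traversal"] = True
        elif tok[0] == "interface":
            section = ("interface", tok[1])
        elif tok[0] == "group-policy" and tok[-1] == "attributes":
            section = ("gp", tok[1])
            cfg["group_policies"].setdefault(tok[1], {})
        elif tok[0] == "tunnel-group" and tok[-1] == "general-attributes":
            section = ("tg", tok[1])
            cfg["tunnel_groups"].setdefault(tok[1], {})
        elif section and section[0] == "interface":
            if line == "nameif inside":
                cfg["_inside_if"] = section[1]
            elif tok[:2] == ["ip", "address"] and cfg.get("_inside_if") == section[1]:
                cfg["inside_net"] = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
        elif section and section[0] == "gp":
            gp = cfg["group_policies"][section[1]]
            if tok[0] == "dns-server":
                gp["dns-server"] = tok[2:]
            elif tok[0] in ("split-tunnel-policy", "split-tunnel-network-list"):
                gp[tok[0]] = tok[-1]
        elif section and section[0] == "tg":
            if tok[0] in ("address-pool", "default-group-policy") and len(tok) > 1:
                cfg["tunnel_groups"][section[1]][tok[0]] = tok[1]
    return cfg


def _is_internal(addr, net):
    try:
        return ipaddress.ip_address(addr) in net
    except ValueError:  # tolerate truncated values such as "192.168.169."
        return False


def check_remote_access(cfg, tunnel_group):
    """Return (code, message) findings for one remote-access tunnel-group."""
    findings = []
    tg = cfg["tunnel_groups"].get(tunnel_group, {})
    gp = cfg["group_policies"].get(tg.get("default-group-policy", ""), {})
    pool = cfg["pools"].get(tg.get("address-pool", ""))
    inside = cfg["inside_net"]
    if pool is None or inside is None:
        return [("INCOMPLETE", "need an address-pool on the tunnel-group and an inside interface")]
    # 1. NAT exemption: every pool prefix must be covered by a nat 0 entry whose source
    #    covers the inside network, or replies to clients are PAT'd to the outside address.
    nat0 = cfg["acls"].get(cfg["nat0_acl"] or "", [])
    if not all(any(d is not None and inside.subnet_of(s) and p.subnet_of(d)
                   for s, d in nat0) for p in pool):
        findings.append(("NO_NAT_EXEMPTION", "inside -> VPN pool traffic is not exempt from NAT"))
    # 2. Split tunnel: with tunnelspecified, the client only routes listed networks into the tunnel.
    if gp.get("split-tunnel-policy") == "tunnelspecified":
        st = cfg["acls"].get(gp.get("split-tunnel-network-list", ""), [])
        if not any(inside.subnet_of(n) for n, _ in st):
            findings.append(("SPLIT_TUNNEL_MISSES_INSIDE", "split-tunnel list omits the inside network"))
    # 3. DNS: an internal resolver is needed for internal names to resolve over the tunnel.
    dns = gp.get("dns-server", [])
    if not dns:
        findings.append(("NO_DNS_SERVER", "group-policy sets no dns-server"))
    elif not any(_is_internal(d, inside) for d in dns):
        findings.append(("DNS_NOT_INTERNAL", "no configured dns-server is on the inside network"))
    # 4. NAT-T, the reply's suggestion for clients that sit behind a NAT device.
    if not cfg["nat_traversal"]:
        findings.append(("NO_NAT_TRAVERSAL", "crypto isakmp nat-traversal is not enabled"))
    return findings


def audit(text, tunnel_group="EnviroVPN"):
    return check_remote_access(parse_config(text), tunnel_group)


if __name__ == "__main__":
    for code, msg in audit(SAMPLE_CONFIG):
        print(f"{code}: {msg}")
```

Run against the constructed sample it reports only NO_NAT_TRAVERSAL, matching the reply's reading of the posted config (exemption present, NAT-T absent). The pool is summarized into exact prefixes rather than taken as the pool mask's /24, so a nat 0 entry that covers only part of the range is caught.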
 
Thanks for the reply!

The ASA is connected straight from the T1 line to our router. The IP addresses are using NAT. I have tried using NAT and using the same subnet as what everyone uses and still no luck.

I tried to put this command in and try it and no luck.

Here is the running config of our main ASA. They both go from the T1 straight to our switch:

: Saved
:
ASA Version 8.2(2)
!
hostname ciscoasa
domain-name schunk.com
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.169.201 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 75.119.77.194 255.255.255.248
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
!
interface Vlan30
description LAN Failover Interface
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
description Internal LAN Interface
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
switchport access vlan 30
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup dmz
dns server-group DefaultDNS
name-server 192.168.169.5
domain-name schunk.com
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any time-exceeded
access-list inside_nat0_outbound extended permit ip any 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.169.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Tunnel standard permit 192.168.169.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational

mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool VPNPool 192.168.2.100-192.168.2.120 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface fo Vlan30
failover interface ip fo 10.30.30.31 255.255.255.0 standby 10.30.30.32
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.169.0 255.255.255.0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 75.119.77.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.169.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
vpn-sessiondb max-session-limit 10
telnet 192.168.169.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.169.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd dns 12.127.17.71 12.127.17.72
dhcpd domain schunk.com
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy EnviroVPN internal
group-policy EnviroVPN attributes
dns-server value 192.168.169. 12.127.17.71
vpn-simultaneous-logins 10
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Tunnel
default-domain value
tunnel-group EnviroVPN type remote-access
tunnel-group EnviroVPN general-attributes
address-pool VPNPool
default-group-policy
tunnel-group N ipsec-attributes
pre-shared-key
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpnclient
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:04f09586924af8cfa2a79e64bcada220
: end
asdm image disk0:/asdm-631.bin
asdm history enable