
Connected but can't browse

Status: Not open for further replies.

macpoint (IS-IT--Management), May 11, 2010, US
Hello everyone,

Need your suggestion. The problem is that some of our office computers do show as connected to the net, but sometimes they are not able to browse from any browser. Sometimes the 1st or 2nd tab works; after that the internet starts to slow down... slow loading of pages, or no loading at all...

Network overview

T1 connected to Netgear switch, connected to ASA5510 firewall (connected to Cisco router 1841), connected to Dell switch--

Also I am not able to ping any site or tracert to any site from the computers... tracert only does 1 hop, after that it times out... please help, any advice is welcome. Thanks

 
You're going to need to give more info than that... let's start off with the configs of the router and the firewall. Are there VLANs in the switches at all? When did this start happening? Did everything work okay before?

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
Yes, but this connection going in and out has been happening for quite a while now...

Like I said, I can't ping or tracert to any site...

Also, can enabling ping or tracert be a security risk?

Firewall ASA5510 configs:

ASA Version 8.0(4)
!
hostname AP
domain-name ls.net
enable password encrypted
passwd encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address xx.xxx.yyz.34 255.255.255.224
!
interface Ethernet0/1
speed 1000
duplex full
nameif inside
security-level 100
ip address 10.10.11.250 255.255.255.0
!
interface Ethernet0/2
nameif mpls
security-level 100
ip address 10.10.21.2 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
security-level 100
no ip address
management-only
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name lawsuites.net
same-security-traffic permit inter-interface
access-list 100 extended permit tcp any host xx.xxx.xxx.40 eq www
access-list 100 extended permit tcp any host xx.xxx.xxx.40 eq https
access-list 100 extended permit tcp any host xx.xxx.xxx.40 eq 3389
access-list 100 extended permit tcp any host xx.xxx.xxx.42 range 3230 3235
access-list 100 extended permit tcp any host xx.xxx.xxx.42 eq h323
access-list 100 extended permit udp any host xx.xxx.xxx.42 range 3230 3253
access-list vpn extended permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list vpn extended permit ip 10.10.11.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list NY-NJNONAT extended permit ip 10.10.11.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list NY-NJNONAT extended permit ip 10.10.12.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list NY-NJNONAT extended permit ip 10.10.13.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list NY-NJNONAT extended permit ip 10.10.14.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list NY-NJ extended permit ip 10.10.11.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list NY-NJ extended permit ip 10.10.12.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list NY-NJ extended permit ip 10.10.13.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list NY-NJ extended permit ip 10.10.14.0 255.255.255.0 10.10.10.0 255.255.255.0
no pager
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu mpls 1500
ip local pool Remote-Pool 192.168.10.1-192.168.10.25 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NY-NJNONAT
nat (inside) 1 10.10.11.0 255.255.255.0 tcp 50 20
nat (inside) 1 10.10.12.0 255.255.255.0 tcp 50 20
nat (inside) 1 10.10.13.0 255.255.255.0 tcp 50 20
nat (inside) 1 10.10.14.0 255.255.255.0 tcp 50 20
static (inside,outside) xx.xxx.xxx.40 10.10.11.12 netmask 255.255.255.255
static (inside,outside) 10.10.11.154 38.117.199.42 netmask 255.255.255.255
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 38.117.199.33 1
route mpls 10.10.1.0 255.255.255.0 10.10.21.1 1
route mpls 10.10.2.0 255.255.255.0 10.10.21.1 1
route mpls 10.10.3.0 255.255.255.0 10.10.21.1 1
route mpls 10.10.4.0 255.255.255.0 10.10.21.1 1
route mpls 10.10.5.0 255.255.255.0 10.10.21.1 1
route mpls 10.10.6.0 255.255.255.0 10.10.21.1 1
route mpls 10.10.7.0 255.255.255.0 10.10.21.1 1
route mpls 10.10.8.0 255.255.255.0 10.10.21.1 1
route mpls 10.10.9.0 255.255.255.0 10.10.21.1 1
route mpls 10.10.10.0 255.255.255.0 10.10.21.1 1
route inside 10.10.12.0 255.255.255.0 10.10.12.1 1
route inside 10.10.13.0 255.255.255.0 10.10.13.1 1
route inside 10.10.14.0 255.255.255.0 10.10.14.1 1
route mpls 10.10.20.0 255.255.255.0 10.10.21.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.11.0 255.255.255.0 inside
http 10.10.10.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set NJ_Tunnel esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set security-association lifetime seconds 28800
crypto dynamic-map dynmap 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 64.52.254.98
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map maptoNJ 10 match address NY-NJ
crypto map maptoNJ 10 set transform-set NJ_Tunnel
crypto map maptoNJ 10 set security-association lifetime seconds 28800
crypto map maptoNJ 10 set security-association lifetime kilobytes 4608000
crypto map maptoNJ interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 11
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
crypto isakmp policy 30
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 30
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 10.10.10.0 255.255.255.0 inside
telnet 10.10.11.0 255.255.255.0 inside
telnet 10.10.12.0 255.255.255.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password id6XqXzHqVdjWpuR encrypted privilege 15
tunnel-group Supp0Rt type remote-access
tunnel-group Supp0Rt general-attributes
address-pool Remote-Pool
tunnel-group Supp0Rt ipsec-attributes
pre-shared-key *
tunnel-group xx.xx.254.98 type ipsec-l2l
tunnel-group xx.xx.254.98 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:f48dc512c34f86cf6e5b43d10f8220a3
: end
 
You did not answer all the questions... need more info, please.

 
Sorry... here we go:

You're going to need to give more info than that... let's start off with the configs of the router and the firewall.
--already posted the firewall configs, trying to get you the router configs...

Are there VLANs in the switches at all?
---I think not.

When did this start happening?
--happening for at least 4 to 5 months

Did everything work okay before?
--up and down was there... whoever set up our network didn't do it right...

P.S.: You can see in the firewall configs if ICMP is open; if yes, then why am I not able to do tracert?
 
1) No ICMP traffic is passing because you aren't permitting it to. You either need to add ICMP to the default inspection rule or you need to apply your ACL 101. If you apply ACL 101, make sure you adjust it to permit http/s, dns, ntp, etc.
2) I see your inside interface is hard-coded to 1000/Full; is the switch that it is connected to also set to 1000/Full?? Check the port statistics on the inside interface, outside interface, the downlevel switch, and the router serial interface to see if there are any errors. If you're seeing a lot of errors then this could be why your connectivity is unstable.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
unclerico, thanks,

1. Can you please give me the entries for how to do this, default or ACL... which is better, default or adding the ACL?
2. 1000/full, how do I check it in the switch... do you want me to post the switch configs?

Thanks for the much needed information... please help me with this
 
1) to add icmp inspection:
Code:
ASA(config)# policy-map global_policy
ASA(config-pmap)# class inspection_default
ASA(config-pmap-class)# inspect icmp
2) If I'm reading your topology right, you have an 1841 router connected to the inside of your 5510 and a switch connected to the outside of your 5510, which is then connected to a Netgear router??

 
2. Yes, but it's a Netgear switch (10/100)... and I am going to change to a 3Com 2928 (10/100/1000)

Thanks again...
 
Okay, with:
ASA(config)# policy-map global_policy
ASA(config-pmap)# class inspection_default
ASA(config-pmap-class)# inspect icmp

I am able to ping now, but still no tracert... please help...

Only able to do 1 hop... after that everything times out.
 
Let me give you a better overview of the network topology:

Before:

T1-Netgear switch (which was only 10/100)-asa5510 (connected with cisco1841)-asa5510-Dell switch--

Now (since Friday 5/14/2010):

T1-3com 2928 (which is 10/100/1000)-asa5510 (connected with cisco1841)-asa5510-Dell switch--
 
That makes absolutely no sense whatsoever.

You have two ASA5510's???

T1---switch

why the switch? What device comes off the smartjack?

Can you send a Visio???

 
Sorry, let me explain again:

We only have one ASA5510, and the reason for the switch is that some people who rent space don't want to use our router and firewall, so they connect their own router to our switch...

So we have

1. T1 BOX
2. 3COM SWITCH
3. ASA5510
4. CISCO 1841
5. DELL SWITCH

T1 box (provided by the ISP company)-3com switch---ASA5510 (now the ASA5510 is connected with the Cisco 1841)-Dell switch (Dell switch connected with ASA5510)

One wire goes between the ASA5510 and the Cisco 1841... but the last Dell switch is connected with the ASA5510...

Sorry again for the confusion...
 
Got it.

no access-list 100 extended

access-list 100 extended permit tcp any host xx.xxx.xxx.40 eq www
access-list 100 extended permit tcp any host xx.xxx.xxx.40 eq https
access-list 100 extended permit tcp any host xx.xxx.xxx.40 eq 3389
access-list 100 extended permit tcp any host xx.xxx.xxx.42 range 3230 3235
access-list 100 extended permit tcp any host xx.xxx.xxx.42 eq h323
access-list 100 extended permit udp any host xx.xxx.xxx.42 range 3230 3253
access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any source-quench
access-list 100 extended permit icmp any any unreachable
access-list 100 extended permit icmp any any time-exceeded

See what options you have for ZBF to inspect...

ASA(config)# policy-map global_policy
ASA(config-pmap)# class inspection_default
ASA(config-pmap-class)# inspect icmp ?

Note the "?" after "icmp"---in the PIX, there were more options available for ICMP inspection under CBAC (no ZBF then), but I can't remember... something like "inspect icmp error" or close to that... anyway:

1. Rebuild the ACL (I don't know how to do line by line in an ASA).
2. Add all ICMP options (if any more exist) under the class inspection_default for the policy map of the ZBF.

***WHEW!***

Let us know about all the ICMP inspect options. Good luck.

 
Let me try this... big thanks... I know it was a lot of writing
 
@unclerico
"2) i see your inside interface is hard coded to 1000/Full, is the switch that it is connected to also set to 1000/Full?? check the port statistics on inside interface, outside interface, the downlevel switch, and the router serial interface to see if there any errors. if you're seeing a lot of errors then this could be why your connectivity is unstable."

I did change my Netgear switch that was only 10/100 to a better switch, 10/100/1000... but our router 1841 I think is 10/100... does that make any difference...
 
Yes. The 1841 is the device hanging off the inside interface and that is the one that is hard-coded. You need to make sure both sides (inside interface of the ASA and FastEthernet interface of the 1841) are set the same; either both are hard-coded to 100/Full or set them to auto-negotiate.

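Two things in this thread are worth checking mechanically before touching a production ASA: whether ICMP replies (echo-reply, time-exceeded, unreachable) can get back in at all, either through inspect icmp or through the ACL actually applied on the outside interface (an ACL that is defined but never applied, like ACL 101 above, does nothing), and whether any interface carries a hard-coded speed/duplex that the neighbour must match. The script below is an added example, not code from the thread or from Cisco; it audits an ASA 8.x running-config excerpt for exactly those two conditions. The config it parses is a constructed excerpt modelled on the posted one, with placeholder addresses, and the parser deliberately handles only the command forms that appear in this thread (a single global policy, access-group ... in interface, speed/duplex under interface).

```python
import re

# Constructed ASA 8.x excerpt modelled on the thread's config (addresses are
# RFC 5737 / RFC 1918 placeholders, not the poster's). It reproduces the two
# conditions under discussion: no 'inspect icmp', ACL 101 defined but never
# applied, and the inside interface hard-coded to 1000/full.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.34 255.255.255.224
!
interface Ethernet0/1
 speed 1000
 duplex full
 nameif inside
 security-level 100
 ip address 10.10.11.250 255.255.255.0
!
access-list 100 extended permit tcp any host 203.0.113.40 eq www
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any time-exceeded
access-group 100 in interface outside
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
!
service-policy global_policy global
"""

# Reply-type ICMP messages that ping/tracert from the inside depend on
# getting back in through the outside interface.
REPLY_TYPES = {"echo-reply", "time-exceeded", "unreachable"}


def parse_interfaces(config):
    """Map nameif -> {'speed', 'duplex'} for every named interface; 'auto' when not set."""
    ifaces, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()          # posted configs often lose their indentation
        if line.startswith("interface "):
            cur = {"speed": "auto", "duplex": "auto"}
        elif line == "!":
            cur = None
        elif cur is not None and line.startswith("nameif "):
            ifaces[line.split()[1]] = cur   # same dict, so later speed/duplex lines still apply
        elif cur is not None and line.startswith(("speed ", "duplex ")):
            key, value = line.split()[:2]
            cur[key] = value
    return ifaces


def inbound_acl(config, interface):
    """Name of the ACL applied inbound on an interface, or None if nothing is applied."""
    m = re.search(r"^\s*access-group (\S+) in interface %s\s*$" % re.escape(interface), config, re.M)
    return m.group(1) if m else None


def acl_icmp_permits(config, acl):
    """ICMP types the named ACL permits from anywhere; 'any' when no type is given."""
    pat = re.compile(r"^\s*access-list %s extended permit icmp any any(?:\s+(\S+))?\s*$"
                     % re.escape(acl), re.M)
    return {t or "any" for t in pat.findall(config)}


def icmp_inspected(config):
    """True if 'inspect icmp' is present (assumes a single global policy, as in the thread)."""
    return re.search(r"^\s*inspect icmp\s*$", config, re.M) is not None


def audit(config):
    """Return the list of findings; an empty list means both problems are fixed."""
    findings = []
    acl = inbound_acl(config, "outside")
    permitted = acl_icmp_permits(config, acl) if acl else set()
    # Without inspection, only an explicit permit on the applied ACL lets replies back in.
    if not icmp_inspected(config) and not (permitted & REPLY_TYPES) and "any" not in permitted:
        findings.append("icmp-replies-dropped: no 'inspect icmp' and outside ACL %s permits none of %s"
                        % (acl, sorted(REPLY_TYPES)))
    # Permitting replies is not the same as permitting inbound echo: flag the latter separately.
    if "any" in permitted or "echo" in permitted:
        findings.append("inbound-echo-permitted: outside ACL %s lets any host ping inside addresses" % acl)
    for name, link in parse_interfaces(config).items():
        if link["speed"] != "auto" or link["duplex"] != "auto":
            findings.append("hardcoded-link: %s is %s/%s; the neighbour port must match exactly"
                            % (name, link["speed"], link["duplex"]))
    return findings


def fixed_config(config=SAMPLE_CONFIG):
    """The same excerpt with 'inspect icmp' added and the inside link returned to auto-negotiate."""
    return (config.replace("  inspect ftp\n", "  inspect ftp\n  inspect icmp\n")
                  .replace(" speed 1000\n duplex full\n", ""))


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("after fix", fixed_config())):
        print(label, audit(cfg) or ["no findings"])
```

Run against the excerpt as posted it reports two findings (replies dropped, inside link hard-coded); against fixed_config() it reports none. Note that it distinguishes reply-type ICMP, which stateful inspection or the three permits above let back in, from an inbound echo permit, which is what would actually expose inside hosts to being pinged from outside.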
 
So you're saying 1000/full is hard-coded in the ASA5510 firewall. If yes, can you tell me how I can do this... auto-negotiate? Don't want to make any mistakes. Thanks again for taking your time out and helping me.
 