ASA 5505 cannot ping Internet hosts by name?

Discussion in 'Cisco' started by gipper, Jan 27, 2008.

  1. gipper

    gipper Guest

    From my internal XP client I can ping hosts by IP address but not by
    name. I also cannot surf the web since name resolution does not work.
    My XP client's default gateway and DNS setting points to 10.1.1.1,
    which is the inside interface of the ASA.

    My config is below, anyone? Thanks!


    ASA Version 8.0(3)
    !
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password xxxxxxxxxxx encrypted
    names
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.1.1.1 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    pppoe client vpdn group bellsouth
    ip address pppoe setroute
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    passwd xxxxxxxxxxx encrypted
    boot system disk0:/asa803-k8.bin
    ftp mode passive
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    same-security-traffic permit intra-interface
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-603.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 65.14.x.x
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 10.1.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown
    coldstart
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    vpdn group bellsouth request dialout pppoe
    vpdn group bellsouth localname
    vpdn group bellsouth ppp authentication pap
    vpdn username password ********* store-local
    dhcpd auto_config outside
    !
    dhcpd address 10.1.1.2-10.1.1.33 inside
    dhcpd enable inside
    !

    threat-detection basic-threat
    threat-detection statistics access-list
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect icmp
    inspect dns preset_dns_map
    !
    service-policy global_policy global
    prompt hostname context
    :end
     
    gipper, Jan 27, 2008
    #1

  2. hinka

    hinka

    Joined:
    Jul 29, 2006
    Messages:
    26
    dns

    i think you need this statement..

    dhcpd dns xx.xx.xx.xx
     
    hinka, Jan 27, 2008
    #2

  3. Guest

    Guest

    On Jan 27, 7:00 am, gipper <> wrote:
    > From my internal XP client I can ping hosts by IP address but not by
    > name. I also cannot surf the web since name resolution does not work.
    > My XP client's default gateway and DNS setting points to 10.1.1.1,
    > which is the inside interface of the ASA.
    >
    > My config is below, anyone? Thanks!
    >
    > ASA Version 8.0(3)
    > !

    Hi gipper

    I'm not 100% sure, but I think the PIX/ASA can't act as a DNS server.
    I also took a look in the documentation, but I can't find any hint
    about it. If I'm right, you must specify the DNS server from your
    internal server (if you have one) or give the DNS servers from your
    ISP:

    dhcpd dns 198.162.11.2 198.162.11.3

    cu
     
    , Jan 27, 2008
    #3
  4. Chris

    Chris Guest

    On Sat, 26 Jan 2008 22:00:35 -0800 (PST), gipper wrote:

    > From my internal XP client I can ping hosts by IP address but not by
    > name. I also cannot surf the web since name resolution does not work.
    > My XP client's default gateway and DNS setting points to 10.1.1.1,
    > which is the inside interface of the ASA.

    Point your clients at a DNS server and then DNS resolution should work. The
    ASA is not a DNS server.

    Chris.
     
    Chris, Jan 27, 2008
    #4
  5. Merv

    Merv Guest

    For your setup to work, BellSouth needs to provide their DNS server
    info as part of the PPP info.

    the

    I do not have access to an ASA 5505 so cannot provide the appropriate
    show or debug commands.

    As an interim measure, configure a "dhcpd dns" command manually:

    NameServer: AUTH-DNS.ASM.BELLSOUTH.NET 205.152.37.24
    NameServer: AUTH-DNS.MIA.BELLSOUTH.NET 205.152.144.24
    NameServer: AUTH-DNS.MSY.BELLSOUTH.NET 205.152.132.24

    Ping the above BellSouth DNS server IP addresses to see which
    BellSouth DNS server responds the fastest from where you are.

    dhcpd dns <insert BellSouth DNS server IP address here> interface inside

    Then renew your DHCP lease on your PC and check the output of
    "ipconfig /all" to see if the PC was given the DNS server IP address
    that you manually configured on the ASA.

    If so, you should be able to ping by name.

    Then you can work on the original problem of getting DNS info passed
    automatically: PPPoE -> ASA DHCP server -> PC (DHCP client)
     
    Merv, Jan 27, 2008
    #5
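Merv's two checks above (see which resolver answers fastest, then confirm the PC's lease actually carries the server you configured) can be scripted. The following is an added example, not code from the thread or from Cisco: it parses a constructed Windows XP `ipconfig /all` excerpt for the DNS servers the DHCP lease handed out, then probes each one with a real DNS A query rather than an ICMP echo, since a server that answers ping may still be unreachable on UDP/53 or refuse recursion. The three resolver addresses are the BellSouth ones Merv lists; the query name www.cisco.com, the 2 s timeout and the ipconfig sample are assumptions.

```python
# Added example (not from the thread): check which DNS servers a DHCP lease
# carries, then probe each with a real A query instead of ICMP.
import random
import re
import socket
import struct
import time

# Constructed Windows XP `ipconfig /all` excerpt, not captured from the poster's PC.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 10.1.1.5
        Default Gateway . . . . . . . . . : 10.1.1.1
        DHCP Server . . . . . . . . . . . : 10.1.1.1
        DNS Servers . . . . . . . . . . . : 205.152.37.24
                                            205.152.144.24
        Lease Obtained. . . . . . . . . . : Sunday, January 27, 2008 7:00:00 AM
"""
IPV4 = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def dns_servers_from_ipconfig(text):
    """DNS servers listed in `ipconfig /all` output; [] if the lease carried none."""
    servers, collecting = [], False
    for line in text.splitlines():
        if line.lstrip().startswith("DNS Servers"):
            collecting, line = True, line.split(":", 1)[-1]   # value after the label
        elif collecting and ":" in line:                      # next field ends the list
            break
        if collecting:
            m = IPV4.match(line)
            if m:
                servers.append(m.group(1))
    return servers


def build_query(name, txn_id=None):
    """Recursive A query for `name` in RFC 1035 wire format: (txn_id, bytes)."""
    txn_id = random.randint(0, 0xFFFF) if txn_id is None else txn_id
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)   # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    return txn_id, header + qname + struct.pack("!HH", 1, 1)       # QTYPE=A, QCLASS=IN


def _read_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                   # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            end = offset + 2 if end is None else end
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_answer(msg, expected_id):
    """Return (rcode, truncated, [A-record IPs]); reject a reply with the wrong ID."""
    txn_id, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txn_id != expected_id:
        raise ValueError("transaction id mismatch: stale or spoofed reply")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    offset, addrs = 12, []
    for _ in range(qd):
        offset = _read_name(msg, offset)[1] + 4     # skip name, QTYPE, QCLASS
    for _ in range(an):
        offset = _read_name(msg, offset)[1]
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[offset:offset + 4]))
        offset += rdlen
    return flags & 0x000F, bool(flags & 0x0200), addrs


# Constructed reply to build_query("example.com", 0x1234): NOERROR, one A record
# 93.184.216.34 whose owner name is a pointer (0xc00c) back to the question.
SAMPLE_RESPONSE = bytes.fromhex(
    "1234 8180 0001 0001 0000 0000"
    "07 6578616d706c65 03 636f6d 00 0001 0001"
    "c00c 0001 0001 00000e10 0004 5db8d822")


def probe(server, name="www.cisco.com", timeout=2.0):
    """Query `server` on UDP/53; return (latency_ms, rcode, ips) or None on timeout."""
    txn_id, query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.monotonic()
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(512)            # 512 = ASA's default dns inspect cap
        except socket.timeout:
            return None
        latency_ms = (time.monotonic() - start) * 1000
    rcode, _tc, ips = parse_answer(data, txn_id)
    return latency_ms, rcode, ips


if __name__ == "__main__":
    for server in dns_servers_from_ipconfig(SAMPLE_IPCONFIG):
        r = probe(server)
        print(server, "no answer" if r is None else "%.0f ms rcode=%d %s" % r)
```

Run it with the real `ipconfig /all` output piped into `dns_servers_from_ipconfig` to see whether the lease carries the server you put in `dhcpd dns`, and keep the resolver with the lowest latency and an rcode of 0. The transaction-ID and QR-bit checks throw away stale or spoofed replies instead of trusting whatever lands on the socket; the 512-byte receive buffer mirrors the `message-length maximum 512` that the posted `inspect dns preset_dns_map` policy enforces, so a reply that the ASA would have dropped shows up here as truncated (TC bit) rather than silently losing records.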
  6. gipper

    gipper Guest

    On Jan 27, 7:46 am, Merv <> wrote:
    > For your setup to work, BellSouth needs to provide their DNS server
    > info as part of the PPP info.
    >
    > the
    >
    > I do not have access to an ASA 5505 so cannot provide the appropriate
    > show or debug commands.
    >
    > As an interim measure, configure a "dhcpd dns" command manually:
    >
    > NameServer: AUTH-DNS.ASM.BELLSOUTH.NET          205.152.37.24
    > NameServer: AUTH-DNS.MIA.BELLSOUTH.NET          205.152.144.24
    > NameServer: AUTH-DNS.MSY.BELLSOUTH.NET          205.152.132.24
    >
    > Ping the above BellSouth DNS server IP addresses to see which
    > BellSouth DNS server responds the fastest from where you are.
    >
    > dhcpd dns <insert BellSouth DNS server IP address here> interface inside
    >
    > Then renew your DHCP lease on your PC and check the output of
    > "ipconfig /all" to see if the PC was given the DNS server IP address
    > that you manually configured on the ASA.
    >
    > If so, you should be able to ping by name.
    >
    > Then you can work on the original problem of getting DNS info passed
    > automatically: PPPoE -> ASA DHCP server -> PC (DHCP client)

    Guys, sorry I didn't explain it better, I'm not trying to make the ASA
    act as DNS, just trying to get it to pass through the DNS info from my
    ISP. Merv hit it on the head. What baffles me is that I had the
    entry checked in ASDM to enable DHCP auto configuration from interface
    outside, but that didn't seem to work? For some reason the ASA
    refuses to pass my BellSouth DNS server info to internal DHCP
    clients. My D-Link did this without an issue. Anyway, adding dhcpd
    dns x.x.x.x worked! I can't tell you how many hours I've spent
    troubleshooting this. Thank you Merv!!!!
     
    gipper, Jan 27, 2008
    #6
  7. Merv

    Merv Guest

    OP,

    Okay, glad the workaround helped you out.

    Now to get to the root cause of your issue.

    Need to find out if BellSouth is passing the DNS server info via PPP.

    See the Cisco docs "Configuring DHCP, DDNS, and WCCP Services":

    http://cco.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/dhcp.html#wp1059065

    For example, to assign the range 10.0.1.101 to 10.0.1.110 to hosts
    connected to the inside interface, enter the following commands:

    hostname(config)# dhcpd address 10.0.1.101-10.0.1.110 inside
    hostname(config)# dhcpd dns 209.165.201.2 209.165.202.129
    hostname(config)# dhcpd wins 209.165.201.5
    hostname(config)# dhcpd lease 3000
    hostname(config)# dhcpd domain example.com
    hostname(config)# dhcpd enable inside

    Try the command "show ip address outside pppoe" to see if, besides
    displaying the IP address assigned during PPP negotiation, it also
    shows DNS server info.

    Could also try:

    debug pppoe event
    debug pppoe packet

    Need to clear the interface or disconnect the outside interface and then
    reconnect to trigger PPP to restart.

    So let's get to the point that you know you are getting the DNS server
    info dynamically via PPP, and then we can go from there.

    Anyone knowing the correct ASA show commands for this, please jump in.

    Merv
     
    Merv, Jan 27, 2008
    #7
  8. will.harder

    will.harder

    Joined:
    Oct 21, 2011
    Messages:
    1
    Cisco ASA 5505

    Hello all,

    I have a Cisco ASA 5505 set up, and we can connect to it via VPN, but nothing is reachable when connected. Cannot ping or resolve DNS.

    It works just fine for routing, as we use it for routing to the Internet.

    Here is the printout:

    : Saved
    :
    ASA Version 8.2(2)
    !
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.169.200 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address 12.156.212.50 255.255.255.248
    !
    interface Vlan3
    no forward interface Vlan1
    nameif dmz
    security-level 50
    no ip address
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    boot system disk0:/asa822-k8.bin
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns domain-lookup inside
    dns domain-lookup outside
    dns domain-lookup dmz
    dns server-group DefaultDNS
    name-server 192.168.169.5
    domain-name schunk.com
    object-group service VID tcp-udp
    description Video Conf port range
    port-object range 3230 3253
    port-object range 1718 1722
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    access-list 101 extended permit icmp any any echo-reply
    access-list 101 extended permit icmp any any source-quench
    access-list 101 extended permit icmp any any time-exceeded
    access-list 101 extended permit object-group TCPUDP Germany_Vid 255.255.255.240 host vid object-group VID
    access-list inside_nat0_outbound extended permit ip any 192.168.2.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.169.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list Tunnel standard permit 192.168.169.0 255.255.255.0
    pager lines 24
    logging enable
    logging buffer-size 8096
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    ip local pool VPNPool2 192.168.2.200-192.168.2.220 mask 255.255.255.0
    ip local pool Eniro 192.168.169.160-192.168.169.170 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-631.bin
    asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 192.168.169.0 255.255.255.0
    access-group 101 in interface outside
    route outside 0.0.0.0 0.0.0.0 12.156.212.49 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    aaa authentication telnet console LOCAL
    aaa authorization command LOCAL
    http server enable
    http 192.168.169.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map outside_dyn_map 20 set pfs
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 40 set pfs
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto ca server
    shutdown

    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    no vpn-addr-assign aaa
    no vpn-addr-assign dhcp
    vpn-sessiondb max-session-limit 10
    telnet 192.168.169.0 255.255.255.0 inside
    telnet timeout 5
    ssh 192.168.169.0 255.255.255.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    ssh version 2
    console timeout 0
    dhcpd dns 12.127.17.71 12.127.17.72
    dhcpd domain schunk.com
    !

    vpnclient mode network-extension-mode
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy EnviroVPN internal
    group-policy EnviroVPN attributes
    dns-server value 192.168.169.5 12.127.17.71
    vpn-simultaneous-logins 10
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Tunnel
    default-domain value envirotronics.local
    tunnel-group EnviroVPN type remote-access
    tunnel-group EnviroVPN general-attributes
    address-pool VPNPool2
    default-group-policy EnviroVPN
    tunnel-group EnviroVPN ipsec-attributes
    pre-shared-key *****
    !
    class-map type inspect h323 match-any Video
    match media-type video
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map type inspect h323 Teleconferance
    description Polycom
    parameters
    hsi-group 323
    hsi 12.156.212.53
    endpoint vid dmz
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect rsh
    inspect rtsp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect h323 ras Teleconferance
    !
    service-policy global_policy global
    prompt hostname context
    call-home
    profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:a8f7dface0c842f545e01f87a3b13f37
    : end
    asdm image disk0:/asdm-631.bin
    asdm location Germany_Vid 255.255.255.240 inside
    asdm location vid 255.255.255.255 inside
    asdm history enable




    Any help would be greatly appreciated! It uses internal DHCP.
     
    Last edited: Oct 21, 2011
    will.harder, Oct 21, 2011
    #8
