06-24-2007 05:44 AM - edited 03-03-2019 05:34 PM
Hello,
I need help to solve this case, here are the details:
Router c3845:
interface GigabitEthernet0/0
ip address 212.x.x.106 255.255.255.252
!
interface GigabitEthernet0/1
ip address 88.x.x.1 255.255.255.192
!
ip route 0.0.0.0 0.0.0.0 g0/0
ip route 172.16.200.0 255.255.255.224 88.76.192.2
ip route 172.16.204.0 255.255.255.0 88.76.192.2
------------------------
cisco ASA:
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 88.x.x.2 255.255.255.192
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.16.200.225 255.255.255.224
!
access-list w extended permit ip any any
access-list icmp extended permit icmp any any
access-list icmp extended permit icmp any any echo
access-list icmp extended permit icmp any any echo-reply
!
access-group w in int inside
access-group icmp in int outside
!
icmp permit any outside
icmp permit any inside
!
S 0.0.0.0 0.0.0.0 [1/0] via 88.76.192.2, outside
C 88.x.x.0 255.255.255.192 is directly connected, outside
C 172.16.200.224 255.255.255.224 is directly connected, inside
S 172.16.204.0 255.255.255.0 [1/0] via 172.16.200.226, inside
--------------------
Workstation: IP 172.16.204.27
I can ping the workstation from the ASA without any problems, and I can send logging traps from the ASA to this workstation. The case is that I need to make the router send logging to this workstation,
but I can't even ping this workstation from the router, although there is a route to its subnet configured in the router.
So could anyone tell me where the problem is?
Thanks
Talal Habeeb
06-24-2007 05:55 AM
Friend,
By default, all traffic from a higher security interface to a lower security interface will get NATted.
You will have to define a static NAT for the workstation and send the router logs to the NATted public IP.
e.g.
on the ASA
static (inside,outside) 88.76.192.3 172.16.204.27 netmask 255.255.255.255 0 0
router(config)#logging 88.76.192.3
router(config)#logging trap debugging
HTH, rate if it does
Narayan
06-24-2007 11:06 PM
Hello,
Thank you Narayan, it worked and I successfully pinged the workstation from the router using the mapped IP address, but after a while it didn't work
and I cannot ping the workstation from the router, although I didn't configure anything after the static map. So what do you think about this problem?
Thanks
Talal Habeeb
06-24-2007 11:34 PM
Hi
In addition to the above post, you need to configure an access-list to allow connections from lower security to higher security interfaces.
Configure an access list to permit the logging ports and apply it on the outside interface.
Thanks
Mahmood
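Added example, not part of any post in this thread: a small Python model of first-match evaluation of the outside ACL `icmp` as posted, showing that it passes ICMP but drops UDP/514 at the implicit deny, and that one narrowly scoped entry lets the router's syslog through. Assumptions: 192.0.2.1 is a constructed stand-in for the router's masked 88.x.x.1, the scope of the added entry is hypothetical, and the ACL is taken to match on the mapped address 88.76.192.3.

```python
import ipaddress

ROUTER = "192.0.2.1"         # constructed stand-in for the router's masked 88.x.x.1
MAPPED_HOST = "88.76.192.3"  # static-NAT address of the workstation, from the thread

# Outside ACL "icmp" as posted: (action, protocol, source, destination, dst_port).
# The echo / echo-reply entries are already covered by "permit icmp any any".
ACL_POSTED = [
    ("permit", "icmp", "any", "any", None),
]

# Hypothetical added entry: syslog only, from the router to the mapped host.
ACL_WITH_SYSLOG = ACL_POSTED + [
    ("permit", "udp", ROUTER, MAPPED_HOST, 514),
]

def _addr_match(rule_addr, pkt_addr):
    """True when the packet address falls inside the rule's host or network."""
    if rule_addr == "any":
        return True
    return ipaddress.ip_address(pkt_addr) in ipaddress.ip_network(rule_addr)

def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, r_proto, r_src, r_dst, r_port in acl:
        if r_proto not in ("ip", proto):
            continue
        if not (_addr_match(r_src, src) and _addr_match(r_dst, dst)):
            continue
        if r_port is not None and r_port != dport:
            continue
        return action
    return "deny (implicit)"

def report(acl):
    """Verdicts for the flows discussed in the thread plus two negative checks."""
    return {
        "ping": evaluate(acl, "icmp", ROUTER, MAPPED_HOST),
        "syslog": evaluate(acl, "udp", ROUTER, MAPPED_HOST, 514),
        "other_udp": evaluate(acl, "udp", ROUTER, MAPPED_HOST, 161),
        "syslog_other_src": evaluate(acl, "udp", "198.51.100.7", MAPPED_HOST, 514),
    }

if __name__ == "__main__":
    for name, acl in (("posted", ACL_POSTED), ("with syslog entry", ACL_WITH_SYSLOG)):
        print(name, report(acl))
```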
06-24-2007 11:47 PM
Have you made any changes to the access-list you had posted?
Can you repost your configuration?
Narayan
06-25-2007 04:46 AM
Hello,
Thank you Narayan and Mahmood. As you said, Mahmood, I configured an access-list and it is now working just fine.
Thanks
Talal Habeeb