06-24-2007 05:44 AM - edited 03-03-2019 05:34 PM
Hello,
I need help to solve this case, here are the details:
Router c3845:
interface GigabitEthernet0/0
ip address 212.x.x.106 255.255.255.252
!
interface GigabitEthernet0/1
ip address 88.x.x.1 255.255.255.192
!
ip route 0.0.0.0 0.0.0.0 g0/0
ip route 172.16.200.0 255.255.255.224 88.76.192.2
ip route 172.16.204.0 255.255.255.0 88.76.192.2
------------------------
cisco ASA:
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 88.x.x.2 255.255.255.192
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.16.200.225 255.255.255.224
!
access-list w extended permit ip any any
access-list icmp extended permit icmp any any
access-list icmp extended permit icmp any any echo
access-list icmp extended permit icmp any any echo-reply
!
access-group w in int inside
access-group icmp in int outside
!
icmp permit any outside
icmp permit any inside
!
S 0.0.0.0 0.0.0.0 [1/0] via 88.76.192.2, outside
C 88.x.x.0 255.255.255.192 is directly connected, outside
C 172.16.200.224 255.255.255.224 is directly connected, inside
S 172.16.204.0 255.255.255.0 [1/0] via 172.16.200.226, inside
--------------------
Workstation: IP 172.16.204.27
I can ping the workstation from the ASA without any problems, and I can send logging traps from the ASA to this workstation. The case is that I need to make the router send logging to this workstation, but I can't even ping this workstation from the router, although there is a route to its subnet configured in the router.
So could anyone tell me where the problem is?
Thanks
Talal Habeeb
06-24-2007 05:55 AM
Friend,
By default, all traffic from a higher-security interface to a lower-security interface will get NATted.
You will have to define a static NAT for the workstation and send the router logs to the NATted public IP,
e.g.
on the ASA
static (inside,outside) 88.76.192.3 172.16.204.27 netmask 255.255.255.255 0 0
router(config)#logging 88.76.192.3
router(config)#logging trap debugging
HTH, rate if it does
Narayan
06-24-2007 11:06 PM
Hello,
Thank you Narayan, it worked and I successfully pinged the workstation from the router using the mapped IP address, but after a while it didn't work and I cannot ping the workstation from the router, although I didn't configure anything after the static map. So what do you think about this problem?
Thanks
Talal Habeeb
06-24-2007 11:34 PM
Hi
In addition to the above post, you need to configure an access-list to allow connections from lower-security to higher-security interfaces.
Configure an access-list to permit the logging ports and apply it on the outside interface.
Thanks
Mahmood
06-24-2007 11:47 PM
Have you made any changes to the access-list you had posted?
Can you repost your configuration?
Narayan
06-25-2007 04:46 AM
Hello,
Thank you Narayan and Mahmood. As you said, Mahmood, I configured the access-list and it is now working just fine.
Thanks
Talal Habeeb
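The fix the thread converged on, written out as an added example that is not part of any post above. It assumes pre-8.3 ASA syntax (the same era as the static command in Narayan's reply) and that the router sends syslog on the default UDP port 514; 88.x.x.1 is the router's address as masked in the original post.

```cisco
! Added example, not configuration posted by anyone in the thread.
! 88.x.x.1    = router GigabitEthernet0/1, masked as in the original post
!               (substitute the real address)
! 88.76.192.3 = mapped address from Narayan's reply
!
! 1. One-to-one translation so the outside router can reach the
!    inside workstation at a routable address.
static (inside,outside) 88.76.192.3 172.16.204.27 netmask 255.255.255.255
!
! 2. Permit only syslog, only from the router, only to the mapped address.
!    On pre-8.3 code the outside ACL matches the mapped (global) address.
!    The ACL named "icmp" is already bound inbound on outside, and an
!    interface takes one ACL per direction, so the entry is added to it.
access-list icmp extended permit udp host 88.x.x.1 host 88.76.192.3 eq syslog
access-group icmp in interface outside
!
! 3. Verify: the translation exists and the new entry's hit count
!    rises as the router emits log messages.
show xlate
show access-list icmp
```

Scoping the entry to one source host, one destination and one port keeps the outside interface from accepting anything beyond the router's log traffic, unlike the `permit ip any any` style used on the inside ACL.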