10-18-2007 08:11 AM - edited 03-03-2019 07:13 PM
Hello,
I have an ASA 5510 device.
int0 is connected to ISP1.
int1 is connected to the LAN (10.100.100.0/255.255.255.0).
The ASA is configured to NAT (PAT) the LAN.
What is the problem:
I need to configure the ASA to route all traffic to LAN 10.10.0.0/255.255.0.0 through 10.100.100.1.
I configured a static route on the device:
route inside 10.10.0.0 255.255.0.0 10.100.100.1 1
The problem is that if I ping 10.10.1.1, which is a valid host, the ASA reports "portmap translation creation failed for icmp source inside dst inside 10.10.1.1".
If I set 10.100.100.1 as the gateway on a computer and ping 10.10.1.1, it works.
thx
10-18-2007 08:48 AM
Can you post a sanitized config?
10-18-2007 09:23 AM
: Saved
:
ASA Version 7.2(3)
!
hostname ASA
domain-name car.ro
enable password xxxxxxx encrypted
names
name 80.xx.xx.70 AdrsPublica
name 10.100.100.61 ITManager
name 80.xx.xx.65 Router2821
!
interface Ethernet0/0
nameif WAN1
security-level 0
ip address 80.xx.xx.66 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.100.100.3 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd xxxxxxxxxxxxxx encrypted
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
dns server-group DefaultDNS
domain-name car.ro
same-security-traffic permit intra-interface
access-list WAN1_access_in extended permit ip host Router2821 host 80.xx.xx.71 log emergencies
access-list inside_access_in extended permit ip 10.100.100.0 255.255.255.0 any
access-list inside_access_in extended permit ip 10.10.0.0 255.255.0.0 10.100.100.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu WAN1 1500
mtu inside 1500
mtu management 1500
ip verify reverse-path interface WAN1
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat-control
global (WAN1) 101 interface
global (WAN1) 120 80.xx.xx.71 netmask 255.255.255.255
nat (inside) 101 10.100.100.0 255.255.255.0
static (inside,WAN1) udp 80.xx.xx.71 tftp ITManager tftp netmask 255.255.255.255
access-group WAN1_access_in in interface WAN1
access-group inside_access_in in interface inside
route WAN1 0.0.0.0 0.0.0.0 Router2821 1
route inside 10.10.0.0 255.255.0.0 10.100.100.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.100.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 10.100.100.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access management
dhcpd address 192.168.1.2-192.168.1.254 management
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
username alex password xxxxxxxxxxxxxxxxxxxxxxxxx encrypted privilege 15
prompt hostname context
Cryptochecksum:xxx
: end
10-18-2007 11:34 AM
The problem here is that you are attempting to hairpin the traffic on the inside interface. You were right to add the same-security-traffic permit intra-interface command, but you need a little more.
Add...
static (inside,inside) 10.10.0.0 10.10.0.0 netmask 255.255.0.0
global (inside) 101 interface
Adding the global statement with the corresponding nat statement will ensure the reply from the 10.10.0.0 network will be routed back to the inside of the ASA, which will then be routed back to the source 10.100.100.x.
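The reply above boils down to a checklist for a hairpinned route on an ASA running nat-control: intra-interface traffic must be permitted, and the flow that leaves the same interface it entered needs a translation. The script below is an added example (not from the thread or from Cisco) that reads those statements out of a config excerpt and reports what is missing. The config text is a constructed excerpt of the sanitized config posted above; the heuristic that "a route out interface X is a hairpin when X also carries a nat (X) statement" is the script's own assumption and covers the case in this thread, not every ASA topology.

```python
import re
from collections import defaultdict

# Constructed sample: the hairpin-relevant lines of the sanitized config
# posted above, before the suggested fix was applied.
CONFIG_BEFORE = """\
same-security-traffic permit intra-interface
nat-control
global (WAN1) 101 interface
nat (inside) 101 10.100.100.0 255.255.255.0
route WAN1 0.0.0.0 0.0.0.0 Router2821 1
route inside 10.10.0.0 255.255.0.0 10.100.100.1 1
"""

# Same excerpt with the two lines recommended in the reply appended.
CONFIG_AFTER = CONFIG_BEFORE + """\
static (inside,inside) 10.10.0.0 10.10.0.0 netmask 255.255.0.0
global (inside) 101 interface
"""

ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+)")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\)")


def parse(config):
    """Pull out the handful of statements that decide hairpin behaviour."""
    facts = {
        "intra": False,                    # same-security-traffic permit intra-interface
        "nat_control": False,              # nat-control present
        "routes": [],                      # (ifname, network, mask, gateway)
        "nat_ids": defaultdict(set),       # ifname -> {nat id}
        "global_ids": defaultdict(set),    # ifname -> {nat id}
        "statics": set(),                  # {(real_if, mapped_if)}
    }
    for raw in config.splitlines():
        line = raw.strip()
        if line == "same-security-traffic permit intra-interface":
            facts["intra"] = True
        elif line == "nat-control":
            facts["nat_control"] = True
        elif m := ROUTE_RE.match(line):
            facts["routes"].append(m.groups())
        elif m := NAT_RE.match(line):
            facts["nat_ids"][m.group(1)].add(int(m.group(2)))
        elif m := GLOBAL_RE.match(line):
            facts["global_ids"][m.group(1)].add(int(m.group(2)))
        elif m := STATIC_RE.match(line):
            facts["statics"].add((m.group(1), m.group(2)))
    return facts


def audit_hairpin_routes(config):
    """Return findings for routes that send NAT'd traffic back out the
    interface it arrived on. Assumption: a route out interface X is treated
    as a hairpin when X also has a nat (X) statement (the thread's case)."""
    f = parse(config)
    findings = []
    for ifname, net, mask, _gw in f["routes"]:
        if ifname not in f["nat_ids"]:
            continue  # traffic from this interface is not NAT'd; not a hairpin
        route = f"route {ifname} {net} {mask}"
        if not f["intra"]:
            findings.append(f"{route}: needs 'same-security-traffic permit intra-interface'")
        if not f["nat_control"]:
            continue  # without nat-control an untranslated hairpin flow is allowed
        # The reply recommends both: an identity static for the far network
        # and a global on the same interface matching the existing nat id.
        if (ifname, ifname) not in f["statics"]:
            findings.append(f"{route}: missing static ({ifname},{ifname}) {net} {net} netmask {mask}")
        if not (f["nat_ids"][ifname] & f["global_ids"][ifname]):
            nat_id = min(f["nat_ids"][ifname])
            findings.append(f"{route}: missing global ({ifname}) {nat_id} interface")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, audit_hairpin_routes(cfg) or ["ok"])
```

Run it against a `show running-config` dump and the default route out WAN1 is skipped (no nat (WAN1) statement), while the inside route is flagged until both the static and the global are present.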
10-18-2007 12:27 PM
done work
THX
10-18-2007 12:30 PM
Does that mean it worked or it did not work? I hope it did.
10-19-2007 09:29 AM
It worked.
Thank you very much.
But I have another question.
I have 2 ISPs.
I want to configure int 0/3 with an IP address from the second provider. The allocated IP address is 82.76.xx.xx/255.255.255.0. The DNS from this provider is 193.231.236.xx. I want to configure the ASA to NAT all requests that go to the DNS (193.231......) through 82.76.xx.xx.
Is it possible?
Thank you