Ping works from ASA to remote network but not from PCs behind ASA

Unanswered Question
Dec 2nd, 2007

We have a joint venture with a company who has started to take IT into their own hands. Unfortunately, they still need access to many of our systems. They recently installed an ASA 5505 with their own internet connection. They are also connected to us via Sprint MPLS and a Cisco 2801 we have on site (10.0.1.1). I have a static route in the ASA directing any traffic for 192.168.1.0 to 10.0.1.1. Pinging works fine from the ASA, but none of the PCs behind the ASA can ping anything in the 192.168.1.0 network. To get it to work I had to add a manual route add command on the Windows XP machine. The client PCs use the ASA as their default gateway, so I would assume it would just know to forward any request for 192.168.1.0 to 10.0.1.1. I've attached the config for the ASA on site there. I'm thinking this might be something to do with NAT, since when I try to ping from a PC the ASA spits out something about "no translation group...."


I appreciate any help.



jeremyault Sun, 12/02/2007 - 17:23

I could be wrong but I think you need a NAT exception for traffic from the 10 network to the 192 network.


Try this:

access-list NONAT permit ip 10.0.1.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (inside) 0 access-list NONAT

henryrohlfs Sun, 12/30/2007 - 18:46

I'm curious if this worked since I have a similar problem routing to a second network on my inside interface.

srue Sun, 12/30/2007 - 21:07

Either turn on ICMP inspection, or explicitly allow echo-reply traffic back in to the ping source.

jimgrumbles Thu, 01/03/2008 - 15:35

Sorry about the lack of response. It looks like the way the remote technician set up the PC for me to access was on a separate network. I had assumed he had it on the same network as all the other PCs, but apparently not; they were working normally. Thank you for the responses.
