cannot access the internet router through ASA

mohamed_makled
Level 1

Dear all

I have an ASA in the main site; the users in this site can access the internet properly without any problems.

But after installing the firewall between the internet router and the BB switch, I cannot ping nor telnet to the internet router from my PC in the LAN.

There is a WAN router connected to a DMZ interface on the ASA (its name is wan). From the LAN, I can ping and telnet to the WAN router, but I cannot do that to the internet router.

Routing on the internet router:

-------------------------------

ip route 0.0.0.0 0.0.0.0 10.82.212.169
ip route 10.1.0.0 255.255.0.0 82.35.212.169
ip route 172.18.100.0 255.255.255.0 82.35.212.169

82.35.212.169 is the outside interface of the ASA.

Please find the attached files for the topology and the ASA configuration.

Please, I need your advice.

Regards

13 Replies

a.alekseev
Level 7

Can you ping the inet router from the ASA?

What default gateway do you have on the PC?

Dear a.alekseev

Thanks for your reply. From the ASA I can ping the internet router. Also, I can ping my PC from the ASA.

From the internet router I can ping the outside interface of the ASA.

But when trying to ping my PC from the internet router I cannot, and the following log appears on the ASA:

%ASA-3-305005 : No translation group found for icmp src outside:82.35.212.172 dst inside:10.1.2.48(type8,code0).

The default gateway on my PC (10.1.2.48) is the interface VLAN on the BB switch (10.1.2.1).

From my PC I can ping my gateway, the inside interface of the ASA and the outside interface of the ASA.

Regards

You may need a couple of things in your config.

In the global policy add inspect icmp,

i.e.

policy-map global_policy
 class inspection_default
  inspect icmp

Even though you have nat (inside) 1 0.0, you may need to explicitly specify the 10.1.0.0/16 network sitting behind another L3 device behind the ASA in NAT.

You could get 10.1.0.0/16 NATed through the outside interface to get to the internet router, using the outside interface as PAT. Try:

nat (inside) 1 10.1.0.0 255.255.0.0

You may also do a no-NAT ACL to connect to the internet router, but preferably do it through interface PAT. Try that; this would also get you outbound internet via PAT for the 10.1.0.0/16 network.

Rgds

Jorge

Jorge Rodriguez

Dear Jorge

Thanks for your reply. I will do that and feed back to you again, but I need to remind you that I can ping the WAN router interface from my PC, which is connected to the ASA, and I can also telnet to this router. Why can't I do that for the internet router???

Does the BB switch have a route to 82.35.212.172, or is its default route pointing to the inside address of the ASA?

With the existing configuration you won't be able to ping from an outside to an inside PC. However, the configuration looks good and you should be able to ping from inside to outside as long as routing on your inside is good to the ASA.

Have you tried doing a 'clear xlate' in the ASA and testing connectivity from inside to the Internet router?

Dear Sundar

Thanks for your reply. On the BB switch there is a default route to the inside interface of the ASA only:

ip route 0.0.0.0 0.0.0.0 172.18.100.254

I have done clear xlate on the ASA many times, but I am still facing the same problem.

Regards

Try this.

Do a 'debug ip icmp' on the Internet router.

Try to ping from your PC and see if the echo packets are making it to the router.

Dear Sundar

OK, I will do that and feed back to you again.

Thanks

Sundar, long time, greetings!

Mohamed is getting the below message. It seems from the beginning of the post that he is trying to ping from the internet router to a PC in the inside subnet 10.1.0.0/16, yet there is no static NAT for 10.1.0.0/16 hosts nor a specific rule for this. If we observe the NAT statement in the config for the WAN router that works, we see the difference.

%ASA-3-305005 : No translation group found for icmp src outside:82.35.212.172 dst inside:10.1.2.48(type8,code0).

You can do debug ip icmp as suggested, but I believe the issue is the NATing. First, to ping from outside the ASA to inside you need some form of NATing and access rules, as traffic from outside to inside is denied. In his case he is permitting ICMP, but there are no translations happening from outside to inside 10.1.0.0/16.

On the other hand, local to the ASA firewall, it is aware of 10.1.0.0/16 but it does not know how to translate it to outside when traffic is going out to the internet router.

Just a thought. Do the changes one step at a time; as suggested, debug ip icmp will help to see what's happening.

Rgds

Jorge

Jorge Rodriguez

But when trying to ping my PC from the internet router I cannot, and the following log appears on the ASA:

%ASA-3-305005 : No translation group found for icmp src outside:82.35.212.172 dst inside:10.1.2.48(type8,code0).

This is normal.

You cannot ping internal hosts from outside because you are doing PAT.

Mohammed, any update with your problem? Is it resolved? Please let us know.

Jorge Rodriguez

Dear Jorge

The problem is solved now and everything is OK. The situation before the firewall was that the BB switch was connected directly to the internet router, so it was a must to create an interface VLAN on the BB for the internet; it was 82.35.212.169.

After installing the firewall between the BB switch and the internet router, we had to delete the above interface VLAN on the BB.

Now, after deleting it, I can ping and telnet to the router.

I would like to thank you, Jorge, and everyone for helping me with this issue.

Thanks for updating us.

That makes sense as it was a LAN routing issue.
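To show why this was a LAN routing issue rather than an ASA NAT issue, here is an added longest-prefix-match simulation of the BB switch's routing table (example code, not from the thread or from Cisco). It assumes a /29 mask for the 82.35.212.x subnet and a constructed WAN router address, since the thread gives neither.

```python
import ipaddress

# Addresses from the thread
ASA_INSIDE = "172.18.100.254"     # BB switch default gateway (ip route 0.0.0.0 0.0.0.0 172.18.100.254)
INET_ROUTER = "82.35.212.172"     # internet router, seen as the ICMP source in the ASA log
STALE_SVI = "82.35.212.169/29"    # SVI left on the BB switch after the ASA was inserted; /29 mask is assumed
# Constructed stand-in for the WAN router on the ASA "wan" interface; the page gives no address
WAN_ROUTER = "192.0.2.1"


def bb_switch_routes(stale_svi_present):
    """Routing table of the BB switch as (network, next_hop) pairs.

    next_hop None models a connected route: the switch ARPs on that VLAN
    itself instead of forwarding to a gateway.
    """
    routes = [(ipaddress.ip_network("0.0.0.0/0"), ASA_INSIDE)]
    if stale_svi_present:
        # An SVI with 82.35.212.169/29 installs a connected route for 82.35.212.168/29
        routes.append((ipaddress.ip_interface(STALE_SVI).network, None))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, as a router's forwarding table does it.

    Returns (matched_network, next_hop); next_hop None means 'connected'.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for net, next_hop in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def explain(dst, stale_svi_present):
    net, next_hop = lookup(bb_switch_routes(stale_svi_present), dst)
    if next_hop is None:
        # Before the fix: the /29 beats the /0, so the switch ARPs on a VLAN
        # that no longer leads to the internet router. Pings never reach the ASA.
        return f"{dst}: connected via stale SVI ({net}), ARP on the VLAN, no reply"
    return f"{dst}: forwarded to {next_hop} via {net}"


if __name__ == "__main__":
    for stale in (True, False):
        print("stale SVI present" if stale else "stale SVI removed")
        print(" ", explain(INET_ROUTER, stale))
        print(" ", explain(WAN_ROUTER, stale))
```

The WAN router is never affected because its address only ever matches the default route, which is exactly the asymmetry Mohamed reported.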
