11-21-2008 03:30 AM - edited 03-11-2019 07:16 AM
Hi,
I have a problem with an ASA: I cannot ping a modem that is directly connected to the outside ASA interface.
The ACL is set to permit IP any to any.
And the static rules are:
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 any
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 101 0.0.0.0 0.0.0.0
The modem has an IP address in the same subnet as the outside interface address. The inside subnet range is 10.0.0.0.
Can you see why I can't ping the modem? Is it because the nat 0 command removes NAT from all packets from 10.0.0.0, so the packet's sender IP is not in the same subnet as the modem IP?
11-21-2008 03:36 AM
Elena
"Is it because the nat 0 command removes NAT from all packets from 10.0.0.0, so the packet's sender IP is not in the same subnet as the modem IP?"
Well, yes, very probably. Unless the modem has a route for 10.0.0.0/24 pointing back to the outside interface of your ASA, it won't work.
You need to NAT the 10.0.0.x addresses as they leave the outside interface of the ASA, so remove the NAT exemption part of your config, i.e.
no access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 any
Jon
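The reasoning in this answer can be checked by modelling the ASA 8.0 order of operations for an outbound packet: a matching "nat (interface) 0 access-list" exemption is applied before any dynamic nat/global pair, so an exempted packet leaves with its private source address and a peer that only knows its own /30 has nowhere to send the reply. The following is an added example written for this thread, not code from Cisco or from the posters; it parses the NAT lines from the first post (the nat 0 line is pointed at the inside_nat0_outbound ACL that the post defines, an assumption) and uses 203.0.113.0/24 (TEST-NET-3) as a constructed stand-in for the elided outside prefix.

```python
"""Model of the ASA 8.0 outbound NAT decision for inside -> outside traffic.

Shows why a nat 0 (identity NAT) exemption lets 10.0.0.x reach the modem
untranslated, and why removing it makes the modem see the outside interface
address instead. All addresses and config text below are constructed.
"""
import ipaddress

# Constructed: NAT lines from the first post; the 203.0.113.x prefix is a placeholder
# for the elided outside subnet and the nat 0 line names the ACL the post defines.
CONFIG_BEFORE = """
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 any
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
"""
# Constructed: the same config after the exemption is removed, as the answer suggests.
CONFIG_AFTER = "\n".join(l for l in CONFIG_BEFORE.splitlines() if "nat (inside) 0" not in l)

INTERFACES = {"outside": ipaddress.ip_interface("203.0.113.50/30"),
              "inside": ipaddress.ip_interface("10.0.0.22/24")}
MODEM = ipaddress.ip_interface("203.0.113.49/30")   # modem only knows its connected /30


def _parse_addr(tokens):
    """Consume one ACL address term (any | host A | A MASK) and return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_nat_config(text):
    """Collect extended ACLs, nat 0 exemptions, dynamic nat statements and global pools."""
    acls, exempt, dynamic, pools = {}, {}, {}, {}
    for line in text.splitlines():
        p = line.split()
        if not p:
            continue
        if p[0] == "access-list" and p[2] == "extended":
            src, rest = _parse_addr(p[5:])
            dst, _ = _parse_addr(rest)
            acls.setdefault(p[1], []).append((p[3], p[4], src, dst))   # action, proto, src, dst
        elif p[0] == "nat":
            ifc, nat_id = p[1].strip("()"), int(p[2])
            if nat_id == 0 and p[3] == "access-list":
                exempt[ifc] = p[4]            # identity NAT: matching packets leave untranslated
            else:
                net = ipaddress.ip_network(f"{p[3]}/{p[4]}", strict=False)
                dynamic.setdefault(ifc, []).append((nat_id, net))
        elif p[0] == "global":
            pools[(p[1].strip("()"), int(p[2]))] = p[3]
    return acls, exempt, dynamic, pools


def translated_source(cfg, ifaces, ifc_in, ifc_out, src, dst):
    """Return (source address the outside peer sees, reason).

    ASA 8.0 evaluates the nat 0 access-list exemption before dynamic nat/global pairs.
    """
    acls, exempt, dynamic, pools = cfg
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    acl = exempt.get(ifc_in)
    for action, proto, s, d in acls.get(acl, []):
        if action == "permit" and proto == "ip" and src_ip in s and dst_ip in d:
            return src_ip, f"exempt from NAT by access-list {acl}"
    for nat_id, net in dynamic.get(ifc_in, []):
        if src_ip in net:
            pool = pools.get((ifc_out, nat_id))
            if pool == "interface":
                return ifaces[ifc_out].ip, f"PAT to {ifc_out} interface (nat/global {nat_id})"
            if pool:
                return ipaddress.ip_address(pool), f"NAT to global {pool} (nat/global {nat_id})"
    return src_ip, "no matching nat statement"


def diagnose(config_text, src, dst, ifaces=INTERFACES, peer=MODEM):
    """Simulate an inside host pinging the modem; the modem can only answer sources
    inside its connected subnet, since it has no route for 10.0.0.0/24."""
    cfg = parse_nat_config(config_text)
    seen, reason = translated_source(cfg, ifaces, "inside", "outside", src, dst)
    return str(seen), reason, seen in peer.network


if __name__ == "__main__":
    for label, cfg in (("with nat 0 exemption", CONFIG_BEFORE), ("exemption removed", CONFIG_AFTER)):
        seen, reason, ok = diagnose(cfg, "10.0.0.22", str(MODEM.ip))
        print(f"{label}: modem sees source {seen} ({reason}); reply possible: {ok}")
```

Running it with the exemption in place reports the modem seeing 10.0.0.22 and no possible reply; with the nat 0 line removed the dynamic PAT to the interface address applies and the modem sees 203.0.113.50 on its own /30. The model deliberately ignores the `clear xlate` step discussed later in the thread: a stale translation already in the xlate table would override this decision on a real device until it is cleared.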
11-21-2008 05:04 AM
Can I remove the line nat (inside) 0 access-list inside_nat0_outbound_1 ?
11-21-2008 05:08 AM
Elena
Difficult to say as you only posted a part of your config. If you are sure it is not being used for anything else on the firewall then yes you can remove it.
Jon
11-21-2008 05:14 AM
Jon,
I understand what you mean, and I want all the traffic to be NATed.
Otherwise, I still have the problem with the modem, and I am not sure whether the cable has to be straight or crossover. Is the firewall like a PC or like a switch in this respect?
11-21-2008 05:18 AM
If you want all traffic to be NATed then yes, remove that line from your config.
The firewall is like a router/PC in this regard so you either
1) need a switch between the modem and pix and use straight thru cables
OR
2) Use a crossover cable
Jon
11-21-2008 05:34 AM
With a crossover cable and with NAT activated on outside, I still have problems pinging the modem address --.49, which is in the same subnet as the outside interface IP --.50.
I am sending you the configuration so you can find any discrepancy that stops pings from passing through.
For example, look at the command
icmp unreachable rate-limit 1 burst-size 1
I have also configured VPNs for remote access, but I can't paste the configuration text window. Tell me also whether this could be the problem.
Please help me. Thanks.
ASA Version 8.0(4)
!
hostname --
domain-name --.es
enable password -- encrypted
passwd -- encrypted
names
name -- PoolVPN
!
interface Ethernet0/0
nameif outside
security-level 0
ip address --.50 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.0.0.22 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
ftp mode passive
dns server-group DefaultDNS
domain-name --
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list AccesoLANlocal remark Acceso local conectado a VPN
access-list AccesoLANlocal standard permit host 0.0.0.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 any
access-list 101 extended permit icmp any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any 10.0.0.0 255.255.255.0 echo-reply inactive
access-list outside_access_in extended permit tcp any any eq www
access-list inside_nat0_outbound_1 extended permit ip any 10.0.0.0 255.255.255.192
pager lines 24
logging enable
logging buffered debugging
logging asdm debugging
mtu outside 1500
mtu inside 1500
ip local pool VPNPool 10.0.0.30-10.0.0.39 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 --.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
11-21-2008 06:11 AM
Elena
Can you ping the .49 address from the ASA device itself?
You may need to clear xlate if you have changed the NAT translations, or at least clear xlate for the inside host you are pinging the modem from.
Jon
11-21-2008 06:40 AM
No, I can't ping the .49 address.
11-21-2008 06:44 AM
Can you add to your config
icmp permit any outside
This is only temporary. Retest with both a straight-thru and a crossover cable, just in case the modem is doing something funny.
Jon
11-21-2008 06:54 AM
I've already tried with a straight and a crossover cable, but without the command
icmp permit any outside
I'll try the command on Monday. But I don't think it will work, because I have tried a test config before, with a PC on the outside, and I pinged successfully.
Could this problem be related to the VPN remote access?
11-21-2008 07:07 AM
Does the ASA need to restart the interface to take changes on nat?
11-21-2008 07:09 AM
No, but if you make changes to NAT you will need to do a "clear xlate" to remove the existing NAT translations.
Jon
11-24-2008 04:21 AM
It's OK, thanks.