ASA as a GW for PC, route/nat problem

Unanswered Question
Jan 12th, 2009

Hi,

I'm using an ASA5510 ver 8.0(3), still having trouble with the routing. Sorry to keep reposting on the same topic, I thought I had it resolved...

From the PC (GW pointing to the ASA) I'm able to ping all network devices and servers with the nonat ACL set up. I just can't do anything other than ping. RDP, telnet, ssh, smtp, any port I try to use on an alternate subnet fails.

Even when I try the packet-tracer command from the ASA it allows the flow.

I don't understand why it takes 14 phases in packet tracer (4 of them being nat) when there's no natting involved.

Things that work:

-Nat from Inside host to outside (internet)

-ping from ASA to any internal subnet on inside interface (learned from EIGRP)

-have this command enabled: same-security-traffic permit intra-interface

-other subnets are reachable via inside interface

-nat (inside) 0 access-list nonat ~setup

-icmp is allowed through the firewall

What I'm trying to accomplish is, I want to be able to access all internal subnets from the ASA (besides ping).

I've attached the config and packet trace; if anyone could help, much appreciated.

-Fred

sachinraja Mon, 01/12/2009 - 17:18

Fred

I was going through your issue. I really don't get your setup. I can see from the config that you have an internal network 10.0.0.0/16 and an external IP x.x.x.x (public IP?).

I can also see a lot of nonat statements pointing to different subnets in the 10.x segment? Where are these connected? How's your LAN set up? PC connects to a layer 2 switch, and gateway directly to the ASA? How are the 10.1.x.x, 10.2.x.x segments connected? Through outside?

Raj

fredj1234 Tue, 01/13/2009 - 08:40

Raj,

I've attached a PDF I made in Visio to better explain my setup.

10.0.0.0/16 is the internal network.

x.x.x.x is the public IP address.

10.1.101.0, 10.1.x.x, 10.2.x.x, etc. are all internal subnets to the ASA. The ASA learns of all the 10.x.x.x LAN segments from an internal router through EIGRP. The PC connects directly to the L2 switch, and the PC GW is set directly to the ASA.

What I'm trying to do is get the PC (on 10.0.0.0/16) to be able to access other internal subnets learned by the ASA (through EIGRP), such as 10.1.101.0.

Currently, with nonat, I'm able to ping devices off the PC subnet (10.0.0.0/16), so PC 10.0.0.20 can ping 10.1.101.20, but cannot do anything else.

When I take the nonat statement out I can't ping from 10.0.0.20 to 10.1.101.20.
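As an added example (not part of Fred's posted config or of any reply in this thread), here is the ASA 8.0-style fragment that the "things that work" list above describes, written out with the addresses Fred gives (10.0.0.0/16 for the PC segment, 10.1.101.0/24 for the far subnet, 10.0.0.20 and 10.1.101.20 as the test hosts), followed by the commands a practitioner would use to check the flow from the ASA side. The ACL name `nonat`, the capture name `hp`, and the choice of RDP (tcp/3389) as the test port are assumptions for illustration; the router address and EIGRP details are left out because the thread does not give them.

```cisco
! Allow traffic to enter and leave the same interface (hairpinning on "inside").
same-security-traffic permit intra-interface

! Identity NAT: exempt PC-segment -> internal-subnet traffic from translation.
! Assumed ACL name "nonat"; the prefixes come from the thread.
access-list nonat extended permit ip 10.0.0.0 255.255.0.0 10.1.101.0 255.255.255.0
nat (inside) 0 access-list nonat

! Verification, run from the ASA.
! 1) Simulate the PC's first RDP packet. Note that packet-tracer only models the
!    injected packet in the forward direction; "allow" here proves policy, not
!    that the reply ever reaches the ASA.
packet-tracer input inside tcp 10.0.0.20 1025 10.1.101.20 3389

! 2) Capture both directions of the real flow on "inside" (assumed capture name "hp").
!    A capture that shows SYNs leaving but no SYN/ACK returning through the ASA
!    means the return path is bypassing the firewall, which breaks TCP state
!    tracking while stateless ICMP echo/reply still passes the ACLs.
capture hp interface inside match tcp host 10.0.0.20 host 10.1.101.20
show capture hp

! 3) Check whether a connection entry was ever built and why packets were dropped.
show conn address 10.0.0.20
show asp drop
```

When the capture shows only one half of the TCP exchange, the fix belongs to the routing design rather than to NAT: either the PC's default gateway points at the internal router (as in the Cisco configuration example Fred links to below) so the ASA is not in the path for internal-to-internal traffic, or the return traffic has to be forced back through the ASA so it sees both directions of every connection.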

fredj1234 Tue, 01/13/2009 - 11:19

I also came across this document. It's somewhat similar to my Visio PDF.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00804619d8.shtml#r1

I don't understand why the PC's default GW is pointing towards Router A instead of the PIX. Is this not possible? There's no reason explaining why the PC's default GW is pointing towards the router instead of the PIX.
