ASA as a GW for PC, route/nat problem

Jan 12th, 2009


I'm using ASA5510 ver8.0(3), still having trouble with the routing. Sorry to keep reposting on same topic, I thought I had it resolved....

From PC (GW pointing to ASA) I'm able to ping all Network devices and servers with the nonat ACL setup. I just can't do anything other than ping. RDP, telnet, ssh, smtp any port I try to use on an alternate subnet fails.

Even when I try packet-trace command from ASA it allows the flow.

I don't understand why it takes 14 phases in packet tracer (4 of them being nat) when there's no natting involved.

Things that work:

-Nat from Inside host to outside (internet)

-ping from ASA to any internal subnet on inside interface (learned from EIGRP)

-have this command enabled: same-security-traffic permit intra-interface

-other subnets are reachable via inside interface

-nat (inside) 0 acess-list nonat ~setup

-icmp is allowed through the firewall

What I'm trying to accomplish is, I want to be able to access all internal subnets from ASA (besides ping).

I've attached config and packet trace, if anyone could help much appreciated.


sachinraja Mon, 01/12/2009 - 17:18


I was going through your issue.. I really dont get your setup.. I can see , from config that u have an internal network and an extrnal IP x.x.x.x (public IP ?)

I can also see a lot of nonat statements pointing to different subnets in 10.x segment ? where are thse connected ? hows ur lan setup ? PC connects to layer 2 switch, and gateway directly to ASA ? how is the 10.1.x.x, 10.2.x.x segments connected ? through outside ?


fredj1234 Tue, 01/13/2009 - 08:40


I've attached a PDF I made in visio, to better explain my setup. is internal network.

x.x.x.x is public IP address., 10.1.x.x, 10.2.x.x, etc are all internal subnets to the ASA. The ASA learns of all the 10.x.x.x LAN segments from an internal router through EIGRP. PC connects directly to L2 switch, and PC GW is set directly to ASA.

What I'm trying to do is be able to get the PC(on to be able to access other internal subnets learned by ASA (through EIGRP) such as

Currently, with nonat, I'm able to ping devices off the PC subnet( so PC can ping, but cannot do anything else.

When I take the nonat statment out I can't ping from to

fredj1234 Tue, 01/13/2009 - 11:19

I also came across this document. It's somewhat similar to my visio pdf.

I don't understand why the PC's default gw is pointing towards routerA instead of the PIX. Is this not possible?? There's no reason explaining why the PC's default gw is pointing towards the router instead of the PIX.


This Discussion