Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
559
Views
2
Helpful
3
Replies

ASA as a GW for PC, route/nat problem

fredj1234
Level 1
Level 1

‎01-12-2009 04:38 PM - edited ‎03-11-2019 07:36 AM

Hi,

I'm using ASA5510 ver8.0(3), still having trouble with the routing. Sorry to keep reposting on same topic, I thought I had it resolved....

From PC (GW pointing to ASA) I'm able to ping all Network devices and servers with the nonat ACL setup. I just can't do anything other than ping. RDP, telnet, ssh, smtp any port I try to use on an alternate subnet fails.

Even when I try packet-trace command from ASA it allows the flow.

I don't understand why it takes 14 phases in packet tracer (4 of them being nat) when there's no natting involved.

Things that work:

-Nat from Inside host to outside (internet)

-ping from ASA to any internal subnet on inside interface (learned from EIGRP)

-have this command enabled: same-security-traffic permit intra-interface

-other subnets are reachable via inside interface

-nat (inside) 0 acess-list nonat ~setup

-icmp is allowed through the firewall

What I'm trying to accomplish is, I want to be able to access all internal subnets from ASA (besides ping).

I've attached config and packet trace, if anyone could help much appreciated.

-Fred

Labels:
Preview file
9 KB
0 Helpful
3 Replies 3

sachinraja
Level 9
Level 9

‎01-12-2009 05:18 PM

Fred

I was going through your issue.. I really dont get your setup.. I can see , from config that u have an internal network 10.0.0.0/16 and an extrnal IP x.x.x.x (public IP ?)

I can also see a lot of nonat statements pointing to different subnets in 10.x segment ? where are thse connected ? hows ur lan setup ? PC connects to layer 2 switch, and gateway directly to ASA ? how is the 10.1.x.x, 10.2.x.x segments connected ? through outside ?

Raj

fredj1234
Level 1
Level 1
In response to sachinraja

‎01-13-2009 08:40 AM

Raj,

I've attached a PDF I made in visio, to better explain my setup.

10.0.0.0/16 is internal network.

x.x.x.x is public IP address.

10.1.101.0, 10.1.x.x, 10.2.x.x, etc are all internal subnets to the ASA. The ASA learns of all the 10.x.x.x LAN segments from an internal router through EIGRP. PC connects directly to L2 switch, and PC GW is set directly to ASA.

What I'm trying to do is be able to get the PC(on 10.0.0.0/16) to be able to access other internal subnets learned by ASA (through EIGRP) such as 10.1.101.0.

Currently, with nonat, I'm able to ping devices off the PC subnet(10.0.0.0/16) so PC 10.0.0.20 can ping 10.1.101.20, but cannot do anything else.

When I take the nonat statment out I can't ping from 10.0.0.20 to 10.1.101.20.

Preview file
46 KB
0 Helpful

fredj1234
Level 1
Level 1
In response to fredj1234

‎01-13-2009 11:19 AM

I also came across this document. It's somewhat similar to my visio pdf.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00804619d8.shtml#r1

I don't understand why the PC's default gw is pointing towards routerA instead of the PIX. Is this not possible?? There's no reason explaining why the PC's default gw is pointing towards the router instead of the PIX.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card