ASA simple routing problem

Answered Question
Jan 14th, 2009


I'm sure, the problem is not a big one, however I'm stuck for now.

I managed to configure an ASA 5505 under home circumstances, with ADSL internet connection. All went smooth, I could rease the internet, and could reach the device from the internet.

The device is deployed now in a server park, with internet connection through a fixed IP and the first hop is a switch of the ISP.

The other side is a small LAN.

I can remotely manage the device, even port forwarding works to LAN, however there is no LAN communication with the WAN. I cannot ping and/or reach anything outside.

I added one static route on the outside, pointing to my ISP switch.

On the LAN I gave the inside leg of the ASA as the default gateway.

Could someone give me some clue where to proceed?

Thank you in advance!

I have this problem too.
0 votes
Correct Answer by Pravin Phadte about 7 years 9 months ago


Do u have nat configured ?

if configs provided it would be better to guide you.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Correct Answer
Pravin Phadte Wed, 01/14/2009 - 03:11


Do u have nat configured ?

if configs provided it would be better to guide you.


janos.csaszar Wed, 01/14/2009 - 03:46


Thank you for your reply!

You should be right.

In the meantime I started to compare the old "working" config and the live one, and realized, that I miss natting.

I will make a try late during the night and will notify.

Thanks again!

Pravin Phadte Wed, 01/14/2009 - 03:49

These are the configs you should be looking at

access-list NoNAT extended permit ip

nat (inside) 0 access-list NoNAT

global (outside) 1 interface

nat (inside) 1

Hope this helps

janos.csaszar Wed, 01/14/2009 - 03:57


I have only the global line, but the working only had the nat line, nothing else.

Do I really need the above 2, you mentioned?

If so, which IP and mask - IP and mask do I need?

Thanks again!

Tshi M Wed, 01/14/2009 - 05:52

Could you please post your ASA configuration? you can alter some information such as public IP addresses and so on.


Pravin Phadte Wed, 01/14/2009 - 05:59

interface Vlan1

nameif inside

security-level 100

ip address

no shutdown


interface Vlan2

nameif outside

security-level 0

ip address

no shutdown


interface Ethernet0/0

switchport access vlan 2

no shutdown


interface Ethernet0/1

switchport access vlan 1

no shutdown


management-access inside


! Default route to the provider

route outside 1


! ASDM access

asdm image disk0:/asdm-611.bin

asdm history enable



! NAT Translation for Internet access

global (outside) 1 interface

nat (inside) 1


! NAT Exempt configuration

access-list nonat_acl extended permit ip any

nat (inside) 0 access-list nonat_acl


! Specification on what to encrypt

access-list outside_100_cryptomap extended permit ip


crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400


crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac


crypto map outside_map 100 match address outside_100_cryptomap

crypto map outside_map 100 set peer

crypto map outside_map 100 set pfs

crypto map outside_map 100 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside


tunnel-group type ipsec-l2l

tunnel-group ipsec-attributes

pre-shared-key testtest

hope this helps

Tshi M Wed, 01/14/2009 - 06:16

the nat(inside)1 should work. Just to narrow this, I would first change the nat (inside)1 to the inside address. Such as

nat (inside)1

Also you might to enable logging so that you can see what is taking placing.

Tshi M Wed, 01/14/2009 - 06:28

yes, it will but you want to find out why the internal LAN is being blocked. I don't see a route inside command in your config so I only can assume that the inside is on the same subnet as the VLAN1 address.

Enable loggin to see why the traffic is being denied. You can use ASDM as well.

Tshi M Wed, 01/14/2009 - 06:35

Hi Pravinxyz,

I totally agree with you. I actually thaught the posting was from the original poster, I didn't realize it was you replying :-)

janos.csaszar Wed, 01/14/2009 - 06:55


It is my pleasure to let you know, that I inserted the single NAT line, and can reach WAN.

Thank you! You saved my day.

Tshi M Thu, 01/15/2009 - 04:51

Good to hear that you are up and running. Which NAT command did you use?

ramnet communic... Wed, 01/14/2009 - 22:04

hi sure,

Iam hari, can u send to me the show tech report of asa 5505, or please add icmp echo-reply commands. then u reach from outside.




This Discussion