ASA5505- PAT

Answered Question
Apr 6th, 2009

Hi,


We are replacing a PIX 501 with an ASA 5505. We are able to get the L2L VPN up but not the Internet access. When we try to add the NAT (Inside) x statement, the firewall gives a warning message saying the outside command is missing. But if we add the Outside command to the end of the NAT statement, we lose the L2L VPNs but Internet access works. Below is the config:


global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0


Below are the warning messages:

WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
*** Output from config line 94, "nat (inside) 1 0.0.0.0 0...


We have tried 2 different IOS


!

Cisco Adaptive Security Appliance Software Version 8.0(4) and Version 7.2.4.9



thanks in advance for the help.


sykesemea Mon, 04/06/2009 - 01:03

Hello there,


Yes, we have configured this correctly and here is the config. I guess there is no issue with that, as my site-to-site VPNs are working.


interface Vlan1
 description Inside
 nameif inside
 security-level 0
 ip address 172.x.x.x 255.255.255.0
!
interface Vlan2
 description outside
 nameif outside
 security-level 100
 ip address 195.x.x.x 255.255.255.248
!
interface Ethernet0/0
 description outside
 switchport access vlan 2
!
interface Ethernet0/1
 description inside
 speed 100
 duplex full

sykesemea Mon, 04/06/2009 - 01:15

We have only 1 IP for this connection and won't be able to try this.

sykesemea Mon, 04/06/2009 - 01:43

Hi Andrew,


Sorry for confusion, this is a xDSL link and we have only Static IP.

sykesemea Mon, 04/06/2009 - 02:06

We already have the PIX501 working with this setup and I am not sure why the ASA is not working with the global (outside) 1 interface.

Here is sh ver


Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(3)

Compiled on Thu 07-Aug-08 20:53 by builders
System image file is "disk0:/asa804-k8.bin"
Config file at boot was "startup-config"

defraasa01 up 2 days 18 hours

Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Int: Internal-Data0/0 : address is 0024.97b1.e40a, irq 11
1: Ext: Ethernet0/0 : address is 0024.97b1.e402, irq 255
2: Ext: Ethernet0/1 : address is 0024.97b1.e403, irq 255
3: Ext: Ethernet0/2 : address is 0024.97b1.e404, irq 255
4: Ext: Ethernet0/3 : address is 0024.97b1.e405, irq 255
5: Ext: Ethernet0/4 : address is 0024.97b1.e406, irq 255
6: Ext: Ethernet0/5 : address is 0024.97b1.e407, irq 255
7: Ext: Ethernet0/6 : address is 0024.97b1.e408, irq 255
8: Ext: Ethernet0/7 : address is 0024.97b1.e409, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 10
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions : 2

This platform has a Base license.

sykesemea Mon, 04/06/2009 - 02:35

Hi,


I don't have this ASA in production right now as we had this issue. During the testing, we have only 2 hosts in the network. When licenses get over, translation won't happen?

FYI, our current PIX also has only a 10 host license and all is working.

Do the PIX and ASA work differently in terms of license?

We have ordered a 50 hosts license for this and will be getting it soon.


Regards,

Venky

Correct Answer
UCcomp2007 Mon, 04/06/2009 - 03:47

Unless you made an error when you pasted the config into this forum, you need to set your security-level for the outside interface to 0 and the inside security-level to 100. Your above message showed outside at 100 and inside at 0.
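
The check from the accepted answer, written as a small config linter. This is an added example, not part of the original thread or any Cisco tool. It flags a pre-8.3 style `nat`/`global` pair whose real interface has a security-level no higher than the mapped interface. The sample config is constructed from the lines posted above, and the function names are hypothetical.

```python
import re

# Constructed sample: interface stanzas and NAT lines as posted in the thread,
# with the security levels exactly as the poster showed them.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 0
!
interface Vlan2
 nameif outside
 security-level 100
!
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
"""

def parse_levels(config):
    """Map each nameif to the security-level set in its interface stanza."""
    levels, name = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            name = None  # new stanza, forget the previous nameif
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("security-level ") and name:
            levels[name] = int(line.split()[1])
    return levels

def check_dynamic_nat(config):
    """Return (real_if, level, mapped_if, level) for each inverted nat/global pair."""
    levels = parse_levels(config)
    globals_ = re.findall(r"^global \((\S+)\) (\d+) ", config, re.M)
    nats = re.findall(r"^nat \((\S+)\) (\d+) (.*)$", config, re.M)
    findings = []
    for real_if, nat_id, rest in nats:
        if nat_id == "0" or "outside" in rest.split():
            continue  # NAT exemption (id 0) or explicit outside NAT: not checked here
        for mapped_if, gid in globals_:
            if gid != nat_id or real_if not in levels or mapped_if not in levels:
                continue
            if levels[real_if] <= levels[mapped_if]:
                findings.append((real_if, levels[real_if], mapped_if, levels[mapped_if]))
    return findings

if __name__ == "__main__":
    for real_if, rl, mapped_if, ml in check_dynamic_nat(SAMPLE_CONFIG):
        print(f"nat ({real_if}) level {rl} is not above global ({mapped_if}) level {ml}")
```

With the levels swapped as the answer recommends (inside 100, outside 0), the function returns no findings.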
