default route inside outside - allow internet for inside hosts

Mar 20th, 2010

I'm frustrated that I'm not getting this working and I don't know why. I have created a default route (route outside 0 0 <outside gateway ip>) and I'm not able to connect to the internet from inside hosts. From the ASA I'm able to ping internet addresses.


I've played with NAT rules and ACLs but with no success. What is the right way to allow internet traffic if these are the interfaces:


interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.100.1 255.255.254.0


Here is a sh route:


C     10.10.10.0 255.255.255.0 is directly connected, outside
C     192.168.100.0 255.255.254.0 is directly connected, inside
S*    0.0.0.0 0.0.0.0 10.10.10.1, outside


Do I need a NAT rule or any ACLs? I have tried an ACL on the inside interface with any any IP traffic...?

Jennifer Halim Sat, 03/20/2010 - 00:58
User Badges: Cisco Employee

Both interfaces on this ASA are assigned private IP addresses, hence your next hop router should be doing the NAT to a public IP address.


Since the ASA can ping the internet, I assume that your router already has a NAT statement for the 10.10.10.0/24 subnet.


You can PAT everything from the ASA to the ASA interface as follows:


nat (inside) 1 0 0

global (outside) 1 interface


Your default gateway on the ASA should be configured with the router IP address:


route outside 0 0 <10.10.10.x>

thorstenn Sat, 03/20/2010 - 01:07

I've changed the outside IP here in the forum. Assuming this is my outside IP, 188.104.20.250, and this is the gateway for the outside IP, 188.104.20.254, then is this the right way to get it working?


route outside 0 0 188.104.20.254

nat (inside) 1 0 0

global (outside) 1 interface

Jennifer Halim Sat, 03/20/2010 - 01:35
User Badges: Cisco Employee

If you haven't configured any ACL that is applied to the inside interface, then no, you don't need any ACL.


"sh run access-group" will show you whether there is any ACL applied to any interface, and if there is none applied to the inside interface, then you don't need to configure any specific ACL. If you have applied an ACL on the inside interface, then you need to explicitly permit the internet traffic.

thorstenn Sat, 03/20/2010 - 03:57

I'm running ASA 8.3. These commands are not working.


ciscoasa(config)# nat (inside) 1 0 0
ERROR: This syntax of nat command has been deprecated.
Please refer to "help nat" command for more details.


ciscoasa(config)# global (outside) 1 interface
ERROR: This syntax of nat command has been deprecated.
Please refer to "help nat" command for more details.


What are the commands in ASA 8.3?

Jennifer Halim Sat, 03/20/2010 - 03:59
User Badges: Cisco Employee

:-)

object network obj_any
   subnet 0.0.0.0 0.0.0.0
   nat (inside,outside) dynamic interface

thorstenn Sat, 03/20/2010 - 04:11

Hmm, from outside I can reach 188.104.20.254 and 188.104.20.250, so the outside interface of the ASA is reachable.....


Something is blocking the traffic from inside to outside.... any suggestions?

thorstenn Sat, 03/20/2010 - 04:12

FYI, I have configured one access-group for an internal sub-interface....


Here it is:


access-group C3_access_in in interface C3
access-group global_access global

thorstenn Sat, 03/20/2010 - 04:22

Ah, I'm thinking it's working now. I can reach the GW 188.104.20.254 ..... but not the ASA outside interface 188.104.20.250 from inside. How can I change this?

Jennifer Halim Sat, 03/20/2010 - 05:11
User Badges: Cisco Employee

You won't be able to access the ASA outside interface from inside. It's not supported. From inside, you can only access the inside interface of the ASA.

Is your internal network able to access the Internet now?

You mention you have an access-group assigned to the internal interface; are you allowing traffic to the internet?

thorstenn Sat, 03/20/2010 - 08:00

Yes, now it's working. But now NO NAT rule is working. Wuaha... any quick suggestion? It's important, for now I'm running out of time.

I have many NAT rules for different clients inside and on subinterfaces..... nothing is working... ;(


OK, we have two external IP ranges. The first IP of one range is configured on the outside interface. The second range is routed over this range by the ISP. How can I use both IPs on the outside interface?


If the range is not routed over the other range, how could I use these IPs? It worked before on another firewall, so I think it should be working on the ASA too. On the other firewall we created "aliases" on the outside interface from the other IP range.... how does this work on the ASA?

Jennifer Halim Sat, 03/20/2010 - 16:55
User Badges: Cisco Employee

NO NAT:

- Create 2 objects, source and destination object

- Create the NAT rule from high security level to low security level

Eg: inside - 10.10.10.0/24, ip pool: 192.168.10.0/24

NO NAT rule:

object network obj-10.10.10.0
     subnet 10.10.10.0 255.255.255.0

object network obj-192.168.10.0
     subnet 192.168.10.0 255.255.255.0

nat (inside,outside) source static obj-10.10.10.0 obj-10.10.10.0 destination static obj-192.168.10.0 obj-192.168.10.0



With 2 public ip addresses ranges, eg: outside ASA is configured with ISP 1 range, you can route the public range from ISP 2 towards the ASA outside interface on the router in front of the ASA.
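To see why the identity (NO NAT) rule above and the earlier obj_any PAT rule can coexist without the pool traffic being PATed, the following added example (not from the thread or from Cisco) models ASA 8.3 NAT lookup order: twice NAT (section 1) is checked before object NAT (section 2). It parses a constructed config combining both rules from the thread and assumes the outside interface address 188.104.20.250 quoted earlier; only the identity and dynamic-interface forms seen here are modelled.

```python
import ipaddress

# Constructed sample: the thread's ASA 8.3 object NAT (PAT to the outside interface) plus
# the identity "NO NAT" twice-NAT rule from the last reply, assumed to live on one ASA.
ASA_CONFIG = """
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
object network obj-10.10.10.0
 subnet 10.10.10.0 255.255.255.0
object network obj-192.168.10.0
 subnet 192.168.10.0 255.255.255.0
nat (inside,outside) source static obj-10.10.10.0 obj-10.10.10.0 destination static obj-192.168.10.0 obj-192.168.10.0
"""

def parse(config):
    """Collect network objects, section-1 twice-NAT rules and section-2 object NAT rules."""
    objects, twice_nat, object_nat, current = {}, [], [], None
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[:2] == ["object", "network"]:
            current = tok[2]
        elif tok[0] == "subnet" and current:
            objects[current] = ipaddress.ip_network(f"{tok[1]}/{tok[2]}")
        elif tok[0] == "nat" and tok[2] == "source":
            # nat (in,out) source static REAL MAPPED destination static REAL MAPPED
            twice_nat.append((tok[4], tok[5], tok[8], tok[9]))
        elif tok[0] == "nat" and tok[2] == "dynamic" and current:
            object_nat.append((current, tok[3]))  # e.g. ("obj_any", "interface")
    return objects, twice_nat, object_nat

def translate(src, dst, objects, twice_nat, object_nat, outside_ip="188.104.20.250"):
    """Return (mapped source, matching rule) in ASA 8.3 order: twice NAT first, then object NAT."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for real_src, mapped_src, real_dst, mapped_dst in twice_nat:
        if s in objects[real_src] and d in objects[real_dst]:
            # identity rule: real and mapped objects are the same, so the source is untouched
            return (src if real_src == mapped_src else mapped_src), "twice-nat"
    for name, mapped in object_nat:
        if s in objects[name]:
            return (outside_ip if mapped == "interface" else mapped), f"object-nat:{name}"
    return src, "untranslated"

OBJECTS, TWICE, OBJ = parse(ASA_CONFIG)

if __name__ == "__main__":
    for src, dst in [("10.10.10.5", "192.168.10.7"), ("10.10.10.5", "198.51.100.10")]:
        print(src, "->", dst, translate(src, dst, OBJECTS, TWICE, OBJ))
```

Traffic from 10.10.10.0/24 to the 192.168.10.0/24 pool keeps its real source, while anything else from inside is PATed to the outside interface address, which is the behaviour the two rules together are meant to produce.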
