11-28-2011 01:51 PM - edited 03-11-2019 02:56 PM
I am trying to make a basic config on my 5520. The first goal is to make traffic from inside to outside.
The internet address is 64.28.29.200 and the default internet gw is 64.28.20.193
What am I missing, since I cannot get traffic from inside to the internet?
Any help would be appreciated!
ASA Version 8.2(5)
!
hostname asatest
domain-name test.net
enable password xxx
passwd xxx
names
dns-guard
!
interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address 64.28.29.200 255.255.255.240
!
interface GigabitEthernet0/1
nameif Inside
security-level 100
ip address 10.59.64.50 255.255.255.0
boot system disk0:/asa825-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name test.net
access-list outside_acl extended permit icmp any any
access-list inside_acl extended permit ip any any
global (Outside) 1 64.28.29.202
nat (Inside) 1 0.0.0.0 0.0.0.0
access-group outside_acl in interface Outside
access-group inside_acl in interface Inside
route Outside 0.0.0.0 0.0.0.0 64.28.29.193 1
11-28-2011 02:01 PM
The first issue that I notice is this
access-group outside_acl in interface Outside
access-list outside_acl extended permit icmp any any
So you are not allowing anything but ICMP inbound on the outside interface. That makes it very difficult for things like DNS to work, which then impacts many other things that depend on DNS.
HTH
Rick
11-30-2011 06:26 AM
I tried to add
access-list outside_acl extended permit ip any any
but this did not help.
11-30-2011 06:59 AM
Hi,
access-list outside_acl extended permit icmp any any
access-list inside_acl extended permit ip any any
global (Outside) 1 64.28.29.202
nat (Inside) 1 0.0.0.0 0.0.0.0
access-group outside_acl in interface Outside
access-group inside_acl in interface Inside
route Outside 0.0.0.0 0.0.0.0 64.28.29.193 1
1) remove both ACLs and the access-group commands
2) change the global (Outside) command to global (Outside) 1 interface
3) enable ICMP inspection:
policy-map global_policy
class inspection_default
inspect icmp
Regards.
Alain
12-01-2011 05:31 AM
Thank you for your suggestions.
I got the following error messages while configuring:
asatest(config)# policy-map global_policy
asatest(config-pmap)# class inspection_default
ERROR: % class-map inspection_default not configured
asatest(config-pmap)# inspect icmp
^
ERROR: % Invalid input detected at '^' marker.
The changes did not seem to solve my problem.
Regards,
Torleif
12-01-2011 05:41 AM
Hi,
post entire config.
can you ping your internet gateway from inside ?
Regards.
Alain
12-01-2011 10:31 AM
Hi,
For a basic config, as Rich and Alain mentioned, remove the ACLs. Once web access works, you can add additional security.
Also, if you see no issues in reaching the gateway, try using global (Outside) 1 interface. See if that works.
Thx
MS
12-02-2011 12:08 AM
From the inside network I am only able to ping the inside interface. I am not able to ping the outside interface nor the outside gateway from the inside.
Here comes the entire config.
Thx for your help.
Regards,
Torleif
ASA Version 8.4(2)
!
hostname asatest
domain-name test.net
enable password xxx encrypted
passwd xxx encrypted
names
dns-guard
!
interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address 64.28.29.200 255.255.255.240
!
interface GigabitEthernet0/1
nameif Inside
security-level 100
ip address 10.59.64.50 255.255.255.0
!
interface GigabitEthernet0/2
nameif DMZ
security-level 50
ip address 192.168.3.1 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 10.59.60.50 255.255.255.0
management-only
!
boot system disk0:/asa842-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name test.net
object network obj_any
subnet 0.0.0.0 0.0.0.0
access-list outside_acl extended permit icmp any any
access-list outside_acl extended permit ip any any
access-list inside_acl extended permit ip any any
pager lines 24
mtu Outside 1500
mtu Inside 1500
mtu DMZ 1500
mtu management 1500
no failover
failover polltime unit 15 holdtime 45
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-206.bin
no asdm history enable
arp timeout 14400
!
object network obj_any
nat (Inside,Outside) dynamic 64.28.29.202
access-group outside_acl in interface Outside
access-group inside_acl in interface Inside
route Outside 0.0.0.0 0.0.0.0 64.28.29.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.59.64.0 255.255.255.0 Inside
http 10.59.60.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http
https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:434092a6461c0571570d49af38b17c46
: end
asatest#
12-02-2011 12:56 AM
Hi,
Remove your inside ACL, it's not necessary. Then look at this:
interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address 64.28.29.200 255.255.255.240
object network obj_any
nat (Inside,Outside) dynamic 64.28.29.202
Try the nat (Inside,Outside) dynamic interface I suggested, remove the inside ACL, and then first try a ping to your gateway, then to 8.8.8.8, and then do the same from an inside host.
Regards.
Alain
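An added example, not from the thread: a small lint that checks a posted ASA config for the three points raised above (a PAT address other than the outside interface address, an inbound permit ip any any on the security-level-0 interface, and a default route next-hop that is not on the outside subnet). It only understands the 8.3+ object-NAT syntax; the excerpt is constructed from the 8.4(2) config in the thread, and the finding texts are the example's own wording.

```python
import ipaddress
import re

# Constructed excerpt modelled on the 8.4(2) config posted above (not the poster's full config).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 64.28.29.200 255.255.255.240
access-list outside_acl extended permit icmp any any
access-list outside_acl extended permit ip any any
access-group outside_acl in interface Outside
object network obj_any
 nat (Inside,Outside) dynamic 64.28.29.202
route Outside 0.0.0.0 0.0.0.0 64.28.29.193 1
"""

def parse_interfaces(cfg):
    """Map nameif -> {'addr': ip_interface, 'level': int} from the interface blocks."""
    ifaces, cur = {}, {}
    for s in map(str.strip, cfg.splitlines()):
        if s.startswith("nameif "):
            cur = ifaces.setdefault(s.split()[1], {})
        elif s.startswith("security-level "):
            cur["level"] = int(s.split()[1])
        elif s.startswith("ip address "):
            cur["addr"] = ipaddress.ip_interface("{}/{}".format(*s.split()[2:4]))
    return ifaces

def lint(cfg):
    """Findings for the PAT, inbound-ACL and default-route points raised in the thread."""
    ifaces, out = parse_interfaces(cfg), []
    # A PAT address other than the interface must lie in the egress subnet and be proxy-ARPed by the ASA.
    for ifname, mapped in re.findall(r"^\s*nat \(\w+,(\w+)\) dynamic (\S+)", cfg, re.M):
        egress = ifaces.get(ifname, {}).get("addr")
        if mapped != "interface" and egress is not None:
            where = "outside" if ipaddress.ip_address(mapped) not in egress.network else "not the address of"
            out.append(f"PAT address {mapped} is {where} {ifname} ({egress}); consider 'dynamic interface'")
    # Inbound 'permit ip any any' on a security-level-0 interface exposes everything behind it.
    for acl, ifname in re.findall(r"^access-group (\S+) in interface (\S+)", cfg, re.M):
        open_acl = re.search(rf"^access-list {acl} extended permit ip any any", cfg, re.M)
        if open_acl and ifaces.get(ifname, {}).get("level") == 0:
            out.append(f"ACL {acl} permits ip any any inbound on {ifname}")
    # The default route next-hop has to be on the egress interface's own subnet.
    for ifname, nh in re.findall(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", cfg, re.M):
        egress = ifaces.get(ifname, {}).get("addr")
        if egress and ipaddress.ip_address(nh) not in egress.network:
            out.append(f"default route next-hop {nh} is not in {ifname} subnet {egress.network}")
    return out
```

Running lint(SAMPLE_CONFIG) reports the non-interface PAT address and the open outside ACL; swapping in dynamic interface and dropping the permit ip any any line clears both.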
12-02-2011 01:21 AM
Thank you all for your suggestions and your time!
Alain's changes made this work!
Now I have a working config and can work on with my needs.
Torleif
12-02-2011 06:29 AM
Hi Alain / Rich,
Can you shed some light on why the ASA does not work when mapping a static IP (global (Outside) 1 x.x.x.x) compared to dynamic mapping with a public IP subnet /28? I had a similar issue previously on 8.0, and when I changed the config to global (Outside) 1 interface it worked fine.
The static ip mapping config worked fine for me with public subnets /24 and /27.
Thanks
Ms