876 Router Allow trafic

Unanswered Question
Nov 8th, 2014

Hello, 

I have a couple of questions, as I'm a complete rookie on this.

I have an 876 DSL router with IP address 10.10.10.1 and I need to allow all traffic to an ASA 5505 with IP address 192.168.1.1, which is also my default gateway. I am quite confused with the NAT statements.

I have a public IP (from ISP) of (example) 200.158.3.74

What is the NAT statement I should perform on the router?

b) Should I apply the same translation on my ASA 5505? And do I have to create a dynamic NAT rule on the ASA to allow all the traffic from the router?

Your help is appreciated, thanks in advance 

John Blakley Sat, 11/08/2014 - 05:20

Can you draw up a diagram about how you're laid out? From your description, the ASA and router don't share a common subnet, so we'll need to know how they're connecting. What do you want to put the public address on - the router or ASA? You would only nat on the one that's in front of your network and connects to the ISP...

HTH,

John

koliasexpo Sat, 11/08/2014 - 05:36

I will draw a diagram; in the meantime I can post a show run of my router and give you more helpful info.

The connection goes like >>Router 876 10.10.10.1 255.255.255.248 >>ASA5505 (vlan2) name if inside 10.10.10.2 255.255.255.248 (vlan1 name if outside 192.168.1.1) >>Webserver 192.168.1.20 255.255.255.0 

The public IP address should be on the router 876 correct?

koliasexpo Sat, 11/08/2014 - 05:42
-------------------------------------------
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.10.3 10.10.10.6
!
ip dhcp pool sdm-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1
   dns-server 195.170.0.1 195.170.2.2
   lease 0 2
!
!
ip domain name myname
ip name-server 195.170.0.x
ip name-server 195.170.x.x
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp policy 11
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 12
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key !!xxx!QAZ2xxx address 69.17.
crypto isakmp key #xxx3!QAZxxx address 231.137.
crypto isakmp key Gxxx3!QAZxxx address 41.162.
!
crypto isakmp client configuration group xd
 key xd##
 pool SDM_POOL_1
 acl 100
 save-password
 pfs
 max-users 2
 max-logins 2
 netmask 255.255.255.0
 banner ^CWelcome To Cisco VPN            ^C
crypto isakmp profile sdm-ike-profile-1
   match identity group xxxxxxx
   client authentication list sdm_vpn_xauth_ml_3
   isakmp authorization list sdm_vpn_group_ml_3
   client configuration address respond
   virtual-template 4
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-md5-hmac
crypto ipsec transform-set vpn esp-aes esp-md5-hmac
crypto ipsec transform-set vpn1 esp-3des esp-md5-hmac
crypto ipsec transform-set vpn2 esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set security-association lifetime seconds 3600
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1
!
!
crypto map vpn 10 ipsec-isakmp
 ! Incomplete
 set peer 41.162.xx.xxx
 set transform-set vpn
 match address 110
crypto map vpn 11 ipsec-isakmp
 ! Incomplete
 set peer 69.17.xxx.xxx
 set transform-set vpn1
 match address 111
crypto map vpn 12 ipsec-isakmp
 ! Incomplete
 set peer 231.xxx.0.xxx
 set transform-set vpn2
 match address 112
!
crypto ctcp port 10000
archive
 log config
  hidekeys
!
!
!
!
!
interface Loopback1
 ip address 172.16.1.1 255.255.255.0
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $ES_WAN$
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
 description broadband internet
!
interface FastEthernet1
!
interface FastEthernet2
 description Broadband Internet
!
interface FastEthernet3
!
interface Virtual-Template4 type tunnel
 ip unnumbered Loopback1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
 description $ETH-SW-xxxxxxxxx-INFO-HWIC 4ESW$
 ip address 10.10.10.1 255.255.255.248
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname [email protected]
 ppp chap password x
 ppp pap sent-username [email protected] password x
ip local pool SDM_POOL_1 172.16.x.xxx 172.16.x.xxx
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.1.1.0 255.255.255.0 10.10.10.2 name Inside
ip route 10.1.10.0 255.255.255.0 10.10.10.2 name Inside
ip route 192.168.1.0 255.255.255.0 10.10.10.2 name Inside
!
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 10.10.10.3 3000 interface Dialer0 3000
ip nat inside source static tcp 10.10.10.3 110 interface Dialer0 110
ip nat inside source static tcp 10.10.10.3 25 interface Dialer0 25
ip nat inside source static tcp 10.10.10.3 3389 interface Dialer0 30xx
ip nat inside source static tcp 10.10.10.3 143 interface Dialer0 1xx
ip nat inside source static tcp 10.10.10.3 1000 interface Dialer0 10xx
ip nat inside source static tcp 10.10.10.2 22 interface Dialer0 22xx
ip nat inside source static esp 10.10.10.2 interface Dialer0
ip nat inside source static udp 10.10.10.2 500 interface Dialer0 50xx
ip nat inside source static tcp 10.10.10.2 500 interface Dialer0 50xx
ip nat inside source static tcp 10.10.10.2 10000 interface Dialer0 100x
ip nat inside source static udp 10.10.10.2 4500 interface Dialer0 4500x
ip nat inside source static udp 10.10.10.2 10000 interface Dialer0 100x
ip nat inside source static udp 10.10.10.2 1701 interface Dialer0 1701x
ip nat inside source list 102 interface Dialer0 overload
ip nat inside source static tcp 10.10.10.3 389 interface Dialer0 389
ip nat inside source static 10.10.10.1 192.168.1.1
!
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=2
access-list 102 permit ip 10.10.10.0 0.0.0.7 any
dialer-list 1 protocol ip permit
no cdp run
!
!
route-map staticNAT permit 10
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
end
John Blakley Sat, 11/08/2014 - 06:04

From your description, you already have an established connection. I'm not sure how you have your ASA configured, but from the look of your diagram above, it seems like you'd need to allow the 192.168.1.0/24 subnet to nat and that's it:

ip nat inside source list 102 interface Dialer0 overload

Change the 102 acl to add the 192.168.1.0/24 subnet. The IP address would go on the Dialer0 interface instead of dhcp. You don't want/need to nat between the ASA and router. You just need to nat your private addresses out of the router that leads to the ISP.

*Edit*

You'll also need to add "ip nat inside" to interface vlan1 on the router. I also noticed that you have a couple more subnets based on the static routes that you have. If you want them to have internet access, they'll need to be added to the 102 acl as well...

HTH,

John

koliasexpo Sat, 11/08/2014 - 06:11

Ok, you are no 1 and thank you!

As I am a rookie, can I post you a show run of my ASA, so you could tell me if maybe it's the ASA causing the disconnection and not the router?

John Blakley Sat, 11/08/2014 - 06:33

You're welcome! Sure you can....what's the actual problem? You said something is causing a disconnection? Is it the internet that's disconnecting?

koliasexpo Sat, 11/08/2014 - 07:34

Sorry it took that long to reply.

Yes, there is no connection to the internet, even though if I connect the router online (now I had to temporarily change it with an industrial one until I find what's wrong) I can RDP to the server and from there PuTTY to the router. So I started looking into the ASA 5505 for rules that deny traffic from the router. When I was looking in the status monitor I had messages like

"Deny udp src outside: dst inside: by access-group "outside_access_in"

and many similar (I don't have the log in front of me, but I can get it as soon as I go home).

I am not that familiar with the CLI so I use ASDM (my first interaction with it was two weeks ago).

I am not a total rookie as I understand some basic things, but this has turned out to be a real nightmare as I don't know where to start from.

I am posting you a show run of the 5505 and I hope for the best.

John Blakley Sat, 11/08/2014 - 07:48

Okay...do you get on the internet when the ASA is not in place? Is the ASA a new addition to your network? I'd have to see the running config on the ASA, but generally you have to run inspects on the ASA in order to allow return traffic back into the network unless you want to use ACLs on the outside interface.

I'm a little confused still about the problem. You said you don't have internet access, but in your original post, you were more concerned about NAT. What device does your ISP connect to directly? Is that the router or the ASA?

koliasexpo Sat, 11/08/2014 - 07:51
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.10.10.2 255.255.255.248
!
interface Vlan3
 shutdown
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
boot system disk0:/asa823-k8.bin
boot system disk0:/asa724-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name xxxxxx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group icmp-type PING
 description PING
 icmp-object echo
 icmp-object echo-reply
object-group network VPN_Users
 description VPN_Users
 network-object host 172.16.1.101
 network-object host 172.16.1.102
object-group service msrd tcp
 description miscrosoft remote desktop
 port-object eq 3389
object-group service LifeS
 description LifeS
 service-object tcp range 60000 60001
 service-object tcp eq h323
 service-object udp range 60000 60007
object-group network DTT
 network-object host 192.168.1.120
object-group service Dt1 tcp
 port-object eq 2222
 port-object eq 8096
 port-object eq 8098
 port-object eq 8099
 port-object eq 8100
 port-object eq 8101
 port-object eq 8200
 port-object eq 8983
 port-object eq 9999
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list inside_nat_static extended permit tcp host 192.168.1.10 eq 3000 interface outside
access-list outside_access_in remark === Mimecast to Exchange ===
access-list outside_access_in extended permit tcp xx.xxx.3xxx.xxx 255.255.255.224 host 10.10.10.3 eq smtp
access-list outside_access_in extended permit tcp xxx.2xx.1xx.xxx 255.255.255.240 host 10.10.10.3 eq smtp
access-list outside_access_in extended permit tcp xxx.xxx.xxx.xxx 255.255.255.224 host 10.10.10.3 eq smtp
access-list outside_access_in extended permit tcp xxx.2xx.1xx.9xxx 255.255.255.240 host 10.10.10.3 eq smtp
access-list outside_access_in extended permit tcp xxx.xxx.xx.xx 255.255.255.248 host 10.10.10.3 eq smtp
access-list outside_access_in extended permit tcp xxx1.1xx.2xx 255.255.255.248 host 10.10.10.3 eq pop3
access-list outside_access_in extended permit tcp 41.2xx.xx.xxx 255.255.255.240 host 10.10.10.3 eq pop3
access-list outside_access_in extended permit tcp 4xx.xxx.xxx.1xx 255.255.255.224 host 10.10.10.3 eq pop3
access-list outside_access_in extended permit tcp 4x.xxx.1x.1xx 255.255.255.240 host 10.10.10.3 eq pop3
access-list outside_access_in extended permit tcp 4x.xx.3x.1xx 255.255.255.224 host 10.10.10.3 eq pop3
access-list outside_access_in extended permit tcp host 195.10.102.194 host 10.10.10.3 eq ldap
access-list outside_access_in extended permit tcp xxx.xxx.xxx.xxx 255.255.255.248 host 10.10.10.3 eq ldap
access-list outside_access_in extended permit tcp 4x.xxx.xx.9xx 255.255.255.240 host 10.10.10.3 eq ldap
access-list outside_access_in extended permit tcp 4x.xxx.xxx.xxx 255.255.255.224 host 10.10.10.3 eq ldap
access-list outside_access_in extended permit tcp xxx.2xx.1xx.1xx 255.255.255.240 host 10.10.10.3 eq ldap
access-list outside_access_in extended permit tcp 4x.2xx.3x.1xx 255.255.255.224 host 10.10.10.3 eq ldap
access-list outside_access_in extended permit tcp object-group VPN_Users host 10.10.10.5 eq 3389
access-list outside_access_in extended permit tcp object-group VPN_Users host 10.10.10.4 eq 3389
access-list outside_access_in extended permit tcp object-group VPN_Users host 10.10.10.3 eq 3389
access-list outside_access_in extended permit tcp any host 10.10.10.3 eq imap4
access-list outside_access_in extended permit tcp any host 10.10.10.3 eq 3000
access-list outside_access_in extended permit tcp any host 10.10.10.3 eq smtp
access-list outside_access_in extended permit tcp any host 10.10.10.3 eq pop3
access-list outside_access_in extended permit object-group LifeS any any
access-list outside_access_in extended permit tcp host 8x.2xx.4x.2xx any eq 3389
access-list outside_access_in extended permit tcp host 1xx.1x.1xx.1x any eq 3389
access-list outside_access_in remark === Telnet access from router to internal switches ===
access-list outside_access_in extended permit ip host 10.10.10.1 host 192.168.1.2
access-list outside_access_in extended permit tcp host xx.1xx.xx.xxx any eq 3389
access-list outside_access_in extended permit tcp host xx.1xx.xxx.xxx any eq 3389
access-list outside_access_in extended permit tcp host xxx.xxx.xxx.xxx any eq 3389
access-list outside_access_in extended permit tcp host xxx.1xx.xx.xxx any eq 3389
access-list outside_access_in extended permit ip host 192.168.1.10 any
access-list outside_access_in extended permit tcp any host 192.168.1.2 eq www
access-list inside_nat_static_1 extended permit tcp host 192.168.1.10 eq pop3 in                                                                             terface outside
access-list inside_nat_static_2 extended permit tcp host 192.168.1.10 eq smtp interface outside
access-list inside_nat_static_3 extended permit tcp host 192.168.1.10 eq 3389 interface outside
access-list inside_nat_static_4 extended permit tcp host 192.168.1.10 eq imap4 interface outside
access-list inside_nat_static_5 extended permit tcp host 192.168.1.103 eq 3389 interface outside
access-list nonat remark === VPN no nat to IOM ===
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 192.168.104.0 255.255.255.0
access-list nonat remark === Telnet access from router to internal switches ===
access-list nonat extended permit ip host 192.168.1.2 host 10.10.10.1
access-list nonat remark === VPN no nat to ath ===
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list nonat remark === VPN no nat to IOM ===
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 172.16.105.0 255.255.255.0
access-list nonat extended permit ip any host 10.10.10.1
access-list outside_3_cryptomap remark === VPN tunnel to at ===
access-list outside_3_cryptomap extended permit ip 192.168.1.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 10.1.1.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list outside_1_cryptomap remark === VPN tunnel to at ===
access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list inside_nat_static_6 extended permit tcp host 192.168.1.101 eq 3389 interface outside
access-list outside_2_cryptomap remark === VPN tunnel to IOM ===
access-list outside_2_cryptomap extended permit ip 10.1.1.0 255.255.255.0 172.16.105.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.1.1.0 255.255.255.0 192.168.104.0 255.255.255.0
access-list inside_access_out remark === Exchange to software ===
access-list inside_access_out extended permit tcp host 192.168.1.10 xxx.xx.xxx.xxx 255.255.255.248 eq smtp
access-list inside_access_out extended permit tcp host 192.168.1.10 xxx.xxx.xx.xx 255.255.255.240 eq smtp
access-list inside_access_out extended permit tcp host 192.168.1.10 xxx.xxx.xxx.xxx 255.255.255.224 eq smtp
access-list inside_access_out extended permit tcp host 192.168.1.10 xxx.xxx.xxx.xxx 255.255.255.240 eq smtp
access-list inside_access_out extended permit tcp host 192.168.1.10 xxx.xxx.xxx.xxx 255.255.255.224 eq smtp
access-list inside_access_out extended permit tcp host 192.168.1.10 xxx.xxx.xxx.xxx 255.255.255.224 eq pop3
access-list inside_access_out extended permit tcp host 192.168.1.10 xx.xxx.xxx.xxx 255.255.255.240 eq pop3
access-list inside_access_out extended permit tcp host 192.168.1.10 xx.xxx.xxx.xxx 255.255.255.224 eq pop3
access-list inside_access_out extended permit tcp host 192.168.1.10 xxx.xxx.xx.xx 255.255.255.240 eq pop3
access-list inside_access_out extended permit tcp host 192.168.1.10 xxx.xx.xxx.xxx 255.255.255.248 eq pop3
access-list inside_access_out extended permit tcp host 192.168.1.10 xx.xxx.xxx.xxx 255.255.255.224 eq ldap
access-list inside_access_out extended permit tcp host 192.168.1.10 xxx.2xx.xx.xxx 255.255.255.240 eq ldap
access-list inside_access_out extended permit tcp host 192.168.1.10 xxx.xxxx.xxx.xxx 255.255.255.224 eq ldap
access-list inside_access_out extended permit tcp host 192.168.1.10 xxx.xxx.xxx.xx 255.255.255.240 eq ldap
access-list inside_access_out extended permit tcp host 192.168.1.10 xxx.xxx.xxx.xxx 255.255.255.248 eq ldap
access-list inside_access_out extended permit ip any any
access-list inside_access_out extended permit udp any any
access-list outside_nat_static extended permit tcp host 192.168.1.120 eq 8101 interface inside
access-list outside_nat_static_2 extended permit tcp host 192.168.1.120 eq 8100 interface inside
access-list inside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit ip any host 10.10.10.1
access-list ACL_IN extended permit ip any any
access-list ACL_IN extended permit tcp any any
access-list ACL_IN extended permit object-group TCPUDP any any
access-list ACL_OUT extended permit ip any any
access-list ACL_OUT extended permit udp any any
access-list Compassng extended permit tcp host 192.168.1.120 interface outside
pager lines 30
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool company 172.16.1.101-172.16.1.102
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-634-53.bin
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 0 access-list nonat
static (inside,outside) tcp 10.10.10.3 imap4 access-list inside_nat_static_4
static (inside,outside) tcp 10.10.10.3 3389 access-list inside_nat_static_3
static (inside,outside) tcp 10.10.10.3 smtp access-list inside_nat_static_2
static (inside,outside) tcp 10.10.10.3 pop3 access-list inside_nat_static_1
static (inside,outside) tcp 10.10.10.3 3000 access-list inside_nat_static
static (inside,outside) tcp 10.10.10.4 3389 access-list inside_nat_static_5
static (inside,outside) tcp 10.10.10.5 3389 access-list inside_nat_static_6
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
route inside 10.1.1.0 255.255.255.0 192.168.1.2 1
route inside 10.1.10.0 255.255.255.0 192.168.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server test protocol radius
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set new york esp-des esp-md5-hmac
crypto ipsec transform-set IOM esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set canada esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer xxx.xxx.xx.xx xxx.xxx.xx.xxx
crypto map outside_map 1 set transform-set new york
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer xxx.xxx.xxx.xxx
crypto map outside_map 2 set transform-set IOM
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set peer xxx.xxx.xxx.xxx
crypto map outside_map 3 set transform-set canada
crypto map outside_map 3 set security-association lifetime seconds 86400
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 21
no vpn-addr-assign aaa
telnet 192.168.1.10 255.255.255.255 inside
telnet 192.168.1.2 255.255.255.255 inside
telnet timeout 5
ssh xxx.xxx.xxx.xxx 255.255.255.0 outside
ssh xxx.xxx.xxx.xxx 255.255.255.0 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn

tunnel-group xx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *****
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *****
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *****
tunnel-group-map enable rules
!
class-map global-class
 match any
class-map inspection_default
!
!
policy-map type inspect dns preset_dns_map
 parameters
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
policy-map global-policy
 description cam
 class global-class
  inspect http
 class class-default
  inspect ftp
!
service-policy global-policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:
koliasexpo Sat, 11/08/2014 - 08:28

My ISP connects to the router first.

I originally posted this question about NAT because, with my little experience, I believe maybe the problem lies there.

Just want to make sure that connections from the router (internet) are established. Then, if it's not the router or a translation issue, it must be the ASA denying TCP connections from the router.

I honestly don't know. But thank you for giving me any help on this.

John Blakley Sat, 11/08/2014 - 09:44

What we need to do first is establish if the router is working at all with the ISP. If you take the ASA out of the equation, can you get on the internet at all?

In this case, you would need to add "ip nat inside" to your vlan 1 interface:

interface Vlan1
 description $ETH-SW-xxxxxxxxx-INFO-HWIC 4ESW$
 ip address 10.10.10.1 255.255.255.248
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!

That needs to be added anyway or no one would be able to translate. Let's get this down to basics before troubleshooting the ASA. There are too many unknowns right now. If you can get to "ISP --- Router -- Switch --- Host", we can troubleshoot if a host can get on the internet.

Another thing you should try is to see if you can ping a host on the internet from the router. Try pinging 8.8.8.8. If it comes back with '!', then you have connectivity to the ISP.

HTH,

John

*** Please rate all useful posts ***

koliasexpo Sun, 11/09/2014 - 00:36

Thank you.

Yesterday, the "show run" configuration I received was with the router offline.

If someone connects the router to the DSL and firewall, it connects to the ISP and gets the IP, but then it does not give connection to the host, except the RDP connection.

Last time I pinged 8.8.8.8 I got 100% success.

On the other side, on the ASA monitor messages like

deny tcp src outside by access-group outside_access_in 0x0 0x0, and vice versa, are logging.

I am not there today and I can't do much remotely as the router is not connected. But I will be there tomorrow morning.

I am designing a to-do list, mostly from your advice, to check on the configuration and make sure that the router has the correct configuration.

Just to make sure, to NAT the Vlan1 interface the command is "ip nat inside", and you said it seems like you'd need to allow the 192.168.1.0/24 subnet to NAT; how do I do this?

Thanks John

John Blakley Sun, 11/09/2014 - 06:10

The acl that the router is using is 102, so that's the one that you'll need to edit. You can just add:

access-list 102 permit ip 192.168.1.0 0.0.0.255 any

I noticed that you have crypto maps configured, but all of them reference access-lists that don't exist. I'm assuming that you're not using the vpn tunnel, but if you are, or if you plan to, you'll need to deny the subnets that you know about from being natted over the tunnel. That's possibly a step we'll have to do later, so for now just insert the above and see if it resolves your issue with natting from behind the router. Once you get that working, we can throw the ASA into the mix and get it working.

HTH,

John
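The two fixes John gives for the 876 (the "ip nat inside" on Vlan1 in his earlier reply and the extra ACL 102 entry above) can be checked mechanically. The script below is an added example, not part of the thread or of any Cisco tool: it parses a constructed excerpt of the posted router config (only the values that appear in this thread), derives the inside subnets from the NAT-inside interface and the static routes, and reports which of them ACL 102 does not yet permit for translation. The function and variable names are the example's own.

```python
"""Audit an IOS config for the PAT prerequisites discussed in this thread."""
import ipaddress
import re

# Constructed excerpt of the 876 config exactly as posted: no "ip nat inside"
# on Vlan1, and ACL 102 only permits the 10.10.10.0/29 link to the ASA.
AS_POSTED = """\
interface Vlan1
 ip address 10.10.10.1 255.255.255.248
 ip virtual-reassembly
!
interface Dialer0
 ip address negotiated
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.1.1.0 255.255.255.0 10.10.10.2 name Inside
ip route 10.1.10.0 255.255.255.0 10.10.10.2 name Inside
ip route 192.168.1.0 255.255.255.0 10.10.10.2 name Inside
ip nat inside source list 102 interface Dialer0 overload
access-list 102 permit ip 10.10.10.0 0.0.0.7 any
"""

# The same excerpt with John's two changes applied.
AFTER_FIX = AS_POSTED.replace(
    " ip virtual-reassembly\n", " ip virtual-reassembly\n ip nat inside\n"
) + "access-list 102 permit ip 192.168.1.0 0.0.0.255 any\n"


def wildcard_to_network(addr, wildcard):
    """IOS ACLs use inverted (wildcard) masks: 0.0.0.7 means a /29."""
    mask_int = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask_int)}", strict=False)


def audit_nat(config):
    """Return findings as strings; an empty list means every inside subnet can be translated."""
    nat_inside, nat_outside = set(), set()
    connected = {}   # interface -> directly connected network
    routed = []      # non-default static routes, i.e. subnets behind the ASA
    acl_nets = {}    # ACL number -> networks it permits
    overload = None  # (ACL number, outside interface) from the overload statement
    iface = None
    for line in config.splitlines():
        if line.startswith("interface "):
            iface = line.split()[1]
            continue
        if line.startswith(" ") and iface:
            m = re.match(r" ip address (\S+) (\S+)$", line)
            if m:
                connected[iface] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            elif line.strip() == "ip nat inside":
                nat_inside.add(iface)
            elif line.strip() == "ip nat outside":
                nat_outside.add(iface)
            continue
        iface = None  # any unindented line ends the interface block
        m = re.match(r"ip route (\S+) (\S+) ", line)
        if m and m.group(1) != "0.0.0.0":
            routed.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
        m = re.match(r"ip nat inside source list (\d+) interface (\S+) overload", line)
        if m:
            overload = (m.group(1), m.group(2))
        m = re.match(r"access-list (\d+) permit ip (\S+) (\S+) any", line)
        if m:
            acl_nets.setdefault(m.group(1), []).append(wildcard_to_network(m.group(2), m.group(3)))

    findings = []
    if not nat_inside:
        findings.append("no interface has 'ip nat inside': nothing will be translated")
    if overload is None:
        findings.append("no 'ip nat inside source list ... overload' statement")
        return findings
    acl, out_if = overload
    if out_if not in nat_outside:
        findings.append(f"{out_if} is the NAT interface but lacks 'ip nat outside'")
    # Inside subnets are the NAT-inside interface's own network plus everything routed
    # towards the ASA; each must be permitted by the overload ACL or it gets no internet.
    inside_subnets = [connected[i] for i in sorted(nat_inside) if i in connected] + routed
    for net in inside_subnets:
        if not any(net.subnet_of(a) for a in acl_nets.get(acl, [])):
            findings.append(f"{net} is not permitted by access-list {acl}: no translation for it")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("after fix", AFTER_FIX)):
        print(f"--- {label} ---")
        for f in audit_nat(cfg) or ["ok"]:
            print(f)
```

Run against the config as posted it flags the missing "ip nat inside" and all three routed subnets; after John's two changes it still flags 10.1.1.0/24 and 10.1.10.0/24, which is exactly the point made in his earlier edit about the extra static-route subnets.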