11-08-2014 05:09 AM - edited 03-05-2019 12:08 AM
Hello,
I have a couple of questions as I'm a complete rookie on this.
I have an 876 DSL router with IP address 10.10.10.1 and I need to allow all traffic to an ASA 5505 with IP address 192.168.1.1, which is also my default gateway. I am quite confused with the NAT statements.
I have a public IP (from ISP) of (example) 200.158.3.74
What is the NAT statement I should perform on the router?
b) Should I apply the same translation on my ASA 5505? And do I have to create a dynamic NAT rule on the ASA to allow all the traffic from the router?
Your help is appreciated, thanks in advance
11-08-2014 05:20 AM
Can you draw up a diagram about how you're laid out? From your description, the ASA and router don't share a common subnet, so we'll need to know how they're connecting. What do you want to put the public address on - the router or ASA? You would only nat on the one that's in front of your network and connects to the ISP...
HTH,
John
11-08-2014 05:36 AM
I will draw a diagram; in the meantime I can post a show run of my router and give you more helpful info.
The connection goes like >> Router 876 10.10.10.1 255.255.255.248 >> ASA 5505 (vlan2, nameif inside, 10.10.10.2 255.255.255.248; vlan1, nameif outside, 192.168.1.1) >> Webserver 192.168.1.20 255.255.255.0
The public IP address should be on the router 876, correct?
11-08-2014 05:42 AM
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.10.3 10.10.10.6
!
ip dhcp pool sdm-pool
 import all
 network 10.10.10.0 255.255.255.248
 default-router 10.10.10.1
 dns-server 195.170.0.1 195.170.2.2
 lease 0 2
!
!
ip domain name myname
ip name-server 195.170.0.x
ip name-server 195.170.x.x
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp policy 11
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 12
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key !!xxx!QAZ2xxx address 69.17.
crypto isakmp key #xxx3!QAZxxx address 231.137.
crypto isakmp key Gxxx3!QAZxxx address 41.162.
!
crypto isakmp client configuration group xd
 key xd##
 pool SDM_POOL_1
 acl 100
 save-password
 pfs
 max-users 2
 max-logins 2
 netmask 255.255.255.0
 banner ^CWelcome To Cisco VPN ^C
crypto isakmp profile sdm-ike-profile-1
 match identity group xxxxxxx
 client authentication list sdm_vpn_xauth_ml_3
 isakmp authorization list sdm_vpn_group_ml_3
 client configuration address respond
 virtual-template 4
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-md5-hmac
crypto ipsec transform-set vpn esp-aes esp-md5-hmac
crypto ipsec transform-set vpn1 esp-3des esp-md5-hmac
crypto ipsec transform-set vpn2 esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set security-association lifetime seconds 3600
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1
!
!
crypto map vpn 10 ipsec-isakmp
 ! Incomplete
 set peer 41.162.xx.xxx
 set transform-set vpn
 match address 110
crypto map vpn 11 ipsec-isakmp
 ! Incomplete
 set peer 69.17.xxx.xxx
 set transform-set vpn1
 match address 111
crypto map vpn 12 ipsec-isakmp
 ! Incomplete
 set peer 231.xxx.0.xxx
 set transform-set vpn2
 match address 112
!
crypto ctcp port 10000
archive
 log config
  hidekeys
!
interface Loopback1
 ip address 172.16.1.1 255.255.255.0
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $ES_WAN$
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
 description broadband internet
!
interface FastEthernet1
!
interface FastEthernet2
 description Broadband Internet
!
interface FastEthernet3
!
interface Virtual-Template4 type tunnel
 ip unnumbered Loopback1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
 description $ETH-SW-xxxxxxxxx-INFO-HWIC 4ESW$
 ip address 10.10.10.1 255.255.255.248
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname xxxx@xxxxxxxx
 ppp chap password x
 ppp pap sent-username xxxxx@xxxxxxx password x
ip local pool SDM_POOL_1 172.16.x.xxx 172.16.x.xxx
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.1.1.0 255.255.255.0 10.10.10.2 name Inside
ip route 10.1.10.0 255.255.255.0 10.10.10.2 name Inside
ip route 192.168.1.0 255.255.255.0 10.10.10.2 name Inside
!
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 10.10.10.3 3000 interface Dialer0 3000
ip nat inside source static tcp 10.10.10.3 110 interface Dialer0 110
ip nat inside source static tcp 10.10.10.3 25 interface Dialer0 25
ip nat inside source static tcp 10.10.10.3 3389 interface Dialer0 30xx
ip nat inside source static tcp 10.10.10.3 143 interface Dialer0 1xx
ip nat inside source static tcp 10.10.10.3 1000 interface Dialer0 10xx
ip nat inside source static tcp 10.10.10.2 22 interface Dialer0 22xx
ip nat inside source static esp 10.10.10.2 interface Dialer0
ip nat inside source static udp 10.10.10.2 500 interface Dialer0 50xx
ip nat inside source static tcp 10.10.10.2 500 interface Dialer0 50xx
ip nat inside source static tcp 10.10.10.2 10000 interface Dialer0 100x
ip nat inside source static udp 10.10.10.2 4500 interface Dialer0 4500x
ip nat inside source static udp 10.10.10.2 10000 interface Dialer0 100x
ip nat inside source static udp 10.10.10.2 1701 interface Dialer0 1701x
ip nat inside source list 102 interface Dialer0 overload
ip nat inside source static tcp 10.10.10.3 389 interface Dialer0 389
ip nat inside source static 10.10.10.1 192.168.1.1
!
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=2
access-list 102 permit ip 10.10.10.0 0.0.0.7 any
dialer-list 1 protocol ip permit
no cdp run
!
route-map staticNAT permit 10
!
control-plane
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
end
11-08-2014 06:04 AM
From your description, you already have an established connection. I'm not sure how you have your ASA configured, but from the look of your diagram above, it seems like you'd need to allow the 192.168.1.0/24 subnet to nat and that's it:
ip nat inside source list 102 interface Dialer0 overload
Change the 102 acl to add the 192.168.1.0/24 subnet. The IP address would go on the Dialer0 interface instead of dhcp. You don't want/need to nat between the ASA and router. You just need to nat your private addresses out of the router that leads to the ISP.
*Edit*
You'll also need to add "ip nat inside" to interface vlan1 on the router. I also noticed that you have a couple more subnets based on the static routes that you have. If you want them to have internet access, they'll need to be added to the 102 acl as well...
HTH,
John
11-08-2014 06:11 AM
Ok, you are no. 1 and thank you!
As I am a rookie,
can I post you a show run of my ASA so you could tell me if maybe it's the ASA causing the disconnection and not the router?
11-08-2014 06:33 AM
You're welcome! Sure you can....what's the actual problem? You said something is causing a disconnection? Is it the internet that's disconnecting?
11-08-2014 07:34 AM
Sorry it took that long to reply.
Yes, there is no connection to the internet, even though if I connect the router online (now I had to temporarily change it with an industrial one until I find what's wrong) I can RDP to the server and, from there, PuTTY to the router. So I started looking into the ASA 5505 for rules that deny traffic from the router. When I was looking in the status monitor I had messages like
"Deny udp src outside: dst inside: by access-group "outside_access_in"
and many similar (I don't have the log in front of me but I can get it as soon as I go home).
I am not that familiar with CLI so I use ASDM (my first interaction with it was two weeks ago).
I am not a total rookie, as I understand some basic things, but
this has turned out to be a real nightmare as I don't know where to start from.
I am posting you a show run of the 5505 and I hope for the best.
11-08-2014 07:48 AM
Okay...do you get on the internet when the ASA is not in place? Is the ASA a new addition to your network? I'd have to see the running config on the ASA, but generally you have to run inspects on the ASA in order to allow return traffic back into the network unless you want to use ACLs on the outside interface.
I'm a little confused still about the problem. You said you don't have internet access, but in your original post, you were more concerned about NAT. What device does your ISP connect to directly? Is that the router or the ASA?
11-08-2014 07:51 AM
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.10.10.2 255.255.255.248
!
interface Vlan3
 shutdown
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
boot system disk0:/asa823-k8.bin
boot system disk0:/asa724-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name xxxxxx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group icmp-type PING
 description PING
 icmp-object echo
 icmp-object echo-reply
object-group network VPN_Users
 description VPN_Users
 network-object host 172.16.1.101
 network-object host 172.16.1.102
object-group service msrd tcp
 description miscrosoft remote desktop
 port-object eq 3389
object-group service LifeS
 description LifeS
 service-object tcp range 60000 60001
 service-object tcp eq h323
 service-object udp range 60000 60007
object-group network DTT
 network-object host 192.168.1.120
object-group service Dt1 tcp
 port-object eq 2222
 port-object eq 8096
 port-object eq 8098
 port-object eq 8099
 port-object eq 8100
 port-object eq 8101
 port-object eq 8200
 port-object eq 8983
 port-object eq 9999
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list inside_nat_static extended permit tcp host 192.168.1.10 eq 3000 interface outside
access-list outside_access_in remark === Mimecast to Exchange ===
access-list outside_access_in extended permit tcp xx.xxx.3xxx.xxx 255.255.255.224 host 10.10.10.3 eq smtp
access-list outside_access_in extended permit tcp xxx.2xx.1xx.xxx 255.255.255.240 host 10.10.10.3 eq smtp
access-list outside_access_in extended permit tcp xxx.xxx.xxx.xxx 255.255.255.224 host 10.10.10.3 eq smtp
access-list outside_access_in extended permit tcp xxx.2xx.1xx.9xxx 255.255.255.240 host 10.10.10.3 eq smtp
access-list outside_access_in extended permit tcp xxx.xxx.xx.xx 255.255.255.248 host 10.10.10.3 eq smtp
access-list outside_access_in extended permit tcp xxx1.1xx.2xx 255.255.255.248 host 10.10.10.3 eq pop3
access-list outside_access_in extended permit tcp 41.2xx.xx.xxx 255.255.255.240 host 10.10.10.3 eq pop3
access-list outside_access_in extended permit tcp 4xx.xxx.xxx.1xx 255.255.255.224 host 10.10.10.3 eq pop3
access-list outside_access_in extended permit tcp 4x.xxx.1x.1xx 255.255.255.240 host 10.10.10.3 eq pop3
access-list outside_access_in extended permit tcp 4x.xx.3x.1xx 255.255.255.224 host 10.10.10.3 eq pop3
access-list outside_access_in extended permit tcp host 195.10.102.194 host 10.10.10.3 eq ldap
access-list outside_access_in extended permit tcp xxx.xxx.xxx.xxx 255.255.255.248 host 10.10.10.3 eq ldap
access-list outside_access_in extended permit tcp 4x.xxx.xx.9xx 255.255.255.240 host 10.10.10.3 eq ldap
access-list outside_access_in extended permit tcp 4x.xxx.xxx.xxx 255.255.255.224 host 10.10.10.3 eq ldap
access-list outside_access_in extended permit tcp xxx.2xx.1xx.1xx 255.255.255.240 host 10.10.10.3 eq ldap
access-list outside_access_in extended permit tcp 4x.2xx.3x.1xx 255.255.255.224 host 10.10.10.3 eq ldap
access-list outside_access_in extended permit tcp object-group VPN_Users host 10.10.10.5 eq 3389
access-list outside_access_in extended permit tcp object-group VPN_Users host 10.10.10.4 eq 3389
access-list outside_access_in extended permit tcp object-group VPN_Users host 10.10.10.3 eq 3389
access-list outside_access_in extended permit tcp any host 10.10.10.3 eq imap4
access-list outside_access_in extended permit tcp any host 10.10.10.3 eq 3000
access-list outside_access_in extended permit tcp any host 10.10.10.3 eq smtp
access-list outside_access_in extended permit tcp any host 10.10.10.3 eq pop3
access-list outside_access_in extended permit object-group LifeS any any
access-list outside_access_in extended permit tcp host 8x.2xx.4x.2xx any eq 3389
access-list outside_access_in extended permit tcp host 1xx.1x.1xx.1x any eq 3389
access-list outside_access_in remark === Telnet access from router to internal switches ===
access-list outside_access_in extended permit ip host 10.10.10.1 host 192.168.1.2
access-list outside_access_in extended permit tcp host xx.1xx.xx.xxx any eq 3389
access-list outside_access_in extended permit tcp host xx.1xx.xxx.xxx any eq 3389
access-list outside_access_in extended permit tcp host xxx.xxx.xxx.xxx any eq 3389
access-list outside_access_in extended permit tcp host xxx.1xx.xx.xxx any eq 3389
access-list outside_access_in extended permit ip host 192.168.1.10 any
access-list outside_access_in extended permit tcp any host 192.168.1.2 eq www
access-list inside_nat_static_1 extended permit tcp host 192.168.1.10 eq pop3 interface outside
access-list inside_nat_static_2 extended permit tcp host 192.168.1.10 eq smtp interface outside
access-list inside_nat_static_3 extended permit tcp host 192.168.1.10 eq 3389 interface outside
access-list inside_nat_static_4 extended permit tcp host 192.168.1.10 eq imap4 interface outside
access-list inside_nat_static_5 extended permit tcp host 192.168.1.103 eq 3389 interface outside
access-list nonat remark === VPN no nat to IOM ===
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 192.168.104.0 255.255.255.0
access-list nonat remark === Telnet access from router to internal switches ===
access-list nonat extended permit ip host 192.168.1.2 host 10.10.10.1
access-list nonat remark === VPN no nat to ath ===
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list nonat remark === VPN no nat to IOM ===
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 172.16.105.0 255.255.255.0
access-list nonat extended permit ip any host 10.10.10.1
access-list outside_3_cryptomap remark === VPN tunnel to at ===
access-list outside_3_cryptomap extended permit ip 192.168.1.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 10.1.1.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list outside_1_cryptomap remark === VPN tunnel to at ===
access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list inside_nat_static_6 extended permit tcp host 192.168.1.101 eq 3389 interface outside
access-list outside_2_cryptomap remark === VPN tunnel to IOM ===
access-list outside_2_cryptomap extended permit ip 10.1.1.0 255.255.255.0 172.16.105.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.1.1.0 255.255.255.0 192.168.104.0 255.255.255.0
access-list inside_access_out remark === Exchange to software ===
access-list inside_access_out extended permit tcp host 192.168.1.10 xxx.xx.xxx.xxx 255.255.255.248 eq smtp
access-list inside_access_out extended permit tcp host 192.168.1.10 xxx.xxx.xx.xx 255.255.255.240 eq smtp
access-list inside_access_out extended permit tcp host 192.168.1.10 xxx.xxx.xxx.xxx 255.255.255.224 eq smtp
access-list inside_access_out extended permit tcp host 192.168.1.10 xxx.xxx.xxx.xxx 255.255.255.240 eq smtp
access-list inside_access_out extended permit tcp host 192.168.1.10 xxx.xxx.xxx.xxx 255.255.255.224 eq smtp
access-list inside_access_out extended permit tcp host 192.168.1.10 xxx.xxx.xxx.xxx 255.255.255.224 eq pop3
access-list inside_access_out extended permit tcp host 192.168.1.10 xx.xxx.xxx.xxx 255.255.255.240 eq pop3
access-list inside_access_out extended permit tcp host 192.168.1.10 xx.xxx.xxx.xxx 255.255.255.224 eq pop3
access-list inside_access_out extended permit tcp host 192.168.1.10 xxx.xxx.xx.xx 255.255.255.240 eq pop3
access-list inside_access_out extended permit tcp host 192.168.1.10 xxx.xx.xxx.xxx 255.255.255.248 eq pop3
access-list inside_access_out extended permit tcp host 192.168.1.10 xx.xxx.xxx.xxx 255.255.255.224 eq ldap
access-list inside_access_out extended permit tcp host 192.168.1.10 xxx.2xx.xx.xxx 255.255.255.240 eq ldap
access-list inside_access_out extended permit tcp host 192.168.1.10 xxx.xxxx.xxx.xxx 255.255.255.224 eq ldap
access-list inside_access_out extended permit tcp host 192.168.1.10 xxx.xxx.xxx.xx 255.255.255.240 eq ldap
access-list inside_access_out extended permit tcp host 192.168.1.10 xxx.xxx.xxx.xxx 255.255.255.248 eq ldap
access-list inside_access_out extended permit ip any any
access-list inside_access_out extended permit udp any any
access-list outside_nat_static extended permit tcp host 192.168.1.120 eq 8101 interface inside
access-list outside_nat_static_2 extended permit tcp host 192.168.1.120 eq 8100 interface inside
access-list inside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit ip any host 10.10.10.1
access-list ACL_IN extended permit ip any any
access-list ACL_IN extended permit tcp any any
access-list ACL_IN extended permit object-group TCPUDP any any
access-list ACL_OUT extended permit ip any any
access-list ACL_OUT extended permit udp any any
access-list Compassng extended permit tcp host 192.168.1.120 interface outside
pager lines 30
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool company 172.16.1.101-172.16.1.102
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-634-53.bin
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 0 access-list nonat
static (inside,outside) tcp 10.10.10.3 imap4 access-list inside_nat_static_4
static (inside,outside) tcp 10.10.10.3 3389 access-list inside_nat_static_3
static (inside,outside) tcp 10.10.10.3 smtp access-list inside_nat_static_2
static (inside,outside) tcp 10.10.10.3 pop3 access-list inside_nat_static_1
static (inside,outside) tcp 10.10.10.3 3000 access-list inside_nat_static
static (inside,outside) tcp 10.10.10.4 3389 access-list inside_nat_static_5
static (inside,outside) tcp 10.10.10.5 3389 access-list inside_nat_static_6
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
route inside 10.1.1.0 255.255.255.0 192.168.1.2 1
route inside 10.1.10.0 255.255.255.0 192.168.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server test protocol radius
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set new york esp-des esp-md5-hmac
crypto ipsec transform-set IOM esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set canada esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer xxx.xxx.xx.xx xxx.xxx.xx.xxx
crypto map outside_map 1 set transform-set new york
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer xxx.xxx.xxx.xxx
crypto map outside_map 2 set transform-set IOM
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set peer xxx.xxx.xxx.xxx
crypto map outside_map 3 set transform-set canada
crypto map outside_map 3 set security-association lifetime seconds 86400
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 21
no vpn-addr-assign aaa
telnet 192.168.1.10 255.255.255.255 inside
telnet 192.168.1.2 255.255.255.255 inside
telnet timeout 5
ssh xxx.xxx.xxx.xxx 255.255.255.0 outside
ssh xxx.xxx.xxx.xxx 255.255.255.0 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group xx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *****
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *****
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *****
tunnel-group-map enable rules
!
class-map global-class
 match any
class-map inspection_default
!
policy-map type inspect dns preset_dns_map
 parameters
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
policy-map global-policy
 description cam
 class global-class
  inspect http
 class class-default
  inspect ftp
!
service-policy global-policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:
11-08-2014 08:28 AM
My ISP connects to the router first.
I originally posted this question about NAT because, with my little experience, I believe maybe the problem lies there.
Just want to make sure that connections from the router (internet) are established. Then, if it's not the router or a translation issue, it must be the ASA denying TCP connections from the router.
I honestly don't know. But thank you for giving me any help on this.
11-08-2014 09:44 AM
What we need to do first is establish if the router is working at all with the ISP. If you take the ASA out of the equation, can you get on the internet at all?
In this case, you would need to add "ip nat inside" to your vlan 1 interface:
interface Vlan1
 description $ETH-SW-xxxxxxxxx-INFO-HWIC 4ESW$
 ip address 10.10.10.1 255.255.255.248
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
That needs to be added anyway or no one would be able to translate. Let's get this down to basics before troubleshooting the ASA. There are too many unknowns right now. If you can get to "ISP --- Router -- Switch --- Host", we can troubleshoot if a host can get on the internet.
Another thing you should try is to see if you can ping a host on the internet from the router. Try pinging 8.8.8.8. If it comes back with '!', then you have connectivity to the ISP.
HTH,
John
*** Please rate all useful posts ***
11-09-2014 12:36 AM
Thank you.
Yesterday, the "show run" configuration I received was with the router offline.
If someone connects the router to the DSL and firewall, it connects to the ISP and gets the IP, but then it does not give a connection to the host except the RDP connection.
Last time I pinged 8.8.8.8 I got 100% success.
On the other side,
on the ASA monitor messages like
deny tcp src outside by access-group outside_access_in 0x0 0x0 and vice versa are logging.
I am not there today and I can't do much remotely as the router is not connected. But I will be there tomorrow morning.
I am designing a to-do list, mostly with your advice, to check on the configuration and make sure that the router has the correct configuration.
Just to make sure, to NAT the Vlan1 interface the command is "ip nat inside"
and you said it seems like I'd need to allow the 192.168.1.0/24 subnet to NAT; how do I do this?
Thanks John
11-09-2014 06:10 AM
The acl that the router is using is 102, so that's the one that you'll need to edit. You can just add:
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
I noticed that you have crypto maps configured, but all of them reference access-lists that don't exist. I'm assuming that you're not using the vpn tunnel, but if you are, or if you plan to, you'll need to deny the subnets that you know about from being natted over the tunnel. That's possibly a step we'll have to do later, so for now just insert the above and see if it resolves your issue with natting from behind the router. Once you get that working, we can throw the ASA into the mix and get it working.
HTH,
John
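A small check for the three things John points out across his replies (no interface carrying "ip nat inside", a NAT ACL that does not cover every subnet the router has a static route for, and crypto maps whose "match address" ACL does not exist), written as an added Python example that is not part of this thread; the config excerpt is constructed from the posted show run, and audit_nat is an assumed helper name, not an IOS command.

```python
import re
import ipaddress

# Constructed excerpt modelled on the 876's posted show run (not the full config):
# Vlan1 lacks "ip nat inside", ACL 102 only covers 10.10.10.0/29, and crypto map
# "vpn 10" references ACL 110, which is never defined.
SAMPLE_CONFIG = """\
interface Vlan1
 ip address 10.10.10.1 255.255.255.248
!
interface Dialer0
 ip address negotiated
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.1.1.0 255.255.255.0 10.10.10.2 name Inside
ip route 10.1.10.0 255.255.255.0 10.10.10.2 name Inside
ip route 192.168.1.0 255.255.255.0 10.10.10.2 name Inside
ip nat inside source list 102 interface Dialer0 overload
access-list 102 permit ip 10.10.10.0 0.0.0.7 any
crypto map vpn 10 ipsec-isakmp
 match address 110
"""

def parse_interfaces(cfg):
    """Map each 'interface X' stanza to its indented sub-commands."""
    ifaces, current = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif line.startswith(" ") and current is not None:
            ifaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return ifaces

def wildcard_to_network(addr, wildcard):
    """IOS ACLs use inverse masks: 0.0.0.7 means /29."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def acl_networks(cfg, acl_id):
    """Source networks permitted by a numbered 'permit ip A W any' ACL."""
    pat = rf"^access-list {acl_id} permit ip (\S+) (\S+) any"
    return [wildcard_to_network(a, w) for a, w in re.findall(pat, cfg, re.M)]

def audit_nat(cfg):
    """Return a list of findings about the router's NAT setup (empty = clean)."""
    findings = []
    ifaces = parse_interfaces(cfg)
    inside = [n for n, cmds in ifaces.items() if "ip nat inside" in cmds]
    outside = [n for n, cmds in ifaces.items() if "ip nat outside" in cmds]
    if not inside:
        findings.append("no interface has 'ip nat inside'; nothing gets translated")
    if not outside:
        findings.append("no interface has 'ip nat outside'")
    m = re.search(r"^ip nat inside source list (\S+) interface (\S+) overload", cfg, re.M)
    if m:
        acl_id, out_if = m.groups()
        if out_if not in outside:
            findings.append(f"overload points at {out_if}, which is not 'ip nat outside'")
        nets = acl_networks(cfg, acl_id)
        if not nets:
            findings.append(f"NAT acl {acl_id} has no 'permit ip' entries")
        # Every subnet the router has a static route for should be in the NAT ACL,
        # otherwise hosts there reach the router but never get translated.
        for dst, mask, nh in re.findall(r"^ip route (\S+) (\S+) (\S+)", cfg, re.M):
            if dst == "0.0.0.0":
                continue  # the default route is the exit, not a source subnet
            net = ipaddress.ip_network(f"{dst}/{mask}", strict=False)
            if not any(net.subnet_of(n) for n in nets):
                findings.append(f"subnet {net} (via {nh}) is not covered by NAT acl {acl_id}")
    # Crypto map entries whose 'match address' ACL was never defined
    for acl in re.findall(r"^ match address (\S+)", cfg, re.M):
        if not re.search(rf"^access-list {acl} ", cfg, re.M):
            findings.append(f"crypto map references missing acl {acl}")
    return findings
```

Call audit_nat on the text of your own show run; on the excerpt above it reports the missing "ip nat inside", the three routed subnets absent from ACL 102, and the dangling ACL 110.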