ASA 5510 and routing

fcgsupport (Level 1)

First off, the hardware: Brand new ASA 5510 7.0(6)

I have a very basic setup. One public network, one private network and one management network. I run through the wizards and configure the essentials. For some reason I simply cannot get traffic to flow from the private to the public. I can ping the internal firewall address from clients on the private network. If I do a ping from the ASDM software (from the public interface) to an internet address.... it works no problem. It just seems like something is stopping traffic going from the private to the public. Any thoughts would be appreciated.

Accepted Solution

Hi,

The problem is the NAT. You are putting NAT 0 (no translation) but that is wrong since your ISP will not accept 192.168.3.x in his network from you. Even if it is accepting, it will not route that since those are private-space IPs.

Correct config:

no nat (private.test.local) 0 192.168.3.0 255.255.255.0

nat (private.test.local) 1 192.168.3.0 255.255.255.0

global (public.test.local) 1 interface

This will make your traffic work, if you have additional Public IPs from your ISP, you can use the "global" command with another IP so that you will not overload on the ASA public IP.

If you have servers inside, you need to have a "static" statement so that the Internet users can initiate connection to your server, eg considering you have a server on 192.168.3.100:

static (private.test.local,public.test.local) 74.236.69.x 192.168.3.100 netmask 255.255.255.255

The internet users will access that server with 74.236.69.x.

You will also need to allow traffic on the outside interface (permit ip/tcp/udp any host 74.236.69.x eq )

If this helped, please rate.

Regards,

Daniel

PS: before putting a config on the forum you should sanitize it (replace all real Public IPs with 10.x.x.x as well as all other sensitive info)
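As an added illustration (not part of Daniel's post, and not a Cisco tool), the script below reads a configuration in the classic ASA 7.x nat/global/static syntax and does two things the answer asks for: it flags the pitfalls above (a nat 0 identity rule that sends RFC 1918 sources out untranslated, a nat id with no matching global, and a static whose mapped host no access-list permits), and it sanitizes the text before posting by mapping every non-RFC 1918 address to 10.0.K.x and blanking password and Cryptochecksum lines. The sample lines are constructed: 203.0.113.0/24 stands in for the poster's real public block, and the access-list/access-group lines, the name outside_in, the keyword list in SECRET_RE and the EXAMPLEHASH value are assumptions for the demo, not quoted from the thread. Python 3.8 or later is assumed.

```python
import ipaddress
import re
from typing import Dict, List

# RFC 1918 space: what the accepted answer calls "private space IPs".
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Assumed list of keywords whose next token is a secret; extend for your own config.
SECRET_RE = re.compile(r"^(\s*(?:enable password|passwd|username \S+ password|snmp-server community) )\S+")


def is_rfc1918(addr: str) -> bool:
    """True if addr parses as an IPv4 address inside RFC 1918 space."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.version == 4 and any(ip in net for net in RFC1918)


def audit_nat(config: str) -> List[str]:
    """Flag the ASA 7.x NAT pitfalls discussed in the thread; an empty list means clean."""
    nat_by_id: Dict[int, List[tuple]] = {}   # nat id -> [(inside_if, network)]
    global_ids, statics, acl_hosts = set(), [], set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"nat \((\S+)\) (\d+) (\S+)", line):
            nat_by_id.setdefault(int(m[2]), []).append((m[1], m[3]))
        elif m := re.match(r"global \(\S+\) (\d+)", line):
            global_ids.add(int(m[1]))
        elif m := re.match(r"static \(\S+,(\S+)\)\s*(\S+) (\S+)", line):
            statics.append((m[1], m[2], m[3]))        # (outside_if, global_ip, local_ip)
        elif line.startswith("access-list") and " permit " in line:
            acl_hosts.update(re.findall(r"host (\S+)", line))
    findings = []
    for nat_id, entries in nat_by_id.items():
        for iface, net in entries:
            if nat_id == 0 and is_rfc1918(net):
                # nat 0 is identity NAT: packets leave with their 192.168.x source intact.
                findings.append(f"nat ({iface}) 0 {net}: identity NAT leaves RFC 1918 "
                                "sources untranslated; the ISP will not route them")
            elif nat_id > 0 and nat_id not in global_ids:
                findings.append(f"nat ({iface}) {nat_id} {net}: no 'global' with id "
                                f"{nat_id}, so no outbound translation can be built")
    for out_if, global_ip, local_ip in statics:
        if global_ip not in acl_hosts:
            findings.append(f"static {global_ip} -> {local_ip}: no access-list permits "
                            f"host {global_ip}; inbound on {out_if} stays denied")
    return findings


def sanitize(config: str) -> str:
    """Map non-RFC 1918 addresses to 10.0.K.x (same /24 -> same K, last octet kept),
    leave netmasks alone, and blank out password and checksum material."""
    prefixes: Dict[str, int] = {}

    def replace(m: re.Match) -> str:
        text = m.group(0)
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:
            return text
        inv = int(ip) ^ 0xFFFFFFFF           # a netmask's complement is 2^k - 1
        if inv & (inv + 1) == 0 or is_rfc1918(text):
            return text
        prefix, last = text.rsplit(".", 1)
        return f"10.0.{prefixes.setdefault(prefix, len(prefixes) + 1)}.{last}"

    out = []
    for line in config.splitlines():
        line = SECRET_RE.sub(r"\1<removed>", IPV4_RE.sub(replace, line))
        out.append(re.sub(r"^Cryptochecksum:.*", "Cryptochecksum:<removed>", line))
    return "\n".join(out)


# Constructed sample: the poster's NAT lines as originally configured.
BROKEN = """\
nat-control
nat (private.test.local) 0 192.168.3.0 255.255.255.0
"""
# Constructed sample: after the accepted answer's fix, plus the static with an
# assumed access-list/access-group, and two lines a sanitizer must not leak.
FIXED = """\
nat-control
nat (private.test.local) 1 192.168.3.0 255.255.255.0
global (public.test.local) 1 interface
static (private.test.local,public.test.local) 203.0.113.100 192.168.3.100 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 203.0.113.100 eq 80
access-group outside_in in interface public.test.local
route public.test.local 0.0.0.0 0.0.0.0 203.0.113.1 1
enable password EXAMPLEHASH encrypted
Cryptochecksum:0123456789abcdef0123456789abcdef
"""

if __name__ == "__main__":
    print("broken:", audit_nat(BROKEN), "\nfixed:", audit_nat(FIXED))
    print(sanitize(FIXED))
```

Running it reports the identity-NAT finding for the original config and nothing for the corrected one, and prints the corrected config with 203.0.113.100 rewritten as 10.0.1.100, the gateway as 10.0.1.1, netmasks untouched, and the password and checksum blanked. The netmask test relies on a mask's bitwise complement being of the form 2^k - 1, so it leaves 0.0.0.0 and 255.255.255.255 alone as well; a real sanitizer would also want to scrub hostnames, domain names and certificate blobs, which this example does not attempt.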


7 Replies

network.king (Level 4)

Hi

How about the NAT configuration for your private segment? Is it done?

regards

vanesh k

Hi,

Check this step by step guide:

http://cisco.com/en/US/products/ps6120/products_configuration_example09186a00804619d8.shtml

Please rate if this helped.

Regards,

Daniel

Yeah, I ran through this already. I performed these config steps on a cleared config... still with no luck.

Yeah. I ran through this guide from Cisco even and I still can't seem to get traffic from the private to the public.

http://cisco.com/en/US/products/ps6120/products_configuration_example09186a00804619d8.shtml

fcgsupport (Level 1)

Here is my config BTW:

ASA Version 7.0(6)
!
hostname asa5510
domain-name test.local
names
dns-guard
!
interface Ethernet0/0
 nameif public.test.local
 security-level 0
 ip address 74.x.69.x 255.255.255.0
!
interface Ethernet0/1
 nameif private.test.local
 security-level 100
 ip address 192.168.3.4 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup private.test.local
dns name-server 4.2.2.2
pager lines 24
logging enable
logging asdm informational
mtu public.test.local 1500
mtu private.test.local 1500
mtu management 1500
icmp permit any public.test.local
icmp permit any private.test.local
asdm image disk0:/asdm506.bin
asdm history enable
arp timeout 14400
nat-control
nat (private.test.local) 0 192.168.3.0 255.255.255.0
route public.test.local 0.0.0.0 0.0.0.0 74.x.x.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
management-access management
dhcpd address 192.168.1.2-192.168.1.10 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:xxx


Yep.... That is what it was. I just talked with TAC and they also confirmed that. Thank you.
