01-06-2007 10:56 PM - edited 03-11-2019 02:16 AM
First off, the hardware: Brand new ASA 5510 7.0(6)
I have a very basic setup. One public network, one private network and one management network. I run through the wizards and configure the essentials. For some reason I simply cannot get traffic to flow from the private to the public. I can ping the internal firewall address from clients on the private network. If I do a ping from the ASDM software (from the public interface) to an internet address.... it works no problem. It just seems like something is stopping traffic going from the private to the public. Any thoughts would be appreciated.
01-07-2007 05:50 AM
Hi,
The problem is the NAT. You are putting NAT 0 (no translation), but that is wrong since your ISP will not accept 192.168.3.x in its network from you. Even if it accepts them, it will not route them since they are private address space IPs.
Correct config:
no nat (private.test.local) 0 192.168.3.0 255.255.255.0
nat (private.test.local) 1 192.168.3.0 255.255.255.0
global (public.test.local) 1 interface
This will make your traffic work. If you have additional Public IPs from your ISP, you can use the "global" command with another IP so that you will not overload the ASA public IP.
If you have servers inside, you need to have a "static" statement so that the Internet users can initiate a connection to your server, e.g. considering you have a server on 192.168.3.100:
static (private.test.local,public.test.local)74.236.69.x 192.168.3.100 netmask 255.255.255.255
The internet users will access that server with 74.236.69.x.
You will also need to allow traffic on the outside interface (permit ip/tcp/udp any host 74.236.69.x eq
If this helped, please rate.
Regards,
Daniel
PS: before putting a config on the forum you should sanitize it (replace all real Public IPs with 10.x.x.x as well as all other sensitive info)
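As an added illustration (not code from the thread or from Cisco), a small Python check that parses the pre-8.3 style "nat"/"global" lines and flags the identity-NAT problem described above: a "nat 0" rule on a private range, or a nat id with no matching global. The two config snippets are constructed from the commands quoted in this thread.

```python
import ipaddress
import re
from typing import List

# Constructed sample (not the poster's full config): the broken state from the
# thread, with identity NAT (id 0) on the inside and no global pool at all.
BROKEN_CFG = """\
nat-control
nat (private.test.local) 0 192.168.3.0 255.255.255.0
"""

# Constructed sample applying the accepted answer: dynamic PAT of the inside
# range to the outside interface address via matching nat/global id 1.
FIXED_CFG = """\
nat-control
nat (private.test.local) 1 192.168.3.0 255.255.255.0
global (public.test.local) 1 interface
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")


def find_nat_issues(cfg: str) -> List[str]:
    """Flag pre-8.3 'nat' rules that cannot carry traffic to the Internet."""
    ids_with_global = set()
    nat_rules = []
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := GLOBAL_RE.match(line):
            ids_with_global.add(m.group(2))
        elif m := NAT_RE.match(line):
            nat_rules.append(m.groups())
    findings = []
    for iface, nat_id, net, mask in nat_rules:
        if net == "access-list":
            continue  # 'nat 0 access-list' is NAT exemption, a different case
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        if nat_id == "0" and network.is_private:
            # Identity NAT sends RFC 1918 sources out untranslated; the ISP
            # will not accept or route them, exactly the symptom in the thread.
            findings.append(f"{iface}: nat 0 leaves private {network} untranslated")
        elif nat_id != "0" and nat_id not in ids_with_global:
            findings.append(f"{iface}: nat id {nat_id} has no matching global")
    return findings


if __name__ == "__main__":
    print("broken:", find_nat_issues(BROKEN_CFG))
    print("fixed:", find_nat_issues(FIXED_CFG))
```

The check only covers the old nat/global syntax used on 7.x as in this thread; 8.3 and later use object NAT and would need a different parser.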
01-07-2007 12:29 AM
Hi
How about the NAT configuration for your private segment? Is it done?
regards
vanesh k
01-07-2007 02:21 AM
Hi,
Check this step by step guide:
http://cisco.com/en/US/products/ps6120/products_configuration_example09186a00804619d8.shtml
Please rate if this helped.
Regards,
Daniel
01-07-2007 05:06 AM
Yeah, I ran through this already. I performed these config steps on a cleared config... still with no luck.
01-07-2007 05:06 AM
Yeah. I ran through this guide from Cisco even and I still can't seem to get traffic from the private to the public.
http://cisco.com/en/US/products/ps6120/products_configuration_example09186a00804619d8.shtml
01-07-2007 05:19 AM
Here is my config BTW:
ASA Version 7.0(6)
!
hostname asa5510
domain-name test.local
names
dns-guard
!
interface Ethernet0/0
nameif public.test.local
security-level 0
ip address 74.x.69.x.255.255.0
!
interface Ethernet0/1
nameif private.test.local
security-level 100
ip address 192.168.3.4 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup private.test.local
dns name-server 4.2.2.2
pager lines 24
logging enable
logging asdm informational
mtu public.test.local 1500
mtu private.test.local 1500
mtu management 1500
icmp permit any public.test.local
icmp permit any private.test.local
asdm image disk0:/asdm506.bin
asdm history enable
arp timeout 14400
nat-control
nat (private.test.local) 0 192.168.3.0 255.255.255.0
route public.test.local 0.0.0.0 0.0.0.0 74.x.x.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
management-access management
dhcpd address 192.168.1.2-192.168.1.10 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:xxx
01-07-2007 11:20 AM
Yep.... That is what it was. I just talked with TAC and they also confirmed that. Thank you.