This is my first setup of a Cisco ASA box.
I'm having a lot of problems with use of static route
If I make a PING from the ASA box, I get a replay.
But if the ping comes from a computer, I keep getting: Deny inbound icmp src inside:XXX des inside:YYY (Type 8, code 0)
I have tried to make a NAT rule for this, but I cannot make a role src inside, drs inside
Can any one help me whit this?
I think I misunderstood, what are you trying to ping from the inside computer? Another computer on the inside on a different network, or the ASA itself? Looks like you are trying to ping from machine on inside to another machine inside. This traffic is being routed to inside of ASA and it is denying it as by default it will not allow traffic to go in and out of same interface. You will need to add the "same-security-traffic permit intra-interface" command to allow that to happen.
Thanks a lot.
Now I dont get the deny inbound error.
But I get a: Portmap translation creation failed for icmp src inside:xxx dst inside: xxx (type 8, code 0)
Do I need NAT for that?
What error are you getting now? No translation group found...? Add the following...
So to review you should have...
same-security-traffic permit intra-interface
global (inside) 1 interface
You could also do this for the whole network instead of just
?same-security-traffic permit intra-interface? - Worked, but gave a new error.
(portmap translation creation faild for icmp src inside:XXX dst inside:YYY (type 8, code 0))
?global (inside) 1 interface? - Didn?t help on the new error
But none of this works, and I still have the portmap problem?.
My Cisco ASA 5510 box is going to be a new HQ firewall/VPN ? (HQN)
On the old HQ box (Cisco VPN3000), all of the VPN lines for the EU network is connected. ? (HQO)
At HQN there is a old Cisco Router whit a connection to HQO.
I?m going to move all of the VPN lines one-by-one, but keep the hole network up at the same time.
Before a start moving client computers and servers to the new HQN box (ASA), I want to be able to route traffic from ASA to the VPN3000 at HQN
A copy of my conf, see the Attachment
At The new HQ:
My problem is that fowling doesn?t work:
route LAN 126.96.36.199 255.255.255.0 192.168.163.30 1
route LAN 172.16.3.0 255.255.255.0 192.168.163.30 1
route LAN 10.3.26.0 255.255.255.0 192.168.163.30 1
route LAN 10.2.0.0 255.255.255.0 192.168.163.30 1
route LAN 10.0.5.0 255.255.255.0 192.168.163.30 1
route LAN 10.0.4.0 255.255.252.0 192.168.163.30 1
route LAN 192.168.168.0 255.255.255.0 192.168.163.30 1
I hope you understand me, because my English is not the best.
The error message is gone now, but I don?t get any replay back.
I know the server I?m pinging is there, because when I?m using the 192.168.163.30 as GW, there is no problem.
srue, he is trying to hairpin inside, not pat to the outside.
Mind if we try something else?
no global (LAN) 200 interface
access-list LAN_nat0_outbound extended permit ip any 192.168.168.0 255.255.255.0
Then try to ping something on 192.168.168.0.
Sorry, no connection.
The log says:
6|May 22 2007 16:40:41|302021: Teardown ICMP connection for faddr 192.168.163.11/512 gaddr 192.168.168.12/0 laddr 192.168.168.12/0
On a computer, on the 192.168.168.x network I can ping 192.168.163.1
Yes, you can ping from 192.168.168 to 192.168.163 because it is not being routed through the ASA. Maybe the problem is the return traffic from 192.168.168.12 must be routed back to inside of ASA. As it stands now, the return traffic from the ping would not, it would be routed directly from 192.168.163.30 to 192.168.163.11. Maybe try to add a static route on 163.30 like this.
ip route 192.168.163.11 255.255.255.255 192.168.163.1
This would force the return traffic to inside of ASA.
Another way to force traffic to the ASA would be to nat the traffic 192.168.163.x to 192.168.168.x like this.
access-list nat_to_168 extended permit ip 192.168.163.0 255.255.255.0 192.168.168.0 255.255.255.0
global (inside) 20 interface
nat (inside) 20 access-list nat_to_168