asa 5510 behind cisco 2811 router

Antonio Brandao
Level 1

Hello all,

I have the following structure:

lan - asa - router - internet.

And I would like to give internet access to machines inside my network.

With the current config, from inside I can ping the inside interface on the Cisco router, and it stops there.

Below are my configs showing what I'm doing.

Router

===================================================

interface FastEthernet0/0
description Outside
no ip address
no ip redirects
no ip proxy-arp
duplex auto
speed auto
no snmp ifindex persist
service-policy output AutoQoS-Policy-Trust
!
interface FastEthernet0/0.1
description Internet_Interface
encapsulation dot1Q 1 native
ip address 10.10.178.20 255.255.255.0
ip virtual-reassembly
!

interface FastEthernet0/1.501
description internet_inside_vlan
encapsulation dot1Q 501
ip address 10.1.1.1 255.255.255.252
!
interface FastEthernet0/1.502
description dmz_inside_vlan
encapsulation dot1Q 502
ip address 10.1.2.1 255.255.255.252
!

ip route 0.0.0.0 0.0.0.0 10.10.178.20 (outside ip)

ip nat source static 10.1.1.2 10.10.178.20

ASA

==========================================

!
interface Ethernet0/0
no nameif
no security-level
no ip address
!
interface Ethernet0/0.501
description outside_internet
vlan 501
nameif outside_1
security-level 0
ip address 10.1.1.2 255.255.255.0
!
interface Ethernet0/0.502
description outside_dmz
vlan 502    
nameif outside_2
security-level 0
ip address 10.1.2.2 255.255.255.0
!
interface Ethernet0/1
no nameif
no security-level
no ip address
!
interface Ethernet0/1.10
description users_lan
vlan 10
nameif inside_1
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/1.20
description serv_farm
vlan 20
nameif inside_2
security-level 100
ip address 192.168.20.1 255.255.255.0
!
interface Ethernet0/1.40
description telephony
vlan 40
nameif inside_3
security-level 100
ip address 192.168.40.1 255.255.255.0
!
interface Ethernet0/1.50
description guest_lan
vlan 50
nameif inside_4
security-level 100
ip address 192.168.50.1 255.255.255.0
!
interface Ethernet0/2
description dmz
shutdown
nameif dmz
security-level 50
ip address 192.168.30.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 0
ip address 192.168.60.20 255.255.255.0
management-only
!

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

access-list outside_1_in extended permit tcp any host 10.1.1.1 log
access-list permit_all extended permit tcp any any log
access-list permit_all extended permit icmp any any log
access-list permit_all extended permit udp any any log

global (outside_1) 1 interface

nat (inside_1) 1 192.168.10.0 255.255.255.0
nat (inside_1) 1 192.168.20.0 255.255.255.0
nat (inside_1) 1 192.168.30.0 255.255.255.0
nat (inside_1) 1 192.168.40.0 255.255.255.0
nat (inside_1) 1 192.168.50.0 255.255.255.0

static (inside_1,inside_2) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (inside_2,inside_1) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (dmz,outside_2) interface 192.168.30.5 netmask 255.255.255.255

access-group permit_all in interface outside_1
access-group permit_all out interface inside_1
access-group permit_all out interface inside_2
access-group permit_all in interface management

route outside_1 0.0.0.0 0.0.0.0 10.1.1.1 1

1 Reply

Nagaraja Thanthry
Cisco Employee

Hello,

You are missing a couple of NAT configurations on the router.

interface FastEthernet0/0.1
description Internet_Interface
encapsulation dot1Q 1 native
ip address 10.10.178.20 255.255.255.0
ip nat outside   <- Missing
ip virtual-reassembly
!

interface FastEthernet0/1.501
description internet_inside_vlan
encapsulation dot1Q 501
ip nat inside   <- Missing
ip address 10.1.1.1 255.255.255.252

Hope this helps.

Regards,

NT
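An offline check for the gap the reply points out, as an added example that is not part of either post or any Cisco tooling: it reads an IOS config and reports when NAT rules exist but no interface carries the `ip nat inside` / `ip nat outside` markers named in the reply. The function names are hypothetical, and the sample is the router excerpt from the question re-indented, with a second copy constructed by adding the reply's two lines.

```python
import re

# Router excerpt from the question, re-indented the way `show running-config` prints it.
ROUTER_CONFIG = """\
interface FastEthernet0/0.1
 description Internet_Interface
 encapsulation dot1Q 1 native
 ip address 10.10.178.20 255.255.255.0
 ip virtual-reassembly
!
interface FastEthernet0/1.501
 description internet_inside_vlan
 encapsulation dot1Q 501
 ip address 10.1.1.1 255.255.255.252
!
ip nat source static 10.1.1.2 10.10.178.20
"""

# Constructed here: the same excerpt with the two lines from the reply added.
FIXED_CONFIG = (ROUTER_CONFIG
                .replace(" ip virtual-reassembly", " ip nat outside\n ip virtual-reassembly")
                .replace(" encapsulation dot1Q 501", " encapsulation dot1Q 501\n ip nat inside"))

NAT_RULE = re.compile(r"ip nat (inside |outside )?source ")  # global translation rule
NAT_ROLE = re.compile(r"ip nat (inside|outside)$")           # per-interface marker

def nat_roles(config):
    """Return {interface name: 'inside' | 'outside'} for interfaces with a NAT marker."""
    roles, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
        elif raw and not raw[0].isspace():
            current = None  # "!" or a global command ends the interface stanza
        elif current:
            match = NAT_ROLE.match(raw.strip())
            if match:
                roles[current] = match.group(1)
    return roles

def missing_nat_roles(config):
    """Return the roles no interface carries, but only if the config has NAT rules."""
    if not any(NAT_RULE.match(line) for line in config.splitlines()):
        return []
    return sorted({"inside", "outside"} - set(nat_roles(config).values()))

if __name__ == "__main__":
    for label, cfg in (("as posted", ROUTER_CONFIG), ("reply applied", FIXED_CONFIG)):
        print(label, "-> missing:", missing_nat_roles(cfg) or "none", "| roles:", nat_roles(cfg))
```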
