New Member

ASA 5510 traffic from inside to outside

Hello,

I'm working on a basic configuration of a 5510 ASA.

inside network of 192.168.23.0 /24
outside network 141.0.x.0 /24

config is as follows:

interface Ethernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 141.0.x.0 255.255.255.0
!
interface Ethernet0/1
 nameif INSIDE
 security-level 50
 ip address 192.168.23.1 255.255.255.0

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list OUTSIDE_access_in extended permit icmp any any
access-list OUTSIDE_access_in extended permit tcp any interface OUTSIDE eq https
access-list INSIDE_access_in extended permit icmp any any

global (OUTSIDE) 1 interface
nat (INSIDE) 1 192.168.23.0 255.255.255.0
access-group OUTSIDE_access_in in interface OUTSIDE
access-group INSIDE_access_in in interface INSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 141.0.x.57 1

In the lab, when I plug a laptop into the outside interface with address 141.0.x.57, I can ping it from a laptop on the inside interface and I can even access the IIS page. However, when I connect the ISP's firewall to the outside interface with the same address that I used for the testing laptop, I cannot seem to access the outside world.

I can ping from the ASA's outside interface (x.58, to the ISP's x.57), but I cannot ping from the inside 192.168.23.x to it or access anything.

So traffic between inside and outside interface is not going through when in live setup. However, when in the lab it works fine.

Any ideas please?

 

VIP Purple

  1. Can you ping from the ASA to an internet-IP like 8.8.8.8?
  2. Can you ping the IP .44.57 from an inside system?

And:

The line "access-list OUTSIDE_access_in extended permit tcp any interface OUTSIDE eq https" is probably not needed in your setup as there is no static NAT for an internal server.


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
New Member

Hi Karsten,

1. From ASA outside interface I can ping 8.8.8.8

2. From inside interface I cannot ping x.57

However, in the lab, when I have a laptop plugged into the outside interface with the x.57 address, I can ping it. I've statically assigned the laptop x.57, the correct subnet, and a default GW of the ASA outside interface, .58.

Do I need to setup a static NAT?

This setup is for public internet where I will have devices on the inside interface pick up a dhcp address of 192.168.23.x accessing the internet (ISP's Juniper 1x.0.x.57)

VIP Purple

That shows that your external setup is fine. But it's strange that you can ping your external PC but not the provider-device.

Make sure that you have the icmp-inspection active:

policy-map global_policy
  class inspection_default
   inspect icmp

Please show the output of the following command:

packet-tracer input INSIDE icmp 192.168.23.10 8 0 144.0.44.47

 


New Member

Version of FW:

Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.3(1)

Output of Packet-Trace Command is:

SDH-PUBLIC-ASA(config)# packet-tracer input INSIDE icmp 192.168.23.10 8 0 141.$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   141.0.x.0      255.255.255.0   OUTSIDE
              
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INSIDE_access_in in interface INSIDE
access-list INSIDE_access_in extended permit icmp any any
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE) 0 192.168.23.0 255.255.255.0
  match ip INSIDE 192.168.23.0 255.255.255.0 OUTSIDE any
    identity NAT translation, pool 0
    translate_hits = 104, untranslate_hits = 0
Additional Information:
Dynamic translate 192.168.23.10/0 to 192.168.23.10/0 using netmask 255.255.255.255
              
Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (INSIDE) 0 192.168.23.0 255.255.255.0
  match ip INSIDE 192.168.23.0 255.255.255.0 OUTSIDE any
    identity NAT translation, pool 0
    translate_hits = 107, untranslate_hits = 0
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 141, packet dispatched to next module

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow

VIP Purple

obviously you didn't show us the complete NAT-config:

Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE) 0 192.168.23.0 255.255.255.0
  match ip INSIDE 192.168.23.0 255.255.255.0 OUTSIDE any
    identity NAT translation, pool 0
    translate_hits = 104, untranslate_hits = 0
Additional Information:
Dynamic translate 192.168.23.10/0 to 192.168.23.10/0 using netmask 255.255.255.255

 

You have to correct your NAT exemption (nat 0).

And you really should upgrade your ASA to at least 8.2(5).


New Member

That was the complete NAT in the OP. Since then I rebooted the FW and it picked up the original config with a different NAT.

I have run the command with the same NAT config now on the OP.

Apologies for the confusion.

New Member

Sorry, I've made the following change to NAT:

global (OUTSIDE) 1 interface
nat (INSIDE) 1 192.168.23.0 255.255.255.0

And here is the result of the same packet-trace command:

SDH-PUBLIC-ASA(config)# packet-tracer input INSIDE icmp 192.168.23.10 8 0 141.$

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   141.0.x.0      255.255.255.0   OUTSIDE

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INSIDE_access_in in interface INSIDE
access-list INSIDE_access_in extended permit icmp any any
Additional Information:
              
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE) 1 192.168.23.0 255.255.255.0
  match ip INSIDE 192.168.23.0 255.255.255.0 OUTSIDE any
    dynamic translation to pool 1 (141.0.x.58 [Interface PAT])
    translate_hits = 66, untranslate_hits = 0
Additional Information:
Dynamic translate 192.168.23.10/0 to 192.168.23.10/0 using netmask 255.255.255.255

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (INSIDE) 1 192.168.23.0 255.255.255.0
  match ip INSIDE 192.168.23.0 255.255.255.0 OUTSIDE any
    dynamic translation to pool 1 (141.0.x.58 [Interface PAT])
    translate_hits = 66, untranslate_hits = 0
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 286, packet dispatched to next module

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow

 

VIP Purple (accepted solution)

The output in Phase7 still looks very strange. Please upgrade your ASA before testing any further. 8.2(1) was a horrible release.


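The two diagnoses in this thread (the nat 0 identity NAT in the first packet-tracer run, and the "strange" Phase 7 in the second, where an Interface PAT pool is selected yet the translate line shows the source unchanged) can be checked mechanically. The following is an added example, not code from the thread or from Cisco; the packet-tracer excerpts are constructed from the runs above and the public address is a documentation-range placeholder.

```python
import re
from ipaddress import ip_address

# Constructed samples: the NAT phase of each packet-tracer run in this thread,
# trimmed to the lines the audit needs. 203.0.113.58 stands in for the real address.
IDENTITY_NAT = """\
Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE) 0 192.168.23.0 255.255.255.0
  match ip INSIDE 192.168.23.0 255.255.255.0 OUTSIDE any
    identity NAT translation, pool 0
Additional Information:
Dynamic translate 192.168.23.10/0 to 192.168.23.10/0 using netmask 255.255.255.255
"""
INTERFACE_PAT = """\
Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE) 1 192.168.23.0 255.255.255.0
  match ip INSIDE 192.168.23.0 255.255.255.0 OUTSIDE any
    dynamic translation to pool 1 (203.0.113.58 [Interface PAT])
Additional Information:
Dynamic translate 192.168.23.10/0 to 192.168.23.10/0 using netmask 255.255.255.255
"""

def parse_phases(text):
    """Split packet-tracer output into {phase, type, body} records."""
    phases = []
    for chunk in re.split(r"^Phase:\s*", text, flags=re.M)[1:]:
        num, _, body = chunk.partition("\n")
        typ = re.search(r"^Type:\s*(\S+)", body, re.M)
        phases.append({"phase": int(num), "type": typ.group(1) if typ else "", "body": body})
    return phases

def audit_nat(text):
    """Return (phase, finding) tuples for NAT phases whose result cannot reach the Internet."""
    findings = []
    for p in parse_phases(text):
        if p["type"] != "NAT" or "host-limits" in p["body"]:
            continue  # host-limits repeats the same rule; audit the translation phase only
        xlate = re.search(r"Dynamic translate (\S+)/\d+ to (\S+)/\d+", p["body"])
        src, dst = (xlate.group(1), xlate.group(2)) if xlate else (None, None)
        if "identity NAT translation" in p["body"] and src and ip_address(src).is_private:
            findings.append((p["phase"], "identity NAT (nat 0) leaves an RFC 1918 source untranslated toward OUTSIDE"))
        elif "dynamic translation to pool" in p["body"] and src == dst:
            findings.append((p["phase"], "PAT pool selected but no address change shown: inconsistent output, suspect the ASA software"))
    return findings
```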
New Member

Hi Karsten,

 

Many thanks for your help mate.

 

I've upgraded both the image and ASDM and it's flying.

:)
 

The config looks good.

The problem could be something like MAC filtering from the provider side.

VIP Purple

> problem can be like mac filtering from provider side

That seems very unlikely to me. With this NAT-config, the pings from internal PC and the ASA should look completely the same on L2/L3 for the provider-router.
 
If the ASA is not running the latest 8.2 code, an update should also be done. There have been far too many strange bugs in the ASA.

New Member

Hi Tagir,

 

I thought of this and used another laptop to connect straight into the ISP's 44.57, and was able to access the internet. If it was MAC filtering, then the laptop test should have failed.
