10-22-2014 03:36 AM - edited 03-11-2019 09:58 PM
Hello,
I'm working on a basic configuration of a 5510 ASA.
inside network of 192.168.23.0 /24
outside network 141.0.x.0 /24
config is as follows:
interface Ethernet0/0
nameif OUTSIDE
security-level 0
ip address 141.0.x.0 255.255.255.0
!
interface Ethernet0/1
nameif INSIDE
security-level 50
ip address 192.168.23.1 255.255.255.0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list OUTSIDE_access_in extended permit icmp any any
access-list OUTSIDE_access_in extended permit tcp any interface OUTSIDE eq https
access-list INSIDE_access_in extended permit icmp any any
global (OUTSIDE) 1 interface
nat (INSIDE) 1 192.168.23.0 255.255.255.0
access-group OUTSIDE_access_in in interface OUTSIDE
access-group INSIDE_access_in in interface INSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 141.0.x.57 1
In the lab, when I plug a laptop into the outside interface with address 141.0.x.57, I can ping it from a laptop on the inside interface and I can even access the IIS page. However, when I connect the ISP's firewall to the outside interface with the same address that I used for the testing laptop, I cannot seem to be able to access the outside world.
I can ping from the ASA's outside interface (x.58, to the ISP's x.57), but I cannot ping from the inside 192.168.23.x to it or access anything.
So traffic between the inside and outside interfaces is not going through in the live setup. However, in the lab it works fine.
Any ideas please?
10-22-2014 04:06 AM
And:
The line "access-list OUTSIDE_access_in extended permit tcp any interface OUTSIDE eq https" is probably not needed in your setup as there is no static NAT for an internal server.
10-22-2014 04:32 AM
Hi Karsten,
1. From ASA outside interface I can ping 8.8.8.8
2. From inside interface I cannot ping x.57
However, in the lab, when I have a laptop plugged into the outside interface with the x.57, I can ping it. I've statically assigned the laptop x.57, the correct subnet, and a default GW of the ASA outside interface, .58.
Do I need to set up a static NAT?
This setup is for public internet, where I will have devices on the inside interface pick up a DHCP address of 192.168.23.x and access the internet (ISP's Juniper 1x.0.x.57).
10-22-2014 04:32 AM
That shows that your external setup is fine. But it's strange that you can ping your external PC but not the provider device.
Make sure that you have the icmp-inspection active:
policy-map global_policy
class inspection_default
inspect icmp
Please show the output of the following command:
packet-tracer input INSIDE icmp 192.168.23.10 8 0 144.0.44.47
10-22-2014 05:22 AM
Version of FW:
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.3(1)
Output of Packet-Trace Command is:
SDH-PUBLIC-ASA(config)# packet-tracer input INSIDE icmp 192.168.23.10 8 0 141.$
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 141.0.x.0 255.255.255.0 OUTSIDE
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INSIDE_access_in in interface INSIDE
access-list INSIDE_access_in extended permit icmp any any
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE) 0 192.168.23.0 255.255.255.0
match ip INSIDE 192.168.23.0 255.255.255.0 OUTSIDE any
identity NAT translation, pool 0
translate_hits = 104, untranslate_hits = 0
Additional Information:
Dynamic translate 192.168.23.10/0 to 192.168.23.10/0 using netmask 255.255.255.255
Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (INSIDE) 0 192.168.23.0 255.255.255.0
match ip INSIDE 192.168.23.0 255.255.255.0 OUTSIDE any
identity NAT translation, pool 0
translate_hits = 107, untranslate_hits = 0
Additional Information:
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 141, packet dispatched to next module
Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow
10-22-2014 05:22 AM
Obviously you didn't show us the complete NAT config:
You have to correct your NAT exemption (nat 0).
And you really should upgrade your ASA to at least 8.2(5).
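The point Karsten is making is that the trace ran against a `nat (INSIDE) 0` rule, which on a pre-8.3 ASA means the 192.168.23.0/24 sources are matched but never translated, so they leave toward the ISP with private addresses. The following is an added check, not code from the thread or from Cisco: it reads pre-8.3 `nat`/`global` statements in the form the original post uses and reports a `nat 0` (identity or ACL exemption) rule as well as any `nat` id that has no `global` pool to translate into. The two sample configurations are constructed from the NAT variants quoted in the thread; `CONFIG_ORPHAN_ID` is a hypothetical case added for illustration.

```python
import re

# Constructed samples based on the two NAT configurations that appear in the
# thread: the one the first trace actually ran with (nat 0) and the intended one.
CONFIG_FROM_TRACE = """\
global (OUTSIDE) 1 interface
nat (INSIDE) 0 192.168.23.0 255.255.255.0
"""

CONFIG_INTENDED = """\
global (OUTSIDE) 1 interface
nat (INSIDE) 1 192.168.23.0 255.255.255.0
"""

# Hypothetical (not from the thread): a nat id with no global statement at all.
CONFIG_ORPHAN_ID = """\
nat (INSIDE) 2 192.168.23.0 255.255.255.0
"""

# Pre-8.3 syntax: nat (src-iface) id <net mask | access-list NAME>
#                 global (dst-iface) id <pool | interface>
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (.+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (.+)$")


def lint_nat(config):
    """Pair 'nat (iface) id' rules with their 'global (iface) id' pools.

    Returns a list of human-readable findings; an empty list means every nat
    rule has a pool to translate into and no nat 0 rule is present.
    """
    nats, pools = [], {}
    for raw in config.splitlines():
        line = raw.strip()
        m = NAT_RE.match(line)
        if m:
            nats.append((m.group(1), int(m.group(2)), m.group(3)))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            pools.setdefault(int(m.group(2)), []).append((m.group(1), m.group(3)))

    findings = []
    for iface, nat_id, rest in nats:
        if nat_id == 0:
            # nat 0 with an ACL is NAT exemption; without one it is identity NAT.
            kind = "NAT exemption by ACL" if rest.startswith("access-list") else "identity NAT"
            findings.append(f"nat ({iface}) 0 {rest}: {kind}, source addresses leave untranslated")
        elif nat_id not in pools:
            findings.append(f"nat ({iface}) {nat_id} {rest}: no 'global' statement with id {nat_id}")
    return findings


if __name__ == "__main__":
    for name, cfg in [("trace", CONFIG_FROM_TRACE), ("intended", CONFIG_INTENDED),
                      ("orphan", CONFIG_ORPHAN_ID)]:
        print(name, lint_nat(cfg) or ["ok"])
```

Run against the config the first trace used, it reports the identity NAT on 192.168.23.0; run against the `nat 1` / `global 1` pair from the original post, it reports nothing, which matches the second trace translating into the interface PAT pool.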
10-22-2014 05:32 AM
That was the complete NAT in the OP. Since then I rebooted the FW and it picked up the original config with a different NAT.
I have run the command with the same NAT config now as in the OP.
Apologies for the confusion.
10-22-2014 05:43 AM
Sorry, I've made the following change to NAT:
global (OUTSIDE) 1 interface
nat (INSIDE) 1 192.168.23.0 255.255.255.0
And here is the result of the same packet-trace command:
SDH-PUBLIC-ASA(config)# packet-tracer input INSIDE icmp 192.168.23.10 8 0 141.$
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 141.0.x.0 255.255.255.0 OUTSIDE
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INSIDE_access_in in interface INSIDE
access-list INSIDE_access_in extended permit icmp any any
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE) 1 192.168.23.0 255.255.255.0
match ip INSIDE 192.168.23.0 255.255.255.0 OUTSIDE any
dynamic translation to pool 1 (141.0.x.58 [Interface PAT])
translate_hits = 66, untranslate_hits = 0
Additional Information:
Dynamic translate 192.168.23.10/0 to 192.168.23.10/0 using netmask 255.255.255.255
Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (INSIDE) 1 192.168.23.0 255.255.255.0
match ip INSIDE 192.168.23.0 255.255.255.0 OUTSIDE any
dynamic translation to pool 1 (141.0.x.58 [Interface PAT])
translate_hits = 66, untranslate_hits = 0
Additional Information:
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 286, packet dispatched to next module
Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow
10-22-2014 05:43 AM
The output in Phase 7 still looks very strange. Please upgrade your ASA before testing any further. 8.2(1) was a horrible release.
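What looks strange in Phase 7 is visible in the trace itself: the NAT phase matches `nat (INSIDE) 1` with a dynamic pool of 141.0.x.58 (interface PAT), yet the Additional Information line says 192.168.23.10 is translated to 192.168.23.10, i.e. no translation, and Phase 6 is an INSPECT phase with an empty Config section. The following is an added example, not code from the thread or from Cisco: a small parser that splits packet-tracer output into phases and flags exactly those two conditions, plus the identity NAT match seen in the first trace. The sample trace is constructed from the output quoted above (the thread's own placeholder addresses are kept).

```python
import re

# Constructed sample, modelled on the second packet-tracer output quoted in the
# thread (IP addresses are the thread's own placeholders, not live hosts).
SAMPLE_TRACE = """\
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE) 1 192.168.23.0 255.255.255.0
  match ip INSIDE 192.168.23.0 255.255.255.0 OUTSIDE any
    dynamic translation to pool 1 (141.0.x.58 [Interface PAT])
    translate_hits = 66, untranslate_hits = 0
Additional Information:
Dynamic translate 192.168.23.10/0 to 192.168.23.10/0 using netmask 255.255.255.255
Result:
input-interface: INSIDE
output-interface: OUTSIDE
Action: allow
"""

# "Dynamic translate <src>/<port> to <xlated>/<port> ..."
TRANSLATE_RE = re.compile(r"Dynamic translate (\S+?)/\d+ to (\S+?)/\d+")


def parse_phases(trace):
    """Split packet-tracer output into a list of phase dicts.

    Each dict holds the phase number, Type, Subtype, Result and the raw lines
    of its Config: and Additional Information: sections. Parsing stops at the
    bare 'Result:' line that introduces the final verdict block.
    """
    phases, current, section = [], None, None
    for raw in trace.splitlines():
        line = raw.strip()
        if line.startswith("Phase:"):
            current = {"phase": int(line.split(":", 1)[1]), "type": "",
                       "subtype": "", "result": "", "config": [], "info": []}
            phases.append(current)
            section = None
        elif current is None:
            continue
        elif line == "Result:":          # final verdict block: phases are over
            break
        elif line.startswith("Type:"):
            current["type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Subtype:"):
            current["subtype"] = line.split(":", 1)[1].strip()
        elif line.startswith("Result:"):
            current["result"] = line.split(":", 1)[1].strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section and line:
            current[section].append(line)
    return phases


def find_anomalies(phases):
    """Return (phase_number, message) tuples for the oddities discussed in the thread."""
    findings = []
    for p in phases:
        if p["type"] == "INSPECT" and not p["config"]:
            findings.append((p["phase"], "INSPECT phase with an empty Config section"))
        if p["type"] == "NAT":
            cfg = " ".join(p["config"])
            if "identity NAT" in cfg:
                findings.append((p["phase"], "identity NAT matched: source leaves untranslated"))
            for line in p["info"]:
                m = TRANSLATE_RE.search(line)
                if m and m.group(1) == m.group(2) and "dynamic translation to pool" in cfg:
                    findings.append((p["phase"],
                                     f"PAT pool configured but {m.group(1)} is translated to itself"))
    return findings


def analyse(trace=SAMPLE_TRACE):
    return find_anomalies(parse_phases(trace))


if __name__ == "__main__":
    for phase, msg in analyse():
        print(f"Phase {phase}: {msg}")
```

Feeding it the full trace from the post gives the two findings above; on a healthy interface-PAT trace the translate line would show the source rewritten to the outside address and the NAT check would stay silent.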
10-22-2014 06:22 AM
Hi Karsten,
Many thanks for your help mate.
I've upgraded both the image and ASDM and it's flying.
:)
10-22-2014 04:44 AM
Config looks good.
The problem could be MAC filtering on the provider side.
10-22-2014 05:15 AM
Hi Tagir,
Thought of this and used another laptop to connect straight into the ISP's 44.57, and I was able to access the internet. If it were MAC filtering, then the laptop test should've failed.