08-07-2013 03:12 PM - edited 03-11-2019 07:23 PM
A few months ago I wasn't able to spell Cisco's name and here I am trying to configure an ASA 5520 on a small network I was tasked to put together. I saw this as a great learning opportunity, especially becoming familiar with Cisco's networking philosophy, so I went for it. I'm at a point, though, where I need an expert's eye to give me a lead on the following issue:
Have the physical and virtual machines on VLANs 201, 202 and 203 (inside and DMZ) access the internet.
The guest network router has already been configured with static routes to go from the non-routable 192.168.132.y to a public IP address. The laptop on the guest network (please see network.jpg) has internet access to confirm the aforementioned.
Also, the ASA 5520, with its config as shown on the log attached, can ping the laptop on 192.168.132.32, all 10.0.x.y interfaces (10.0.201.1, 10.0.202.1 and the 10.0.200.1), the outside FW interface (currently at 192.168.132.105) and the guest network router's public ip address. That, and a lot of packet tracing, led me to believe I'm missing something on my ACLs or my config is wrong somewhere I can't see.
Although the CLI is more convenient to me I attached a few screen-shots for clarification purposes.
The files attached carry self-explanatory names; however, if they are missing pieces of info that would expedite your assistance, I'll be glad to follow up.
By the way, can somebody recommend a book (or books) on switching & routing that gradually introduces the concepts (it's more than intuitive that design exercises and hands-on experience are an absolute MUST to gain further knowledge), so a novice in the field can work slowly on building a theoretical foundation as a start?
Appreciate your help.
sk
08-07-2013 08:38 PM
Hi,
So are you saying that you cant reach the Internet from the networks that are located behind the ASA firewall?
With what are you trying to test Internet connectivity?
In case you are trying to test with ICMP try adding these configurations
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
Then try ICMP again.
I would suggest doing the following changes.
Remove all the interface ACLs that are attached in the Outbound direction (out)
no access-group outout out interface outside
no access-group ins_srv_access_out out interface ins_srv
It's usually best to control the traffic entering an interface of the ASA and not the traffic leaving it.
To clarify
This is why using Inbound interface ACL would make the most sense. You very rarely need to apply Outbound ACLs. Most of the time they cause more problems and add complexity to the setup.
With regards to the NAT configurations, you seem to have a basic Dynamic PAT configuration for all the 3 LAN/DMZ networks. The PAT IP address seems to be from the network 192.168.132.0/24 which is directly connected to the Internet router also. This should already mean that there should be no problem with routing between the ASA and the Internet router. I would presume also that the Internet router is doing NAT for the ASAs "outside" interface IP address.
Can you clarify a bit what the situation is at the moment?
Hope this helps
- Jouni
08-09-2013 08:49 AM
Hello Jouni,
First of all I appreciate your prompt resourceful response.
Answers to your Qs follow:
Q>
So are you saying that you cant reach the Internet from the networks that are located behind the ASA firewall?
Answer: That is correct. In other words all machines (phys. & virtual) in 10.0.0.0/16 (covering 10.0.201.0, 10.0.202.0, and 10.0.200.0) can NOT access the internet.
Q>
With what are you trying to test Internet connectivity?
In case you are trying to test with ICMP try adding these configurations
Answer: My attempt to go out was by using ICMP packets (ping), if I'm using the right terms. So, I go to various machines in 10.0.0.0/16 and try to ping beyond the gateway. For example, from the machine with IP 10.0.201.215 I ping 10.0.201.1 successfully BUT when I try to ping 192.168.132.105 (outside interf. on the ASA5520) I get a "request timed out".
Also, from the 10.0.201.215 machine, after changing the ACL rules (see latest copy of ASA5520 config) based upon the advice of your response, I can successfully ping the following in the guest network.
192.168.132.32 (laptop)
192.168.132.1 (gateway)
192.168.132.11 (switch)
From an ssh session on ASA5520 I can successfully ping all the above and more:
10.0.201.1
192.168.132.105 (outside interf. of ASA5520)
192.168.132.1
192.168.132.32
192.168.132.11
and the routable ip address on the outside interf. of the guest network router
Q>
Trying
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
Answer: the above 4 ICMP lines and the ACL rule changes you recommended together, I presume, changed the response from the machines in the 10.0.0.0/16; in other words I can ping IP addresses in the 192.168.132.0/24 from 10.0.201.215 for example, as mentioned up above.
Still can NOT ping the ASA's outside interf. from a machine located in an inside VLAN but according to the following thread
I am not supposed to.
Q>
Remove all the interface ACLs that are attached in the Outbound direction (out)
no access-group outout out interface outside
no access-group ins_srv_access_out out interface ins_srv
Answer:
This comment makes absolute sense.
This is why using Inbound interface ACL would make the most sense. You very rarely need to apply Outbound ACLs. Most of the time they cause more problems and add complexity to the setup.
I should have thought of that.
Q>
With regards to the NAT configurations, you seem to have a basic Dynamic PAT configuration for all the 3 LAN/DMZ networks. The PAT IP address seems to be from the network 192.168.132.0/24 which is directly connected to the Internet router also.
Answer: the above statement is correct
Q>
This should already mean that there should be no problem with routing between the ASA and the Internet router. I would presume also that the Internet router is doing NAT for the ASAs "outside" interface IP address.
Answer: You are correct there's no problem routing between the ASA and the guest network router since I can ping the outside routable IP on the router from an ssh session on the ASA.
Indeed, the Internet router is doing NAT for the ASA's outside interf. IP address.
I'm attaching the latest & greatest ASA5520 config.
Please ask me more Qs that'll clarify the environment and will expedite troubleshooting. Meanwhile, I'm thinking about this day and night and I am reading about Static/Dynamic NAT/PAT, etc. on Cisco's web site continuously to educate myself so I figure out what I'm doing wrong.
Thanks in advance,
Stavros
I cannot attach a doc so I'm copying & pasting the latest (Aug. 9th) ASA's config down below
ASA Version 8.2(1)
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 192.168.132.105 255.255.255.0
!
interface GigabitEthernet0/1
nameif ins_srv
security-level 100
ip address 10.0.201.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif ins_cli
security-level 100
ip address 10.0.202.1 255.255.255.0
!
interface GigabitEthernet0/3
nameif dmz
security-level 50
ip address 10.0.200.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 90
ip address 10.0.203.10 255.255.255.0
management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup ins_srv
dns domain-lookup ins_cli
dns domain-lookup dmz
dns domain-lookup management
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service IBM_TivoliEndPointMngr tcp-udp
description Patch Mngt SW
port-object eq 52311
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service KiwiSyslog
description Solarwinds Kiwi
service-object udp eq syslog
object-group service TeredoPackets udp
description Blocks UDP port 3544 traffic inbound and outbound
port-object eq 3544
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object tcp eq echo
service-object tcp eq www
service-object udp eq www
service-object icmp
service-object icmp6
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_5
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
access-list ins_srv_nat0_outbound extended permit ip 10.0.202.0 255.255.255.0 any
access-list ins_srv_nat0_outbound extended permit ip 10.0.200.0 255.255.255.0 any
access-list outside_nat_outbound extended permit tcp 192.168.132.0 255.255.255.0 eq www 10.0.201.0 255.255.255.0 eq www
access-list ins_cli_access_in extended permit ip 10.0.202.0 255.255.255.0 any
access-list dmz_access_in extended permit ip any any
access-list ins_cli_nat0_outbound extended permit ip 10.0.202.0 255.255.255.0 10.0.201.0 255.255.255.0
access-list ins_srv_access_in extended permit object-group DM_INLINE_PROTOCOL_2 10.0.201.0 255.255.255.0 10.0.202.0 255.255.255.0
access-list ins_srv_access_in extended permit object-group DM_INLINE_PROTOCOL_2 10.0.201.0 255.255.255.0 10.0.200.0 255.255.255.0
access-list ins_srv_access_in extended permit object-group DM_INLINE_PROTOCOL_2 10.0.201.0 255.255.255.0 192.168.132.0 255.255.255.0
access-list dmz extended permit object-group KiwiSyslog host 10.0.200.100 host 10.0.201.215
access-list dmz extended permit object-group TCPUDP host 10.0.200.100 host 10.0.201.215 object-group IBM_TivoliEndPointMngr
access-list dmz extended deny ip 10.0.200.0 255.255.255.0 10.0.201.0 255.255.255.0
access-list dmz extended deny ip 10.0.200.0 255.255.255.0 10.0.202.0 255.255.255.0
access-list dmz extended permit ip 10.0.200.0 255.255.255.0 any
access-list ins_srv_mpc extended permit ip any any
access-list outside_mpc extended permit ip any any
access-list ins_cli_mpc extended permit ip any any
access-list dmz_mpc extended permit ip any any
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 192.168.132.0 255.255.255.0 10.0.201.0 255.255.255.0
access-list ins_srvnat0_outbound extended permit ip 10.0.201.0 255.255.255.0 10.0.201.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging trap debugging
logging asdm informational
logging mail emergencies
logging host ins_srv 10.0.201.215
mtu outside 1500
mtu ins_srv 1500
mtu ins_cli 1500
mtu dmz 1500
mtu management 1500
no failover
icmp unreachable rate-limit 10 burst-size 5
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (ins_srv) 0 access-list ins_srv_nat0_outbound
nat (ins_srv) 1 10.0.201.0 255.255.255.0
nat (ins_cli) 0 access-list ins_cli_nat0_outbound
nat (ins_cli) 1 10.0.202.0 255.255.255.0
nat (dmz) 1 10.0.200.0 255.255.255.0
access-group outside_access_in in interface outside
access-group ins_srv_access_in in interface ins_srv
access-group ins_cli_access_in in interface ins_cli
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 192.168.132.105 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
aaa local authentication attempts max-fail 3
aaa authorization exec authentication-server
filter java 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter activex 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
http server enable
http 0.0.0.0 0.0.0.0 management
http 10.0.201.0 255.255.255.0 ins_srv
no snmp-server location
no snmp-server contact
telnet timeout 5
ssh 10.0.201.0 255.255.255.0 ins_srv
ssh timeout 30
ssh version 2
console timeout 5
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp authentication-key 1 md5 *
ntp authenticate
ntp trusted-key 1
ntp server 64.90.182.55 key 1 source outside
ntp server 96.47.67.105 key 1 source outside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec webvpn
vpn-tunnel-protocol svc webvpn
webvpn
url-list value OtherLinks
svc ask enable default webvpn
class-map ins_cli-class
match access-list ins_cli_mpc
class-map ins_srv-class
match access-list ins_srv_mpc
class-map inspection_default
match default-inspection-traffic
class-map dmz-class
match access-list dmz_mpc
class-map outside-class
match access-list outside_mpc
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect icmp error
class class-default
set connection decrement-ttl
policy-map outside-policy
class outside-class
ips inline fail-open
policy-map dmz-policy
class dmz-class
ips inline fail-open
policy-map ins_cli-policy
class ins_cli-class
ips inline fail-open
policy-map ins_srv-policy
class ins_srv-class
ips inline fail-open
!
service-policy global_policy global
service-policy outside-policy interface outside
service-policy ins_srv-policy interface ins_srv
service-policy ins_cli-policy interface ins_cli
service-policy dmz-policy interface dmz
smtp-server 173.194.76.108
prompt hostname context
08-09-2013 09:19 AM
Hi,
Can you clarify if you are still having problems with ICMP from the LAN/DMZ networks to the Internet?
As you said in the above post already, you are NOT able to ICMP an ASA interface behind another interface.
Only hosts located behind an interface can ICMP that interface and receive a reply. Sending ICMP from a host to an ASA interface IP address that is NOT where the host is located at will always fail.
- Jouni
08-09-2013 11:48 AM
Hello Jouni,
Can you clarify if you are still having problems with ICMP from the LAN/DMZ networks to the Internet?
Answer: I cannot ICMP from the LAN/DMZ networks to the Internet. The way I try to do that is by opening a command prompt on Windows of an internal host (10.0.201.215 in this case) and try to ping the outside IP address of the guest network router or ping yahoo.com for example. The response I get is "Request timed out".
As you said in the above post already, you are NOT able to ICMP an ASA interface behind another interface.
Answer: You're correct. I cannot ping 192.168.132.105 (ASA outside interf. IP address) from a windows prompt of an internal host, such as 10.0.201.215
Only hosts located behind an interface can ICMP that interface and receive a reply. Sending ICMP from a host to an ASA interface IP address that is NOT where the host is located at will always fail.
Answer: That's correct.
I also attached 3 images that show an ASA packet tracer image for IP packets travelling from 10.0.201.215 to 192.168.132.32 (guest network laptop) and back. The forward traffic stops at a NAT rule and the reverse traffic stops at the implicit Deny any any rule of the incoming ACL rules of the ins_srv interface.
However, a packet tracer monitoring TCP packets from the same source (10.0.201.215) to the same destination (192.168.132.32) goes all the way w/o a problem. The reverse traffic of TCP packets also stops at the implicit Deny any any rule of the incoming ACL rules of the ins_srv interface.
I hope I answered your Qs.
Thanks in advance for your time and consultation.
08-09-2013 12:07 PM
Hi,
You have tested with the "packet-tracer" connection from network 192.168.132.0/24 to one of the 10-networks.
This is not possible with the current configuration, as you are doing Dynamic PAT from the LAN/DMZ interfaces to the "outside" interface.
To be able to access the 10-network from the 192.168.132.0/24 network directly you would need NAT0 configuration.
Notice that you CAN'T test return traffic with "packet-tracer". The "packet-tracer" always tests an incoming first packet for some connection. So if no Dynamic PAT translation is active at the moment on the firewall then you won't be able to test any return traffic for a non-existing connection.
I can't see anything wrong with the firewall configuration at the moment.
I guess you can try the "packet-tracer" command from the CLI to simulate outbound Internet connection
packet-tracer input ins_cli tcp 10.0.201.100 12345 8.8.8.8 80
packet-tracer input ins_srv tcp 10.0.202.100 12345 8.8.8.8 80
Use the exact above commands and post the output from CLI
- Jouni
08-09-2013 12:33 PM
Thanks Jouni.
Q>
are you are doing Dynamic PAT from the LAN/DMZ interfaces to the
"outside" interface.
I had switched the ASA config to Static PAT. I have assigned the ASA's outside interface IP to play that role.
Static PAT may not be the best choice here so I'll switch the ASA to Dynamic PAT.
I'm reading on NAT0 to familiarize more.
Here's the ASA's response
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.08.09 15:14:46 =~=~=~=~=~=~=~=~=~=~=~=
PC2ZFW#
PC2ZFW# packet-tracer input ins_cli tcp 10.0.201.100 12345 8.8.8.8 80
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: ins_cli
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
PC2ZFW# packet-tracer input ins_srv tcp 10.0.202.100 12345 8.8.8.8 80
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: ins_srv
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
PC2ZFW# exit
Logoff
08-09-2013 12:44 PM
Hi,
Sorry, I mistyped the IP addresses of the "packet-tracer" commands
packet-tracer input ins_cli tcp 10.0.202.100 12345 8.8.8.8 80
packet-tracer input ins_srv tcp 10.0.201.100 12345 8.8.8.8 80
I had the address spaces wrong
- Jouni
08-09-2013 01:01 PM
No worries Jouni.
The 10.0.201.x can't hit 8.8.8.8 whereas 10.0.202.y can. I am trying to find out why this is happening.
Here you go:
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.08.09 15:53:37 =~=~=~=~=~=~=~=~=~=~=~=
PC2ZFW#
PC2ZFW# packet-tracer input ins_cli tcp 10.0.202.100 12345 8.8.8.8 80
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ins_cli_access_in in interface ins_cli
access-list ins_cli_access_in extended permit ip 10.0.202.0 255.255.255.0 any
Additional Information:
Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection decrement-ttl
service-policy global_policy global
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: FILTER
Subtype: filter-java
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: FILTER
Subtype: filter-activex
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (ins_cli) 1 10.0.202.0 255.255.255.0
nat-control
match ip ins_cli 10.0.202.0 255.255.255.0 outside any
dynamic translation to pool 1 (192.168.132.105 [Interface PAT])
translate_hits = 134750, untranslate_hits = 0
Additional Information:
Dynamic translate 10.0.202.100/12345 to 192.168.132.105/34539 using netmask 255.255.255.255
Phase: 10
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (ins_cli) 1 10.0.202.0 255.255.255.0
nat-control
match ip ins_cli 10.0.202.0 255.255.255.0 outside any
dynamic translation to pool 1 (192.168.132.105 [Interface PAT])
translate_hits = 134750, untranslate_hits = 0
Additional Information:
Phase: 11
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3844340, packet dispatched to next module
Result:
input-interface: ins_cli
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
PC2ZFW#
PC2ZFW# packet-tracer input ins_srv tcp 10.0.201.100 12345 8.8.8.8 80
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: ins_srv
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
PC2ZFW# exit
Logoff
08-09-2013 01:03 PM
Confirming I'm hitting google.com from the 10.202 machine.
08-09-2013 01:06 PM
Hi,
You don't have an ACL on the INS_SRV interface allowing that traffic. To allow all traffic from INS_SRV you would need the following ACL rule
access-list ins_srv_access_in extended permit ip 10.0.201.0 255.255.255.0 any
- Jouni
08-09-2013 01:06 PM
Just added another ACL rule (ins_srv to any) on the incoming rules of ins_srv and I'm hitting Google's 8.8.8.8
08-09-2013 01:08 PM
See how educational your input was,
I just did that and I'm on the web (our responses came in at exactly the same time).
Now, I need to sit down and understand what I did wrong and learn from this mistake so I won't do it again.
Any recommendations for books? Cisco's a great resource but I need to start with a more digestible recommendation.
I really appreciate your input and the valuable help you provide to all of us.
08-09-2013 01:11 PM
Hi,
So is everything working now?
If so, please remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more though.
And if you run into some other problems dont hesitate to post here on the CSC
- Jouni
08-09-2013 01:18 PM
Yes everything is working fine. I'll pick your reply-recommendation that came closer to solve this issue.
Please feel free to leave me some book/web site recommendations for learning to go.
Thanks again.
The network config items I changed to resolve the issue were in a nutshell:
1) Static NAT -> Dynamic NAT
2) Removed all outgoing ACLs
3) Added ACL for internal ins_srv -> any
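As an added example (not part of the original thread, and not a Cisco tool), the following Python script turns the two lessons above into a static check over an ASA 8.2-style config: it lists every access-group applied in the "out" direction, and for every interface that is dynamically PATed to the outside it walks that interface's inbound ACL first-match, the way packet-tracer's ACCESS-LIST phase does, to see whether TCP from the interface subnet to an Internet host (8.8.8.8, as in the packet-tracer commands above) is permitted or falls through to the implicit deny. The sample config is a constructed excerpt of the config posted above; the single `access-group ... out` line in it is reconstructed from the `no access-group ... out` commands suggested earlier and was not in the last posted config. Ports, service object-groups and network object-groups are deliberately not modelled (assumption).

```python
"""Lint an ASA 8.2-style config for the two ACL problems found in this thread:
(1) access-groups applied in the "out" direction, (2) a PATed inside interface whose
inbound ACL never permits its subnet to reach the Internet, so the packet hits the
implicit deny. Check (2) mirrors the ACCESS-LIST phase of packet-tracer. Assumption:
ports, service object-groups and network object-groups are not modelled."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed excerpt of the posted config; the "out" access-group is reconstructed.
SAMPLE_CONFIG = """
interface GigabitEthernet0/1
 nameif ins_srv
 ip address 10.0.201.1 255.255.255.0
interface GigabitEthernet0/2
 nameif ins_cli
 ip address 10.0.202.1 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object tcp
access-list ins_cli_access_in extended permit ip 10.0.202.0 255.255.255.0 any
access-list ins_srv_access_in extended permit object-group DM_INLINE_PROTOCOL_2 10.0.201.0 255.255.255.0 10.0.202.0 255.255.255.0
access-list ins_srv_access_in extended permit object-group DM_INLINE_PROTOCOL_2 10.0.201.0 255.255.255.0 10.0.200.0 255.255.255.0
access-list ins_srv_access_in extended permit object-group DM_INLINE_PROTOCOL_2 10.0.201.0 255.255.255.0 192.168.132.0 255.255.255.0
nat (ins_srv) 1 10.0.201.0 255.255.255.0
nat (ins_cli) 1 10.0.202.0 255.255.255.0
access-group ins_srv_access_in in interface ins_srv
access-group ins_cli_access_in in interface ins_cli
access-group ins_srv_access_out out interface ins_srv
"""
# The rule that resolved the thread.
FIX_LINE = "access-list ins_srv_access_in extended permit ip 10.0.201.0 255.255.255.0 any"


def _addr(tok, i):
    """Parse an ACL address at tok[i] (any | host A | A M); return (network, next index)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_config(text):
    cfg = {"ifaces": {}, "acls": {}, "groups": {}, "acl_in": {}, "acl_out": [], "nat": set()}
    cur_if = cur_grp = None
    for tok in filter(None, map(str.split, text.splitlines())):  # tokenised non-empty lines
        if tok[0] == "interface":
            cur_if, cur_grp = {}, None
        elif tok[0] == "nameif" and cur_if is not None:
            cfg["ifaces"][tok[1]] = cur_if  # same dict receives the address below
        elif tok[:2] == ["ip", "address"] and cur_if is not None:
            cur_if["net"] = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
        elif tok[:2] == ["object-group", "protocol"]:
            cur_grp, cur_if = cfg["groups"].setdefault(tok[2], set()), None
        elif tok[0] == "object-group":  # service/network groups: not modelled
            cur_grp = cur_if = None
        elif tok[0] == "protocol-object" and cur_grp is not None:
            cur_grp.add(tok[1])
        elif tok[0] == "access-list" and len(tok) > 5 and tok[2] == "extended":
            action, i = tok[3], 4
            if tok[i] == "object-group":
                protos, i = cfg["groups"].get(tok[i + 1]), i + 2
                if protos is None:  # service object-group in protocol position: skip rule
                    continue
            else:
                protos, i = {tok[i]}, i + 1
            try:
                src, i = _addr(tok, i)
                dst, i = _addr(tok, i)
            except (IndexError, ValueError):  # source port or network group: skip rule
                continue
            cfg["acls"].setdefault(tok[1], []).append((action, protos, src, dst))
        elif tok[0] == "access-group" and tok[2] == "in":
            cfg["acl_in"][tok[4]] = tok[1]
        elif tok[0] == "access-group":  # "out" direction: flagged by check (1)
            cfg["acl_out"].append((tok[1], tok[4]))
        elif tok[0] == "nat" and tok[2] != "0":  # "nat (IF) <id> ..."; id 0 is NAT exemption
            cfg["nat"].add(tok[1].strip("()"))
    return cfg


def acl_permits(cfg, iface, src_ip, dst_ip, proto):
    """First-match walk of the inbound ACL on iface. No ACL means the ASA default:
    allowed when headed to a lower-security interface, which outside (level 0) is."""
    name = cfg["acl_in"].get(iface)
    if name is None:
        return True
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, protos, s, d in cfg["acls"].get(name, []):
        if src in s and dst in d and (proto in protos or "ip" in protos):
            return action == "permit"
    return False  # implicit deny at the end of every ACL


def audit(text, probe_dst="8.8.8.8"):
    """Outbound access-groups, plus per PATed interface whether TCP from host .100 of
    its subnet to probe_dst clears the inbound ACL (what packet-tracer phase 3 decides)."""
    cfg = parse_config(text)
    egress = {}
    for iface in sorted(cfg["nat"]):
        net = cfg["ifaces"][iface]["net"]
        egress[iface] = acl_permits(cfg, iface, str(net[100]), probe_dst, "tcp")
    return {"outbound_acls": cfg["acl_out"], "egress": egress}
```

Run against the excerpt as posted, `audit` reports `ins_cli` as permitted and `ins_srv` as dropped, which is exactly what the two packet-tracer runs above showed, and it lists the `ins_srv_access_out` outbound access-group as something to remove. Appending `FIX_LINE` flips `ins_srv` to permitted. The check is intentionally narrower than the ASA itself (no NAT0 evaluation, no ports), so a "permitted" result here means only that the ACL is not the thing blocking the flow.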