Reposting in a new thread since the old one seems to have died...
I'm migrating from a PIX 515 to an ASA 5520. The config was created using the PIX to ASA migration tool. The ASDM Packet Tracer shows outbound traffic failing due to NAT.
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any outside any
dynamic translation to pool 1 (188.8.131.52)
translate_hits = 971, untranslate_hits = 74
The old PIX config:
global (outside) 1 184.108.40.206
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
The new ASA config:
global (outside) 1 220.127.116.11 netmask 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
Any thoughts on why it might be failing?
Try taking the netmask off of the global config. If your outside address is the one that you want to nat to, you can just put interface:
global (outside) 1 interface
nat (inside) 1 0 0
In your screenshot it says that "flow is denied by configured rule." Do you have any acls on the inside interface?
No - no ACL on the inside interface, just the 2 implicit rules that are there by default - permit all traffic to a less secure interface (in this case inside is 100 by default and outside is 0 so all traffic should pass) and the implicit deny any any.
Not familiar with ASDM but -
1) Can you try to access Internet from internal client
2) If you have tried this, what is the result?
3) Do you have the correct routing setup?
Perhaps you could post the config with a description of the IP addresses, i.e. src/destination etc.
1) No internet access, page cannot be displayed. Can't ping from a client either.
3) Yes. All physical and logical connections are the same. I've even spoofed the MAC addresses of the PIX on the ASA interfaces.
When monitoring the ASA, there's plenty of traffic coming IN, so the ACL I have on that interface seems to be working. However there is absolutely zero traffic going out the outside interface.
I'm about ready to ship this thing back to Cisco.
Posting a config.
I just want to know where the default route is. (Go fix it)
"I'm about ready to ship this thing back to Cisco." Guys, don't give up. (grin)
You don't have a default route so the ASA doesn't know where to send packets. So you need to add
route outside 0.0.0.0 0.0.0.0 <next-hop IP>
where next-hop IP is the ISP router address. It will be out of the 18.104.22.168/24 subnet.
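The two things the replies above check by hand (that every nat id has a matching global pool, and that a default route exists so the ASA knows where to send translated packets) can be checked mechanically against a config dump. The following is an added example written for this thread, not code from any poster or from Cisco; the config fragment it scans is constructed for illustration, and the parser only understands the PIX/ASA 7.x-8.2 style global/nat/route syntax shown in this thread.

```python
import re

# Constructed sample config fragment (not the poster's real config): a dynamic
# NAT rule paired with a global pool, but with the default route left out, which
# is exactly the state the reply above diagnoses.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
global (outside) 1 203.0.113.10 netmask 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
route inside 172.16.128.0 255.255.252.0 172.16.130.1 1
"""

NAMEIF_RE = re.compile(r"^\s*nameif (\S+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")
# Accepts both "route outside ..." (real syntax) and "route (outside) ..." as
# typed in the thread; "0 0" is the PIX shorthand for 0.0.0.0 0.0.0.0.
ROUTE_RE = re.compile(r"^route \(?(\w+)\)? (\S+) (\S+) (\S+)")


def parse_config(text):
    """Collect the interface names, global pools, nat rules and routes."""
    cfg = {"interfaces": set(), "globals": [], "nats": [], "routes": []}
    for line in text.splitlines():
        if m := NAMEIF_RE.match(line):
            cfg["interfaces"].add(m.group(1))
        elif m := GLOBAL_RE.match(line):
            cfg["globals"].append({"iface": m.group(1), "id": int(m.group(2)),
                                   "target": m.group(3)})
        elif m := NAT_RE.match(line):
            cfg["nats"].append({"iface": m.group(1), "id": int(m.group(2)),
                                "net": m.group(3), "mask": m.group(4)})
        elif m := ROUTE_RE.match(line):
            cfg["routes"].append({"iface": m.group(1), "net": m.group(2),
                                  "mask": m.group(3), "gw": m.group(4)})
    return cfg


def is_default_route(route):
    """True for 0.0.0.0 0.0.0.0 (or the "0 0" shorthand)."""
    return route["net"] in ("0.0.0.0", "0") and route["mask"] in ("0.0.0.0", "0")


def check_egress(text):
    """Return a list of findings that would stop inside-to-outside traffic."""
    cfg = parse_config(text)
    findings = []
    global_ids = {g["id"] for g in cfg["globals"]}
    for nat in cfg["nats"]:
        if nat["iface"] not in cfg["interfaces"]:
            findings.append(f"nat id {nat['id']} references unknown interface {nat['iface']}")
        # nat 0 is identity/exempt NAT and needs no global pool; every other id does.
        if nat["id"] != 0 and nat["id"] not in global_ids:
            findings.append(f"nat id {nat['id']} on {nat['iface']} has no matching global pool")
    for g in cfg["globals"]:
        if g["iface"] not in cfg["interfaces"]:
            findings.append(f"global id {g['id']} references unknown interface {g['iface']}")
    if not any(is_default_route(r) for r in cfg["routes"]):
        findings.append("no default route (expected: route <iface> 0.0.0.0 0.0.0.0 <next-hop IP>)")
    return findings


if __name__ == "__main__":
    for finding in check_egress(SAMPLE_CONFIG) or ["no egress problems found"]:
        print(finding)
```

Run it against a pasted "show running-config" and it reports the missing default route on the constructed sample; append a line such as "route outside 0.0.0.0 0.0.0.0 203.0.113.1 1" (a constructed next hop) and the findings list comes back empty. It deliberately does not judge the "netmask 255.255.255.255" on the global line, which is legal syntax; the earlier suggestion to drop it or use "global (outside) 1 interface" is a simplification, not a correctness fix.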
Sorry in my haste (and frustration) I posted an incomplete config. The default route (and some other static routes) are there. I'm uploading the correct output.
I'm actually getting a "Network Timeout" when trying to browse from a client machine. Traffic looks like it's leaving but maybe not coming back?
With the PIX in place I can ping that default route - 22.214.171.124 - however with the ASA in place I cannot - although I suspect that might just be ICMP traffic being denied.
No problem. Can you specify the source IP address you are pinging from and the destination IP address you are pinging to?
I was pinging from 172.16.130.67 to 126.96.36.199 (the default route).
Also tried pinging google - 188.8.131.52 - same source IP.
Ever see Office Space? This ASA is looking more and more like the fax machine from that movie... :)
"Ever see Office Space? This ASA is looking more and more like the fax machine from that movie... :)"
Is that a movie? Never seen it, but don't despair.
172.16.130.67 is part of the management vlan. What happens if you ping from an internal IP address that is not part of the management vlan? Is this possible?
Yes it's a movie and I recommend it. :)
Now some good news - I can surf from our remote sites on other subnets. Jon thank you for suggesting that. Some progress!
What do I need to change to allow 172.16.128.0/22 ?
"What do I need to change to allow 172.16.128.0/22 ?"
Not sure, to be honest. Is there a reason why you want the management vlan to be able to access the Internet, as the management vlan is primarily for managing the ASA device, not providing access?
Office Space - okay, if I can find it I'll have a look, but it had better be good :-)
It's not actually the management vlan; it's the subnet of our main office where the device is housed. I was using that to remotely configure the device.
Ultimately I need to change the ip/subnet/vlan of the management interface.
I suspect the issues you are experiencing are to do with the fact you are using the management interface.
It's times like these I wish I had an ASA device to play with :-)
Well, I removed all references to that management interface - shut it right down and unplugged it.
I remain able to surf at our remote sites, but not here at the central office.