I'm using an ASA5510 ver 8.0(3), still having trouble with the routing. Sorry to keep reposting on the same topic, I thought I had it resolved...
From the PC (GW pointing to the ASA) I'm able to ping all network devices and servers with the nonat ACL setup. I just can't do anything other than ping. RDP, telnet, ssh, smtp, any port I try to use on an alternate subnet fails.
Even when I try the packet-tracer command from the ASA it allows the flow.
I don't understand why it takes 14 phases in packet tracer (4 of them being nat) when there's no natting involved.
Things that work:
-Nat from Inside host to outside (internet)
-ping from ASA to any internal subnet on inside interface (learned from EIGRP)
-have this command enabled: same-security-traffic permit intra-interface
-other subnets are reachable via inside interface
-nat (inside) 0 access-list nonat ~setup
-icmp is allowed through the firewall
What I'm trying to accomplish is, I want to be able to access all internal subnets from the ASA (besides ping).
I've attached the config and packet trace; if anyone could help, much appreciated.
I was going through your issue. I really don't get your setup. I can see from the config that you have an internal network 10.0.0.0/16 and an external IP x.x.x.x (public IP?)
I can also see a lot of nonat statements pointing to different subnets in the 10.x segment. Where are these connected? How is your LAN set up? Does the PC connect to a layer 2 switch, and the gateway directly to the ASA? How are the 10.1.x.x and 10.2.x.x segments connected? Through outside?
I've attached a PDF I made in visio, to better explain my setup.
10.0.0.0/16 is internal network.
x.x.x.x is public IP address.
10.1.101.0, 10.1.x.x, 10.2.x.x, etc. are all internal subnets to the ASA. The ASA learns of all the 10.x.x.x LAN segments from an internal router through EIGRP. The PC connects directly to an L2 switch, and the PC GW is set directly to the ASA.
What I'm trying to do is get the PC (on 10.0.0.0/16) to be able to access other internal subnets learned by the ASA (through EIGRP) such as 10.1.101.0.
Currently, with nonat, I'm able to ping devices off the PC subnet (10.0.0.0/16), so PC 10.0.0.20 can ping 10.1.101.20, but cannot do anything else.
When I take the nonat statement out I can't ping from 10.0.0.20 to 10.1.101.20.
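In the topology described above (PC gateway = ASA, the other 10.x subnets reached through the internal router that sits on the same inside segment), the reply path from 10.1.101.20 can come back through that router straight onto the LAN without passing the ASA. The Python model below is an added illustration, not part of this thread and not ASA code; it assumes a simplified stateful connection table and shows why such an asymmetric path leaves ping working while a TCP handshake is dropped.

```python
# Simplified stateful-firewall model (an assumption of this illustration, not ASA code).
from typing import Dict, List, Tuple

Key = Tuple[str, str, str, int]  # (proto, src, dst, server port)


class StatefulFirewall:
    """A TCP flow must show SYN, SYN-ACK and ACK through the firewall
    before later segments are permitted; ICMP echo has no handshake."""

    def __init__(self) -> None:
        self.conns: Dict[Key, str] = {}

    def process(self, pkt: dict) -> str:
        proto, src, dst, port = pkt["proto"], pkt["src"], pkt["dst"], pkt["port"]
        flags = pkt.get("flags", "")
        fwd: Key = (proto, src, dst, port)   # client -> server direction
        rev: Key = (proto, dst, src, port)   # the entry a reply would match
        if proto == "icmp":
            return "permit"  # each echo request stands alone; a bypassed reply breaks nothing
        if flags == "SYN":
            self.conns[fwd] = "SYN_SENT"
            return "permit"
        if flags == "SYN-ACK" and self.conns.get(rev) == "SYN_SENT":
            self.conns[rev] = "SYN_RECV"
            return "permit"
        if flags == "ACK" and self.conns.get(fwd) == "SYN_RECV":
            self.conns[fwd] = "ESTABLISHED"
            return "permit"
        if self.conns.get(fwd) == "ESTABLISHED" or self.conns.get(rev) == "ESTABLISHED":
            return "permit"
        return "drop"  # out-of-state segment, e.g. ACK for a SYN-ACK the firewall never saw


def run(reply_path_via_firewall: bool) -> List[str]:
    """Replay PC 10.0.0.20 -> 10.1.101.20 (constructed packets, RDP port 3389).
    When the reply path bypasses the firewall, the SYN-ACK is delivered to the
    PC by the router directly and the firewall only ever sees SYN then ACK."""
    fw = StatefulFirewall()
    pc, srv = "10.0.0.20", "10.1.101.20"
    syn = {"proto": "tcp", "src": pc, "dst": srv, "port": 3389, "flags": "SYN"}
    synack = {"proto": "tcp", "src": srv, "dst": pc, "port": 3389, "flags": "SYN-ACK"}
    ack = {"proto": "tcp", "src": pc, "dst": srv, "port": 3389, "flags": "ACK"}
    verdicts = [fw.process(syn)]
    if reply_path_via_firewall:
        verdicts.append(fw.process(synack))
    verdicts.append(fw.process(ack))
    return verdicts
```

With a symmetric path the verdicts are permit, permit, permit; with the bypassed reply path they are permit, drop. A single-packet trace only simulates the SYN, which is why it reports the flow as allowed.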
I don't understand why the PC's default GW is pointing towards routerA instead of the PIX. Is this not possible? There's no reason explaining why the PC's default GW is pointing towards the router instead of the PIX.