We are replacing a PIX 501 with an ASA 5505. We are able to get the L2L VPN up but not the Internet access. When we try to add the NAT (Inside) x statement, the firewall gives a warning message saying the outside command is missing. But if we add the Outside command to the end of the NAT statement, we lose the L2L VPNs but Internet access works. Below is the config:
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
Below are the warning messages:
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
*** Output from config line 94, "nat (inside) 1 0.0.0.0 0...
We have tried 2 different IOS
Cisco Adaptive Security Appliance Software Version 8.0(4) and Version 18.104.22.168
Thanks in advance for the help.
Yes, we have configured this correctly and here is the config. I guess there is no issue with that, as my site-to-site VPNs are working.
ip address 172.x.x.x 255.255.255.0
ip address 195.x.x.x 255.255.255.248
switchport access vlan 2
Your initial config shows:
ip address 195.x.x.x 255.255.255.248
You have 1 IP for the interface
1 IP for the next hop routing device?
You have 4 other IP addresses?
We already have the PIX 501 working with this setup and I am not sure why the ASA is not working with the global (outside) 1 interface.
Here is sh ver
Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(3)
Compiled on Thu 07-Aug-08 20:53 by builders
System image file is "disk0:/asa804-k8.bin"
Config file at boot was "startup-config"
defraasa01 up 2 days 18 hours
Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Int: Internal-Data0/0 : address is 0024.97b1.e40a, irq 11
1: Ext: Ethernet0/0 : address is 0024.97b1.e402, irq 255
2: Ext: Ethernet0/1 : address is 0024.97b1.e403, irq 255
3: Ext: Ethernet0/2 : address is 0024.97b1.e404, irq 255
4: Ext: Ethernet0/3 : address is 0024.97b1.e405, irq 255
5: Ext: Ethernet0/4 : address is 0024.97b1.e406, irq 255
6: Ext: Ethernet0/5 : address is 0024.97b1.e407, irq 255
7: Ext: Ethernet0/6 : address is 0024.97b1.e408, irq 255
8: Ext: Ethernet0/7 : address is 0024.97b1.e409, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 10
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions : 2
This platform has a Base license.
Post the output of a show arp?
You only have a license to 10 inside hosts, and remote IP addresses over a VPN count as an inside host.
How many computers do you have behind the ASA?
I don't have this ASA in production right now as we had this issue. During the testing, we have only 2 hosts in the network. When the licenses run out, translation won't happen?
FYI, our current PIX also has only a 10-host license and all is working.
Do the PIX and ASA work differently in terms of license?
We have ordered a 50-host license for this and will be getting it soon.
Below is the ASA license matrix:-
Are you sure your outside IP addresses don't allow for my suggestion? You have a default gateway pointing to .241, which is the first IP address in the /248 subnet? What IP address are you using for the outside?