04-06-2009 12:41 AM - edited 03-11-2019 08:15 AM
Hi,
We are replacing a PIX 501 with an ASA 5505. We are able to get the L2L VPN up but not the Internet access. When we try to add the nat (inside) x statement, the firewall gives a warning message saying the outside command is missing. But if we add the outside keyword to the end of the NAT statement we lose the L2L VPNs, although Internet access works. Below is the config:
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
Below are the warning messages:
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
*** Output from config line 94, "nat (inside) 1 0.0.0.0 0...
We have tried 2 different IOS versions:
!
Cisco Adaptive Security Appliance Software Version 8.0(4) and Version 7.2.4.9
Thanks in advance for the help.
04-06-2009 03:47 AM
Unless you made an error when you pasted the config into this forum, you need to set your security-level for the outside interface to 0 and the inside security-level to 100. Your above message showed outside at 100 and inside at 0.
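As an added example (not code from this thread or from Cisco), a small Python check that reproduces the reasoning behind the ASA warning: it reads the nameif/security-level of each interface and flags any pre-8.3 `nat (x) id` statement whose interface is not more trusted than the interface its matching `global (y) id` sits on. The sample config is constructed to mirror the one posted above, with placeholder addresses.

```python
import re

# Constructed sample mirroring the thread's config (inside/outside levels swapped).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 0
 ip address 172.16.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 100
 ip address 195.0.2.1 255.255.255.248
!
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
"""

def parse_security_levels(config):
    """Map each nameif to its security-level, walking the interface blocks."""
    levels, name = {}, None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            name = None                      # new block, nameif not seen yet
        elif s.startswith("nameif "):
            name = s.split()[1]
        elif s.startswith("security-level ") and name:
            levels[name] = int(s.split()[1])
    return levels

def audit_nat(config):
    """Return findings for nat/global pairs that bind a low-security interface."""
    levels = parse_security_levels(config)
    global_if = {int(m.group(2)): m.group(1)
                 for m in re.finditer(r"^global \((\S+)\) (\d+)", config, re.M)}
    findings = []
    for m in re.finditer(r"^nat \((\S+)\) (\d+)(.*)$", config, re.M):
        iface, nat_id, rest = m.group(1), int(m.group(2)), m.group(3)
        if nat_id == 0:
            continue                         # nat 0 (identity/exempt) uses no global pool
        out_if = global_if.get(nat_id)
        if out_if is None:
            findings.append(f"nat ({iface}) {nat_id}: no matching global statement")
        elif levels.get(iface, -1) <= levels.get(out_if, -1) and "outside" not in rest.split():
            # Same condition the ASA warns about: the nat interface is not more
            # trusted than the global interface, so it looks like outside NAT.
            findings.append(f"nat ({iface}) {nat_id} -> global ({out_if}): security-level "
                            f"{levels.get(iface)} is not above {levels.get(out_if)}; check levels")
    return findings
```

Adding the `outside` keyword would silence this finding without fixing the inverted levels, which is consistent with what the original poster observed.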
04-06-2009 12:53 AM
Check to make sure that the physical interface that is your outside interface is actually configured with "nameif outside"
HTH
04-06-2009 01:03 AM
Hello there,
Yes, we have configured this correctly and here is the config. I guess there is no issue with that, as my Site to Site VPNs are working.
interface Vlan1
description Inside
nameif inside
security-level 0
ip address 172.x.x.x 255.255.255.0
!
interface Vlan2
description outside
nameif outside
security-level 100
ip address 195.x.x.x 255.255.255.248
!
interface Ethernet0/0
description outside
switchport access vlan 2
!
interface Ethernet0/1
description inside
speed 100
duplex full
04-06-2009 01:05 AM
OK, try the below:
global (outside) 2 195.x.x.x (next unused IP address)
nat (inside) 2 172.x.x.x 255.255.255.0
then clear xlate
HTH
04-06-2009 01:15 AM
We have only 1 IP for this connection and won't be able to try this.
04-06-2009 01:30 AM
Your initial config shows:
ip address 195.x.x.x 255.255.255.248
You have 1 IP for the interface
1 IP for the next hop routing device?
you have 4 other IP addresses?
04-06-2009 01:43 AM
Hi Andrew,
Sorry for the confusion, this is an xDSL link and we have only a static IP.
04-06-2009 02:03 AM
How many static IPs do you have?
What is the license on the ASA - post the output of show ver
04-06-2009 02:06 AM
We already have the PIX501 working with this setup and I am not sure why the ASA is not working with the global (outside) 1 interface.
Here is the sh ver:
Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(3)
Compiled on Thu 07-Aug-08 20:53 by builders
System image file is "disk0:/asa804-k8.bin"
Config file at boot was "startup-config"
defraasa01 up 2 days 18 hours
Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Int: Internal-Data0/0 : address is 0024.97b1.e40a, irq 11
1: Ext: Ethernet0/0 : address is 0024.97b1.e402, irq 255
2: Ext: Ethernet0/1 : address is 0024.97b1.e403, irq 255
3: Ext: Ethernet0/2 : address is 0024.97b1.e404, irq 255
4: Ext: Ethernet0/3 : address is 0024.97b1.e405, irq 255
5: Ext: Ethernet0/4 : address is 0024.97b1.e406, irq 255
6: Ext: Ethernet0/5 : address is 0024.97b1.e407, irq 255
7: Ext: Ethernet0/6 : address is 0024.97b1.e408, irq 255
8: Ext: Ethernet0/7 : address is 0024.97b1.e409, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 10
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions : 2
This platform has a Base license.
04-06-2009 02:14 AM
Post the output of a show arp?
You only have a license to 10 inside hosts, and remote IP addresses over a VPN count as an inside host.
How many computers do you have behind the ASA?
04-06-2009 02:35 AM
Hi,
I don't have this ASA in production right now as we had this issue. During the testing, we have only 2 hosts in the network. When the licenses are used up, translation won't happen?
FYI, our current PIX also has only a 10 host license and all is working.
Do the PIX and ASA work differently in terms of license?
We have ordered a 50 hosts license for this and will be getting it soon.
Regards,
Venky
04-06-2009 03:04 AM
Post your current config for review - remove any sensitive information.
04-06-2009 03:30 AM
04-06-2009 03:44 AM
Below is the ASA license matrix:
http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
Are you sure your outside IP addresses don't allow for my suggestion? You have a default gateway pointing to .241 which is the first IP address in the /248 subnet? What IP address are you using for the outside?
04-06-2009 03:54 AM
It's an issue with the security level. Thanks for the help.