ASA5505- PAT

sykesemea
Level 1

Hi,

We are replacing a PIX 501 with an ASA 5505. We are able to get the L2L VPN up but not the Internet access. When we try to add the nat (inside) x statement, the firewall gives a warning message saying the outside command is missing. But if we add the outside keyword to the end of the nat statement, we lose the L2L VPNs but Internet access works. Below is the config:

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0

Below are the warning messages:

WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
*** Output from config line 94, "nat (inside) 1 0.0.0.0 0...

We have tried 2 different IOS versions:

Cisco Adaptive Security Appliance Software Version 8.0(4) and Version 7.2.4.9

Thanks in advance for the help.

Accepted Solution

Unless you made an error when you pasted the config into this forum, you need to set the security-level for the outside interface to 0 and the inside security-level to 100. Your message above showed outside at 100 and inside at 0.

15 Replies

andrew.prince
Level 10

Check to make sure that the physical interface that is your outside interface is actually configured with "nameif outside".

HTH

Hello there,

Yes, we have configured this correctly, and here is the config. I guess there is no issue with that, as my site-to-site VPNs are working.

interface Vlan1
 description Inside
 nameif inside
 security-level 0
 ip address 172.x.x.x 255.255.255.0
!
interface Vlan2
 description outside
 nameif outside
 security-level 100
 ip address 195.x.x.x 255.255.255.248
!
interface Ethernet0/0
 description outside
 switchport access vlan 2
!
interface Ethernet0/1
 description inside
 speed 100
 duplex full

OK, try the below:

global (outside) 2 195.x.x.x (next unused IP address)
nat (inside) 2 172.x.x.x 255.255.255.0

then clear xlate

HTH

We have only 1 IP for this connection and won't be able to try this.

Your initial config shows:

ip address 195.x.x.x 255.255.255.248

You have 1 IP for the interface, 1 IP for the next-hop routing device? You have 4 other IP addresses?

Hi Andrew,

Sorry for the confusion; this is an xDSL link and we have only one static IP.

How many static IPs do you have?

What is the license on the ASA? Post the output of show ver.

We already have a PIX 501 working with this setup, and I am not sure why the ASA is not working with global (outside) 1 interface.

Here is sh ver:

Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(3)

Compiled on Thu 07-Aug-08 20:53 by builders
System image file is "disk0:/asa804-k8.bin"
Config file at boot was "startup-config"

defraasa01 up 2 days 18 hours

Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
 Boot microcode : CN1000-MC-BOOT-2.00
 SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
 IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05

 0: Int: Internal-Data0/0 : address is 0024.97b1.e40a, irq 11
 1: Ext: Ethernet0/0 : address is 0024.97b1.e402, irq 255
 2: Ext: Ethernet0/1 : address is 0024.97b1.e403, irq 255
 3: Ext: Ethernet0/2 : address is 0024.97b1.e404, irq 255
 4: Ext: Ethernet0/3 : address is 0024.97b1.e405, irq 255
 5: Ext: Ethernet0/4 : address is 0024.97b1.e406, irq 255
 6: Ext: Ethernet0/5 : address is 0024.97b1.e407, irq 255
 7: Ext: Ethernet0/6 : address is 0024.97b1.e408, irq 255
 8: Ext: Ethernet0/7 : address is 0024.97b1.e409, irq 255
 9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 10
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions : 2

This platform has a Base license.

Post the output of a show arp?

You only have a license for 10 inside hosts, and remote IP addresses over a VPN count as an inside host.

How many computers do you have behind the ASA?

Hi,

I don't have this ASA in production right now, as we had this issue. During testing, we have only 2 hosts in the network. When the licensed hosts are used up, translation won't happen?

FYI, our current PIX also has only a 10-host license and everything is working.

Do the PIX and ASA work differently in terms of licensing?

We have ordered a 50-host license for this and will be getting it soon.

Regards,

Venky

Post your current config for review; remove any sensitive information.

Also, do you have any documents on how Cisco ASA licensing works?

Below is the ASA license matrix:

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html

Are you sure your outside IP addresses don't allow for my suggestion? You have a default gateway pointing to .241, which is the first IP address in the /248 subnet? What IP address are you using for the outside?

It's an issue with the security level. Thanks for the help.
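The posted config and the accepted answer together point at one mistake: the inside and outside security levels are swapped. The script below is an added example, not part of the thread or of any Cisco tool, of a small linter for pre-8.3 ASA config text that flags exactly that. It also reports the consequence the thread does not spell out: with outside at 100 and inside at 0, the ASA's implicit higher-to-lower rule lets the Internet-facing interface initiate connections into the LAN unless an interface ACL blocks them, and the "outside" keyword workaround silences the NAT warning while leaving that exposure in place. The sample config (with placeholder addresses), the finding codes and the helper names are constructed for this example.

```python
"""Lint a pre-8.3 Cisco ASA config for the NAT/PAT setup discussed in the thread.

Reports: an outside interface that is not security-level 0; interfaces the
implicit rule no longer shields from connections initiated on outside; and a
nat/global pair running from a lower- to a higher-security interface, which is
what makes the ASA print 'WARNING: Keyword "outside" is probably missing.'
"""
import re

# Constructed sample, modelled on the config posted in the thread (placeholder
# addresses, not the poster's).  Inside and outside security levels are swapped.
SAMPLE_CONFIG = """\
interface Vlan1
 description Inside
 nameif inside
 security-level 0
 ip address 172.16.1.1 255.255.255.0
!
interface Vlan2
 description outside
 nameif outside
 security-level 100
 ip address 198.51.100.10 255.255.255.248
!
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
"""

# Same config with the levels the accepted answer calls for.
CORRECTED_CONFIG = (SAMPLE_CONFIG
    .replace("nameif inside\n security-level 0", "nameif inside\n security-level 100")
    .replace("nameif outside\n security-level 100", "nameif outside\n security-level 0"))

# The poster's workaround: append the 'outside' keyword instead of fixing levels.
WORKAROUND_CONFIG = SAMPLE_CONFIG.replace(
    "nat (inside) 1 0.0.0.0 0.0.0.0", "nat (inside) 1 0.0.0.0 0.0.0.0 outside")


def parse_asa(text):
    """Return (levels, globals_, nats): nameif -> level, pool id -> interface,
    and a list of (source interface, pool id, 'outside' keyword present)."""
    levels, globals_, nats = {}, {}, []
    name = level = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface ") or line == "!":
            if name is not None and level is not None:   # close the stanza
                levels[name] = level
            name = level = None
            continue
        m = re.match(r"nameif (\S+)$", line)
        if m:
            name = m.group(1)
            continue
        m = re.match(r"security-level (\d+)$", line)
        if m:
            level = int(m.group(1))
            continue
        m = re.match(r"global \((\S+)\) (\d+)", line)
        if m:
            globals_[int(m.group(2))] = m.group(1)
            continue
        m = re.match(r"nat \((\S+)\) (\d+)(.*)$", line)
        if m:
            nats.append((m.group(1), int(m.group(2)), "outside" in m.group(3).split()))
    if name is not None and level is not None:
        levels[name] = level
    return levels, globals_, nats


def lint(text):
    """Return a list of 'CODE: explanation' findings; an empty list means clean."""
    levels, globals_, nats = parse_asa(text)
    findings = []
    outside = levels.get("outside")
    if outside is None:
        return ["NO_OUTSIDE: no interface is configured with 'nameif outside'"]
    if outside != 0:
        findings.append(f"OUTSIDE_NOT_ZERO: outside has security-level {outside}; "
                        "the Internet-facing interface should be 0")
    for name, lvl in levels.items():
        # Higher-to-lower traffic is permitted by default, so any interface
        # below 'outside' is reachable from the Internet without an ACL.
        if name != "outside" and lvl < outside:
            findings.append(f"INBOUND_BY_DEFAULT: {name} ({lvl}) is below outside "
                            f"({outside}); outside may initiate connections to {name}")
    for iface, pool, has_outside in nats:
        if pool == 0:          # nat 0 / identity exemption needs no global
            continue
        gif = globals_.get(pool)
        if gif is None:
            findings.append(f"NO_GLOBAL: nat ({iface}) {pool} has no matching global ({pool})")
            continue
        src, dst = levels.get(iface), levels.get(gif)
        if src is not None and dst is not None and src < dst and not has_outside:
            findings.append(f"OUTSIDE_NAT: nat ({iface}) {pool} -> global ({gif}) {pool} "
                            f"runs from level {src} to {dst}; the ASA will ask for the "
                            "'outside' keyword, but the real fix is the security levels")
    return findings


def codes(text):
    """Just the finding codes, for quick comparison."""
    return [f.split(":", 1)[0] for f in lint(text)]


if __name__ == "__main__":
    for label, cfg in (("posted", SAMPLE_CONFIG), ("workaround", WORKAROUND_CONFIG),
                       ("corrected", CORRECTED_CONFIG)):
        print(label, lint(cfg) or ["clean"])
```

Run it against a saved "show running-config" instead of the built-in sample by passing the file contents to lint(). On the posted config it reports all three findings; on the workaround config the OUTSIDE_NAT warning disappears but the inverted levels and the inbound exposure remain; on the corrected config it reports nothing.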
