New Member

ASA5510 firewall

Hi,

        F0/0            F0/1

------------------R1----------------------------------------------FW------------------------------PC---------------

10.97.37.22      24.234.0.1          24.234.0.100       192.168.2.100              192.168.2.101

I am not able to ping from the PC to the R1 router interface F0/0 (10.97.37.222), but I am able to ping F0/1 (24.234.0.1) from my PC.

From the firewall I am able to reach the 10.97.37.0/24 network. Please let me know whether any additional command needs to be added on the firewall.

!
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.2.100 255.255.0.0
!
interface Ethernet0/1
no nameif
no security-level
no ip address
!
interface Ethernet0/1.11
vlan 11
nameif DMZ1
security-level 0
ip address 172.16.11.100 255.255.255.0
!
interface Ethernet0/1.22
vlan 22
nameif DMZ2
security-level 0
ip address 172.16.22.100 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
nameif ouside
security-level 0
ip address 24.234.0.100 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 10.97.37.112 255.255.255.0
management-only
!
ftp mode passive
dns server-group DefaultDNS
domain-name securitylab.com
pager lines 24
logging enable
logging timestamp
logging buffered informational
logging trap informational
logging asdm informational
logging host inside 192.168.2.101
mtu inside 1500
mtu DMZ1 1500
mtu DMZ2 1500
mtu ouside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-633.bin
no asdm history enable
arp timeout 14400
global (ouside) 1 interface
nat (inside) 1 192.168.0.0 255.255.0.0
!
router eigrp 1
network 192.168.0.0 255.255.0.0
redistribute static
!
router ospf 1
network 24.234.0.0 255.255.255.0 area 100
log-adj-changes
redistribute eigrp 1 subnets
!
route ouside 0.0.0.0 0.0.0.0 24.234.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.97.37.0 255.255.255.0 management
http 192.168.2.101 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.2.4 255.255.255.255 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum 512
  message-length maximum client auto
policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:06ba103dd7cff94af995f24404a3f139
: end

1 REPLY
Cisco Employee

Re: ASA5510 firewall

Hi,

On the firewall you seem to have a dynamic PAT from inside to outside. Hence, you will not be able to initiate connections from outside to inside unless you have an ACL to allow that traffic and a static NAT or NAT exemption.

I would suggest you add the NAT exemption for traffic from the PC to R1 and an access-list on the outside interface to allow traffic from R1 to the PC. The NAT exemption would be of the form below:

access-list NONAT permit ip host 192.168.2.101 host 10.97.37.22

nat (inside) 0 access-list NONAT

Ensure to allow the traffic from R1 to the PC using an access-list on the outside interface.

Let me know how it goes!!

Thanks and Regards,

Prapanch
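As an added worked example (not part of the original thread and not Cisco's own answer), here is the reply's suggestion written out as ASA 8.x CLI, with the outside ACL actually bound to the interface and packet-tracer used to verify the path. It uses the addresses from the diagram, the interface name "ouside" exactly as it appears in the posted nameif, and the ACL names NONAT (from the reply) and OUTSIDE_IN (an assumed name).

```cisco
! NAT exemption (identity NAT) for the PC-to-R1 flow, as in the reply above
access-list NONAT extended permit ip host 192.168.2.101 host 10.97.37.22
nat (inside) 0 access-list NONAT
!
! Inbound ACL on the outside interface (the posted nameif is "ouside").
! Permit only ICMP echo from the two R1 interfaces to the PC instead of
! "permit ip any any"; the ACL does nothing until access-group binds it.
access-list OUTSIDE_IN extended permit icmp host 10.97.37.22 host 192.168.2.101 echo
access-list OUTSIDE_IN extended permit icmp host 24.234.0.1 host 192.168.2.101 echo
access-group OUTSIDE_IN in interface ouside
!
! Verification from the ASA exec prompt.
! Simulate the PC's echo request (type 8, code 0) toward F0/0. The output
! should end with "Action: allow" and the NAT phase should match the
! identity (nat 0) rule rather than the dynamic PAT rule.
packet-tracer input inside icmp 192.168.2.101 8 0 10.97.37.22
!
! Check which egress interface the ASA picks for 10.97.37.0/24. The posted
! config puts 10.97.37.112/24 on Management0/0 with "management-only", so a
! connected route to that subnet exists via management and wins over the
! default route via ouside; a management-only interface does not forward
! through-traffic, which packet-tracer will report as a drop on that interface.
show route
!
! Confirm the translation that was built and watch the ACL hit counts.
show xlate
show access-list OUTSIDE_IN
```

If packet-tracer shows the management interface as the egress for 10.97.37.22, the NAT and ACL changes alone will not make the PC-to-F0/0 ping work; the routing toward that subnet has to go via ouside first.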
