11-07-2013 10:00 AM - edited 03-11-2019 08:02 PM
Hello people,
Help please.
I have a simple setup as explained in the diagram and the config of the ASA attached:
LAN-->L3 SW 3750G-->ASA5510-->Eclipse modem-->PPPOE
-Any subnet on the LAN cannot ping the ASA outside or any public IP (even after I apply ACL, NAT, ICMP... please see attached)
-Any device on the Internet cannot ping my ASA outside interface (even after I allow everything... please see attached)
-If I replace my ASA with a normal small router (Netgear) I can ping the router public IP from the Internet.
Please find attached the config and debug for the ASA.
Any help will be much appreciated.
Regards
11-07-2013 10:21 AM
Hi,
You won't be able to ICMP the "WAN" interface from behind the "INSIDE" interface. This is not possible with any configuration. You can only send ICMP to the interface "WAN" from behind that interface.
For the "WAN" interface to reply to ICMP from the Internet, please add:
icmp permit any echo WAN
The traffic from "INSIDE" to "WAN" is blocked by this misconfigured route. Remove it:
no route INSIDE 0.0.0.0 0.0.0.0 10.15.15.1 1
If you have several networks behind the "INSIDE" interface then use other routes for them, not the default route. The default route should point towards the "WAN" link.
Hope this helps
- Jouni
11-08-2013 01:56 PM
Hi Jouni,
Thanks for your help.
Here is what I did:
-I added icmp permit any echo WAN, which lets me ping my WAN from the Internet (perfect, thanks)
-I removed route INSIDE 0.0.0.0 0.0.0.0 10.15.15.1 1 and I advertised the connection between the ASA and the SW by EIGRP as shown in the config
-I applied the NAT/PAT
Result:
-From any subnet on the LAN I can ping the ASA inside interface
-I can ping the ASA/WAN from the Internet
-I can't ping the outside world / Internet even though the packet tracer shows it's allowed
-I can't get Internet access
Not sure if I need to redistribute EIGRP.
Config attached
Thanks
11-08-2013 02:09 PM
Hi,
How do the routing tables look?
Does the ASA have routes for the LAN networks, and does the L3 switch have a default route towards the ASA?
If the ASA and the L3 switch are the only routing devices in your network then you don't really need to run a dynamic routing protocol in the network.
With static routes configured you would need:
ASA
route INSIDE 192.168.0.0 255.255.255.0 10.15.15.1
route INSIDE 192.168.1.0 255.255.255.0 10.15.15.1
route INSIDE 192.168.2.0 255.255.255.0 10.15.15.1
route INSIDE 192.168.3.0 255.255.255.0 10.15.15.1
route INSIDE 192.168.14.0 255.255.255.0 10.15.15.1
route INSIDE 10.4.0.0 255.255.255.0 10.15.15.1
route INSIDE 10.0.0.0 255.255.255.0 10.15.15.1
L3 Switch
ip route 0.0.0.0 0.0.0.0 10.15.15.2
To enable Dynamic PAT for all internal networks on the ASA you could add
nat (INSIDE,WAN) after-auto source dynamic any interface
- Jouni
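A constructed illustration of the routing point in the post above (added example, not part of the original thread or of any Cisco tool): it parses ASA-style route lines, does a longest-prefix lookup to show which interface a packet to the Internet would leave on, and flags a default route that exits INSIDE instead of WAN. The WAN gateway 203.0.113.1 is a placeholder, since the thread does not show the PPPoE default route.

```python
import ipaddress
import re

# ASA static route syntax: route <iface> <network> <mask> <gateway> [metric]
ROUTE_RE = re.compile(
    r"^route\s+(\S+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)(?:\s+(\d+))?\s*$"
)


def parse_routes(config_text):
    """Return (network, iface, gateway, metric) tuples from ASA 'route' lines."""
    routes = []
    for line in config_text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue  # not a static route line, ignore
        iface, net, mask, gw, metric = m.groups()
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        routes.append((network, iface, gw, int(metric or 1)))
    return routes


def lookup(routes, dst):
    """Longest-prefix match (lower metric wins a tie); returns (iface, gateway) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for network, iface, gw, metric in routes:
        if addr not in network:
            continue
        if best is None or network.prefixlen > best[0].prefixlen or (
            network.prefixlen == best[0].prefixlen and metric < best[3]
        ):
            best = (network, iface, gw, metric)
    return None if best is None else (best[1], best[2])


def audit(routes, wan_iface="WAN"):
    """Flag any default route (0.0.0.0/0) whose egress interface is not the WAN."""
    return [
        f"default route via {gw} exits {iface}, expected {wan_iface}"
        for network, iface, gw, _ in routes
        if network.prefixlen == 0 and iface != wan_iface
    ]


# Constructed fragments modelled on the thread: the misconfigured default route
# from the first post, and the corrected pair of routes from the final post.
BROKEN = "route INSIDE 0.0.0.0 0.0.0.0 10.15.15.1 1\nroute INSIDE 10.4.0.0 255.255.255.0 10.15.15.1\n"
FIXED = "route WAN 0.0.0.0 0.0.0.0 203.0.113.1 1\nroute INSIDE 10.4.0.0 255.255.255.0 10.15.15.1\n"
```

With BROKEN, a packet to any public address is sent back out INSIDE toward the switch, which is why the LAN could not reach the Internet; with FIXED it leaves via WAN while 10.4.0.0/24 still goes to the switch.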
11-09-2013 04:16 AM
Thanks Jouni,
It worked, it was a routing issue.
ASA
route INSIDE 10.4.0.0 255.255.255.0 10.15.15.1
L3 Switch
ip route 0.0.0.0 0.0.0.0 10.15.15.2
Thanks and much appreciated