Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

Getting internet access on an ASA5510

Hi,

I see this is a popular one, but I can't see what I have done wrong.

the set-up is: a DSL modem in half bridge (it does all the PPPoE connection) passes our static IP (55.167.x.x) to the ASA's outside interface ... (the modem has an IP of 192.168.1.1, but not sure this matters)

then I have one inside interface on 192.168.43.1, which connects to a server and we have a working site-to-site VPN between this server and a client.. so I know most of it's set up right ... nothing else is on the 192.168.43.0/24 network.

the management interface is on 200.200.1.0/24 so it's out of the way and incidently connected to a dedcated PC, which also has console aqccess via the blue serial cable.

the last interface Main_Network is on the 192.168.0.0/24 network and it's this that I'm trying to get to work... at the moment I just have one Windows PC connected directly (does it need to go through a switch?) into the ASA for testing with a static IP (192.168.0.72), but I can't ping anything outside from the PC... only the ASA's interface (at 192.168.0.30).. I have the gateway on the PC set as 192.168.0.30 by the way.

The ASA can ping all the inside machines and anything I like outside.

Here's my config ... the static routes are there for when this replaces the current modem/router and the whole network plugs into the ASA.

ciscoasa(config)# show running-config

: Saved

:

ASA Version 8.2(5)

!

hostname ciscoasa

domain-name XXXXXXS

enable password xxxxxxxxx encrypted

passwd xxxxxxxxxxxxxx encrypted

names

name 192.168.0.33 Mail02

name 150.101.x.x VOIP_ADSL

name 59.167.x.x SOHO_ADSL

!

interface Ethernet0/0

description Internode VOIP

nameif Outside

security-level 0

ip address dhcp setroute

!

interface Ethernet0/1

description COnnects to the ME3 server for IPsec

nameif Inside

security-level 100

ip address 192.168.43.1 255.255.255.0

!

interface Ethernet0/2

description Connect to the main network

nameif Main_Network

security-level 100

ip address 192.168.0.30 255.255.255.0

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 200.200.1.1 255.255.255.0

management-only

!

ftp mode passive

dns domain-lookup Outside

dns server-group DefaultDNS

name-server 192.231.203.132

name-server 192.231.203.3

domain-name TANTALUS

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

access-list Outside_1_cryptomap extended permit ip 192.168.43.0 255.255.255.0 10

.0.0.0 255.0.0.0

access-list Inside_nat0_outbound extended permit ip 192.168.43.0 255.255.255.0 1

0.0.0.0 255.0.0.0

access-list Inside_access_in extended permit ip 10.0.0.0 255.0.0.0 192.168.43.0

255.255.255.0

access-list Inside_access_in extended permit ip 192.168.43.0 255.255.255.0 10.0.

0.0 255.0.0.0

access-list outside extended permit ip any 192.168.0.0 255.255.255.0

access-list outside extended permit ip any any

access-list Main_Network_access_in extended permit ip 192.168.0.0 255.255.255.0

any

access-list Main_Network_access_in extended permit ip any 192.168.0.0 255.255.25

5.0

access-list Main_Network_nat0_outbound extended permit ip 192.168.0.0 255.255.25

5.0 any

pager lines 24

logging asdm informational

mtu Outside 1492

mtu Inside 1500

mtu Main_Network 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat-control

global (Outside) 1 interface

nat (Inside) 0 access-list Inside_nat0_outbound

nat (Inside) 0 0.0.0.0 0.0.0.0

nat (Main_Network) 0 access-list Main_Network_nat0_outbound

nat (Main_Network) 0 192.168.0.0 255.255.255.0

static (Main_Network,Outside) tcp interface www Mail02 www netmask 255.255.255.2

55

static (Main_Network,Outside) tcp interface smtp Mail02 smtp netmask 255.255.255

.255

static (Main_Network,Outside) tcp interface ssh Mail02 ssh netmask 255.255.255.2

55

static (Main_Network,Outside) tcp interface 993 Mail02 993 netmask 255.255.255.2

55

static (Main_Network,Outside) tcp interface 995 Mail02 995 netmask 255.255.255.2

55

static (Main_Network,Outside) tcp interface https Mail02 https netmask 255.255.2

55.255

static (Main_Network,Outside) tcp interface domain 192.168.0.32 domain netmask 2

55.255.255.255

static (Main_Network,Outside) udp interface domain 192.168.0.32 domain netmask 2

55.255.255.255

static (Main_Network,Outside) tcp interface ftp 192.168.0.32 ftp netmask 255.255

.255.255

static (Main_Network,Outside) udp interface 60001 192.168.0.185 3389 netmask 255

.255.255.255

static (Main_Network,Outside) tcp interface 60001 192.168.0.185 3389 netmask 255

.255.255.255

static (Main_Network,Outside) tcp interface 60002 192.168.0.72 3389 netmask 255.

255.255.255

static (Main_Network,Outside) udp interface 60002 192.168.0.72 3389 netmask 255.

255.255.255

access-group outside in interface Outside

access-group Inside_access_in in interface Inside

access-group Main_Network_access_in in interface Main_Network

route Outside 10.0.0.0 255.255.255.0 VOIP_ADSL 1

route Outside 192.168.0.0 255.255.255.0 VOIP_ADSL 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 200.200.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map Outside_map 1 match address Outside_1_cryptomap

crypto map Outside_map 1 set pfs

crypto map Outside_map 1 set peer 159.153.222.18

crypto map Outside_map 1 set transform-set ESP-3DES-MD5

crypto map Outside_map interface Outside

crypto ca trustpoint _SmartCallHome_ServerCA

crl configure

crypto ca certificate chain _SmartCallHome_ServerCA

certificate ca 6ecc7aa5a7032009b8cebcf4e952d491

<-- snip -->

    6c2527b9 deb78458 c61f381e a4c4cb66

  quit

crypto isakmp enable Outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 130

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 10800

telnet timeout 5

ssh timeout 5

console timeout 0

vpdn username xxxxxxx@xxxx.com password ***** store-local

dhcp-client client-id interface Outside

dhcpd address 200.200.1.2-200.200.1.200 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

tunnel-group 159.x.x.x type ipsec-l2l

tunnel-group 159.x.x.x ipsec-attributes

pre-shared-key *****

tunnel-group 159.x.x.x.16 type ipsec-l2l

tunnel-group 159.x.x.x.16 ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

call-home reporting anonymous

Cryptochecksum:d41d8icd98f00b20475886

ciscoasa(config)#

Thanks in advance for looking into this, hopefully I'll get there.

Joss

4 REPLIES

Getting internet access on an ASA5510

Here is you nat config-

global (Outside) 1 interface

nat (Inside) 0 access-list Inside_nat0_outbound

nat (Inside) 0 0.0.0.0 0.0.0.0

nat (Main_Network) 0 access-list Main_Network_nat0_outbound

nat (Main_Network) 0 192.168.0.0 255.255.255.0

***************************************

Now if i understood your question correctly then you want to acess internet from Main Network 192.168.0.0/24.

Now two things when we mention nat 0 mean there should not be any nat but to access internet from private subnets nat is required.

Now for that you already configured global (outside) 1 interface --- instance 1 should be mated with lan subnets.

From main network for internet -add following

nat(Main_Network) 1 192.168.0.0 255.255.255.0

however you can also use -

nat(Main_Network) 1 0.0.0.0 0.0.0.0

Thanks

Ajay

New Member

Getting internet access on an ASA5510

Thanks for the reply Ajay,

Yes you are correct, I need devices on the 192.168.0.0/24 network to be able to connect to the Internet.

I changed the offending line as per your suggestion but the Windows PC I'm testing this with still cannot ping outside locations.

so (for easy reading) my nat control section now reads:-

nat-control

global (Outside) 1 interface

nat (Inside) 0 access-list Inside_nat0_outbound

nat (Inside) 0 0.0.0.0 0.0.0.0

nat (Main_Network) 0 access-list Main_Network_nat0_outbound

nat (Main_Network) 1 192.168.0.0 255.255.255.0

and the access lists are

access-list Main_Network_access_in extended permit ip 192.168.0.0 255.255.255.0 any

access-list Main_Network_access_in extended permit ip any 192.168.0.0 255.255.255.0

access-list Main_Network_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 any

all the config setting in the OP are the same apart from this one line nat change.

Thanks

Joss

New Member

Getting internet access on an ASA5510

Resolved and working ... thank you

of course I needed both the nat_id entries for Main_Network to be 1

nat (Main_Network) 1 access-list Main_Network_nat0_outbound

nat (Main_Network) 1 192.168.0.0 255.255.255.0

Thanks again

Joss

Getting internet access on an ASA5510

Both statement has got same meanning any one you can remove.

398
Views
0
Helpful
4
Replies
CreatePlease to create content