Cisco Support Community
Community Member

New ASA installation

I have a new ASA 5510 that is behind our router/firewall. I am having some problems with configuration and am not sure where I am hung up. I can't ping the internal LAN, 192.168.1. addresses. I have attached my configuration.

9 REPLIES
Green

Re: New ASA installation

Seeing as you're not natting, the clients on 192.168.1.0 that you are trying to ping would have to have a route to the 192.168.10.0 network via the outside interface of the ASA, 192.168.1.22.

Also, this route statement is not correct as 192.168.1.0 is on the outside of the ASA.

route inside 192.168.0.0 255.255.0.0 192.168.10.1 1

Community Member

Re: New ASA installation

Copy and paste these two lines:

!

access-list acl_in permit ip any any

access-group acl_in in interface inside

!

Community Member

Re: New ASA installation

Sorry for my ignorance as I am new to the ASAs. I have attached my "new" config. I tried adding the two lines and had no luck. I also changed the route inside to outside and had no luck.

Green

Re: New ASA installation

I would disregard the previous post, as you do not need that inside acl.

This is not right either...

route outside 192.168.0.0 255.255.0.0 192.168.10.1 1

You can put back what you had, but it would be a good idea to be more specific, as all 192.168.0.0/16 networks are not on the inside since 192.168.1.0 is on the outside. For example, if the networks accessed by 192.168.10.1 were 192.168.2.0 and 192.168.3.0 then...

route inside 192.168.2.0 255.255.255.0 192.168.10.1

route inside 192.168.3.0 255.255.255.0 192.168.10.1

You need a way for the clients on 192.168.1.0 to route to 192.168.1.22 when accessing 192.168.10.0. For example, if you had an outside router you could do...

ip route 192.168.10.0 255.255.255.0 192.168.1.22

Community Member

Re: New ASA installation

What you can do is just check the gateway of those 192.168.1.0 clients; it should be 192.168.1.22. If those clients have a different gateway address (another router), then that router should have a route back to the ASA for your 192.168.10.0 network.

For example, on the router the command should be

ip route 192.168.10.0 255.255.255.0 192.168.1.22

Community Member

Re: New ASA installation

Remove your current NAT statement

and add the following statement:

static (inside,outside) 192.168.10.0 192.168.10.0 netmask 255.255.255.0 0 0

Community Member

Re: New ASA installation

Thanks, got it working. I need to know the ports that I need to pass to the ASA with my existing router/firewall, as the ASA will be behind the existing one.

Can you help me with that?

Community Member

Re: New ASA installation

Which command solved your pinging problem?

From inside ping to outside?
