Pat is not working on my asa

CATYO
Level 1

Hi there. 

I'm just trying to do PAT with GNS3, but it's not working and I don't have any idea. crying

(Cisco Adaptive Security Appliance Software Version 8.4(2))

And also I figured out that there are some changes in the NAT configuration. I did them, but it didn't work.

I cannot ping from my host 192.168.100.116 to 1.1.12.1 ~ 1.1.12.2, 8.8.8.8 

I turned on debug in R1 and I can see the ICMP.

R1#
*Mar  1 01:31:28.091: ICMP: echo reply sent, src 1.1.12.1, dst 10.10.10.1
R1#
*Mar  1 01:31:32.739: ICMP: echo reply sent, src 1.1.12.1, dst 10.10.10.1
R1#

And also can see xlate on ASA

ASA-1# sh xlate
1 in use, 9 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
ICMP PAT from inside:192.168.100.116/1 to outside:10.10.10.1/6370 flags ri idle 0:00:04 timeout 0:00:30
ASA-1#

This is my topology. 

asa

[ASA1]

ASA-1# sh run ip
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 10.10.20.1 255.255.255.0
!
ASA-1# sh run object network

object network obj-192.168.100.0
 subnet 0.0.0.0 0.0.0.0
ASA-1# conf t
ASA-1(config)# ob
ASA-1(config)# object net
ASA-1(config)# object network obj-192.168.100.0
ASA-1(config-network-object)# nat (in
ASA-1(config-network-object)# nat (inside,ou
ASA-1(config-network-object)# nat (inside,outside) dy
ASA-1(config-network-object)# nat (inside,outside) dynamic inter
ASA-1(config-network-object)# nat (inside,outside) dynamic interface
ASA-1(config-network-object)# end

[R4]

interface FastEthernet0/0
 ip address 10.10.20.254 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.100.254 255.255.255.0
 duplex auto
 speed auto
!
no ip http server
no ip http secure-server
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.10.20.1

[HOST]

ip address 192.168.100.116/24

[R1]

interface FastEthernet0/0
 ip address 10.10.10.254 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 1.1.12.1 255.255.255.0
 duplex auto
 speed auto
!
no ip http server
no ip http secure-server
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!

What am I missing?

Please correct me.

Thank you in advance. 

6 Replies

Marvin Rhoads
Hall of Fame

Does your ASA have a route back to the 192.168.100.0/24 subnet? If not, you will need one (as I've shown below) - otherwise the return traffic from your ping will not know to use the proper egress interface.

route inside 192.168.100.0 255.255.255.0 192.168.10.254

Thank you. 

On the ASA, interface e1 (downstream) is facing fa0/1, not f0/0 :)

It already has..

ASA-1# sh route inside

Gateway of last resort is 10.10.10.254 to network 0.0.0.0

C    10.10.20.0 255.255.255.0 is directly connected, inside
S    192.168.100.0 255.255.255.0 [1/0] via 10.10.20.254, inside
ASA-1#

 ... crying

Thank you T-T

I realized that I can't ping from R4 to the ASA's 10.10.10.1, which is the outside interface.

ASA-1# sh route

Gateway of last resort is 10.10.10.254 to network 0.0.0.0

C    10.10.10.0 255.255.255.0 is directly connected, outside
C    10.10.20.0 255.255.255.0 is directly connected, inside
S    192.168.100.0 255.255.255.0 [1/0] via 10.10.20.254, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 10.10.10.254, outside
ASA-1#

R4#sh ip route
Gateway of last resort is 10.10.20.1 to network 0.0.0.0

     10.0.0.0/24 is subnetted, 2 subnets
S       10.10.10.0 [1/0] via 10.10.20.1
C       10.10.20.0 is directly connected, FastEthernet0/0
C    192.168.100.0/24 is directly connected, FastEthernet0/1
S*   0.0.0.0/0 [1/0] via 10.10.20.1
R4#

Can you ping your 192.168.100.116 host from the ASA?

If so, can you ping the ASA's default gateway (10.10.10.254) from your host?

If not, please provide the output from the following command:

packet-tracer input inside icmp 192.168.100.116 8 0 10.10.10.254

Just reloaded... I'm still stuck on the ping.

Changed the topology to be simpler, but it's still not working.


Here is everything I did.

[ASA]

access-list ICMP extended permit icmp any any echo-reply
access-list ICMP extended permit icmp any any time-exceeded

access-group ICMP in interface outside

interface GigabitEthernet0
 description To_UP
 nameif outside
 security-level 0
 ip address 10.10.10.2 255.255.255.0
!
interface GigabitEthernet1
 description To_DOWN
 nameif inside
 security-level 100
 ip address 10.10.20.1 255.255.255.0

[R1]

interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0
!
ip route 10.10.20.0 255.255.255.0 10.10.10.2 (I don't think i need this)

[R4]

interface FastEthernet0/0
 ip address 10.10.20.2 255.255.255.0
!
ip route 10.10.10.0 255.255.255.0 10.10.20.1 (same as well)

[output tracer]

ciscoasa# packet-tracer input inside icmp 10.10.20.1 8 0 10.10.10.1

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.10.10.0      255.255.255.0   outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP <---??????????????????????????
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ciscoasa#

[ASA]

ciscoasa# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list ICMP; 2 elements; name hash: 0x2d2cf426
access-list ICMP line 1 extended permit icmp any any echo-reply (hitcnt=0) 0x0b307247
access-list ICMP line 2 extended permit icmp any any time-exceeded (hitcnt=0) 0x1e6b1395
ciscoasa#


I created the ACL and permitted it.

Thank you. 

Your access-list only allows icmp echo reply and time-exceeded. Any ping request destined to or through the firewall will be a simple icmp echo request and thus be dropped.

We typically do not put access-lists on the inside interface because anything not explicitly allowed will be implicitly denied. That's the "implicit rule" reason you see for the drop in packet-tracer.
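To see why packet-tracer reports the drop as "Implicit Rule", here is an added Python model of the ASA's first-match ACL evaluation, run over the ACL from the thread; it is an illustration written for this page, not the ASA's own code. The extra `permit icmp any any echo` line in FIXED_ACL is an assumed alternative if an ACL must remain on inside; the reply above recommends not applying one there at all.

```python
import ipaddress
from collections import namedtuple

# ASA ICMP-type keywords accepted in ACLs (subset; constructed for this example)
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "time-exceeded": 11, "unreachable": 3}

# One access-control entry; icmp_type None matches every ICMP type
Ace = namedtuple("Ace", "action proto src dst icmp_type")

def _take_addr(tok, i):
    """Consume 'any', 'host A' or 'A MASK' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [ICMP-TYPE]'."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
        raise ValueError("unsupported ACE: " + line)
    action, proto = t[3], t[4]
    src, i = _take_addr(t, 5)
    dst, i = _take_addr(t, i)
    icmp_type = ICMP_TYPES[t[i]] if proto == "icmp" and i < len(t) else None
    return Ace(action, proto, src, dst, icmp_type)

def evaluate(acl_lines, proto, src, dst, icmp_type=None):
    """First match wins; with no match the ASA's implicit deny applies (packet-tracer's 'Implicit Rule')."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, ace in enumerate(map(parse_ace, acl_lines), 1):
        if ace.proto not in ("ip", proto) or s not in ace.src or d not in ace.dst:
            continue
        if proto == "icmp" and ace.icmp_type is not None and ace.icmp_type != icmp_type:
            continue
        return ace.action, f"line {n}"
    return "deny", "implicit rule"

# The ACL from the thread: only replies and time-exceeded are permitted, so an
# echo request (ICMP type 8) entering on inside matches nothing and is dropped.
THREAD_ACL = [
    "access-list ICMP extended permit icmp any any echo-reply",
    "access-list ICMP extended permit icmp any any time-exceeded",
]
# Assumed fix if an ACL must stay on inside: also permit the echo request.
FIXED_ACL = THREAD_ACL + ["access-list ICMP extended permit icmp any any echo"]
```

Running `evaluate(THREAD_ACL, "icmp", "10.10.20.1", "10.10.10.1", 8)` reproduces the packet-tracer result, while the same packet against FIXED_ACL is permitted by line 3.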
