
Please critique my ASA5505 NAT & ACL Setup

sendalot7
Level 1

Please critique my ASA5505 NAT & ACL Setup and let me know why devices are not connecting to Internet/WAN.

(If my addresses are a bit off by any chance, they have been changed in haste).

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 112.74.71.71 1
global (outside) 1 interface

Thanks.

1 Accepted Solution


7 Replies

Julio Carvajal
VIP Alumni

Hello,

Do the following

From the ASA itself

ping 112.74.71.71

ping 4.2.2.2

What are the results? If successful, do

packet-tracer input inside tcp 192.168.1.10 1025 4.2.2.2 80

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

ping 112.74.71.71 works with 100%.

ping 4.2.2.2 fails at 0% though.

remove this line:

route outside 0.0.0.0 0.0.0.0 112.74.71.71 1

if you want DHCP to set the default route for you, then you don't need to fix it yourself:

ip address dhcp setroute

Patrick

Shall I remove all static routes then?

Edit: I removed all static routes and I can ping 74.125.228.35 (Google).

But I still can't get any DNS or other apps to work.

Thanks.

Hello,

Okay, so now you have connectivity to the outside world.

That's good.

From the ASA perspective DNS should be allowed, as you do not have any ACL blocking it.

Do show run access-group just to make sure.

Make sure the client has a DNS configured.

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

show run access-group

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

Do I manually set DNS server on clients?

How do I make my ASA give DNS info?

Update:

If I type 74.125.225.102 directly into browser, it works.

But if I type google.com, it doesn't.

Almost there but DNS isn't!! argh

Thanks.

Hello,

Well, if the ASA is configured as a DHCP server just do

dhcpd dns 4.2.2.2

It's a DNS issue, you can configure it manually on the PC but if you want to do it via DHCP this is the way to do it

Regards,

Jcarvaja

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
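As an added example (not part of the thread and not Cisco code), a small Python audit that reads an ASA running-config in the style posted above and flags the two problems the replies uncovered (the static default route competing with dhcp setroute, and a DHCP server that hands out no resolver), plus a third point the replies did not raise: outside_access_in permits ip any any inbound on the security-level 0 interface. The dhcpd stanza in the sample is assumed; the rest is the poster's configuration and the show run access-group output.

```python
import re

# Constructed sample: the configuration posted in this thread, plus the
# access-group output and a dhcpd stanza with no DNS option (assumed).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 112.74.71.71 1
global (outside) 1 interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
"""

def audit_asa_config(config):
    """Return findings for the three issues this thread surfaced."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    has = lambda prefix: any(l.startswith(prefix) for l in lines)
    findings, sec_level, nameif = [], {}, None
    # Map nameif -> security-level so we know which interface faces the Internet.
    for l in lines:
        if l.startswith("nameif "):
            nameif = l.split()[1]
        elif l.startswith("security-level ") and nameif:
            sec_level[nameif] = int(l.split()[1])
    # 1. 'ip address dhcp setroute' competing with a hand-typed static default route.
    statics = [l for l in lines if re.match(r"route \S+ 0\.0\.0\.0 0\.0\.0\.0 ", l)]
    if has("ip address dhcp setroute") and statics:
        findings.append("default-route conflict: dhcp setroute together with '%s'" % statics[0])
    # 2. A 'permit ip any any' ACL bound inbound on a security-level 0 interface.
    wide_open = {l.split()[1] for l in lines
                 if re.match(r"access-list \S+ extended permit ip any any$", l)}
    for l in lines:
        m = re.match(r"access-group (\S+) in interface (\S+)", l)
        if m and m.group(1) in wide_open and sec_level.get(m.group(2)) == 0:
            findings.append("permit ip any any applied inbound on %s (security-level 0)" % m.group(2))
    # 3. ASA acting as DHCP server without handing clients a resolver ('dhcpd dns').
    if has("dhcpd enable") and not has("dhcpd dns"):
        findings.append("dhcpd enabled without 'dhcpd dns': clients receive no DNS server")
    return findings
```

Removing the static route and adding dhcpd dns, as the thread did, leaves only the open outside ACL finding.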