Community Member

Please critique my ASA5505 NAT & ACL Setup

Please critique my ASA5505 NAT & ACL Setup and let me know why devices are not connecting to Internet/WAN.

(If my addresses are a bit off by any chance, they have been changed in haste).

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 112.74.71.71 1
global (outside) 1 interface

Thanks.

7 REPLIES

Please critique my ASA5505 NAT & ACL Setup

Hello,

Do the following

From the ASA itself

ping 112.74.71.71

ping 4.2.2.2

What are the results? If successful, do

packet-tracer input inside tcp 192.168.1.10 1025 4.2.2.2 80

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Community Member

Re: Please critique my ASA5505 NAT & ACL Setup

ping 112.74.71.71 works with 100%.

ping 4.2.2.2 fails at 0% though.


Please critique my ASA5505 NAT & ACL Setup

Remove this line:

route outside 0.0.0.0 0.0.0.0 112.74.71.71 1

If you want DHCP to set the default route for you, then you don't need to fix it yourself:

ip address dhcp setroute

Patrick

Community Member

Re: Please critique my ASA5505 NAT & ACL Setup

Shall I remove all static routes then?

Edit: I removed all static routes and I can ping 74.125.228.35 (Google).

But I still can't get any DNS or other apps to work.

Thanks.

Re: Please critique my ASA5505 NAT & ACL Setup

Hello,

Okay, so now you have connectivity to the outside world.

That's good.

From the ASA perspective, DNS should be allowed as you do not have any ACL.

Do show run access-group just to make sure.

Make sure the client has a DNS configured.

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Community Member

Re: Please critique my ASA5505 NAT & ACL Setup

show run access-group

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

Do I manually set DNS server on clients?

How do I make my ASA give DNS info?

Update:

If I type 74.125.225.102 directly into browser, it works.

But if I type google.com, it doesn't.

Almost there but DNS isn't!! argh

Thanks.

Please critique my ASA5505 NAT & ACL Setup

Hello,

Well, if the ASA is configured as a DHCP server, just do

dhcpd dns 4.2.2.2

It's a DNS issue. You can configure it manually on the PC, but if you want to do it via DHCP, this is the way to do it.

Regards,

Jcarvaja

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
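
The points reached in this thread (no static default route next to `ip address dhcp setroute`, check what `show run access-group` binds, hand out DNS with `dhcpd dns`) written as a check over a saved running config. This is an added example, not code from any poster in the thread; the `dhcpd enable inside` line in the sample, the finding names, and the check for an any/any ACL bound inbound on the security-level 0 interface are assumptions added here.

```python
import re

# Constructed input: the config lines posted in the thread (NAT lines omitted),
# plus an assumed "dhcpd enable inside" (the thread only says "if the ASA is
# configured as a DHCP server").
SAMPLE = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
route outside 0.0.0.0 0.0.0.0 112.74.71.71 1
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
dhcpd enable inside
"""

def audit(config):
    """Return sorted finding names (hypothetical labels) for an ASA config."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    level, setroute, name = {}, set(), None
    for ln in lines:  # pass 1: per-interface security level and DHCP setroute
        if ln.startswith("interface "):
            name = None
        elif ln.startswith("nameif "):
            name = ln.split()[1]
        elif ln.startswith("security-level ") and name:
            level[name] = int(ln.split()[1])
        elif ln == "ip address dhcp setroute" and name:
            setroute.add(name)
    open_acls = {m.group(1) for ln in lines if (m := re.fullmatch(
        r"access-list (\S+) extended permit ip any any", ln))}
    found = set()
    for ln in lines:  # pass 2: global commands checked against pass 1
        m = re.match(r"route (\S+) 0\.0\.0\.0 0\.0\.0\.0 ", ln)
        if m and m.group(1) in setroute:
            found.add("static-default-route-with-dhcp-setroute")
        m = re.fullmatch(r"access-group (\S+) in interface (\S+)", ln)
        # Added check, not raised in the thread: any/any inbound on level 0.
        if m and m.group(1) in open_acls and level.get(m.group(2)) == 0:
            found.add("permit-any-any-inbound-on-security-level-0")
    has = lambda prefix: any(ln.startswith(prefix) for ln in lines)
    if has("dhcpd enable ") and not has("dhcpd dns "):
        found.add("dhcpd-enabled-without-dns")
    return sorted(found)
```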