04-05-2007 10:09 AM - edited 03-11-2019 02:56 AM
I'm having no luck here. I have tried entering default routes, static routes, etc from both the CLI and the ASDM console.
I am replacing a 2621 router which we had working just fine, but I can't duplicate the functionality we had with the router.
I have attached a visio drawing which should explain what I am doing.
From the PC on the test network I can only ping as far as the .225 interface. From a PC connected to SWITCH 1, I can ping the 105 interface but no further.
From the Firewall itself I can ping just about anything I want. So the problem seems to be that the ETH 0 and ETH 1 interfaces are not communicating.
Any ideas?
04-05-2007 06:18 PM
A copy of your configuration on the ASA would be necessary to tell you what is wrong. What are the subnet masks of the 2 interfaces?
04-06-2007 06:56 AM
04-06-2007 05:45 PM
Remove these
access-group outside_access_out out interface outside
access-group inside_access_in in interface inside
route outside 199.222.135.0 255.255.255.0 199.222.135.1 1
route inside 0.0.0.0 0.0.0.0 199.222.135.0 1
route inside 0.0.0.0 0.0.0.0 199.222.135.1 1
Add
global (outside) 1 interface
route outside 0.0.0.0 0.0.0.0 199.222.135.1
04-07-2007 12:50 PM
04-07-2007 01:37 PM
Ummm, you have no access lists to permit traffic through the device, hence the previous post to remove them. But if you remove them, then it blocks by default.
You have an
icmp permit any outside
for replying to pings outside, but you should also have one for the inside so:
icmp permit any inside
Also, your inside NAT is a bit, hmm, let's just say open. What you should have is this for your inside-to-outside NAT:
nat (inside) 0 199.222.135.224 255.255.255.240 0 0
Now put these statements in for your access lists:
access-list outside_access_in permit ip any any
access-list inside_access_in permit ip any any
Then add the access lists to the interface with:
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
Give that a go
Cheers,
Peter
04-07-2007 05:20 PM
04-08-2007 04:01 AM
You don't have the access lists applied to the interfaces as per below:
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
04-08-2007 08:42 PM
04-09-2007 02:25 AM
Hi there,
Sorry, but I bow out at this point. It looks fine as far as I'm concerned. You may want to try removing your inspection rules for now as another attempt at diagnosing what is stopping this from working.
Another option is to take it back to its factory default settings and add in what I have given you from the stock standard config and see if that works at that point.
Are you putting in the config I've given you through the command line or through the GUI?
I am not too crash hot with the ASA devices as we haven't moved away from the PIX yet, and I can see there are some slight differences in the commands you are using for the ASA, in particular the NAT command, if you have a look at the one I sent you compared to how it's showing in your config.
Cheers,
Peter
04-09-2007 04:39 AM
Actually I just twigged on something - your global (outside) 1 interface - is defining the global NAT to instance 1 - so your NAT (inside) should point to that - not 0.
So try changing your NAT statement from:
nat (inside) 0 199.222.135.224 255.255.255.240
to:
nat (inside) 1 199.222.135.224 255.255.255.240
Hope this works - if not then I'm fresh out of ideas :)
Peter
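As an added example (not from the thread), a small Python lint for the two misconfigurations Peter caught above: access-lists that are defined but never bound with access-group, and a global pool id with no nat statement using it. The sample config is constructed from the fragments quoted in this thread and is not the poster's actual configuration.

```python
import re

# Constructed sample, modelled on the config fragments quoted in this thread
# (not the poster's real configuration). It reproduces both mistakes:
# outside_access_in is never applied, and nat uses id 0 while global uses id 1.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
interface Ethernet0/1
 nameif inside
access-list outside_access_in permit ip any any
access-list inside_access_in permit ip any any
access-group inside_access_in in interface inside
icmp permit any outside
global (outside) 1 interface
nat (inside) 0 199.222.135.224 255.255.255.240
route outside 0.0.0.0 0.0.0.0 199.222.135.1
"""

ACL_RE = re.compile(r"^access-list (\S+)")
AG_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+)")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+)")


def lint(config: str) -> list:
    """Return human-readable findings for a pre-8.3 style ASA/PIX config."""
    acls, bound, pools, nat_ids = set(), set(), set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls.add(m.group(1))            # ACL names that exist
        elif m := AG_RE.match(line):
            bound.add(m.group(1))           # ACL names bound to an interface
        elif m := GLOBAL_RE.match(line):
            pools.add(int(m.group(2)))      # global pool ids
        elif m := NAT_RE.match(line):
            nat_ids.add(int(m.group(2)))    # nat ids (0 = identity/no translation)
    findings = []
    for name in sorted(acls - bound):
        findings.append(f"access-list {name} is defined but never applied with access-group")
    for name in sorted(bound - acls):
        findings.append(f"access-group references undefined access-list {name}")
    for pid in sorted(pools - nat_ids):
        findings.append(f"global pool {pid} has no nat statement using id {pid}")
    for pid in sorted(n for n in nat_ids - pools if n != 0):
        findings.append(f"nat id {pid} has no matching global pool")
    return findings


if __name__ == "__main__":
    for f in lint(SAMPLE_CONFIG):
        print("WARN:", f)
```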
04-09-2007 07:07 AM
Twig? Or the whole tree???
That did it.
Thank you very much.
Now we're on to applying rules and opening and closing ports. I'm sure you guys will be hearing from me again.
Peter, thanks. 5 star help my friend.
How do I go about rating you?
04-09-2007 10:59 AM
No problems man :) Glad I could help out - god knows I had plenty of dramas myself when I first started out with Ciscos - they are complicated, but that's what makes them interesting - getting your head around how to configure them correctly is the hard part, but once you do it's smooth sailing :)
A tip for you on configuring the groups: have a look at an old config of mine for a PIX 515e. Looks complicated, but getting your IPs named and put into groups etc. makes admin a damn sight easier through the GUI - just naming groups or device names instead of IPs - obviously then making changes to IPs etc. can be done without having to clean up in 50 other places, and for other reasons as well.
Have fun :)
Peter
04-12-2007 07:53 AM
Peter,
Thanks to all your help I can now go from the inside interface out, but I still can't go from my outside interface in. I have some web servers sitting on the inside network which I can hit from other machines on my inside network, but I cannot hit them from the network on my outside interface.
I have been playing with this quite a bit as my gut tells me that it has to do with global interfaces and NAT (even though I'm not translating), but I can't make it work.
I am attaching my config so that you could maybe take a look at it and see where I've gone wrong.
I have added a bunch of access lists and the appropriate groups and added them to the correct interfaces (I think), but I am open to being told they are all wrong.
Nothing I have been able to do with other global interfaces or NATs has worked so I have removed all those attempts.
Any help would be appreciated.
John