10-27-2014 02:09 AM - edited 03-03-2019 07:38 AM
I want to use the internet through this.
I attached a diagram that also defines the public and private IPs,
and below is the show version output of the ASA 5520:
ciscoasa# sh version
Cisco Adaptive Security Appliance Software Version 8.4(2)
Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "Unknown, monitor mode tftp booted image"
Config file at boot was "startup-config"
ciscoasa up 6 secs
Hardware: ASA 5520, 1024 MB RAM, CPU Pentium II 1000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash unknown @ 0x0, 0KB
0: Ext: GigabitEthernet0 : address is 0000.ab45.d200, irq 0
1: Ext: GigabitEthernet1 : address is 0000.ab1e.9401, irq 0
2: Ext: GigabitEthernet2 : address is 0000.abd1.cc02, irq 0
3: Ext: GigabitEthernet3 : address is 0000.ab93.7903, irq 0
4: Ext: GigabitEthernet4 : address is 0000.ab28.ec04, irq 0
5: Ext: GigabitEthernet5 : address is 0000.abc9.e905, irq 0
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Disabled perpetual
VPN-DES : Disabled perpetual
VPN-3DES-AES : Disabled perpetual
Security Contexts : 0 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 5000 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 5000 perpetual
Total VPN Peers : 0 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5520 VPN Plus license.
Serial Number: 123456789AB
Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
Configuration register is 0x0
Configuration has not been modified since last system restart.
10-27-2014 03:03 AM
Hi there,
Assuming you have configured your inside and outside interfaces with nameif, then the following global NAT command should work for your PC subnet:
!
object range inside_pc_subnet_range
range 172.16.20.1 172.16.20.254
!
nat (inside,outside) source dynamic inside_pc_subnet_range interface
!
This is an excellent write up of NAT on the ASA, worth a read!:
https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli
cheers,
Seb.
10-28-2014 04:29 AM
I configured it as per your instruction but it's not working.
I attached the configuration files of the devices and also the topology.
Thanks Seb
ASA# sh run
ASA# sh running-config
: Saved
:
ASA Version 8.4(2)
!
hostname ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
nameif inside
security-level 100
ip address 172.16.20.254 255.255.255.0
!
interface GigabitEthernet1
nameif ouside
security-level 0
ip address 125.209.70.90 255.255.255.248
!
interface GigabitEthernet2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
object network outside-inside
range 172.16.20.1 172.16.20.254
access-list test extended permit ip any any
pager lines 24
mtu inside 1500
mtu ouside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,ouside) source dynamic outside-inside interface
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
!
prompt hostname context
call-home reporting anonymous prompt 2
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:3530380abf486888d4f99051441c9e63
: end
ASA#
OUTSIDE ROUTER
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Outside
!
!
!
!
ip subnet-zero
no ip icmp rate-limit unreachable
!
!
ip tcp synwait-time 5
no ip domain-lookup
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 125.209.70.89 255.255.255.248
duplex auto
speed auto
!
ip classless
no ip http server
ip pim bidir-enable
!
!
!
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
INSIDE ROUTER
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Inside
!
!
!
!
ip subnet-zero
no ip icmp rate-limit unreachable
!
!
ip tcp synwait-time 5
no ip domain-lookup
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 172.16.20.42 255.255.255.0
duplex auto
speed auto
!
interface Group-Async0
physical-layer async
no ip address
no group-range
!
ip classless
ip route 125.209.70.88 255.255.255.248 FastEthernet0/0
no ip http server
ip pim bidir-enable
!
!
!
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
10-28-2014 08:18 AM
Hi there,
Hopefully an easy fix: you have a typo in the ASA on gi1:
!
interface GigabitEthernet1
nameif ouside
!
...should be 'outside'.
cheers,
Seb.
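The typo above is easy to miss because the config is internally consistent: `mtu ouside` and `nat (inside,ouside)` all agree with the misspelled nameif, and the ASA accepts them. It only breaks once a command spelled `outside` (a route, a service-policy) refers to an interface that does not exist. The following is an added example, not code from the thread or from Cisco: a small lint that reads an ASA running-config, collects the declared nameifs and flags every interface reference that names an undeclared one, suggesting the closest declared name. The config excerpt is constructed from the posted config plus the route and service-policy lines suggested later in the thread; the set of commands it recognises (`mtu`, `nat`, `route`, `service-policy`) is an assumed subset of the ASA grammar, not the full one.

```python
import re
from difflib import get_close_matches

# Constructed excerpt: the ASA config posted above (keeping its 'ouside'
# nameif typo) plus the default route and ICMP service-policy that the
# later replies ask for, both of which are spelled 'outside'.
ASA_CONFIG = """\
interface GigabitEthernet0
 nameif inside
 security-level 100
 ip address 172.16.20.254 255.255.255.0
!
interface GigabitEthernet1
 nameif ouside
 security-level 0
 ip address 125.209.70.90 255.255.255.248
!
mtu inside 1500
mtu ouside 1500
nat (inside,ouside) source dynamic outside-inside interface
route outside 0.0.0.0 0.0.0.0 125.209.70.89 1
service-policy icmp_policy interface outside
"""

NAMEIF_RE = re.compile(r"^\s*nameif\s+(\S+)\s*$", re.M)

# Commands that refer to an interface by its nameif; every capture group
# is one referenced name. Assumed subset of the ASA grammar, not all of it.
REFERENCE_RES = [
    re.compile(r"^mtu\s+(\S+)\s+\d+"),
    re.compile(r"^nat\s+\(([^,()]+),([^,()]+)\)"),
    re.compile(r"^route\s+(\S+)\s+\d"),
    re.compile(r"^service-policy\s+\S+\s+interface\s+(\S+)"),
]

def defined_nameifs(config):
    """Set of nameif values declared under interface stanzas."""
    return set(NAMEIF_RE.findall(config))

def find_unknown_nameifs(config):
    """Return (line, unknown_name, suggestion) for each reference to a nameif
    that no interface declares. suggestion is the closest declared name
    (or None), which is how a one-letter typo like 'ouside' shows up."""
    known = defined_nameifs(config)
    problems = []
    for raw in config.splitlines():
        line = raw.strip()
        for pat in REFERENCE_RES:
            m = pat.match(line)
            if not m:
                continue
            for name in m.groups():
                if name in known:
                    continue
                close = get_close_matches(name, known, n=1, cutoff=0.8)
                problems.append((line, name, close[0] if close else None))
    return problems

if __name__ == "__main__":
    print("declared nameifs:", sorted(defined_nameifs(ASA_CONFIG)))
    for line, name, hint in find_unknown_nameifs(ASA_CONFIG):
        print(f"{line!r}: interface '{name}' is not defined"
              + (f" (did you mean '{hint}'?)" if hint else ""))
```

Run against the excerpt it reports the `route` and `service-policy` lines as referring to an undefined `outside` and points at `ouside` as the likely intended name, while the `mtu`/`nat` lines pass because they match the (misspelled) declaration. The same check is worth running on any config before pasting in new commands, since the ASA's own error on an unknown nameif is terse.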
10-28-2014 09:26 PM
Thanks for the reply.
I changed the interface to outside but it's not working.
And is there any route to add to ping the outside router or the outside interface of the ASA?
The route added in the inside router is:
ip route 125.209.70.88 255.255.255.248 fastethernet 0/0
and the routing table output is as below:
Inside(config)#do sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.20.0 is directly connected, FastEthernet0/0
125.0.0.0/29 is subnetted, 1 subnets
S 125.209.70.88 is directly connected, FastEthernet0/0
Inside(config)#
and the route added in the outside router to ping the inside router or the inside interface of the ASA is:
ip route 172.16.20.0 255.255.255.0 fastethernet 0/0
and the routing table output is as below:
Outside(config)#do sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 1 subnets
S 172.16.20.0 is directly connected, FastEthernet0/0
125.0.0.0/29 is subnetted, 1 subnets
C 125.209.70.88 is directly connected, FastEthernet0/0
Outside(config)#
Routing table of ASA
ASA(config)# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
C 172.16.20.0 255.255.255.0 is directly connected, inside
C 125.209.70.88 255.255.255.248 is directly connected, outside
ASA(config)#
10-29-2014 01:55 AM
Hello again,
Remove your existing static routes and use the following routes:
Outside:
!
ip route 172.16.20.0 255.255.255.0 125.209.70.90
!
ASA:
!
route outside 0.0.0.0 0.0.0.0 125.209.70.89 1
!
Inside:
!
ip route 0.0.0.0 0.0.0.0 172.16.20.254
!
Ideally you would use OSPF / EIGRP instead of static routes in the scenario, but this should get it working.
cheers,
Seb.
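To see why the original routes fail and the replacement ones work, here is an added example (not from the thread and not Cisco code) that models the three devices with the addresses from the posted configs and walks a destination hop by hop using longest-prefix match. The one behaviour it relies on is that an IOS static route pointing only at an Ethernet interface makes the router ARP for the destination address itself on that segment; the model does not implement proxy ARP, so such a lookup only succeeds if a device on that segment actually owns the address. NAT is deliberately left out, since the question here is purely routing. Device names, the `Device`/`trace` helpers and the assumption about proxy ARP are mine.

```python
import ipaddress as ipa

class Device:
    """A router or firewall: named interfaces with addresses, plus static routes."""
    def __init__(self, name, interfaces, routes=()):
        self.name = name
        self.ifaces = {n: ipa.ip_interface(a) for n, a in interfaces.items()}
        self.routes = []
        for prefix, next_hop, ifname in routes:
            self.routes.append((ipa.ip_network(prefix),
                                ipa.ip_address(next_hop) if next_hop else None,
                                ifname))

    def owns(self, addr):
        return any(i.ip == addr for i in self.ifaces.values())

    def egress_for(self, addr):
        """Name of the connected interface whose subnet contains addr, else None."""
        for n, i in self.ifaces.items():
            if addr in i.network:
                return n
        return None

    def lookup(self, dst):
        """Longest-prefix match. Returns (arp_target, ifname) or None.
        arp_target is the address this device must resolve on ifname: the next hop
        for a next-hop route, or dst itself for a connected subnet and for an
        interface-only static route (IOS ARPs for the destination in that case)."""
        best = None  # (prefixlen, arp_target, ifname)
        for n, i in self.ifaces.items():
            if dst in i.network and (best is None or i.network.prefixlen > best[0]):
                best = (i.network.prefixlen, dst, n)
        for net, nh, ifn in self.routes:
            if dst not in net or (best is not None and net.prefixlen <= best[0]):
                continue
            if nh is None:
                best = (net.prefixlen, dst, ifn)
            else:
                best = (net.prefixlen, nh, self.egress_for(nh))
        return None if best is None else (best[1], best[2])

def trace(devices, start, dst, max_hops=8):
    """Walk towards dst from device `start`. Returns (path, error_or_None)."""
    dst = ipa.ip_address(dst)
    here, path = devices[start], [start]
    for _ in range(max_hops):
        if here.owns(dst):
            return path, None
        hit = here.lookup(dst)
        if hit is None:
            return path, f"{here.name}: no route to {dst}"
        target, ifname = hit
        if ifname is None:
            return path, f"{here.name}: next hop {target} is not on a connected subnet"
        segment = here.ifaces[ifname].network
        # No proxy ARP in this model: someone on the segment must own the target.
        nxt = next((d for d in devices.values()
                    if d is not here and target in segment and d.owns(target)), None)
        if nxt is None:
            return path, f"{here.name}: nobody on {ifname} ({segment}) answers for {target}"
        here = nxt
        path.append(here.name)
    return path, "hop limit exceeded (routing loop?)"

def build(inside_routes, asa_routes, outside_routes):
    """Topology from the posted configs; routes are (prefix, next_hop, ifname)."""
    return {
        "Inside": Device("Inside", {"FastEthernet0/0": "172.16.20.42/24"}, inside_routes),
        "ASA": Device("ASA", {"inside": "172.16.20.254/24",
                              "outside": "125.209.70.90/29"}, asa_routes),
        "Outside": Device("Outside", {"FastEthernet0/0": "125.209.70.89/29"}, outside_routes),
    }

# As posted: interface-only static routes on both routers, no routes on the ASA.
ORIGINAL = build([("125.209.70.88/29", None, "FastEthernet0/0")], [],
                 [("172.16.20.0/24", None, "FastEthernet0/0")])
# As suggested: default routes towards the ASA, ASA default route to the outside router.
FIXED = build([("0.0.0.0/0", "172.16.20.254", None)],
              [("0.0.0.0/0", "125.209.70.89", None)],
              [("172.16.20.0/24", "125.209.70.90", None)])

if __name__ == "__main__":
    for label, topo in (("original", ORIGINAL), ("fixed", FIXED)):
        for start, dst in (("Inside", "125.209.70.89"), ("Outside", "172.16.20.42")):
            path, err = trace(topo, start, dst)
            print(f"{label:8} {start}->{dst}: {' > '.join(path)}  {err or 'OK'}")
```

With the posted routes the inside router tries to resolve 125.209.70.89 directly on the 172.16.20.0/24 segment and nobody there owns it, so the trace stops at the first hop; the outside router has the mirror-image problem. With the suggested next-hop routes both directions go Inside > ASA > Outside and back.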
10-29-2014 03:00 AM
It pings from inside to outside but it's not pinging from outside to inside.
10-29-2014 05:41 AM
OK, add this to the ASA:
!
class-map icmp-class
match default-inspection-traffic
!
policy-map icmp_policy
class icmp-class
inspect icmp
!
service-policy icmp_policy interface outside
!
cheers,
Seb.
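What `inspect icmp` changes is that the ASA starts tracking an ICMP echo as a connection, so the matching echo reply arriving on the lower-security outside interface is accepted and un-translated back to the inside host; without it, the ASA treats ICMP statelessly and the reply has nothing to match. The following is an added toy model (mine, not the ASA's implementation and not from the thread) of that data path combined with the dynamic PAT-to-interface rule from the earlier NAT reply: an inside host's echo is translated to the outside interface address with a new ICMP identifier, and the reply is only delivered when inspection created a connection entry. Unsolicited echo from outside to an inside address is dropped in both cases because nothing (connection, xlate or access-list) permits it; pings aimed at the ASA's own interface address are not modelled. The class and helper names, the identifier pool starting at 1024, and the addresses reused from the posted configs are all assumptions.

```python
import ipaddress as ipa
from dataclasses import dataclass

@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    kind: str    # "echo" or "echo-reply"
    ident: int   # ICMP identifier; PAT rewrites it the way it rewrites a TCP/UDP port
    iface: str   # ASA interface the packet is seen on: "inside" or "outside"

class AsaIcmpPath:
    """Toy model of the ASA data path for ICMP echo: dynamic PAT of the inside
    subnet to the outside interface address, plus optional 'inspect icmp'."""
    OUTSIDE_IP = "125.209.70.90"
    PAT_NET = ipa.ip_network("172.16.20.0/24")

    def __init__(self, inspect_icmp):
        self.inspect_icmp = inspect_icmp
        self.xlates = {}        # (inside_ip, ident) -> translated ident
        self.untranslate = {}   # translated ident -> (inside_ip, ident)
        self.conns = set()      # (inside_ip, ident, peer) entries built by ICMP inspection
        self.next_ident = 1024  # assumed start of the PAT identifier pool
        self.log = []

    def forward(self, pkt):
        """Return the packet as it leaves the ASA, or None when it is dropped."""
        if (pkt.iface == "inside" and pkt.kind == "echo"
                and ipa.ip_address(pkt.src) in self.PAT_NET):
            key = (pkt.src, pkt.ident)
            if key not in self.xlates:
                self.xlates[key] = self.next_ident
                self.untranslate[self.next_ident] = key
                self.next_ident += 1
            tid = self.xlates[key]
            if self.inspect_icmp:
                self.conns.add((pkt.src, pkt.ident, pkt.dst))
            self.log.append(f"PAT {pkt.src}/{pkt.ident} -> {self.OUTSIDE_IP}/{tid}")
            return Icmp(self.OUTSIDE_IP, pkt.dst, "echo", tid, "outside")
        if pkt.iface == "outside" and pkt.kind == "echo-reply" and pkt.dst == self.OUTSIDE_IP:
            key = self.untranslate.get(pkt.ident)
            if key and self.inspect_icmp and (key[0], key[1], pkt.src) in self.conns:
                self.log.append(f"reply matched ICMP conn, untranslated to {key[0]}/{key[1]}")
                return Icmp(pkt.src, key[0], "echo-reply", key[1], "inside")
            self.log.append(f"DROP reply from {pkt.src}: no ICMP conn (inspect icmp "
                            f"{'on' if self.inspect_icmp else 'off'})")
            return None
        self.log.append(f"DROP {pkt.kind} {pkt.src}->{pkt.dst} on {pkt.iface}: "
                        "no connection, no xlate and no access-list permit")
        return None

def ping_round_trip(asa, inside_host="172.16.20.42", outside_host="125.209.70.89", ident=7):
    """Inside host pings outside host through the ASA; returns the echo reply
    delivered back to the inside host, or None if the ASA dropped it."""
    request = asa.forward(Icmp(inside_host, outside_host, "echo", ident, "inside"))
    if request is None:
        return None
    # The outside router answers the translated request: addresses swapped, identifier kept.
    reply = Icmp(request.dst, request.src, "echo-reply", request.ident, "outside")
    return asa.forward(reply)

if __name__ == "__main__":
    for flag in (False, True):
        asa = AsaIcmpPath(inspect_icmp=flag)
        result = ping_round_trip(asa)
        print(f"inspect icmp {'on ' if flag else 'off'}: reply to inside host ->", result)
        for entry in asa.log:
            print("   ", entry)
```

In the model the echo request leaves the ASA either way (the xlate is built regardless), which is why an inside host sees its packets go out but gets no replies until inspection is on. That is also the thing to check on a real box: `show xlate` and `show conn` will show the translation with and without an ICMP connection entry respectively.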
10-30-2014 04:01 AM
Even after this I couldn't telnet from inside to outside, but it's working from outside to inside.