ASA with a connection to my router into port 0 and an IP address assigned from the router.
The ASA has a subinterface assigned to port 1 with a VLAN of 100 assigned to it.
The ASA has a security context with port 0 assigned as the outside interface and with port 1.100 assigned as the inside interface.
The security context described above is set up to dish out dhcp addresses from a private address space (192.168).
A Catalyst 3500 XL switch with port 24 set up for dot1q trunking and port 1 set up with access to VLAN 100.
Now, here's what I can do so far:
I can plug a machine into port 1 of the switch and get a dhcp address from the security context configured in the ASA, so I know my VLAN trunking is working.
I can ping the inside address of the security context from my machine.
From the ASA I can ping the outside address of the security context as well as the router the ASA is connected to.
And... here's what I can't do:
I can't ping the router the ASA is connected to (which has a routable address) from my machine (which has a private address assigned to it by the security context).
I cannot get to any web sites from my machine.
I'm assuming this all has to do with me not having any NAT rules or ACLs set up in my security context. I attempted to set them up but to no avail. Can anyone give me some suggestions as to how to get this working?
Typically a PIX or ASA will allow you access to all outside IP addresses without having to NAT them (outbound traffic), as long as you either have internal routable IP addresses or you have the following command in place, which NATs all outgoing packets to the external interface IP address:
global (outside) 1 interface
PAT is now configured
You could also present your entire internal (globally routable) network addresses by configuring the following command:
the above command will allow outside addresses to reach internal addresses.
If you're on a private network, trying to ping a public network, you most likely need a couple of things:
1) make sure nat is correct
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
do a clear xlate and then try to ping again.
2) Remember that ICMP is not stateful (unless you have 'inspect icmp' in a policy-map). So an echo-request will go from high to low (inside to outside) without an ACL entry, but the reply coming back will get blocked unless there is an ACL permitting it on the outside interface.
access-list outside-test extended permit icmp any any echo-reply
access-group outside-test in interface outside
Please rate this message if it helped resolve some or all of your issue.
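The pieces from the two answers above, pulled together into one pre-8.3 ASA configuration fragment for the single security context described in the question. This is an added example, not configuration posted by anyone in the thread: the interface names, the 203.0.113.x and 192.168.1.x addresses, the DNS server and the DHCP range are constructed placeholders, and it assumes the subinterface and its VLAN 100 tag were already created and allocated to the context from the system execution space.

```cisco
! Added example (not from the thread). Run inside the security context,
! e.g. after: changeto context <context-name>   (placeholder name)
! In multiple-context mode the subinterface Ethernet0/1.100 and its VLAN tag
! are created in the system execution space; the context only names it.
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0      ! placeholder routable address
!
interface Ethernet0/1.100
 nameif inside
 security-level 100                         ! high to low = inside to outside
 ip address 192.168.1.1 255.255.255.0       ! placeholder private address
!
! Default route toward the upstream router (placeholder address)
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! DHCP for the inside hosts; hand out a DNS server as well, or clients will
! only ever be able to reach the outside world by IP address
dhcpd address 192.168.1.10-192.168.1.100 inside
dhcpd dns 203.0.113.53                       ! placeholder resolver
dhcpd enable inside
!
! Outbound PAT: every inside host leaves with the outside interface address.
! After changing these, 'clear xlate' so stale translations are dropped.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! Option A (preferred): make ICMP stateful in the default policy-map, so an
! echo-reply is admitted only when it answers an echo-request that left
! through the ASA. No inbound ACL is needed for pings with this in place.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Option B: without inspect icmp, permit replies explicitly on the outside
! interface. Limit it to echo-reply rather than opening all of ICMP inbound.
access-list outside-test extended permit icmp any any echo-reply
access-group outside-test in interface outside
```

Option A and option B both solve the ping problem; pick one. Option A is the tighter choice because it admits only replies matched to a request the ASA saw, whereas option B admits any echo-reply arriving on the outside interface regardless of whether anything inside asked for it.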
Thank you for your help, as your recommendations made it possible for me to ping my outside router on the other side of my ASA. However, now I have another question:
As I said, I can now ping the router on the outside of my ASA from a machine on the inside. However, I still cannot reach any websites on the internet. The router only allows a few IP addresses to access web content, but the IP assigned to the outside interface of my ASA is one of those addresses. If all of my private addresses are getting transformed to the outside interface IP address, shouldn't I be able to reach the internet?