01-14-2009 01:48 AM - edited 03-04-2019 12:50 AM
Hello,
I'm sure the problem is not a big one; however, I'm stuck for now.
I managed to configure an ASA 5505 under home circumstances, with an ADSL internet connection. All went smoothly: I could reach the internet, and could reach the device from the internet.
The device is deployed now in a server park, with internet connection through a fixed IP and the first hop is a switch of the ISP.
The other side is a small LAN.
I can remotely manage the device, even port forwarding works to LAN, however there is no LAN communication with the WAN. I cannot ping and/or reach anything outside.
I added one static route on the outside, pointing to my ISP switch.
On the LAN I gave the inside leg of the ASA as the default gateway.
Could someone give me some clue where to proceed?
Thank you in advance!
01-14-2009 03:11 AM
Hi,
Do you have NAT configured?
If you provide the configs, it would be easier to guide you.
Regards,
01-14-2009 03:46 AM
Hi,
Thank you for your reply!
You should be right.
In the meantime I started to compare the old "working" config and the live one, and realized that I am missing NAT.
I will give it a try late tonight and will report back.
Thanks again!
01-14-2009 03:49 AM
These are the config lines you should be looking at:
access-list NoNAT extended permit ip
nat (inside) 0 access-list NoNAT
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
Hope this helps
01-14-2009 03:57 AM
Hello,
I have only the global line, but the working config only had the nat line, nothing else.
Do I really need the above 2, you mentioned?
If so, which IP and mask - IP and mask do I need?
Thanks again!
01-14-2009 05:52 AM
Could you please post your ASA configuration? You can alter some information such as public IP addresses and so on.
Regards,
01-14-2009 05:59 AM
interface Vlan1
nameif inside
security-level 100
ip address
no shutdown
!
interface Vlan2
nameif outside
security-level 0
ip address
no shutdown
!
interface Ethernet0/0
switchport access vlan 2
no shutdown
!
interface Ethernet0/1
switchport access vlan 1
no shutdown
!
management-access inside
!
! Default route to the provider
route outside 0.0.0.0 0.0.0.0
!
! ASDM access
asdm image disk0:/asdm-611.bin
asdm history enable
!
!
! NAT Translation for Internet access
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
! NAT Exempt configuration
access-list nonat_acl extended permit ip any 192.0.0.0 255.0.0.0
nat (inside) 0 access-list nonat_acl
!
! Specification on what to encrypt
access-list outside_100_cryptomap extended permit ip
!
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map outside_map 100 match address outside_100_cryptomap
crypto map outside_map 100 set peer
crypto map outside_map 100 set pfs
crypto map outside_map 100 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
!
tunnel-group 209.235.2.6 type ipsec-l2l
tunnel-group 209.235.2.6 ipsec-attributes
pre-shared-key testtest
hope this helps
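As an added example (not code from this thread or from Cisco), a small Python lint for pre-8.3 ASA configs that catches exactly the mistake being narrowed down here: a "global (outside) N" pool with no "nat (inside) N" line sharing its ID, and a wide-open nat line worth narrowing while troubleshooting. The sample configs are constructed, and the 10.1.1.0/24 inside subnet is an assumption.

```python
import re

# Constructed sample configs (assumptions, not the poster's exact config):
# BROKEN has "global (outside) 1" with no "nat (inside) 1" partner, which is
# the state the thread ends up diagnosing; FIXED adds the missing nat line.
BROKEN_CFG = """
global (outside) 1 interface
access-list nonat_acl extended permit ip any 192.0.0.0 255.0.0.0
nat (inside) 0 access-list nonat_acl
"""
FIXED_CFG = BROKEN_CFG + "nat (inside) 1 10.1.1.0 255.255.255.0\n"

# Pre-8.3 ASA syntax: global (<ifc>) <id> <pool|interface>
#                     nat (<ifc>) <id> <net> <mask> | nat (<ifc>) 0 access-list <acl>
GLOBAL_RE = re.compile(r"^global\s+\((\S+)\)\s+(\d+)\s+(.+)$")
NAT_RE = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)\s+(.+)$")


def check_pre83_nat(config, inside="inside", outside="outside"):
    """Return findings about nat/global pairing; an empty list means inside
    hosts have a dynamic translation toward the outside interface."""
    globals_, nats = {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        m = GLOBAL_RE.match(line)
        if m:
            globals_.setdefault((m.group(1), int(m.group(2))), []).append(m.group(3))
            continue
        m = NAT_RE.match(line)
        if m:
            nats.setdefault((m.group(1), int(m.group(2))), []).append(m.group(3))

    findings = []
    # NAT ID 0 is identity/exemption and never pairs with a global pool.
    global_ids = {nid for (ifc, nid) in globals_ if ifc == outside}
    nat_ids = {nid for (ifc, nid) in nats if ifc == inside and nid != 0}
    for nid in sorted(global_ids - nat_ids):
        findings.append(f"global ({outside}) {nid} has no matching nat ({inside}) {nid}: "
                        "inside traffic is never translated, so no WAN access")
    for nid in sorted(nat_ids - global_ids):
        findings.append(f"nat ({inside}) {nid} has no matching global ({outside}) {nid}: "
                        "no address to translate to")
    for (ifc, nid), specs in nats.items():
        if ifc == inside and nid != 0 and any(s.startswith("0.0.0.0 0.0.0.0") for s in specs):
            findings.append(f"nat ({inside}) {nid} covers all sources; narrow it to the "
                            "inside subnet while troubleshooting")
    return findings
```

Run it against the output of "show running-config" to spot an unpaired global/nat ID before reaching for "show xlate" or the logs.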
01-14-2009 06:16 AM
The nat (inside) 1 0.0.0.0 0.0.0.0 should work. Just to narrow this down, I would first change the nat (inside) 1 to the inside address, such as
nat (inside) 1 10.1.1.0 255.255.255.0
Also, you might want to enable logging so that you can see what is taking place.
01-14-2009 06:22 AM
show xlate will show you the NAT translations.
01-14-2009 06:28 AM
Yes, it will, but you want to find out why the internal LAN is being blocked. I don't see a route inside command in your config, so I can only assume that the inside is on the same subnet as the VLAN1 address.
Enable logging to see why the traffic is being denied. You can use ASDM as well.
01-14-2009 06:30 AM
The route inside would depend on your network setup.
best of luck
01-14-2009 06:35 AM
Hi Pravinxyz,
I totally agree with you. I actually thought the posting was from the original poster; I didn't realize it was you replying :-)
01-14-2009 06:44 AM
Hi,
Thanks, I really appreciate your good help!
Will inform later.
01-14-2009 06:55 AM
Hi,
It is my pleasure to let you know that I inserted the single NAT line and can reach the WAN.
Thank you! You saved my day.
01-14-2009 09:48 PM
That's good.
Nice to see that it's working.