topic cannot access the internet router through ASA in Network Security

cannot access the internet router through ASA

mohamed_makled — Mon, 11 Mar 2019 13:16:54 GMT

Dear all

i have an ASA in the main site , the users in this site can access internet properly without any problems.

But after installing the firewall between the internet router and the BB switch , i cannot ping nor telnet on the internet router from my pc in the LAN.

There is a WAN router connected to a dmz interface on the ASA ( its name is wan ) . From the LAN , i can ping & telnet on the wan router but i cannot do that on the internet router.

routing on the internet router:

-------------------------------

ip route 0.0.0.0 0.0.0.0 10.82.212.169

ip route 10.1.0.0 255.255.0.0 82.35.212.169

ip route 172.18.100.0 255.255.255.0 82.35.212.169

82.35.212.169 is the outside interface of the ASA.

please find the attached files for the topology and the ASA configuration

please i need your advice.

regards

Re: cannot access the internet router through ASA

a.alekseev — Sat, 19 Jul 2008 16:55:23 GMT

can you ping the inet router from the asa?

what default gateway do you have on PC?

Re: cannot access the internet router through ASA

mohamed_makled — Sat, 19 Jul 2008 17:20:38 GMT

Dear a.alekseev

Thanks for your reply . form the ASA i can ping the internet router . Also i can ping my pc from the ASA.

From the internet router i can ping the outside interface of the ASA .

But when trying to ping my pc from the internet router i cannot & the following log appears on the ASA :

%ASA-3-305005 : No translation group found for icmp src outside:82.35.212.172 dst inside:10.1.2.48(type8,code0).

The default gateway on my pc (10.1.2.48) is the interface vlan on the BB switch (10.1.2.1) .

From my pc i can ping my gateway , the inside interface of the ASA and the outside interface of the ASA.

regards

Re: cannot access the internet router through ASA

JORGE RODRIGUEZ — Sat, 19 Jul 2008 17:51:25 GMT

you may need couple of things in your config.

in global policy add inspec icmp

i.e

policy-map global_policy

class inspection_default

inspect icmp

even though you have nat (inside) 1 0.0, you may need to explitcitly specify 10.1.0.0/16 network seating behind another L3 device behind asa in nat.

you could get 10.1.0.0/16 nated through outside interface to get to internet router using outside interface as PAT , try.

nat (inside) 1 10.1.0.0 255.255.0.0

you may also do a no nat acl to connect to internet router but preferrabe do it through interface PAT.. try that.. this would also include get you outbound internet via PAT for the 10.1.0.0/16 network.

Rgds

Jorge

Re: cannot access the internet router through ASA

mohamed_makled — Sat, 19 Jul 2008 18:02:04 GMT

Dear jorge

Thanks for your reply . i will do that and feed back you again but i need to remind you that i can ping the wan router interface from my pc which is connected to the ASA , also i can telnet on this router , why i cannot do that for the internet router???

Re: cannot access the internet router through ASA

sundar.palaniappan — Sat, 19 Jul 2008 18:07:26 GMT

Does the BB switch have a route to 82.35.212.172 or it's default route is pointing to the inside address of the ASA?

With the existing configuration you won't be able to ping from outside to inside PC. However, the configuration looks good and you should be able to ping from inside to outside as long as routing on your inside is good to the ASA.

Have you tried doing a 'clear xlate' in the ASA and test connectivity from inside to the Inetneret router?

Re: cannot access the internet router through ASA

mohamed_makled — Sat, 19 Jul 2008 18:15:27 GMT

Dear sundar

Thanks for your reply . on the BB switch there is a default route to the inside interface of the ASA only .

ip route 0.0.0.0 0.0.0.0 172.18.100.254

i do clear xlate on the ASA many times but i am still facing the same problem.

regards

Re: cannot access the internet router through ASA

sundar.palaniappan — Sat, 19 Jul 2008 18:19:29 GMT

Try this.

Do a 'debug ip icmp' on the Internet router.

Try to ping from your PC and see if the echo packets are making it to the router.

Re: cannot access the internet router through ASA

mohamed_makled — Sat, 19 Jul 2008 18:24:22 GMT

Dear sundar

ok i will do that and feedback you again.

thanks

Re: cannot access the internet router through ASA

JORGE RODRIGUEZ — Sat, 19 Jul 2008 18:42:54 GMT

Sundar , long time .. greedings!

Momahed is geting bellow message, it seems from begining of the post he is trying to ping from internet router to pc inside subnet 10.1.0.0/16,yet there is not static nat for 10.1.0.0/16 hosts nor specific rule for this. If we observe the nat statement in config for WAN router that works we see the difference.

%ASA-3-305005 : No translation group found for icmp src outside:82.35.212.172 dst inside:10.1.2.48(type8,code0).

you can do debug ip icmp as suggested , but I believe the issue is the nating , first to ping from outide ASA to inside you need some form of NATing and access rules as traffic from outside to inside is denied but in his case he is permiting icmp but there is no translations happening from outside to inside 10.1.0.0/16.

ON the other hand, local to ASA firewall it is aware of 10.1.0.0/16 but it does not know how to translate to outside when traffic is going outside internet router.

Just a thought.. do the changes step at a time.. as suggested debug ip icmp will help to see whats happening.

Rgds

Jorge

Re: cannot access the internet router through ASA

a.alekseev — Sat, 19 Jul 2008 18:58:09 GMT

But when trying to ping my pc from the internet router i cannot & the following log appears on the ASA :

%ASA-3-305005 : No translation group found for icmp src outside:82.35.212.172 dst inside:10.1.2.48(type8,code0).

This is normal.

You cannot ping internal hosts from outside because you are doing PAT.

Re: cannot access the internet router through ASA

JORGE RODRIGUEZ — Sun, 20 Jul 2008 21:34:15 GMT

Mohammed, any update with your problem? is it resolved, pls let us know.

Re: cannot access the internet router through ASA

mohamed_makled — Mon, 21 Jul 2008 11:41:00 GMT

Dear jorge

The problem is solved now and every thing is ok . The situation before the firewall that the BB switch is connected directly to the internet router , so it was must to create interface vlan on the BB for internet , it was 82.35.212.169.

After installing the firewall between the BB switch and the internet router , we must delete the above interface vlan on the BB.

now after deleting it , i can ping and telnet on the router.

i would like to thank you jorge and everyone for helping me in this issue.

Re: cannot access the internet router through ASA

sundar.palaniappan — Mon, 21 Jul 2008 13:37:37 GMT

Thanks for updating us.

That makes sense as it was a LAN routing issue.