08-26-2013 05:44 AM - edited 03-11-2019 07:30 PM
Hi,
I have this configuration on a brand new 5510 with software 8.4.1:
ASA Version 8.4(4)1
!
hostname ciscoasa
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address <PUBLIC_IP_ROUTER+2> 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.3.251 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
same-security-traffic permit intra-interface
object network OBJ_GENERIC_ALL
 subnet 0.0.0.0 0.0.0.0
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list global_access extended permit tcp 192.168.3.0 255.255.255.0 any eq https
access-list global_access extended permit tcp 192.168.3.0 255.255.255.0 any eq www
access-list global_access extended permit object-group TCPUDP 192.168.3.0 255.255.255.0 any eq domain
access-list inside_access_in extended permit object-group TCPUDP 192.168.3.0 255.255.255.0 any eq domain
access-list inside_access_in extended permit tcp 192.168.3.0 255.255.255.0 any eq www
access-list inside_access_in extended permit tcp 192.168.3.0 255.255.255.0 any eq https
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
nat (inside,outside) after-auto source dynamic any interface
access-group inside_access_in in interface inside
access-group global_access global
route inside 0.0.0.0 0.0.0.0 <PUBLIC_IP_ROUTER> 1
My problem is that I cannot get to the internet (i.e. surf a web site). I have 8 public IPs, from <PUBLIC_IP_ROUTER> -1 to <PUBLIC_IP_ROUTER> +7: with an 8.2 firewall on the same public IP I can access the internet, but with this one there is no way.
I suspect a NAT problem, since it's changed a lot, but I don't know how to debug it / what's wrong.
Can you help me please?
Thanks in advance.
Ciao
08-26-2013 05:48 AM
Hi,
You have the wrong interface specified in the Default Route
no route inside 0.0.0.0 0.0.0.0 <PUBLIC_IP_ROUTER> 1
Use this instead
route outside 0.0.0.0 0.0.0.0 <PUBLIC_IP_ROUTER> 1
- Jouni
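As an added example (not from this thread or from Cisco), a small Python check that parses the interface stanzas and static routes of an ASA config and flags any route whose next hop is not on the subnet of the interface it names, which is exactly the mistake in the posted default route. The sample config is constructed from the thread with the <PUBLIC_IP_ROUTER> placeholders replaced by the 203.0.113.0/29 documentation range.

```python
import ipaddress
import re
# Constructed sample: the thread's config with <PUBLIC_IP_ROUTER> replaced by the
# 203.0.113.0/29 documentation range (router .1, ASA outside .3), route as posted.
SAMPLE_CONFIG = """
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.3 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.3.251 255.255.255.0
!
route inside 0.0.0.0 0.0.0.0 203.0.113.1 1
"""

def parse_interfaces(config):
    """Map each nameif to its IPv4Interface (address plus mask)."""
    ifaces, name, addr = {}, None, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            name, addr = None, None  # new stanza
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address "):
            ip, mask = line.split()[2:4]
            addr = ipaddress.IPv4Interface(f"{ip}/{mask}")
        if name and addr:
            ifaces[name] = addr
    return ifaces

def check_routes(config):
    """Flag static routes whose next hop is not on the named interface's subnet."""
    ifaces = parse_interfaces(config)
    problems = []
    for line in config.splitlines():
        m = re.match(r"\s*route (\S+) (\S+) (\S+) (\S+)", line)
        if not m:
            continue
        nameif, gw = m.group(1), ipaddress.IPv4Address(m.group(4))
        iface = ifaces.get(nameif)
        if iface is not None and gw in iface.network:
            continue  # next hop is on-link for the named interface
        on_link = [n for n, i in ifaces.items() if gw in i.network]
        hint = f"; it is on-link via {on_link[0]}" if on_link else ""
        problems.append((line.strip(), f"{gw} is not on {nameif}{hint}"))
    return problems
```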
08-26-2013 06:04 AM
You're right (I'm a chump!) but still no way.
Any hint?
BTW
I have an 8.2 NAT that says (and works):
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
This should translate into 8.4.1 as:
object network OBJ_GENERIC_ALL
 subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic OBJ_GENERIC_ALL
but this gives me an error with the caret pointing to the "d" of "dynamic".
What's wrong???
Ciao and thanks
08-26-2013 06:11 AM
Hi,
You basically already had a Dynamic PAT configuration in the above configuration
nat (inside,outside) after-auto source dynamic any interface
This should do Dynamic PAT for "any" source address behind "inside" interface.
There is also a problem with your above example
You are trying to use the "object" you just created as the "object" that defines the NAT IP address.
I would suggest using the already existing NAT configuration
nat (inside,outside) after-auto source dynamic any interface
One other thing comes to mind though. Are you saying that you have an older firewall that you have replaced with this one, OR are we talking about the same device with newer software?
If we are talking about a different device completely, THEN you should take into consideration that while your public IP address stays the same, the change in the actual physical device holding the public IP address causes a change to the ARP (IP paired to the device MAC address), and it might be that the upstream router still has the old device's MAC address in its ARP table.
If this is the case, you do have the option to actually configure the old firewall's WAN port MAC address (shown with the "show interface" command) on the new firewall's WAN port and this way avoid any problems with ARP.
- Jouni
08-26-2013 06:13 AM
My mistake. It works.
Thanks!!!!