ASA5506 second network cannot reach internet

I have a development network that functions through another router inside the network. That internal dev network cannot reach the internet; however, you can ping, telnet, etc. to or from it. I include a simple network diagram, sho route, sho ver and sho nat.

I have attempted several NAT statements in the ASA5506 to allow 10.1.1.0 network internet capability but have not been successful. Any suggestions on what I am not doing correctly?

Thanks

3 Replies

Rahul Govindan (VIP Alumni)

Your NAT rule looks right. What I think might be a problem is the route for the 10.1.1.0 network.

You have 10.1.0.0 255.255.192.0 reachable via 10.2.1.254. The ASA will then try to find a route for 10.2.1.254, which is pointing to the default gateway on the outside. Shouldn't you have a route for the 10.1.1.0 pointing to the 10.8.31.1 ip address on your core switch?

When you mentioned you could ping, telnet etc, did you mean between the ASA and that network or from elsewhere?

Also, you can run a packet tracer as below to check what your ASA does for this traffic:

packet-tracer input inside tcp 10.1.1.1 12345 4.2.2.2 80 detailed
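The recursive next-hop lookup described above, as an added example that is not part of the thread or of Cisco's own tooling: a small longest-prefix-match model that follows a static route's next hop until it lands on a connected network and reports whether that egress interface agrees with the interface named in the route. The inside subnet 10.8.31.0/24 and the outside network 203.0.113.0/24 with gateway 203.0.113.1 are assumptions, not values from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str                             # interface named in the route
    next_hop: Optional[ipaddress.IPv4Address]  # None means directly connected

def R(prefix: str, iface: str, nh: Optional[str] = None) -> Route:
    return Route(ipaddress.IPv4Network(prefix), iface,
                 ipaddress.IPv4Address(nh) if nh else None)

def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match over the table, as 'show route' would be consulted."""
    addr = ipaddress.IPv4Address(dst)
    hits = [r for r in table if addr in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen) if hits else None

def resolve_egress(table: List[Route], dst: str, max_depth: int = 8) -> Optional[dict]:
    """Follow next hops until a connected route is reached. Reports the interface
    the first matching route names, the interface the next hop really resolves to,
    and whether they agree. Returns None for no route or a resolution loop."""
    first = lookup(table, dst)
    route, hops = first, []
    for _ in range(max_depth):
        if route is None:
            return None
        if route.next_hop is None:             # connected network: resolution ends
            return {"configured": first.interface, "egress": route.interface,
                    "hops": hops, "consistent": first.interface == route.interface}
        hops.append(str(route.next_hop))
        route = lookup(table, str(route.next_hop))
    return None

# Constructed tables. Connected networks and the outside gateway are assumptions.
CONNECTED = [R("10.8.31.0/24", "inside"), R("203.0.113.0/24", "outside"),
             R("0.0.0.0/0", "outside", "203.0.113.1")]
# Original static: 10.1.0.0/18 via 10.2.1.254, a next hop not on the inside subnet.
ORIGINAL = CONNECTED + [R("10.1.0.0/18", "inside", "10.2.1.254")]
# Corrected statics from the follow-up post, all via the core switch 10.8.31.1.
CORRECTED = CONNECTED + [R(p, "inside", "10.8.31.1") for p in
                         ("10.1.1.0/24", "10.2.1.0/24", "10.8.0.0/16", "172.16.1.0/24")]

if __name__ == "__main__":
    for name, table in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(name, resolve_egress(table, "10.1.1.1"))
```

With the original table the next hop 10.2.1.254 falls through to the default route and resolves out the outside interface, so the route named "inside" is inconsistent; with the corrected table it resolves via the connected inside network.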

Thanks for your suggestions.

I had originally included route inside 10.1.1.0 255.255.255.0 10.2.1.254 1 because that was the next hop to the 10.1.1.0 network. 

10.2.1.254 is a port on 10.8.31.1, and that port is connected to 10.1.1.1 on the inside router of the dev network.

I have updated the static routes to the following:

route inside 10.1.1.0 255.255.255.0 10.8.31.1 1

route inside 10.2.1.0 255.255.255.0 10.8.31.1 1

route inside 10.8.0.0 255.255.0.0 10.8.31.1 1

route inside 172.16.1.0 255.255.255.0 10.8.31.1 1

I attach the packet-tracer PDF, which was taken after the static route updates.

You are correct. When inside the ASA I can ping the 10.1.1.0 and 10.2.1.0 networks.

Still, the 10.1.1.0 network cannot reach the internet. Inside that 2821 I am not performing any NAT statements.

Static routes in the 2821 inside development router are as follows:

ip route 0.0.0.0 0.0.0.0 172.16.1.1

ip route 0.0.0.0 0.0.0.0 10.8.36.1 200

ip route 10.8.32.20 255.255.255.255 10.8.36.1

172 is for external SIP, .20 is for the CUCM PUB, and 0.0.0.0 0.0.0.0 10.8.36.1 200 is to get everything else to the main L2 device that is directly connected to the ASA.

Thanks to all for your suggestions.

I went over and over the ASA setup and could not find anything. We decided to upgrade ASDM and FirePower. During that process we noticed DNS still did not work with ASA removed. Then I looked at the DNS primary and secondary addresses and they were wrong on the development server that places such info on DHCP requests.

One fat finger can ruin the whole bunch.

After that discovery we determined that web traffic was not checked on the development network after ASA integration. So we thought the ASA was the root problem. It turned out internet traffic never worked on the development network.

Thanks to your input; it made us look deeper into the network.
