08-04-2015 03:53 AM - edited 03-11-2019 11:22 PM
Hi,
I'm using a lab with an ASA5520, image v8.4, and I'm trying to set up basic connectivity between inside and outside. The host inside should be able to ping the host outside.
Host inside IP address: 192.168.0.2
Host outside IP address: 10.0.0.2
Each host can ping its own gateway (x.x.x.1).
I configured the IPs of each interface and named them:
interface GigabitEthernet0
nameif outside
security-level 0
ip address 10.0.0.1 255.0.0.0
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet2
nameif dmz
security-level 50
ip address 192.168.1.1 255.255.255.0
I have set up NAT:
object network inside_pat
subnet 192.168.0.0 255.255.255.0
object network inside_pat
nat (inside,outside) dynamic interface
...I also tried with
object network inside_pat
nat (inside,outside) static 10.0.0.1
I have defined a default route:
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
And finally, quite helplessly, I tried to permit any (in case an ACL denied my traffic):
access-list outside standard permit any
access-list inside standard permit any
So... what am I doing wrong?
Thanks in Advance
08-04-2015 05:24 AM
Hi,
Could you post a brief network topology?
You'll probably need an identity NAT for the 'inside' subnet to be able to talk to your 'outside' subnet.
object network INSIDE-SUBNET
subnet 192.168.0.0 255.255.255.0
object network INSIDE-IDENTITY-NAT
subnet 192.168.0.0 255.255.255.0
nat (inside,outside) static INSIDE-SUBNET
Also, the static default route should be pointed to a next-hop layer 3 IP and NOT to the exit IP of the ASA:
route outside 0.0.0.0 0.0.0.0 <NEXT HOP IP>
08-04-2015 09:04 AM
08-05-2015 05:06 AM
I have checked your suggestions, but this didn't solve my issue.
Here is the ASA config:
interface GigabitEthernet0
nameif outside
security-level 0
ip address 10.0.0.1 255.0.0.0
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet2
nameif dmz
security-level 50
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
object network INSIDE-SUBNET
subnet 192.168.0.0 255.255.255.0
object network INSIDE-IDENTITY-NAT
subnet 192.168.0.0 255.255.255.0
access-list outside standard permit any
access-list inside standard permit any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network INSIDE-IDENTITY-NAT
nat (inside,outside) static INSIDE-SUBNET
route outside 0.0.0.0 0.0.0.0 10.0.0.2 1
192.168.0.2 can ping gateway 192.168.0.1, but not 10.0.0.1 or 10.0.0.2
Any other suggestions?
Thanks in advance
08-05-2015 05:25 AM
Hi,
You could first check if the ASA sees anything on the "outside" interface regarding ARP
show arp | inc outside
Confirm that you can see the gateway IP address 10.0.0.2 there. If not, you can try to ping it from the ASA and then check the output of the above command again. If you cannot see anything yet, then there is some problem between the ASA and the device behind the "outside" interface.
You have also changed your original Dynamic PAT to Identity NAT. Though if you don't want any NAT on the ASA, then you could simply leave out all NAT configurations. You would not need an Identity NAT at all. You will need it only if you have some broader Dynamic NAT/PAT configurations that would match the traffic otherwise.
Since you now have Identity NAT, are you sure your device behind "outside" interface has a route that will forward traffic to the subnet 192.168.0.0/24 through the IP address 10.0.0.1 which is the ASA?
With the Dynamic PAT this route would not be needed, as all user traffic would be PATed to the ASA "outside" interface IP address, and as this belongs to the directly connected network between the ASA and the other device, that other device would naturally know where to forward the traffic. I would personally not use a 10.0.0.0/8 network on a single interface but rather a subnet. Even in a LAB environment.
You could also check the output of the "show run policy-map" configuration. Check the output to see if there are "inspect icmp" and "inspect icmp error" configurations. If not, then you should add them under the configuration mode that the other "inspect" commands are in.
- Jouni
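The two addressing mistakes raised in this thread (a default route whose next hop is the ASA's own interface address, and a /8 mask on a single interface) are easy to catch mechanically before bringing a lab box up. The following is an added example, not code from the thread or from Cisco; it lints a constructed, abbreviated copy of the first posted config.

```python
import ipaddress
import re

# Constructed sample: the essential interface and route lines of the first config posted above.
ASA_CONFIG = """\
interface GigabitEthernet0
 nameif outside
 ip address 10.0.0.1 255.0.0.0
interface GigabitEthernet1
 nameif inside
 ip address 192.168.0.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
"""

def parse_interfaces(config):
    """Return {nameif: ip_interface} for every named interface that has an address."""
    ifaces, name, addr = {}, None, None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            name, addr = None, None          # new interface stanza, forget the previous one
        elif s.startswith("nameif "):
            name = s.split()[1]
        elif s.startswith("ip address "):
            _, _, ip, mask = s.split()[:4]   # dotted mask, as the ASA prints it
            addr = ipaddress.ip_interface(f"{ip}/{mask}")
        if name and addr:
            ifaces[name] = addr
    return ifaces

def parse_routes(config):
    """Return [(nameif, destination network, next hop)] for each static 'route' line."""
    routes = []
    for m in re.finditer(r"^route (\S+) (\S+) (\S+) (\S+)", config, re.M):
        nameif, net, mask, nh = m.groups()
        routes.append((nameif, ipaddress.ip_network(f"{net}/{mask}"), ipaddress.ip_address(nh)))
    return routes

def lint(config):
    """Flag next hops that are the ASA itself or off-subnet, and overly wide interface masks."""
    findings = []
    ifaces = parse_interfaces(config)
    own_ips = {str(i.ip) for i in ifaces.values()}
    for nameif, net, nh in parse_routes(config):
        if str(nh) in own_ips:
            findings.append(f"route {net} via {nh}: next hop is the ASA's own {nameif} address")
        elif nameif in ifaces and nh not in ifaces[nameif].network:
            findings.append(f"route {net} via {nh}: next hop not on {nameif} subnet {ifaces[nameif].network}")
    for nameif, itf in ifaces.items():
        if itf.network.prefixlen < 16:
            findings.append(f"{nameif}: /{itf.network.prefixlen} mask on a single interface, use a smaller subnet")
    return findings
```

Running lint(ASA_CONFIG) reports the self-pointing default route and the /8 outside mask; pointing the route at 10.0.0.2 clears the first finding only.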