Cisco ASA5510 / NAT / ICMP / PPPOE

ie.mustafa
Level 1

Hello people,

Help please

I have a simple setup, as explained in the attached diagram and ASA config:

LAN-->L3 SW 3750G-->ASA5510-->Eclipse modem-->PPPOE

- No subnet on the LAN can ping the ASA outside interface or any public IP (even after I apply ACL, NAT, ICMP... please see attached)

- No device on the Internet can ping my ASA outside interface (even after I allow everything... please see attached)

- If I replace my ASA with a normal small router (Netgear), I can ping the router's public IP from the Internet

Please find attached the config and debug for the ASA.

Any help will be much appreciated

Regards


4 Replies

Jouni Forss
VIP Alumni

Hi,

You won't be able to ICMP the "WAN" interface from behind the "INSIDE" interface. This is not possible with any configuration. You can only send ICMP to the interface "WAN" from behind that interface.

For the "WAN" interface to reply to ICMP from the Internet, please add

icmp permit any echo WAN

The traffic from "INSIDE" to "WAN" is blocked by this misconfigured route. Remove it:

no route INSIDE 0.0.0.0 0.0.0.0 10.15.15.1 1

If you have several networks behind the "INSIDE" interface, then use other routes for them, not the default route. The default route should point towards the "WAN" link.

Hope this helps

- Jouni

Hi Jouni,

Thanks for your help.

Here is what I did:

- I added icmp permit any echo WAN, which lets me ping my WAN from the Internet (perfect, thanks)

- I removed route INSIDE 0.0.0.0 0.0.0.0 10.15.15.1 1 and advertised the connection between the ASA and the switch by EIGRP, as shown in the config

- I applied the NAT/PAT

Result:

- From any subnet on the LAN I can ping the ASA inside interface

- I can ping the ASA WAN from the Internet

- I can't ping the outside world / Internet, even though packet tracer shows it's allowed

- I can't get Internet access

Not sure whether I need to redistribute the EIGRP.

Config attached

Thanks

Hi,

How does the routing tables look?

Does ASA have routes for the LAN networks and does the L3 Switch have default route towards the ASA?

If the ASA and L3 switch are the only routing devices in your network, then you don't really need to run a dynamic routing protocol in the network.

With static routes configured you would need

ASA

route INSIDE 192.168.0.0 255.255.255.0 10.15.15.1

route INSIDE 192.168.1.0 255.255.255.0 10.15.15.1

route INSIDE 192.168.2.0 255.255.255.0 10.15.15.1

route INSIDE 192.168.3.0 255.255.255.0 10.15.15.1

route INSIDE 192.168.14.0 255.255.255.0 10.15.15.1

route INSIDE 10.4.0.0 255.255.255.0 10.15.15.1

route INSIDE 10.0.0.0 255.255.255.0 10.15.15.1

L3 Switch

ip route 0.0.0.0 0.0.0.0 10.15.15.2

To enable Dynamic PAT for all internal networks on the ASA you could add

nat (INSIDE,WAN) after-auto source dynamic any interface

- Jouni
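The routing point in Jouni's two replies (the default route pointing back into the LAN versus per-network static routes plus a default towards the WAN link), shown as an added example that is not part of the original thread and is not Cisco code: a constructed Python model that applies longest-prefix match to the two routing tables and reports which egress interface each one picks for a packet from the LAN towards the Internet. Interface names, LAN networks and 10.15.15.x addresses are the ones quoted in the thread; the WAN next hop ("pppoe-peer"), the test destinations and the lookup/forward functions are assumptions made for the example.

```python
import ipaddress

# Constructed model, added as an example; not ASA code and not from the thread.
# Interface names and addresses are the ones quoted in the thread; the WAN
# next hop ("pppoe-peer") is an assumed placeholder for the PPPoE peer.

INSIDE_LINK = "10.15.15.0/24"   # ASA (10.15.15.2) to L3 switch (10.15.15.1)
L3_SWITCH = "10.15.15.1"

# Each route: (destination network, egress interface, next hop, metric)
BROKEN_ROUTES = [
    (INSIDE_LINK, "INSIDE", "connected", 0),
    ("0.0.0.0/0", "INSIDE", L3_SWITCH, 1),   # the misconfigured default route
]

LAN_NETS = ["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24",
            "192.168.3.0/24", "192.168.14.0/24", "10.4.0.0/24", "10.0.0.0/24"]

FIXED_ROUTES = [(INSIDE_LINK, "INSIDE", "connected", 0)]
FIXED_ROUTES += [(net, "INSIDE", L3_SWITCH, 1) for net in LAN_NETS]
FIXED_ROUTES.append(("0.0.0.0/0", "WAN", "pppoe-peer", 1))   # default towards the WAN link


def lookup(routes, dst):
    """Longest-prefix match, ties broken by the lowest metric.

    Returns (egress interface, next hop) or None when nothing matches.
    """
    ip = ipaddress.ip_address(dst)
    best = None
    for net, iface, next_hop, metric in routes:
        network = ipaddress.ip_network(net)
        if ip in network:
            rank = (network.prefixlen, -metric)
            if best is None or rank > best[0]:
                best = (rank, iface, next_hop)
    return None if best is None else (best[1], best[2])


def forward(routes, ingress, dst, nat_pairs=(("INSIDE", "WAN"),)):
    """Model the firewall's decision for one packet arriving on `ingress`.

    A packet whose egress interface equals its ingress interface is a hairpin.
    The ASA drops those unless "same-security-traffic permit intra-interface"
    is configured, which this thread does not do, so the model reports a drop.
    The (INSIDE,WAN) dynamic PAT rule from the thread only applies when the
    packet really crosses from INSIDE to WAN.
    """
    route = lookup(routes, dst)
    if route is None:
        return {"egress": None, "next_hop": None, "pat": False,
                "verdict": "drop (no route)"}
    egress, next_hop = route
    if egress == ingress:
        return {"egress": egress, "next_hop": next_hop, "pat": False,
                "verdict": "drop (hairpin on %s)" % ingress}
    return {"egress": egress, "next_hop": next_hop,
            "pat": (ingress, egress) in nat_pairs, "verdict": "forward"}


if __name__ == "__main__":
    for name, table in (("broken", BROKEN_ROUTES), ("fixed", FIXED_ROUTES)):
        print(name, "LAN host -> Internet:", forward(table, "INSIDE", "198.51.100.1"))
        print(name, "Internet -> LAN host:", forward(table, "WAN", "192.168.3.7"))
```

With the broken table the only match for an Internet destination is the default route, whose next hop sits on INSIDE, so the packet would have to leave the interface it arrived on and the (INSIDE,WAN) PAT rule never applies; with the fixed table the same packet resolves to WAN and is translated, while return traffic for 192.168.3.7 resolves to the L3 switch over INSIDE.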

Thanks Jouni,

It worked; it was a routing issue.

ASA

route INSIDE 10.4.0.0 255.255.255.0 10.15.15.1

L3 Switch

ip route 0.0.0.0 0.0.0.0 10.15.15.2

Thanks, much appreciated.
