07-19-2011 07:04 AM - edited 03-11-2019 02:00 PM
I am attaching a basic diagram of what I am trying to do, but I will try and explain in detail in the post.
I have an AT&T Router that is my gateway to the internet, I have no access to it. I do have the inside ip address of it which is on my private LAN. Just for shiggles we will call it 10.25.240.1 255.255.248.0. That is my gateway address for all of my current devices.
I have this shiny new ASA that I want to throw in there to eliminate a proventia and a sidewinder.
The diagram shows two stacks, these are my virtual server clusters with 3560X switches with the vlans configured, and several more switches all configured with vlan 832, connected to a 2950, which is connected to my internal 2600 router. I have 4 Vlans running on 4 different ip ranges, all controlled by the internal router, with only one vlan, let's say 832, that is trunked to the outside world. That vlan has the 172.16.1.x 255.255.0.0 network attached to it. All is well, and traffic is routing behind the internal router, but I cannot seem to figure out how to get the traffic to pass through the ASA.
Gateway 10.25.240.1
Outside of the ASA 10.25.240.25
Inside of the ASA 172.16.1.25
Eth0/0 on the router 172.16.1.1
Eth0/0.1 on the router 172.16.1.2 832
Encapsulation is dot1q
This might be just a bunch of babble, if you need more information just let me know what to throw at you.
Crash
07-19-2011 10:52 AM
Hi David,
Great!!! This is definitely progress here.
You would not be able to ping the outside interface, default behavior of the ASA (remote interfaces are not pingable), but yes, the DG should ping from the PC.
OK, now let's take captures and logs on the ASA.
First of all, you need to configure this on the ASA:
logging enable
logging buffered 7
and then for captures:
Let's say your PC ip is 172.16.1.1,
access-list cap permit ip host 172.16.1.1 host 10.25.240.1
access-list cap permit ip host 10.25.240.1 host 172.16.1.1
access-list cap permit ip host 10.25.240.25 host 10.25.240.1
access-list cap permit ip host 10.25.240.1 host 10.25.240.25
cap capin access-list cap interface inside
cap capo access-list cap interface outside
and also enable the debugs:
debug icmp trace
and after enabling the logs, captures and debugs, initiate pings from PC and collect these outputs.
Debugs would pop up themselves
For logs, do "show logging" and copy the ping traffic logs
For captures do "show cap capin" and "show cap capo"
Kindly provide these.
Thanks,
Varun
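An added example, not from this thread or from Cisco: a small Python helper that reads the "show cap capin" and "show cap capo" output described above and names the first hop where the ping goes missing, which is the reasoning Varun applies by hand. The capture text is constructed to match David's symptom, and parse_capture / diagnose are hypothetical helper names.

```python
import re

# ASA "show cap <name>" prints one tcpdump-style line per packet; this regex
# picks out the ICMP echo lines that the thread's capture ACL matches.
CAP_LINE = re.compile(
    r"^\s*\d+:\s+[\d:.]+\s+(?P<src>[\d.]+)\s*>\s*(?P<dst>[\d.]+): icmp: echo (?P<kind>request|reply)"
)

def parse_capture(text: str) -> list:
    """Return [{'src','dst','kind'}] for each ICMP echo line in the capture text."""
    return [m.groupdict() for m in map(CAP_LINE.match, text.splitlines()) if m]

def diagnose(capin: str, capo: str, pc: str, nat_ip: str, gw: str) -> str:
    """Follow one ping PC -> inside -> (PAT to nat_ip) -> outside -> gw and back,
    and report the first point where the captures show the packet missing."""
    inside, outside = parse_capture(capin), parse_capture(capo)

    def seen(pkts, src, dst, kind):
        return any(p["src"] == src and p["dst"] == dst and p["kind"] == kind for p in pkts)

    if not seen(inside, pc, gw, "request"):
        return "no request from PC on inside: check the switch route to the ASA inside"
    if not seen(outside, nat_ip, gw, "request"):
        return "request hit inside but never left outside: NAT or default route"
    if not seen(outside, gw, nat_ip, "reply"):
        return "request left outside but no reply from gateway: upstream"
    if not seen(inside, gw, pc, "reply"):
        return "reply reached outside but not inside: check the out_in access-list"
    return "ping path is complete end to end"

# Constructed capture output matching David's symptom: requests arrive on the
# inside interface, nothing ever appears on outside.
CAPIN = """3 packets captured
   1: 10:52:13.567120       172.16.1.1 > 10.25.240.1: icmp: echo request
   2: 10:52:14.568411       172.16.1.1 > 10.25.240.1: icmp: echo request
   3: 10:52:15.569903       172.16.1.1 > 10.25.240.1: icmp: echo request
"""
CAPO = "0 packets captured\n"

if __name__ == "__main__":
    print(diagnose(CAPIN, CAPO, "172.16.1.1", "10.25.240.25", "10.25.240.1"))
```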
07-19-2011 08:34 AM
Hi David,
OK just for starters, we would need to put some basic config on the firewall and then move on to each requirement:
int eth0/1
ip address 10.25.240.25 255.255.255.0
nameif outside
no shut
int eth0/0
ip add 172.16.1.1 255.255.255.0
nameif inside
no shut
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface -----> these statements would NAT the inside traffic to the internet router
route outside 0.0.0.0 0.0.0.0 10.25.240.1 1 -----> DG on the ASA
access-list out_in permit icmp any any
access-group out_in in interface outside -------------> to allow ping replies and requests from outside interface
icmp permit any inside ----------------> to allow ping to firewall inside
This should be the basic for pinging interfaces on the firewall and pinging the router.
Let's do this first and then move on to the next issue. Could you also post an output of "show tech-support" from the ASA?
Thanks,
Varun
07-19-2011 09:33 AM
07-19-2011 09:42 AM
Hi David,
I am not sure about this config, you have no ip address assigned on the inside interface:
interface Ethernet0/0
nameif inside
security-level 100
no ip address
But you have one on management interface:
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
Could you verify which interfaces you have configured?
-Varun
07-19-2011 09:48 AM
Oops, that should be
int e0/0
ip address 10.25.240.248 255.255.255.0
07-19-2011 09:50 AM
I am all confused now
inside 10.25.241.1
outside 10.25.240.248
default gateway 10.25.240.1
07-19-2011 10:04 AM
Hi David,
Well, don't worry, let's not get confused. You're doing everything right until now, so now moving ahead:
int eth0/1
ip address 10.25.241.25 255.255.255.0
nameif inside
no shut
int eth0/0
ip add 10.25.240.248 255.255.255.0
nameif outside
no shut
* Remember these no shut commands are very important, as they would bring the firewall interfaces up.
Now try pinging again, first ping interface 10.25.241.25 from the computer, it should be successful.
Then try pinging your DG 10.25.240.1, that should also be successful, but if not, let's take captures on the ASA. You would need to tell me the ip address of the computer from where you are pinging and I'll let you know the capture commands.
Thanks,
Varun
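An added example, not from this thread or from Cisco: a Python checker for the running-config defects Varun raises in his posts above (an interface with no ip address or nameif, an interface never brought up with no shut, a nat statement with no matching global, and no default route). The config text is constructed from lines in this thread, and parse_interfaces / check_config are hypothetical helper names.

```python
import re

# Constructed sample from the thread: David's inside interface with "no ip
# address", a "shutdown" on outside, the nat line without its global, the route.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif inside
 no ip address
interface Ethernet0/1
 nameif outside
 ip address 10.25.240.248 255.255.255.0
 shutdown
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 10.25.240.1 1
"""

def parse_interfaces(config: str) -> dict:
    """Collect nameif / ip address / shutdown per 'interface' block."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"nameif": None, "ip": None, "shutdown": False}
        elif current is None or not raw.startswith(" "):
            current = None  # top-level line: the interface block has ended
        elif line.startswith("nameif "):
            interfaces[current]["nameif"] = line.split(None, 1)[1]
        elif line.startswith("ip address "):
            interfaces[current]["ip"] = line.split()[2]
        elif line == "shutdown":
            interfaces[current]["shutdown"] = True
    return interfaces

def check_config(config: str) -> list:
    """Report the defects raised in the thread, in config order."""
    problems = []
    for name, p in parse_interfaces(config).items():
        for key, msg in (("nameif", "no nameif"), ("ip", "no ip address")):
            if p[key] is None:
                problems.append(f"{name}: {msg}")
        if p["shutdown"]:
            problems.append(f"{name}: shutdown (needs 'no shut')")
    # Every "nat (inside) N ..." needs a "global (outside) N ..." with the same id.
    nat_ids = set(re.findall(r"^nat \(\S+\) (\d+) ", config, re.M))
    global_ids = set(re.findall(r"^global \(\S+\) (\d+) ", config, re.M))
    for nid in sorted(nat_ids - global_ids):
        problems.append(f"nat id {nid}: no matching global statement")
    if not re.search(r"^route \S+ 0\.0\.0\.0 0\.0\.0\.0 \S+", config, re.M):
        problems.append("no default route")
    return problems
```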
07-19-2011 10:35 AM
Ok, progress is being made. I can, from the ASA now ping the DG. I can ping the inside address only if I am plugged directly into the eth0/1 port on the back of the ASA. I did a wr er reload on my switch, and I can now ping the inside interface from the switch. But I cannot get the outside interface or the DG from the PC.
Attaching new run and tech support files
07-19-2011 11:21 AM
07-19-2011 11:30 AM
Hi David,
Did you try pinging after enabling these commands? If yes, I do not see any packets on the firewall arriving, so do we have a route on the switch for directing all the traffic to the ASA inside interface?
Thanks,
Varun
07-20-2011 06:20 AM
Yeppers, I ran a ping for about 10 minutes. Ran packet tracer, and it seems that the NAT is where it is failing. Result: Packet Dropped.
David
07-20-2011 06:38 AM
OK, so can you provide those packet captures and the logs that you get on the firewall?
I need to check which nat is failing. Please provide the latest show run as well.
-Varun
07-20-2011 07:58 AM
I have resorted to the BFH configuration method. Big Freaking Hammer!
07-20-2011 08:20 AM
Lol