06-25-2013 03:30 PM - edited 03-11-2019 07:02 PM
I can't believe this is stumping me and I know the answer will result in a major face-palm, but I'm getting dizzy from running in circles... This is as basic as it gets and from everything I've read, this config should work as is (without requiring an access-list to surf from the inside vlan). Packet-tracer shows DROP from the implicit rule, but I can't figure out why since it's traffic from a low to high security level....
Issue:
Unable to route from inside vlan to outside/internet
Physical Setup (from LANs to Internet):
ASA5505 Eth0/0 to Soho Router (w/ wireless).
Soho Router to ISP modem.
Logical:
Soho Router:
Wan IP: x.x.x.x
LAN IP: 192.168.2.x /24 [dhcp range 1-128].
ASA Config:
ASA Version 8.4(6)
!
hostname HOME-LAB
enable password QgAPCjD3jLFbKB5Z encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 10
!
interface Ethernet0/1
switchport access vlan 20
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan10
nameif outside
security-level 0
ip address 192.168.2.254 255.255.255.0
!
interface Vlan20
nameif inside
security-level 100
ip address 10.2.2.1 255.255.255.0
!
ftp mode passive
object network inside-net
subnet 10.2.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network inside-net
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
! ----- output omitted -----!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
============
Packet-tracer:
HOME-LAB# packet-tracer input inside icmp 10.2.2.1 0 0 1 192.168.2.1
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.2.0 255.255.255.0 outside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
=======================
Thanks in advance for your time!
06-25-2013 03:42 PM
Added notes: outside route works fine, and NAT appears to be properly configured...
---- output -----
HOME-LAB# sh nat trans int outside det
Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic inside-net interface
translate_hits = 1366, untranslate_hits = 0
Source - Origin: 10.2.2.0/24, Translated: 192.168.2.254/24
HOME-LAB# ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/28/40 ms
06-25-2013 06:28 PM
Config issue resolved....
For some reason it didn't like my nat statement:
Was within the object group 'inside-net':
nat (inside,outside) dynamic interface
Changed to:
nat (inside,outside) source dynamic inside-net interface
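As an added example (written for this page, not code from the thread or from Cisco), the script below parses the kind of ASA config fragments posted above and replays the first two packet-tracer phases seen in the first post: the route lookup and the implicit interface-security rule (with no access-group bound to the ingress interface, an ASA only lets a flow start from a higher security level towards a lower one). It then looks for a NAT rule covering the source and accepts both spellings used in the thread, the object (auto) NAT form and the `nat (inside,outside) source dynamic ... interface` manual form, showing that both translate the inside subnet to the outside interface address. The sample config is constructed from the posted one, the ACL phase is only reported (ACL contents are not evaluated), and the warning about testing from the firewall's own interface address is the author's own note, not something the thread states.

```python
"""Minimal ASA-style flow checker (constructed example, not Cisco code)."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field

# Constructed sample modelled on the thread's config (addresses match the post).
SAMPLE_CONFIG = """\
interface Vlan10
 nameif outside
 security-level 0
 ip address 192.168.2.254 255.255.255.0
!
interface Vlan20
 nameif inside
 security-level 100
 ip address 10.2.2.1 255.255.255.0
!
object network inside-net
 subnet 10.2.2.0 255.255.255.0
!
object network inside-net
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
"""

# Same config with the manual (twice) NAT spelling from the final post.
SAMPLE_CONFIG_MANUAL_NAT = SAMPLE_CONFIG.replace(
    "object network inside-net\n nat (inside,outside) dynamic interface",
    "nat (inside,outside) source dynamic inside-net interface")

@dataclass
class Interface:
    name: str
    security_level: int = 0
    address: ipaddress.IPv4Interface | None = None

@dataclass
class NatRule:
    real_ifc: str; mapped_ifc: str; real_obj: str; mapped: str; kind: str

@dataclass
class Config:
    interfaces: dict = field(default_factory=dict)    # nameif -> Interface
    objects: dict = field(default_factory=dict)       # object name -> IPv4Network
    nat_rules: list = field(default_factory=list)
    routes: list = field(default_factory=list)        # (network, out ifc, gateway)
    access_groups: dict = field(default_factory=dict) # ifc -> ACL name

def parse_config(text: str) -> Config:
    cfg, ctx = Config(), None          # ctx: current interface/object block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        p = line.split()
        if p[0] == "interface":
            ctx = ("interface", Interface(name=p[1]))
        elif p[0] == "object" and p[1] == "network":
            ctx = ("object", p[2])
        elif p[0] == "route":
            cfg.routes.append((ipaddress.IPv4Network(f"{p[2]}/{p[3]}"), p[1], p[4]))
        elif p[0] == "access-group":          # access-group NAME in interface IFC
            cfg.access_groups[p[4]] = p[1]
        elif p[0] == "nat":
            real, mapped = p[1].strip("()").split(",")
            if p[2] in ("source", "destination"):   # manual NAT, global context
                cfg.nat_rules.append(NatRule(real, mapped, p[4], p[5], "manual"))
                ctx = None
            else:                                    # object NAT inside the object
                cfg.nat_rules.append(NatRule(real, mapped, ctx[1], p[3], "auto"))
        elif ctx and ctx[0] == "interface":
            ifc = ctx[1]
            if p[0] == "nameif":
                ifc.name = p[1]; cfg.interfaces[ifc.name] = ifc
            elif p[0] == "security-level":
                ifc.security_level = int(p[1])
            elif p[:2] == ["ip", "address"]:
                ifc.address = ipaddress.IPv4Interface(f"{p[2]}/{p[3]}")
        elif ctx and ctx[0] == "object" and p[0] == "subnet":
            cfg.objects[ctx[1]] = ipaddress.IPv4Network(f"{p[1]}/{p[2]}")
    return cfg

def route_lookup(cfg: Config, ip) -> str | None:
    """Longest-prefix match over connected subnets and static routes."""
    best, best_len = None, -1
    for ifc in cfg.interfaces.values():
        if ifc.address and ip in ifc.address.network and ifc.address.network.prefixlen > best_len:
            best, best_len = ifc.name, ifc.address.network.prefixlen
    for net, out_ifc, _gw in cfg.routes:
        if ip in net and net.prefixlen > best_len:
            best, best_len = out_ifc, net.prefixlen
    return best

def trace(cfg: Config, src: str, dst: str) -> dict:
    """Replay route lookup, implicit security-level rule and NAT for one flow."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    rep = {"phases": [], "allowed": False, "translated_src": None}
    in_name = route_lookup(cfg, src)          # interface that owns the source subnet
    out_name = route_lookup(cfg, dst)
    if in_name is None or out_name is None:
        rep["phases"].append("ROUTE-LOOKUP: DROP (no interface/route for this flow)")
        return rep
    i, o = cfg.interfaces[in_name], cfg.interfaces[out_name]
    rep["phases"].append(f"ROUTE-LOOKUP: in {i.name}, out {o.name}")
    if i.address and src == i.address.ip:     # author's note: not a host test
        rep["phases"].append(f"WARNING: {src} is the firewall's own {i.name} address")
    if i.name in cfg.access_groups:
        rep["phases"].append(f"ACCESS-LIST: {cfg.access_groups[i.name]} on {i.name} (ACL not evaluated here)")
    elif i.security_level > o.security_level:
        rep["phases"].append(f"ACCESS-LIST: implicit rule {i.security_level}->{o.security_level} ALLOW")
    else:
        rep["phases"].append(f"ACCESS-LIST: implicit rule {i.security_level}->{o.security_level} DROP (ACL needed)")
        return rep
    for r in cfg.nat_rules:                    # first NAT rule covering the source
        if r.real_ifc == i.name and r.mapped_ifc == o.name and \
                src in cfg.objects.get(r.real_obj, ipaddress.IPv4Network("0.0.0.0/32")):
            mapped = o.address.ip if r.mapped == "interface" else r.mapped
            rep["translated_src"] = str(mapped)
            rep["phases"].append(f"NAT: {r.kind} rule on {r.real_obj} -> {mapped}")
            break
    else:
        rep["phases"].append("NAT: no matching rule, source left untranslated")
    rep["allowed"] = True
    return rep

if __name__ == "__main__":
    for text in (SAMPLE_CONFIG, SAMPLE_CONFIG_MANUAL_NAT):
        cfg = parse_config(text)
        for flow in (("10.2.2.50", "8.8.8.8"), ("10.2.2.1", "192.168.2.1"), ("192.168.2.10", "10.2.2.50")):
            print(flow, trace(cfg, *flow))
```

Running it shows an inside host (10.2.2.50) reaching 8.8.8.8 under either NAT spelling with a translated source of 192.168.2.254, while a flow entering on outside (level 0) towards inside (level 100) is dropped by the implicit rule, which is the direction that needs an access-list.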