Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1013
Views
0
Helpful
5
Replies

877W and ASA 5505 NAT issue

luke.brain
Level 1
Level 1

‎07-24-2011 03:05 AM - edited ‎03-11-2019 02:02 PM

I have a Cisco 877W router which has no issues and working fine. However, I'd like to introduce my ASA5505 as the firewall in between LAN (192.168.0.0/24) and Router private range (10.1.1.0/24).

My setup: internet <- -> outside int (Dialer1) 122.x.x.x (Cisco 877W) <- -> inside 10.1.1.1 (FE0/0) <- -> outside int 10.1.1.2 (E0/0) (ASA5505) -> inside int 192.168.0.1 -> LAN

877W Ethernet0 -> ASA5505 Ethernet0 and is the only cable connected from 877 to ASA.

ASA 5505 Ethernet0/1-6 is used for wired devices on my LAN.

ASA 5505 Ethernet0/7 I'll reserve for DMZ server later.

From PC on LAN, I can ping 192.168.0.1 but, cannot access 10.1.1.1 or 10.1.1.2.

On the ASDM 192.168.0.1 using ping tool, I can ping 10.1.1.1 and 10.1.1.2.

When I run packet tracer, it fails under NAT check.

I'm unable to get to the internet and I think it's the NAT part of ASA that's letting me down.

If anyone has any hints, it would be gladly appreciated.

I've attached my config's for 877W and ASA5505.

PS. The setup is *similar* to http://mcse-ccnp.blogspot.com/2009/05/cisco-asa-for-internet-access-sample.html

thanks,

Luke

Labels:
103744-asa5505 config.txt.zip
103745-877w config.txt.zip
0 Helpful
5 Replies 5

Anu M Chacko
Cisco Employee
Cisco Employee

‎07-24-2011 03:39 AM

Hi Luke,

So the issue is that you're not able to ping 10.1.1.1 from the PC on the inside LAN, correct? Please confiure th following and let me know if it resolves the issue:

1. Configure "inspect icmp" for the ping replies to get back.

policy-map global_policy

class inspection_default

  inspect icmp

2. Add a static route to the outside next hop:

route outside 0.0.0.0 0.0.0.0 10.1.1.1 1

Let me know.

Regards,

Anu

0 Helpful

luke.brain
Level 1
Level 1
In response to Anu M Chacko

‎07-24-2011 03:53 AM

Thanks, I'll give that a try.

I also cannot reach the internet.

The ASDM packet inspect tool ,says that there is a NAT problem.

0 Helpful

luke.brain
Level 1
Level 1

‎07-24-2011 04:34 AM

Inspect icmp. Was the trick but cannot route Internet to LAN

Can ping 8.8.8.8 from router and can get to Internet but LAN inside asa cannot. still think it's NAT issue.

Sent from Cisco Technical Support iPhone App

0 Helpful

luke.brain
Level 1
Level 1
In response to luke.brain

‎07-24-2011 05:08 AM

Internet now works I had route inside instead of the below correct line.

route outside 0.0.0.0 0.0.0.0 10.1.1.1 1

Thnks for your help.

Sent from Cisco Technical Support iPhone App

0 Helpful

Anu M Chacko
Cisco Employee
Cisco Employee
In response to luke.brain

‎07-24-2011 07:12 AM

Hi Luke,

Sorry i missed your posts. Anyhow, i'm glad it works now!

Please mark this post as answered. Do rate the post if it was helpful!

Regards,

Anu

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card