ASA 5505 PAT

Alexis1
Level 1

Hello everyone!

This is my first time configuring an ASA 5505. That’s why I wanted to try a configuration in Packet Tracer.

[Screenshot attached: Captura de pantalla 2018-03-22 a las 13.57.12.png]

I have a problem with the PAT configuration: there are 2 VLANs behind the firewall, connected to an L3 switch. If I try pinging from the L3 switch connected to the ASA, the NAT translation from the inside IP (10.10.10.2) to the outside IP (192.168.137.253) works fine, and vice versa.

[Screenshot attached: Captura de pantalla 2018-03-22 a las 13.14.23.png]

But when I try pinging from either of the 2 VLANs, the NAT doesn’t work. I don’t know what I’m doing wrong.

This is the ASA configuration:

interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.137.253 255.255.255.0
!
object network LAN
 subnet 10.10.10.0 255.255.255.0
object network VLAN10
 subnet 172.16.0.0 255.255.255.0
object network VLAN20
 subnet 192.168.0.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 192.168.137.1 1
route inside 172.16.0.0 255.255.255.0 10.10.10.2 1
route inside 192.168.0.0 255.255.255.0 10.10.10.2 1
!
access-list OUTSIDE_INSIDE extended permit icmp any any echo-reply
!
access-group OUTSIDE_INSIDE in interface outside
object network LAN
 nat (inside,outside) dynamic interface
object network VLAN10
 nat (inside,outside) dynamic interface
object network VLAN20
 nat (inside,outside) dynamic interface
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global


Sorry for my English. Can someone help me?

Thanks for all.

4 Replies

Bogdan Nita
VIP Alumni

The ASA outside interface IP will not respond when pinged from inside (at least on real equipment; it may be different in Packet Tracer). You should try pinging the router IP 192.168.137.1.

Hi Bogdan.
Thank you for your answer, but I think that I can ping, because if you add this ACL rule in the ASA:
access-list OUTSIDE_INSIDE extended permit icmp any any echo-reply

there will be a response from inside to outside and vice versa.

This is not ACL related; it's just a built-in ASA-specific rule: you cannot ping the outside interface IP from any host behind inside.

Hi Alexis,

The ACL you mention should not be necessary, because you are doing inspect icmp, so return ICMP replies would be allowed even if you do not explicitly allow them.

To allow ICMP to the ASA itself, the icmp permit command would need to be used.

None of the above permissions would help to permit the PCs to ping 192.168.137.253, but I believe you were trying to test your PAT config (which looks OK), and for that purpose you can use the router's IP 192.168.137.1.
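The behaviour the replies describe, as an added example that is not from the thread or from Cisco: a small Python checker that parses a constructed excerpt of the posted configuration (only VLAN10 kept) and says whether a ping from a VLAN10 host is translated by the object NAT, answered by the ASA, or left unanswered because it targets the far-side interface IP. The helper names parse and trace and the host 172.16.0.5 are my own assumptions.

```python
import ipaddress
# Constructed excerpt of the ASA configuration posted above (only the lines the check needs).
ASA_CONFIG = """interface Vlan1
 nameif inside
 ip address 10.10.10.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address 192.168.137.253 255.255.255.0
object network VLAN10
 subnet 172.16.0.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.137.1 1
route inside 172.16.0.0 255.255.255.0 10.10.10.2 1
object network VLAN10
 nat (inside,outside) dynamic interface"""

def parse(config):  # minimal parser for just these ASA statements (hypothetical helper)
    ifaces, objects, routes, cur = {}, {}, [], {}
    for w in (line.split() for line in config.splitlines() if line.strip()):
        if w[0] == "interface":
            cur = ifaces.setdefault(w[1], {})
        elif w[0] == "object":  # a repeated 'object network X' reopens the same object
            cur = objects.setdefault(w[2], {})
        elif w[0] == "nameif":
            cur["name"] = w[1]
        elif w[:2] == ["ip", "address"]:
            cur["ip"] = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
        elif w[0] == "subnet":
            cur["net"] = ipaddress.ip_network(f"{w[1]}/{w[2]}")
        elif w[0] == "nat":  # -> ('inside', 'outside', 'interface')
            cur["nat"] = tuple(w[1].strip("()").split(",")) + (w[3],)
        elif w[0] == "route":
            routes.append((w[1], ipaddress.ip_network(f"{w[2]}/{w[3]}")))
    routes += [(i["name"], i["ip"].network) for i in ifaces.values()]  # connected networks
    return ifaces, objects, routes

def trace(cfg, src, dst):  # verdict for an ICMP echo from src to dst
    ifaces, objects, routes = cfg
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    egress = lambda a: max((r for r in routes if a in r[1]), key=lambda r: r[1].prefixlen)[0]
    ingress, out = egress(src), egress(dst)
    for i in ifaces.values():
        if dst == i["ip"].ip:  # the target is the ASA itself, not a host behind it
            if i["name"] == ingress:
                return f"asa replies on {i['name']} (needs 'icmp permit')"
            return f"no reply: {dst} is the {i['name']} interface, reached via {ingress}"
    for o in objects.values():
        if src in o["net"] and o["nat"][:2] == (ingress, out):
            mapped = {i["name"]: i["ip"].ip for i in ifaces.values()}[out]
            return f"translated {src} -> {mapped} out {out}"
    return f"untranslated {src} -> {dst} out {out}"
```

Pinging the router at 192.168.137.1 exercises the PAT rule, while pinging 192.168.137.253 from inside never reaches the NAT step at all.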
