08-24-2012 11:21 AM - edited 03-11-2019 04:46 PM
Hi,
I have configured an ASA 5505 to connect a single internal network to the internet, but it is not working.
I have attached the config, please let me know what is missing.
Thank you for your help.
hasrat
08-24-2012 04:24 PM
Hello Hasrat,
Basic configuration, should be working.
Can you ping 10.1.1.2 from the ASA?
Regards,
Julio
08-26-2012 03:45 PM
Hi Julio,
I can ping 10.1.1.2, this router is managed by another company, they are not able to access devices on 10.4.3.0 network.
Do I need to make any changes to my config ?
Thanks
hasrat
08-26-2012 09:45 PM
Hello Hasrat,
Good so there is connectivity between your ASA and the default-gateway.
Right now they should not be able to access your internal network as you have not created any rule or nat translation to make it happen.
The thing here is why are you not able to access the internet.
I have 2 different tests for you to try:
1- ping 4.2.2.2 from the asa
2- packet-tracer input inside tcp 10.4.3.20 1025 4.2.2.2 80
Regards,
Julio
08-27-2012 09:58 AM
Hi Julio,
Thank you for the reply, I have following nat statement:
object network Corporate_Internal
subnet 10.4.3.0 255.255.255.0
object network Corporate_Internal
nat (inside,outside) source dynamic Corporate_Internal interface
Do I need to add something to it ?
Thanks
hasrat
08-27-2012 12:48 PM
Hello Hasrat,
Since you did not answer my question, I would say you can ping 4.2.2.2.
Regarding the nat query, the configuration is perfect.
Please do the packet tracer
packet-tracer input inside tcp 10.4.3.20 1025 4.2.2.2 80
Remember to rate all the helpful posts
Julio
08-28-2012 09:06 AM
Hi Julio,
Sorry for the late response. I got the information that my device will not get internet access. My ASA is connecting to the VPN router for another company, which they will use to access our internal devices. They are not able to get to them. I have pasted the packet tracer output below:
ASA# packet-tracer input inside tcp 10.4.3.20 1025 4.2.2.2 80
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic Corporate_Internal interface
Additional Information:
Dynamic translate 10.4.3.20/1025 to 10.1.1.1/1025
Phase: 6
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 41, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
ASA#
ASA#
ASA#
ASA# ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ASA#
thanks
hasrat
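An added example, not part of the original posts: a small Python parser for the packet-tracer text format pasted above, which pulls out the final action, the egress interface, the first phase that did not return ALLOW, and the NAT rewrite. packet-tracer simulates the packet through the ASA's own data path only, which is why the trace in the post reports allow while the ping to 4.2.2.2 from the same ASA gets no replies. The sample input is constructed (abridged from the post), and the function names are hypothetical.

```python
import re

# Constructed sample, abridged from the trace format pasted in the thread.
SAMPLE = """Phase: 2
Type: ROUTE-LOOKUP
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 5
Type: NAT
Result: ALLOW
Config:
nat (inside,outside) source dynamic Corporate_Internal interface
Additional Information:
Dynamic translate 10.4.3.20/1025 to 10.1.1.1/1025
Result:
output-interface: outside
Action: allow
"""

def parse_trace(text):
    """Return (phases, summary) parsed from packet-tracer text output."""
    phases, summary, cur = [], {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"Phase:\s*(\d+)$", line):
            cur = {"phase": int(m.group(1)), "detail": []}
            phases.append(cur)
        elif line == "Result:":          # bare "Result:" opens the final summary
            cur = None
        elif cur is None:
            if ":" in line:
                key, _, val = line.partition(":")
                summary[key.strip()] = val.strip()
        elif m := re.match(r"(Type|Subtype|Result):\s*(.*)$", line):
            cur[m.group(1).lower()] = m.group(2)
        elif line and line not in ("Config:", "Additional Information:"):
            cur["detail"].append(line)   # matched rule text, route, NAT detail
    return phases, summary

def report(text):
    """Summarise verdict, egress interface, first non-ALLOW phase and NAT rewrite."""
    phases, summary = parse_trace(text)
    blocked = next((p for p in phases if p.get("result") != "ALLOW"), None)
    nat = re.search(r"translate (\S+) to (\S+)", text)
    return {"action": summary.get("Action"),
            "egress": summary.get("output-interface"),
            "blocked_at": blocked and (blocked["phase"], blocked.get("type")),
            "translated": nat.groups() if nat else None}
```

An allow verdict here confirms the ASA's ACL, route and NAT decisions only; reachability beyond the outside interface still has to be tested separately.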
08-28-2012 11:29 AM
Hello Hasrat,
Okay, the other side of the tunnel will not make it as you do not have connectivity to the outside world.
Please check the connection from your ASA to the default gateway router.
Can you paste the configuration from the default gateway of the ASA?
Regards,
Julio
Remember to rate the helpful posts
08-28-2012 01:05 PM
Hi Julio,
I don't have access to VPN router.
thanks
hasrat
08-28-2012 01:11 PM
Hello Hasrat,
Can you ping the vpn router from the ASA?
Ping 10.1.1.2 1
ping 4.2.2.2
What do you get?
"Rating a post is as important as, or even more important than, a thank you for the community users; remember to rate the helpful posts"
Julio