
ASA 5505 - Single network to internet

Hasrat Raja
Level 1

Hi,

I have configured an ASA 5505 to connect a single internal network to the internet; it is not working.

I have attached the config, please let me know what is missing.

Thank you for your help.

hasrat

9 Replies

Julio Carvajal
VIP Alumni

Hello Hasrat,

Basic configuration, should be working.

Can you ping 10.1.1.2 from the ASA?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

I can ping 10.1.1.2, this router is managed by another company, they are not able to access devices on 10.4.3.0 network.

Do I need to make any changes to my config ?

Thanks

hasrat

Hello Hasrat,

Good so there is connectivity between your ASA and the default-gateway.

Right now they should not be able to access your internal network as you have not created any rule or nat translation to make it happen.

The thing here is why are you not able to access the internet.

I have 2 different tests for you to try:

1- ping 4.2.2.2 from the asa

2- packet-tracer input inside tcp 10.4.3.20 1025 4.2.2.2 80

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

Thank you for the reply, I have following nat statement:

object network Corporate_Internal
 subnet 10.4.3.0 255.255.255.0
object network Corporate_Internal
nat (inside,outside) source dynamic Corporate_Internal interface

Do I need to add something to it ?

Thanks

hasrat

Hello Hasrat,

Based on the fact that you did not answer my question, I would say you can ping 4.2.2.2.

Regarding the nat query, the configuration is perfect.

Please do the packet tracer

packet-tracer input inside tcp 10.4.3.20 1025 4.2.2.2 80

Remember to rate all the helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

Sorry for the late response, I got the information that my device will not get internet access. My ASA is connecting to the VPN router for another company, which they will use to access our internal devices. They are not able to get to them. I have pasted the packet tracer output below:


ASA# packet-tracer input inside tcp 10.4.3.20 1025 4.2.2.2 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic Corporate_Internal interface
Additional Information:
Dynamic translate 10.4.3.20/1025 to 10.1.1.1/1025

Phase: 6
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 41, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

ASA#
ASA#
ASA#
ASA# ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ASA#

thanks

hasrat
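The output above shows packet-tracer allowing the flow while the live ping gets no replies. The following is an added example, not part of the original post or thread: a small Python parser that reads pasted ASA output and separates "the ASA's own policy drops it" from "the ASA forwards it but the path beyond it fails". The function names and the abbreviated sample text are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample: abbreviated from the packet-tracer and ping output in this thread.
SAMPLE = """\
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic Corporate_Internal interface
Additional Information:
Dynamic translate 10.4.3.20/1025 to 10.1.1.1/1025

Result:
Action: allow

Success rate is 0 percent (0/5)
"""

PHASE = re.compile(r"Phase: (\d+)\s*\nType: (\S+)\s*\nSubtype:.*\nResult: (\S+)")

def summarize(text):
    """Pull the policy verdict, NAT mapping and ping result out of pasted ASA output."""
    phases = [(int(n), t, r) for n, t, r in PHASE.findall(text)]
    nat = re.search(r"translate \S+ to (\d+(?:\.\d+){3})/\d+", text)
    action = re.search(r"^Action: (\w+)", text, re.M)
    ping = re.search(r"Success rate is (\d+) percent", text)
    mapped = nat.group(1) if nat else None
    return {
        "first_non_allow": next((p for p in phases if p[2] != "ALLOW"), None),
        "action": action.group(1) if action else None,
        "mapped_ip": mapped,
        # A private (RFC 1918) mapped address is not routable on the internet as-is.
        "mapped_is_private": ipaddress.ip_address(mapped).is_private if mapped else None,
        "ping_pct": int(ping.group(1)) if ping else None,
    }

def diagnose(s):
    """packet-tracer simulates this ASA's own policy; ping tests the real path."""
    if s["first_non_allow"] or s["action"] != "allow":
        return "asa-policy"   # a phase on the ASA itself rejects the flow
    if s["ping_pct"] == 0:
        return "upstream"     # policy permits the flow; look past the ASA
    return "ok"

if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(diagnose(s), s)
```

On the sample this reports `upstream` with a mapped address of 10.1.1.1, which is private, so replies from an internet host also depend on what the next-hop router does with that source address.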

Hello Hasrat,

Okay, the other side of the tunnel will not make it as you do not have connectivity to the outside world.

Please check the connection from your ASA to the default gateway router.

Can you paste the configuration from the default gateway of the ASA?

Regards,

Julio

Remember to rate the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

I don't have access to VPN router.

thanks

hasrat

Hello Hasrat,

Can you ping the vpn router from the ASA?

Ping 10.1.1.2 1

ping 4.2.2.2

What do you get?

"Rate a post is also or even more important than a thank you for the community users, remember to rate the helpful posts"

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC