11-24-2005 06:04 AM - edited 02-21-2020 12:32 AM
Hi
Situation (best viewed with 'courier new'):

                 (OfficeLAN)            (ProdLAN)
    Internet|--|Router|---------|ASA|--------
                                  |
                                  |
                                (DMZ)
I want to use the ASA box as the default gateway for the LAN. On the ASA a default route is configured which forwards the 'internet traffic' to the Internet.
But somehow the ASA simply ignores its duties to forward the traffic to the Internet. Traffic destined to the production LAN and the DMZ is working fine.
Any hints for a depressive technician?
11-28-2005 01:45 PM
Hi,
Turn on logging so you can see any error messages when you try to ping something on the Internet from the Inside or DMZ.
pix(config)# logging on
pix(config)# logging console debug
If your return packet is being denied on the outside interface, modify your outside ACL.
access-list inbound permit icmp any any echo-reply
access-group inbound in interface outside
If you see that DNS replies are being blocked by the outside interface, add this command:
dns domain-lookup outside
If you have a DNS server on the DMZ, add it as well.
dns domain-lookup DMZ
Hope this helps,
Dave
11-28-2005 01:58 PM
Just wondering what exactly you are referring to when you mentioned "the asa simply ignores its duties to forward the traffic to the internet".
Do "debug icmp trace" in order to verify whether the ASA is performing as expected.
Also please verify that the NAT/PAT has been configured for Internet browsing.
e.g.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
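Added example (not from any of the posts above): a small config lint that checks the three things the two replies point at, a default route via outside, a global (outside) matching each nat id, and an echo-reply permit on any ACL applied inbound on outside. The config fragment and the 203.0.113.x addresses are constructed for the example.

```python
import re

# Constructed PIX/ASA-style config fragment (not from the thread). It has a default
# route and a nat statement but no matching global and no echo-reply permit.
SAMPLE_CONFIG = """\
nameif Ethernet0 outside security0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-list inbound permit tcp any host 203.0.113.10 eq www
access-group inbound in interface outside
"""


def parse_config(text):
    """Return the non-empty, whitespace-stripped lines of a config."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def matching_groups(lines, pattern):
    """Collect group(1) of every line matching the anchored regex pattern."""
    return {m.group(1) for m in (re.match(pattern, line) for line in lines) if m}


def check_egress_basics(text):
    """Return findings that explain why inside -> Internet traffic may fail."""
    lines = parse_config(text)
    findings = []
    # 1. Default route must point out of the outside interface.
    if not any(re.match(r"route\s+outside\s+0\.0\.0\.0\s+0\.0\.0\.0\s+\S+", l) for l in lines):
        findings.append("no default route via 'outside'")
    # 2. Every nat id (except 0, which is identity/exempt) needs a global on outside.
    nat_ids = matching_groups(lines, r"nat\s+\(\S+\)\s+(\d+)\s")
    global_ids = matching_groups(lines, r"global\s+\(outside\)\s+(\d+)\s")
    for nid in sorted(nat_ids - global_ids):
        if nid != "0":
            findings.append(f"nat id {nid} has no matching 'global (outside) {nid}'")
    # 3. An ACL applied inbound on outside drops ping replies unless it permits
    #    echo-reply (or ICMP inspection is enabled, which this lint does not model).
    acl_names = matching_groups(lines, r"access-group\s+(\S+)\s+in\s+interface\s+outside")
    for name in sorted(acl_names):
        reply_rule = rf"access-list\s+{re.escape(name)}\s+permit\s+icmp\s+any\s+any\s+echo-reply"
        if not any(re.match(reply_rule, l) for l in lines):
            findings.append(f"ACL '{name}' on outside does not permit icmp echo-reply")
    return findings


if __name__ == "__main__":
    for finding in check_egress_basics(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Adding `global (outside) 1 interface` and `access-list inbound permit icmp any any echo-reply` to the sample clears both findings.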