Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
452
Views
0
Helpful
5
Replies

ASA 8.2(4) Having problem with basic setup

Go to solution
Joshua Engels
Level 1
Level 1

‎06-01-2011 06:59 AM - edited ‎03-11-2019 01:40 PM

I know my ASA has internet connectivity.  From my ASA I can ping out to 4.2.2.2.  When I put my PC behind the firewall, for some reason I cannot browse the internet.  I'm not sure what the issue is but the config is very basic and it is attached.  My first thought was that I do not have NAT setup correctly but I'm not 100% sure on that.  See attached config.

Labels:
87249-NAT Problem.txt.zip
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Kureli Sankar
Cisco Employee
Cisco Employee
In response to Joshua Engels

‎06-01-2011 08:34 AM

Joshua,

This is causing asymmetry. The management network cannot live behind the inside.

You cannot use mgmt ip address and go to the internet via the inside interface. When the response traffic comes back, it will try to take the mgmt interface and fail.

You need to take the same path going and coming.

Best option to solve this is to use a route-map on the switch.

access-list 120 per ip 192.168.99.0 0.0.0.255 any

route-map mgmt per 10

match ip address 120

set ip next-hop 192.168.99.100

-KS

View solution in original post

0 Helpful
5 Replies 5

Go to solution
varrao
Level 10
Level 10

‎06-01-2011 07:19 AM

Hi Joshua,

Are you able to ping the firewall fro the PC?? are you able to ping the next hop from the PC?? Have you tried packet-tracer from firewall?/

packet-tracer input inside tcp ho 23456 ho 2.2.2.2 80 detailed.

can you provide the output for it??

try taking acptures as well on the firewall to check if the packets are reaching the firewall or not.

packet-captures:

https://supportforums.cisco.com/docs/DOC-1222

The config looks fine.

Thanks,

Varun

Thanks,
Varun Rao
0 Helpful

Go to solution
Joshua Engels
Level 1
Level 1

‎06-01-2011 07:36 AM

Found the issue.  It is with my Management interface.  As soon as I disabled the management interface everything started working.  Any ideas why this is?

0 Helpful

Go to solution
varrao
Level 10
Level 10
In response to Joshua Engels

‎06-01-2011 07:42 AM

Hi Joshua,

On which interface had you connected the laptop???

Varun

Thanks,
Varun Rao
0 Helpful

Go to solution
Joshua Engels
Level 1
Level 1
In response to varrao

‎06-01-2011 08:06 AM

So here is how I am setup.  Diagram attached.

I route through the core switch and then through the ASA to the internet.

To manage the ASA I setup the managment interface on the same vlan I am on so that I can connect directly to it.  It seems that this may be confusing the ASA's return path or something.

27 KB
0 Helpful

Go to solution
Kureli Sankar
Cisco Employee
Cisco Employee
In response to Joshua Engels

‎06-01-2011 08:34 AM

Joshua,

This is causing asymmetry. The management network cannot live behind the inside.

You cannot use mgmt ip address and go to the internet via the inside interface. When the response traffic comes back, it will try to take the mgmt interface and fail.

You need to take the same path going and coming.

Best option to solve this is to use a route-map on the switch.

access-list 120 per ip 192.168.99.0 0.0.0.255 any

route-map mgmt per 10

match ip address 120

set ip next-hop 192.168.99.100

-KS

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card