03-05-2008 12:03 PM - edited 03-11-2019 05:12 AM
Hi,
I'm not sure if this would be better suited to the R&S forums, but I figure some
security people must have worked on something similar....
I have an ASA sitting behind a 2800 router with 2 Internet circuits. I'm trying to
NAT everything from the ASA inbound & outbound.
I can't ping from the DMZ to the inside of the router; ICMP is allowed. I can't
see any denies in the logs either, yet I can see an e-mail appliance (192.168.10.9)
getting NAT'd and I know it's receiving updates:
tcp 83.x.x.69:80 192.168.10.9:80 217.198.148.6:52782 217.198.148.6:52782
I was trying to do the NAT on the ASA, but I've wiped that, so now there's just a
172.16.90.2 address on the outside interface as well as the Inside (10.1.10.0/24)
and DMZ (192.168.10.0/24) interfaces.
!
interface GigabitEthernet0/0
 description Link to Outside Interface of ASA
 ip address 172.16.90.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description Primary Circuit
 ip address 83.x.x.66 255.255.255.248
 ip nat outside
!
interface FastEthernet0/0/0
 description Backup Circuit
 ip address 89.x.x.159 255.255.255.254
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0/0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
ip route 83.x.x.64 255.255.255.248 GigabitEthernet0/0
ip route 89.x.x.159 255.255.255.255 GigabitEthernet0/0
ip route 10.1.1.0 255.255.255.0 GigabitEthernet0/0
ip route 192.168.10.0 255.255.255.0 GigabitEthernet0/0
!
!
ip nat pool NAT_INT 83.x.x.67 83.x.x.69 prefix-length 29
ip nat inside source list 11 pool NAT_INT overload
!
access-list 11 permit any
access-list 11 permit 192.168.10.0 0.0.0.255
access-list 11 permit 10.1.1.0 0.0.0.255
access-list 11 permit 172.16.90.0 0.0.0.255
!
I'm trying to figure out where things are going wrong. The packet-tracer on the ASA
suggests everything is fine there, and there doesn't seem to be a whole lot going on
with the NAT... maybe something on the routing...
Anybody got any ideas?!
Thanks,
Denis
03-05-2008 12:11 PM
The ASA/PIX platform denies ICMP by default. The easiest way around this is to enable ICMP inspection.
Assuming you're running the default global inspection policy, enter the following:
policy-map global_policy
 class inspection_default
  inspect icmp
------------
Besides that, what else was wrong?
For communications between networks that reside on different interfaces of the ASA, additional configuration will be required, depending on the security levels of each interface.
03-05-2008 12:36 PM
Yup, I enabled that for ICMP alright. I'm happy enough with how things are working on the ASA. The problem just seems to be when I try to get out past the router, so I thought there's a problem with how the statics are configured for the internal networks.
I'm stretching my understanding a bit here but if I can provide any more information please let me know.
03-05-2008 01:08 PM
Denis,
Can you reconfigure the static route:
Remove:
ip route 192.168.10.0 255.255.255.0 GigabitEthernet0/0
Add:
ip route 192.168.10.0 255.255.255.0 172.16.90.2
If that doesn't help can you share a sanitized copy of the ASA configuration.
HTH
Sundar
03-06-2008 07:11 AM
Ok, so somehow I resolved this...
I changed the ip routes as you mentioned above but it didn't have any effect. I also changed the NAT configuration to the following:
ip nat inside source list 10 interface GigabitEthernet0/1 overload
ip nat inside source static 172.16.90.2 83.x.x.70
...this didn't seem to have any effect either.
I gave the redundant circuit a higher metric and messed about with the DNS servers and then things started working...
Not sure what happened but it works now so it'll do!
Thanks for your input guys,
Denis
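Added example (not from any of the posts above, and not the poster's final config): a consolidated 2800 configuration that pulls together the changes discussed in this thread, with the pitfalls in the originally posted config called out as comments. Interface names and addresses are the ones from the original post; the provider next-hop addresses 83.x.x.65 and 89.x.x.158, the inside network 10.1.10.0/24 (the posted route used 10.1.1.0/24, which does not match the inside interface described), and the mail appliance at 192.168.10.9 on TCP/80 are assumptions drawn from what the thread shows.

```cisco
! Added example, not the poster's final configuration. Addresses and interface
! names come from the thread; the provider next-hops (83.x.x.65, 89.x.x.158)
! and the inside network 10.1.10.0/24 are assumptions.
!
interface GigabitEthernet0/0
 description Link to Outside Interface of ASA
 ip address 172.16.90.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description Primary Circuit
 ip address 83.x.x.66 255.255.255.248
 ip nat outside
!
interface FastEthernet0/0/0
 description Backup Circuit
 ip address 89.x.x.159 255.255.255.254
 ip nat outside
!
! Default routes point at a next-hop address rather than only at an interface:
! a static route that names just an Ethernet interface relies on the far end
! answering proxy ARP for every destination. The backup route carries
! administrative distance 250 (the "higher metric" from the last post), so it
! is only installed while the primary circuit is down.
ip route 0.0.0.0 0.0.0.0 83.x.x.65
ip route 0.0.0.0 0.0.0.0 89.x.x.158 250
!
! Networks behind the ASA are reached through the ASA's outside address, as
! suggested earlier in the thread. The original routes for 83.x.x.64/29 and
! 89.x.x.159/32 towards GigabitEthernet0/0 are dropped: both are addresses on
! the router's own WAN interfaces, not networks behind the ASA.
ip route 10.1.10.0 255.255.255.0 172.16.90.2
ip route 192.168.10.0 255.255.255.0 172.16.90.2
!
! The original access-list 11 started with "permit any", which matches first
! and makes the three network entries after it dead. Translate only the
! networks that actually sit behind the ASA.
access-list 10 permit 10.1.10.0 0.0.0.255
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 permit 172.16.90.0 0.0.0.255
!
! Outbound PAT to the primary circuit's interface address. This statement only
! translates traffic leaving GigabitEthernet0/1; traffic that fails over to
! FastEthernet0/0/0 would need a route-map based NAT statement as well.
ip nat inside source list 10 interface GigabitEthernet0/1 overload
!
! Inbound static for the mail appliance, limited to the one port seen in the
! translation table in the first post. A plain
!   ip nat inside source static 172.16.90.2 83.x.x.70
! as used in the last post forwards every port on 83.x.x.70 to the ASA, so the
! ASA's outside ACL becomes the only thing filtering that address.
ip nat inside source static tcp 192.168.10.9 80 83.x.x.69 80
!
! Checks after applying (enable mode):
!   show ip route static
!   show ip nat translations
!   show access-lists 10
```

The port-level static is the security-relevant choice here: a 1:1 static NAT on the router exposes every port of the translated address, and the router itself has no ACL on the outside interfaces in the posted config, so whatever reaches 83.x.x.70 lands on the ASA's outside interface unfiltered by the router.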