04-18-2010 07:14 AM - edited 03-11-2019 10:34 AM
Hi,
I am trying to configure an ASA but I am overlooking something simple I think. It's been a few years since I have used an ASA. I am trying to get my PC on the Inside Network connected to Ethernet 0/1 on the ASA out to my router.
From the PC I can ping Eth 0/1 (IP 192.168.150.1)
From the ASA I can ping the interface of the router (IP 10.1.20.1) and from the router I can ping Eth 0/0 on the ASA (IP 10.1.20.10)
I am not able to get the PC past the ASA's Eth 0/1 interface
I am wondering if it is NAT that's missing
PC ------------------------> ASA ---------------------------> Router
PC: IP 192.168.150.2, DG 192.168.150.1
ASA E0/1 (Inside): 192.168.150.1
ASA E0/0 (Outside): 10.1.20.10
Router FE 0/1: 10.1.20.1
show route
Gateway of last resort is not set
C 192.168.150.0 255.255.255.0 is directly connected, Inside
C 10.1.20.0 255.255.255.0 is directly connected, Outside
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list Inside_access_in; 3 elements
access-list Inside_access_in line 1 extended permit tcp host 192.168.150.2 10.1.20.0 255.255.255.0 eq www (hitcnt=0) 0xdcb4dc10
access-list Inside_access_in line 2 extended permit udp host 192.168.150.2 10.1.20.0 255.255.255.0 eq domain (hitcnt=0) 0xc6121d1b
access-list Inside_access_in line 3 extended permit icmp any any (hitcnt=100) 0xb34531ad
access-list Outside_access_in; 1 elements
access-list Outside_access_in line 1 extended permit icmp any any (hitcnt=0) 0x2d93ecad
04-20-2010 09:04 AM
Based on your configuration, the security levels that you set for the inside and the outside interfaces are the same - equal to 0.
Traffic will not pass between interfaces that have the same security level.
Either change one interface to have a different security level - typically the inside interface has a security level of 100 (most secure), or allow communication between interfaces that have the same security levels as documented here: http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/intparam.html#wpxref49092
Let me know if that helps.
Dmitry.
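A small audit of the condition Dmitry describes, as an added example that is not from this thread or from Cisco: it parses a constructed running-config excerpt (interface names and addresses taken from Niall's diagram; both security levels assumed to be 0, as Dmitry states) and flags named interfaces that share a security level, which the ASA will not forward between unless same-security-traffic permit inter-interface is configured.

```python
import re

# Constructed ASA running-config excerpt (not the poster's actual config).
# Reproduces the thread's misconfiguration: Inside and Outside both at level 0.
BROKEN_CONFIG = """\
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 10.1.20.10 255.255.255.0
!
interface Ethernet0/1
 nameif Inside
 security-level 0
 ip address 192.168.150.1 255.255.255.0
!
access-group Inside_access_in in interface Inside
"""

# Corrected form: inside raised to 100, the conventional "most secure" level.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "nameif Inside\n security-level 0", "nameif Inside\n security-level 100")


def parse_interfaces(config):
    """Return {nameif: security-level} for every named interface block."""
    levels, cur = {}, {}
    # Sentinel "interface END" line flushes the last block.
    for line in config.splitlines() + ["interface END"]:
        if line.startswith("interface "):
            if "nameif" in cur and "level" in cur:
                levels[cur["nameif"]] = cur["level"]
            cur = {}
        elif m := re.match(r"\s+nameif (\S+)", line):
            cur["nameif"] = m.group(1)
        elif m := re.match(r"\s+security-level (\d+)", line):
            cur["level"] = int(m.group(1))
    return levels


def same_level_pairs(config):
    """Pairs of named interfaces that share a security level and therefore
    cannot pass traffic, unless the global same-security permit is present."""
    if re.search(r"^same-security-traffic permit inter-interface$", config, re.M):
        return []
    levels = parse_interfaces(config)
    names = sorted(levels)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if levels[a] == levels[b]]
```

Run same_level_pairs over the output of show running-config interface to get the list of interface pairs that need either a level change or the global permit.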
04-18-2010 07:23 AM
Niall
Yes it is NAT. You can do a number of things:
1) turn off NAT globally on the firewall, i.e. "no nat-control"
2) use a NAT exemption on your firewall for your host, i.e.
access-list NATEX permit ip host 192.168.150.2 any
nat (inside) 0 access-list NATEX
3) use a static, i.e.
static (inside,outside) 192.168.150.2 192.168.150.2 netmask 255.255.255.255
All of the above will mean your host address is unchanged on the outside.
If you want to change the host address then:
4) nat (inside) 1 192.168.150.2 255.255.255.255
global (outside) 1 interface
This will change your IP of 192.168.150.2 to 10.1.20.10 as it goes to the outside. This would mean you wouldn't need a route back on the router to the 192.168.150.0/24 network.
Jon
04-19-2010 02:39 PM
Hi,
Thanks for the response.
I added the no nat-control command and tried again but it still fails.
To simplify things I removed the router and added a PC to the outside interface. However I can ping the outside interface from the outside PC and I can ping the inside interface from the Inside PC but I can't get through the firewall.
I have added the following ACL
access-list Inside-Interface_access_in extended permit ip host Inside-Host host Outside-Host
access-list Outside-Interface_access_in extended permit ip any any
Inside-Host is 192.168.150. and Outside-host is 10.1.20.2
PC(192.168.150.2)-------->Eth0/1 (192.168.150.1) ASA Eth0/0 (10.1.20.1)--------->PC2 (10.1.20.2)
If I check the logs I see the following:
%ASA-6-106015: Deny TCP (no connection) from Inside-Host/2360 to 192.168.150.1/443 flags FIN ACK on interface Inside-Interface
%ASA-7-710005: TCP request discarded from Inside-Host/2360 to Inside-Interface:192.168.150.1/443
%ASA-3-106014: Deny inbound icmp src Inside-Interface:Inside-Host dst Outside-Interface:Outside-Host (type 8, code 0)
%ASA-7-710005: UDP request discarded from Inside-Host/137 to Inside-Interface:192.168.150.255/137
I know that it is something really, really simple that I am overlooking but I have not figured it out yet. I have included a copy of my config to assist.
Anyway thanks again