ASA GNS3 project working

Antonio Simoes
Level 1

Hi,

Does anyone have a ASA GNS3 working project?

I configured one, but I'm not having much success in making things work. I'm following Cisco materials, but very strangely, simple things don't work.

So I need to know what the problem is: my installation of ASA, my installation of GNS3, or my skills.

Kind Regards,

António

26 Replies

Ok,

Let's try the "packet-tracer" command to simulate an ICMP Echo arriving from R1 to ISP-R1.

Insert the following command on the ASA CLI and copy/paste the output here:

packet-tracer input inside icmp 192.168.200.1 8 0 62.28.190.65

- Jouni

Also just to confirm,

It seems to me that R1 is mentioned as having IP 192.168.200.1, though it also seems that the ASA is configured with the same IP address of 192.168.200.1?

Are these the actual configurations, as this naturally wouldn't work?

What are the interface IP addresses of R1 and the ASA "inside" interface at the moment?

Does R1 have a default route pointing towards the ASA "inside" interface IP address, so R1 knows where to send traffic destined to other networks?

- Jouni

Hi,

If you look in the config, R1 is 192.168.200.1 and the ASA is .254.

Yes, R1 has the route to the 62.28.190.64 network through interface f0/0.

Does it have to be through the next hop?

In a minute I'll have the output. Initiating the VM.

Hi.

Here are the screen shots:

Hi,

The firewall lets it pass. So it's very strange, man. The routing in R1 and ISP_R1 is fine. Correct?

-AS

Hi,

Both routers' routing tables list the 62.28.190.64/30 network as directly connected? Also, the network 192.168.200.0/24 is mentioned on both routers? Those don't really make sense.

R1 should have a static route:

ip route 62.28.190.64 255.255.255.252 192.168.200.254

Or typically it would probably have a default route, if the router doesn't have any other way out of the network:

ip route 0.0.0.0 0.0.0.0 192.168.200.254

Also, the other discussion you linked says that the ASA "inside" is configured with IP address 192.168.200.1:

interface GigabitEthernet4
 nameif inside
 security-level 100
 ip address 192.168.200.1 255.255.255.0

- Jouni

And as you can see, the ASA "packet-tracer" simulation goes through without problems.

The actual problem seems to be related to the routers in the setup.

- Jouni
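The routing discussion above boils down to one rule: a static route on R1 must hand the packet to a next hop that sits on one of R1's own connected subnets (here the ASA "inside" address 192.168.200.254), and a prefix that shows up as "directly connected" on a router that is not actually on that link will make the router ARP for the destination itself. The following is an added example, not part of the thread or of any Cisco tool: it models R1 with its Fa0/0 address from the thread (192.168.200.1/24, an assumption about the interface name) and classifies how each of several constructed static-route variants would forward a packet to ISP-R1's address 62.28.190.65. The "interface-only" verdict reflects IOS behaviour for a static route pointing at an Ethernet interface with no next hop, which depends on the neighbour answering proxy ARP.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class StaticRoute:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[ipaddress.IPv4Address] = None  # None: route points at an interface only
    interface: Optional[str] = None


@dataclass
class Router:
    name: str
    interfaces: dict  # interface name -> IPv4Interface (connected subnets)
    statics: List[StaticRoute] = field(default_factory=list)

    def longest_match(self, dst: ipaddress.IPv4Address):
        """Longest-prefix match over connected and static routes, as a router does."""
        best, best_len = None, -1
        for name, intf in self.interfaces.items():
            if dst in intf.network and intf.network.prefixlen > best_len:
                best, best_len = ("connected", intf.network, None, name), intf.network.prefixlen
        for r in self.statics:
            if dst in r.prefix and r.prefix.prefixlen > best_len:
                best, best_len = ("static", r.prefix, r.next_hop, r.interface), r.prefix.prefixlen
        return best


def check_forwarding(router: Router, dst: str) -> Tuple[str, str]:
    """Classify how `router` would forward a packet to `dst`.

    Verdicts: 'no-route', 'connected', 'ok', 'interface-only', 'unresolvable-next-hop'.
    """
    dst_ip = ipaddress.IPv4Address(dst)
    match = router.longest_match(dst_ip)
    if match is None:
        return "no-route", f"{router.name} has no route to {dst}"
    kind, prefix, nh, intf = match
    if kind == "connected":
        # The router ARPs for dst on intf: correct only if dst really is on that link.
        return "connected", f"{prefix} is connected on {intf}; {router.name} ARPs for {dst} directly"
    if nh is None:
        # IOS static route to an Ethernet interface with no next hop: the router ARPs for the
        # destination address itself and depends on the neighbour answering via proxy ARP.
        return "interface-only", f"{prefix} via {intf} with no next hop; relies on proxy ARP"
    for name, i in router.interfaces.items():
        if nh in i.network:
            return "ok", f"{prefix} via next hop {nh} out {name}"
    return "unresolvable-next-hop", f"next hop {nh} is not on any connected subnet of {router.name}"


def r1(statics: List[StaticRoute]) -> Router:
    """R1 as described in the thread: Fa0/0 = 192.168.200.1/24 (interface name assumed)."""
    return Router("R1", {"FastEthernet0/0": ipaddress.IPv4Interface("192.168.200.1/24")}, statics)


NET, HOP = ipaddress.IPv4Network, ipaddress.IPv4Address

# Constructed variants: the "through interface f0/0" route from the thread, the two routes
# Jouni suggested, and a default route whose next hop is the ISP address instead of the ASA.
R1_INTERFACE_ROUTE = r1([StaticRoute(NET("62.28.190.64/30"), None, "FastEthernet0/0")])
R1_NEXT_HOP = r1([StaticRoute(NET("62.28.190.64/30"), HOP("192.168.200.254"))])
R1_DEFAULT = r1([StaticRoute(NET("0.0.0.0/0"), HOP("192.168.200.254"))])
R1_WRONG_NEXT_HOP = r1([StaticRoute(NET("0.0.0.0/0"), HOP("62.28.190.65"))])

if __name__ == "__main__":
    for label, rtr in [("interface route", R1_INTERFACE_ROUTE), ("next hop", R1_NEXT_HOP),
                       ("default", R1_DEFAULT), ("wrong next hop", R1_WRONG_NEXT_HOP)]:
        print(f"{label:16}-> {check_forwarding(rtr, '62.28.190.65')}")
```

The same check applied to ISP-R1 would flag the symptom Jouni spotted: if 192.168.200.0/24 is listed as connected on ISP-R1, that router ARPs for inside hosts on its own link instead of sending the traffic to the ASA "outside" address.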

Jouni,

I'll correct the routing problems and I'll tell you more about it later.

Many thanks. You saved me a lot of time.

[]´s

António

Hi Jouni,

You were totally right. Routing problems.

Jouni Rocks

Take care man.

- AS

Hi,

Glad to hear you got it working

- Jouni

Hi Jouni,

At this moment I'm experiencing a problem with NAT. Can you check this, please?

Network Diagram:

ASA configs:

: Saved
: Written by enable_15 at 19:26:55.559 UTC Wed Sep 4 2013
!
ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 62.28.190.66 255.255.255.252
!
interface GigabitEthernet1
 shutdown
 no nameif
 security-level 0
 no ip address
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 nameif dmz
 security-level 70
 ip address 192.168.100.254 255.255.255.0
!
interface GigabitEthernet4
 nameif inside
 security-level 100
 ip address 192.168.200.254 255.255.255.0
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
no ftp mode passive
object network Net-Inside
 subnet 192.168.200.0 255.255.255.0
object network Net-Dmz
 subnet 192.168.100.0 255.255.255.0
object network webserver-dmz
 host 192.168.100.1
access-list OUTSIDE_DMZ_WEB extended permit tcp any host 192.168.100.1 eq www
access-list OUTSIDE_DMZ_WEB extended permit tcp any host 192.168.100.1 eq https
access-list OUTSIDE_DMZ_WEB extended permit tcp any host 192.168.100.1 eq whois
access-list OUTSIDE_DMZ_WEB extended permit icmp any host 192.168.100.1
pager lines 24
mtu outside 1500
mtu dmz 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-702.bin
no asdm history enable
arp timeout 14400
!
object network Net-Inside
 nat (inside,outside) dynamic interface
object network Net-Dmz
 nat (dmz,outside) dynamic interface
object network webserver-dmz
 nat (dmz,outside) static interface service tcp www www
access-group OUTSIDE_DMZ_WEB in interface outside
route outside 10.0.0.0 255.255.255.0 62.28.190.65 1
route inside 192.168.15.0 255.255.255.0 192.168.200.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
no snmp-server location
no snmp-server contact
telnet timeout 5
ssh timeout 5
console timeout 0
no threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:cb29abf617f52ce87c186e7aacc36cb5
: end

Packet tracer for ICMP from outside to DMZ:

Packet tracer for HTTP from outside to DMZ will be posted in another message; the insert-picture function crashed.

Hi,

You have targeted the actual IP address of the server in the DMZ in the "packet-tracer" command. You will have to use the NAT IP address as the target, as we will naturally be simulating traffic that would be coming towards the public IP address rather than a private IP address.

So try, for example:

packet-tracer input outside icmp 10.0.0.1 8 0 62.28.190.66

packet-tracer input outside tcp 10.0.0.1 12345 62.28.190.66 80

- Jouni

Both pass.

Forget it, man, I was testing the wrong way.

I tried to access and ping 192.168.100.1 (private address). Accessing private addresses from outside isn't possible with this config.

Thanks again.
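The point Jouni makes about "packet-tracer" targets, and the NAT section of the posted 8.4(2) config, both come down to how an ASA running 8.3 or later handles an inbound packet: the access list is written with real (DMZ) addresses, but traffic from the Internet arrives addressed to the mapped address, and only a static NAT rule creates the mapped-to-real translation; dynamic PAT does not. The code below is an added example, not part of the thread or of any Cisco software. It parses a constructed excerpt of the config posted above (interfaces, network objects, object NAT and the OUTSIDE_DMZ_WEB ACL) and emulates the inbound lookup: which real destination a packet to 62.28.190.66 ends up with, and which ACEs permit traffic that no static NAT actually exposes. Port-name mappings and the simplified config grammar it understands are assumptions; it covers only the `object network` NAT forms that appear in the posted config.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed excerpt of the ASA 8.4 config posted above: only the lines the lookup needs.
ASA_CONFIG = """
interface GigabitEthernet0
 nameif outside
 ip address 62.28.190.66 255.255.255.252
interface GigabitEthernet3
 nameif dmz
 ip address 192.168.100.254 255.255.255.0
object network Net-Dmz
 subnet 192.168.100.0 255.255.255.0
object network webserver-dmz
 host 192.168.100.1
object network Net-Dmz
 nat (dmz,outside) dynamic interface
object network webserver-dmz
 nat (dmz,outside) static interface service tcp www www
"""
ACL = """
access-list OUTSIDE_DMZ_WEB extended permit tcp any host 192.168.100.1 eq www
access-list OUTSIDE_DMZ_WEB extended permit tcp any host 192.168.100.1 eq https
access-list OUTSIDE_DMZ_WEB extended permit tcp any host 192.168.100.1 eq whois
access-list OUTSIDE_DMZ_WEB extended permit icmp any host 192.168.100.1
"""
PORT_NAMES = {"www": 80, "https": 443, "whois": 43}  # assumed subset of ASA port names


@dataclass
class NatRule:
    obj: str
    real_if: str
    mapped_if: str
    mode: str                    # "static" or "dynamic"
    proto: Optional[str] = None  # set when the rule carries "service tcp|udp real mapped"
    real_port: Optional[int] = None
    mapped_port: Optional[int] = None


@dataclass
class Asa:
    if_ip: dict = field(default_factory=dict)    # nameif -> IPv4Address
    objects: dict = field(default_factory=dict)  # object name -> IPv4Network of real addresses
    nat: List[NatRule] = field(default_factory=list)


NAT_RE = re.compile(r"nat \((\S+),(\S+)\) (static|dynamic) interface(?: service (tcp|udp) (\S+) (\S+))?")
ACE_RE = re.compile(r"permit (\S+) any host (\S+)(?: eq (\S+))?")


def port(tok: str) -> int:
    return PORT_NAMES.get(tok) or int(tok)


def parse(cfg: str) -> Asa:
    asa, cur_if, cur_obj = Asa(), None, None
    for line in (l.strip() for l in cfg.splitlines() if l.strip()):
        w = line.split()
        if w[0] == "nameif":
            cur_if = w[1]
        elif w[:2] == ["ip", "address"]:
            asa.if_ip[cur_if] = ipaddress.IPv4Address(w[2])
        elif w[:2] == ["object", "network"]:
            cur_obj = w[2]
        elif w[0] == "host":
            asa.objects[cur_obj] = ipaddress.IPv4Network(w[1] + "/32")
        elif w[0] == "subnet":
            asa.objects[cur_obj] = ipaddress.IPv4Network(f"{w[1]}/{w[2]}")
        elif w[0] == "nat":
            real_if, mapped_if, mode, proto, rp, mp = NAT_RE.match(line).groups()
            asa.nat.append(NatRule(cur_obj, real_if, mapped_if, mode, proto,
                                   port(rp) if rp else None, port(mp) if mp else None))
    return asa


def inbound_real_destination(asa: Asa, ingress: str, proto: str, dst: str,
                             dport: Optional[int] = None) -> Tuple[Optional[str], Optional[int], str]:
    """Emulate the ASA 8.3+ inbound NAT lookup for a packet arriving on `ingress`.
    Returns (real_ip, real_port, why); real_ip is None when the packet is for the ASA itself."""
    dst_ip = ipaddress.IPv4Address(dst)
    for r in asa.nat:
        # Only static rules create mapped->real translations for inbound traffic.
        if r.mode != "static" or r.mapped_if != ingress or dst_ip != asa.if_ip[r.mapped_if]:
            continue
        if r.proto and (proto != r.proto or dport != r.mapped_port):
            continue  # port-restricted static: other protocols/ports are not untranslated
        real_port = r.real_port if r.proto else dport
        return str(asa.objects[r.obj].network_address), real_port, f"untranslated by static NAT on {r.obj}"
    if dst_ip in asa.if_ip.values():
        return None, None, "no static NAT matched: destination is the firewall's own interface address"
    return dst, dport, "no NAT applies: destination used as-is; delivery depends on routing and the ACL"


def aces_without_inbound_nat(asa: Asa, acl: str, ingress: str = "outside") -> List[Tuple[str, str, Optional[str]]]:
    """ACEs permitting traffic to a real host that no static NAT exposes on `ingress`."""
    missing = []
    for proto, host, svc in ACE_RE.findall(acl):
        dport = port(svc) if svc else None
        exposed = any(r.mode == "static" and r.mapped_if == ingress
                      and ipaddress.IPv4Address(host) in asa.objects[r.obj]
                      and (r.proto is None or (r.proto == proto and r.real_port == dport))
                      for r in asa.nat)
        if not exposed:
            missing.append((proto, host, svc or None))
    return missing


ASA = parse(ASA_CONFIG)

if __name__ == "__main__":
    print(inbound_real_destination(ASA, "outside", "tcp", "62.28.190.66", 80))
    print(inbound_real_destination(ASA, "outside", "tcp", "192.168.100.1", 80))
    print(aces_without_inbound_nat(ASA, ACL))
```

Run against the posted config, the lookup untranslates TCP/80 to 62.28.190.66 into 192.168.100.1:80, while HTTPS, whois and ICMP to the same address never reach the DMZ: the `static interface service tcp www www` rule exposes only port 80, so three of the four OUTSIDE_DMZ_WEB entries permit traffic that has no translation behind it. That mismatch is worth checking before reading a "packet-tracer" result, because the ACL alone looks correct.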
