02-06-2015 03:19 PM - edited 03-11-2019 10:28 PM
I'm trying to get an ASA5515-X up and running and I'm at my wits' end. I have a very simple configuration with an inside and an outside interface. The outside interface connects to a Cisco 2811 router with the Internet circuit. The inside interface connects to a 3750 switch stack.
On the router there is a static route for the internal, 10.160.192.0, subnet pointing to the Firewall's outside interface.
The basic access-list configuration is:
- access-list inside_access_in extended permit ip 10.160.192.0 255.255.248.0 any
There is a static route on the outside pointing to the connected router's ISP facing interface (serial0/0). There is no static route on inside.
NAT statement:
- nat (inside,outside) source static 'internal_subnet' interface
I ran the Packet Tracer utility a couple of times using the inside interface as source and 10.160.192.5 as the source IP, destination 8.8.8.8, source and destination ports 'domain'. When run, it confirms that every step along the way up to the Outside interface is correct.
Yet, neither DNS resolution nor HTTP seems to work. The connections open, stay open for a few seconds and then they time out and close.
Any input will be greatly appreciated.
Steve K.
02-06-2015 03:44 PM
If you are doing the NAT for the 10.160.192.0/21 network on the ASA you do not need a route on the 2811 router because it won't see those IPs.
> There is a static route on the outside pointing to the connected router's ISP facing interface (serial0/0). There is no static route on inside.
It's not clear what you mean by this. You need:
1) a default route on your 3750, e.g.:
ip route 0.0.0.0 0.0.0.0 <ASA inside interface IP address>
and
2) a default route on the ASA pointing to the inside interface of the 2811, i.e.:
route outside 0.0.0.0 0.0.0.0 <2811 inside interface IP>
The inside interface of the 2811 will be from the same subnet as the ASA outside IP.
I'm assuming that the ASA has a public IP on the outside interface as you are doing NAT for all internal clients.
If so just follow the above.
If it doesn't, and only the 2811 outside interface connecting to the ISP has a public IP, then you would need to do NAT on the router.
In which case there is little point in doing it on the ASA as well, although you could leave it; but if you do remove it, then make sure you leave the route for your internal network on the 2811, as it would then be needed.
Finally if the ASA inside interface IP is not using a 255.255.248.0 subnet mask then I assume that means there are other subnets within that summary address range being routed on the 3750.
In which case you would need additional routes on the ASA for those subnets it is not directly connected to pointing to the 3750.
I hope the above helps out and I'll check in with this thread tomorrow if you are still having problems and nobody else has joined in.
Jon
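The routing and NAT layout Jon describes, written out end to end for the topology in the question (this is an added example, not configuration posted in the thread; the angle-bracket addresses are placeholders, the extra inside route is a constructed illustration of the mask caveat, the interface names are assumed, and the NAT line uses dynamic PAT, which is the form the ASA uses to translate a whole subnet to its outside interface address):

```cisco
! ---- Cisco 3750 (L3 switch stack) ----
! Enable routing and send anything not directly connected toward the ASA
! inside interface (Jon's step 1).
ip routing
ip route 0.0.0.0 0.0.0.0 <ASA_INSIDE_IP>

! ---- Cisco ASA 5515-X ----
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address <ASA_OUTSIDE_IP> <ASA_OUTSIDE_MASK>
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address <ASA_INSIDE_IP> 255.255.248.0
!
! Default route toward the LAN-side interface of the 2811, which must sit in
! the same subnet as the ASA outside address (Jon's step 2).
route outside 0.0.0.0 0.0.0.0 <2811_INSIDE_IP>
!
! If the ASA inside interface uses a longer mask than /21, the rest of the
! summary range lives behind the 3750 and the ASA needs a route for each such
! subnet. 10.160.194.0/24 is a constructed example, not a subnet from the thread.
! route inside 10.160.194.0 255.255.255.0 <3750_IP>
!
! Translate the whole /21 to the outside interface address (dynamic PAT), so
! the 2811 only ever sees the ASA outside IP as a source.
object network internal_subnet
 subnet 10.160.192.0 255.255.248.0
nat (inside,outside) source dynamic internal_subnet interface
!
! Permit inside hosts outbound and bind the list to the interface; an ACL that
! is never applied with access-group has no effect on traffic.
access-list inside_access_in extended permit ip 10.160.192.0 255.255.248.0 any
access-group inside_access_in in interface inside
```

After applying, `show route` on the ASA and `show ip route` on the 3750 confirm the two default routes are in place, and `show nat` and `show xlate` on the ASA show the translation rule and the entries being built for outbound connections. Because the router only sees the ASA outside address, the static route for 10.160.192.0 on the 2811 is only needed if NAT is moved to the router, as Jon notes.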