Basic ASA Configuration 8.4

holgerdenu
Level 1

Hi,

I'm using a lab with an ASA 5520 image v8.4 and I'm trying to set up basic connectivity between inside and outside. The host inside should be able to ping the host outside.

Host inside IP address: 192.168.0.2

Host outside IP address: 10.0.0.2

Each host can ping its own gateway (x.x.x.1).

I've configured the IP addresses of each interface and named them:


interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 10.0.0.1 255.0.0.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet2
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0

 

I have set up NAT:

object network inside_pat
 subnet 192.168.0.0 255.255.255.0


object network inside_pat
 nat (inside,outside) dynamic interface

 

I also tried with:


object network inside_pat
 nat (inside,outside) static 10.0.0.1

 

I have defined a default route:

route outside 0.0.0.0 0.0.0.0 10.0.0.1 1

 

And finally, rather helplessly, I tried to permit any (in case an ACL denied my traffic):

access-list outside standard permit any
access-list inside standard permit any

 

So... what am I doing wrong?

Thanks in advance
4 Replies

johnlloyd_13
Level 9

Hi,

Could you post a brief network topology?

You'll probably need an identity NAT for the 'inside' subnet to be able to talk to your 'outside' subnet.

object network INSIDE-SUBNET
 subnet 192.168.0.0 255.255.255.0

object network INSIDE-IDENTITY-NAT
 subnet 192.168.0.0 255.255.255.0
 nat (inside,outside) static INSIDE-SUBNET

 

Also, the static default route should point to a next-hop layer 3 IP and NOT to the exit IP of the ASA:

route outside 0.0.0.0 0.0.0.0 <NEXT HOP IP>

Here is the simple topology

I will check your suggestions as soon as I'm able to access my test lab.

Thanks

I have checked your suggestions, but this didn't solve my issue.

Here is the ASA config:


interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 10.0.0.1 255.0.0.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet2
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
object network INSIDE-SUBNET
 subnet 192.168.0.0 255.255.255.0
object network INSIDE-IDENTITY-NAT
 subnet 192.168.0.0 255.255.255.0
access-list outside standard permit any
access-list inside standard permit any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network INSIDE-IDENTITY-NAT
 nat (inside,outside) static INSIDE-SUBNET
route outside 0.0.0.0 0.0.0.0 10.0.0.2 1
 

 

192.168.0.2 can ping its gateway 192.168.0.1, but not 10.0.0.1 or 10.0.0.2.

Any other suggestions?

 

Thanks in advance

Hi,

You could first check if the ASA sees anything on the "outside" interface regarding ARP:

 

show arp | inc outside

 

Confirm that you can see the gateway IP address 10.0.0.2 there. If not, you can try to ping it from the ASA and then check the output of the above command again. If you still cannot see anything, then there is some problem between the ASA and the device behind the "outside" interface.

 

You have also changed your original Dynamic PAT to Identity NAT. Though if you don't want any NAT on the ASA, then you could simply leave out all NAT configuration. You would not need an Identity NAT at all. You will need it only if you have some broader Dynamic NAT/PAT configuration that would otherwise match the traffic.

 

Since you now have Identity NAT, are you sure the device behind the "outside" interface has a route that forwards traffic for the subnet 192.168.0.0/24 through the IP address 10.0.0.1, which is the ASA?


With Dynamic PAT this route would not be needed, as all user traffic would be PATed to the ASA "outside" interface IP address, and since that address belongs to the directly connected network between the ASA and the other device, the other device would naturally know where to forward the traffic. I would personally not use a 10.0.0.0/8 network on a single interface but rather a subnet, even in a lab environment.

 

You could also check the output of "show run policy-map". Look for the "inspect icmp" and "inspect icmp error" configuration lines. If they are not there, add them under the same class that the other "inspect" commands are configured in.

 

- Jouni
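Pulling the points raised in the replies together, here is one complete working variant of the lab config. It is an added example for this page, not config from the original poster or from Cisco documentation. It keeps the poster's original Dynamic PAT instead of Identity NAT, points the default route at a next-hop address rather than the ASA's own outside address, uses a /24 on the outside instead of 10.0.0.0/8, and adds ICMP inspection so echo replies are allowed back in. The `inside_pat` object name is taken from the first post; `global_policy` and `inspection_default` are the ASA 8.4 default policy-map and class names. It assumes, as the poster's second config does, that 10.0.0.2 is also the next hop for the default route.

```cisco
! Added example (not from the original post): minimal ASA 8.4 config for this lab,
! keeping the original Dynamic PAT rather than Identity NAT.
! Assumption: 10.0.0.2 (the outside host) is also the next hop for the default route,
! as in the poster's second config. Lines beginning with "!" are ignored by the ASA.
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 10.0.0.1 255.255.255.0
!
! A /24 above instead of 255.0.0.0: no need to claim all of 10.0.0.0/8 on one interface.
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
! Dynamic PAT: 192.168.0.0/24 leaves as 10.0.0.1, which is on the directly connected
! outside subnet, so the outside host needs no route back to 192.168.0.0/24.
object network inside_pat
 subnet 192.168.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Default route to the next hop's address, never to the ASA's own outside address (10.0.0.1).
! In this two-host lab 10.0.0.2 is directly connected, so this only matters for
! destinations beyond it.
route outside 0.0.0.0 0.0.0.0 10.0.0.2 1
!
! Inspect ICMP so the echo reply is matched to the outbound echo request and allowed
! back in through the lower-security "outside" interface without an inbound ACL.
! Inside-to-outside traffic itself is already permitted by the security levels (100 -> 0).
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
!
! If you keep Identity NAT instead (the INSIDE-IDENTITY-NAT object from the thread),
! the outside host must know the way back to 192.168.0.0/24, e.g. on Linux:
!   ip route add 192.168.0.0/24 via 10.0.0.1
! or on Windows:
!   route add 192.168.0.0 mask 255.255.255.0 10.0.0.1
```

The two `access-list ... standard permit any` lines from the original post are not referenced by any `access-group` command (and standard ACLs cannot be bound to an interface on the ASA anyway), so they have no effect on this traffic and are left out here. To verify, run `show arp | include outside` on the ASA to confirm it has resolved 10.0.0.2, then `packet-tracer input inside icmp 192.168.0.2 8 0 10.0.0.2`: the output walks the packet through the route lookup, NAT and access-list phases and names the phase that drops it, which is faster than guessing at the configuration.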
