01-17-2020 07:29 AM
Hi all
I have just bought a cisco 5505 to do some basic testing on.
This is running the base licence.
I am having a issue with natting.
Version of the asa 9.2
My setup is as follows:
Broadband router to ASA outside interface with security 0
ASA inside interface to a Cisco 2960 switch and has a security of 100
Cisco 2960 has a single VLAN on it.
I have setup my ASA with 2 interfaces, inside and outside.
Inside interface has an Ip address range 10.0.1.0/24 ( inside is .254)
Outside interface has the same IP address as my broadband rourter, 192.168.0.254 ( my broadband router is .1)
I have setup a default route : route outside 0.0.0.0 0.0.0.0 192.168.0.1 ( this should send all traffic to the outside interface, right?)
I have also setup an ohjbect group any with a subnet of 0.0.0.0 0.0.0.0 and assigned a NAT address to this:
nat (inside,outside) dynamic interface.
When I do show nat, it is telling me it is natting 0.0.0.0/0.0.0.0 to 192.168.0.254 which is ok as my BB router understands this range.
Both interfaces are setup as access ports in 2 different VLANs as the base licence doesn't allow trunks.
On my 2960, I have the link between ASA and 2960 setup as a access port.
Both ends sit on the same network ( 10.0.1.0/24) : ASA .254 and the 2960 is .1
I have also setup a static route on the 2960 and sending all traffic to .254 ( inside interface on the ASA).
From the switch I can ping the inside interface of the ASA
From the ASA I can ping the switch SVI on the inside interface
From the ASA I can ping 8.8.8.8 on outside interface which proves the link to BB works.
What i can't do:
1. I can't ping the outside interface of the ASA from the switch . I thought I should be able to as I am going from security level 100 to 0?
2. I can't ping 8.8.8.8 from switch sourcing from the inside VLAN. If I check the NAT entries on the ASA, it is counting up both translated and untranslated counters equally when I try and ping an outside address.
I am pretty sure this is something simple and lack of my ability to setup a firewall from scratch.
Thanks for your help
01-17-2020 07:37 AM
01-17-2020 02:35 PM
Thank you for the response.
I would have expected the ping not to have worked from the ASA cli either if icmp echo wasn't enabled?
01-17-2020 02:42 PM
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide