Basic firewall configuration

Hi all

 

I have just bought a Cisco 5505 to do some basic testing on.

This is running the base licence.

 

I am having an issue with NATting.

Version of the ASA: 9.2

 

My setup is as follows:

 

Broadband router to ASA outside interface with security 0

ASA inside interface to a Cisco 2960 switch and has a security of 100

Cisco 2960 has a single VLAN on it.

 

I have setup my ASA with 2 interfaces, inside and outside.

Inside interface has an Ip address range 10.0.1.0/24 ( inside is .254)

Outside interface has the same IP address range as my broadband router, 192.168.0.254 (my broadband router is .1)

I have setup a default route : route outside 0.0.0.0 0.0.0.0 192.168.0.1 ( this should send all traffic to the outside interface, right?)

I have also set up an object group "any" with a subnet of 0.0.0.0 0.0.0.0 and assigned a NAT address to this:

nat (inside,outside) dynamic interface.

 

When I do show nat, it is telling me it is natting 0.0.0.0/0.0.0.0 to 192.168.0.254 which is ok as my BB router understands this range.

 

Both interfaces are setup as access ports in 2 different VLANs as the base licence doesn't allow trunks.

 

On my 2960, I have the link between the ASA and the 2960 set up as an access port.

Both ends sit on the same network ( 10.0.1.0/24) : ASA .254 and the 2960 is .1

I have also setup a static route on the 2960 and sending all traffic to .254 ( inside interface on the ASA).

 

From the switch I can ping the inside interface of the ASA

From the ASA I can ping the switch SVI on the inside interface

From the ASA I can ping 8.8.8.8 on outside interface which proves the link to BB works.

 

What I can't do:

 

1. I can't ping the outside interface of the ASA from the switch. I thought I should be able to, as I am going from security level 100 to 0?

 

2. I can't ping 8.8.8.8 from switch sourcing from the inside VLAN. If I check the NAT entries on the ASA, it is counting up both translated and untranslated counters equally when I try and ping an outside address.

 

 

I am pretty sure this is something simple and my lack of ability to set up a firewall from scratch.

 

Thanks for your help

 

 

 

3 Replies

Hi,
1. That is not possible. You cannot be connected to the inside of the ASA and ping the outside interface, that is by design.
2. You should enable ICMP inspection to allow the ICMP response, use the command "fixup protocol icmp"

HTH.

Thank you for the response. 

 

I would have expected the ping not to have worked from the ASA cli either if icmp echo wasn't enabled? 

 

 

When you ping from the switch, the icmp response is through the ASA, you either need to specifically permit icmp inbound on the outside interface or enable icmp inspection, which is what the command I provided enables.

When you ping from the ASA itself, the response is to the ASA, this is not controlled by the ACL on the outside interface nor icmp inspection.
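For reference, here is what the configuration discussed in this thread looks like written out on ASA 9.x, as an added example rather than the poster's actual running config. Interface names, addresses and the default route are taken from the original post; the VLAN numbers and the object name INSIDE-ANY are assumptions.

```cisco
! Inside: 10.0.1.254/24 (security 100); outside: 192.168.0.254/24 (security 0)
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.1.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.0.254 255.255.255.0
!
! Default route towards the broadband router (192.168.0.1)
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
!
! Auto (object) NAT: PAT every inside source to the outside interface address.
! The object name is assumed; it must be an "object network", not an object-group.
object network INSIDE-ANY
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
!
! "fixup protocol icmp" is the legacy command; on 9.x the ASA stores it as
! ICMP inspection under the default global policy, which lets the echo-reply
! from 8.8.8.8 match the outbound echo-request instead of being dropped on the
! outside interface. This is narrower than permitting ICMP inbound with an ACL.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Verification: confirm inspection is active, watch the translate counters,
! and simulate the switch's ping through the box to see every step of the path.
show service-policy inspect icmp
show nat detail
packet-tracer input inside icmp 10.0.1.1 8 0 8.8.8.8
```

If packet-tracer shows the flow allowed and NATted but the echo-reply still never arrives, check the broadband router, since it must route 192.168.0.254 replies back to the ASA's outside interface.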