05-30-2012 03:56 AM - edited 03-11-2019 04:13 PM
Hi,
I have a problem with the configuration of a Cisco ASA 5520, IOS version 8.4. The connection is as follows: LAN network --> Firewall --> Routers with GLBP with a virtual IP address. The clients cannot ping the virtual interface of the GLBP group, but I can ping it from the firewall, and I can ping the clients from the firewall. I checked packet tracer and it gives:
Phase: 7
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside10,outside) source dynamic LAN interface
Additional Information:
Forward Flow based lookup yields rule:
in id=0x74331ed8, priority=6, domain=nat, deny=false
hits=1390, user_data=0x74334578, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.X.X.X, mask=255.255.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside10, output_ifc=outside
The firewall configuration is as follows:
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address XX.XX.0.XX 255.255.255.240
!
interface GigabitEthernet0/1
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.10
description DataVLAN
vlan 10
nameif inside10
security-level 100
ip address X.X.X.X 255.255.0.0
object-group network LAN
network-object X.X.X.X 255.255.0.0
nat (inside10,outside) source dynamic LAN interface
route outside 0.0.0.0 0.0.0.0 GLBP_Virtual_Interface
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
The GLBP routers are also configured with NAT, as follows:
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
ip address ISP_CLIENT_SIDE 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address XX.XX.0.XX 255.255.255.240
ip nat inside
ip virtual-reassembly in
glbp 1 ip GLBP_VIRTUAL_IP
duplex auto
speed auto
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 ISP_GW
access-list 1 permit any
Regards
Essa
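As an added example (not from the original thread), here is a small Python parser for ASA packet-tracer output like the excerpt above: it splits the trace into phases, finds the first phase whose Result is DROP, and pulls the key=value fields of the matched rule so the drop phase and the NAT rule it hit can be reported consistently. The sample trace is constructed from the phase quoted in the post, with a short ALLOW phase added in front.

```python
import re
# Constructed sample: a short ALLOW phase followed by the NAT phase quoted in the post.
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW

Phase: 7
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside10,outside) source dynamic LAN interface
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0x74331ed8, priority=6, domain=nat, deny=false
     src ip/id=10.X.X.X, mask=255.255.0.0, port=0
     input_ifc=inside10, output_ifc=outside
"""
HEADER = re.compile(r"^(Phase|Type|Subtype|Result):\s*(.*)$")
SECTIONS = {"Config:": "config", "Additional Information:": "info"}

def parse_phases(text):
    """Split packet-tracer output into phase dicts (header fields as keys, section lines as lists)."""
    phases, current, section = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = HEADER.match(line)
        if m and m.group(1) == "Phase":
            current = {"phase": int(m.group(2)), "config": [], "info": []}
            phases.append(current)
            section = None
        elif current is None or not line:
            continue
        elif m:
            current[m.group(1).lower()] = m.group(2)
        elif line in SECTIONS:
            section = SECTIONS[line]
        elif section:
            current[section].append(line)
    return phases

def first_drop(phases):
    """Return the first phase whose Result is DROP, or None."""
    return next((p for p in phases if p.get("result") == "DROP"), None)

def rule_fields(phase):
    """Flatten key=value tokens from the matched-rule lines into a dict."""
    fields = {}
    for line in phase["info"]:
        fields.update(re.findall(r"([\w/]+)=([^,\s]+)", line))
    return fields
```

Feeding the full `packet-tracer` output into `parse_phases` gives every phase, so the script can also confirm that all earlier phases returned ALLOW before the NAT drop.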
06-03-2012 09:40 AM
Essa,
Interesting. What do the syslogs show? What is your packet tracer trigger? Could you please copy and paste it, and the entire output as well? What is inside the object LAN?
Thanks,
Kureli