How to Allow Internet Traffic

dissai
Level 1

Hello Community,

I need assistance to allow internet traffic from a Cisco ASA Firewall (version 9.14) to a Cisco Router. I want users to connect to the internet through the Cisco Router, where I configured a DHCP pool. See below the configuration output for the Cisco ASA Firewall and the Cisco Router.

!
interface GigabitEthernet0/0
description OUTSIDE
nameif OUTSIDE
security-level 0
ip address 172.29.129.10 255.255.255.0
!
interface GigabitEthernet0/1
description connected to Cisco ROUTER Interface
description INSIDE
nameif INSIDE
security-level 100
ip address 192.168.10.253 255.255.255.252
!
interface GigabitEthernet0/2
description DMZ
nameif DMZ
security-level 80
ip address 172.18.200.253 255.255.255.0
!
!
interface Management0/0
description MGMT
no management-only
no nameif
no security-level
ip address 192.168.50.253 255.255.255.0
!
ftp mode passive
dns domain-lookup OUTSIDE
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
object network inside-network
subnet 192.168.10.252 255.255.255.252

access-list outside_access_in extended permit tcp any any eq www
access-list outside_access_in extended permit tcp any any eq https
pager lines 23
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu DMZ 1500
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
!

access-group outside_access_in in interface OUTSIDE
router ospf 1
router-id 192.168.10.253
network 172.29.129.0 255.255.255.0 area 0
network 192.168.10.0 255.255.255.0 area 0
log-adj-changes
redistribute connected
redistribute static
default-information originate
!
route OUTSIDE 0.0.0.0 0.0.0.0 172.29.129.254 1
route INSIDE 0.0.0.0 0.0.0.0 192.168.10.254 2


ciscoasa# show route ospf

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
SI - Static InterVRF
Gateway of last resort is 172.29.129.254 to network 0.0.0.0

O 192.168.200.0 255.255.255.0
[110/20] via 192.168.10.254, 00:40:27, INSIDE

ciscoasa#
---------------------------------------------------------------------------------------
                                    ROUTER

!

ip dhcp excluded-address 192.168.200.1
!
ip dhcp pool LAN_POOL
network 192.168.200.0 255.255.255.0
default-router 192.168.200.1
dns-server 8.8.8.8 8.8.4.4
!
interface Ethernet0/0
description connected to Cisco ASA INSIDE Interface
ip address 192.168.10.254 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
!
interface Ethernet0/1
ip address 192.168.200.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
!
interface Ethernet0/2
no ip address
shutdown
duplex auto
!
interface Ethernet0/3
no ip address
shutdown
duplex auto
!
router ospf 1
redistribute connected subnets
redistribute static subnets
network 192.168.10.252 0.0.0.3 area 0
network 192.168.200.0 0.0.0.255 area 0
neighbor 192.168.10.253
default-information originate
!
ip forward-protocol nd

ip nat inside source list 10 interface Ethernet0/0 overload
ip route 0.0.0.0 0.0.0.0 192.168.10.253
!
ipv6 ioam timestamp
!
!
! the originally posted entry was "access-list 10 permit 0.0.0.0 255.255.255.0";
! a wildcard mask of 255.255.255.0 only matches addresses whose last octet is 0,
! so the DHCP pool 192.168.200.0/24 needs the wildcard 0.0.0.255 instead
access-list 10 permit 192.168.200.0 0.0.0.255

!
Router#show ip route ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 192.168.10.253 to network 0.0.0.0

172.29.0.0/24 is subnetted, 1 subnets
O 172.29.129.0 [110/20] via 192.168.10.253, 00:41:27, Ethernet0/0
Router#
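As an added example (not part of the original post or the router's own configuration), the Python below evaluates IOS standard-ACL wildcard masks the way the router does and applies it to the NAT access-list 10 shown above; the sample host addresses and the "intended" entry 192.168.200.0 0.0.0.255 are assumptions.

```python
# Added example: IOS wildcard-mask evaluation for a standard ACL,
# applied to the router's NAT ACL 10 from the thread.
import ipaddress


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care',
    a 0 bit means the packet bit must equal the corresponding base bit."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)


def acl_permits(addr: str, entries) -> bool:
    """Standard ACL: first matching entry wins; implicit deny at the end."""
    for action, base, wildcard in entries:
        if wildcard_match(addr, base, wildcard):
            return action == "permit"
    return False


# As posted in the thread: access-list 10 permit 0.0.0.0 255.255.255.0
ACL_AS_POSTED = [("permit", "0.0.0.0", "255.255.255.0")]
# Assumed intent: match the DHCP pool 192.168.200.0/24
ACL_INTENDED = [("permit", "192.168.200.0", "0.0.0.255")]


def which_hosts_match(entries, hosts):
    """Map each constructed sample host to whether the ACL permits it."""
    return {h: acl_permits(h, entries) for h in hosts}


if __name__ == "__main__":
    # Constructed sample addresses: a LAN host, the LAN network address,
    # and an unrelated address that happens to end in .0
    sample_hosts = ["192.168.200.10", "192.168.200.0", "10.5.5.0"]
    print(which_hosts_match(ACL_AS_POSTED, sample_hosts))
    print(which_hosts_match(ACL_INTENDED, sample_hosts))
```

The posted mask permits only addresses ending in .0 (including ones outside the LAN), so a DHCP client such as 192.168.200.10 is never selected for translation by the router.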

10 Replies

Is this a lab or a production environment you are setting up? Where is NAT being done? If the ASA is connecting directly to the internet / ISP, and you have changed IPs to hide your public IP, then you are missing a dynamic PAT / NAT statement on the ASA.

--
Please remember to select a correct answer and rate helpful posts

route OUTSIDE 0.0.0.0 0.0.0.0 172.29.129.254 1 <- this OK
route INSIDE 0.0.0.0 0.0.0.0 192.168.10.254 2 <- this is wrong. You run OSPF on the router, so why don't you use OSPF between the ASA and the router?

MHM

Hi MHM,

I have removed the static route on the ASA and OSPF has come up, but from the router I still cannot get to the internet.

What is missing in my configuration on both the Cisco ASA and the router?

ciscoasa# show ospf neighbor


Neighbor ID Pri State Dead Time Address Interface
192.168.200.1 1 FULL/DR 0:00:38 192.168.10.254 INSIDE

Router#show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
192.168.10.253 1 FULL/BDR 00:00:30 192.168.10.253 Ethernet0/0
Router#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Router#

Unless you have omitted the configuration from your original post, you are missing NAT on your ASA! I mentioned this in my previous post.

--
Please remember to select a correct answer and rate helpful posts

Now we have solved the routing. As @Marius Gunnerud mentioned, you now need NAT:

object network router

subnet <any prefix learned from router>

nat (INSIDE,OUTSIDE) dynamic interface

MHM

Hi MHM,

I put the configuration below and it works, but I wonder why, when I try to put nat (INSIDE,OUTSIDE) source static obj_inside obj_inside destination static obj_inside obj_inside, it is not working.

object network obj_inside
subnet 0.0.0.0 0.0.0.0

nat (INSIDE,OUTSIDE) dynamic interface

It seems to be working.

Router#ping www.google.com source 192.168.200.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 216.58.223.68, timeout is 2 seconds:
Packet sent with a source address of 192.168.200.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 9/9/10 ms
Router#ping 8.8.8.8 source 192.168.200.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.200.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/12/14 ms
Router#

nat (Inside,Outside) source static obj_inside obj_inside destination static obj_inside obj_inside

When you put in the above statement you are translating the inside hosts to their original IPs, not to mention you are doing a static translation, which will not scale. If you are testing in a lab you could change this statement to "source dynamic obj_inside interface" and it should work.

But the issue with it not working is that your inside network is not reachable by the L3 device that is the next hop from the ASA on the outside interface, and / or that L3 device is not doing NAT for the inside subnet.

--
Please remember to select a correct answer and rate helpful posts
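As an added example, not code from the thread or from Cisco, the Python below models the ASA's NAT lookup order (section 1 manual/twice NAT is consulted before section 2 object NAT) for the two statements discussed here, with obj_inside defined as subnet 0.0.0.0 0.0.0.0 as in the working config; the LAN host 192.168.200.10 and the simplified rule model are assumptions.

```python
# Added example: simplified model of ASA NAT rule ordering applied to the
# thread's two NAT statements. Not the ASA's real implementation.
import ipaddress
from dataclasses import dataclass

OUTSIDE_IF_IP = "172.29.129.10"          # ASA OUTSIDE interface from the posted config
ANY = ipaddress.ip_network("0.0.0.0/0")  # obj_inside as posted: subnet 0.0.0.0 0.0.0.0


@dataclass
class NatRule:
    section: int                  # 1 = manual (twice) NAT, 2 = object (auto) NAT
    src: ipaddress.IPv4Network    # original source object
    dst: ipaddress.IPv4Network    # destination object ("any" for object NAT)
    kind: str                     # "identity" keeps the source; "pat" uses the interface IP


def translate(src_ip: str, dst_ip: str, rules) -> str:
    """Return the source address after NAT. Rules are evaluated section by
    section (1 before 2) and the first match wins, as on the ASA."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in sorted(rules, key=lambda r: r.section):
        if s in rule.src and d in rule.dst:
            return src_ip if rule.kind == "identity" else OUTSIDE_IF_IP
    return src_ip  # no rule matched: the packet leaves untranslated


# Working config from the thread: object NAT only (section 2).
OBJECT_PAT = [NatRule(2, ANY, ANY, "pat")]
# Config that failed: identity twice NAT (section 1) in front of it, with
# obj_inside = 0.0.0.0/0 so the destination clause also matches everything.
WITH_IDENTITY = [NatRule(1, ANY, ANY, "identity")] + OBJECT_PAT


def lan_host_source_after_nat(rules) -> str:
    """Assumed DHCP client 192.168.200.10 reaching 8.8.8.8 through the ASA."""
    return translate("192.168.200.10", "8.8.8.8", rules)


if __name__ == "__main__":
    print(lan_host_source_after_nat(OBJECT_PAT))     # 172.29.129.10
    print(lan_host_source_after_nat(WITH_IDENTITY))  # 192.168.200.10
```

With the identity rule present the LAN source is sent out unchanged, which only works if the next hop beyond the OUTSIDE interface can route 192.168.200.0/24 back.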

nat (INSIDE,OUTSIDE) source static obj_inside obj_inside destination static obj_inside obj_inside

This identity NAT must not affect the dynamic NAT since the destination is different.

Can I see the output of:

show run nat

Thanks 

MHM

Hi MHM,

Here is the output:

ciscoasa(config)# show run nat
!
object network obj_inside
nat (INSIDE,OUTSIDE) dynamic interface
ciscoasa(config)#

Kind Regards,

DI

You have a private IP configured on your outside interface, so where is NAT being done if it is not on the ASA?

You could set up a capture on the ASA inside and outside interfaces for your test traffic and see if you see your test traffic on both interfaces.

Also, if you are only testing with ping, make sure that you have "inspect icmp" configured in your policy map:

policy-map global_policy
class inspection_default
inspect icmp
--
Please remember to select a correct answer and rate helpful posts