Outside traffic not coming in to the ASA.

Hello Experts,

I have an ASA 5505 in my lab and I have a Verizon router.

I have a second network behind the ASA and routing is done on the ASA. All traffic from the "inside" interface goes out through the "Outside" interface without any issues. However, no traffic comes in from outside to inside. I have an access-list to allow any from outside to inside. Please see the ACL picture attached.

I am thinking that it could be a routing issue from the Verizon router to the ASA but I wanted to check with you all.

Thanks to you all in advance!!

Regards,

Saji


Hi Saji,

Are you facing the issue which is originated outside and destined to the ASA inside network? Please confirm this.

If this is the case then you need a NAT which maps the inside host to outside IP.

As per the ACL it should allow all the traffic.

You can run a packet tracer on the ASA via CLI to see the flow.

packet-tracer input outside tcp <source IP> 12345 <destination IP> 443 det

packet-tracer input outside tcp <source IP> 12345 <destination IP> 22 det

P.S. Please rate helpful posts.

Thanks,

Shivapramod M


What license are you running on the 5505? You will need a Security Plus license to have more than 3 active VLANs. If you have a base license you will only be able to have the 3rd VLAN communicate with one of the other VLANs.

What version ASA are you running?

Issue the command show run nat-control.

If you have nat-control configured, issue the no nat-control global configuration command.

--

Please remember to select a correct answer and rate helpful posts


Hello Shiva,

Your point is correct and that is what I thought initially. However, this is the configuration and the problem.

1. The ASA is connected to the Verizon network 192.168.1.x on port 0/1 (vlan 2 outside IP address 192.168.1.200). The port has no IP address.

2. The inside network 192.168.10.x is connected to port 0/2 (vlan 1 inside IP address 192.168.10.200). This port also has no IP address.

3. Routing is done on the inside as "ip route 0.0.0.0 0.0.0.0 192.168.1.1"

4. All inside network (192.168.10.x) can ping to the outside network (192.168.1.x) and everything works fine.

5. I can ping the Outside vlan IP address 192.168.1.200 from 192.168.1.x so that is also not a problem.

Problem:

Nothing comes in to 192.168.10.x from outside 192.168.1.x OR, in other words, nothing comes in from vlan 2 to vlan 1.

Is it because they are on different VLANs? Will I need to create some kind of route or NAT from the outside interface to inside?

Also, there are many computers in the inside network that will need access from the outside from inside.

I ran the packet tracer and everything from 1 to 6 is allowed but the 7th is dropped. Picture is attached.

Thanks!

Saji Thomas


That drop in packet tracer comes because you are using the wrong destination IP. In this case you would need to use the outside IP as the destination IP.

Do you have static NATs in place? If you have a dynamic NAT configured you will need to configure a static NAT to the inside IP to be able to reach it.

Since you are running version 8.2 or earlier, could you also please check the running configuration to see if you have nat-control enabled, as I mentioned previously.

--

Please remember to select a correct answer and rate helpful posts


I am trying to ping 192.168.10.21 (which is the inside network on the ASA) from the 192.168.1.x network (which is the outside network on the ASA).

When I do packet tracer, the input is the outside interface and the ping packet source is from 192.168.1.x trying to reach 192.168.10.21. So I believe the source and destination are correct in my command. Or is it the other way around?

That would really confuse me.

Thanks!

Saji


Hi Saji,

If I consider everything to be as mentioned, you are using private IPs on both sides. I expect that you might be performing NAT on the Verizon router to get internet access. I believe it is something which you might need to configure on the Verizon router instead of the ASA.

When you wish to have access to some of your inside hosts, you need to have a one-to-one static NAT mapping instead of dynamic or many-to-one through ports (whether it is the ASA or the router).

If Verizon is the one which is giving Internet access to your inside hosts, then you could remove the dynamic NAT from the ASA and let the Verizon router perform NAT for everything. In any case Verizon needs to know the mapping of a specific port or IP to that of the inside host to untranslate the traffic. Therefore perform one-to-one static NAT on Verizon.

Hope it helps.

Regards,

Akshay Rastogi


Akshay, I think the ASA will not allow you to have the "same IP address range" on the outside and inside interfaces. I remember trying to do that and got the error. But I may be wrong.

Let me know if you have ever tried it that way. 


As I have tried to mention above, you are using the wrong destination IP when running the packet-tracer. You have a dynamic NAT on the outside interface and you will therefore need to use the outside interface IP. The rpf-check drop on the outside interface is 99% of the time a wrong destination address when using the packet tracer.

You need to add a static NAT to be able to reach the host server on the inside.

--

Please remember to select a correct answer and rate helpful posts
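To make the static-NAT advice in the replies above concrete, here is an added example configuration (not the poster's running config and not taken from Cisco documentation) for an ASA running 8.2 or earlier, the version range the thread mentions. It assumes the interface names and addresses given in the thread (inside 192.168.10.200, outside 192.168.1.200, inside host 192.168.10.21), a free address 192.168.1.21 on the Verizon LAN chosen here as the mapped address, an ACL name outside_access_in, and an outside test host 192.168.1.50; all four of those are assumptions, not values from the thread.

```cisco
! Added example for ASA 8.2 syntax (pre-8.3). Assumed values: mapped address
! 192.168.1.21, ACL name outside_access_in, test source 192.168.1.50.

! Existing dynamic PAT: inside hosts leave using the outside interface address.
! PAT alone cannot untranslate a NEW inbound flow to a specific inside host,
! which is why inbound access needs a static entry.
nat (inside) 1 192.168.10.0 255.255.255.0
global (outside) 1 interface

! One-to-one static NAT: outside hosts address 192.168.1.21, the ASA
! untranslates to the real inside host 192.168.10.21.
static (inside,outside) 192.168.1.21 192.168.10.21 netmask 255.255.255.255

! Alternative when no spare outside address exists: port-forward a single
! service on the outside interface address instead of mapping the whole host.
! static (inside,outside) tcp interface 443 192.168.10.21 443

! Inbound ACL. On 8.2 the ACL matches the MAPPED (outside) address.
! Permit only the services that must be reachable; "permit ip any any"
! exposes every port of the mapped host.
access-list outside_access_in extended permit tcp any host 192.168.1.21 eq 443
access-list outside_access_in extended permit tcp any host 192.168.1.21 eq 22
access-list outside_access_in extended permit icmp any host 192.168.1.21 echo
access-group outside_access_in in interface outside

! nat-control check from the thread: if enabled, traffic with no NAT rule is
! dropped, so either keep a matching rule for every flow or disable it.
show running-config nat-control

! Verify with packet-tracer using the MAPPED address as destination; the
! rpf-check drop in the thread came from using the real inside address.
packet-tracer input outside tcp 192.168.1.50 12345 192.168.1.21 443 detailed
packet-tracer input outside icmp 192.168.1.50 8 0 192.168.1.21 detailed

! Confirm the static translation is installed
show xlate
```

On ASA 8.3 and later the same mapping is written as an object NAT (`object network` with `nat (inside,outside) static 192.168.1.21`) and the inbound ACL references the real address 192.168.10.21 rather than the mapped one, so the packet-tracer destination changes accordingly.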

Marius, I have a feeling that you are correct. I will create a static NAT and check.

I will update you all.

Thanks!

Saji

Could you please paste the outside interface config.

I had run into a similar issue. I fixed it by changing the outside security level to 0.

Please do not forget to rate.

Outside is 0.

DMZ is 50 (though not used).

Inside is 100.

I am sure it has something to do with NAT.