11-03-2013 02:58 AM - edited 03-11-2019 07:59 PM
Hi
I'm new to firewalls, so apologies if I'm wrong anywhere.
Here is my setup.
I have a cisco C3560 switch with multiple VLans
It is connected to ASA 5505 which is further connected to Internet.
C3560 <--> G0/46 <--> 10.40.250.2 <--> 10.40.250.1 <--> E0/1 <--> ASA 5505
My problem is I'm not able to ping internet hosts from switch. Reverse route is fine. I'm able to ping switch and hosts on other Vlans.
And from the switch I'm able to ping 10.40.250.1 (ASA interface). But from the switch or my desktop I'm not able to get to the Internet.
Following are my configurations. Kindly help.
ASA Configuration
<code>
:
ASA Version 8.2(2)
!
hostname sg-fw2
names
!
interface Ethernet0/0
nameif OUTSIDE
security-level 0
ip address dhcp setroute
!
interface Ethernet0/1
nameif INSIDE
security-level 100
ip address 10.40.250.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
object-group network INTERNAL_RANGE
pager lines 24
logging enable
logging asdm informational
logging mail critical
mtu OUTSIDE 1500
mtu INSIDE 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
router eigrp 321
no auto-summary
default-metric 100000 1 255 1 1500
network 0.0.0.0 0.0.0.0
redistribute static
!
route INSIDE 10.40.0.0 255.255.0.0 10.40.250.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.40.0.0 255.255.0.0 INSIDE
snmp-server host INSIDE 10.40.12.210 poll community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server community *****
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 10.40.0.0 255.255.0.0 INSIDE
ssh timeout 5
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:3b4c6840cb9a7b2b490bcc2574f65371
: end
</code>
C3560 Switch Configuration
<code>
Building configuration...
Current configuration : 10370 bytes
!
! Last configuration change at 19:05:13 WST Sat Nov 2 2013 by sysadmin
!
version 15.0
no service pad
no service timestamps debug uptime
service timestamps log datetime
service password-encryption
service sequence-numbers
!
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authentication login default local
!
!
!
!
!
!
aaa session-id common
clock timezone WST 8 0
clock summer-time GMT recurring last Sun Mar 1:00 last Sun Oct 2:00
system mtu routing 1500
ip routing
!
!
!
ip dhcp snooping vlan 522
ip dhcp snooping
!
!
!
!
!
!
!
!
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig (STP)
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause sfp-config-mismatch
errdisable recovery cause gbic-invalid
errdisable recovery cause l2ptguard
errdisable recovery cause psecure-violation
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause vmps
errdisable recovery cause storm-control
errdisable recovery cause arp-inspection
errdisable recovery cause loopback
!
spanning-tree mode pvst
spanning-tree extend system-id
spanning-tree vlan 1-999 priority 24576
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
interface Port-channel1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/1
switchport access vlan 522
switchport mode access
!
interface GigabitEthernet0/2
switchport access vlan 522
switchport mode access
!
interface GigabitEthernet0/3
switchport access vlan 522
switchport mode access
!
interface GigabitEthernet0/4
switchport access vlan 522
switchport mode access
!
interface GigabitEthernet0/5
switchport access vlan 512
switchport mode access
!
interface GigabitEthernet0/6
switchport access vlan 522
switchport mode access
!
interface GigabitEthernet0/7
switchport access vlan 522
switchport mode access
!
interface GigabitEthernet0/8
switchport access vlan 522
switchport mode access
!
interface GigabitEthernet0/9
switchport access vlan 522
switchport mode access
!
interface GigabitEthernet0/10
switchport access vlan 522
switchport mode access
!
interface GigabitEthernet0/11
switchport access vlan 522
switchport mode access
!
interface GigabitEthernet0/12
switchport access vlan 522
switchport mode access
!
interface GigabitEthernet0/13
switchport access vlan 522
switchport mode access
!
interface GigabitEthernet0/14
switchport access vlan 522
switchport mode access
!
interface GigabitEthernet0/15
switchport access vlan 522
switchport mode access
!
interface GigabitEthernet0/16
switchport access vlan 522
switchport mode access
!
interface GigabitEthernet0/17
switchport access vlan 523
!
interface GigabitEthernet0/18
description trunk to bm-sg-sw3 in other server room
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/19
description link to 3com switch for 10.40.12.x network
switchport access vlan 512
ip dhcp snooping trust
!
interface GigabitEthernet0/20
description link to drac card on xen server
switchport access vlan 523
switchport mode access
mls qos trust cos
!
interface GigabitEthernet0/21
switchport access vlan 512
switchport mode access
!
interface GigabitEthernet0/22
switchport access vlan 512
switchport mode access
!
interface GigabitEthernet0/23
switchport access vlan 512
switchport mode access
!
interface GigabitEthernet0/24
switchport access vlan 512
switchport mode access
!
interface GigabitEthernet0/25
switchport access vlan 512
switchport mode access
!
interface GigabitEthernet0/26
switchport access vlan 512
switchport mode access
!
interface GigabitEthernet0/27
switchport access vlan 512
switchport mode access
!
interface GigabitEthernet0/28
switchport access vlan 512
switchport mode access
!
interface GigabitEthernet0/29
switchport access vlan 512
switchport mode access
!
interface GigabitEthernet0/30
switchport access vlan 512
switchport mode access
!
interface GigabitEthernet0/31
switchport access vlan 512
switchport mode access
!
interface GigabitEthernet0/32
switchport access vlan 512
switchport mode access
ip dhcp snooping trust
!
interface GigabitEthernet0/33
description servers in engineering room
switchport access vlan 523
mls qos trust cos
!
interface GigabitEthernet0/34
description link to rack for engineering network
switchport access vlan 523
mls qos trust cos
!
interface GigabitEthernet0/35
description C1841-F0/1
switchport access vlan 600
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/36
description ASA5510-F0/1
switchport access vlan 600
switchport mode access
mls qos trust cos
spanning-tree portfast
!
interface GigabitEthernet0/37
description C2811-F0/0
switchport access vlan 600
switchport mode access
mls qos trust cos
spanning-tree portfast
!
interface GigabitEthernet0/38
description vmserver1
switchport access vlan 512
ip dhcp snooping trust
!
interface GigabitEthernet0/39
switchport access vlan 512
switchport mode access
!
interface GigabitEthernet0/40
description build server nas
switchport access vlan 512
switchport mode access
!
interface GigabitEthernet0/41
description server farm b
switchport access vlan 522
!
interface GigabitEthernet0/42
switchport access vlan 523
switchport mode access
mls qos trust cos
!
interface GigabitEthernet0/43
description hub for engineering server farm
switchport access vlan 522
!
interface GigabitEthernet0/44
description connection for voip 2851
no switchport
ip address 10.40.40.1 255.255.255.0
!
interface GigabitEthernet0/45
no switchport
no ip address
!
interface GigabitEthernet0/46
description connection to ASA inside
no switchport
ip address 10.40.250.2 255.255.255.0
duplex full
!
interface GigabitEthernet0/47
description span port
!
interface GigabitEthernet0/48
!
interface GigabitEthernet0/49
description trunk to 3560-POE switch 2
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode desirable
!
interface GigabitEthernet0/50
!
interface GigabitEthernet0/51
!
interface GigabitEthernet0/52
!
interface Vlan1
ip address 10.10.100.1 255.255.255.0
!
interface Vlan10
ip address 10.40.10.3 255.255.255.0
!
interface Vlan300
ip address 10.40.255.1 255.255.255.248
!
interface Vlan512
description corp_serv
ip address 10.40.12.1 255.255.255.0
!
interface Vlan520
description corp_con
ip address 10.40.200.1 255.255.254.0
!
interface Vlan522
description workstations
ip address 10.40.224.1 255.255.254.0 secondary
ip address 10.40.220.1 255.255.254.0
ip helper-address 10.40.12.253
ip helper-address 10.40.12.252
!
interface Vlan523
description office_lab
ip address 10.40.230.1 255.255.254.0
ip access-group vlan523_access_in in
no ip unreachables
!
!
router eigrp 321
network 3.0.0.0
network 10.0.0.0
eigrp stub connected summary
!
ip http server
ip http authentication local
ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 10.40.250.1
ip route 10.1.0.0 255.255.0.0 10.40.10.254
ip route 10.1.1.0 255.255.255.0 10.40.250.1
ip route 10.40.240.0 255.255.254.0 10.40.40.2
ip route 202.56.195.121 255.255.255.255 10.40.10.254
ip route 202.152.162.174 255.255.255.255 10.40.10.254
ip route 202.152.162.177 255.255.255.255 10.40.10.254
ip route 203.145.131.152 255.255.255.255 10.40.10.254
ip route 203.196.249.7 255.255.255.255 10.40.10.254
!
ip access-list extended search_for_192.168
permit ip any host 216.246.60.14 log-input
ip access-list extended vlan523_access_in
remark permit any tcp connection into this vlan to return
permit tcp any any established
remark allow DNS query
permit udp any host 10.40.12.253 eq domain
remark http access to fumes
permit tcp any host 10.26.156.51 eq www
permit tcp any host 10.26.156.51 eq 443
remark http access to 3.0 build machine
permit tcp any host 10.26.156.30 eq www
permit tcp any host 10.26.156.30 eq 443
remark allow communication between 10.40.231.205 and cisco cme
permit ip host 10.40.231.205 host 10.40.240.1
permit ip host 10.40.231.205 host 10.40.40.2
remark Allow IANA ephemeral port
permit udp any any range 49152 65535
permit udp any any range 25000 35000
permit udp any any range 40001 45000
remark permit connection to SingNet Proxy
permit tcp any host 220.255.4.9 eq 8080
remark http and NFS access to filesvr
permit tcp any host 10.40.12.248 eq www
permit tcp any host 10.40.12.248 eq 443
permit tcp any host 10.40.12.248 eq sunrpc
permit udp any host 10.40.12.248 eq sunrpc
permit tcp any host 10.40.12.248 eq 2049
permit udp any host 10.40.12.248 eq 2049
permit tcp any host 10.40.12.248 range 4000 4002
permit udp any host 10.40.12.248 range 4000 4002
remark permit sip traffic
permit tcp any any range 5060 5063
permit udp any any range 5060 5063
permit udp any any range 5000 5003
permit udp any any range 5010 5013
permit udp any any range 16384 32767
remark permit access to ldap server
permit tcp any host 10.40.12.247 eq 389
deny icmp any any redirect
deny icmp any any mask-request
permit icmp any any
permit ip 0.0.0.0 255.255.254.0 0.0.0.0 255.255.254.0
permit tcp 0.0.0.0 255.255.254.0 0.0.0.0 255.255.254.0
permit ip any any
permit tcp any any
!
logging trap warnings
logging facility syslog
logging source-interface Loopback0
logging host 10.40.12.210
!
!
!
!
!
line con 0
logging synchronous
line vty 0 4
privilege level 15
password 7 120F0B0F1F08545D79
transport preferred none
transport input telnet
transport output none
line vty 5 15
privilege level 15
password 7 120F0B0F1F08545D79
transport preferred none
transport input telnet
transport output none
!
!
monitor session 1 source vlan 1 - 4094
monitor session 1 destination interface Gi0/47
ntp server 10.40.12.253 prefer
end
</code>
11-03-2013 05:17 AM
Hi,
Seems you have posted the same thread twice (they probably moved your threads to this section from some other section)
So posting the same reply here as in the other thread.
Hi,
The ASA is lacking NAT configurations.
You can do the basic Dynamic PAT translation with either of the below ways
global (OUTSIDE) 1 interface
nat (INSIDE) 1 0.0.0.0 0.0.0.0
global (OUTSIDE) 1 interface
nat (INSIDE) 1 10.0.0.0 255.0.0.0
Hope this helps
- Jouni
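As an added example (not code from the thread or from Cisco), a small Python check of the point made in this reply: it walks an ASA 8.2-style config for nameif/security-level pairs and reports any higher-security interface that has no `nat` id matched by a `global` on a lower-security interface, run over a constructed excerpt of the posted config before and after the dynamic PAT lines are appended.

```python
import re

# Constructed excerpt of the ASA 8.2 config posted above: interfaces only,
# no nat/global pair, which is what the reply says is missing.
ASA_BEFORE = """\
interface Ethernet0/0
 nameif OUTSIDE
 security-level 0
interface Ethernet0/1
 nameif INSIDE
 security-level 100
"""
# The same excerpt with the dynamic PAT pair from the reply appended.
ASA_AFTER = ASA_BEFORE + "global (OUTSIDE) 1 interface\nnat (INSIDE) 1 0.0.0.0 0.0.0.0\n"

NAT_RE = re.compile(r"^\s*nat \((\S+)\) (\d+) ", re.M)
GLOBAL_RE = re.compile(r"^\s*global \((\S+)\) (\d+) ", re.M)


def parse_interfaces(config):
    """Map nameif -> security-level by walking the interface blocks."""
    levels, name = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            name = None
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("security-level ") and name:
            levels[name] = int(line.split()[1])
    return levels


def ids_by_interface(config, pattern):
    """Collect the nat/global ids configured per interface name."""
    ids = {}
    for ifname, nat_id in pattern.findall(config):
        ids.setdefault(ifname, set()).add(nat_id)
    return ids


def missing_pat(config):
    """(higher, lower) pairs whose nat id has no matching global on 'lower'."""
    levels = parse_interfaces(config)
    nat_ids = ids_by_interface(config, NAT_RE)
    global_ids = ids_by_interface(config, GLOBAL_RE)
    problems = []
    for inside, lvl_in in levels.items():
        for outside, lvl_out in levels.items():
            # Private inside addresses need translation towards the Internet;
            # without a nat/global pair replies never come back.
            if lvl_in > lvl_out and not (nat_ids.get(inside, set())
                                         & global_ids.get(outside, set())):
                problems.append((inside, outside))
    return sorted(problems)
```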