03-30-2015 03:08 AM - edited 03-11-2019 10:43 PM
Hello All,
I have a server connected to a VLAN on a 2960 switch, which is connected to the ASA 5545.
The server is accessible from outside, as I am able to ping its public IP as well as SSH to it; however, the problem is that I am not able to access the Internet from the server.
I am using ASA version 9.1; I also created the access-list and NAT rule through the Public Server feature of ASDM.
Kindly help me find where I am wrong.
Thanks
03-30-2015 03:19 AM
Hi,
If you check the NAT for the server, is this a static PAT/port forward or a one-to-one static NAT?
If it is a port forward/static PAT, outbound ping would need a dynamic NAT for the ping to be allowed to the Internet.
Also, other than this, check these things:
1) ICMP inspection, if no ACL is applied on the private interface
2) An "allow ICMP" ACE on the ACL, if an ACL is applied on the private interface
Thanks and Regards,
Vibhor Amrodia
03-30-2015 03:47 AM
Thanks Vibhor,
I have a static one-to-one NAT applied; no port forwarding is done.
Kindly let me know how to allow ICMP inspection for a particular interface.
Thanks
03-30-2015 04:29 AM
Hi,
You just need to run this command: fixup protocol icmp
This is a global feature and will be enabled for the complete device.
Also, run a packet trace to find out what policies are being hit on the ASA device for this traffic.
Refer:
https://supportforums.cisco.com/document/29601/troubleshooting-access-problems-using-packet-tracer
Thanks and Regards,
Vibhor Amrodia
03-30-2015 07:51 AM
I have an Ubuntu server which I am not able to update or upgrade, as it is not able to access the Internet.
Not sure where the problem is. I ran the packet tracer; it shows the implicit configured rule is the problem for the configured DMZ, and when I checked that rule it is there by default, as I am unable to edit or delete it.
03-30-2015 08:04 AM
How are you trying to access the Internet from the server, i.e. what port are you testing on?
Can you post the ASA configuration?
Jon
03-30-2015 08:59 AM
I have an Ubuntu server which is connected to the DMZ port of the ASA, and from there I try to ping Google DNS, which I am unable to; also I am not able to update and upgrade my server.
object network water_private
nat (dmz5,Jeraisy) static waterlevel_public
access-group Jeraisy_access in interface Jeraisy
access-list Jeraisy_access extended permit object-group DM_INLINE_SERVICE_6 any4 object water_private
route Jeraisy 0.0.0.0 0.0.0.0 83.101.xx.xx 2
03-30-2015 05:45 PM
Hi,
I see that you mentioned the packet tracer drops this traffic? Can you post the trace output?
Thanks and Regards,
Vibhor Amrodia
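The checks Vibhor and Jon are asking for, collected into one ASA 9.1 session as an added example (not a post from the thread). It uses the interface names dmz5 and Jeraisy from the posted configuration; the server's private address 192.168.5.10 and the mirror address 198.51.100.80 are constructed placeholders, and 8.8.8.8 stands for the Google DNS the poster was pinging.

```cisco
! Added example, not from the thread. Interface names dmz5 / Jeraisy come
! from the posted config; 192.168.5.10 and 198.51.100.80 are constructed.
! Run from enable mode on the ASA.

! 1. Which default route is actually installed? With two default routes of
!    different metrics (the posted one has metric 2) only the better one
!    is used, so the Jeraisy route may never carry outbound traffic.
show route

! 2. Trace an outbound ping and an outbound HTTP request from the server.
!    The output names the phase (ROUTE-LOOKUP, ACCESS-LIST, NAT, ...) that
!    drops the packet and the exact rule that was hit.
packet-tracer input dmz5 icmp 192.168.5.10 8 0 8.8.8.8 detailed
packet-tracer input dmz5 tcp 192.168.5.10 40000 198.51.100.80 80 detailed

! 3. If the trace stops at ACCESS-LIST with the implicit deny, an ACL is
!    applied inbound on dmz5 and needs a permit entry for the server's
!    outbound traffic. This shows which ACLs are bound to which interface.
show running-config access-group

! 4. Confirm the static NAT exists and whether it has ever translated.
show nat detail
show xlate

! 5. Confirm ICMP inspection (the 8.3+/9.x form of "fixup protocol icmp")
!    is in the global policy; without it echo replies are dropped unless
!    the outside ACL explicitly permits them in.
show running-config policy-map
! If "inspect icmp" is missing under inspection_default, add it:
policy-map global_policy
 class inspection_default
  inspect icmp
```

Read the two packet-tracer outputs top to bottom: the first phase marked DROP is the one to fix, and the interface reported in the ROUTE-LOOKUP phase tells you which ISP link the ASA really chose for the server's traffic.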
03-31-2015 07:45 AM
03-31-2015 08:17 AM
I thought "Jeraisy" was your outside interface, but that's not what your packet tracer is saying.
Can you just post the configuration of the firewall?
Jon
03-31-2015 08:42 AM
03-31-2015 09:02 AM
Can you post "sh route"?
Jon
04-01-2015 04:07 AM
Hi,
I agree with Jon on this issue: because you have two ISPs, the one which is secondary would never be used for routing the traffic outbound to the Internet.
There is a workaround that can be used, but it should only be used cautiously:
If you are okay to route all the outbound traffic for a specific destination port out through ISP 2 (Jeraisy), for example,
if you want all the outbound traffic destined to port 80 to go out through this interface, you can create a statement like this:
static (Jeraisy ,DMZ5) tcp 0.0.0.0 80 0.0.0.0 80
You can refer to these articles for all the possible options in this scenario:
https://supportforums.cisco.com/document/49756/asapix-load-balancing-between-two-isp-options
https://supportforums.cisco.com/document/59986/loadbalancing-dual-isp-asa
Thanks and Regards,
Vibhor Amrodia
04-01-2015 07:10 AM
Thanks Vibhor,
Do I also need to add a router to my topology?
04-01-2015 10:05 AM
A router in front of your firewall would allow you to connect both ISPs to the router and have only one outside interface on the ASA.
Then you can use PBR on the router to direct traffic via whichever ISP you wanted, based on the source IP address of the device, i.e. you would translate your server to a specific IP and then send it down the Jeraisy link.
PBR can also distinguish by ports as well, which gives you more flexibility.
That said, I believe there is a release of code for the ASA due soon that will support PBR, and that would also solve your issue.
Perhaps Vibhor could provide some more details on that.
Jon
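The router-in-front design Jon describes, as an added Cisco IOS example (not configuration from the thread or from either poster). It assumes a router with both ISP links attached and a single ASA outside interface behind it. All addresses are constructed: the router-to-ASA link is 10.0.0.0/30, the server's translated public address is 203.0.113.10, ISP1's next hop is 198.51.100.1 and ISP2's (the Jeraisy link) is 192.0.2.1.

```cisco
! Added example, not from the thread. All addresses are constructed.
! The ASA keeps one outside interface and one default route pointing at
! 10.0.0.1; the router decides which ISP each flow leaves through.

! Default path for everything: ISP1.
ip route 0.0.0.0 0.0.0.0 198.51.100.1

! Match only packets sourced from the server's translated address. The ASA
! must static-NAT the server to 203.0.113.10, an address ISP2 routes back
! to this router, or replies will come in the wrong link.
ip access-list extended SERVER_VIA_ISP2
 permit ip host 203.0.113.10 any
! To steer only web traffic instead, narrow the match by port:
!  permit tcp host 203.0.113.10 any eq 80

! Policy: matching traffic goes to ISP2; anything that does not match
! falls through to the normal routing table (ISP1).
route-map ISP_SELECT permit 10
 match ip address SERVER_VIA_ISP2
 set ip next-hop 192.0.2.1

! PBR is applied on the interface where the packets arrive, i.e. the link
! facing the ASA's outside interface.
interface GigabitEthernet0/2
 description Link to ASA outside
 ip address 10.0.0.1 255.255.255.252
 ip policy route-map ISP_SELECT

! Verification: match counters on the route-map and the interfaces that
! have policy routing enabled.
show route-map ISP_SELECT
show ip policy
```

Source-based PBR like this only affects packets entering the router from the ASA; inbound connections from the Internet still arrive on whichever ISP advertises or owns the translated address, so the NAT address chosen on the ASA and the PBR next hop must belong to the same ISP.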