cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

1835
Views
0
Helpful
4
Replies
Jan Bar
Beginner

VLANs can't access Internet through ASA5505 firewall

Hi,

I'm doing project of network in Packet Tracer, but I encountered a problem with connection between vlans and Internet.

I have ASA5005, two layer 3 switches (3560, one for each building) and bunch of layer 2 switches (one for each floor of building).

I can ping Internet server (8.8.8.8) only from firewall and this layer 3 switch. Pings from anywhere else are denied (including second layer3 switch and all PCs regardless of vlan).

The last IP I can reach from PCs is interface on ASA (inside) - 192.168.0.1

Can you tell me where is the problem? I configured all ip routes, but seems like I did something wrong and ASA can't allow traffic.

I attached screen with part of the topology (above is second layer 3 switch for second building and some more layer 2 switches and PCs etc) and current configs of ASA, layer 3 switch and layer 2 switch.

Thanks in advance.

4 REPLIES 4
Joel
Beginner

On your ASA you have the following ACL:

access-list inside_to_internet extended permit tcp any any
access-list inside_to_internet extended permit icmp any any

It is applied to the outside interface not the inside interface
access-group inside_to_internet in interface outside

Once changed run packet-tracer on the ASA and make sure a flow from an inside address to 8.8.8.8 is working.

You mean I have to change "access-group inside_to_internet in interface outside" to "access-group inside_to_internet in interface inside"?

I don't think thats the case, because after that I can't even ping 8.8.8.8 from layer 3 switch, but I could earlier.

The ACL is applied to incoming requests on the outside interface. Not incoming requests from inside to outside. However, with security-levels set you should be able to route out from a more trusted interface. You will not have any ACL's applied.

I would run packet-tracer on the ASA, replace source IP with whatever address you feel relevent. Send over the output.

packet-tracer input inside icmp 192.168.2.5 8 8 8.8.8.

Can your nodes ping the inside address of the ASA? i.e. 192.168.0.1? Routing appears to be correct between the ASA and layer3 switch.

I'm afraid I can't use this command on ASA5505 in packet tracer.

FW#packet-tracer input inside icmp 192.168.2.5 8 8 8.8.8
            ^
% Invalid input detected at '^' marker.

FW#packet-tracer ?
% Unrecognized command

Yes, I can ping this interface literally from every PC.

I attach my PT project, could you look at it if you have PT installed? Note that not all PCs have correct IP, because DHCP is not configured, but some PCs have correct static IP assigned e.g. PC01 and PC33.

// I can't attach *.pkt file here, so here is link http://www78.zippyshare.com/v/V2GnzpBW/file.html

Create
Recognize Your Peers
Content for Community-Ad