Enthusiast

Re: Cisco ASA 5510 don't allow access to the LAN services from r

check and post result of

show access-list inside_nat0_outbound

Beginner

Re: Cisco ASA 5510 don't allow access to the LAN services from r

OK, gimme a min!

Advocate

Re: Cisco ASA 5510 don't allow access to the LAN services from r

I don't think NAT exemption ACLs typically show a hitcount.

Enthusiast

Re: Cisco ASA 5510 don't allow access to the LAN services from r

Adam,

It does show packet hitcounts increasing. If you ping any host inside, you should see the hitcount increase by two: one for the echo packet and one for the echo reply packet.

Beginner

Re: Cisco ASA 5510 don't allow access to the LAN services from r

I did ping -t but the result is the same! :(

abc-fire(config)# show access-list inside_nat0_outbound

access-list inside_nat0_outbound; 1 elements

access-list inside_nat0_outbound line 1 extended permit ip 192.168.134.0 255.255.255.0 192.168.166.0 255.255.255.0 (hitcnt=0) 0x67872ef8

Beginner

Re: Cisco ASA 5510 don't allow access to the LAN services from r

abc-fire(config)# show access-list inside_nat0_outbound

access-list inside_nat0_outbound; 1 elements

access-list inside_nat0_outbound line 1 extended permit ip 192.168.134.0 255.255.255.0 192.168.166.0 255.255.255.128 (hitcnt=0) 0x65bde8b9

abc-fire(config)#

Oops! I dunno why this is happening. Just now I reset my ASA to factory defaults and did the configuration from the beginning, but that subnet mask is still there!!

Please advise!!

Beginner

Re: Cisco ASA 5510 don't allow access to the LAN services from r

again corrected,

abc-fire(config)# show access-list inside_nat0_outbound

access-list inside_nat0_outbound; 1 elements

access-list inside_nat0_outbound line 1 extended permit ip 192.168.134.0 255.255.255.0 192.168.166.0 255.255.255.0 (hitcnt=0) 0x67872ef8

Enthusiast

Re: Cisco ASA 5510 don't allow access to the LAN services from r

Did you connect the VPN client? Ping any host in the inside network and then check the hitcounts.

Enthusiast

Re: Cisco ASA 5510 don't allow access to the LAN services from r

Although this command is enabled by default, still enter it, then connect by VPN and try to ping a host in the inside network:

sysopt connection permit-vpn

Enthusiast

Re: Cisco ASA 5510 don't allow access to the LAN services from r

Your access-list still does not reflect the change. Also, why have you changed 192.168.134.0's subnet mask to 255.255.255.128??

Your access-list should look as follows:

access-list inside_nat0_outbound line 1 extended permit ip 192.168.134.0 255.255.255.0 192.168.166.0 255.255.255.0

Advocate

Re: Cisco ASA 5510 don't allow access to the LAN services from r

Let's back up here. There is no reason why you should not be able to assign a 255.255.255.128 mask to his inside interface and also use this mask for your local network in your nat exemption acl. Just be consistent.
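
An added example, not part of any post in this thread: a small Python check that parses `show access-list` output in the form posted above and compares the NAT exemption ACL's source network with the inside interface subnet. The interface address 192.168.134.1 and the function names are assumptions made for illustration; only the ACL output comes from the thread.

```python
import ipaddress
import re

# One entry of `show access-list` output, in the form posted in the thread.
ACE_RE = re.compile(
    r"access-list (?P<name>\S+) line (?P<line>\d+) extended permit ip "
    r"(?P<src>\S+) (?P<smask>\S+) (?P<dst>\S+) (?P<dmask>\S+)"
    r"(?: \(hitcnt=(?P<hits>\d+)\))?"
)

def parse_aces(output):
    """Parse ACEs into dicts; the 'NAME; N elements' header line is skipped."""
    return [{
        "line": int(m["line"]),
        "src": ipaddress.ip_network(f"{m['src']}/{m['smask']}"),
        "dst": ipaddress.ip_network(f"{m['dst']}/{m['dmask']}"),
        "hits": int(m["hits"]) if m["hits"] else None,
    } for m in ACE_RE.finditer(output)]

def check_source(aces, inside_addr, inside_mask):
    """Compare each ACE's source network with the inside interface subnet."""
    inside = ipaddress.ip_interface(f"{inside_addr}/{inside_mask}").network
    findings = []
    for ace in aces:
        src = ace["src"]
        if src == inside:
            verdict = "consistent"
        elif inside.subnet_of(src):
            verdict = "ACL source is wider than the interface subnet"
        elif src.subnet_of(inside):
            verdict = "ACL source covers only part of the interface subnet"
        else:
            verdict = "ACL source does not overlap the interface subnet"
        findings.append((ace["line"], str(src), str(inside), verdict))
    return findings

# ACL output as posted in the thread.
POSTED = """access-list inside_nat0_outbound; 1 elements
access-list inside_nat0_outbound line 1 extended permit ip 192.168.134.0 255.255.255.0 192.168.166.0 255.255.255.0 (hitcnt=0) 0x67872ef8
"""

if __name__ == "__main__":
    # Constructed interface address; the thread only mentions the mask.
    for f in check_source(parse_aces(POSTED), "192.168.134.1", "255.255.255.128"):
        print(f)
```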

Enthusiast

Re: Cisco ASA 5510 don't allow access to the LAN services from r

He did not show the interface IP subnet in the config, so I was assuming it to be /24 and not /25; also, he was using /24 in the original configuration for the nat 0 ACL. But now I have checked, and the interface IP address in the second config that he posted is indeed a /25 subnet.

Advocate

Re: Cisco ASA 5510 don't allow access to the LAN services from r

You're right, I would have made that assumption as well.

Beginner

Re: Cisco ASA 5510 don't allow access to the LAN services from r

What should I do now :( ???