11-07-2006 12:18 PM - edited 03-09-2019 04:48 PM
hello all,
So here's what I have set up so far:
ASA with a connection to my router into port 0 and an ip address assigned from the router.
The ASA has a subinterface assigned to port 1 with a VLAN of 100 assigned to it.
The ASA has a security context with port 0 assigned as the outside interface and with port 1.100 assigned as the inside interface.
The security context described above is set up to dish out dhcp addresses from a private address space (192.168).
A Catalyst 3500 XL switch with port 24 set up for dot1q trunking and port 1 set up with access to VLAN 100.
Now, here's what I can do so far:
I can plug a machine into port 1 of the switch and get a dhcp address from the security context configured in the ASA, so I know my VLAN trunking is working.
I can ping the inside address of the security context from my machine.
From the ASA I can ping the outside address of the security context as well as the router the ASA is connected to.
And... here's what I can't do:
I can't ping the router the ASA is connected to (which has a routable address) from my machine (which has a private address assigned to it by the security context).
I cannot get to any web sites from my machine.
I'm assuming this all has to do with me not having any NAT rules or ACLs set up in my security context. I attempted to set them up but to no avail. Can anyone give me some suggestions as to how to get this working?
Thanks!
11-07-2006 02:57 PM
Typically a PIX or ASA will allow you access to all outside IP addresses without having to NAT them (outbound traffic) as long as you have either internal routable IP addresses or you have the following command in place, which NATs all outgoing packets to the external interface IP address:
global 0 (outside)
PAT is now configured
You could also present your entire internal (globally routable) network addresses by configuring the following command:
static (inside,outside)
The above command will allow outside addresses to reach internal addresses.
11-07-2006 03:49 PM
If you're on a private network, trying to ping a public network, you most likely need a couple of things:
1) make sure nat is correct
Something like:
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
do a clear xlate and then try to ping again.
2) Remember that ICMP is not stateful (unless you have 'inspect icmp' in a policy-map). So an echo-request will go from high to low (inside to outside) without an acl entry, but the reply coming back will get blocked unless there is an acl permitting it on the outside interface.
example:
access-list outside-test permit icmp any any eq echo-reply
access-group outside-test in interface outside
--Jason
Please rate this message if it helped resolve some or all of your issue.
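The two replies above (the PAT suggestion and Jason's nat/global plus ICMP notes) describe pieces of one context configuration. The following is an added example that is not from any post in this thread; it assumes ASA 7.x/8.0-era syntax (pre-8.3 NAT), a context whose interfaces are already named outside and inside, an inside pool of 192.168.1.0/24 (the thread only says "192.168"), and a placeholder upstream router address of 203.0.113.1 from the documentation range. The ICMP return path is shown both ways Jason mentions, with the static ACL and with inspect icmp, because they differ in what they let in.

```cisco
! Added example (not from the thread). Assumed: pre-8.3 ASA syntax, interfaces named
! outside/inside, inside pool 192.168.1.0/24, placeholder router 203.0.113.1.
!
! --- Dynamic PAT: every inside host leaves as the outside interface address ---
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! --- ICMP return path, option A: static ACL on the outside interface ---
! Permits echo-reply from any source, whether or not an inside host ever sent a
! request. Note that once an ACL is bound to outside, everything not listed in it
! is dropped by the implicit deny at the end.
access-list outside-test extended permit icmp any any echo-reply
access-group outside-test in interface outside
!
! --- ICMP return path, option B: let the firewall track ICMP ---
! With inspect icmp a reply is allowed only when it matches an echo-request still
! in the connection table, so option A's echo-reply entry is not needed and only
! solicited replies get through. (class-map is shown in case the context has no
! default inspection policy yet.)
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
!
! --- After changing NAT, drop stale translations so new ones are built ---
clear xlate
```

Option B is the tighter posture: an outside-interface ACL that admits any echo-reply stays open to unsolicited replies from anywhere, while inspect icmp ties each reply to a request that an inside host actually sent. If you use option A and later add more outside rules, remember the implicit deny applies to everything else arriving on that interface.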
11-08-2006 07:55 AM
Jason,
Thank you for your help, as your recommendations made it possible for me to ping my outside router on the other side of my ASA. However, now I have another question:
As I said, I can now ping the router on the outside of my ASA from a machine on the inside. However, I still cannot reach any websites on the internet. The router only allows a few IP addresses to access web content, but the IP assigned to the outside interface of my ASA is one of those addresses. If all of my private addresses are getting transformed to the outside interface IP address, shouldn't I be able to reach the internet?
Thanks again!
11-08-2006 01:56 PM
Ok,
Check routing - make sure you have a default route pointing to the router.
Check access-lists - make sure if you do have an access list on your inside interface, that it is allowing the traffic to go through.
Check to make sure that your firewall's interface IP address is allowed and that network is publicly routable and reachable from the internet.
--Jason
Please rate this message if it helped solve some or all of your issue!
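Jason's three checks (routing, an inside ACL, and the outside address being usable) each map to a command on the context. The following is an added example, not from any post here; it assumes the same context as before (interfaces named outside and inside, inside pool 192.168.1.0/24, placeholder upstream router 203.0.113.1) and an ACL name, inside-in, that is invented for the example.

```cisco
! Added example (not from the thread). Assumed: interfaces named outside/inside,
! inside pool 192.168.1.0/24, placeholder router 203.0.113.1, ACL name inside-in.
!
! 1) Routing: without a default route the context has nowhere to send Internet
!    traffic, even though the directly connected router still answers pings.
route outside 0.0.0.0 0.0.0.0 203.0.113.1
show route
!
! 2) Inside ACL: if one is bound to the inside interface it must permit the
!    outbound traffic you expect. Check what is bound first:
show access-group
! A minimal inside policy that allows DNS, web and the ping test from the earlier
! post, and nothing else (the implicit deny drops all other inside traffic):
access-list inside-in extended permit udp 192.168.1.0 255.255.255.0 any eq domain
access-list inside-in extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list inside-in extended permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list inside-in extended permit icmp 192.168.1.0 255.255.255.0 any echo
access-group inside-in in interface inside
show access-list inside-in
!
! 3) Translation: confirm inside hosts are being PATed to the outside interface
!    address, which is the address the upstream router has to allow.
show xlate
show nat
!
! 4) Reachability from the context itself through the outside interface
ping outside 203.0.113.1
```

The hit counts in show access-list and the entries in show xlate are the quickest way to see whether a web request is being dropped on the inside interface or translated correctly and then failing further upstream, which is where the router's allow list for the outside address comes in.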