cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2790
Views
30
Helpful
12
Replies

ASA NAT PROBLEM PACKET TRACER

lfernandesc
Level 1
Level 1

err..JPG

 

 

Hi,

I'm having trouble setting up my network. I can't get the 2 points to communicate. Could anyone help?

I have a point-to-point link with the other office, the machines communicate internally, and can reach the internal ASA vlan, but from there they cannot connect. Both sides are equal.

 

 

 

12 Replies 12

TJ-20933766
Spotlight
Spotlight

Attached is your topology. The WAN link between the two ASA's needed some rework with the IP addresses on every router and ASA interface along with all the static routes. The issue mainly was the subnet mask. Each interface was in it's own subnet instead of directly connected interfaces sharing a common subnet.

I was able to ping from one ASA to the the other. Please let me know if that was what you were looking to accomplish and if you need further help.

Tyson,

Now the firewall communicates with the other, but I cannot ping the laptops. I need the internal networks in each office to communicate with each other.

 

Could you check for me?

Hello,

 

I saw that somebody else already answered. All your static routing and IP addressing starting from the switches to the firewalls and the routers is wrong. I have attached a file where I tried to fix as much as possible, there still is no end to end connectivity, but maybe you can figure out the rest yourself.

Hello,

 

there is a flaw in the ASAs in Packet Tracer that keeps not directly connected networks from being translated. The trick is to change the source to include the entire class A network, to change the IP address on the interface on the ASA that connects to the switch with a /8 mask, and to enable 'ip proxy-arp' on the interface on the switch connecting to the firewall.

 

Attached the working file with end to end connectivity. You might have to wait for a while for everything to converge.

ping.JPG

 

Friend,

I tried to ping a laptop from the Rio de Janeiro office to the São Paulo office but it didn't work.

I made a tracert for the routers, and one machine arrives and the other does not.

What would it be in this case?

Hello,

 

I made some more adjustments and basically made both sides identical. File attached. 

ping.2.JPG

 

Friend,

Thanks for your help, it's been instrumental to me.

See below, I can communicate with each office's firewall, but I can't get the internal machines to communicate. The idea would be for the internal machines of the offices to communicate for file sharing.

@Georg PauwenIs this actually "end-to-end connectivity" since a laptop at Sao Pauo cannot ping a laptop at Rio de Janeiro? I attempted (and have failed thus far) to create a site-to-site IPSec VPN tunnel between the ASAs. The main issue I have is that there is not way to create a manual NAT rule to exclude the the traffic going between sites. Have you found a solution for that in the Packet Tracer world?

@TJ-20933766

 

I actually had end to end connectivity with the subnet/ip proxy-arp 'trick' configured one one side, with one ASA, but as soon as I configured the other side identically, everything went haywire, and all connectivity stopped.

 

I don't think it works with two ASAs doing NAT. Packet Tracer has quite a few flaws, that is one of them.

Friend,

What can be done for this type of problem?

It seems that all you can do in Packet Tracer (considering all it's limitations) is to remove NAT from the ASAs and create an access list allowing ICMP from any IP address on the outside zone to any IP address on the inside zone. This really takes away from the realism in the simulation but Packet Tracer is limited. You might consider Cisco Modeling Labs (formerly known as Virl). A free alternative is GNS3 but you have to acquire the router/switch/firewall software which may be difficult.

@Georg PauwenGood find about that NAT issue. I was really scratching my head as to why I couldn't NAT any of the subnets through the ASAs