06-26-2012 03:31 AM - edited 03-04-2019 04:47 PM
I have a LAN, 10.100.10.0, that accesses the internet through an ASA5505. The WAN IP is 203.86.x.21 255.255.255.248.
I tried to set up a static NAT from internal 10.100.10.7 to outside 203.86.x.19 and allow all traffic in and out. After the NAT rules were created, 10.100.10.7 cannot access the internet and cannot ping the WAN gateway 203.86.x.22.
When I ping 203.86.x.19 from the outside network, I can't see any log in the ASA.
Please help. Any idea?
I am using a similar configuration on another site's ASA5505, and it works normally; the only difference is the ASA and ASDM version.
Here I use ASA Version 8.2(1).
Thanks a lot
06-26-2012 07:39 AM
Hi,
Perhaps you can post the config here?
Regards,
06-26-2012 08:56 PM
Here is the config; I have already filtered some things out.
Thanks!!
: Saved
:
ASA Version 8.2(1)
!
names
name 10.100.10.0 LOffice
name 10.6.0.0 ServerFarm
dns-guard
!
interface Vlan1
nameif inside
security-level 50
ip address 10.110.10.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 1
ip address 203.86.x.21 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 2
!
interface Ethernet0/7
switchport access vlan 2
!
ftp mode passive
clock timezone HKST 8
dns domain-lookup inside
dns server-group DefaultDNS
retries 3
name-server 10.110.10.33
name-server 128.107.241.185
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_3
network-object host 10.110.10.48
network-object host 10.110.10.118
network-object host 10.110.10.39
network-object host 10.110.10.45
network-object host 10.110.10.56
object-group service DM_INLINE_TCP_1 tcp
port-object eq 3306
port-object eq www
port-object eq ssh
port-object eq ftp
port-object eq ftp-data
object-group service rdp tcp
port-object eq 3389
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
group-object rdp
object-group network DM_INLINE_NETWORK_4
network-object host 10.110.10.11
network-object host 10.110.10.5
network-object host 10.110.10.61
network-object host 10.110.10.65
network-object host 10.110.10.13
object-group network DM_INLINE_NETWORK_6
network-object host 10.110.10.71
network-object host 10.110.10.72
network-object host 10.110.10.73
network-object host 10.110.10.74
network-object host 10.110.10.75
network-object host 10.110.10.76
network-object host 203.86.x.21
object-group service DM_INLINE_TCPUDP_1 tcp-udp
port-object eq 1503
port-object eq 1720
port-object range 3230 3237
port-object eq 3603
port-object eq sip
object-group service DM_INLINE_TCP_3 tcp
port-object eq 8887
port-object eq 8888
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_8
network-object host 10.110.10.62
network-object host 10.10.5.11
network-object host 203.86.x.13
object-group network DM_INLINE_NETWORK_18
network-object TM2F 255.255.255.0
network-object TMPOLO 255.255.255.0
network-object TMOther 255.255.255.0
object-group service DM_INLINE_SERVICE_5
service-object ip
service-object tcp range 1 65535
service-object icmp
service-object udp range 1 65535
object-group network DM_INLINE_NETWORK_14
network-object ServerFarm 255.255.0.0
object-group network DM_INLINE_NETWORK_13
network-object host 203.86.x.20
network-object host 203.86.x.21
object-group service smtp587 tcp
port-object eq 587
object-group network DM_INLINE_NETWORK_16
network-object ServerFarm 255.255.0.0
network-object LOffice 255.255.255.0
object-group service DM_INLINE_SERVICE_7
service-object ip
service-object tcp eq 3389
service-object tcp-udp eq domain
service-object tcp eq 3128
service-object tcp eq www
service-object tcp eq https
service-object tcp eq imap4
service-object tcp eq pop3
service-object tcp eq smtp
service-object tcp eq 587
service-object tcp eq 1433
service-object tcp eq 3306
service-object tcp eq 445
service-object tcp eq netbios-ssn
service-object tcp eq 5800
service-object tcp eq 5900
service-object tcp-udp eq 3306
object-group service DM_INLINE_SERVICE_8
service-object icmp
service-object icmp echo-reply
service-object tcp-udp eq echo
service-object tcp eq 3128
service-object tcp eq ftp
service-object tcp eq www
service-object tcp eq https
service-object tcp-udp eq domain
service-object tcp eq telnet
service-object tcp eq 8800
service-object tcp eq 993
service-object tcp eq imap4
service-object tcp eq 587
service-object tcp eq 3389
service-object tcp eq smtp
service-object tcp eq 3306
object-group service DM_INLINE_SERVICE_9
service-object icmp
service-object icmp6
service-object tcp eq www
service-object tcp eq https
object-group network DM_INLINE_NETWORK_22
network-object LOffice 255.255.255.0
network-object host 203.86.x.21
object-group service DM_INLINE_TCP_8 tcp
port-object eq www
port-object eq https
port-object eq telnet
object-group service DM_INLINE_SERVICE_10
service-object ip
service-object tcp range 1 65535
service-object udp range 1 65535
object-group service DM_INLINE_SERVICE_11
service-object ip
service-object tcp-udp range 1 65535
object-group network DM_INLINE_NETWORK_12
network-object host 10.110.10.63
network-object host 10.110.10.65
network-object host 10.110.10.60
object-group network DM_INLINE_NETWORK_23
network-object LOffice 255.255.255.0
network-object ServerFarm 255.255.0.0
object-group network DM_INLINE_NETWORK_25
network-object host 10.110.10.221
network-object host 203.86.x.21
object-group network DM_INLINE_NETWORK_28
network-object host 10.110.10.221
network-object host 203.86.x.21
object-group network DM_INLINE_NETWORK_31
network-object host 10.110.10.221
network-object host 203.86.x.21
object-group network DM_INLINE_NETWORK_11
network-object LOffice 255.255.255.0
network-object 10.110.10.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object LOffice 255.255.255.0
network-object 10.110.10.0 255.255.255.0
object-group network DM_INLINE_NETWORK_15
network-object host 10.110.10.13
network-object host 10.110.10.212
network-object host 203.86.x.21
object-group service DM_INLINE_TCP_5 tcp
port-object range 25558 25559
port-object eq 29009
object-group network DM_INLINE_NETWORK_5
network-object LOffice 255.255.255.0
network-object host 10.110.20.91
object-group network DM_INLINE_NETWORK_7
network-object LOffice 255.255.255.0
network-object host 10.110.20.91
object-group service DM_INLINE_TCP_4 tcp
port-object eq 55000
port-object eq 9000
port-object range 9100 9500
object-group service DM_INLINE_SERVICE_3
service-object ip
service-object tcp eq ftp
object-group network DM_INLINE_NETWORK_21
network-object LOffice 255.255.255.0
network-object 203.86.x.16 255.255.255.248
object-group network DM_INLINE_NETWORK_1
network-object host 10.110.10.7
network-object host 203.86.x.19
object-group network DM_INLINE_NETWORK_10
network-object LOffice 255.255.255.0
network-object ServerFarm 255.255.0.0
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object icmp
service-object icmp echo
service-object icmp echo-reply
service-object tcp eq www
service-object tcp eq https
object-group network DM_INLINE_NETWORK_9
network-object host 10.110.10.7
network-object host 203.86.x.19
object-group service DM_INLINE_TCP_6 tcp
port-object range 29010 29011
port-object eq 29090
object-group network DM_INLINE_NETWORK_17
network-object host 203.86.x.19
network-object host 203.86.x.20
access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 any
access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_11 object-group DM_INLINE_NETWORK_2
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_7 object-group DM_INLINE_NETWORK_23 object-group DM_INLINE_NETWORK_16
access-list inside_access_in remark Polo FTP
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_3 host 10.110.10.28 any
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_10 host 10.110.10.33 any
access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_12 any
access-list inside_access_in extended permit tcp LOffice 255.255.255.0 host 10.110.10.12 object-group DM_INLINE_TCP_8
access-list inside_access_in extended permit object-group TCPUDP host 10.110.10.221 any eq 3306
access-list inside_access_in extended permit ip host 10.110.10.221 any
access-list inside_access_in extended permit object-group TCPUDP any object-group DM_INLINE_NETWORK_25 eq 3306 inactive
access-list inside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_31 range 1 65535 inactive
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_8 LOffice 255.255.255.0 any
access-list inside_access_in extended permit ip LOffice 255.255.255.0 any
access-list outside_access_in extended permit ip any object-group DM_INLINE_NETWORK_17
access-list outside_access_in extended permit ip host 203.86.x.20 any
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object-group DM_INLINE_NETWORK_9
access-list outside_access_in extended permit ip host 203.86.x.19 any
access-list outside_access_in extended permit object-group TCPUDP any object-group DM_INLINE_NETWORK_28 eq 3306
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_15 object-group DM_INLINE_TCP_6
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_11 any host 10.110.10.33
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_9 any object-group DM_INLINE_NETWORK_22
access-list outside_access_in remark NOD Server
access-list outside_access_in extended permit tcp any host 10.110.10.9 eq 8888 log disable
access-list outside_access_in remark Booking
access-list outside_access_in extended permit tcp any host 203.86.x.21 object-group DM_INLINE_TCP_1
access-list outside_access_in remark BWDB
access-list outside_access_in extended permit tcp any host 203.86.x.21 object-group DM_INLINE_TCP_2
access-list outside_access_in remark Printer
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_3 range 9100 9102
access-list outside_access_in remark Polo FTP
access-list outside_access_in extended permit ip host 77.93.255.102 any
access-list outside_access_in remark Garek RDP
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_4 object-group rdp
access-list outside_access_in remark NOD32
access-list outside_access_in extended permit tcp any host 10.110.10.17 object-group DM_INLINE_TCP_3
access-list outside_access_in remark PVX
access-list outside_access_in extended permit object-group TCPUDP any host 10.110.10.64 object-group DM_INLINE_TCPUDP_1
access-list outside_access_in remark IPCAM
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_6 range 20001 20010
access-list outside_access_in remark Licence for RMC
access-list outside_access_in extended permit tcp any host 10.110.10.18 object-group rdp
access-list outside_access_in remark Alex
access-list outside_access_in extended permit tcp any host 203.86.x.21 object-group DM_INLINE_TCP_5
access-list outside_access_in remark Alex
access-list outside_access_in extended permit tcp any LOffice 255.255.255.0 object-group rdp
access-list outside_access_in remark Alex
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_14 object-group rdp
access-list outside_access_in remark Alex
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_13 object-group rdp
access-list outside_access_in remark PABX
access-list outside_access_in extended permit object-group TCPUDP any host 10.110.10.239 eq 20000
access-list outside_access_in remark Client01 RDP
access-list outside_access_in extended permit object-group TCPUDP any any range 29001 29020
access-list outside_access_in extended permit tcp ServerFarm 255.255.0.0 host 10.110.10.18 eq 20000
access-list outside_access_in remark Alex
access-list inside_nat0_outbound extended permit ip LOffice 255.255.255.0 object-group DM_INLINE_NETWORK_10
access-list inside_nat0_outbound extended permit ip host 10.110.10.63 host 203.86.x.19
access-list outside_cryptomap_1 extended permit ip LOffice 255.255.255.0 10.110.30.0 255.255.255.0
access-list outside_cryptomap_3 extended permit ip LOffice 255.255.255.0 ServerFarm 255.255.0.0
access-list outside_cryptomap_2 extended permit ip LOffice 255.255.255.0 AirportOffice 255.255.255.0
access-list outside_cryptomap_4 extended permit ip LOffice 255.255.255.0 object-group DM_INLINE_NETWORK_18
access-list Wanbackup_access_in extended permit object-group DM_INLINE_SERVICE_5 any any inactive
access-list outside_cryptomap_5 extended permit ip LOffice 255.255.255.0 10.100.0.0 255.255.255.0
access-list outside_cryptomap_6 extended permit ip LOffice 255.255.255.0 10.100.20.0 255.255.255.0
access-list outside_cryptomap_7 extended permit ip LOffice 255.255.255.0 10.100.30.0 255.255.255.0
access-list global_mpc remark SunAcc
access-list global_mpc extended permit tcp object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_7 object-group DM_INLINE_TCP_4
access-list outside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_21 LOffice 255.255.255.0
access-list outside_cryptomap_9 extended permit ip LOffice 255.255.255.0 10.110.20.0 255.255.255.0
access-list outside_cryptomap extended permit ip LOffice 255.255.255.0 10.110.40.0 255.255.255.0
access-list outside_cryptomap_10 extended permit ip LOffice 255.255.255.0 10.10.103.0 255.255.255.0
access-list global_mpc_1 extended permit ip host 10.110.10.178 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface outside
ip audit attack action alarm drop
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm history enable
arp timeout 14400
global (inside) 2 10.110.10.1-10.110.10.253 netmask 255.255.255.0
global (inside) 1 LOffice netmask 255.255.255.0
global (outside) 2 203.86.x.19-203.86.x.20 netmask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 LOffice 255.255.255.0 dns
static (inside,outside) 203.86.x.20 10.10.110.60 netmask 255.255.255.255
static (outside,inside) 10.10.110.60 203.86.x.20 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 203.86.x.22 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http server idle-timeout 5
http LOffice 255.255.255.0 inside
http 203.86.x.21 255.255.255.255 outside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
fragment timeout 20 inside
sysopt noproxyarp inside
sysopt noproxyarp outside
service resetinbound interface inside
service resetinbound interface outside
no service resetoutbound interface inside
no service resetoutbound interface outside
: end
06-27-2012 06:12 PM
I solved the problem by enabling proxy ARP on the outside interface, but can anyone tell me why?
Thanks!
06-27-2012 06:42 PM
Double check your subnet masks...
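The two things the thread ends on, proxy ARP being disabled on the outside interface (the posted config carries sysopt noproxyarp outside, so the ASA never answers the upstream gateway's ARP for a mapped address such as 203.86.x.19 and no packet ever reaches it, which is why nothing is logged) and the subnet masks in the global pool versus the /29 on the interface, can be checked mechanically. The lint below is an added example, not the poster's config or any Cisco tool; the sample config and the 203.0.113.0/29 addresses are constructed to mirror the shape of the posted one, and the pool-mask comparison is a heuristic.

```python
import ipaddress
import re

# Constructed sample in the shape of the thread's config (203.0.113.0/29 stands in
# for the real block; addresses are illustrative, not the poster's).
SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
 ip address 203.0.113.21 255.255.255.248
global (outside) 2 203.0.113.19-203.0.113.20 netmask 255.255.255.0
global (outside) 1 interface
static (inside,outside) 203.0.113.20 10.10.110.60 netmask 255.255.255.255
sysopt noproxyarp outside
"""
# Same config with proxy ARP re-enabled and the pool mask matching the interface.
FIXED_CONFIG = SAMPLE_CONFIG.replace("sysopt noproxyarp outside\n", "").replace(
    "netmask 255.255.255.0\n", "netmask 255.255.255.248\n")

def parse(cfg):
    """Collect interfaces, noproxyarp settings, static NATs and global pools."""
    ifaces, noproxy, statics, pools, cur = {}, set(), [], [], None
    for line in (l.strip() for l in cfg.splitlines()):
        if line.startswith("interface "):
            cur = {}
        elif line.startswith("nameif ") and cur is not None:
            ifaces[line.split()[1]] = cur
        elif line.startswith("ip address ") and cur is not None:
            ip, mask = line.split()[2:4]
            cur["ip"] = ipaddress.ip_address(ip)
            cur["net"] = ipaddress.ip_interface(f"{ip}/{mask}").network
        elif line.startswith("sysopt noproxyarp "):
            noproxy.add(line.split()[2])
        else:
            m = re.match(r"static \((\w+),(\w+)\) (\S+) (\S+)", line)
            if m:  # static (real_ifc,mapped_ifc) mapped_ip real_ip
                statics.append((m.group(2), ipaddress.ip_address(m.group(3))))
            m = re.match(r"global \((\w+)\) \d+ (\S+) netmask (\S+)", line)
            if m:  # 'global (x) n interface' carries no netmask and is skipped
                pools.append((m.group(1), m.group(2), m.group(3)))
    return ifaces, noproxy, statics, pools

def findings(cfg):
    """Return human-readable warnings; an empty list means nothing was flagged."""
    ifaces, noproxy, statics, pools = parse(cfg)
    out = []
    for ifc, mapped in statics:
        i = ifaces[ifc]
        # A mapped address inside the interface subnet (other than the interface's
        # own IP) only receives traffic if the ASA answers ARP for it there.
        if mapped in i["net"] and mapped != i["ip"] and ifc in noproxy:
            out.append(f"static {mapped}: proxy ARP disabled on {ifc}, upstream cannot resolve it")
    for ifc, rng, mask in pools:
        if mask != str(ifaces[ifc]["net"].netmask):
            out.append(f"global pool {rng}: netmask {mask} differs from {ifc} mask {ifaces[ifc]['net'].netmask}")
    return out
```

Running findings() on SAMPLE_CONFIG reports both problems; on FIXED_CONFIG it returns an empty list.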