09-17-2019 08:09 AM - edited 09-17-2019 08:15 AM
Hello All,
We have an IR829GW router. I need to use it as a typical old-school NAT router, such that whatever devices are behind it use a NAT IP for the traffic going outbound (for Internet access). For now, we just want to give the devices behind it access to the Internet using PAT.
The GE0 (GigabitEthernet0) interface has the WAN/Internet uplink connection. Our NAT IP is 10.100.0.50, which I have assigned to this interface. All the internal devices are connected to a L2 switch that in turn is connected to the GigabitEthernet1 interface of this IR829. Please refer to the attached running config file for my current config.
If I assign my internal device an IP address out of the 192.168.5.0/24 block, it can ping the default gateway 192.168.5.1, which is the IP of the vlan1 interface, but nothing beyond that. I still can't get out to the Internet or ping anything external.
Also, I tried running the commands below to make GigabitEthernet1 part of VLAN 1 to see if this makes any difference, but these don't take effect or get saved despite doing a "wr mem".
interface GigabitEthernet1
 switchport access vlan 1
 switchport mode access
Can somebody please advise where I am going wrong? All I need is for my internal devices, which are in the 192.168.5.0/24 block (access-list 1), to be NATed while making any outbound requests using the GE0 interface IP address (10.100.0.50).
Thanks in advance.
09-18-2019 08:34 AM - edited 09-18-2019 11:33 AM
Hello
Okay, then obviously it's an ACL rule of some kind negating the reply.
What you could do is run the same test again, sourcing from the other active interfaces, and see which one is being allowed,
then cross-check that with the possible ACL rules in the ASA.
Edited:
Thanks for posting your ASA config. I was wondering why these two interfaces both have a security level of 0.
The LAN interface should, if possible, have the highest security level of any ASA interface, so it can reach all other security levels (DMZ or outside) without any access-lists.
The DMZ interface should have a security level between 0 and 100, so it can reach the outside interface without any access-lists but will require an ACL for it to reach the LAN interface.
Possible suggestion:
interface GigabitEthernet0/1
 description Inside LAN Network Default GW
 nameif inside
 security-level 100
interface GigabitEthernet0/4
 description DMZ Default GW interface
 nameif dmz
 security-level 50
access-list 100 remark allow DMZ to reach lan subnet
access-list 100 extended permit icmp any object Testbed-LAN-Network echo-reply
access-group 100 in interface dmz
09-17-2019 01:40 PM
Hello,
post the full configuration of the ASA...
09-18-2019 11:07 AM
Hello,
looking at your configuration, I have a feeling that something fundamental is not right. The ASA has several objects with IP addresses in the same range as the L3 link between your 829 and the interface the 829 is presumably connected to (GigabitEthernet0/1). What are these objects? Are they valid, or leftovers in the config and redundant?
interface GigabitEthernet0/1
description Inside LAN Network Default GW
nameif inside
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 10.100.0.1 255.255.255.0
object network LAN-AD01-DNS-Server
host 10.100.0.17
object network CRS-NAT-IP
host 10.100.0.20
description Robotics NAT IP
object network Veeam
host 10.100.0.10
description Veeam.lan.lab
Can you even ping 10.100.0.1 from the 829 with the source being interface GigabitEthernet0?
IR800#ping 10.100.0.1 source 10.100.0.50
09-19-2019 08:31 AM
Hello @Georg Pauwen @paul driver
We have resolved the issue. I thank you both for helping me troubleshoot.
It turned out that in my original running-config this line was incorrect: access-list 1 permit 192.168.5.0. It was missing the wildcard. Changing it to access-list 1 permit 192.168.5.0 0.0.0.255 resolved the issue.
The GigabitEthernet0 interface of the IR829 (IP: 10.100.0.50) and the IP of the inside interface of the ASA (10.100.0.1) are in the same subnet, so the communication had to work, and it had to be something really fundamental that I was overlooking.
Once again, thank you very much for all your help.
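The wildcard-mask point above, as an added example (not from the original thread or from Cisco): a small Python model of how IOS evaluates a standard ACL. With no wildcard given, IOS uses 0.0.0.0, so `access-list 1 permit 192.168.5.0` matches only the single host 192.168.5.0 and no LAN host is ever selected for translation; function and variable names are my own.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def parse_standard_acl(lines):
    """Parse IOS standard ACL lines into (action, address_int, wildcard_int).

    IOS semantics: a wildcard bit of 1 means "don't care". When the wildcard
    is omitted it defaults to 0.0.0.0, i.e. the entry matches exactly one host.
    """
    entries = []
    for line in lines:
        tok = line.split()
        # tok: ['access-list', '1', 'permit', '192.168.5.0', '0.0.0.255']
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            raise ValueError(f"not a standard ACL line: {line!r}")
        if tok[3] == "any":
            addr, wc = 0, ALL_ONES
        elif tok[3] == "host":
            addr, wc = int(ipaddress.IPv4Address(tok[4])), 0
        else:
            addr = int(ipaddress.IPv4Address(tok[3]))
            wc = int(ipaddress.IPv4Address(tok[4])) if len(tok) > 4 else 0
        entries.append((tok[2], addr, wc))
    return entries


def acl_permits(lines, src_ip):
    """First-match evaluation, with the implicit 'deny any' at the end."""
    ip = int(ipaddress.IPv4Address(src_ip))
    for action, addr, wc in parse_standard_acl(lines):
        care = ~wc & ALL_ONES          # bits the entry actually compares
        if ip & care == addr & care:
            return action == "permit"
    return False


def nat_candidates(lines, hosts):
    """Return the inside hosts that the NAT ACL would actually translate."""
    return [h for h in hosts if acl_permits(lines, h)]


# The two ACL versions from the thread (original, then corrected).
BROKEN_NAT_ACL = ["access-list 1 permit 192.168.5.0"]
FIXED_NAT_ACL = ["access-list 1 permit 192.168.5.0 0.0.0.255"]

if __name__ == "__main__":
    hosts = ["192.168.5.0", "192.168.5.10", "192.168.5.200", "192.168.6.10"]
    print("broken:", nat_candidates(BROKEN_NAT_ACL, hosts))
    print("fixed: ", nat_candidates(FIXED_NAT_ACL, hosts))
```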
09-19-2019 09:17 AM
Hello,
glad that you got it resolved. Odd though, as usually the router would not require a subnet mask for a classful network...
Either way, something to keep in mind next time something like this shows up...
09-20-2019 12:26 PM
Hello,
out of curiosity: you said the solution was to add a wildcard mask to the NAT access-list, but you marked a change to the default route as the solution. Which one was it (or were both changes necessary)?
09-20-2019 12:48 PM
Hello @Georg Pauwen, both changes were necessary. The change to the default route was the first helpful piece. Then I had to add the wildcard mask to eventually get it working. I thought it wouldn't make sense to mark my own solution as the answer.
I personally want to thank you as well for taking time to review my ASA config.
09-20-2019 01:30 PM
Hello,
thanks for the info. I was just curious as to what actually solved this. Glad that it is working now.