Connecting Three Networks....

woodjl1650, Level 1

Seems like I spend more and more time in here (Cisco Forums)....

I was talking to a guy today who was trying to help me link my three networks together, so each is separate but able to talk to the others. Right now I have them all connected via my ASA, but I am not able to ping or talk to any of them. He mentioned that I could connect them all via a switch and then they should work.

I am new to this world, and having a hard time trying to figure out how to accomplish this.

Right now my network is as follows:

[Attached diagram: Home_Network_with_1_ASA(2).jpg]

Like I stated before, I want to keep each network separate, but I want to be able to access each device no matter what network I am on.

Please HELP!!!

I have extra equipment if needed (old but they work)... Cisco 3660, Cisco 2600, Cisco 2900XL, Netgear FS518

Thanks in advance...

39 Replies

ciscoasa# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 68.108.12.1 to network 0.0.0.0

C    68.108.12.0 255.255.255.0 is directly connected, outside
C    192.168.5.0 255.255.255.0 is directly connected, inside
S    192.168.1.0 255.255.255.0 [1/0] via 192.168.5.3, inside
S    192.168.2.0 255.255.255.0 [1/0] via 192.168.5.4, inside
S    192.168.3.0 255.255.255.0 [1/0] via 192.168.5.2, inside
S    0.0.0.0 255.255.255.0 [1/0] via 0.0.0.0, outside
d*   0.0.0.0 0.0.0.0 [1/0] via 68.108.12.1, outside
                     [1/0] via 68.108.9.1, outside

ciscoasa# sh arp
        inside 192.168.5.3 0886.3b20.29b1 56
        inside 192.168.5.2 687f.7442.dc30 140
        outside 68.108.9.1 0030.b8c1.2910 0
        outside 68.108.12.1 0030.b8c1.2910 8

ciscoasa# ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

ciscoasa# ping 192.168.5.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.5.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

So I can ping 192.168.5.3 from the ASA, but I can't ping the routers themselves (192.168.1.1, 192.168.3.1), nor can I access files and shares between the three networks.

Hi,

You received your default route from DHCP, so you can delete the static default you configured.

If the pings don't work, then traceroute and do the packet-tracer command I posted above.

Did you verify on the routers that the 5.0 addresses are correct, and which one has the 1.0, 2.0 and 3.0 networks? Otherwise you'll have to modify your static routes on the ASA.

Alain.

Don't forget to rate helpful posts.

For some reason I can't get the packet-tracer to work on the CLI, but in ASDM it is dropped due to the config implicit rule.

hi,

Can you ping 3.1 from 2.1? What is packet-tracer telling you for this?

Can you try with no nat-control?

Alain.

Don't forget to rate helpful posts.

NAT dropped it:

dynamic translation to pool 1 (no matching global)

ciscoasa# packet-tracer input inside icmp 192.168.1.1 22 22 192.168.3.1 detail$

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   192.168.3.0     255.255.255.0   inside

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xd7da7018, priority=3, domain=permit, deny=false

        hits=94, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xd7da8688, priority=0, domain=inspect-ip-options, deny=true

        hits=3580, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

  inspect icmp

service-policy global_policy global

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xd83dfff0, priority=70, domain=inspect-icmp, deny=false

        hits=28, user_data=0xd83dfe98, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xd7da8300, priority=66, domain=inspect-icmp-error, deny=false

        hits=219, user_data=0xd7da81e8, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6

Type: NAT

Subtype:

Result: DROP

Config:

nat (inside) 1 0.0.0.0 0.0.0.0

  match ip inside any inside any

    dynamic translation to pool 1 (No matching global)

    translate_hits = 95, untranslate_hits = 0

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xd53930d8, priority=1, domain=nat, deny=false

        hits=125, user_data=0xd5393018, cs_id=0x0, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Hi,

Have you tried disabling nat-control with no nat-control before doing the packet-tracer?

If so, then re-enable it and try again.

Regards.

Alain.

Don't forget to rate helpful posts.

No luck at all..... I have redone my setup to use only two routers.

Internet ---> ASA (192.168.1.1) ---> Belkin n750 (192.168.3.1) ---> internal devices
                                ---> WRT-310N (192.168.2.1) ---> internal devices

Like before my goal is to get both networks talking to each other.

Here is the running config as of right now:

ASA Version 8.4(1)

!

hostname ciscoasa

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

object network obj_any

subnet 0.0.0.0 0.0.0.0

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

!

object network obj_any

nat (inside,outside) dynamic interface

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

!

!

prompt hostname context

Cryptochecksum:e5b1dd8953c2a0ad36aec4a546a47d18

: end

Hi,

I think changing the device or topology, and here the ASA OS version, every time you get into trouble and the solution is not given fast enough won't help you comprehend things and will make our task more complicated. But it's your network anyway; I just wanted to give my point of view about the way you approach things.

Now you changed the ASA version, why that? The NAT operations are completely different from previous versions, and I don't think the version had anything to do with your problem.

You also changed the topology; it would be great to post your new topology diagram, it will be simpler to troubleshoot your configuration.

But I noticed you have no routes anymore in this config.

Regards.

Alain.

Don't forget to rate helpful posts.

I removed the third router because it was extra and not needed. The ASA software update, I thought, might help. Error on my end I guess.

Here is my updated diagram..... like before, I just want to be able to communicate between the two networks. Right now the internet is working on both, I just need to be able to access one from another.

Thanks for the help, and I promise no more changes unless directed to.......

Hi,

The IP addresses on your diagram do not correspond to your config: in the config, inside is 1.0, but in the diagram there is no such network.

You will also get the same problem, which is same-security traffic, which wasn't working.

I found interesting info in the Cisco configuration guide, and it seems you have to NAT traffic for same-security interfaces.

Here is the part:

NAT and Same Security Level Interfaces

NAT is not required between same security level interfaces even if you enable NAT control. You can optionally configure NAT if desired. However, if you configure dynamic NAT when NAT control is enabled, then NAT is required. See Chapter 27 "Configuring NAT Control," for more information. Also, when you specify a group of IP addresses for dynamic NAT or PAT on a same security interface, then you must perform NAT on that group of addresses when they access any lower or same security level interface (even when NAT control is not enabled). Traffic identified for static NAT is not affected.

This was surely your problem and it will still be in this topology. I thought no nat-control would have solved the problem, but Cisco says it does not.

So with older OS version you would have to do this:

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
global (inside) 1 interface

As I'm not used to the newer syntax I can't tell you for sure how to do it, but I think this should do it:

object network obj_any
nat (inside,inside) dynamic interface

Don't forget to add your routes for the subnets on the ASA, as there are none in your config.

Regards.

Alain.

Don't forget to rate helpful posts.

When I apply that I lose my connection to the internet. Also, what routes should I have?

ASA = 192.168.1.1

Router 1 = 192.168.3.1

Router 2 = 192.168.2.1

Thanks

Hi,

OK, so it is replacing the other NAT statement. I'm gonna look at the ASA config guide for NAT on 8.4 and tell you, but it would have been simpler to leave the old version.

Concerning routes: see my previous posts and adapt; in short, you must have a route for every subnet not connected that points to the next hop (the IP address, in the same subnet as the ASA, of the router which owns the subnet).

Regards.

Alain.

Don't forget to rate helpful posts.

Applied the routes, at least I think I did them right...

Router 1 = 192.168.3.1 connected to ASA port 0/1 -----> ASA IP 192.168.1.2

Router 2 = 192.168.2.1 connected to ASA port 0/2 -----> ASA IP 192.168.1.5

ASA = 192.168.1.1

ISP Default Gateway = 68.108.9.1

These are the routes I applied:

route outside 0.0.0.0 0.0.0.0 68.108.9.1 1
route inside 192.168.2.0 255.255.255.0 192.168.1.5 1

Here is the show route:

Gateway of last resort is 68.108.12.1 to network 0.0.0.0

C    68.108.12.0 255.255.255.0 is directly connected, outside
C    192.168.1.0 255.255.255.0 is directly connected, inside
S    192.168.2.0 255.255.255.0 [1/0] via 192.168.1.5, inside
d*   0.0.0.0 0.0.0.0 [1/0] via 68.108.12.1, outside
                     [1/0] via 68.108.9.1, outside

Current Config:

ASA Version 8.4(1)

!

hostname ciscoasa

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

object network obj_any

subnet 0.0.0.0 0.0.0.0

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

!

object network obj_any

nat (inside,outside) dynamic interface

route outside 0.0.0.0 0.0.0.0 68.108.9.1 1

route inside 192.168.2.0 255.255.255.0 192.168.1.5 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

!

!

prompt hostname context

Cryptochecksum:71d6ba76d5c5c74a6ad9b7403b8258ff

: end

Hi,

You forgot the route for 3.0: route inside 192.168.3.0 255.255.255.0 192.168.1.2

You already have a default route advertised by DHCP from the ISP:

d*   0.0.0.0 0.0.0.0 [1/0] via 68.108.12.1, outside
                     [1/0] via 68.108.9.1, outside

So here you're gonna do load balancing. I would remove the static default route you configured.

For the NAT on the same-security interface, try this:

same-security-traffic permit intra-interface
object network obj_inside
 subnet 192.168.1.0 255.255.255.0
 nat (inside,inside) dynamic interface

Regards.

Alain.


Don't forget to rate helpful posts.
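To make the two points Alain raised concrete (every non-connected subnet needs a static route to the router that owns it, and a dynamic NAT rule with no "global" on the egress interface drops hairpinned inside-to-inside traffic), here is an added Python model of the ASA decision as packet-tracer reported it. It is not ASA code and not from this thread's author; it uses the pre-8.3 nat/global syntax Alain quoted, and its route table is constructed from the final topology in the thread (inside 192.168.1.0/24, router 1 at 192.168.1.2 owning 192.168.3.0/24, router 2 at 192.168.1.5 owning 192.168.2.0/24).

```python
import ipaddress

# Constructed model (not ASA code) of the checks discussed in this thread: route lookup,
# dynamic NAT needing a "global" on the egress interface, and same-security hairpinning.
# Routes follow the final topology: inside 192.168.1.0/24, router 1 (192.168.3.0/24) at
# 192.168.1.2, router 2 (192.168.2.0/24) at 192.168.1.5, DHCP default route on outside.
ROUTES = [
    ("192.168.1.0/24", "inside", None),
    ("192.168.2.0/24", "inside", "192.168.1.5"),
    ("192.168.3.0/24", "inside", "192.168.1.2"),
    ("0.0.0.0/0", "outside", "68.108.12.1"),
]

def lookup_route(routes, dst):
    """Longest-prefix match over (prefix, interface, next_hop); returns (interface, next_hop)."""
    ip, best = ipaddress.ip_address(dst), None
    for prefix, iface, nh in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, nh)
    return (best[1], best[2]) if best else (None, None)

def asa_config(routes, intra_interface=False, inside_global=False):
    """Pre-8.3 style: 'nat (inside) 1 0 0' plus 'global (outside) 1 interface'; the two
    fixes from the thread (intra-interface permit, 'global (inside) 1 interface') toggle."""
    globals_ = {("outside", 1)} | ({("inside", 1)} if inside_global else set())
    return {"routes": routes, "intra_interface": intra_interface,
            "nat": [("inside", 1, "0.0.0.0/0")], "globals": globals_}

def trace(cfg, src, dst):
    """Mimic packet-tracer's verdict: returns (action, egress_interface, reason)."""
    in_if, _ = lookup_route(cfg["routes"], src)   # ASA also finds the ingress interface by route
    out_if, _ = lookup_route(cfg["routes"], dst)
    if out_if is None:
        return "drop", None, "no route to destination"
    for nat_if, pool, nat_net in cfg["nat"]:   # does a dynamic NAT rule match the source?
        if nat_if == in_if and ipaddress.ip_address(src) in ipaddress.ip_network(nat_net):
            if (out_if, pool) not in cfg["globals"]:   # the Phase 6 drop seen in the thread
                return "drop", out_if, f"dynamic translation to pool {pool} (no matching global)"
            break
    if in_if == out_if and not cfg["intra_interface"]:
        return "drop", out_if, "same-security-traffic permit intra-interface not configured"
    return "allow", out_if, "forwarded"
```

Running trace() with the 192.168.3.0/24 route removed shows the other failure mode from the thread: the hairpin traffic matches only the default route and is sent out to the ISP instead of to router 1.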