11-08-2021 01:53 AM
Hello,
I am a student and I need help with a firewall connection.
I can ping 192.168.10.2 but I cannot ping 192.168.10.1.
How can I configure the firewall to connect it with a different subnet?
Thank you for your help.
Regards B.
11-08-2021 02:24 AM
It is just a guess as you don't provide any config:
The ASA needs a route to any remote destination. If you have a default route to the internet (on the left) and no other route, the ASA does not know that the 192.168.100.0 network is on the right. Add a static route for that network pointing to the next hop 192.168.10.2 and it could start working.
11-08-2021 08:43 AM
I do not understand.
11-08-2021 03:55 AM
Hello,
post the zipped Packet Tracer project (.pkt) file...
11-08-2021 08:45 AM
11-10-2021 12:21 AM
Hello
See attached revised PT file,
It seems that in Packet Tracer network address translation (NAT) doesn’t work, so I changed your static routing to accommodate connectivity from host to r2.
Lastly, I applied an access-list for external echo-reply to be allowed through the firewall.
11-28-2021 09:37 AM
Hello,
Thank you for the working connection, but I do not understand what you changed and where.
I will be very grateful for explanations.
I want to understand this, not just have a working solution.
Regards
Bogumił
11-28-2021 10:00 AM
Hello,
the easiest way to resolve this is probably to change the default inside route to a more specific route:
--> no route inside 0.0.0.0 0.0.0.0 192.168.10.2 1
--> route inside 192.168.100.0 255.255.255.0 192.168.10.2
11-28-2021 01:23 PM
Hello,
It does not help. Ping does not cross the firewall. I get the message: Destination host unreachable.
I do not know how to solve the problem.
Regards
Bogumił
11-28-2021 01:31 PM
Hello,
your original question was:
--> I can ping to 192.168.10.2 but I can not ping 192.168.10.1
From which source IP address can you not ping 192.168.10.1?
11-28-2021 01:39 PM
Ping from PC0 reaches IP 192.168.10.1.
I do not know why, but from the other side of the firewall (IP 192.168.1.2 and the rest) it returns: Destination host unreachable.
11-29-2021 01:17 AM
Hello
As stated, I changed the static routing you had to allow host to rtr communication and allowed ICMP echo (ping reply) to enter the ASA fw.
By default, ASA firewalls (like the majority of all firewalls) block traffic originating from a low security interface (such as a WAN/public interface) from entering the FW unless you allow it through, so any ping originating from within your network (behind the firewall) to a WAN host will be allowed; however, its return ping reply (echo reply) will be blocked.
You can allow this traffic by either enabling icmp inspection via its global inspection policy or use an access-list.
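
The two options named in the reply above, written out as ASA configuration. This is an added example, not part of the original post and not the contents of the attached PT file. It assumes the lower-security interface is named `outside`, that the stock `global_policy` and `inspection_default` objects exist, and uses a hypothetical ACL name `OUTSIDE_IN`.

```cisco
! Entered on the ASA in global configuration mode (configure terminal).
!
! Option A: stateful ICMP inspection.
! The ASA tracks each outgoing echo request and lets back in only the
! echo reply that matches it. No inbound ACL entry is needed.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Option B: access-list on the lower-security interface.
! This admits every echo-reply arriving on "outside", including
! unsolicited ones, so it is the broader of the two choices.
! OUTSIDE_IN is a hypothetical name; "outside" is an assumed nameif.
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-group OUTSIDE_IN in interface outside
!
! Verification after choosing one option:
show running-config policy-map
show access-list OUTSIDE_IN
```

Use one option, not both. Option A keeps the inbound policy closed to anything that is not a reply to an inside-initiated ping.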
11-29-2021 01:41 AM
Hello,
I am a beginner. I do not understand. I do not know what rtr communication is.
I need a step-by-step explanation. On which devices did you enter which commands?
Without this information I am not able to recreate your solution.
Regards
Bogumił