939 Views · 0 Helpful · 6 Replies

Need ACL/NAT help with new router

tbeardsley22 (Level 1)

6 Replies

luis_cordova (VIP Alumni)

Hi @tbeardsley22 ,

You have to specify your problem.

Regards

Not sure what happened but original post didn't show.

tbeardsley22 (Level 1)

I have no clue what happened but none of it posted. Here's the post:

Hi everyone. First time posting as I'm just stuck. My router/firewall skills are weak at best so I'm hoping for some insight. We are coming from a Cisco 5510 to a Cisco 5508-X. Both are connected to the same downstream layer 3 switch. I cannot for the life of me get routing figured out. The Cisco 5508 attaches to a switch with a default gateway of 10.10.10.154, which is the inside interface of the old Cisco 5510. There is also a static route to the new Cisco 5508 (172.16.1.10) inside interface for a VLAN I'm trying to route. Config is below, but all I'm trying to do is get the 172.16.30.0 network to route out the public IP 68.133.87.40, which is part of a block on interface 1/1 on the Cisco 5508. What I have configured here doesn't allow any traffic to pass. Logs show TCP connect messages and then it ends with a SYN timeout after 30 seconds. So what am I doing wrong? Thanks for any help!

ASA Version 9.10(1)

interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 68.133.87.34 255.255.255.0
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 172.16.1.10 255.255.255.0

interface GigabitEthernet1/3
nameif DMZ1
security-level 75
ip address 192.168.2.1 255.255.255.0

no asdm history enable
arp timeout 14400
arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static CTX_VLAN30 CTX_Servers_Edge

object network obj_any
nat (any,outside) dynamic interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group pacs_access_in in interface DMZ1
route outside 0.0.0.0 0.0.0.0 68.133.87.1 1
route inside 172.16.30.0 255.255.255.0 172.16.1.11 1

Hello

Can you post what your ACLs look like?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Sure, here they are. Thanks for any help! The VLAN30 I'm trying to get to work is part of the object-group Inside_VLANS_Web_Allowed.


access-list inside_access_in extended permit ip object-group Inside_VLANs_Web_Allowed any
access-list inside_access_in extended deny ip object-group Inside_VLANs_Web_Denied any
access-list pacs_access_in extended permit ip object PACS_Proxy_Private object GE_PACS_Private
access-list pacs_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any object PACS_Proxy_Private object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any object CTX_VLAN30 object-group DM_INLINE_TCP_2
access-list outside_cryptomap_5 extended permit ip object-group Oppor_VPN_Hosts_Internal object-group Oppor_VPN_Hosts_External

object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https

And I mistyped: the inside interface of the old Cisco 5510 is 10.10.10.154. The new 5508 is 172.16.1.10.
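To tie the NAT and route lines from the first post together with the ACLs from the second, here is an added example configuration and verification sequence for ASA 9.x. It is not the poster's configuration and not from the thread: the object definitions for CTX_VLAN30 and CTX_Servers_Edge are assumptions (the thread never shows them), the membership of Inside_VLANs_Web_Allowed is assumed, and the test source 172.16.30.10 and destination 198.51.100.80 are constructed values. The example also generalizes from the thread's "source static" line to the dynamic PAT form, which is the standard way to put a whole /24 behind one public address.

```cisco
! --- Added example (assumed objects; the thread does not show these) ---
! Real (inside) network: VLAN 30
object network CTX_VLAN30
 subnet 172.16.30.0 255.255.255.0
! Mapped (outside) address taken from the public block on Gi1/1
object network CTX_Servers_Edge
 host 68.133.87.40
!
! A /24 of real hosts sharing one public address is a dynamic PAT. The
! "source static" form with a /24 real object and a single mapped host is
! accepted, but it is the many-to-one case Cisco's NAT guide lists as not
! recommended, so the dynamic form is shown here.
nat (inside,outside) source dynamic CTX_VLAN30 CTX_Servers_Edge
!
! Return route to VLAN 30 via the layer 3 switch, as posted in the thread
route inside 172.16.30.0 255.255.255.0 172.16.1.11 1
!
! Inside ACL as posted; VLAN 30 only matches the permit if it is a member
object-group network Inside_VLANs_Web_Allowed
 network-object object CTX_VLAN30
access-list inside_access_in extended permit ip object-group Inside_VLANs_Web_Allowed any
access-group inside_access_in in interface inside
!
! --- Verification (enable mode) ---
! 1. Confirm the unit knows how to reach both the real source and the destination
show route
! 2. Trace a constructed flow from VLAN 30 through ACL, NAT and route lookup.
!    172.16.30.10 and 198.51.100.80 (TEST-NET-2) are constructed test values.
packet-tracer input inside tcp 172.16.30.10 40000 198.51.100.80 80 detailed
! 3. With live traffic, confirm the translation and the connection actually build
show nat detail
show xlate | include 172.16.30
show conn address 172.16.30.10
! 4. If packet-tracer reports ALLOW but real connections still die on SYN timeout,
!    the suspect is the return path: the SYN-ACK has to arrive on this ASA's
!    outside interface and be routed to 172.16.1.11, not to the old 5510.
show logging | include 172.16.30.10
```

Read the packet-tracer output phase by phase: a DROP names the phase that rejected the packet (ACCESS-LIST, NAT or ROUTE-LOOKUP), which tells you which of the three pieces to fix; an ALLOW with a connection that still never gets past its initial SYN in `show conn` points at the return path rather than at this configuration, because a stateful ASA only builds the forward xlate and conn entries and then waits for the reply to come back through the same interface pair.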