Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1880
Views
10
Helpful
4
Replies

Not able to ping 8.8.8.8 and internal host no access to web server

hakim17
Level 1
Level 1

‎01-10-2023 06:30 AM

I have internal network on 192.168.10.0/24 on different VLANs.

Web server on 192.168.10.6

There's ASA firewall between internal host and web server

Problem:
R1 is not able to ping 8.8.8.8
Internal host is not able to ping 192.168.10.6

 

Preview file
9 KB
Preview file
9 KB
Preview file
3 KB
Preview file
11 KB
Preview file
12 KB
Preview file
7 KB
Preview file
37 KB
4 Replies 4

Shambhu-Kumar
Cisco Employee
Cisco Employee

‎01-11-2023 11:58 AM

Hello Hakim17,

access list is missing , please add
access-list 1 permit 192.168.10.0 0.0.0.255, this will ping 8.8.8.8 from R1 with source 192.168.10.1


Why there is same IP address in
R1 - GigabitEthernet0/0 172.27.47.25 255.255.255.248
ASA FW - GigabitEthernet0/0 172.27.47.25 255.255.255.248

could you clarify, is R1 GigabitEthernet0/1, connected to ASA FW GigabitEthernet0/1
What is the gateway of Webserver?
where is the routing for 192.168.10.6

Georg Pauwen
VIP
VIP

‎01-11-2023 12:06 PM

Hello,

in addition to the missing access list mentioned by @Shambhu-Kumar , this does not look right either:

interface GigabitEthernet0/1
description - INTERNAL -
--> ip address 192.168.10.1 255.255.255.252
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto

Make sure the mask is correct (probably 255.255.255.0)

0 Helpful

MHM Cisco World
VIP
VIP

‎01-11-2023 12:07 PM 

nat (inside,outside) source static internal_network internal_network destination static all_network all_network

what is this  NAT !!
internal network no-NAT if the traffic go to 0.0.0.0 ?
I dont get this no-NAT

0 Helpful

paul driver
VIP
VIP

‎01-12-2023 03:36 AM

Hello

You have multiple configuration errors.

Rtr
On the rtr you have acl applied negating traffic that need to be allowed and doesnt have any route for 192.168.10.8/29 residning on the ASA

interface GigabitEthernet0/0
no ip access-group ACL_Outside2Inside in
ip unreachables

ip nat inside source list 1 interface GigabitEthernet0/0 overload
no ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
no ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 172.27.47.x

access-list 100 permit ip 192.168.10.8 0.0.0.7 any
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip route 192.168.10.8 255.255.255.248 GigabitEthernet0/1 192.168.10.2



ASA
Looks like conflicting manual/auto nat statements, and given your topology it seems you may only require section 3 (After-auto) nat to work, plus the static inside route is incorrect.

no nat (inside,outside) source static internal_network internal_network destination static all_network all_network
no route inside 192.168.10.0 255.255.255.0 192.168.10.10
route inside 192.168.10.8 255.255.255.248 192.168.10.10


policy-map global_policy
class inspection_default
inspect icmp


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful
Customers Also Viewed These Support Documents