TCP not working. ICMP and DNS working.

Spaceman73 (Level 1)

Hi,

 

I'm hoping someone can help me out a little here.

This started out as a little bit of a lockdown project that I didn't have time to do until now.

 

First, the setup:

Standard home broadband router with Wi-Fi (Netgear), which has the network 192.168.0.0/24. I really want to leave this alone as the family connect to it for entertainment etc.
--------------------------------------------------
The broadband router connects to a Cisco 1941 router. Cisco Router has IP NAT configured to get traffic through the broadband router.

interface GigabitEthernet0/0
ip address 192.168.0.2 255.255.255.0
ip nat outside
ip virtual-reassembly in
no ip route-cache
duplex auto
speed auto
end

interface GigabitEthernet0/1
ip address 192.168.10.1 255.255.255.128
ip nat inside
ip virtual-reassembly in
no ip route-cache
duplex auto
speed auto

 

access-list 7 permit 192.168.0.0 0.0.255.255

 

ip nat pool no-overload 192.168.0.101 192.168.0.150 prefix-length 24
ip nat inside source list 7 pool no-overload

 

------------------------------------------------
Cisco router connects to VLAN 5 on a Cisco 2960
interface GigabitEthernet1/0/1
description LINKTORTR0/0/0
switchport access vlan 5
switchport mode access
spanning-tree portfast

 

interface Vlan5
description **192.168.10.0/25**
ip address 192.168.10.2 255.255.255.128
ip helper-address 192.168.10.2
no ip route-cache cef
no ip route-cache

 

Any device connected to the switch on vlan 5 can access the Internet (Currently connected and writing this)

----------------------------------------------
An ASA 5525x is connected to VLAN 20 (the outside interface is connected to VLAN 5)

 

Switch configuration to the firewall OUTSIDE interface is configured as:

interface GigabitEthernet1/0/2
description EXT-ASA5516x
switchport access vlan 5
switchport mode access
spanning-tree portfast

 

Firewall outside interface is:
interface GigabitEthernet0/0
nameif Internet
security-level 0
ip address 192.168.10.10 255.255.255.128

 

The inside interface is connected to VLAN 20 with an IP of 192.168.20.66

 

Switch configuration to the firewall inside interface is configured as:

interface GigabitEthernet1/0/24
description INT-ASA5516x
switchport access vlan 20
switchport mode access
spanning-tree portfast

 

The firewall Inside interface is

interface GigabitEthernet0/7
nameif inside
security-level 100
ip address 192.168.20.66 255.255.255.240

 

The switch VLAN20 is:
interface Vlan20
ip address 192.168.20.65 255.255.255.240
ip helper-address 192.168.20.66
ip directed-broadcast
no ip route-cache cef
no ip route-cache

Completely wide-open ACLs apply at this point, and inspect allows ICMP and DNS.
-------------------------------------------------

So, a client connected to the switch on VLAN 20 gets its DHCP from the ASA.
IP:192.168.20.67
SM: 255.255.255.240
DG: 192.168.20.66

DNS lookup works a treat:

Default Server: resolver1.opendns.com
Address: 208.67.222.222

> www.bbc.co.uk
Server: resolver1.opendns.com
Address: 208.67.222.222

Non-authoritative answer:
Name: www.bbc.net.uk
Addresses: 212.58.233.251
212.58.237.251
Aliases: www.bbc.co.uk

 

ICMP also works fine all the way to Google.

 

However (!) TCP in general doesn't seem to be working. No HTTP, SSL etc.

 

What I'm seeing in the logs doesn't make a lot of sense to me:

I'm seeing this on occasion:
Apr 24 2020 15:09:12: %ASA-6-106015: Deny TCP (no connection) from 192.168.20.67/63650 to 40.122.160.14/443 flags RST on interface inside

 

and I'm seeing these:
Apr 24 2020 15:09:11: %ASA-6-106100: access-list inside-in permitted tcp inside/192.168.20.67(62609) -> Internet/40.122.160.14(443) hit-cnt 8 300-second interval [0x503914ad, 0x00000000]
Apr 24 2020 15:09:11: %ASA-6-106100: access-list internet-out permitted tcp inside/192.168.20.67(62609) -> Internet/40.122.160.14(443) hit-cnt 4 300-second interval [0x79a467e6, 0x00000000]

--------------------------------------------------------------

So now the question: What have I done wrong? or what have I missed?
I've spent a couple of days on this now and am probably too close to the trees to see the woods.

Could someone point my way out of the woods please?

Thanks in advance

 


22 Replies

Hello,

 

can you replace:

 

ip nat pool no-overload 192.168.0.101 192.168.0.150 prefix-length 24
ip nat inside source list 7 pool no-overload

 

with just 

 

ip nat inside source list 7 interface GigabitEthernet0/0 overload

 

on the router ?

 

I have a feeling the problem is with the config of the ASA, can you post that config ?

I don't think that changing from address translation using a pool and not overloading to address translation overloading on the outside interface is going to relate to problems with TCP on the ASA. I do agree that it sounds like an issue on the ASA, and seeing the config would be helpful. I am wondering if there is an ACL permitting DNS and ICMP but not including TCP? Or a translate for DNS and ICMP but not for TCP.

HTH

Rick

Hi,

 

Thanks for the reply.

 

The ACLs are wide open, and I don't have NAT set up on the ASA.

HomeFW1#
HomeFW1# sh run access-list
access-list internet-out extended permit ip any4 any4 log
access-list inside-in extended permit ip any any log
HomeFW1# sh run nat
HomeFW1#

The inspect maps are set up for ICMP and DNS.

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 4096
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp

 

 

Thanks for the additional information. Agree that access lists are not an issue. If address translation is not configured on ASA am I correct in assuming that traffic from ASA is translated on your Cisco router? If so would you attempt a tcp connection from a device connected to ASA, and then show the translate table from your Cisco router and post it, also post the log messages generated on ASA when you tested tcp. What are you using to test tcp on device connected to ASA?

HTH

Rick

Hi,

 

Apologies for not making the NAT bit clear but yes, the Cisco router is running NAT.

I can see translations for my client behind the firewall, and I can see the firewall logs showing hits on the ACLs (see below).

 

As for TCP testing, I'm just trying to open up a browser to any website (HTTPS), or an SSH session to an external target. I'm then checking the logs.

 

HomeRTR1#sh ip nat trans | i 192.168.20.67
udp 192.168.0.2:49195 192.168.20.67:49195 208.67.220.220:53 208.67.220.220:53
udp 192.168.0.2:49195 192.168.20.67:49195 208.67.222.222:53 208.67.222.222:53
tcp 192.168.0.2:51568 192.168.20.67:51568 13.107.43.12:443 13.107.43.12:443
tcp 192.168.0.2:51578 192.168.20.67:51578 52.114.133.61:443 52.114.133.61:443
tcp 192.168.0.2:51579 192.168.20.67:51579 52.114.133.61:443 52.114.133.61:443
tcp 192.168.0.2:51580 192.168.20.67:51580 52.114.133.61:443 52.114.133.61:443
tcp 192.168.0.2:51590 192.168.20.67:51590 84.39.157.9:80 84.39.157.9:80
tcp 192.168.0.2:51596 192.168.20.67:51596 38.132.116.195:443 38.132.116.195:443
tcp 192.168.0.2:51601 192.168.20.67:51601 52.114.133.61:443 52.114.133.61:443
tcp 192.168.0.2:51602 192.168.20.67:51602 52.114.133.61:443 52.114.133.61:443
tcp 192.168.0.2:51608 192.168.20.67:51608 45.87.212.67:443 45.87.212.67:443
tcp 192.168.0.2:51609 192.168.20.67:51609 185.156.173.179:443 185.156.173.179:443
tcp 192.168.0.2:51610 192.168.20.67:51610 212.103.49.67:443 212.103.49.67:443
tcp 192.168.0.2:51611 192.168.20.67:51611 31.210.107.195:443 31.210.107.195:443
tcp 192.168.0.2:51613 192.168.20.67:51613 52.157.234.37:443 52.157.234.37:443
tcp 192.168.0.2:51614 192.168.20.67:51614 185.232.20.195:443 185.232.20.195:443
tcp 192.168.0.2:51615 192.168.20.67:51615 38.132.116.195:443 38.132.116.195:443
tcp 192.168.0.2:51616 192.168.20.67:51616 204.44.112.67:443 204.44.112.67:443
tcp 192.168.0.2:51617 192.168.20.67:51617 23.105.171.78:443 23.105.171.78:443
tcp 192.168.0.2:51618 192.168.20.67:51618 91.195.99.163:443 91.195.99.163:443
tcp 192.168.0.2:51619 192.168.20.67:51619 31.210.107.195:443 31.210.107.195:443
tcp 192.168.0.2:51620 192.168.20.67:51620 213.128.80.35:443 213.128.80.35:443
tcp 192.168.0.2:51621 192.168.20.67:51621 161.129.70.3:443 161.129.70.3:443
tcp 192.168.0.2:51624 192.168.20.67:51624 204.44.112.67:443 204.44.112.67:443
tcp 192.168.0.2:51625 192.168.20.67:51625 23.105.171.78:443 23.105.171.78:443
tcp 192.168.0.2:51626 192.168.20.67:51626 91.195.99.163:443 91.195.99.163:443
tcp 192.168.0.2:51627 192.168.20.67:51627 185.189.112.67:443 185.189.112.67:443


HomeFW1# sh logg | i 192.168.20.67
Apr 24 2020 16:46:37: %ASA-6-106100: access-list internet-out permitted tcp inside/192.168.20.67(52061) -> Internet/198.96.95.131(443) hit-cnt 1 first hit [0x79a467e6, 0x00000000]
Apr 24 2020 16:46:37: %ASA-6-302013: Built outbound TCP connection 149490 for Internet:198.96.95.131/443 (198.96.95.131/443) to inside:192.168.20.67/52061 (192.168.20.67/52061)
Apr 24 2020 16:46:37: %ASA-6-106100: access-list inside-in permitted tcp inside/192.168.20.67(52062) -> Internet/185.236.200.19(443) hit-cnt 1 first hit [0x503914ad, 0x00000000]
Apr 24 2020 16:46:37: %ASA-6-106100: access-list internet-out permitted tcp inside/192.168.20.67(52062) -> Internet/185.236.200.19(443) hit-cnt 1 first hit [0x79a467e6, 0x00000000]
Apr 24 2020 16:46:37: %ASA-6-302013: Built outbound TCP connection 149491 for Internet:185.236.200.19/443 (185.236.200.19/443) to inside:192.168.20.67/52062 (192.168.20.67/52062)
Apr 24 2020 16:46:37: %ASA-6-106100: access-list inside-in permitted tcp inside/192.168.20.67(52063) -> Internet/45.87.212.67(443) hit-cnt 1 first hit [0x503914ad, 0x00000000]
Apr 24 2020 16:46:37: %ASA-6-106100: access-list internet-out permitted tcp inside/192.168.20.67(52063) -> Internet/45.87.212.67(443) hit-cnt 1 first hit [0x79a467e6, 0x00000000]
Apr 24 2020 16:46:37: %ASA-6-302013: Built outbound TCP connection 149492 for Internet:45.87.212.67/443 (45.87.212.67/443) to inside:192.168.20.67/52063 (192.168.20.67/52063)
Apr 24 2020 16:46:37: %ASA-6-106100: access-list inside-in permitted tcp inside/192.168.20.67(52064) -> Internet/185.156.173.179(443) hit-cnt 1 first hit [0x503914ad, 0x00000000]
Apr 24 2020 16:46:37: %ASA-6-106100: access-list internet-out permitted tcp inside/192.168.20.67(52064) -> Internet/185.156.173.179(443) hit-cnt 1 first hit [0x79a467e6, 0x00000000]
Apr 24 2020 16:46:37: %ASA-6-302013: Built outbound TCP connection 149493 for Internet:185.156.173.179/443 (185.156.173.179/443) to inside:192.168.20.67/52064 (192.168.20.67/52064)
Apr 24 2020 16:46:37: %ASA-6-106100: access-list inside-in permitted tcp inside/192.168.20.67(52065) -> Internet/212.103.49.67(443) hit-cnt 1 first hit [0x503914ad, 0x00000000]
Apr 24 2020 16:46:37: %ASA-6-106100: access-list internet-out permitted tcp inside/192.168.20.67(52065) -> Internet/212.103.49.67(443) hit-cnt 1 first hit [0x79a467e6, 0x00000000]
Apr 24 2020 16:46:37: %ASA-6-302013: Built outbound TCP connection 149494 for Internet:212.103.49.67/443 (212.103.49.67/443) to inside:192.168.20.67/52065 (192.168.20.67/52065)
Apr 24 2020 16:46:37: %ASA-6-302014: Teardown TCP connection 149486 for Internet:212.102.63.2/443 to inside:192.168.20.67/52057 duration 0:00:00 bytes 0 TCP Reset-I from inside
Apr 24 2020 16:46:37: %ASA-6-302014: Teardown TCP connection 149489 for Internet:194.59.249.243/443 to inside:192.168.20.67/52060 duration 0:00:00 bytes 0 TCP Reset-I from inside
Apr 24 2020 16:46:37: %ASA-6-302014: Teardown TCP connection 149492 for Internet:45.87.212.67/443 to inside:192.168.20.67/52063 duration 0:00:00 bytes 0 TCP Reset-I from inside
Apr 24 2020 16:46:37: %ASA-6-302014: Teardown TCP connection 149493 for Internet:185.156.173.179/443 to inside:192.168.20.67/52064 duration 0:00:00 bytes 0 TCP Reset-I from inside
Apr 24 2020 16:46:37: %ASA-6-302014: Teardown TCP connection 149485 for Internet:52.114.133.61/443 to inside:192.168.20.67/52048 duration 0:00:00 bytes 0 TCP Reset-I from inside
Apr 24 2020 16:46:37: %ASA-6-302014: Teardown TCP connection 149487 for Internet:178.211.43.67/443 to inside:192.168.20.67/52058 duration 0:00:00 bytes 0 TCP Reset-I from inside
Apr 24 2020 16:46:37: %ASA-6-302014: Teardown TCP connection 149488 for Internet:38.132.120.67/443 to inside:192.168.20.67/52059 duration 0:00:00 bytes 0 TCP Reset-I from inside
Apr 24 2020 16:46:37: %ASA-6-302014: Teardown TCP connection 149490 for Internet:198.96.95.131/443 to inside:192.168.20.67/52061 duration 0:00:00 bytes 0 TCP Reset-I from inside
Apr 24 2020 16:46:37: %ASA-6-302014: Teardown TCP connection 149491 for Internet:185.236.200.19/443 to inside:192.168.20.67/52062 duration 0:00:00 bytes 0 TCP Reset-I from inside
e:192.168.20.67/52140 duration 0:00:00 bytes 0 TCP Reset-I from inside
Apr 24 2020 16:46:53: %ASA-6-106015: Deny TCP (no connection) from 192.168.20.67/52140 to 23.62.2.114/80 flags RST on interface inside
Apr 24 2020 16:46:53: %ASA-6-302014: Teardown TCP connection 149699 for Internet:52.114.133.61/443 to inside:192.168.20.67/52126 duration 0:00:00 bytes 0 TCP Reset-I from inside
Apr 24 2020 16:46:53: %ASA-6-106015: Deny TCP (no connection) from 192.168.20.67/52126 to 52.114.133.61/443 flags RST on interface inside
Apr 24 2020 16:46:53: %ASA-6-302013: Built outbound TCP connection 149701 for Internet:52.114.133.61/443 (52.114.133.61/443) to inside:192.168.20.67/52127 (192.168.20.67/52127)
Apr 24 2020 16:46:53: %ASA-6-302013: Built outbound TCP connection 149702 for Internet:52.114.133.61/443 (52.114.133.61/443) to inside:192.168.20.67/52128 (192.168.20.67/52128)
Apr 24 2020 16:46:53: %ASA-6-302014: Teardown TCP connection 149701 for Internet:52.114.133.61/443 to inside:192.168.20.67/52127 duration 0:00:00 bytes 0 TCP Reset-I from inside
Apr 24 2020 16:46:53: %ASA-6-106015: Deny TCP (no connection) from 192.168.20.67/52127 to 52.114.133.61/443 flags RST on interface inside
Apr 24 2020 16:46:54: %ASA-6-302014: Teardown TCP connection 149702 for Internet:52.114.133.61/443 to inside:192.168.20.67/52128 duration 0:00:00 bytes 0 TCP Reset-I from inside
Apr 24 2020 16:46:54: %ASA-6-106015: Deny TCP (no connection) from 192.168.20.67/52128 to 52.114.133.61/443 flags RST on interface inside
Apr 24 2020 16:46:54: %ASA-6-106015: Deny TCP (no connection) from 192.168.20.67/52149 to 13.107.42.12/443 flags RST on interface inside
Apr 24 2020 16:46:54: %ASA-6-106100: access-list inside-in permitted tcp inside/192.168.20.67(51038) -> Internet/23.62.2.114(80) hit-cnt 4 300-second interval [0x503914ad, 0x00000000]
Apr 24 2020 16:46:54: %ASA-6-106100: access-list internet-out permitted tcp inside/192.168.20.67(51038) -> Internet/23.62.2.114(80) hit-cnt 2 300-second interval [0x79a467e6, 0x00000000]
Apr 24 2020 16:46:54: %ASA-6-106100: access-list inside-in permitted tcp inside/192.168.20.67(51039) -> Internet/23.62.2.114(80) hit-cnt 4 300-second interval [0x503914ad, 0x00000000]
Apr 24 2020 16:46:54: %ASA-6-106100: access-list internet-out permitted tcp inside/192.168.20.67(51039) -> Internet/23.62.2.114(80) hit-cnt 2 300-second interval [0x79a467e6, 0x00000000]
Apr 24 2020 16:46:54: %ASA-6-106100: access-list inside-in permitted tcp inside/192.168.20.67(51040) -> Internet/198.8.85.225(443) hit-cnt 1 300-second interval [0x503914ad, 0x00000000]
Apr 24 2020 16:46:54: %ASA-6-106100: access-list internet-out permitted tcp inside/192.168.20.67(51040) -> Internet/198.8.85.225(443) hit-cnt 1 300-second interval [0x79a467e6, 0x00000000]
Apr 24 2020 16:46:54: %ASA-6-106100: access-list inside-in permitted tcp inside/192.168.20.67(51041) -> Internet/71.19.252.152(443) hit-cnt 1 300-second interval [0x503914ad, 0x00000000]
Apr 24 2020 16:46:54: %ASA-6-106100: access-list internet-out permitted tcp inside/192.168.20.67(51041) -> Internet/71.19.252.152(443) hit-cnt 1 300-second interval [0x79a467e6, 0x00000000]
Apr 24 2020 16:46:54: %ASA-6-106100: access-list inside-in permitted tcp inside/192.168.20.67(51042) -> Internet/23.154.160.161(443) hit-cnt 1 300-second interval [0x503914ad, 0x00000000]
Apr 24 2020 16:46:54: %ASA-6-106100: access-list internet-out permitted tcp inside/192.168.20.67(51042) -> Internet/23.154.160.161(443) hit-cnt 1 300-second interval [0x79a467e6, 0x00000000]
Apr 24 2020 16:46:54: %ASA-6-106100: access-list inside-in permitted tcp inside/192.168.20.67(51043) -> Internet/155.94.250.67(443) hit-cnt 1 300-second interval [0x503914ad, 0x00000000]
Apr 24 2020 16:46:54: %ASA-6-106100: access-list internet-out permitted tcp inside/192.168.20.67(51043) -> Internet/155.94.250.67(443) hit-cnt 1 300-second interval [0x79a467e6, 0x00000000]
Apr 24 2020 16:46:54: %ASA-6-106100: access-list inside-in permitted tcp inside/192.168.20.67(52150) -> Internet/104.129.18.195(443) hit-cnt 1 first hit [0x503914ad, 0x00000000]
Apr 24 2020 16:46:54: %ASA-6-106100: access-list internet-out permitted tcp inside/192.168.20.67(52150) -> Internet/104.129.18.195(443) hit-cnt 1 first hit [0x79a467e6, 0x00000000]
Apr 24 2020 16:46:54: %ASA-6-302013: Built outbound TCP connection 149703 for Internet:104.129.18.195/443 (104.129.18.195/443) to inside:192.168.20.67/52150 (192.168.20.67/52150)

To be honest this really feels like a routing loop / asymmetric routing... however (!) why would DNS (nslookup) work?

 

The routing tables of each device are below.

 

Router
Gateway of last resort is 192.168.0.1 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 192.168.0.1
192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.0.0/24 is directly connected, GigabitEthernet0/0
L 192.168.0.2/32 is directly connected, GigabitEthernet0/0
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.10.0/25 is directly connected, GigabitEthernet0/1
L 192.168.10.1/32 is directly connected, GigabitEthernet0/1
192.168.20.0/28 is subnetted, 1 subnets
S 192.168.20.64 [1/0] via 192.168.10.2


Switch
Gateway of last resort is 192.168.10.1 to network 0.0.0.0

192.168.10.0/25 is subnetted, 1 subnets
C 192.168.10.0 is directly connected, Vlan5
192.168.20.0/28 is subnetted, 1 subnets
C 192.168.20.64 is directly connected, Vlan20
S* 0.0.0.0/0 [1/0] via 192.168.10.1


ASA

Gateway of last resort is 192.168.10.1 to network 0.0.0.0

S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.10.1, Internet
C 192.168.10.0 255.255.255.128 is directly connected, Internet
L 192.168.10.10 255.255.255.255 is directly connected, Internet
C 192.168.20.64 255.255.255.240 is directly connected, inside
L 192.168.20.66 255.255.255.255 is directly connected, inside
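An added worked example (the editor's, not part of the thread): a triage script run over ASA syslog lines such as the ones posted above. The pattern it looks for is "Built outbound TCP connection" followed in the same second by "Teardown ... duration 0:00:00 bytes 0 TCP Reset-I from inside", plus stray "Deny TCP (no connection) ... flags RST on interface inside" messages. That is the usual signature of a return path that bypasses the firewall: the ASA sees the client's SYN (and, by default, randomises its initial sequence number), never sees the SYN-ACK, and the client, receiving a SYN-ACK that acknowledges a sequence number it never sent, answers with a RST through its default gateway, the ASA. UDP DNS and ICMP echo have no handshake to break, so they keep working over the same asymmetric path. The first six sample lines are copied from the post; the last two are constructed to show what a healthy session looks like beside the broken ones.

```python
"""Triage ASA syslog for the 'connection built, then immediately reset from inside' pattern."""
import re
from typing import Dict, List

# Message formats as they appear in the post (connection ids, interfaces and addresses vary).
BUILT = re.compile(
    r"%ASA-6-302013: Built outbound TCP connection (?P<id>\d+) for "
    r"(?P<oif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) \([\d.]+/\d+\) to "
    r"(?P<iif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+)"
)
TEARDOWN = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<id>\d+) for \w+:[\d.]+/\d+ to \w+:[\d.]+/\d+ "
    r"duration (?P<dur>\d+:\d+:\d+) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$"
)
DENY_RST = re.compile(
    r"%ASA-6-106015: Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dst>[\d.]+)/(?P<dport>\d+) flags RST on interface (?P<iif>\w+)"
)

# Sample input: lines 1-6 are from the post; lines 7-8 are constructed (a healthy session).
SAMPLE_LOG = """\
Apr 24 2020 16:46:37: %ASA-6-302013: Built outbound TCP connection 149490 for Internet:198.96.95.131/443 (198.96.95.131/443) to inside:192.168.20.67/52061 (192.168.20.67/52061)
Apr 24 2020 16:46:37: %ASA-6-302013: Built outbound TCP connection 149491 for Internet:185.236.200.19/443 (185.236.200.19/443) to inside:192.168.20.67/52062 (192.168.20.67/52062)
Apr 24 2020 16:46:37: %ASA-6-302014: Teardown TCP connection 149490 for Internet:198.96.95.131/443 to inside:192.168.20.67/52061 duration 0:00:00 bytes 0 TCP Reset-I from inside
Apr 24 2020 16:46:37: %ASA-6-302014: Teardown TCP connection 149491 for Internet:185.236.200.19/443 to inside:192.168.20.67/52062 duration 0:00:00 bytes 0 TCP Reset-I from inside
Apr 24 2020 16:46:53: %ASA-6-106015: Deny TCP (no connection) from 192.168.20.67/52140 to 23.62.2.114/80 flags RST on interface inside
Apr 24 2020 16:46:53: %ASA-6-106015: Deny TCP (no connection) from 192.168.20.67/52126 to 52.114.133.61/443 flags RST on interface inside
Apr 24 2020 16:47:10: %ASA-6-302013: Built outbound TCP connection 149800 for Internet:212.58.233.251/443 (212.58.233.251/443) to inside:192.168.20.67/52200 (192.168.20.67/52200)
Apr 24 2020 16:47:22: %ASA-6-302014: Teardown TCP connection 149800 for Internet:212.58.233.251/443 to inside:192.168.20.67/52200 duration 0:00:12 bytes 5342 TCP FINs
"""


def triage(lines: List[str]) -> Dict:
    """Correlate Built/Teardown pairs by connection id and count the asymmetric-routing signature."""
    built: Dict[str, Dict[str, str]] = {}
    torn: Dict[str, Dict[str, str]] = {}
    stray_rst: List[Dict[str, str]] = []
    for line in lines:
        if (m := BUILT.search(line)):
            built[m["id"]] = m.groupdict()
        elif (m := TEARDOWN.search(line)):
            torn[m["id"]] = m.groupdict()
        elif (m := DENY_RST.search(line)):
            stray_rst.append(m.groupdict())

    # Signature: state built from the SYN, then the inside host resets it before any payload moves.
    # The SYN-ACK reached the client without passing the ASA, so the client's reply makes no sense
    # to either side and the firewall tears the half-open connection down.
    suspects = sorted(
        (cid, built[cid]["dst"], built[cid]["dport"])
        for cid, t in torn.items()
        if cid in built
        and t["reason"] == "TCP Reset-I from inside"
        and t["bytes"] == "0"
        and t["dur"] == "0:00:00"
    )
    healthy = [cid for cid, t in torn.items() if int(t["bytes"]) > 0]
    verdict = "ok"
    if suspects and len(suspects) >= len(torn) / 2:
        verdict = "asymmetric return path suspected: inside host resets sessions the ASA just built"
    return {
        "built": len(built),
        "torn_down": len(torn),
        "reset_from_inside_zero_bytes": len(suspects),
        "healthy": len(healthy),
        "stray_rst": len(stray_rst),
        "suspects": suspects,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

Feed it `show logging` output (or a syslog export) instead of SAMPLE_LOG; a high ratio of zero-byte inside resets to total teardowns, together with 106015 RST denies from the same clients, is the cue to compare the forward and return paths rather than to keep loosening ACLs or inspection policy.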

Thanks for the additional information, especially for the log messages. It is good to see the entries in the translate table. In the logs we see the attempt to establish a TCP session go through, and we see the ASA build an entry in the state table. Then we see a log message that inside issued a reset and tears down the TCP connection entry:

Apr 24 2020 16:46:37: %ASA-6-302014: Teardown TCP connection 149486 for Internet:212.102.63.2/443 to inside:192.168.20.67/52057 duration 0:00:00 bytes 0 TCP Reset-I from inside

I am puzzled why we seem to be getting a reset? Is there possibly some security policy on your device that is impacting this?

HTH

Rick

I agree with the puzzlement ... You're pretty much where I am now.

 

The Router doesn't have any security policies (That's later on)

The switch doesn't have any ACLs either.

 

I'll check the policies tomorrow as I'm giving my brain a break now.

 

Thanks for coming back to me so quickly.

Found it!

 

I managed to get a hold of another Cisco Catalyst 2960 (12 port)

 

I removed the vlan from the original switch and recreated it on the new switch.

 

I added a route for the client network behind the ASA firewall on the original switch.

 

For clarity:

Client laptop connects to 12 port Catalyst

12 port catalyst has a connection to the ASA 5525x inside interface

The ASA5525x has an outside connection to a Cisco 2960s (my original switch in all this)

That switch connects to a Cisco router and that connects to my broadband.

 

OK. The solution to add an additional switch behind the firewall and the ip route on the original switch worked.

 

This leads me to theorise that the original switch was routing the return packet back incorrectly. I hadn't configured it correctly, and the VLAN 5 being connected meant I had introduced asymmetric routing, which the ASA5525x didn't like.

Could it be something else?

 

Thank you to the contributors looking at this. This is my first question on these forums and I'm pleasantly pleased with the response.

 

Thank you,

 

Thanks for the update. Glad to know that you got it working.

HTH

Rick

Hi,

 

Thanks for the reply.

 

The ASA config is below. I'm not worried about redacting anything as this isn't production and I've only really just started.

 

The ASA config should be attached.

What was wrong with the nat I had originally? (I changed it to your suggestion by the way, no change to the end result)

Hello,

 

I am a bit confused about the switch: do you have Vlan 5 and Vlan 20 interfaces with IP addresses configured on the switch, and is ip routing enabled?

 

 

That is correct.

 

I hope I am not completely misunderstanding your topology...

 

The reason I am asking is that if your topology is:

 

Router --> Layer 3 Switch --> ASA

 

the default route on the ASA needs to point to the Vlan 5 interface of the switch, which has IP address 192.168.10.2. It currently points to the interface of the router:

 

route Internet 0.0.0.0 0.0.0.0 192.168.10.1

 

So try and change that to:

 

route Internet 0.0.0.0 0.0.0.0 192.168.10.2
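An added worked example (the editor's, not from anyone in the thread): a small routing-table model of the posted topology, using the routes shown in the OP's three routing tables. It traces the forward path from the client and the return path from the NAT router (where the reply re-enters the LAN addressed to 192.168.20.67) for three cases: the tables as posted, the suggestion above of pointing the ASA's default route at 192.168.10.2, and the change the OP reports making (no VLAN 20 SVI on the original switch plus a static route for the client subnet). The next hop of that static route, 192.168.10.10 (the ASA's outside address), is an assumption, since the post does not give it; the model also assumes the 2960 routes between its SVIs, as the OP confirmed.

```python
"""Trace forward and return paths through the thread's topology and check whether the ASA sees both."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IP = ipaddress.IPv4Address


@dataclass
class Node:
    name: str
    connected: List[Tuple[str, str]]                        # (interface address, connected prefix)
    statics: Dict[str, str] = field(default_factory=dict)   # prefix -> next hop
    default: Optional[str] = None                           # gateway of last resort

    def owns(self, addr: IP) -> bool:
        return any(IP(a) == addr for a, _ in self.connected)

    def lookup(self, dst: IP) -> Tuple[Optional[str], Optional[IP]]:
        """Longest-prefix match over connected and static routes, then the default route."""
        best: Optional[Tuple[int, str, Optional[IP]]] = None
        for _, prefix in self.connected:
            net = ipaddress.IPv4Network(prefix)
            if dst in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, "connected", None)
        for prefix, nh in self.statics.items():
            net = ipaddress.IPv4Network(prefix)
            if dst in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, "via", IP(nh))
        if best is None and self.default:
            best = (0, "via", IP(self.default))
        return (best[1], best[2]) if best else (None, None)


def trace(nodes: Dict[str, Node], start: str, dst: str, max_hops: int = 8) -> List[str]:
    """Hop-by-hop path from `start` towards `dst`, ending at the delivering node, 'off-net' or 'LOOP'."""
    target = IP(dst)
    path, node = [start], nodes[start]
    for _ in range(max_hops):
        kind, nh = node.lookup(target)
        if kind is None:
            return path + ["UNROUTABLE"]
        hop = target if kind == "connected" else nh
        owner = next((n for n in nodes.values() if n.owns(hop)), None)
        if owner is None:
            return path + ["off-net"]    # leaves the modelled LAN (broadband router / Internet)
        path.append(owner.name)
        if kind == "connected":
            return path                  # delivered on a directly connected segment
        node = owner
    return path + ["LOOP"]


def build(asa_default: str = "192.168.10.1",
          switch_vlan20_svi: bool = True,
          switch_route_to_asa: bool = False) -> Dict[str, Node]:
    """Addresses and routes as posted; the keyword arguments model the two changes discussed."""
    switch_connected = [("192.168.10.2", "192.168.10.0/25")]
    if switch_vlan20_svi:
        switch_connected.append(("192.168.20.65", "192.168.20.64/28"))
    # Next hop for the OP's added static route is assumed to be the ASA outside address.
    switch_statics = {"192.168.20.64/28": "192.168.10.10"} if switch_route_to_asa else {}
    return {
        "client": Node("client", [("192.168.20.67", "192.168.20.64/28")], default="192.168.20.66"),
        "asa": Node("asa", [("192.168.10.10", "192.168.10.0/25"), ("192.168.20.66", "192.168.20.64/28")],
                    default=asa_default),
        "switch": Node("switch", switch_connected, statics=switch_statics, default="192.168.10.1"),
        "router": Node("router", [("192.168.0.2", "192.168.0.0/24"), ("192.168.10.1", "192.168.10.0/25")],
                       statics={"192.168.20.64/28": "192.168.10.2"}, default="192.168.0.1"),
    }


def check(nodes: Dict[str, Node], client: str = "192.168.20.67",
          remote: str = "212.58.233.251") -> Tuple[List[str], List[str], bool]:
    """Forward path from the client; return path from the NAT router where the reply re-enters the LAN."""
    fwd = trace(nodes, "client", remote)
    ret = trace(nodes, "router", client)
    return fwd, ret, ("asa" in fwd and "asa" in ret)


SCENARIOS = {
    "as posted": build(),
    "ASA default route via switch 192.168.10.2": build(asa_default="192.168.10.2"),
    "no Vlan20 SVI on switch + static route to ASA": build(switch_vlan20_svi=False, switch_route_to_asa=True),
}

if __name__ == "__main__":
    for name, topo in SCENARIOS.items():
        fwd, ret, ok = check(topo)
        print(f"{name}\n  forward: {' -> '.join(fwd)}\n  return:  {' -> '.join(ret)}\n  ASA on both: {ok}")
```

With the tables as posted, the return path is router -> switch -> client: the router's static route hands the reply to the switch, whose Vlan20 SVI is directly connected to the client subnet, so the ASA never sees it, which is exactly the condition behind the inside resets in the logs. In the model, changing only the ASA's default route moves the forward path through the switch but leaves that return path unchanged; removing the Vlan20 SVI and pointing the switch's route for 192.168.20.64/28 at the ASA is what puts the firewall on both directions, matching the change the OP reports as working. The practical check after any such change is the same: trace both directions and make sure the stateful device is on each.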