05-08-2017 04:08 AM - edited 03-05-2019 08:29 AM
Dears,
I am trying to set up a LAN network as attached; please find the current config.
Users are not able to access the internet. From the switch I cannot ping 8.8.8.8; from the ASA I can ping 8.8.8.8.
05-08-2017 06:24 AM
Thank you
Could you please execute the command ip routing on the switch and try again?
05-08-2017 05:06 AM
Hi Edwin
Your config looks fine, but the access-group configuration is missing. It is essential to enable the ACLs.
access-group <acl name> in interface <nameif associated to the acl>
example
access-group <INSIDE-ACL> in interface <inside>
I used to create the NAT using object-groups along with the NAT statement.
Hope it is useful
:-)
05-08-2017 05:06 AM
Hi Julio,
Can you help me with it?
05-08-2017 05:08 AM
Sure,
Please let me provide you an example, before I could confirm communication from the firewall to the gateways of the networks configured on the switch?
05-08-2017 05:15 AM
Hi
Try executing these command lines:
Your NAT statement is OK, so you don't need the following line:
no nat (inside,outside) after-auto source dynamic any interface
To enable the ACL and apply it to the interface:
access-group inside_access_in in interface inside
Please try and keep me posted. Also verify if the computers have the gateway configured and DNS addresses like 8.8.8.8 / 4.2.2.2.
:-)
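An added example, not part of the original thread and not the posters' code: a small Python check for the two issues raised in the posts above, ACLs that are defined but never bound with access-group, and access-group lines missing the in/out direction. The sample config is constructed, reusing the ACL and interface names from the thread.

```python
import re

# Constructed sample (not the poster's real config): two ACLs are defined,
# and the only access-group line lacks the in/out direction keyword.
SAMPLE_CONFIG = """\
access-list inside_access_in extended permit icmp 10.10.0.0 255.255.0.0 any echo
access-list inside_access_in extended permit ip 10.10.0.0 255.255.0.0 any
access-list ouside_in extended permit icmp any any echo-reply
access-group inside_access_in interface inside
"""

# ACL definitions: access-list <name> {extended|standard|remark} ...
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended|standard|remark)\b", re.M)
# Bindings: access-group <acl> {in|out} interface <nameif>, or access-group <acl> global
GROUP_RE = re.compile(
    r"^access-group\s+(\S+)\s+(?:(in|out)\s+interface\s+(\S+)|global)\s*$")
ANY_GROUP_RE = re.compile(r"^access-group\b.*$", re.M)


def audit_acl_bindings(config):
    """Report ACLs with no binding, bindings to unknown ACLs, and malformed lines."""
    defined = set(ACL_RE.findall(config))
    bound = {}       # acl name -> (direction, interface); (None, None) for global
    malformed = []   # access-group lines that do not match the expected syntax
    for m in ANY_GROUP_RE.finditer(config):
        line = m.group(0).strip()
        ok = GROUP_RE.match(line)
        if ok:
            bound[ok.group(1)] = (ok.group(2), ok.group(3))
        else:
            malformed.append(line)
    return {
        "unbound": sorted(defined - set(bound)),    # defined but never applied
        "undefined": sorted(set(bound) - defined),  # applied but never defined
        "malformed": malformed,
        "bound": bound,
    }


if __name__ == "__main__":
    report = audit_acl_bindings(SAMPLE_CONFIG)
    for key in ("unbound", "undefined", "malformed"):
        print(f"{key}: {report[key]}")
```

An ACL listed under "unbound" is present in the config but filters nothing until an access-group line attaches it to an interface.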
05-08-2017 05:26 AM
05-08-2017 05:36 AM
Hi
They already should have Internet access, in order to enable ping try these commands:
access-list inside_access_in line 1 extended permit icmp 10.10.0.0 255.255.0.0 any echo
access-list inside_access_in line 2 extended permit icmp 10.10.0.0 255.255.0.0 any echo-reply
access-list ouside_in line 1 extended permit icmp host 172.16.32.253 any echo
access-list ouside_in line 2 extended permit icmp host 172.16.32.253 any echo-reply
Usually icmp is not part of IP, you need to enable icmp on both ways.
:-)
05-08-2017 05:45 AM
05-08-2017 05:53 AM
Thanks for the update,
Just a question about the IP configured under the outside interface, is it the IP of the network received through the modem? or it is the gateway? and the default route should be pointing to gateway, do you know what is the gateway for the subnet 172.16.32.0/24?
If you connect a PC to the modem, can you see what IP you obtained from the modem?
interface GigabitEthernet1/1
 description to WAN
 nameif outside
 security-level 0
 ip address 172.16.32.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 172.16.32.253
05-08-2017 05:53 AM
172.16.32.253 is IP of the DSL MODEM
05-08-2017 05:54 AM
Thank you,
If you connect a PC to the modem, can you see what IP you obtained and its gateway from the modem?
05-08-2017 05:59 AM
05-08-2017 06:05 AM
Thank you Edwin, perfect, from the firewall you can ping the ip 8.8.8.8?
Also please remove this line:
no access-list ouside_in extended permit icmp host 172.16.32.253 any
you should have
access-list ouside_in extended permit icmp any any echo
access-list ouside_in extended permit icmp any any echo-reply
05-08-2017 06:06 AM
yes, I can
05-08-2017 06:11 AM
Hi
Your firewall config looks fine. Can you set up a PC manually and use DNS 8.8.8.8 and 4.2.2.2?
Also, I'm assuming the ip routing command is configured on the layer 3 switch, is that correct?