Kevin

Traffic from a higher to lower security interface is allowed by default so you don't need an acl appliied to the outside interface.

And that acl doesn't make sense, it is going to block all traffic so just remove it.

You also need a default route on the ASA -

"route outside 0.0.0.0 0.0.0.0 <10.10.10.x>"

Finally it looks like you are doing NAT on the router so as far as I understand it you should not need any NAT rules because the ASA should add them for your inside traffic.

That is my undestanding but I may be wrong because I have always used NAT on an ASA.

So if you remove the NAT configuration and do a "sh nat" do you see an default NAT rules ?

Or you could leave it in, up to you.

Jon

Hi Jon,

thanks for the reply.

I have removed that ACL now, and I had a look at the route and I was sure I put in the default route but I must have forgot to wri mem - so here is the route:

C    10.10.10.0 255.255.255.0 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 10.10.10.1, outside

as for the NAT rules there is a rule on there which is on the config:

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static internal-lan inside_mapped
    translate_hits = 852, untranslate_hits = 9

I will try removing these and see if this solves the issue.

Hi kevin

I don't think the NAT part was the thing stopping it working, it was the acl and default route.

It's just that if you are not doing NAT on the ASA then because NAT is a requirement for higher to lower traffic I believe the ASA will add default rules for you.

So it's up to you what you do about that part.

Jon

Hi Jon,

I changed the settings. Route was added, nat rules removed and no access list. I have tested but this still isnt working. I have tried to trace to 8.8.8.8 on the internet from the firewall which works ok, but from a machine connected to the inside interface, this doesnt work.

Any other ideas would be appreciated.

ASA Version 8.4(1)
!
hostname ciscoasa
enable password ncnbYkIeyXTKKIQe encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.10.10.2 255.255.255.0
!
interface Vlan10
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 10
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 194.72.9.38
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network inside_mapped
 subnet 192.168.10.0 255.255.255.0
pager lines 24
logging console debugging
logging buffered warnings
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.10.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.10.5-192.168.10.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username adminssh password s7VKH.L6lL1y418g encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DD                                                                                                ; CEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic dail
Cryptochecksum:5e9026a98ca2a6f9dd4b9b31ec0d72c7
: end

Instead of using traceroute try connecting to a web site and see if that works.

If not can you post "sh nat".

Jon

Hi,

I have tried DNS and web traffic but I am not getting anything back.

If i show NAT then there is nothing in the NAT table either.

I still cant think why this isnt routing out. I am going to double check the DSL box to ensure that this still has the right route back to the 192.168.10 network.

Can you try this on your ASA -

"packet-tracer input inside tcp 192.168.10.3 12345 8.8.8.8 80"

and post results.

Jon

Here are the results:

Have you setup NAT correctly on the ADSL router ?

By the way you won't be able to ping the inside interface of the ASA from the router as the firewall won't allow that.

Jon

I have had a look at the router and I think I might have found an issue:

object-group network Wlan
 range 10.10.10.2 10.10.10.254

ip nat inside source list 2000 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.10.0 255.255.255.0 10.10.10.2
!
access-list 2000 permit ip 10.10.10.0 0.0.0.255 any
access-list 2000 permit icmp any any
access-list 2000 permit udp any eq domain any
access-list 2000 permit tcp object-group Wlan any
access-list 2000 permit udp object-group Wlan any

it seems that 192.168.10.0 isnt declared as a rule in ACL 2000. I will add an object rule to that and see if that works. You think this is correct ?

Hi Jon,

Sorry for the late reply, I was in a meeting about a network upgrade. I seem to be making a little bit of progress, the interface on windows now shows up being on the internet instead of "unidentifed network" but when I try to connect I still cant ping or use a browser or anything (not going through a proxy here)

Here is the modified config on the router:

object-group network ASA-Network1
 range 192.168.10.0 192.168.10.254

ip nat inside source list 2000 interface Dialer0 overload

access-list 2000 permit ip 10.10.10.0 0.0.0.255 any
access-list 2000 permit icmp any any
access-list 2000 permit udp any eq domain any
access-list 2000 permit tcp object-group Wlan any
access-list 2000 permit udp object-group Wlan any
access-list 2000 permit tcp object-group ASA-Network1 any
access-list 2000 permit udp object-group ASA-Network1 any
access-list 2000 permit ip 192.168.10.0 0.0.0.255 any

In the NAT table it looks like it is working:

Pro Inside global      Inside local       Outside local      Outside global
tcp 86.130.120.112:60763 10.10.10.168:60763 216.58.208.74:443 216.58.208.74:443
tcp 86.130.120.112:60787 10.10.10.168:60787 104.82.192.32:80 104.82.192.32:80
tcp 86.130.120.112:60800 10.10.10.168:60800 216.58.209.238:80 216.58.209.238:80
tcp 86.130.120.112:60808 10.10.10.168:60808 216.58.209.238:443 216.58.209.238:443
tcp 86.130.120.112:49186 192.168.10.6:49186 191.232.139.92:443 191.232.139.92:443
tcp 86.130.120.112:63759 192.168.10.6:63759 161.69.165.58:443 161.69.165.58:443
tcp 86.130.120.112:63762 192.168.10.6:63762 157.56.52.31:40032 157.56.52.31:40032
tcp 86.130.120.112:63776 192.168.10.6:63776 157.56.52.31:40032 157.56.52.31:40032
tcp 86.130.120.112:63779 192.168.10.6:63779 161.69.165.58:443 161.69.165.58:443
tcp 86.130.120.112:64305 192.168.10.6:64305 157.56.52.31:443 157.56.52.31:443

I think everything should be working ok because you can see the NAT translations. So the router can see the ASA internal network and it appears that the ASA is letting everything through ok. There is something I am missing somewhere I think.

The NAT translations suggest it should be working.

Do you have any configuration on the router that may be blocking the traffic ?

When you make a connection from your laptop can you then post -

"sh xlate"

from the firewall.

Jon