Re: Can't ping internet? What could be the issue?

tauriq · ‎08-13-2020

Hi guys, i'm at a loss. I'm busy with my final project however i ran into some trouble. my intervlan routing is working but when i try to ping from QCpc1 to the internet router my pings don't work however when i try to ping from QCR1 to internet pings are successful. any help would be much appreciated. my servers run dhcp, syslog and dns is this a good idea for 1 server? I will upload my pktracer file here for you guys to see. Currently focusing on just getting access to internet via QCR1 as QCR2 is there for "redundancy" and load balancing so i'll just mirror the config. Also note i have configured NAT on firewall-1 but it doesn't translate any addresses but i think thats because i haven't sorted out my basic connectivity yet. Any guidance and advice would be appreciated please

Georg Pauwen · ‎08-13-2020

Hello,

it is a bug in the ASA version of Packet Tracer. The ASA only allows you to NAT directly translated networks. The workaround is to change the interface (Vlan 1 in your case) IP address to match the subnet you are translating, and to configure 'ip proxy-arp' on the interface of the OCR1 router directly connected to the Firewall-1. Attached the working file. There is (almost) no way you can figure this out yourself, unless you have run into it yourself before...

Firewall-1

interface Vlan1
nameif inside
security-level 100
ip address 172.16.1.2 255.255.0.0
!
object network INSIDE-NET
subnet 172.16.0.0 255.255.0.0
!
object network INSIDE-NET
nat (inside,outside) dynamic interface

QCR1

interface FastEthernet0/0
ip address 172.16.1.1 255.255.255.0
duplex auto
speed auto
--> ip proxy-arp (not visible in the running config)

tauriq · ‎08-13-2020

@Georg Pauwen Thank you man, this definitely helped my cause. Also 1 more question before I try to configure IPsec on ASA to router, is this possible on packet tracer I've tried to do it before as a practice lab but encountered problems trying to ping. Due to corona i'm unable to practice on real equipment at university so would like to know if it also might be a bug with packet tracer?

Georg Pauwen · ‎08-13-2020

Hello,

IPsec tunnel between ASA and IOS router should be possible. What are you running into ?

tauriq · ‎08-14-2020

Hello @Georg Pauwen , Sorry for the delay in my reply.

1) Attached is my packet tracer file with ipsec enabled. I can ping the loopback on the Torronto router but my packets aren't being encrypted as its supposed to be. Now I'm not sure as it is a packet tracer glitch again or my config is wrong.

2) DHCP snooping was enabled but kept giving me "%DHCP_SNOOPING-5-DHCP_SNOOPING_NONZERO_GIADDR: DHCP_SNOOPING drop message with non-zero giaddr or option82 value on untrusted port, message type: DHCP DISCOVER, MAC sa: 00D0.FF37.95D1" error so I disabled it. However I made all the connected ports trusted so therefore i'm confused as to why I get this error?

Update: I managed to configure a working IPSEC vpn as a practice lab on a different topology but however when i try to do it between IOS router and ASA firewall my pings aren't successful.

Your response would be much appreciated.