08-13-2020 05:40 AM
Hi guys, I'm at a loss. I'm busy with my final project, however I ran into some trouble. My inter-VLAN routing is working, but when I try to ping from QCpc1 to the internet router my pings don't work, whereas when I try to ping from QCR1 to the internet the pings are successful. Any help would be much appreciated. My servers run DHCP, syslog and DNS; is this a good idea for 1 server? I will upload my Packet Tracer file here for you guys to see. Currently I'm focusing on just getting access to the internet via QCR1, as QCR2 is there for "redundancy" and load balancing, so I'll just mirror the config. Also note I have configured NAT on Firewall-1 but it doesn't translate any addresses, but I think that's because I haven't sorted out my basic connectivity yet. Any guidance and advice would be appreciated, please.
08-13-2020 06:20 AM
Hello,
It is a bug in the ASA version of Packet Tracer. The ASA only allows you to NAT directly translated networks. The workaround is to change the interface (Vlan 1 in your case) IP address to match the subnet you are translating, and to configure 'ip proxy-arp' on the interface of the QCR1 router directly connected to Firewall-1. Attached is the working file. There is (almost) no way you can figure this out yourself, unless you have run into it yourself before...
Firewall-1

interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.1.2 255.255.0.0
!
object network INSIDE-NET
 subnet 172.16.0.0 255.255.0.0
!
object network INSIDE-NET
 nat (inside,outside) dynamic interface

QCR1

interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0
 duplex auto
 speed auto
 --> ip proxy-arp (not visible in the running config)
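The condition described in the answer above (the subnet being translated has to match the subnet of the inside interface) can be checked mechanically. The following is an added example, not part of the original post or the attached file: a small Python check over the Firewall-1 lines as posted, plus a constructed variant with the interface left in a /24; the function name and the variant are assumptions made for illustration.

```python
import ipaddress
import re

# Firewall-1 configuration as posted in the answer above.
POSTED = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.1.2 255.255.0.0
!
object network INSIDE-NET
 subnet 172.16.0.0 255.255.0.0
!
object network INSIDE-NET
 nat (inside,outside) dynamic interface
"""

# Constructed counter-example: same object, interface mask left at /24.
CONSTRUCTED_MISMATCH = POSTED.replace("172.16.1.2 255.255.0.0",
                                      "172.16.1.2 255.255.255.0")


def check_object_nat(config):
    """Return [(object, real_if, translated_subnet, interface_subnet, match)]."""
    if_nets, obj_nets, obj_nat = {}, {}, {}
    section = name = nameif = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"(interface|object network)\s+(\S+)$", line):
            section, name, nameif = m.group(1), m.group(2), None
        elif section == "interface" and (m := re.match(r"nameif\s+(\S+)$", line)):
            nameif = m.group(1)
        elif section == "interface" and nameif and (
                m := re.match(r"ip address\s+(\S+)\s+(\S+)", line)):
            # ip_interface accepts "address/netmask" and yields the containing network
            if_nets[nameif] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
        elif section == "object network" and (m := re.match(r"subnet\s+(\S+)\s+(\S+)$", line)):
            obj_nets[name] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        elif section == "object network" and (m := re.match(r"nat\s+\((\w+),\w+\)", line)):
            obj_nat[name] = m.group(1)  # real (inside) interface of the object NAT rule
    return [(obj, real_if, obj_nets.get(obj), if_nets.get(real_if),
             obj_nets.get(obj) is not None and obj_nets.get(obj) == if_nets.get(real_if))
            for obj, real_if in obj_nat.items()]


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("constructed mismatch", CONSTRUCTED_MISMATCH)):
        for obj, real_if, translated, iface_net, ok in check_object_nat(cfg):
            print(f"{label}: {obj} on {real_if}: translate {translated}, "
                  f"interface in {iface_net} -> {'ok' if ok else 'MISMATCH'}")
```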
08-13-2020 06:44 AM
@Georg Pauwen Thank you man, this definitely helped my cause. Also 1 more question before I try to configure IPsec from ASA to router: is this possible on Packet Tracer? I've tried to do it before as a practice lab but encountered problems trying to ping. Due to corona I'm unable to practice on real equipment at university, so I would like to know if it also might be a bug with Packet Tracer?
08-13-2020 07:14 AM
Hello,
An IPsec tunnel between ASA and IOS router should be possible. What are you running into?
08-14-2020 05:03 AM - edited 08-16-2020 04:44 PM
Hello @Georg Pauwen, sorry for the delay in my reply.
1) Attached is my Packet Tracer file with IPsec enabled. I can ping the loopback on the Torronto router but my packets aren't being encrypted as they are supposed to be. Now I'm not sure whether it is a Packet Tracer glitch again or my config is wrong.
2) DHCP snooping was enabled but kept giving me the "%DHCP_SNOOPING-5-DHCP_SNOOPING_NONZERO_GIADDR: DHCP_SNOOPING drop message with non-zero giaddr or option82 value on untrusted port, message type: DHCP DISCOVER, MAC sa: 00D0.FF37.95D1" error, so I disabled it. However, I made all the connected ports trusted, so I'm confused as to why I get this error?
Update: I managed to configure a working IPsec VPN as a practice lab on a different topology, but when I try to do it between an IOS router and an ASA firewall my pings aren't successful.
Your response would be much appreciated.