03-13-2022 10:24 PM
Hi There!
I am trying to build a network with a 3-tier firewall. For some reason, I cannot ping the web server outside my firewall from my inside desktop. I have followed all the instructions and I have tried to change the hardware, but it does not work. I attach both my Packet Tracer files here. Probably someone can point at my mistake. I share the files on Google Drive: https://drive.google.com/drive/folders/1KYcWK7tngdih63eJzCQU0FICy4zMWehx?usp=sharing
Thanks a lot!
03-14-2022 04:16 AM
Hello,
the main problem is the (mis)configuration of the Internet router. Also, the IP address of the ASA outside interface is on a different subnet than that of the router. Make sure the configs look like below (important parts marked in bold). Also, the webserver had no default gateway configured.
Attached the revised file.
Router#sh run
Building configuration...
Current configuration : 668 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
ip cef
no ipv6 cef
!
spanning-tree mode pvst
!
interface FastEthernet0/0
ip address 8.8.8.1 255.0.0.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.10.11.10 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
clock rate 2000000
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.11.20
!
ip flow-export version 9
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
end
ciscoasa#sh run
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.10.11.20 255.255.255.0
!
interface Vlan3
no forward interface Vlan1
nameif DMZ
security-level 70
ip address 192.168.2.1 255.255.255.0
!
object network INTERNET
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) dynamic interface
!
route outside 0.0.0.0 0.0.0.0 10.10.11.10 1
!
access-list INTERNET extended permit tcp any any eq www
access-list INTERNET extended permit icmp any any
!
access-group INTERNET in interface outside
!
telnet timeout 5
ssh timeout 5
!
dhcpd dns 8.8.8.8
dhcpd auto_config outside
!
dhcpd address 192.168.1.3-192.168.1.17 inside
dhcpd enable inside
!
ciscoasa#
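An added consistency check, not part of the thread or of any Cisco tooling, that parses the two configs above and flags the faults the answer found by hand: a static route whose next hop sits on no directly connected subnet, and router/ASA interfaces that share no subnet. The wrong-subnet ASA variant is a constructed value, since the thread does not show the original misconfiguration.

```python
import ipaddress
import re
# Constructed excerpts of the router and ASA configs from the accepted answer.
ROUTER_CFG = """
interface FastEthernet0/0
 ip address 8.8.8.1 255.0.0.0
interface FastEthernet0/1
 ip address 10.10.11.10 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.10.11.20
"""
ASA_CFG = """
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 ip address 10.10.11.20 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.10.11.10 1
"""
# Constructed "before" variant: ASA outside on the wrong subnet (the thread gives no exact value).
ASA_CFG_WRONG_SUBNET = ASA_CFG.replace("10.10.11.20 255", "10.10.12.20 255")
# Matches IOS "ip route DEST MASK NEXTHOP" and ASA "route IFNAME DEST MASK NEXTHOP [metric]".
ROUTE_RE = re.compile(r"^(?:ip route|route \S+)\s+\S+\s+\S+\s+(\d+\.\d+\.\d+\.\d+)")

def parse_config(text):
    """Return ({interface: IPv4Interface}, [static-route next hops]) for one device."""
    ifaces, next_hops, current = {}, [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("interface "):
            current = line.split()[1]
        elif line.startswith("ip address ") and current:
            _, _, addr, mask = line.split()[:4]
            ifaces[current] = ipaddress.ip_interface(f"{addr}/{mask}")
        elif (m := ROUTE_RE.match(line)):
            next_hops.append(ipaddress.ip_address(m.group(1)))
    return ifaces, next_hops

def unreachable_next_hops(ifaces, next_hops):
    """Next hops on no connected subnet: such a route can never forward traffic."""
    return [str(nh) for nh in next_hops
            if not any(nh in i.network for i in ifaces.values())]
def shared_links(ifaces_a, ifaces_b):
    """Interface pairs on one subnet, i.e. links over which the two devices can talk."""
    return [(a, b) for a, ia in ifaces_a.items() for b, ib in ifaces_b.items()
            if ia.network == ib.network]

def audit(router_cfg, asa_cfg):
    """Sanity-check the router/ASA edge the way the accepted answer did by hand."""
    (r_if, r_nh), (a_if, a_nh) = parse_config(router_cfg), parse_config(asa_cfg)
    return {"router_bad_next_hops": unreachable_next_hops(r_if, r_nh),
            "asa_bad_next_hops": unreachable_next_hops(a_if, a_nh),
            "router_asa_links": shared_links(r_if, a_if)}
```

Running audit(ROUTER_CFG, ASA_CFG) reports no bad next hops and one usable link, FastEthernet0/1 to Vlan2; the wrong-subnet variant reports the ASA default route's next hop as unreachable and no shared link, which is exactly why the inside desktop could never reach the web server.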
03-14-2022 02:42 AM
Hello,
what instructions are you following? The configurations look good; the problem is that, especially on the ASA in Packet Tracer, a lot of things don't work as expected, or don't work at all.
03-14-2022 03:00 AM
Hi Georg,
Thank you for getting back to me. The instruction I am using is this: https://www.youtube.com/watch?v=iNESd1I8E88&t=694s
03-16-2022 01:00 AM
Omg, thank you so much! Very detailed and very well explained!