07-28-2008 10:19 PM - edited 03-06-2019 12:29 AM
Hi,
Internet link is terminated into router with public ip.
Router & firewall connected with private ip.
DMZ is having 2 ip segments that are being accessed from inside & outside zone.
LAN zone: 10.0.0.0
WAN: 212.x.y.z
DMZ1: 172.16.1.0
DMZ2: 172.16.2.0
Can someone help me with the config script for both router & firewall?
08-06-2008 02:59 AM
With this config, from the router i can ping any public ip, but from the firewall pinging an outside ip is not happening. From the firewall, the inside ip & vlan are pinging.
=========================================
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.20.10.21 255.255.0.0
route inside 10.0.0.0 255.0.0.0 10.20.10.6 (10.20.10.6--> inside vlan interface ip )
08-06-2008 03:13 AM
CHANGE the interface SUBNET MASK, it MUST BE
(255.0.0.0)
first, u don't need this command
route inside 10.0.0.0 255.0.0.0 10.20.10.6
and if u are pinging from inside to the router outside
then the config i have sent u is working!!
and for ur knowledge
in ASA firewall u cant ping an interface from another interface
please, if helpful rate
08-06-2008 03:35 AM
did u get it to work?
don't forget the interface subnet mask should be 255.0.0.0
also all ur hosts in that inside network
should be in subnet 255.0.0.0
as we configured the NATing with 255.0.0.0
and let me know
good luck
08-06-2008 03:39 AM
my inside network is not /8, i have /24, /25 etc. what do u suggest in that case!!
08-06-2008 03:48 AM
can u send simple diagram with current config please
to save the time
08-06-2008 04:02 AM
08-06-2008 04:33 AM
ok then keep ur config as it is
and do the static NAT as i told u before
also
enable icmp inspection for ping:
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
exit
also do the following to let the firewall ping itself:
icmp permit any echo outside
icmp permit any echo-reply outside
by the way, the config u sent me is without any NAT configured?
so sure when u do show xlate it will give u 0
and one more question: when u did my config, did u get ur inside network working normally, i mean can it go out the router and ping?
check ur network behind the switch, if it has the right config and the right default gateways configured
and let me know
it should work, just do it carefully and step by step
good luck
08-06-2008 06:04 AM
Hi,
My LAN is working fine. I can ping the asa inside interface, i am not able to ping the asa outside or router LAN interface.
08-06-2008 06:24 AM
do u have a route to ur inside network on ur router?
i mean for 10.0.0.0/8?
u need to have on ur router something like:
ip route 10.0.0.0 255.0.0.0 [asa outside ip]
also for icmp
have u done on ur asa:
icmp permit any echo inside
icmp permit any echo outside
and i told u, u can't ping the asa outside interface from inside or dmz
in other words u can't ping any asa interface from another interface
just u need to get the ping to the router
please, after u finish all the config, post them to me if it didn't work
with full config
08-06-2008 08:43 PM
i will do this & let you know. By the way..thank u very much for your help.
08-06-2008 10:37 PM
u r welcome
and good luck
please, rate the helpful post
08-08-2008 01:44 AM
It's working..thanx a lot.
but access is happening only from 10.20.x.x/16. i did this in the asa:
static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.255.0.0
My asa inside interface ip: 10.20.10.21 /16.
But i have a number of vlans in the range /24,/25,/26 etc. with 10.145.x.x series in the LAN. from such addresses internet is not happening.
your suggestion on this, any !!!
08-08-2008 01:49 AM
do u have the right vlan and default gateways configured?
also routes
now it is a routing problem
first check the default gateway configuration and make sure they can ping the asa
also make sure u have the route configured through the inside interface on the ASA
please, rate the helpful post
and good luck
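As an added example (not code from the posts above), here is a Python script that parses small constructed ASA 8.0-style and IOS-style config fragments and reports, for each LAN VLAN, whether it falls inside the identity static, the ASA inside route, and the router's return route; it also computes the netmask a single static on 10.0.0.0 would need to cover every VLAN. The config text, the 10.145.x.x VLAN list and the 192.0.2.2 next hop are constructed for the example; only the command syntax of static, route and ip route is real.

```python
import ipaddress
import re

# Constructed sample config fragments (not copied from the poster's config).
# The static here covers only the ASA inside interface's own /16, which
# mirrors the thread's symptom: only 10.20.x.x/16 gets out. The router's
# next hop 192.0.2.2 is a placeholder for the ASA outside IP.
ASA_CONFIG = """
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.20.10.21 255.255.0.0
route inside 10.0.0.0 255.0.0.0 10.20.10.6
static (inside,outside) 10.20.0.0 10.20.0.0 netmask 255.255.0.0
"""

ROUTER_CONFIG = """
ip route 10.0.0.0 255.0.0.0 192.0.2.2
"""

# Constructed LAN VLANs: the /16 the ASA sits in plus smaller 10.145.x.x VLANs.
LAN_VLANS = ["10.20.0.0/16", "10.145.1.0/24", "10.145.2.0/25", "10.145.3.128/26"]

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)$")
ROUTE_RE = re.compile(r"^route (\w+) (\S+) (\S+) (\S+)$")
IPROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\S+)$")


def net(addr, mask):
    """Build a network from a dotted address and dotted mask, as ASA/IOS write them."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_asa(text):
    """Return (identity-static networks, inside route networks) from ASA config lines."""
    nats, inside_routes = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if m and m.group(1) == "inside":
            nats.append(net(m.group(3), m.group(5)))  # real (inside) network
            continue
        m = ROUTE_RE.match(line)
        if m and m.group(1) == "inside":
            inside_routes.append(net(m.group(2), m.group(3)))
    return nats, inside_routes


def parse_router(text):
    """Return the networks the router has static routes for (return path to the LAN)."""
    routes = []
    for raw in text.splitlines():
        m = IPROUTE_RE.match(raw.strip())
        if m:
            routes.append(net(m.group(1), m.group(2)))
    return routes


def covered(subnet, networks):
    return any(subnet.subnet_of(n) for n in networks)


def diagnose(vlans, asa_text, router_text):
    """Map each VLAN that cannot get out to the list of pieces it is missing.

    A VLAN needs: a static covering it, a route to it on the ASA inside
    interface, and a return route for it on the router.
    """
    nats, inside_routes = parse_asa(asa_text)
    router_routes = parse_router(router_text)
    problems = {}
    for vlan in vlans:
        subnet = ipaddress.ip_network(vlan)
        missing = []
        if not covered(subnet, nats):
            missing.append("nat")
        if not covered(subnet, inside_routes):
            missing.append("asa_route")
        if not covered(subnet, router_routes):
            missing.append("router_route")
        if missing:
            problems[vlan] = missing
    return problems


def summarize(vlans):
    """Smallest single network (address, dotted mask) that contains every VLAN."""
    nets = [ipaddress.ip_network(v) for v in vlans]
    summary = nets[0]
    for n in nets[1:]:
        while not n.subnet_of(summary):
            summary = summary.supernet()
    return str(summary.network_address), str(summary.netmask)


def suggest_static(vlans):
    """Identity static whose netmask covers all VLANs, in ASA 8.0 syntax."""
    addr, mask = summarize(vlans)
    return f"static (inside,outside) {addr} {addr} netmask {mask}"


if __name__ == "__main__":
    for vlan, missing in diagnose(LAN_VLANS, ASA_CONFIG, ROUTER_CONFIG).items():
        print(f"{vlan}: missing {', '.join(missing)}")
    print("suggested:", suggest_static(LAN_VLANS))
```

With the constructed fragments the 10.20.0.0/16 VLAN passes all three checks and every 10.145.x.x VLAN is reported as missing only the static, which is the /16-versus-/8 mask point made earlier in the thread; the routes in this sample already cover 10.0.0.0/8, so a real config would also need to be checked for the per-VLAN default gateways and the ASA inside route that the reply above asks about.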
08-21-2008 07:41 PM
Hi,
I tried to do this but it's not happening.
From the user side i can ping the asa inside interface. In my switch the default route 0.0.0.0 0.0.0.0 10.20.10.X (asa inside ip) is given.
In the switch vlan 900 is created & the asa inside is assigned an ip from that segment.
Internet access is happening only from vlan 900..from other vlans i can't access internet.
plz suggest.
08-27-2008 12:19 AM