09-26-2022 12:18 AM
Hi,
I am trying to configure my ASA to give internet access to my "LOCAL_NETWORK" endpoints. The ASA can ping out to Google, but endpoints inside the "LOCAL_NETWORK" cannot get to the internet. Also, endpoints in the "LOCAL_HOME_NETWORK" can get to the internet.
Please see the configuration and let me know what I am doing wrong. Any pointers will be much appreciated.
Thanks
09-26-2022 12:29 AM
@Nogie you've no NAT configured for LOCAL_NETWORK, try this:
object network LOCAL_NETWORK
nat (inside,outside) dynamic interface
09-26-2022 07:21 AM
09-26-2022 07:23 AM
@Nogie Run "show nat detail" and provide the output for review.
Run packet-tracer from the CLI to simulate the traffic flow and provide the output for review.
09-26-2022 07:39 AM
09-26-2022 07:42 AM - edited 09-26-2022 07:43 AM
@Nogie well, the output of the packet-tracer confirms it should work; it uses the new NAT rules as suggested... so not sure why it should not work.
How have you been testing this? Generate real traffic. You will need to do this from a device connected to the "inside" interface, with the ASA as its default gateway.
09-26-2022 07:52 AM
Yes, I am using an endpoint within the LOCAL_NETWORK to test trying to actually reach https://mirrorlist.centos.org also tried https://wellsfargo.com.
It appears as if the nat rule catching the traffic is the one going to the .71 site-to-site VPN network.
09-26-2022 08:01 AM - edited 09-26-2022 08:15 AM
@Nogie you've got a manual NAT rule that only translates traffic if it matches the exact source and destination (192.168.71.0), so unless centos.org and wellsfargo.com match 192.168.71.0 I don't see why it would match that NAT rule. Your packet-tracer simulated the same traffic flow to centos.org and that hit the correct NAT rule.
Besides, your ACL only permits traffic to CENTOS.ORG, not wellsfargo.com, unless you've modified that ACL now?
How are you testing? Can the client even resolve the centos and wellsfargo websites, is DNS configured and can the DNS server reach the internet?
09-26-2022 08:40 AM
Clearly my understanding of this is very poor, please be patient with me.
The endpoints cannot resolve centos as of yet. I just tested wellsfargo as a comparison. DNS is configured on the endpoint as 8.8.8.8 but it cannot reach 8.8.8.8 to get any DNS information.
Since the endpoints can see the ASA, can I setup the ASA as a DNS (as well as the default gateway as it is now?).
09-26-2022 08:43 AM - edited 09-26-2022 08:45 AM
@Nogie the ACL on the inside interface was only permitting traffic to CENTOS.ORG. You would need to add other rules to permit DNS/ICMP and anything else, such as Wells Fargo.
Example: permit ICMP and DNS.
access-list IN-OUT extended permit icmp any any
access-list IN-OUT extended permit udp any any eq 53
Or remove the ACL on the inside interface for testing.
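The two fixes from this thread (the dynamic NAT rule for LOCAL_NETWORK in the first reply, and the inside ACL entries for DNS/ICMP in the accepted answer) put together as one added configuration example. This is not the poster's configuration: the 192.168.10.0/24 subnet, the object and ACL names other than LOCAL_NETWORK and IN-OUT, the /24 mask on the 192.168.71.0 VPN network and the use of 8.8.8.8 as the only resolver are assumptions chosen to match the thread. It also tightens the "udp any any eq 53" suggestion to the one resolver the clients actually use, which is what you would want once the "remove the ACL for testing" step is over.

```cisco
! Added example; not the original poster's config. Subnet 192.168.10.0/24,
! the /24 on 192.168.71.0, and the object/ACL names other than
! LOCAL_NETWORK and IN-OUT are assumptions.
!
! 1. The inside subnet, with dynamic PAT to the outside interface address.
!    Without this object NAT rule nothing from LOCAL_NETWORK is translated,
!    which is the first problem the thread found.
object network LOCAL_NETWORK
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! 2. Identity (no-translation) rule for the site-to-site VPN. Manual NAT
!    (section 1) is evaluated before object NAT (section 2), but this rule
!    only matches when BOTH source and destination match, so internet-bound
!    traffic falls through to the dynamic PAT above. This is the ".71" rule
!    the poster suspected; packet-tracer shows it is skipped for internet hosts.
object network REMOTE_VPN_NETWORK
 subnet 192.168.71.0 255.255.255.0
nat (inside,outside) source static LOCAL_NETWORK LOCAL_NETWORK destination static REMOTE_VPN_NETWORK REMOTE_VPN_NETWORK no-proxy-arp route-lookup
!
! 3. Inside ACL. First match wins and an implicit deny follows the last
!    line, so an ACL that only permits CENTOS.ORG silently drops the DNS
!    lookup that has to happen before the HTTPS connection. Permit DNS only
!    to the resolver in use (8.8.8.8 here) rather than "udp any any eq 53":
!    the broad form lets any inside host talk to arbitrary DNS servers,
!    which is a common data-exfiltration / tunnelling channel.
object network DNS_RESOLVER
 host 8.8.8.8
access-list IN-OUT extended permit udp object LOCAL_NETWORK object DNS_RESOLVER eq domain
access-list IN-OUT extended permit tcp object LOCAL_NETWORK object DNS_RESOLVER eq domain
access-list IN-OUT extended permit icmp object LOCAL_NETWORK any echo
access-list IN-OUT extended permit tcp object LOCAL_NETWORK any eq www
access-list IN-OUT extended permit tcp object LOCAL_NETWORK any eq https
! Explicit logged deny last, so blocked flows show up in the log and in
! "show access-list IN-OUT" hit counts instead of vanishing into the implicit deny.
access-list IN-OUT extended deny ip any any log
access-group IN-OUT in interface inside
!
! 4. Let the echo-replies for the permitted pings return without needing
!    a matching entry on the outside interface.
policy-map global_policy
 class inspection_default
  inspect icmp
```

To verify before generating real client traffic, simulate the DNS lookup and the HTTPS connection from an inside host with packet-tracer (for example `packet-tracer input inside udp 192.168.10.50 40000 8.8.8.8 53` and `packet-tracer input inside tcp 192.168.10.50 40000 <web-server-ip> 443`, addresses assumed), and confirm the ACCESS-LIST phase reports ALLOW and the NAT phase reports the `dynamic interface` rule, not the VPN identity rule. `show nat detail` then shows the translate_hits counter on the LOCAL_NETWORK rule increasing once a client actually sends traffic, and `show access-list IN-OUT` shows which entry each flow hit.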
09-26-2022 09:04 AM
I owe you a bottle of wine (or spirit of your choice!). I really appreciate your patience and expertise.
Thanks
09-26-2022 07:22 AM
Hi, I tried this but still having the same problem. Any thoughts?
Thanks
09-26-2022 07:35 AM - edited 09-26-2022 07:35 AM
Can you ping 8.8.8.8 after you add the dynamic NAT as @Rob Ingram mentioned?
09-26-2022 07:47 AM - edited 09-26-2022 07:52 AM
see comment below
09-26-2022 07:49 AM
Yes, from the ASA itself I have always been able to ping 8.8.8.8 but not from any endpoint within the LOCAL_NETWORK subnet.
#####
Mt-Kilimanjaro-ASA5506X-CLN(config-network-object)# ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/20 ms
Mt-Kilimanjaro-ASA5506X-CLN(config-network-object)# exit
Mt-Kilimanjaro-ASA5506X-CLN(config)# sh ru
####