5 Replies Latest reply: Jun 20, 2012 2:14 PM by Aaron

    please help urgently


      Hello all,

      I bought a Cisco ASA 5540.
      I have a Cisco router 2811 with a static IP
      and use NAT (PAT) to connect to the internet,
      and have one for the Exchange server.


      I want to configure the ASA behind the router,
      I mean leave all the configuration on the Cisco router.
      When I set up the outside and inside LAN all is OK,
      but all PCs connected on the inside interface of the ASA 5540 cannot access the internet,
      and also cannot ping from a PC IP to the outside interface. I permit ICMP in the service policy and inspect ICMP,
      but I mean no connection, not ping only.
      My scenario:

      lan------------------ asa -------------------- cisco router ----------internet


      I will post the configuration for the ASA:

      ASA Version 8.4(2)
      hostname ciscoasa
      enable password 8Ry2YjIyt7RRXU24 encrypted
      passwd 2KFQnbNIdI.2KYOU encrypted
      interface GigabitEthernet0/0
      nameif outside
      security-level 0
      ip address
      interface GigabitEthernet0/1
      nameif inside
      security-level 100
      ip address
      interface GigabitEthernet0/2
      no nameif
      no security-level
      no ip address
      interface GigabitEthernet0/3
      no nameif
      no security-level
      no ip address
      interface Management0/0
      nameif management
      security-level 100
      ip address
      ftp mode passive
      same-security-traffic permit inter-interface
      same-security-traffic permit intra-interface
      access-list OUTSIDE extended permit ip any any
      access-list inside_access_in extended permit icmp any interface outside
      access-list cap extended permit icmp any host
      access-list cap extended permit icmp host any
      pager lines 24
      logging asdm informational
      mtu outside 1500
      mtu inside 1500
      mtu management 1500
      no failover
      icmp unreachable rate-limit 1 burst-size 1
      no asdm history enable
      arp timeout 14400
      access-group OUTSIDE in interface outside
      access-group inside_access_in in interface inside
      route outside 1


      timeout tcp-proxy-reassembly 0:01:00
      timeout floating-conn 0:00:00
      dynamic-access-policy-record DfltAccessPolicy
      user-identity default-domain LOCAL
      http server enable
      http management
      no snmp-server location
      no snmp-server contact
      snmp-server enable traps snmp authentication linkup linkdown coldstart
      telnet timeout 5
      ssh timeout 5
      console timeout 0


      threat-detection basic-threat
      threat-detection statistics access-list
      no threat-detection statistics tcp-intercept
      username admin password .Yb5gwK7xqjZkYI4 encrypted privilege 15
      class-map inspection_default
      match default-inspection-traffic
      policy-map type inspect dns preset_dns_map
      message-length maximum client auto
      message-length maximum 512
      policy-map global_policy
      class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
      inspect icmp error
      service-policy global_policy global
      prompt hostname context
      : end

      My router accesses the internet and all the LAN accesses the internet without the ASA.

      So what is missing or wrong in the configuration to access the internet?

      best regards

        • 1. Re: please help urgently



          You don't need ACL inside_access_in because traffic from higher to lower security level interfaces is permitted by default.

          Check PCs default gateway to be the ASA inside interface.


          Check if PCs can ping the ASA inside interface. Then make a traceroute from the PC command line to check where the packets are being blocked.

          Do an arp -a on the PC to see if the MAC address for the ASA G0/1 interface is OK.


          Do a packet-tracer in the ASA console to see where the block is.


          Post results.



          • 2. Re: please help urgently

            Aaron's response is only valid if NAT control isn't enabled.



            First, I don't see NAT even configured. So, in this diagram, your inside hosts are not going to be NAT/PAT'ed.


            Which version of ASA code? This will dictate how NAT is configured, since it changes in v8.3+.



            First - Verify your in-to-out hosts are getting a translation


            "sh run xlate local <inside host IP> debug"



            That will tell you if it's being translated before it tries to exit.



            Also, make sure there is a return route on your router for the inside network if you're not PAT'ing on the outside of the ASA. If you ARE PAT'ing on the ASA, you'll still want to make sure the router-to-ASA LAN is either the same subnet or, if not, that there's a route on the INET router pointing to the ASA outside intf for any routed network you might NAT from.



            Looks like your ASA E0 is on 192.x.x.x and your router (WAN) is on a public IP.


            Tell me, which IP is the inside LAN interface of your router?


            Also, that public IP you want to use for your Exchange (84.x.x.x), is that going to be behind the ASA?


            If so you need a route on your router telling it how to route back to 84.x.x.x (since it is behind the ASA logically, the ASA will be the MAC for 84.x.x.x, so the router needs to send packets to the ASA E0 to get to that NATted host).


            Make sense?
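The two checks above (reply 1: the ACL applied to inside; reply 2: no NAT statement in the posted config) can be run mechanically against a pasted running-config. The following is an added example, not code from this thread or from Cisco: it parses standard ASA keywords (interface/nameif/security-level/ip address, access-list, access-group, route, nat) and reports named interfaces with no address, a missing NAT statement, a missing default route, an inbound "permit ip any any" on the outside, and an ACL applied to a high-security interface that permits only a few protocols (once an ACL is applied, it ends in an implicit deny, so everything it does not permit is dropped). The sample config and its addresses are constructed placeholders in the shape of the posted config, whose addresses were stripped.

```python
"""Audit an ASA running-config for the gaps raised in this thread (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the posted config; addresses are made up.
SAMPLE_CONFIG = """\
ASA Version 8.4(2)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.0.2 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
access-list OUTSIDE extended permit ip any any
access-list inside_access_in extended permit icmp any interface outside
access-group OUTSIDE in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
"""

# Sub-commands that keep us inside an interface block; indentation is often
# lost when a config is pasted, so we key on keywords, not leading spaces.
INTERFACE_SUBCMDS = ("nameif", "security-level", "ip address", "no nameif",
                     "no security-level", "no ip address", "shutdown",
                     "no shutdown", "description", "speed", "duplex",
                     "management-only")


def parse_interfaces(config: str) -> Dict[str, dict]:
    """Map nameif -> {"interface", "ip", "security"} for every named interface."""
    named, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = {"interface": line.split(None, 1)[1], "ip": None, "security": None}
            continue
        if current is None or not line.startswith(INTERFACE_SUBCMDS):
            current = None                      # left the interface block
            continue
        if line.startswith("nameif "):
            named[line.split(None, 1)[1]] = current
        elif line.startswith("security-level "):
            current["security"] = int(line.split()[1])
        elif line.startswith("ip address "):
            parts = line.split()                # "ip address <addr> <mask> ..."
            if len(parts) >= 4:
                current["ip"] = f"{parts[2]} {parts[3]}"
    return named


def parse_access_lists(config: str) -> Dict[str, List[dict]]:
    """Map ACL name -> list of extended entries {action, proto, rest}."""
    acls: Dict[str, List[dict]] = {}
    pat = re.compile(r"access-list (\S+) extended (permit|deny) (\S+) ?(.*)")
    for raw in config.splitlines():
        m = pat.match(raw.strip())
        if m:
            acls.setdefault(m.group(1), []).append(
                {"action": m.group(2), "proto": m.group(3), "rest": m.group(4)})
    return acls


def parse_access_groups(config: str) -> Dict[Tuple[str, str], str]:
    """Map (nameif, direction) -> ACL name from access-group lines."""
    pat = re.compile(r"access-group (\S+) (in|out) interface (\S+)")
    groups: Dict[Tuple[str, str], str] = {}
    for raw in config.splitlines():
        m = pat.match(raw.strip())
        if m:
            groups[(m.group(3), m.group(2))] = m.group(1)
    return groups


def has_nat(config: str) -> bool:
    """True for 8.3+ 'nat (in,out) ...' (object or twice NAT) or pre-8.3 nat/global pairs."""
    return any(re.match(r"nat \(\S+,\S+\)", l.strip()) or re.match(r"(nat|global) \(\S+\) \d+", l.strip())
               for l in config.splitlines())


def has_default_route(config: str) -> bool:
    return any(re.match(r"route \S+ 0\.0\.0\.0 0\.0\.0\.0 \S+", l.strip()) for l in config.splitlines())


def _permits_any_ip(entries: List[dict]) -> bool:
    return any(e["action"] == "permit" and e["proto"] == "ip" and e["rest"].startswith("any any")
               for e in entries)


def audit(config: str) -> List[str]:
    """Return findings as 'CODE: detail' strings; an empty list means nothing flagged."""
    findings: List[str] = []
    ifaces, acls, groups = parse_interfaces(config), parse_access_lists(config), parse_access_groups(config)
    for nameif, info in ifaces.items():
        if info["ip"] is None:
            findings.append(f"NO_IP: {info['interface']} ({nameif}) has no ip address")
    if not has_nat(config):
        findings.append("NO_NAT: no nat statement; inside hosts leave with private source addresses "
                        "(8.3+ form is 'object network ...' / 'nat (inside,outside) dynamic interface')")
    if not has_default_route(config):
        findings.append("NO_DEFAULT_ROUTE: no 'route <nameif> 0.0.0.0 0.0.0.0 <gateway>'")
    for (nameif, direction), acl_name in groups.items():
        if direction != "in":
            continue
        entries = acls.get(acl_name, [])
        level = ifaces.get(nameif, {}).get("security")
        if level == 0 and _permits_any_ip(entries):
            findings.append(f"PERMIT_ANY_INBOUND: {acl_name} on {nameif} permits ip any any from outside")
        elif level is not None and level > 0 and not _permits_any_ip(entries):
            protos = ", ".join(sorted({e["proto"] for e in entries if e["action"] == "permit"})) or "nothing"
            findings.append(f"RESTRICTIVE_ACL: {acl_name} on {nameif} permits only {protos}; "
                            "an applied ACL ends in an implicit deny, so all other traffic is dropped")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed sample, the audit reports NO_NAT, PERMIT_ANY_INBOUND for the OUTSIDE list and RESTRICTIVE_ACL for inside_access_in, which are the three points the replies raise; feed it a real "show running-config" paste instead of SAMPLE_CONFIG to check your own box.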

            • 3. Re: please help urgently



              There are many reasons why packets are not going through the ASA. That's the reason I asked him to post results.



              • 4. Re: please help urgently

                Oh, I gotcha, it wasn't a flame at all... just reminding him of what NAT-control does.

                • 5. Re: please help urgently

                  No problem at all. Let's wait for Mohammed results.