Cisco Learning Home > Certifications > CCIE Security > Discussions

5 Replies. Latest reply: Jun 20, 2012 2:14 PM by Aaron
please help urgently

Apr 23, 2012 9:14 AM

Mohamed 12 posts since
Nov 27, 2011

Hello all,

I bought a Cisco ASA 5540.
I have a Cisco 2811 router with the static IP
84.219.22.96/30
and it does PAT (NAT overload) to connect to the internet,
and I have
84.219.22.80/29 for the Exchange server.

I want to configure the ASA behind the router,
I mean leave all the configuration on the Cisco router.
When I configure the outside and inside LAN, all is OK,
but all PCs connected to the inside interface of the ASA 5540 cannot access the internet,
and also cannot ping from a PC to the IP on the outside interface. I permitted ICMP in the service policy and ICMP inspection,
but I mean there is no connection at all, not only ping.
My scenario:

lan------------------ asa -------------------- cisco router ----------internet

I will post the configuration of the ASA:

ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 192.168.193.3 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.191.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list OUTSIDE extended permit ip any any
access-list inside_access_in extended permit icmp any interface outside
access-list cap extended permit icmp any host 4.2.2.2
access-list cap extended permit icmp host 4.2.2.2 any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group OUTSIDE in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.193.2 1
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password .Yb5gwK7xqjZkYI4 encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
: end

My router accesses the internet, and the whole LAN accesses the internet without the ASA.

So what is missing, or what configuration is wrong, for the LAN to access the internet?

Best regards

  • Aaron 129 posts since
    Aug 23, 2009
    1. Jun 18, 2012 4:00 PM (in response to Mohamed)
    Re: please help urgently

    Hi,

    You don't need ACL inside_access_in because traffic from higher to lower security level interfaces is permitted by default.

    Check that the PCs' default gateway is the ASA inside interface.

    Check if the PCs can ping the ASA inside interface. Then run a traceroute from the PC command line to check where the packets are being blocked.

    Do an arp -a on the PC to see if the MAC address for the ASA G0/1 interface is OK.

    Do a packet-tracer on the ASA console to see where the block is.

    Post results.

    Cheers,
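
An added example, not part of the thread: the checks Aaron asks for, as they would be typed on the poster's ASA, using the addresses from the posted config. The inside PC address 192.168.191.10 is an assumption; 4.2.2.2 is the host the poster's own cap ACL already references. One point worth knowing before reading the packet-tracer output: as soon as an access-group is bound to the inside interface, the default high-to-low permit no longer applies and the ACL's implicit deny does, so inside_access_in (which permits only ICMP to the outside interface address) drops every TCP and UDP flow from the LAN regardless of NAT.

```cisco
! Added example (not from the thread): diagnostics for the posted ASA 8.4(2)
! config. 192.168.191.10 is an assumed inside PC; 4.2.2.2 is the target the
! poster's "cap" ACL already uses.
!
! 1. What does the inside ACL actually permit? Everything not matched here is
!    dropped by the implicit deny, so this alone explains "no connection at
!    all, not only ping".
show access-list inside_access_in
!
! 2. Trace a web connection from an inside PC through the box. The output ends
!    with "Action: allow", or "Action: drop" plus the phase (ACCESS-LIST, NAT,
!    ROUTE-LOOKUP ...) and Drop-reason that stopped it.
packet-tracer input inside tcp 192.168.191.10 12345 4.2.2.2 80 detailed
!
! 3. Same trace for the ping the poster tried (ICMP echo: type 8, code 0).
packet-tracer input inside icmp 192.168.191.10 8 0 4.2.2.2 detailed
!
! 4. Is any translation configured, and has one been built for that host?
!    Empty output from both means LAN addresses leave the ASA untranslated,
!    so the 2811 would need a route back to 192.168.191.0/24.
show nat
show xlate local 192.168.191.10
!
! 5. Confirm the default route and that the next hop 192.168.193.2 resolves.
show route
show arp | include 192.168.193.2
```

Run the two packet-tracer commands first: with the posted config the TCP trace stops at the ACCESS-LIST phase on inside, which is the quickest confirmation of Aaron's point about the inside ACL, and steps 4 and 5 tell you whether the router also needs a return route once that ACL is gone.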

  • Eminence_Front 8 posts since
    Apr 17, 2011
    2. Jun 20, 2012 7:26 AM (in response to Aaron)
    Re: please help urgently

    Aaron's response is only valid if NAT control isn't enabled.

    First, I don't see NAT even configured. So, in this diagram, your inside hosts are not going to be NAT/PAT'ed.

    Which version of ASA code? This will dictate how NAT is configured, since it changes in v8.3+.

    First, verify your in-to-out hosts are getting a translation:

    "show xlate local <inside host IP> debug"

    That will tell you if it's being translated before it tries to exit.

    Also, make sure there is a return route on your router for the inside network if you're not PAT'ing on the outside of the ASA. If you ARE PAT'ing on the ASA, you'll still want to make sure the router-to-ASA LAN is either the same subnet or, if not, that there's a route on the INET router pointing to the ASA outside interface for any routed network you might NAT from.

    Looks like your ASA E0 is on 192.x.x.x and your router (WAN) is on a public IP.

    Tell me, which IP is the inside LAN interface of your router?

    Also, that public IP you want to use for your Exchange (84.x.x.x), is that going to be behind the ASA?

    If so, you need a route on your router telling it how to route back to 84.x.x.x (since it is logically behind the ASA, the ASA will own the MAC for 84.x.x.x, so the router needs to send packets to the ASA E0 to get to that NATted host).

    Make sense?
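
An added example, not the poster's config or Cisco's documentation: one way to complete the posted 8.4(2) config so the LAN gets out, covering both points raised in the replies above (the inside ACL and the missing translation) plus the router-side route this reply describes. The object name LAN-192.168.191.0, the router ACL number 101 and the test host 192.168.191.10 are my own assumptions. The Exchange server's static NAT is left out because the thread gives no inside address for it.

```cisco
! Added example (not the poster's or Cisco's code): completing the posted
! ASA 8.4(2) config. LAN-192.168.191.0 is an assumed object name and
! 192.168.191.10 an assumed inside PC.
!
! ----- ASA -----
! (a) Remove the inside ACL. Once an access-group is bound to inside, the
!     implicit deny at the end of inside_access_in drops everything except
!     ICMP to the outside interface address; with no ACL, high-to-low is
!     permitted by default.
no access-group inside_access_in in interface inside
no access-list inside_access_in extended permit icmp any interface outside
!
! (b) 8.3+ object NAT: PAT the whole LAN to the outside interface address
!     (192.168.193.3). That address sits on the router's directly connected
!     192.168.193.0/24, so the router needs no extra return route.
object network LAN-192.168.191.0
 subnet 192.168.191.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! (c) Drop the wide-open inbound ACL. With no access-group on outside the
!     default applies: nothing initiated from the router side reaches the
!     LAN, return traffic for LAN-initiated sessions is allowed statefully,
!     and inspect icmp (already in the config) lets echo replies back in.
no access-group OUTSIDE in interface outside
no access-list OUTSIDE extended permit ip any any
!
! (d) Verify: the trace should end with "Action: allow", its NAT phase should
!     show 192.168.191.10 translated to 192.168.193.3, and after a real
!     connection from the PC an xlate entry should exist for it.
packet-tracer input inside tcp 192.168.191.10 12345 4.2.2.2 80
show xlate local 192.168.191.10
!
! ----- Router (2811) -----
! The router's own PAT still applies on the way to the internet, so the list
! named in its "ip nat inside source list" command must match 192.168.193.3.
! Only if the ASA is NOT translating does the router also need the route and
! the ACL entry below (ACL number 101 is an assumption; use the router's own
! NAT source list).
ip route 192.168.191.0 255.255.255.0 192.168.193.3
access-list 101 permit ip 192.168.191.0 0.0.0.255 any
```

Step (c) is also a security fix, not just cleanup: with the posted config there is no translation, so the 192.168.191.0/24 addresses are directly routable from the router side, and "permit ip any any" inbound on outside lets anything the 2811 forwards reach the LAN hosts. Inbound rules for the Exchange host belong alongside its static NAT once that is defined.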

  • Aaron 129 posts since
    Aug 23, 2009
    3. Jun 20, 2012 9:23 AM (in response to Eminence_Front)
    Re: please help urgently

    Hi,

     

    There are many reasons why packets are not going through the ASA. That's the reason I asked him to post results.

     

    Cheers,

  • Eminence_Front 8 posts since
    Apr 17, 2011
    4. Jun 20, 2012 9:54 AM (in response to Aaron)
    Re: please help urgently

    Oh, I gotcha, it wasn't a flame at all... just reminding him of what NAT control does.

  • Aaron 129 posts since
    Aug 23, 2009
    5. Jun 20, 2012 2:14 PM (in response to Eminence_Front)
    Re: please help urgently

    No problem at all. Let's wait for Mohammed results.
