Hello all,
I bought a Cisco ASA 5540.
I have a Cisco 2811 router with a static IP
and it does NAT (PAT) to connect to the internet,
184.108.40.206/29 for the Exchange server.
I want to configure the ASA behind the router;
I mean leave all the configuration on the Cisco router.
When I configure the outside and inside LAN all is OK,
but all PCs connected on the inside interface of the ASA 5540 cannot access the internet,
and also cannot ping from a PC IP on the outside interface. I permit ICMP in the service policy and ICMP inspection,
but I mean no connection, not only ping.
LAN ---------- ASA ---------- Cisco router ---------- Internet
I will post the configuration for the ASA:
ASA Version 8.4(2)
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
! inferred from the default route below: outside interface (next hop 192.168.193.2 is on this subnet)
ip address 192.168.193.3 255.255.255.0
! inferred: inside (LAN-side) interface
ip address 192.168.191.1 255.255.255.0
no ip address
no ip address
! management interface (matches the "http ... management" line below)
ip address 192.168.1.1 255.255.255.0
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list OUTSIDE extended permit ip any any
access-list inside_access_in extended permit icmp any interface outside
access-list cap extended permit icmp any host 220.127.116.11
access-list cap extended permit icmp host 18.104.22.168 any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group OUTSIDE in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.193.2 1
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password .Yb5gwK7xqjZkYI4 encrypted privilege 15
policy-map type inspect dns preset_dns_map
message-length maximum client auto
message-length maximum 512
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
inspect icmp error
service-policy global_policy global
prompt hostname context
My router accesses the internet and all of the LAN accesses the internet without the ASA,
so what is missing or wrong in the configuration for access to the internet?
You don't need ACL inside_access_in because traffic from higher to lower security level interfaces is permitted by default.
Check the PCs' default gateway is the ASA inside interface.
Check if the PCs can ping the ASA inside interface. Then make a traceroute from the PC command line to check where the packets are being blocked.
Do an arp -a on the PC to see if the MAC address for the ASA G0/1 interface is OK.
Do a packet-tracer in the ASA console to see where the block is.
Aaron's response is only valid if NAT control isn't enabled.
First, I don't see NAT even configured. So, in this diagram, your inside hosts are not going to be NAT/PAT'ed.
Which version of ASA code? This will dictate how NAT is configured, since it changes in v8.3+.
First - Verify your in-to-out hosts are getting a translation
"sh run xlate local <inside host IP> debug"
That will tell you if it's being translated before it tries to exit.
Also, make sure there is a return route on your router for the inside network if you're not PAT'ing on the outside of the ASA. If you ARE PAT'ing on the ASA, you'll still want to make sure the router-to-ASA LAN is either the same subnet or, if not, that there's a route on the INET router pointing to the ASA outside interface for any routed network you might NAT from.
Looks like your ASA E0 is on 192.x.x.x and your router (WAN) is on a public IP.
Tell me, which IP is the inside LAN interface of your router?
Also, that public IP you want to use for your Exchange (84.x.x.x), is that going to be behind the ASA?
If so you need a route on your router telling it how to route back to 84.x.x.x (since it is behind the ASA logically, the ASA will be the MAC for 84.x.x.x, so the router needs to send packets to the ASA E0 to get to that NATted host).
Make sense?
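The NAT the replies say is missing, written in the 8.3+ object-NAT syntax that the posted ASA Version 8.4(2) requires, together with the router return route the last reply describes. This is an added example, not configuration from the thread: the addresses 192.168.191.0/24, 192.168.193.3, 192.168.193.2 and 184.108.40.206 come from the post, while the Exchange server's private address 192.168.191.10 and the test host 192.168.191.50 are assumptions.

```cisco
! Added example, not from the thread. Topology inferred from the posted config:
!   LAN 192.168.191.0/24 -- ASA inside 192.168.191.1 | ASA outside 192.168.193.3 -- 2811 LAN 192.168.193.2 -- Internet
!
! ASA 8.3+ object NAT: inside hosts PAT to the ASA outside address; the 2811 then PATs
! 192.168.193.3 to its public IP exactly as it did for the LAN before the ASA was inserted.
object network INSIDE-LAN
 subnet 192.168.191.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Exchange server behind the ASA on an ASSUMED private address, statically translated
! to the public /29 address named in the post.
object network EXCHANGE-SRV
 host 192.168.191.10
 nat (inside,outside) static 184.108.40.206
!
! On 8.3+ the outside ACL matches the real (private) address, not the mapped one.
! Permit only the Exchange services actually needed rather than "permit ip any any".
access-list OUTSIDE extended permit tcp any object EXCHANGE-SRV eq smtp
access-list OUTSIDE extended permit tcp any object EXCHANGE-SRV eq https
access-group OUTSIDE in interface outside
!
! Verification from the ASA CLI (192.168.191.50 is a hypothetical inside host):
!   packet-tracer input inside tcp 192.168.191.50 40000 8.8.8.8 80
!   show nat detail
!   show xlate
!
! --- Cisco 2811 side ---
! Return route for the public Exchange address that now lives behind the ASA.
ip route 184.108.40.206 255.255.255.255 192.168.193.3
```

Two things to check on the 2811 after this: its "ip nat inside source" ACL must match the ASA outside address 192.168.193.3 (otherwise the ASA's PAT'ed traffic leaves the router untranslated), and it must not PAT packets sourced from 184.108.40.206, which are already public. On 8.4(2) there is no nat-control, so with no nat statement at all the ASA forwards inside traffic untranslated with its 192.168.191.x source, and whether that ever reaches the internet depends entirely on the router's NAT rules and routes for that subnet; the packet-tracer output will show the absence of a translation as a matching "NAT" phase with no object.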