Silly013
asked on
Cisco Equipment - What Am I Missing?
I have the following Cisco network setup: router -> asa -> switch. The ASA provides DHCP for the internal network. My client computer can't see the router, what am I missing? Please help. The config files and visio attached for your review. Thanks.
EE-Post-ASA.txt
EE-Post-Router.txt
EE-Post-Visio.pdf
The firewall will by default block ICMP (ping) both to and through. Depending on your need, you can add that to the access list through either ASDM or the CLI, based on your comfort level. If you need help with that, just let me know.
ASKER
@ionut_mir: I did as suggested (seems to work, explanation below)
@devangshroff: I did want to use the management port as the inside interface. I set up route outside as suggested (seems to work, explanation below)
@ciscoguy69: I did as suggested (seems to work, explanation below)
Okay, here's my explanation of why I did what I did:
I'm an absolute rookie when it comes to this Cisco stuff, I'm learning :) So I followed your suggestions and it seems to work, meaning that I am now able to telnet to the router from a client (after lowering the security level on the outside interface of the ASA to 0). I still can't ping it, I guess because ICMP is blocked, but I'm not sure if I should unblock it. I only want to turn on certain ports to be accessed from and to the internet.
For instance, I want to allow terminal service to a server on the internal network, I would do:
On router: ip nat inside source static tcp "inside IP" 3389 "public IP" 3389
On ASA: permit tcp any any eq 3389
Is it right?
Yes, that should work.
Yes, that will work, or you could just do a permit for the specific host on port 3389 on the ASA; that way you are not just relying on NAT for security.
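Added example (not part of the original thread or any poster's code): a small Python check that scans ASA ACL lines for the "permit tcp any any eq 3389" pattern discussed above and reports entries whose destination is "any" rather than a specific host. The ACL name OUTSIDE_IN, the addresses and the sample configuration are constructed for illustration.

```python
# Added example: flags ASA ACL entries that permit a TCP port to destination "any".
# ACL name OUTSIDE_IN and all addresses are constructed placeholders.
SAMPLE_CONFIG = """\
access-list OUTSIDE_IN extended permit tcp any any eq 3389
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 3389
access-list OUTSIDE_IN extended permit tcp 198.51.100.0 255.255.255.0 host 192.0.2.10 eq 3389
access-list OUTSIDE_IN extended deny ip any any
"""


def _take_addr(tok, i):
    """Consume one address spec at tok[i]; return (spec, index after it)."""
    if tok[i] in ("any", "any4", "any6"):
        return "any", i + 1
    # "host A.B.C.D", "object NAME", "object-group NAME" or "NETWORK MASK"
    return f"{tok[i]} {tok[i + 1]}", i + 2


def audit_acl(config_text, port="3389"):
    """Return (line_no, acl, src, dst) for each permit of `port` whose destination is any."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        tok = line.split()
        if tok[:1] != ["access-list"] or tok[2:5] != ["extended", "permit", "tcp"]:
            continue
        try:
            src, i = _take_addr(tok, 5)
            dst, i = _take_addr(tok, i)
        except IndexError:
            continue  # truncated line, nothing to judge
        if tok[i:i + 2] != ["eq", port]:
            continue  # different port, or a range/other operator
        if dst == "any":
            findings.append((line_no, tok[1], src, dst))
    return findings


if __name__ == "__main__":
    for line_no, acl, src, dst in audit_acl(SAMPLE_CONFIG):
        print(f"line {line_no}: {acl} permits tcp/3389 from {src} to {dst}; "
              "name the server with 'host <inside IP>' instead")
```

Only the first sample line is reported; the host-specific entries pass, including the one that also narrows the source network.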
ASKER
Thank you!