Solved

Internet Access Through ASA5510 using PAT having Issues

Posted on 2009-07-03
5
161 Views
Last Modified: 2012-05-07
Hi Team,
Could any one please assist urgently with the Internet Access Issue using ASA5510. It is pretty simple setup but i sem to have been struck with it forever.
Below is the running config, Can you please pick up any mistake and corrective command to get Inetrnet Access working.
Urgent reponse wll be highly appriciated. At the moment i do not have access to the device, so any corrective command would do.
i have picked up Security level is wrong on outside and inside ( should be otehr way around) but getting PAT wrong
===============================

Result of the command: "sh run"

: Saved
:
ASA Version 8.0(3)
!
hostname ASA
domain-name default.domain.invalid

names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 100
 ip address 203.x.x.x 255.255.255.252
!
interface Ethernet0/1
 description Inside Network
 nameif inside
 security-level 0
 ip address 10.30.0.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.0.50 255.255.255.0
 management-only
!
passwd .2KYOU encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
access-list out extended permit object-group DM_INLINE_PROTOCOL_1 any 10.30.0.0 255.255.255.0
access-list inside extended permit icmp any any
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 10.30.0.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm debugging
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
nat-control

global (outside) 1 interface
nat (inside) 1 10.30.0.0 255.255.255.0 dns outside


access-group out in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 203.27.207.101 1
route inside 10.80.0.0 255.255.0.0 10.30.0.1 1
route inside 10.90.0.0 255.255.0.0 10.30.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 management
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 inside
telnet 192.168.0.0 255.255.255.0 management
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:ba0d6dba6f69b2ad38c2f5eb63f32d03
: end

=================================
0
Comment
Question by:tariqmansoor
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 33

Expert Comment

by:MikeKane
ID: 24772403
Right here:

Change
nat (inside) 1 10.30.0.0 255.255.255.0 dns outside

to
nat (inside) 1 10.30.0.0 255.255.255.0
0
 

Author Comment

by:tariqmansoor
ID: 24772435
Thanks for that, I saw few examples on the net, those suggests
nat (inside) 0.0.0.0 0.0.0.0
Is this correct ? also the command "nat-control" confuses me should it still stay there ?
Thanks,
0
 
LVL 33

Accepted Solution

by:
MikeKane earned 500 total points
ID: 24772551
Nat (inside) 0.0.0.0 0.0.0.0 will allow any IP using the inside interface to get NAt'ed outbound.    

This one   "nat (inside) 1 10.30.0.0 255.255.255.0"  will only nat that 1 subnet.  


Nat-Control  requires that packets traversing from an inside interface to an outside interface match a NAT rule.  
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/no.html#wp1753422


Hope that helps.


0
 

Author Comment

by:tariqmansoor
ID: 24772585
Excellent, thanks for, I will try this and will let you know after i test, as i dont have access to the ASA at the moment, Will have in the morning.
0
 

Author Closing Comment

by:tariqmansoor
ID: 31599557
Great Help...All Worked Good....
Thank You.
0

Featured Post

Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
This past year has been one of great growth and performance for OnPage. We have added many features and integrations to the product, making 2016 an awesome year. We see these steps forward as the basis for future growth.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question