Neadom Tucker
asked on
Cisco ASA 5505 Routing to Internal Network Issues
I have a Cisco ASA 5505 with two interfaces: LAN (192.168.70.1/24) and WAN (static IP from ISP). I only have a base license.
I have another generic router that I have for testing on the network:
WAN IP 192.168.70.10, LAN subnet & IP (10.0.0.1/16).
I have a static route set up on my ASA for 10.0.0.0/16 to go to 192.168.70.10.
Inside my generic router I have a server, 10.0.10.10. Here is my issue.
From the Cisco I can ping 10.0.10.10. However, from my PC I cannot; I get "request timed out". My PC has 192.168.70.1 as its gateway. I can ping 192.168.70.1 (Cisco ASA LAN interface) from my PC, so ICMP is working. I have done this several times with SonicWalls without issue. What am I doing wrong here? Any ideas?
I have looked at my security policies on my inside interface and ICMP, TCP and UDP are permitted.
access-list inside_access_out extended permit icmp any any
access-list inside_access_out extended permit tcp any any
access-list inside_access_out extended permit ip any any
access-list inside_access_out extended permit udp any any
Anyone have any great ideas?
Tucker
Hi,
Can you post the configuration (access-lists, NAT, routes and interface configuration)?
ASKER
Here it is:
Result of the command: "show run"
: Saved
:
ASA Version 7.2(4)
!
hostname oto
domain-name domainname.local
enable password xog1vkvNT9FMcP6g encrypted
passwd xog1vkvNT9FMcP6g encrypted
names
name 174.141.7.122 COMPANYA description 255.255.255.248
name 10.1.0.0 SSOINTERNAL description SSO Network of Servers for Clients
name 10.0.0.0 SSOLAN description Domain Management Network
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.70.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 173.165.153.73 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
name-server 4.2.2.2
name-server 68.87.68.162
name-server 68.87.74.162
domain-name domainname.local
object-group service Email tcp
port-object eq smtp
object-group service SSL tcp
port-object eq https
object-group service Web-ConnectWise tcp
port-object eq https
object-group service TerminalServices tcp
port-object range 3389 3389
object-group service LDAPSSL udp
port-object range 636 636
port-object range 389 389
object-group service LDAP tcp
port-object eq ldap
port-object eq ldaps
object-group service VPN tcp
description VPN
port-object range pptp pptp
port-object eq https
object-group service VOIP tcp
description Voice Over IP Ports for Phone System
port-object eq sip
object-group service VOIPUDP udp
description UDP Ports for phone system
port-object range 10000 20000
port-object range sip 5082
object-group network Group1
description Desc#1
network-object VENDORIP1 255.255.255.224
network-object VENDORIP2 255.255.255.224
network-object VENDORIP3 255.255.255.224
network-object VENDORIP4 255.255.255.240
object-group network Group2
network-object VENDORIP5 255.255.255.224
network-object VENDORIP6 255.255.255.224
object-group network Group3
network-object VENDORIP7 255.255.254.0
object-group service SSL_Outside tcp
description SSL from Outside
port-object range 8888 8888
object-group service ViperRemoteService tcp
port-object eq 18082
access-list outside_access_in extended permit udp any host ISPWANIP#3 object-group VOIPUDP
access-list outside_access_in extended permit tcp any host ISPWANIP#3 object-group VOIP
access-list outside_access_in extended permit tcp any host ISPWANIP#2 object-group SSL
access-list outside_access_in extended permit tcp any host ISPWANIP#1 object-group Web-ConnectWise
access-list outside_access_in extended permit tcp object-group ReflexionMailGroup host ISPWANIP#2 object-group Email
access-list outside_access_in extended permit tcp host VENDORIPADDRESS host ISPWANIP#1 object-group TerminalServices
access-list outside_access_in extended permit tcp object-group Reflexion host ISPWANIP#2 eq ldap
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host ISPWANIP#4 eq https
access-list inside_access_out extended permit ip any any log
access-list inside_access_out extended permit udp any any log
access-list inside_access_out extended permit tcp any any log
access-list inside_access_out extended permit icmp any any log
access-list inside_access_out extended permit udp any any object-group VOIPUDP
access-list inside_access_out extended permit tcp any any object-group VOIP
access-list outside_20_cryptomap extended permit ip 192.168.70.0 255.255.255.0 10.31.0.0 255.255.255.0
access-list DomainTech_splitTunnelAcl standard permit any
access-list Test_splitTunnelAcl standard permit CLIENTIPADDRESS 255.255.255.248
access-list outside_40_cryptomap extended permit ip 192.168.70.0 255.255.255.0 10.52.9.0 255.255.255.0
access-list PRIORITY extended permit ip any host CLIENTIPADDRESS2
access-list PRIORITY extended permit ip host CLIENTIPADDRESS2 any
access-list DomainVPN_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 172.16.24.96 255.255.255.240
pager lines 24
logging enable
logging asdm-buffer-size 300
logging monitor debugging
logging asdm debugging
logging from-address router@domainname.com
logging recipient-address jdoe@domainname.com level errors
mtu inside 1500
mtu outside 1500
ip local pool VPNPool 172.16.24.100-172.16.24.110 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 1 ISPWANIP#4 netmask 255.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.70.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp ISPWANIP#4 https 192.168.70.3 https netmask 255.255.255.255
static (inside,outside) ISPWANIP#1 192.168.70.210 netmask 255.255.255.255
static (inside,outside) ISPWANIP#2 192.168.70.220 netmask 255.255.255.255
static (inside,outside) ISPWANIP#3 192.168.70.222 netmask 255.255.255.255
access-group inside_access_out in interface inside
access-group outside_access_in in interface outside
route inside SSOLAN 255.255.0.0 192.168.70.10 1
route inside SSOINTERNAL 255.255.0.0 192.168.70.10 1
route outside 0.0.0.0 0.0.0.0 ISPWANIPGATEWAY 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server DomainTech protocol radius
accounting-mode simultaneous
aaa-server DomainTech (inside) host 192.168.70.220
key password
radius-common-pw password
aaa-server test protocol ldap
aaa-server test (inside) host 192.168.70.220
timeout 5
server-port 636
ldap-base-dn domainname
ldap-login-password *
ldap-login-dn cn=jdoe
ldap-over-ssl enable
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.70.0 255.255.255.0 inside
snmp-server host inside 192.168.70.220 poll community public version 2c
snmp-server location Home
snmp-server contact Domain Tech
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs group1
crypto dynamic-map outside_dyn_map 80 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer x.x.x.x
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 40 match address outside_40_cryptomap
crypto map outside_map 40 set pfs
crypto map outside_map 40 set peer x.x.x.x
crypto map outside_map 40 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication crack
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 50
authentication crack
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 70
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp nat-traversal 20
telnet 192.168.70.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.70.0 255.255.255.0 inside
ssh timeout 40
console timeout 0
management-access inside
dhcpd auto_config outside
!
priority-queue inside
priority-queue outside
tftp-server inside 192.168.70.115 \091223
webvpn
auto-signon allow ip 192.168.70.220 255.255.255.255 auth-type ntlm
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.70.222
vpn-tunnel-protocol l2tp-ipsec
default-domain value domainname.local
group-policy DomainVPN internal
group-policy DomainVPN attributes
dns-server value 192.168.70.220
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DomainVPN_splitTunnelAcl
default-domain value domainname.local
group-policy DomainTech internal
group-policy DomainTech attributes
wins-server none
dns-server value 192.168.70.220
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DomainTech_splitTunnelAcl
default-domain value domainname.local
username domain password cbd.LnP3B30Wt6s8 encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
address-pool VPNPool
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group DomainVPN type ipsec-ra
tunnel-group DomainVPN general-attributes
address-pool VPNPool
default-group-policy DomainVPN
tunnel-group DomainVPN ipsec-attributes
pre-shared-key *
!
class-map PRIORITY
match access-list PRIORITY
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect pptp
class PRIORITY
priority
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b394ca090a6528180eb0e2b6184bded1
: end
ASKER
Looks like something to do with Intra-Interface... I read this but don't understand it:
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml
Tucker
I believe you are missing the nat 0 statement to exempt nat.
ASKER
Can you explain a bit more? I know enough to get in trouble.
Tucker
Create a new access list to allow traffic between those subnets.
access-list inside_nat_0_inside extender permit tcp 192.168.70.0 255.255.255.0 10.0.0.0 255.255.0.0
nat (inside) 0 access-list inside_nat_0_inside
ASKER
OK, so I added the first line, but when I added the second line I get the following error:
ERROR: access-list has protocol or port
sorry... permit ip :)
ASKER
.... what?
Again... I get in trouble here if I try this crap on my own. :)
Thanks!!!
ASKER
Thanks!! So that still did not work. I have to use "extended" and not "extender"; not sure if that matters.
I added:
access-list inside_nat_0_inside extended permit ip 192.168.70.0 255.255.255.0 SSOLAN 255.255.0.0
and
nat (inside) 0 access-list inside_nat_0_inside
I get the same response in the logs and in packet trace. Denied:
3 Dec 27 2010 14:03:56 106014 Deny inbound icmp src inside:192.168.70.121 dst inside:10.0.10.10 (type 8, code 0)
Hi,
Try
same-security-traffic permit intra-interface
This will allow traffic to flow in and out of the same interface.
ASKER
OK, so now I got new error messages:
3 Dec 27 2010 16:46:48 305005 10.0.10.10 No translation group found for icmp src inside:192.168.70.121 dst inside:10.0.10.10 (type 8, code 0)
3 Dec 27 2010 16:46:53 305005 10.0.10.10 No translation group found for udp src inside:192.168.70.220/53 dst inside:10.0.10.10/33517
I am trying to ping 10.0.10.10. Still no response.
Thanks for your help
ASKER
OK, so I got it to ping. I removed nat (inside) 1 0.0.0.0 0.0.0.0 and the ping worked. However, I cannot view the web page that is on this appliance. I am trying to connect to http://10.0.10.10. I really don't want to NAT it; I just want it to act like a router for this subnet. I don't think that is possible. I put back the nat (inside) 1 0.0.0.0 0.0.0.0 as I saw somewhere that was needed.
Hi,
NAT 0 is used to bypass NAT translations. If you modify your NAT 0 access-list to include the devices that you want to skip the NAT translation.
Sorry, ignore my previous entry. So you can ping 10.0.10.10 from a PC on the 192.168.70.0 subnet but you can't web to it?
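The three verdicts this thread hit in order (the 106014 hairpin deny, the 305005 "no translation group" error, then a working NAT exemption) can be reproduced against an excerpt of the posted config with a small checker. This is an added example, not code from the thread or from Cisco: it is a simplified model of the pre-8.3 NAT order (the nat 0 exemption ACL is consulted first, then a dynamic nat needs a matching global on the egress interface), the exemption ACE is appended to the existing inside_nat0_outbound list rather than bound as a second nat 0 list, and the config lines and the 192.168.70.121 to 10.0.10.10 flow are taken from the page.

```python
"""Simplified model of the pre-8.3 ASA path this thread walked: same ingress and egress
interface needs 'same-security-traffic permit intra-interface' (else a 106014-style deny),
and a matching 'nat (IF) N' with no 'global (EGRESS) N' logs 305005 unless an ACE in the
ingress 'nat (IF) 0 access-list' exempts the flow. Constructed example, not ASA code."""
import ipaddress

Net = ipaddress.IPv4Network

def _net(tokens, names):
    """Consume 'any' or 'ADDR MASK' (ADDR may be a 'name' label) from tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return Net("0.0.0.0/0")
    return Net(f"{names.get(tok, tok)}/{tokens.pop(0)}", strict=False)

def parse_config(text):
    """Extract only the statements the checker needs from 'show run' text."""
    cfg = {"names": {}, "ifaces": {}, "routes": [], "acls": {}, "nat0": {},
           "dyn_nat": [], "globals": set(), "intra": False}
    names, cur = cfg["names"], None
    for t in (line.split() for line in text.splitlines() if line.strip()):
        if t[0] == "name":                                  # name <ip> <label> ...
            names[t[2]] = t[1]
        elif t[0] == "nameif":
            cur = t[1]
        elif t[:2] == ["ip", "address"]:                    # connected subnet of cur
            cfg["ifaces"][cur] = Net(f"{t[2]}/{t[3]}", strict=False)
        elif t[0] == "route":                               # route <if> <net> <mask> <nh>
            cfg["routes"].append((t[1], _net(t[2:4], names)))
        elif t[:3] == ["same-security-traffic", "permit", "intra-interface"]:
            cfg["intra"] = True
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            rest = t[5:]
            cfg["acls"].setdefault(t[1], []).append((_net(rest, names), _net(rest, names)))
        elif t[0] == "nat" and t[2] == "0":                 # nat (<if>) 0 access-list <acl>
            cfg["nat0"][t[1].strip("()")] = t[4]
        elif t[0] == "nat":                                 # nat (<if>) <id> <net> <mask>
            cfg["dyn_nat"].append((t[1].strip("()"), t[2], _net(t[3:5], names)))
        elif t[0] == "global":                              # global (<if>) <id> ...
            cfg["globals"].add((t[1].strip("()"), t[2]))
    return cfg

def _longest(candidates, ip):
    hits = [(net.prefixlen, name) for name, net in candidates if ip in net]
    return max(hits)[1] if hits else None

def diagnose(cfg, src_ip, dst_ip):
    """Verdict for a src->dst flow, labelled with the syslog ID the ASA would log."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    ingress = _longest(cfg["ifaces"].items(), src)
    egress = _longest(cfg["ifaces"].items(), dst) or _longest(cfg["routes"], dst)
    if ingress is None or egress is None:
        return "no-route"
    if ingress == egress and not cfg["intra"]:
        return "106014-deny-intra-interface"      # hairpin not permitted
    exempt = cfg["acls"].get(cfg["nat0"].get(ingress), [])
    if any(src in s and dst in d for s, d in exempt):
        return "forward-nat-exempt"               # nat 0 matched: no xlate needed
    for iface, nat_id, net in cfg["dyn_nat"]:
        if iface == ingress and src in net:       # first matching dynamic rule wins
            if (egress, nat_id) in cfg["globals"]:
                return "forward-dynamic-nat"
            return "305005-no-translation-group"  # nat matched, no global on egress
    return "forward-no-nat-rule"

# Constructed excerpt of the config posted in this thread (page placeholders kept).
BASE = """\
name 10.0.0.0 SSOLAN description Domain Management Network
nameif inside
ip address 192.168.70.1 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.16.24.96 255.255.255.240
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route inside SSOLAN 255.255.0.0 192.168.70.10 1
route outside 0.0.0.0 0.0.0.0 ISPWANIPGATEWAY 1
"""
HAIRPIN = BASE + "same-security-traffic permit intra-interface\n"
EXEMPT = HAIRPIN + "access-list inside_nat0_outbound extended permit ip 192.168.70.0 255.255.255.0 SSOLAN 255.255.0.0\n"

def walk_thread(src="192.168.70.121", dst="10.0.10.10"):
    """Verdict at each stage of the thread: original, + intra-interface, + nat 0 ACE."""
    return {label: diagnose(parse_config(text), src, dst) for label, text in
            (("original", BASE), ("intra-interface", HAIRPIN), ("nat-exempt", EXEMPT))}
```

Call walk_thread() to see the verdict per stage; the model ignores static NAT, policy NAT and the interface ACLs, which were not the failing step in this thread.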
ASKER
Yes, that is correct. Very odd. This may be my cheap router causing the issue. But I have it set up for Router, not NAT, and I have my static route enabled. I will play with it some more tonight on the 10.0.0.0 side of the network and see what I find.
ASKER
This got me able to ping the network, which is what I wanted, but I am still having issues with DNS. I cannot get out from my subnetwork. I will open another question for this issue. Thanks for your help.
ASKER
FYI I got my DNS issue working. I had to add a route to my Windows DNS Server. See the other post here that helped me.
https://www.experts-exchange.com/questions/26715152/ASA-5505-Routing-from-Subdomain-but-Not-allowing-DNS-Traffic.html?anchorAnswerId=34475476#a34475476