techmiss asked:

Cisco ASA Config

Hi All,

I have a firewall problem with my Cisco ASA 5510 that I am trying to troubleshoot; it is all new kit, so I have the luxury of being able to do what I want on it without fear of knocking out any live systems.

On one side I have a Cisco 887 router that has access to the internet on IP 192.168.3.1.
On the other side I have a Cisco ASA 5510 on IP 192.168.3.2.

When I telnet onto the router I can ping the internet but not the inside network through the firewall. I think I have a problem with NAT; config is attached.

I can ping the internal network from the firewall ok... have I got it set up properly? I'm toying with the idea of wiping it and starting from scratch....
Ernie Beek

Config?

;)
techmiss (asker)

Doh.....

tg-asa-conf.txt
Since you do address translations with nat/global statements, you are doing overload NAT (PAT, port address translation). That means that all sessions must be initiated from the inside.

What you are trying to do is ping the outside IP of the firewall, and it has no idea whether, and to which, inside host to translate the ping.

In order to do inbound ping from the internet you need a static translation. For example:
static (inside_TG,Outside_ADSL) 192.168.3.123 10.249.249.123
...which will allow you, from the outside, to ping the outside IP 192.168.3.123 and reach the inside host 10.249.249.123.

Another approach (since you use a private IP on the outside interface) is to remove all nat/global statements and do no address translation at all in the firewall. But that requires that your outside router (and any other routers involved) have routes for the 10.249.249.0/24 network pointing towards 192.168.3.2.

So my question back is: what do you want to achieve? Why do you need to ping the inside hosts from the outside network? And do you need/want the ASA to translate any addresses at all?

Best regards
Kvistofta
Ok, let's see.

First: global (Inside_TG) 101 interface should be: global (Outside_ADSL) 101 interface (for inside to outside traffic).
Second: It's normal that you can't ping from the outside to a host on the inside; you don't want that (or do you?).
Third: Perhaps it's an idea to have the router in bridge mode so the ASA has the public IP(s) on its outside interface. Now you NAT on the router as well. That can give some issues sometimes.
Mmm, Kvistofta is still able to type much faster than I do :-~
:-)
Good point erniebeek, I didn't see the bad interface in the global statement!

/J
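As an added illustration of the two points made above (Kvistofta's: dynamic nat/global PAT only carries sessions initiated from the inside, and an inside host is reachable from the outside only through a static translation; Ernie's: the global for NAT id 101 was bound to the inside interface instead of Outside_ADSL), here is a small Python check written for this page. It is not part of the thread and has nothing to do with the attached tg-asa-conf.txt, which is not available here. It parses pre-8.3 ASA nat/global/static lines, flags a global bound to the same interface as its nat (or a nat with no global at all), and lists which inside hosts a static makes reachable from the outside. The sample config is constructed from the interface names and addresses given in the thread; the nat line for 10.249.249.0/24 and the netmask keyword on the static are assumptions, and interface names are compared case-insensitively to cover both spellings of the inside interface used in the thread.

```python
"""Audit pre-8.3 Cisco ASA nat/global/static statements (constructed example)."""
import re
from typing import Dict, List

# Constructed sample modelled on the thread: the global for id 101 sits on the
# inside interface, which is the mistake Ernie pointed out. The nat line is an
# assumption; it is not taken from the poster's attached configuration.
BROKEN_CONFIG = """\
global (inside_TG) 101 interface
nat (inside_TG) 101 10.249.249.0 255.255.255.0
"""

# Same fragment with the global moved to Outside_ADSL, plus the static that
# Kvistofta gave as the way to make one inside host reachable from outside
# (the "netmask 255.255.255.255" suffix is assumed, as a host static needs it).
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "global (inside_TG) 101 interface", "global (Outside_ADSL) 101 interface"
) + "static (inside_TG,Outside_ADSL) 192.168.3.123 10.249.249.123 netmask 255.255.255.255\n"

NAT_RE = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)\s+(\S+)\s+(\S+)")
GLOBAL_RE = re.compile(r"^global\s+\((\S+)\)\s+(\d+)\s+(\S+)")
STATIC_RE = re.compile(r"^static\s+\((\S+),(\S+)\)\s+(\S+)\s+(\S+)")


def parse(config: str) -> dict:
    """Collect nat, global and static statements; interface names are lowercased."""
    parsed = {"nat": [], "global": [], "static": []}
    for line in config.splitlines():
        if m := NAT_RE.match(line):
            # (interface, nat id, real network, mask)
            parsed["nat"].append((m.group(1).lower(), int(m.group(2)), m.group(3), m.group(4)))
        elif m := GLOBAL_RE.match(line):
            # (interface, nat id, pool or "interface")
            parsed["global"].append((m.group(1).lower(), int(m.group(2)), m.group(3)))
        elif m := STATIC_RE.match(line):
            # (real interface, mapped interface, mapped address, real address)
            parsed["static"].append(
                (m.group(1).lower(), m.group(2).lower(), m.group(3), m.group(4)))
    return parsed


def audit(config: str) -> List[str]:
    """Return findings about outbound PAT pairing; an empty list means nothing flagged."""
    p = parse(config)
    findings = []
    for nat_if, nat_id, net, mask in p["nat"]:
        pool = [g for g in p["global"] if g[1] == nat_id]
        if not pool:
            findings.append(f"nat id {nat_id} on {nat_if} has no matching global: "
                            f"{net}/{mask} is never translated")
        for glb_if, _, _ in pool:
            if glb_if == nat_if:
                # The global names the interface whose address is used for PAT, so it
                # must be the egress interface, not the one the traffic arrives on.
                findings.append(f"global id {nat_id} is bound to {glb_if}, the same interface "
                                f"as its nat statement; move it to the outside interface")
    return findings


def inbound_reachable(config: str, outside_if: str = "Outside_ADSL") -> Dict[str, str]:
    """Map outside addresses to the inside hosts they reach through static translations.

    Dynamic PAT (nat/global) never appears here: it cannot admit a session that
    starts on the outside, which is why the outside router's ping got nowhere.
    """
    p = parse(config)
    return {mapped: real for _real_if, mapped_if, mapped, real in p["static"]
            if mapped_if == outside_if.lower()}


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, "findings:", audit(cfg) or "none")
        print(name, "reachable from outside:", inbound_reachable(cfg))
```

Run as a script it reports one finding for the broken fragment and none for the fixed one, and shows that only the fixed fragment exposes an inside host (10.249.249.123 behind 192.168.3.123). The check is deliberately narrow: it covers the nat/global/static pairing discussed in the thread and does not evaluate access lists or 8.3-style object NAT.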
Combined Expert Powerrrrrrr!!

:-D
Lol, thanks for your replies. To answer some of the questions:

I don't really want to ping any inside addresses for any reason other than to test connectivity, but I see your point that this is normal. However, I can't ping the internet (8.8.8.8) from the Firewall when I can from the ASA.

As far as bridging goes, this seems like a good idea as I don't really want to do anything with the router other than pass traffic to the firewall; all NAT etc. will be done on the ASA. Is this easy to set up?

Because of these points would it be easier to bin this config and start over?

Cheers

K
ASKER CERTIFIED SOLUTION
Jimmy Larsson, CISSP, CEH
This solution is only available to members.
Hi Kvistofta, sorry for confusion.

I can ping the internet from the ASA ok now yes.

You are correct in your assumption; the only reason I have this Cisco 887 is because it is an ADSL2 circuit and the ASA obviously does not have this capability.

Can I change the configuration of the 887 router so this works in bridged mode instead and the ASA holds the public address?

Thanks

K
Yes, you can. But I don't know exactly how. Hopefully someone else here can help you with that.

/Kvistofta
SOLUTION
This solution is only available to members.