pzeitham
asked on
Help with Cisco ASA 5505
Hello,
In my LAN I am using two different networks, 192.168.1.0/24 and 10.0.0.0/8. I purchased an ASA to allow access to the Internet for all my networks. On the ASA, I am using 192.168.0.0/24 network. So far, I have been unable to configure the ASA to allow the internal networks to access the Internet. My current configuration is attached.
Below is my addressing scheme of my network (if that would help):
ISP
XXX.XXX.XXX.XXX
|
|
\|/
ASA
192.168.0.X/24 ---> Both internal and Internet pingable from here
|
|
\|/
2811 Router
192.168.1.X/24 ---> ISP gateway and internal pingable here.
|
|
|----> 192.168.1.0/24 ---> Production network
|
|
|----> 2811 router ---> 10.0.0.0/8 ---> Test lab
ASA-Config-2012-09-01.txt
ASKER
Thanks for the catch. I have added that to my config and the problem is still there.
Can you post a show route and show xlate?
Also, are you actually using OSPF? If not, I would remove the config.
Can you also confirm the ASA is a 5505 and what code you are running on it?
Did you purchase with the base license or a security plus license?
Are you natting the 10.0.0.0/8 traffic on the 2811 to the 192.168.1.0 network?
ASKER
Hello,
Here is the requested output. An updated copy of the config is attached.
I have a base license and the version is below.
Cisco Adaptive Security Appliance Software Version 8.4(3)
Device Manager Version 6.4(7)
Compiled on Fri 06-Jan-12 10:24 by builders
System image file is "disk0:/asa843-k8.bin"
Config file at boot was "startup-config"
No, I am not NATing on the 2811.
show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 98.223.140.1 to network 0.0.0.0
C 98.223.140.0 255.255.252.0 is directly connected, outside
O 10.1.11.0 255.255.255.0 [110/12] via 192.168.0.1, 0:02:55, inside
O 10.1.10.0 255.255.255.0 [110/12] via 192.168.0.1, 0:02:55, inside
O 10.1.1.8 255.255.255.252 [110/141] via 192.168.0.1, 0:02:55, inside
O 10.1.12.0 255.255.255.0 [110/12] via 192.168.0.1, 0:02:55, inside
O 10.1.1.0 255.255.255.252 [110/76] via 192.168.0.1, 0:02:55, inside
O 10.1.1.4 255.255.255.252 [110/76] via 192.168.0.1, 0:02:55, inside
O 10.1.254.1 255.255.255.255 [110/12] via 192.168.0.1, 0:02:55, inside
O 10.1.254.2 255.255.255.255 [110/77] via 192.168.0.1, 0:02:55, inside
C 192.168.0.0 255.255.255.0 is directly connected, inside
O 192.168.1.0 255.255.255.0 [110/11] via 192.168.0.1, 0:02:55, inside
d* 0.0.0.0 0.0.0.0 [1/0] via 98.223.140.1, outside
show xlate
2 in use, 3 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
e - extended
TCP PAT from inside:192.168.1.7X 443-443 to outside:98.223.14X.XXX 443-443
flags sr idle 0:03:17 timeout 0:00:00
TCP PAT from inside:192.168.1.7X 25-25 to outside:98.223.14X.XXX 25-25
flags sr idle 0:03:17 timeout 0:00:00
ASA-Config-2012-09-01-12-52
What is the default route on the 2811 router?
Please post sanitized config of the 2811 router.
ASKER
I have not set one. The router is using OSPF.
#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
98.0.0.0/22 is subnetted, 1 subnets
O 98.223.140.0 [110/11] via 192.168.0.2, 00:00:20, FastEthernet0/1
10.0.0.0/8 is variably subnetted, 8 subnets, 3 masks
O 10.1.11.0/24 [110/2] via 192.168.1.5, 00:00:20, FastEthernet0/0
O 10.1.10.0/24 [110/2] via 192.168.1.5, 00:00:20, FastEthernet0/0
O 10.1.1.8/30 [110/131] via 192.168.1.5, 00:00:20, FastEthernet0/0
O 10.1.12.0/24 [110/2] via 192.168.1.5, 00:00:20, FastEthernet0/0
O 10.1.1.0/30 [110/66] via 192.168.1.5, 00:00:21, FastEthernet0/0
O 10.1.1.4/30 [110/66] via 192.168.1.5, 00:00:21, FastEthernet0/0
O 10.1.254.1/32 [110/2] via 192.168.1.5, 00:00:21, FastEthernet0/0
O 10.1.254.2/32 [110/67] via 192.168.1.5, 00:00:21, FastEthernet0/0
C 192.168.0.0/24 is directly connected, FastEthernet0/1
C 192.168.1.0/24 is directly connected, FastEthernet0/0
2811-router-config-2012-09-02
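The default-route question above can be checked mechanically against the posted table. The following Python is an added example, not part of the original thread: it parses a subset of the 2811's `show ip route` lines (including the entry that inherits its mask from the "is subnetted" header) and does a longest-prefix lookup. The function names and the test destination 203.0.113.10 are assumptions.

```python
import ipaddress
import re

# Constructed sample: a subset of the route lines from the 2811 output posted above.
SHOW_IP_ROUTE = """\
Gateway of last resort is not set
     98.0.0.0/22 is subnetted, 1 subnets
O       98.223.140.0 [110/11] via 192.168.0.2, 00:00:20, FastEthernet0/1
     10.0.0.0/8 is variably subnetted, 8 subnets, 3 masks
O       10.1.11.0/24 [110/2] via 192.168.1.5, 00:00:20, FastEthernet0/0
O       10.1.1.8/30 [110/131] via 192.168.1.5, 00:00:20, FastEthernet0/0
O       10.1.254.1/32 [110/2] via 192.168.1.5, 00:00:21, FastEthernet0/0
C    192.168.0.0/24 is directly connected, FastEthernet0/1
C    192.168.1.0/24 is directly connected, FastEthernet0/0
"""

# "x.x.x.x/nn is subnetted" header: child routes listed without a mask inherit /nn.
PARENT = re.compile(r"^\s*\d+\.\d+\.\d+\.\d+/(\d+) is (?:variably )?subnetted")
ROUTE = re.compile(r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)(?:/(\d+))?\s+"
                   r"(?:\[\S+\] via (\S+?),|is directly connected)")

def parse_routes(text):
    """Return a list of (network, route code, next hop) from IOS route output."""
    routes, inherited = [], None
    for line in text.splitlines():
        m = PARENT.match(line)
        if m:
            inherited = m.group(1)
            continue
        m = ROUTE.match(line)
        if m:
            code, addr, plen, next_hop = m.groups()
            net = ipaddress.ip_network(f"{addr}/{plen or inherited}")
            routes.append((net, code, next_hop or "connected"))
    return routes

def has_default(routes):
    return any(net.prefixlen == 0 for net, _, _ in routes)

def lookup(routes, dest):
    """Longest-prefix match; None means the router has no route for dest."""
    ip = ipaddress.ip_address(dest)
    hits = [r for r in routes if ip in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

if __name__ == "__main__":
    table = parse_routes(SHOW_IP_ROUTE)
    print("default route present:", has_default(table))
    for dest in ("203.0.113.10", "98.223.141.5", "10.1.11.20"):
        print(dest, "->", lookup(table, dest))
```

With this table, only destinations inside the ISP's connected /22 and the internal networks resolve; any other Internet address returns no match.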
ASKER CERTIFIED SOLUTION
ASKER
Thank you very much!!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute