thombie
asked on
cisco ASA 5520 ver 7.2
I am trying to to get the client VPN working to my network via 5520 ASA
I can connect to the VPN server but I cant ping any devices and I cant see my servers or switches on the 10.40.226.0.
Below is my Listing
!
hostname XXX-FW
domain-name default.domain.invalid
enable password HB13YlevMtUcL7F2 encrypted
names
name 10.40.226.60 OWA_Server description Exchange 2010
name x.x.x.x MX-External description SMTP-Iternal IP
name 10.40.226.200 MX-Server description SMTP Server
name x.x.x.x external-OWA description Web-Server
!
interface GigabitEthernet0/0
description LAN Interface
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet0/1
description ISP Interface
nameif Outside
security-level 0
ip address 195.X.X.X 255.255.255.248
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
passwd HB13YlevMtUcL7F2 encrypted
boot system disk0:/asa722-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group network Northeast
description NE
network-object 172.16.1.0 255.255.255.0
network-object 172.16.3.0 255.255.255.0
object-group network VPNRange
network-object 192.168.18.0 255.255.255.0
access-list ICMP extended permit icmp any any
access-list XXXX_VPN_splitTunnelAcl standard permit 10.40.226.0 255.255.255.0
access-list RemoteVPNUsers extended permit ip any any
access-list RemoteVPNUsers extended permit tcp any any
access-list XXX_VPN_splitTunnelAcl_1 standard permit 10.40.226.0 255.255.255.0
access-list outside extended permit tcp any host MX-External eq smtp
access-list outside extended permit tcp any host external-OWA eq https
access-list outside extended permit tcp any host external-OWA eq 3389
access-list inside_access_in extended permit tcp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu Outside 1500
ip local pool remotepool 192.168.18.10-192.168.18.1 00
no failover
monitor-interface inside
monitor-interface Outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 195.X.X.X netmask 255.255.255.248
global (Outside) 2 195.X.X.X netmask 255.255.255.0
nat (inside) 2 10.40.226.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,Outside) tcp MX-External smtp 10.40.226.40 smtp netmask 255.255.255.255
static (inside,Outside) tcp OWA_Server https OWA_Server https netmask 255.255.255.255
access-group inside_access_in in interface inside
route inside 10.40.226.0 255.255.255.0 172.16.1.254 1
route inside 172.16.3.0 255.255.255.0 172.16.1.254 1
route inside 172.16.4.0 255.255.255.0 172.16.1.254 1
route Outside 0.0.0.0 0.0.0.0 195.40.10.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy XXX_VPN internal
group-policy XXX_VPN attributes
dns-server value 10.40.226.56 10.40.226.58
vpn-filter none
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value XXX_VPN_splitTunnelAcl_1
default-domain value XXXX
username XXX password 0iTejLO.n6ldwbbu encrypted
http server enable
http 172.16.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 20 set pfs
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto isakmp enable inside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group XXX_VPN type ipsec-ra
tunnel-group XXX_VPN general-attributes
address-pool (Outside) remotepool
address-pool remotepool
default-group-policy XXX_VPN
tunnel-group XXX_VPN ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map ICMP-CMAP
match access-list ICMP
!
!
policy-map global_policy
class ICMP-CMAP
inspect icmp
!
prompt hostname context
Cryptochecksum:864bfc6f118 dcfd7db575 fc5c132680 0
: end
I can connect to the VPN server but I cant ping any devices and I cant see my servers or switches on the 10.40.226.0.
Below is my Listing
!
hostname XXX-FW
domain-name default.domain.invalid
enable password HB13YlevMtUcL7F2 encrypted
names
name 10.40.226.60 OWA_Server description Exchange 2010
name x.x.x.x MX-External description SMTP-Iternal IP
name 10.40.226.200 MX-Server description SMTP Server
name x.x.x.x external-OWA description Web-Server
!
interface GigabitEthernet0/0
description LAN Interface
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet0/1
description ISP Interface
nameif Outside
security-level 0
ip address 195.X.X.X 255.255.255.248
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
passwd HB13YlevMtUcL7F2 encrypted
boot system disk0:/asa722-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group network Northeast
description NE
network-object 172.16.1.0 255.255.255.0
network-object 172.16.3.0 255.255.255.0
object-group network VPNRange
network-object 192.168.18.0 255.255.255.0
access-list ICMP extended permit icmp any any
access-list XXXX_VPN_splitTunnelAcl standard permit 10.40.226.0 255.255.255.0
access-list RemoteVPNUsers extended permit ip any any
access-list RemoteVPNUsers extended permit tcp any any
access-list XXX_VPN_splitTunnelAcl_1 standard permit 10.40.226.0 255.255.255.0
access-list outside extended permit tcp any host MX-External eq smtp
access-list outside extended permit tcp any host external-OWA eq https
access-list outside extended permit tcp any host external-OWA eq 3389
access-list inside_access_in extended permit tcp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu Outside 1500
ip local pool remotepool 192.168.18.10-192.168.18.1
no failover
monitor-interface inside
monitor-interface Outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 195.X.X.X netmask 255.255.255.248
global (Outside) 2 195.X.X.X netmask 255.255.255.0
nat (inside) 2 10.40.226.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,Outside) tcp MX-External smtp 10.40.226.40 smtp netmask 255.255.255.255
static (inside,Outside) tcp OWA_Server https OWA_Server https netmask 255.255.255.255
access-group inside_access_in in interface inside
route inside 10.40.226.0 255.255.255.0 172.16.1.254 1
route inside 172.16.3.0 255.255.255.0 172.16.1.254 1
route inside 172.16.4.0 255.255.255.0 172.16.1.254 1
route Outside 0.0.0.0 0.0.0.0 195.40.10.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy XXX_VPN internal
group-policy XXX_VPN attributes
dns-server value 10.40.226.56 10.40.226.58
vpn-filter none
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value XXX_VPN_splitTunnelAcl_1
default-domain value XXXX
username XXX password 0iTejLO.n6ldwbbu encrypted
http server enable
http 172.16.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 20 set pfs
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto isakmp enable inside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group XXX_VPN type ipsec-ra
tunnel-group XXX_VPN general-attributes
address-pool (Outside) remotepool
address-pool remotepool
default-group-policy XXX_VPN
tunnel-group XXX_VPN ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map ICMP-CMAP
match access-list ICMP
!
!
policy-map global_policy
class ICMP-CMAP
inspect icmp
!
prompt hostname context
Cryptochecksum:864bfc6f118
: end
Like fgasimzade said: the machines on the 10.40.226.0 network need a route to the 192.168.18.0 network.
Second: I see you're not exempting the VPN traffic from NAT
access-list nonat extended permit ip 10.40.226.0 255.255.255.0 192.168.18.0 255.255.255.0
nat (inside) 0 access-list nonat
Third: have a look at the (ASDM) logs. They might give you a clue what's going wrong.
Second: I see you're not exempting the VPN traffic from NAT
access-list nonat extended permit ip 10.40.226.0 255.255.255.0 192.168.18.0 255.255.255.0
nat (inside) 0 access-list nonat
Third: have a look at the (ASDM) logs. They might give you a clue what's going wrong.
ASKER
10.40.226.1 is the deault gateway to 10.40.226.0
so do I need to add a static route to 192.168.18.0 ?
so do I need to add a static route to 192.168.18.0 ?
Yes, you would need to add a route on 10.40.226.1
ASKER
what would the syntax look like on a cisco switch
ip route 192.168.18.0 255.255.255.0 10.40.226.1 ?
ip route 192.168.18.0 255.255.255.0 10.40.226.1 ?
Almost, should be:
ip route 192.168.18.0 255.255.255.0 172.16.1.1
FW needs to be the gateway.
ip route 192.168.18.0 255.255.255.0 172.16.1.1
FW needs to be the gateway.
Also, like I said, check the NAT exempt. Is there a reason you're not using that?
ASKER
Just added NONAT config and I cant ping 10.40.226.1
would that be an ICMP issue ? in fact I cant out to the to the internet any ideas ?
would that be an ICMP issue ? in fact I cant out to the to the internet any ideas ?
You also added the route on the intermediate switch?
And did you check the (ASDM) logs, anything showing there?
And did you check the (ASDM) logs, anything showing there?
Pls confirm you have added the static route
Also, pls remove this access list and check again
access-group inside_access_in in interface inside
and make sure you have
sysopt connection permit-ipsec
configured on ASA
Also, pls remove this access list and check again
access-group inside_access_in in interface inside
and make sure you have
sysopt connection permit-ipsec
configured on ASA
ASKER
This my current config o thefirewall still cant ping inside from the VPN
: Saved
:
ASA Version 7.2(2)
!
hostname xxxx-FW
domain-name default.domain.invalid
enable password HB13YlevMtUcL7F2 encrypted
names
name 10.40.226.60 OWA_Server description Exchange 2010
name 195.40.10.101 MX-External description SMTP-Iternal IP
name 10.40.226.200 MX-Server description SMTP Server
name 195.XXX external-OWA description Web-Server
!
interface GigabitEthernet0/0
description LAN Interface
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet0/1
description ISP Interface
nameif Outside
security-level 0
ip address 195.XXXX 255.255.255.248
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
passwd HB13YlevMtUcL7F2 encrypted
boot system disk0:/asa722-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group network Northeast
description NE
network-object 172.16.1.0 255.255.255.0
network-object 172.16.3.0 255.255.255.0
object-group network VPNRange
network-object 192.168.18.0 255.255.255.0
access-list ICMP extended permit icmp any any
access-list XXXX_VPN_splitTunnelAcl standard permit 10.40.226.0 255.255.255.0
access-list RemoteVPNUsers extended permit ip any any
access-list RemoteVPNUsers extended permit tcp any any
access-list XXXX_VPN_splitTunnelAcl_1 standard permit 10.40.226.0 255.255.255.0
access-list outside extended permit tcp any host MX-External eq smtp
access-list outside extended permit tcp any host external-OWA eq https
access-list outside extended permit tcp any host external-OWA eq 3389
access-list nonat extended permit ip 10.40.226.0 255.255.255.0 192.168.18.0 255.255.255.0
access-list inside_access_in remark Internal UDP
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended permit tcp any any
access-list Outside_access_in extended permit ip any any inactive
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu Outside 1500
ip local pool remotepool 192.168.18.10-192.168.18.1 00
no failover
monitor-interface inside
monitor-interface Outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 195x.x.x netmask 255.255.255.248
global (Outside) 2 195.XXX netmask 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 2 10.40.226.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
access-group Outside_access_in in interface Outside
route inside 10.40.226.0 255.255.255.0 172.16.1.254 1
route inside 172.16.3.0 255.255.255.0 172.16.1.254 1
route inside 172.16.4.0 255.255.255.0 172.16.1.254 1
route Outside 0.0.0.0 0.0.0.0 195.40.10.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy XXXX_VPN internal
group-policy XXXX_VPN attributes
dns-server value 10.40.226.56 10.40.226.58
vpn-filter none
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value XXXX_VPN_splitTunnelAcl_1
default-domain value services.XXXXconsulting.co .uk
username jthombs password 0iTejLO.n6ldwbbu encrypted
http server enable
http 172.16.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 20 set pfs
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto isakmp enable inside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group XXXX_VPN type ipsec-ra
tunnel-group XXXX_VPN general-attributes
address-pool (Outside) remotepool
address-pool remotepool
default-group-policy XXXX_VPN
tunnel-group XXXX_VPN ipsec-attributes
pre-shared-key *
telnet 172.16.3.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map ICMP-CMAP
match access-list ICMP
!
!
policy-map global_policy
class ICMP-CMAP
inspect icmp
!
prompt hostname context
Cryptochecksum:b957f31b8c5 aa62e9375a 7293b3b3df 9
: end
: Saved
:
ASA Version 7.2(2)
!
hostname xxxx-FW
domain-name default.domain.invalid
enable password HB13YlevMtUcL7F2 encrypted
names
name 10.40.226.60 OWA_Server description Exchange 2010
name 195.40.10.101 MX-External description SMTP-Iternal IP
name 10.40.226.200 MX-Server description SMTP Server
name 195.XXX external-OWA description Web-Server
!
interface GigabitEthernet0/0
description LAN Interface
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet0/1
description ISP Interface
nameif Outside
security-level 0
ip address 195.XXXX 255.255.255.248
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
passwd HB13YlevMtUcL7F2 encrypted
boot system disk0:/asa722-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group network Northeast
description NE
network-object 172.16.1.0 255.255.255.0
network-object 172.16.3.0 255.255.255.0
object-group network VPNRange
network-object 192.168.18.0 255.255.255.0
access-list ICMP extended permit icmp any any
access-list XXXX_VPN_splitTunnelAcl standard permit 10.40.226.0 255.255.255.0
access-list RemoteVPNUsers extended permit ip any any
access-list RemoteVPNUsers extended permit tcp any any
access-list XXXX_VPN_splitTunnelAcl_1 standard permit 10.40.226.0 255.255.255.0
access-list outside extended permit tcp any host MX-External eq smtp
access-list outside extended permit tcp any host external-OWA eq https
access-list outside extended permit tcp any host external-OWA eq 3389
access-list nonat extended permit ip 10.40.226.0 255.255.255.0 192.168.18.0 255.255.255.0
access-list inside_access_in remark Internal UDP
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended permit tcp any any
access-list Outside_access_in extended permit ip any any inactive
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu Outside 1500
ip local pool remotepool 192.168.18.10-192.168.18.1
no failover
monitor-interface inside
monitor-interface Outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 195x.x.x netmask 255.255.255.248
global (Outside) 2 195.XXX netmask 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 2 10.40.226.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
access-group Outside_access_in in interface Outside
route inside 10.40.226.0 255.255.255.0 172.16.1.254 1
route inside 172.16.3.0 255.255.255.0 172.16.1.254 1
route inside 172.16.4.0 255.255.255.0 172.16.1.254 1
route Outside 0.0.0.0 0.0.0.0 195.40.10.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy XXXX_VPN internal
group-policy XXXX_VPN attributes
dns-server value 10.40.226.56 10.40.226.58
vpn-filter none
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value XXXX_VPN_splitTunnelAcl_1
default-domain value services.XXXXconsulting.co
username jthombs password 0iTejLO.n6ldwbbu encrypted
http server enable
http 172.16.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 20 set pfs
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto isakmp enable inside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group XXXX_VPN type ipsec-ra
tunnel-group XXXX_VPN general-attributes
address-pool (Outside) remotepool
address-pool remotepool
default-group-policy XXXX_VPN
tunnel-group XXXX_VPN ipsec-attributes
pre-shared-key *
telnet 172.16.3.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map ICMP-CMAP
match access-list ICMP
!
!
policy-map global_policy
class ICMP-CMAP
inspect icmp
!
prompt hostname context
Cryptochecksum:b957f31b8c5
: end
Have a look at these:
access-list Outside_access_in extended permit ip any any inactive
access-group Outside_access_in in interface Outside
Effectively this means that nothing is allowed from the out- to the inside.
(implicit 'deny all' at the end of every ACL)
access-list Outside_access_in extended permit ip any any inactive
access-group Outside_access_in in interface Outside
Effectively this means that nothing is allowed from the out- to the inside.
(implicit 'deny all' at the end of every ACL)
ASKER
What need to 192.168.18.0/24 allowed in
as well as ports 443 25 and 80
as well as ports 443 25 and 80
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
stange still cant ping
Anything showing in the logs?
ASKER
I can hit the server still no icmp though
You can hit (connect to) the server but not ping?
Try:
access-list Outside_access_in extended permit icmp 192.168.18.0 255.255.255.0 10.40.226.0 255.255.255.0
Try:
access-list Outside_access_in extended permit icmp 192.168.18.0 255.255.255.0 10.40.226.0 255.255.255.0
ASKER
actually i cant hit the server
Let's check the log then.
ASKER
looks like its getting stopped on at NAT
nat.PNG
nat.PNG
ASKER
see attached should this rule be the other way round
ASKER
ASKER
I Have attached my rulebase
rulebase.PNG
rulebase.PNG
That nat exempt could be the one.....
192.168.18.0 is on the outside of the firewall, not the inside.
But then, in your config it's:
access-list nonat extended permit ip 10.40.226.0 255.255.255.0 192.168.18.0 255.255.255.0
Which is ok. Or did you make some more changes after posting that?
192.168.18.0 is on the outside of the firewall, not the inside.
But then, in your config it's:
access-list nonat extended permit ip 10.40.226.0 255.255.255.0 192.168.18.0 255.255.255.0
Which is ok. Or did you make some more changes after posting that?
ASKER
Thanks for your patience its all working now.
Good to hear :)
And thx 4 the points.
So how did you resolve it?
And thx 4 the points.
So how did you resolve it?
ASKER
flipping the NAT rule around.
Is there a route to 192.168.18.0 subnet?