Solved

Can't access Internet behind Cisco Router

Posted on 2016-10-05
Last Modified: 2016-10-05
Dear experts, I'm introducing a Cisco router as an internal router behind my Cisco ASA firewall. The setup is very similar to the attached diagram. Say my workstations are in LAN2. I have configured a static route in my firewall to route traffic for the workstation network (LAN2) to the router interface 192.168.1.1. From my workstations in LAN2, I can ping all the way to the inside interface of the ASA. However, when I try to ping 8.8.8.8 from my workstations, I get a request time out. I also configured a default gateway on my internal router to point to the inside interface of my ASA. May I know what could be the problem?
Cisco.jpg
Question by:totallypatrick
14 Comments
 
LVL 2

Expert Comment

by:e1ext
ID: 41829643
Have you done NAT on the LAN1 and LAN2 addresses? Also create an ACL to permit ICMP traffic and apply the ACL on the outside ASA interface (access-group); it is for the return traffic.
0
 

Author Comment

by:totallypatrick
ID: 41829649
Hi e1ext, no NAT is done on LAN1 and LAN2. I can ping 8.8.8.8 if I connect a test workstation directly behind the inside interface of the ASA. After I introduce the router, I can't ping 8.8.8.8 from behind the router (LAN2).
0
 
LVL 13

Expert Comment

by:John Tsioumpris
ID: 41829719
If I am not mistaken, LAN2 can't see the IP of the router (192.168.1.1) because it is on a different subnet. Have you tried to ping the router from LAN1 and LAN2, and what are the results?
0
 

Author Comment

by:totallypatrick
ID: 41829838
LAN2 can ping all interfaces on the router as well as the inside interface of the ASA.
0
 
LVL 13

Expert Comment

by:SIM50
ID: 41829944
Is LAN2 included in the NAT statement on the ASA?
What do the logs say? sh log | i <source_IP>
Run packet-tracer on the ASA and post the result:
packet-tracer input inside icmp <source_IP> 8 0 8.8.8.8 detailed
0
 

Author Comment

by:totallypatrick
ID: 41829982
Nope, LAN2 is not in the NAT statement on the ASA. Must it be in NAT? I can try to run the packet tracer tomorrow morning and revert.
0
 
LVL 13

Accepted Solution

by:SIM50 (earned 500 total points)
ID: 41830006
You need to include it in the NAT statement for the traffic to pass through the ASA. Once you configure one NAT statement, ASA turns on nat-control which doesn't let traffic go through without any NAT.
0
 

Author Comment

by:totallypatrick
ID: 41830020
Thanks for the tip. I'll try first thing tomorrow morning.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 41831034
As well as NAT statements, have you configured any firewall rules to allow the 192.168.2.0/24 network to get to the internet?
0
 

Author Comment

by:totallypatrick
ID: 41831107
Still no joy. I have put in a NAT statement on the inside interface of the ASA for the 192.168.2.0 network and still can't ping. The ACL also allows all outgoing traffic.
0
 

Author Comment

by:totallypatrick
ID: 41831116
Dear SIM50,

My client IP is 192.168.240.10. My workstation network is actually 192.168.240.0/24.

GKC-ASA01# packet-tracer input inside icmp 192.168.240.10 8 0 8.8.8.8 detailed

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffddbac9d0, priority=1, domain=permit, deny=false
        hits=1687, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=inside, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 111.223.124.225 using egress ifc  outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip object Network-240 any
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffdf2eede0, priority=13, domain=permit, deny=false
        hits=0, user_data=0x7fffe5a79f40, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=192.168.240.0, mask=255.255.240.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic Network-240 interface description Test NAT Overload for 240 Network
Additional Information:
Dynamic translate 192.168.240.10/0 to 111.223.124.226/55910
 Forward Flow based lookup yields rule:
 in  id=0x7fffdf33edc0, priority=6, domain=nat, deny=false
        hits=0, user_data=0x7fffdf30a050, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=192.168.240.0, mask=255.255.240.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=outside

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffdd3812f0, priority=0, domain=nat-per-session, deny=true
        hits=5973242, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffddbb45a0, priority=0, domain=inspect-ip-options, deny=true
        hits=5383, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 description Test
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffde6ba850, priority=70, domain=inspect-icmp, deny=false
        hits=1, user_data=0x7fffde6b5060, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffddbb3e50, priority=66, domain=inspect-icmp-error, deny=false
        hits=35, user_data=0x7fffddbb33c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source dynamic Network-240 interface description Test NAT Overload for 240 Network
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7fffdf33f870, priority=6, domain=nat-reverse, deny=false
        hits=1, user_data=0x7fffdf30a3c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=192.168.240.0, mask=255.255.240.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=outside

Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7fffdd3812f0, priority=0, domain=nat-per-session, deny=true
        hits=5973244, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7fffddab2f60, priority=0, domain=inspect-ip-options, deny=true
        hits=1779559, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 4914850, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
0
 
LVL 2

Expert Comment

by:e1ext
ID: 41831209
Hello,

I created a simulation for this in GNS3, and it is working just fine; please find the attached files.
Test-LAN-with-Router-and-ASA.zip
0
 

Author Comment

by:totallypatrick
ID: 41831218
Thanks all for the contribution. I've got it. I had forgotten to add a default route on the router.
0
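The thread's resolution in configuration form, as an added example that is not part of the original thread or of any poster's attachment. It brings together the ASA-side requirement from the accepted solution (LAN2 must be covered by a NAT statement and permitted by the inside ACL, using the Network-240 object and inside_access_in names visible in the packet-tracer output above, plus the return route to the router) and the fix the author found on the router (the missing default route). Assumptions: ASA 8.3+ NAT syntax, the router interface names, the router's LAN2 address 192.168.240.1, and ASA_INSIDE_IP as a placeholder for the ASA inside interface address, which the thread does not give.

```cisco
! ---- ASA (8.3+ syntax assumed) ----
! Object for the workstation network that sits behind the internal router.
! The thread's object is named Network-240; the /24 is the network the
! author states (the packet-tracer output shows a /20, which also covers it).
object network Network-240
 subnet 192.168.240.0 255.255.255.0
!
! Return route: the ASA must know that LAN2 is reachable via the router at
! 192.168.1.1, otherwise replies from the Internet are sent out the wrong way.
route inside 192.168.240.0 255.255.255.0 192.168.1.1 1
!
! PAT the workstation network to the outside interface address
! (this is the statement that appears in Phase 4 of the packet-tracer output).
nat (inside,outside) source dynamic Network-240 interface description NAT Overload for 240 Network
!
! Permit the network outbound through the inside interface ACL.
access-list inside_access_in extended permit ip object Network-240 any
access-group inside_access_in in interface inside
!
! ICMP echo replies are allowed back in by the icmp inspection already
! present in the output (policy-map global_policy / inspect icmp).
!
! ---- Internal router (IOS; interface names and LAN2 address assumed) ----
interface GigabitEthernet0/0
 description Uplink to ASA inside
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 description LAN2 workstations
 ip address 192.168.240.1 255.255.255.0
!
! The piece the author found missing: without a default route the router has
! no path to 8.8.8.8, even though the ASA has NAT and a route back to LAN2.
! ASA_INSIDE_IP is a placeholder for the ASA's inside interface address.
ip route 0.0.0.0 0.0.0.0 ASA_INSIDE_IP
```

To confirm each half independently: on the router, `show ip route` must show a gateway of last resort; on the ASA, `show route` must list 192.168.240.0/24 via 192.168.1.1, the packet-tracer command from SIM50's comment should end in `Action: allow` as it does above, and `show xlate` should show a translation for a workstation address after a ping. When packet-tracer already reports allow, as in this thread, the remaining suspect is the routing on either side of the ASA rather than the ASA itself.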
 

Author Closing Comment

by:totallypatrick
ID: 41831219
Good advice
0
