Solved

Can't access Internet behind Cisco Router

Posted on 2016-10-05
Last Modified: 2016-10-05
Dear experts, I'm introducing a Cisco router as an internal router behind my Cisco ASA firewall. The setup is very similar to the attached diagram. Say my workstations are in LAN2. I have configured a static route in my firewall to route traffic from the workstation network (LAN2) to the router interface 192.168.1.1. From my workstations in LAN2, I can ping all the way to the inside interface of the ASA. However, when I try to ping 8.8.8.8 from my workstations, I get a request timeout. I have also configured a default gateway on my internal router to point to the inside interface of my ASA. May I know what could be the problem?
Cisco.jpg
Question by:totallypatrick
14 Comments
 
LVL 2

Expert Comment

by:e1ext
ID: 41829643
Have you done NAT on the LAN1 and LAN2 addresses? Also create an ACL to permit ICMP traffic and put the ACL on the outside ASA interface (access-group). It is for the return traffic.
0
 

Author Comment

by:totallypatrick
ID: 41829649
Hi e1ext, no NAT is done on LAN1 and LAN2. I can ping 8.8.8.8 if I connect a test workstation behind the inside interface of the ASA. After I introduce a router, I can't ping 8.8.8.8 from behind the router (LAN2).
0
 
LVL 17

Expert Comment

by:John Tsioumpris
ID: 41829719
If I am not mistaken, LAN2 can't see the IP of the router (192.168.1.1) because it is on a different subnet... Have you tried to ping the router from LAN1 and LAN2, and what are the results?
0
 

Author Comment

by:totallypatrick
ID: 41829838
LAN2 can ping all interfaces on the router as well as the inside interface of the ASA.
0
 
LVL 14

Expert Comment

by:SIM50
ID: 41829944
Is LAN2 included in the NAT statement on the ASA?
What do the logs say? sh log | i <source_IP>
Run packet-tracer on the ASA and post the result:
packet-tracer input inside icmp <source_IP> 8 0 8.8.8.8 detailed
0
 

Author Comment

by:totallypatrick
ID: 41829982
Nope, LAN2 is not in the NAT statement on the ASA. Must it be in NAT? I can try to run the packet tracer tomorrow morning and revert.
0
 
LVL 14

Accepted Solution

by: SIM50 (earned 500 total points)
ID: 41830006
You need to include it in the NAT statement for the traffic to pass through the ASA. Once you configure one NAT statement, the ASA turns on nat-control, which doesn't let traffic go through without any NAT.
0
 

Author Comment

by:totallypatrick
ID: 41830020
Thanks for the tip. I'll try first thing tomorrow morning.
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 41831034
As well as NAT statements, have you configured any firewall rules to allow the 192.168.2.0/24 network to get to the internet?
0
 

Author Comment

by:totallypatrick
ID: 41831107
Still no joy. I have put in a NAT statement on the inside interface of the ASA for the 192.168.2.0 network and still can't ping. The ACL also allows all outgoing traffic.
0
 

Author Comment

by:totallypatrick
ID: 41831116
Dear SIM50,

My client IP is 192.168.240.10. My workstation network is actually 192.168.240.0/24.

GKC-ASA01# packet-tracer input inside icmp 192.168.240.10 8 0 8.8.8.8 detailed

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffddbac9d0, priority=1, domain=permit, deny=false
        hits=1687, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=inside, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 111.223.124.225 using egress ifc  outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip object Network-240 any
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffdf2eede0, priority=13, domain=permit, deny=false
        hits=0, user_data=0x7fffe5a79f40, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=192.168.240.0, mask=255.255.240.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic Network-240 interface description Test NAT Overload for 240 Network
Additional Information:
Dynamic translate 192.168.240.10/0 to 111.223.124.226/55910
 Forward Flow based lookup yields rule:
 in  id=0x7fffdf33edc0, priority=6, domain=nat, deny=false
        hits=0, user_data=0x7fffdf30a050, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=192.168.240.0, mask=255.255.240.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=outside

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffdd3812f0, priority=0, domain=nat-per-session, deny=true
        hits=5973242, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffddbb45a0, priority=0, domain=inspect-ip-options, deny=true
        hits=5383, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 description Test
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffde6ba850, priority=70, domain=inspect-icmp, deny=false
        hits=1, user_data=0x7fffde6b5060, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffddbb3e50, priority=66, domain=inspect-icmp-error, deny=false
        hits=35, user_data=0x7fffddbb33c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source dynamic Network-240 interface description Test NAT Overload for 240 Network
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7fffdf33f870, priority=6, domain=nat-reverse, deny=false
        hits=1, user_data=0x7fffdf30a3c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=192.168.240.0, mask=255.255.240.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=outside

Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7fffdd3812f0, priority=0, domain=nat-per-session, deny=true
        hits=5973244, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7fffddab2f60, priority=0, domain=inspect-ip-options, deny=true
        hits=1779559, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 4914850, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
0
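Reading a long packet-tracer transcript by eye is error-prone; the things that matter are the final Action, the egress interface, the first phase that dropped the packet (with the ASA's Drop-reason) and which NAT rule matched. The parser below is an added example written for this thread, not code from the thread or from Cisco. Its two sample transcripts are constructed and abbreviated from the shape of the ASA output above (the next hop 111.223.124.225 and the object name Network-240 are taken from the thread; the deny ACL in the second transcript is invented to show the drop case).

```python
import re

# Two packet-tracer transcripts, constructed for this example in the shape of
# the ASA output above: one allowed end to end and one dropped by a deny ACL.
ALLOWED_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 111.223.124.225 using egress ifc  outside

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic Network-240 interface
Additional Information:
Dynamic translate 192.168.240.10/0 to 111.223.124.226/55910

Result:
input-interface: inside
output-interface: outside
Action: allow
"""

DROPPED_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 111.223.124.225 using egress ifc  outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended deny ip any any

Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_RE = re.compile(r"^Phase:\s*(\d+)\s*$", re.MULTILINE)    # "Phase: N" headers
SUMMARY_RE = re.compile(r"^Result:\s*$", re.MULTILINE)         # bare "Result:" line


def parse_packet_tracer(text):
    """Split a transcript into a list of phase dicts and the trailing
    Result summary (a dict built from its 'key: value' lines)."""
    m = SUMMARY_RE.search(text)
    body, tail = (text[:m.start()], text[m.end():]) if m else (text, "")
    parts = PHASE_RE.split(body)      # [preamble, "1", body1, "2", body2, ...]
    phases = []
    for i in range(1, len(parts), 2):
        phase = {"phase": int(parts[i]), "type": "", "subtype": "", "result": "",
                 "config": [], "info": []}
        section = None                # header lines until "Config:" / "Additional Information:"
        for line in parts[i + 1].splitlines():
            stripped = line.strip()
            if not stripped:
                continue
            if stripped == "Config:":
                section = "config"
                continue
            if stripped == "Additional Information:":
                section = "info"
                continue
            key, sep, value = stripped.partition(":")
            if section is None and sep and key in ("Type", "Subtype", "Result"):
                phase[key.lower()] = value.strip()
            elif section is not None:
                phase[section].append(stripped)
        phases.append(phase)
    summary = {}
    for line in tail.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep:
            summary[key.strip().lower()] = value.strip()
    return phases, summary


def diagnose(text):
    """Reduce a transcript to the troubleshooting essentials: final action,
    egress interface, first dropping phase plus drop reason, matched NAT rules."""
    phases, summary = parse_packet_tracer(text)
    drops = [p for p in phases if p["result"].upper() == "DROP"]
    nat_rules = [line for p in phases if p["type"] == "NAT"
                 for line in p["config"] if line.startswith("nat ")]
    return {
        "action": summary.get("action", "").lower(),
        "egress": summary.get("output-interface"),
        "first_drop": (drops[0]["phase"], drops[0]["type"]) if drops else None,
        "drop_reason": summary.get("drop-reason"),
        "nat_rules": nat_rules,
        "phases": [(p["phase"], p["type"], p["result"]) for p in phases],
    }


if __name__ == "__main__":
    for name, trace in (("allowed", ALLOWED_TRACE), ("dropped", DROPPED_TRACE)):
        print(name, diagnose(trace))
```

On the transcript posted above, diagnose() reports action "allow", egress "outside", no dropping phase and the single dynamic NAT rule for Network-240, which is exactly why the trace alone could not explain the failure: the ASA was forwarding the packet, so the problem had to be elsewhere on the path.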
 
LVL 2

Expert Comment

by:e1ext
ID: 41831209
Hello,

I created a simulation for this in GNS3, and it is working just fine; please find the attached files.
Test-LAN-with-Router-and-ASA.zip
0
 

Author Comment

by:totallypatrick
ID: 41831218
Thanks all for the contribution. I've got it. I'd forgotten to add the default route on the router.
0
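The root cause fits the symptoms exactly: every destination the workstations could reach (the router's interfaces, the ASA's inside interface) sat on a subnet directly connected to the router, so no default route was needed, while 8.8.8.8 matched nothing in the router's table and was silently discarded before the ASA ever saw it. The model below is an added example written for this thread, not code from the thread or any vendor; it walks a packet hop by hop with a longest-prefix-match lookup per device. The LAN2 prefix 192.168.240.0/24, the router's 192.168.1.1 and the ASA's upstream next hop 111.223.124.225 come from the thread; the ASA inside address 192.168.1.254 and the router's LAN2 address 192.168.240.1 are assumed.

```python
import ipaddress

# Small model of the thread's topology: workstation (LAN2) -> router -> ASA -> ISP.
# Addresses 192.168.1.254 (ASA inside) and 192.168.240.1 (router on LAN2) are assumed.


def lookup(routes, dst):
    """Longest-prefix match over [(prefix, via)]; via is a next-hop IP or the
    marker 'connected'. Returns None when no route covers dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


def build_topology(router_has_default):
    """Devices with their own addresses and routing tables; the flag toggles
    the default route the author had forgotten on the router."""
    router_routes = [("192.168.240.0/24", "connected"), ("192.168.1.0/24", "connected")]
    if router_has_default:
        # equivalent of: ip route 0.0.0.0 0.0.0.0 192.168.1.254
        router_routes.append(("0.0.0.0/0", "192.168.1.254"))
    return {
        "workstation": {
            "addresses": {"192.168.240.10"},
            "routes": [("192.168.240.0/24", "connected"), ("0.0.0.0/0", "192.168.240.1")],
        },
        "router": {"addresses": {"192.168.240.1", "192.168.1.1"}, "routes": router_routes},
        "asa": {
            "addresses": {"192.168.1.254"},
            "routes": [
                ("192.168.1.0/24", "connected"),
                ("192.168.240.0/24", "192.168.1.1"),   # static route the author added for LAN2
                ("0.0.0.0/0", "111.223.124.225"),      # default toward the ISP (from the trace)
            ],
        },
    }


def trace_path(topology, start, dst, max_hops=8):
    """Forward a packet from `start` toward `dst`, one route lookup per hop.
    Returns (status, list of devices the packet visited)."""
    owner = {ip: name for name, dev in topology.items() for ip in dev["addresses"]}
    path, device = [start], start
    for _ in range(max_hops):
        via = lookup(topology[device]["routes"], dst)
        if via is None:
            return f"no route at {device}", path        # the missing default route
        if via == "connected":
            return ("delivered" if dst in owner else "no such host on connected subnet"), path
        next_device = owner.get(via)
        if next_device is None:
            return f"forwarded upstream via {via}", path  # left the modelled network
        path.append(next_device)
        device = next_device
    return "hop limit exceeded (routing loop?)", path


if __name__ == "__main__":
    for has_default in (False, True):
        topo = build_topology(has_default)
        print("router default route:", has_default)
        print("  ping ASA inside:", trace_path(topo, "workstation", "192.168.1.254"))
        print("  ping 8.8.8.8   :", trace_path(topo, "workstation", "8.8.8.8"))
        print("  reply to LAN2  :", trace_path(topo, "asa", "192.168.240.10"))
```

Without the router's default route the 8.8.8.8 probe dies at the router while the ping to the ASA inside interface still succeeds, which is the pattern the author reported; the return path from the ASA to LAN2 was never the problem because of the static route the author had already added on the firewall. As a troubleshooting habit, checking "show ip route" on every hop for the destination prefix before touching NAT or ACLs would have found this in one step.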
 

Author Closing Comment

by:totallypatrick
ID: 41831219
Good advice
0
