Solved

Can't access Internet behind Cisco Router

Posted on 2016-10-05
Last Modified: 2016-10-05
Dear experts, I'm introducing a Cisco Router as an internal router behind my Cisco ASA firewall. The setup is very similar to the attached diagram. Say my workstations are in LAN2. I have configured a static route in my firewall to route traffic from the workstation network (LAN2) to the router interface 192.168.1.1. From my workstations in LAN2, I can ping all the way to the inside interface of the ASA. However, when I try to ping 8.8.8.8 from my workstations, I get a request timeout. I also configured a default gateway on my internal router to point to the inside interface of my ASA. May I know what could be the problem?
Cisco.jpg
Question by:totallypatrick
14 Comments
 
LVL 2

Expert Comment

by:e1ext
ID: 41829643
Have you done NAT on the LAN1 and LAN2 addresses? Also create an ACL to permit ICMP traffic and put the ACL on the outside ASA interface (access-group). It is for the return traffic.

Author Comment

by:totallypatrick
ID: 41829649
Hi e1ext, no NAT is done on LAN1 and LAN2. I can ping 8.8.8.8 if I connect a test workstation behind the inside interface of the ASA. After I introduce a router, I can't ping 8.8.8.8 from behind the router (LAN2).
LVL 13

Expert Comment

by:John Tsioumpris
ID: 41829719
If I am not mistaken, LAN2 can't see the IP of the router (192.168.1.1) because it is on a different subnet... Have you tried to ping the router from LAN1 and LAN2, and what are the results?

Author Comment

by:totallypatrick
ID: 41829838
LAN2 can ping all interfaces on the router as well as the inside interface of the ASA.
LVL 14

Expert Comment

by:SIM50
ID: 41829944
Is LAN2 included in NAT statement on ASA?
What do logs say? sh log | i <source_IP>
Run packet tracer on ASA and post the result.
packet-tracer input inside icmp <source_IP> 8 0 8.8.8.8 detailed

Author Comment

by:totallypatrick
ID: 41829982
Nope, LAN2 is not in the NAT statement on the ASA. Must it be in NAT? I can try to run the packet tracer tomorrow morning and revert.
LVL 14

Accepted Solution

by:SIM50 (earned 500 total points)
ID: 41830006
You need to include it in the NAT statement for the traffic to pass through the ASA. Once you configure one NAT statement, ASA turns on nat-control which doesn't let traffic go through without any NAT.

Author Comment

by:totallypatrick
ID: 41830020
Thanks for the tip. I'll try first thing tomorrow morning.
LVL 45

Expert Comment

by:Craig Beck
ID: 41831034
As well as NAT statements, have you configured any firewall rules to allow the 192.168.2.0/24 network to get to the internet?

Author Comment

by:totallypatrick
ID: 41831107
Still no joy. I have put in a NAT statement on the inside interface of the ASA for the 192.168.2.0 network and still can't ping. The ACL also allows all outgoing traffic.

Author Comment

by:totallypatrick
ID: 41831116
Dear SIM50,

My client IP is 192.168.240.10. My workstation network is actually 192.168.240.0/24.

GKC-ASA01# packet-tracer input inside icmp 192.168.240.10 8 0 8.8.8.8 detailed

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffddbac9d0, priority=1, domain=permit, deny=false
        hits=1687, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=inside, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 111.223.124.225 using egress ifc  outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip object Network-240 any
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffdf2eede0, priority=13, domain=permit, deny=false
        hits=0, user_data=0x7fffe5a79f40, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=192.168.240.0, mask=255.255.240.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic Network-240 interface description Test NAT Overload for 240 Network
Additional Information:
Dynamic translate 192.168.240.10/0 to 111.223.124.226/55910
 Forward Flow based lookup yields rule:
 in  id=0x7fffdf33edc0, priority=6, domain=nat, deny=false
        hits=0, user_data=0x7fffdf30a050, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=192.168.240.0, mask=255.255.240.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=outside

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffdd3812f0, priority=0, domain=nat-per-session, deny=true
        hits=5973242, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffddbb45a0, priority=0, domain=inspect-ip-options, deny=true
        hits=5383, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 description Test
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffde6ba850, priority=70, domain=inspect-icmp, deny=false
        hits=1, user_data=0x7fffde6b5060, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffddbb3e50, priority=66, domain=inspect-icmp-error, deny=false
        hits=35, user_data=0x7fffddbb33c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source dynamic Network-240 interface description Test NAT Overload for 240 Network
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7fffdf33f870, priority=6, domain=nat-reverse, deny=false
        hits=1, user_data=0x7fffdf30a3c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=192.168.240.0, mask=255.255.240.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=outside

Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7fffdd3812f0, priority=0, domain=nat-per-session, deny=true
        hits=5973244, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7fffddab2f60, priority=0, domain=inspect-ip-options, deny=true
        hits=1779559, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 4914850, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
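The trace above ends with every phase at ALLOW and "Action: allow", which means the ASA is not where this flow dies. As an added example (not code posted by anyone in this thread), here is a small parser for this packet-tracer output format that reports the closing action and the first non-ALLOW phase, so an allow verdict can be told apart from an ACL or NAT drop at a glance; the two samples at the bottom are constructed and abbreviated, not real ASA output.

```python
"""Summarise Cisco ASA `packet-tracer ... detailed` output: closing action and first non-ALLOW phase.
Added example, not from the thread; it reads the format posted above. Samples below are constructed."""
import re

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
FIELD_RE = re.compile(r"^(Type|Subtype|Result|Action|Drop-reason):\s*(.*)$")

def parse_packet_tracer(text):
    """Return (phases, summary): phases as dicts (number/type/subtype/result/config), summary with action/drop_reason."""
    phases, summary, cur, in_config = [], {}, None, False
    for line in (raw.rstrip() for raw in text.splitlines()):
        if m := PHASE_RE.match(line):
            cur = {"number": int(m.group(1)), "type": "", "subtype": "", "result": "", "config": []}
            phases.append(cur)
        elif m := FIELD_RE.match(line):
            key, value = m.group(1).lower().replace("-", "_"), m.group(2).strip()
            if key in ("action", "drop_reason"):
                summary[key] = value            # fields of the closing "Result:" block
            elif key == "result" and not value:
                cur = None                      # a bare "Result:" opens that closing block
            elif cur is not None:
                cur[key] = value
        elif line == "Config:":
            in_config = True                    # collect the rule text that matched this phase
        elif line == "Additional Information:":
            in_config = False
        elif in_config and cur is not None and line:
            cur["config"].append(line.strip())
    return phases, summary

def verdict(text):
    """Return (allowed, phase_number, detail); phase_number is the first non-ALLOW phase, or None."""
    phases, summary = parse_packet_tracer(text)
    for p in phases:
        if p["result"].upper() != "ALLOW":
            detail = "; ".join(p["config"]) or summary.get("drop_reason", "")
            return False, p["number"], f"{p['type']}: {detail}"
    allowed = summary.get("action", "").lower() == "allow"
    return allowed, None, "all phases ALLOW" if allowed else f"action={summary.get('action')}"

# Constructed samples (abbreviated to the fields the parser reads), not real ASA output.
ALLOW_SAMPLE = "\n".join(["Phase: 1", "Type: ACCESS-LIST", "Subtype:", "Result: ALLOW", "Config:",
    "Implicit Rule", "Additional Information:", "", "Phase: 2", "Type: NAT", "Subtype:", "Result: ALLOW",
    "Config:", "nat (inside,outside) source dynamic Network-240 interface", "Additional Information:",
    "Dynamic translate 192.168.240.10/0 to 111.223.124.226/55910", "", "Result:", "Action: allow"])
DROP_SAMPLE = "\n".join(["Phase: 1", "Type: ACCESS-LIST", "Subtype:", "Result: ALLOW", "Config:", "Implicit Rule",
    "Additional Information:", "", "Phase: 2", "Type: ACCESS-LIST", "Subtype: log", "Result: DROP", "Config:",
    "access-group inside_access_in in interface inside", "access-list inside_access_in extended deny ip any any",
    "Additional Information:", "", "Result:", "Action: drop", "Drop-reason: (acl-drop) Flow is denied by configured rule"])
```

When `verdict` returns `(True, None, ...)` for a flow that still times out, the next place to look is routing on the inner router and the return path, not the ASA rule set.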
LVL 2

Expert Comment

by:e1ext
ID: 41831209
Hello,

I created a simulation for this in GNS3, and it is working just fine; please find the attached files.
Test-LAN-with-Router-and-ASA.zip

Author Comment

by:totallypatrick
ID: 41831218
Thanks all for the contribution. I've got it. I had forgotten to add a default route in the router.

Author Closing Comment

by:totallypatrick
ID: 41831219
Good advice
