totallypatrick (Singapore) asked:
Can't access Internet behind Cisco Router

Dear experts, I'm introducing a Cisco router as an internal router behind my Cisco ASA firewall. The setup is very similar to the attached diagram. Say my workstations are in LAN2. I have configured a static route in my firewall to route traffic from the workstation network (LAN2) to the router interface 192.168.1.1. From my workstations in LAN2, I can ping all the way to the inside interface of the ASA. However, when I try to ping 8.8.8.8 from my workstations, I get a request timeout. I also configured a default gateway on my internal router to point to the inside interface of my ASA. May I know what could be the problem?
Attachment: Cisco.jpg
e1ext:

Have you done NAT on the LAN1 and LAN2 addresses? Also create an ACL to permit ICMP traffic and put the ACL on the outside ASA interface (access-group). It is for the return traffic.
totallypatrick (asker):
Hi e1ext, no NAT is done on LAN1 and LAN2. I can ping 8.8.8.8 if I connect a test workstation behind the inside interface of the ASA. After I introduce a router, I can't ping 8.8.8.8 from behind the router (LAN2).
John Tsioumpris:
If I am not mistaken, LAN2 can't see the IP of the router (192.168.1.1) because it is on a different subnet... Have you tried to ping the router from LAN1 and LAN2, and what are the results?
LAN2 can ping all interfaces on the router as well as the inside interface of the ASA.
Is LAN2 included in a NAT statement on the ASA?
What do the logs say? sh log | i <source_IP>
Run packet tracer on ASA and post the result.
packet-tracer input inside icmp <source_IP> 8 0 8.8.8.8 detailed
Nope, LAN2 is not in a NAT statement on the ASA. Must it be in NAT? I can try to run the packet tracer tomorrow morning and revert.
ASKER CERTIFIED SOLUTION
SIM50 (United States of America):
Thanks for the tip. I'll try it first thing tomorrow morning.
As well as the NAT statements, have you configured any firewall rules to allow the 192.168.2.0/24 network to get to the internet?
Still no joy. I have put in a NAT statement on the inside interface of the ASA for the 192.168.2.0 network and still can't ping. The ACL also allows all outgoing traffic.
Dear SIM50,

My client IP is 192.168.240.10. My workstation network is actually 192.168.240.0/24.

GKC-ASA01# packet-tracer input inside icmp 192.168.240.10 8 0 8.8.8.8 detailed

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffddbac9d0, priority=1, domain=permit, deny=false
        hits=1687, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=inside, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 111.223.124.225 using egress ifc  outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip object Network-240 any
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffdf2eede0, priority=13, domain=permit, deny=false
        hits=0, user_data=0x7fffe5a79f40, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=192.168.240.0, mask=255.255.240.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic Network-240 interface description Test NAT Overload for 240 Network
Additional Information:
Dynamic translate 192.168.240.10/0 to 111.223.124.226/55910
 Forward Flow based lookup yields rule:
 in  id=0x7fffdf33edc0, priority=6, domain=nat, deny=false
        hits=0, user_data=0x7fffdf30a050, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=192.168.240.0, mask=255.255.240.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=outside

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffdd3812f0, priority=0, domain=nat-per-session, deny=true
        hits=5973242, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffddbb45a0, priority=0, domain=inspect-ip-options, deny=true
        hits=5383, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 description Test
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffde6ba850, priority=70, domain=inspect-icmp, deny=false
        hits=1, user_data=0x7fffde6b5060, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffddbb3e50, priority=66, domain=inspect-icmp-error, deny=false
        hits=35, user_data=0x7fffddbb33c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source dynamic Network-240 interface description Test NAT Overload for 240 Network
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7fffdf33f870, priority=6, domain=nat-reverse, deny=false
        hits=1, user_data=0x7fffdf30a3c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=192.168.240.0, mask=255.255.240.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=outside

Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7fffdd3812f0, priority=0, domain=nat-per-session, deny=true
        hits=5973244, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7fffddab2f60, priority=0, domain=inspect-ip-options, deny=true
        hits=1779559, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 4914850, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
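A small parser for the packet-tracer output format shown above, added here as an example (not code from the thread or from Cisco): it splits the trace into its numbered phases and the trailing Result block, then reports the verdict, the first phase that dropped, and the next hop and egress interface the route lookup chose. The embedded trace is a constructed sample in the same layout, not the asker's full output.

```python
import re
# Constructed sample (not a real device's output) in the layout of the packet-tracer trace posted above.
TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Additional Information:
found next-hop 111.223.124.225 using egress ifc  outside

Phase: 2
Type: NAT
Result: ALLOW
Config:
nat (inside,outside) source dynamic Network-240 interface

Result:
input-interface: inside
output-interface: outside
Action: allow
"""

def parse_packet_tracer(text):  # -> (phases, final): one dict per numbered phase, plus the trailing Result block
    phases, final = [], {}
    for block in re.split(r"\n\s*\n", text.strip()):        # phases are blank-line separated
        lines = block.splitlines()
        if lines[0].startswith("Phase:"):
            ph, section = {"phase": int(lines[0].split(":")[1]), "Config": [], "Additional Information": []}, None
            for line in lines[1:]:
                key, _, val = line.partition(":")
                if key in ("Type", "Subtype", "Result"):        # scalar field of the phase
                    ph[key], section = val.strip(), None
                elif key in ph and not val.strip():             # "Config:" / "Additional Information:" header
                    section = key
                elif section and line.strip():                  # free-text line under that header
                    ph[section].append(line.strip())
            phases.append(ph)
        elif lines[0].strip() == "Result:":                     # verdict block at the end of the trace
            for line in lines[1:]:
                key, _, val = line.partition(":")
                final[key.strip()] = val.strip()
    return phases, final

def diagnose(text):  # verdict, first dropping phase, and the egress path the route lookup chose
    phases, final = parse_packet_tracer(text)
    m = re.search(r"next-hop (\S+) using egress ifc\s+(\S+)", " ".join(
        l for p in phases if p.get("Type") == "ROUTE-LOOKUP" for l in p["Additional Information"]))
    return {"action": final.get("Action"), "drop_reason": final.get("Drop-reason"),
            "drop_phase": next((p["Type"] for p in phases if p.get("Result", "").upper() == "DROP"), None),
            "next_hop": m.group(1) if m else None, "egress": m.group(2) if m else None}
```

Run over the trace above, the summary is allow via next hop 111.223.124.225 on outside, so the ASA is passing the probe and the fault lies elsewhere. The Network-240 object in phases 3, 4 and 9 carries mask 255.255.240.0 (a /20) rather than the stated /24, which still matches here but is worth tidying.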
Hello,

I created a simulation for this in GNS3, and it is working just fine. Please find the attached files.
Attachment: Test-LAN-with-Router-and-ASA.zip
Thanks all for the contribution. I've got it. I had forgotten to add a default route on the router.
Good advice