totallypatrick
asked on
Can't access Internet behind Cisco Router
Dear experts, I'm introducing a Cisco router as an internal router behind my Cisco ASA firewall. The setup is very similar to the attached diagram. Say my workstations are in LAN2. I have configured a static route in my firewall to route traffic for the workstation network (LAN2) to the router interface 192.168.1.1. From my workstations in LAN2, I can ping all the way to the inside interface of the ASA. However, when I try to ping 8.8.8.8 from my workstations, I get a request timed out. I have also configured a default gateway on my internal router to point to the inside interface of my ASA. May I know what could be the problem?
Cisco.jpg (attached diagram)
Have you done NAT for the LAN1 and LAN2 addresses? Also create an ACL to permit ICMP traffic and apply it to the outside ASA interface (access-group); it is for the return traffic.
ASKER
Hi e1ext, no NAT is done for LAN1 and LAN2. I can ping 8.8.8.8 if I connect a test workstation behind the inside interface of the ASA. After I introduce the router, I can't ping 8.8.8.8 from behind the router (LAN2).
If I am not mistaken, LAN2 can't see the IP of the router (192.168.1.1) because it is on a different subnet. Have you tried to ping the router from LAN1 and LAN2, and what are the results?
ASKER
LAN2 can ping all interfaces on the router as well as the inside interface of the ASA.
Is LAN2 included in the NAT statement on the ASA?
What do logs say? sh log | i <source_IP>
Run packet tracer on ASA and post the result.
packet-tracer input inside icmp <source_IP> 8 0 8.8.8.8 detailed
ASKER
Nope, LAN2 is not in a NAT statement on the ASA. Must it be in NAT? I can try to run the packet tracer tomorrow morning and revert.
ASKER CERTIFIED SOLUTION
ASKER
Thanks for the tip. I'll try it first thing tomorrow morning.
As well as the NAT statements, have you configured any firewall rules to allow the 192.168.2.0/24 network to get to the Internet?
ASKER
Still no joy. I have put in a NAT statement on the inside interface of the ASA for the 192.168.2.0 network and still can't ping. The ACL also allows all outgoing traffic.
ASKER
Dear SIM50,
My client IP is 192.168.240.10. My workstation network is actually 192.168.240.0/24.
GKC-ASA01# packet-tracer input inside icmp 192.168.240.10 8 0 8.8.8.8 detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffddbac9d0, priority=1, domain=permit, deny=false
hits=1687, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 111.223.124.225 using egress ifc outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip object Network-240 any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffdf2eede0, priority=13, domain=permit, deny=false
hits=0, user_data=0x7fffe5a79f40, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.240.0, mask=255.255.240.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic Network-240 interface description Test NAT Overload for 240 Network
Additional Information:
Dynamic translate 192.168.240.10/0 to 111.223.124.226/55910
Forward Flow based lookup yields rule:
in id=0x7fffdf33edc0, priority=6, domain=nat, deny=false
hits=0, user_data=0x7fffdf30a050, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.240.0, mask=255.255.240.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffdd3812f0, priority=0, domain=nat-per-session, deny=true
hits=5973242, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffddbb45a0, priority=0, domain=inspect-ip-options, deny=true
hits=5383, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
description Test
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffde6ba850, priority=70, domain=inspect-icmp, deny=false
hits=1, user_data=0x7fffde6b5060, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffddbb3e50, priority=66, domain=inspect-icmp-error, deny=false
hits=35, user_data=0x7fffddbb33c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source dynamic Network-240 interface description Test NAT Overload for 240 Network
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fffdf33f870, priority=6, domain=nat-reverse, deny=false
hits=1, user_data=0x7fffdf30a3c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.240.0, mask=255.255.240.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fffdd3812f0, priority=0, domain=nat-per-session, deny=true
hits=5973244, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fffddab2f60, priority=0, domain=inspect-ip-options, deny=true
hits=1779559, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 4914850, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
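A `packet-tracer` run that ends in `Action: allow`, like the one above, tells you the ASA's own policy (ACL, route lookup, NAT, inspection) is not where the packet dies, so the search moves to the other devices on the path. Reading twelve phases by hand is error-prone, so here is an added Python example (written for this page, not code from the thread or from Cisco) that parses `packet-tracer ... detailed` output into phases, reports the first phase that returned DROP, and extracts the egress next-hop, the NAT translation and the final action. `ALLOW_TRACE` is an abbreviated copy of the output posted above; `DROP_TRACE` is a constructed trace of the same flow being denied by the inside ACL, in the same layout the ASA prints.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Phase:
    number: int
    ptype: str = ""
    result: str = ""
    info: list = field(default_factory=list)   # lines under "Additional Information:"

def parse_packet_tracer(text):
    """Return (phases, final); final holds the closing "Result:" block as key/value pairs."""
    phases, final, phase, section, in_final = [], {}, None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"Phase:\s*(\d+)$", line):   # a new phase starts
            phase = Phase(int(m.group(1)))
            phases.append(phase)
            section = None
        elif line == "Result:":                        # bare "Result:" opens the closing summary
            in_final, phase = True, None
        elif in_final:
            key, _, val = line.partition(":")
            final[key.strip()] = val.strip()
        elif phase is None:                            # prompt / echoed command before phase 1
            continue
        elif line.startswith("Type:"):
            phase.ptype = line[5:].strip()
        elif line.startswith("Result:"):
            phase.result = line[7:].strip().upper()
        elif line == "Additional Information:":
            section = "info"                           # "Config:" lines stay in section None
        elif section == "info":
            phase.info.append(line)
    return phases, final

_HOP = re.compile(r"found next-hop (\S+) using egress ifc (\S+)")
_XLATE = re.compile(r"translate\s+(\S+?)/\d+\s+to\s+(\S+?)/\d+")

def first_drop(phases):
    return next((p for p in phases if p.result == "DROP"), None)

def _search(phases, ptype, pattern):
    for p in phases:
        if p.ptype == ptype:
            for line in p.info:
                if m := pattern.search(line):
                    return m.groups()
    return None

def summarize(text):
    phases, final = parse_packet_tracer(text)
    d = first_drop(phases)
    return {
        "action": final.get("Action", "").lower() or None,
        "path": (final.get("input-interface"), final.get("output-interface")),
        "next_hop": _search(phases, "ROUTE-LOOKUP", _HOP),  # (next-hop, egress ifc)
        "nat": _search(phases, "NAT", _XLATE),              # (real src, mapped src)
        "first_drop": (d.number, d.ptype) if d else None,
        "drop_reason": final.get("Drop-reason"),
    }

# Abbreviated form of the trace posted above (same layout, most phases omitted).
ALLOW_TRACE = """\
GKC-ASA01# packet-tracer input inside icmp 192.168.240.10 8 0 8.8.8.8 detailed
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Config:
Additional Information:
found next-hop 111.223.124.225 using egress ifc outside
Phase: 2
Type: NAT
Result: ALLOW
Config:
nat (inside,outside) source dynamic Network-240 interface
Additional Information:
Dynamic translate 192.168.240.10/0 to 111.223.124.226/55910
Result:
input-interface: inside
output-interface: outside
Action: allow
"""
# Constructed trace of the same flow denied by the inside ACL (not from the thread).
DROP_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Result: DROP
Config:
access-group inside_access_in in interface inside
Additional Information:
Result:
input-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    for name, text in (("allow", ALLOW_TRACE), ("drop", DROP_TRACE)):
        print(name, summarize(parse_packet_tracer.__name__ and text))
```

Feed it the raw text copied from the ASA console; `summarize()` returns `first_drop` as `None` for the trace above and `(1, "ACCESS-LIST")` for the constructed denial, which is the phase to fix when the ASA is at fault.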
Hello,
I created a simulation for this in GNS3 and it is working just fine; please find the attached files.
Test-LAN-with-Router-and-ASA.zip
ASKER
Thanks all for the contribution. I've got it. I had forgotten to add the default route on the router.
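The outcome fits the symptoms from the first post: LAN2 could reach every router interface and the ASA inside address because those are directly connected routes on the router, while 8.8.8.8 matched nothing in the router's table and was dropped before the ASA ever saw it, which is also why `packet-tracer` on the ASA kept saying allow. One caveat worth knowing on IOS: `ip default-gateway` is only honoured when IP routing is disabled; a router that forwards between LAN1 and LAN2 needs `ip route 0.0.0.0 0.0.0.0 <ASA inside address>`. The return path matters too: the ASA must have a route for the workstation subnet via 192.168.1.1 (the static route mentioned in the question) and a NAT rule and ACL that cover that subnet. The added Python model below (written for this page, not from the thread) plays the four cases through longest-prefix lookups on both devices. Addresses 192.168.1.1, 192.168.240.0/24 and 111.223.124.225 come from the thread; the ASA inside address 192.168.1.254, the outside subnet and the interface names are assumptions.

```python
import ipaddress
from dataclasses import dataclass

ROUTER_LAN1 = "192.168.1.1"        # from the thread
ASA_INSIDE = "192.168.1.254"       # assumption: the thread never gives this address
ISP_GW = "111.223.124.225"         # next-hop shown in the packet-tracer output

@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    via: str          # next-hop address, or "connected"
    ifc: str

class Device:
    def __init__(self, name, routes):
        self.name = name
        self.routes = [Route(ipaddress.ip_network(p), via, ifc) for p, via, ifc in routes]

    def lookup(self, dst):
        """Longest-prefix match; None when no route (not even a default) covers dst."""
        dst = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if dst in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

def build(router_default, asa_return_route):
    """Router and ASA tables; the two flags are the two routes this thread depends on."""
    router = Device("router", [
        ("192.168.240.0/24", "connected", "Gi0/1"),      # LAN2, the workstations
        ("192.168.1.0/24", "connected", "Gi0/0"),        # LAN1, towards the ASA
    ] + ([("0.0.0.0/0", ASA_INSIDE, "Gi0/0")] if router_default else []))
    asa = Device("asa", [
        ("192.168.1.0/24", "connected", "inside"),
        ("111.223.124.224/29", "connected", "outside"),  # assumed outside subnet
        ("0.0.0.0/0", ISP_GW, "outside"),
    ] + ([("192.168.240.0/24", ROUTER_LAN1, "inside")] if asa_return_route else []))
    owners = {ROUTER_LAN1: router, ASA_INSIDE: asa}   # which device answers to which next-hop
    return router, asa, owners

def forward(dev, dst, owners, max_hops=8):
    """Walk dst hop by hop; returns (outcome, path) with outcome delivered/egress/dropped/loop."""
    path = []
    for _ in range(max_hops):
        r = dev.lookup(dst)
        if r is None:
            path.append(f"{dev.name}: no route to {dst}")
            return "dropped", path
        if r.via == "connected":
            path.append(f"{dev.name}: {dst} is on-link via {r.ifc}")
            return "delivered", path
        path.append(f"{dev.name}: {dst} -> {r.via} via {r.ifc}")
        dev = owners.get(r.via)
        if dev is None:                   # next-hop lies outside the model (the ISP)
            return "egress", path
    return "loop", path

if __name__ == "__main__":
    router, asa, owners = build(router_default=False, asa_return_route=True)
    print(forward(router, ASA_INSIDE, owners))     # delivered: why pinging the ASA worked
    print(forward(router, "8.8.8.8", owners))      # dropped at the router: no default route
    router, asa, owners = build(router_default=True, asa_return_route=True)
    print(forward(router, "8.8.8.8", owners))      # egress through the ASA's outside interface
    print(forward(asa, "192.168.240.10", owners))  # reply path back through the router
```

With `asa_return_route=False` the ASA sends the reply for 192.168.240.10 towards its default route instead of back to 192.168.1.1, which is the mirror-image failure to watch for once the router's default route is in place.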
ASKER
Good advice