ASA lab issue

flipmad Member Posts: 184
I have the following LAB set up.

A LAN 1751 connected to the inside interface of an ASA 5510, and a WAN 1751 connected to the outside interface of the ASA 5510.

I have included a JPG.

From the WAN router, I can source ping from both subnets and ping the ASA OUTSIDE interface.

From the LAN router, I can ping the INSIDE interface of the ASA but I cannot ping the OUTSIDE interface.

I'm not sure if this has to do with my ACLs or my NAT.

LABASA# sh run
: Saved
:
ASA Version 8.2(1)
!
hostname LABASA
names
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 10.255.255.1 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 9.9.9.10 255.255.255.240
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
object-group network labips
network-object 9.9.9.0 255.255.255.240
network-object 11.11.11.0 255.255.255.0
object-group service labtcp tcp
port-object eq https
port-object eq 8081
port-object eq ssh
port-object eq 89
port-object eq 500
port-object eq 10000
port-object eq 3389
port-object eq 4500
access-list 101 extended permit icmp any any
access-list 101 extended permit ospf any any
access-list 101 extended permit tcp 10.255.255.0 255.255.255.0 any eq ssh
access-list 101 extended deny tcp any any eq ssh
access-list 101 extended permit ip any any
access-list 103 extended permit icmp object-group labips any
access-list 103 extended deny tcp any any eq ssh
access-list 103 extended permit tcp object-group labips any object-group labtcp
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 9.9.9.12 netmask 255.255.255.240
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 101 in interface inside
access-group 103 in interface outside
route outside 0.0.0.0 0.0.0.0 9.9.9.11 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.255.255.0 255.255.255.0 inside
http 11.11.11.0 255.255.255.0 outside
http 9.9.9.0 255.255.255.240 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 10.255.255.0 255.255.255.0 inside
ssh 9.9.9.0 255.255.255.240 outside
ssh 11.11.11.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username password encrypted
!
!
prompt hostname context
Cryptochecksum:167315f8ec1d346d1f6cc485c3367b61
: end


WANROUTER#sh run
Building configuration...

Current configuration : 925 bytes
!
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname WANROUTER
!
boot-start-marker
boot-end-marker

!
memory-size iomem 25
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
ip domain name LAB.com
!
no ip cef
ip audit po max-events 100
!
!

!
!
!
!
!
!
interface FastEthernet0/0
ip address 9.9.9.11 255.255.255.0
speed auto
!
interface Serial0/0
ip address 11.11.11.1 255.255.255.0
no fair-queue
!
ip classless
no ip http server
no ip http secure-server
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
login local
transport input ssh
!
end





LAN ROUTER#sh run
Building configuration...

Current configuration:
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname LANROUTER
!
!
!
!
memory-size iomem 25
ip subnet-zero
!
!
!
!
interface Serial0
no ip address
shutdown
no fair-queue
!
interface FastEthernet0
ip address 10.255.255.2 255.255.255.0
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.255.255.1
no ip http server
!
!
line con 0
transport input none
line aux 0
line vty 0 4
!
no scheduler allocate
end
LAB.jpg 16.4K
