cant pass traffic on the asa between the trusted LANs

[watchguardmonkey]

Hi,
Just been given this network to look after and it has an ASA 5500, which I'm brand new to and the problem is that traffic can't seem to get pass the device when it is all on the trusted side.

We have 12 networks connected via a cisco router, and the asa on the corporate LAN which all the other LANS need to access, I know it's the access-list & NAT statements, but just not sure how they should be setup.

Can anyone shed a bit of light on this? thanks WGM

access-list acl_outside extended permit tcp any host 80.194.100.157 eq smtp
access-list acl_outside extended permit tcp any host 80.194.100.156 eq www
access-list acl_outside extended permit tcp any host 80.194.100.155 eq www
access-list acl_outside extended permit ip 192.168.27.48 255.255.255.240 10.0.1.0 255.255.255.0
access-list acl_outside extended permit ip 10.0.1.0 255.255.255.0 192.168.27.48 255.255.255.240
access-list acl_outside extended permit ip 10.0.0.0 255.0.0.0 10.0.1.0 255.255.255.0
access-list acl_outside extended permit object-group TCPUDP 192.168.27.48 255.255.255.240 10.0.1.0 255.255.255.0 eq www
access-list acl-inside extended permit tcp 10.0.1.0 255.255.255.0 any eq www
access-list acl-inside extended permit ip 10.0.0.0 255.255.255.0 any
access-list outside_1_cryptomap extended permit ip 10.0.1.0 255.255.255.0 any
access-list outside_1_cryptomap extended permit ip 192.168.27.48 255.255.255.240 10.0.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip any 10.0.1.236 255.255.255.252
access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 192.168.27.48 255.255.255.240
access-list inside_nat0_outbound extended permit ip host 10.0.1.0 10.0.1.236 255.255.255.252
access-list outside_access_out extended permit ip 10.0.1.0 255.255.255.0 192.168.27.48 255.255.255.240
access-list DefaultRAGroup_splitTunnelAcl standard permit host 10.0.1.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpnpool 10.0.1.237-10.0.1.238 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 101 80.194.100.130-80.194.100.139 netmask 255.255.255.224
global (outside) 1 80.194.100.145 netmask 255.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.0.0.0 255.0.0.0
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp 80.194.100.157 smtp 10.0.1.4 smtp netmask 255.255.255.255
static (inside,outside) tcp 80.194.100.156

http://www 10.0.1.6

http://www netmask

255.255.255.255
static (inside,outside) tcp 80.194.100.155

http://www 10.0.1.17

http://www netmask

255.255.255.255
access-group acl_outside in interface outside
access-group outside_access_out out interface outside

 

[brianinms]

Yes this acl appears to be blocking it


access-list outside_access_out extended permit ip 10.0.1.0 255.255.255.0 192.168.27.48 255.255.255.240


All ACL's have an inherit deny any any at the end and applying this acl has just that effect.

 

[watchguardmonkey]

Hi

Thanks for teh reply, but could you expand a bit on it, the 192 address is the management ip and I can get to it no problem, the problem lies with the remote sites that are connected via a cisco router getting to the corporate 10.0.1.0 /24 network, the remote sites are all 10.0.2, 10.0.3, etc.

cheers, WGM

 

[brianinms]

How are the remote sites connected to the ASA? Perhaps a network diagram is in order.

 

[watchguardmonkey]

they all connect into a cisco 3600 which then points them to the asa, I'm looking at changing this at the minute which would no doubt solve the problem, but was just wondering what experinced cisco users made of the config and why it is not pasing the traffic, as when I replace the asa with the old FW, everything works fine.

 

[brianinms]

I bet its the fact that you don't have the routes in the ASA pointing the other subnets back to the internal router.

 

[watchguardmonkey]

brianinms first thing I checked they all point back to the 3600 interface that's on the LAN, it's to do with the ACL's and he NAT statements, will put the errors into the cisco tool and get it from that, just thought someone on here might have spotted the error in the config.

thanks for you help.

WGM

 

[watchguardmonkey]

OK here is the error message, but the cisco error decoder dosn't like it,

Config

nat (inside) 1 10.0.0.0 255.0.0.0
match ip inside 10.0.0.0 255.0.0.0 inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 2, untranslate_hits = 0

so what is he global statement that I need to put in? anybody?!

thanks, WGM

 

[brianinms]

Post your full config

 

[watchguardmonkey]

why?

 

[brianinms]

Its hard to troubleshoot issues with half a configuration. I don't know the total picture so instead of asking a million questions its easier to have all the information.

 

[watchguardmonkey]

ok just for info incase anyone else has the same issue, it was solved by putting a no-nat rule for the 10's networks.
cheers,
WGM