cant pass traffic on the asa between the trusted LANs


watchguardmonkey

Hi,
Just been given this network to look after and it has an ASA 5500, which I'm brand new to, and the problem is that traffic can't seem to get past the device when it is all on the trusted side.

We have 12 networks connected via a Cisco router, and the ASA on the corporate LAN, which all the other LANs need to access. I know it's the access-list & NAT statements, but just not sure how they should be set up.

Can anyone shed a bit of light on this? Thanks, WGM

access-list acl_outside extended permit tcp any host 80.194.100.157 eq smtp
access-list acl_outside extended permit tcp any host 80.194.100.156 eq www
access-list acl_outside extended permit tcp any host 80.194.100.155 eq www
access-list acl_outside extended permit ip 192.168.27.48 255.255.255.240 10.0.1.0 255.255.255.0
access-list acl_outside extended permit ip 10.0.1.0 255.255.255.0 192.168.27.48 255.255.255.240
access-list acl_outside extended permit ip 10.0.0.0 255.0.0.0 10.0.1.0 255.255.255.0
access-list acl_outside extended permit object-group TCPUDP 192.168.27.48 255.255.255.240 10.0.1.0 255.255.255.0 eq www
access-list acl-inside extended permit tcp 10.0.1.0 255.255.255.0 any eq www
access-list acl-inside extended permit ip 10.0.0.0 255.255.255.0 any
access-list outside_1_cryptomap extended permit ip 10.0.1.0 255.255.255.0 any
access-list outside_1_cryptomap extended permit ip 192.168.27.48 255.255.255.240 10.0.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip any 10.0.1.236 255.255.255.252
access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 192.168.27.48 255.255.255.240
access-list inside_nat0_outbound extended permit ip host 10.0.1.0 10.0.1.236 255.255.255.252
access-list outside_access_out extended permit ip 10.0.1.0 255.255.255.0 192.168.27.48 255.255.255.240
access-list DefaultRAGroup_splitTunnelAcl standard permit host 10.0.1.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpnpool 10.0.1.237-10.0.1.238 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 101 80.194.100.130-80.194.100.139 netmask 255.255.255.224
global (outside) 1 80.194.100.145 netmask 255.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.0.0.0 255.0.0.0
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp 80.194.100.157 smtp 10.0.1.4 smtp netmask 255.255.255.255
static (inside,outside) tcp 80.194.100.156 255.255.255.255
static (inside,outside) tcp 80.194.100.155 255.255.255.255
access-group acl_outside in interface outside
access-group outside_access_out out interface outside
 
Yes, this ACL appears to be blocking it:


access-list outside_access_out extended permit ip 10.0.1.0 255.255.255.0 192.168.27.48 255.255.255.240


All ACLs have an inherent deny any any at the end, and applying this ACL has just that effect.
 
Hi

Thanks for the reply, but could you expand a bit on it? The 192 address is the management IP and I can get to it no problem; the problem lies with the remote sites that are connected via a Cisco router getting to the corporate 10.0.1.0/24 network. The remote sites are all 10.0.2, 10.0.3, etc.

Cheers, WGM
 
How are the remote sites connected to the ASA? Perhaps a network diagram is in order.
 
They all connect into a Cisco 3600 which then points them to the ASA. I'm looking at changing this at the minute, which would no doubt solve the problem, but was just wondering what experienced Cisco users made of the config and why it is not passing the traffic, as when I replace the ASA with the old FW, everything works fine.
 
I bet it's the fact that you don't have the routes in the ASA pointing the other subnets back to the internal router.
 
brianinms, first thing I checked; they all point back to the 3600 interface that's on the LAN. It's to do with the ACLs and the NAT statements. I will put the errors into the Cisco tool and get it from that; just thought someone on here might have spotted the error in the config.

Thanks for your help.

WGM
 
OK, here is the error message, but the Cisco error decoder doesn't like it:

Config

nat (inside) 1 10.0.0.0 255.0.0.0
match ip inside 10.0.0.0 255.0.0.0 inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 2, untranslate_hits = 0

So what is the global statement that I need to put in? Anybody?!

Thanks, WGM
 
It's hard to troubleshoot issues with half a configuration. I don't know the total picture, so instead of asking a million questions it's easier to have all the information.
 
OK, just for info in case anyone else has the same issue: it was solved by putting a no-nat rule in for the 10.x networks.
Cheers,
WGM
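The "No matching global" output above and the no-nat resolution follow from the order in which a nat-control style ASA (nat/global/static syntax, as posted in the thread) evaluates translation rules: the nat 0 access-list exemption is consulted first; otherwise the most specific nat statement covering the real source is chosen, and that nat ID must have a global on the egress interface. The Python model below is an added example written for this page, not Cisco code, and it deliberately omits static and policy NAT. It loads the nat, global and nat0 entries from the posted configuration and walks the hairpin flow the show output describes (remote-site 10.0.2.x arriving on inside, destined for 10.0.1.0/24, routed back out of inside). The host addresses 10.0.2.5, 10.0.1.4 and 203.0.113.10 and the exact wording of the added exemption entry are constructed assumptions, since the poster did not quote the line they added.

```python
# Added example: a teaching model of pre-8.3 ASA nat-control lookup, reduced to
# nat 0 exemption, regular dynamic nat, and global.  Static/policy NAT omitted.
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network
ANY = Net("0.0.0.0/0")


def net(s: str) -> Net:
    """Parse ASA-style '10.0.1.0 255.255.255.0', 'host 10.0.1.4' or 'any'."""
    if s == "any":
        return ANY
    if s.startswith("host "):
        return Net(s[5:] + "/32")
    addr, mask = s.split()
    return Net(f"{addr}/{mask}")


@dataclass(frozen=True)
class NatRule:
    ifc: str        # interface the nat statement is bound to
    nat_id: int     # ties the nat statement to a global with the same ID
    real: Net       # real addresses the statement covers


@dataclass
class AsaNat:
    exempt: list    # nat (inside) 0 access-list entries as (src, dst) networks
    rules: list     # regular dynamic nat statements
    globals_: set   # (interface, id) pairs that have a global statement


def lookup(cfg: AsaNat, in_ifc: str, out_ifc: str, src: str, dst: str):
    """Return (decision, detail) for a flow entering in_ifc and leaving out_ifc."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 1. NAT exemption (nat 0 access-list) is checked before everything else.
    for esrc, edst in cfg.exempt:
        if s in esrc and d in edst:
            return ("exempt", "nat 0 access-list match; passes untranslated")
    # 2. Regular dynamic NAT: the most specific nat statement on the ingress
    #    interface that covers the real source wins, regardless of line order.
    hits = [r for r in cfg.rules if r.ifc == in_ifc and s in r.real]
    if not hits:
        return ("no-rule", "no nat statement covers the source; dropped under nat-control")
    best = max(hits, key=lambda r: r.real.prefixlen)
    # 3. The chosen nat ID must have a global on the egress interface.
    if (out_ifc, best.nat_id) in cfg.globals_:
        return ("translate", f"nat ({in_ifc}) {best.nat_id} -> global ({out_ifc}) {best.nat_id}")
    return ("no-global", f"nat ({in_ifc}) {best.nat_id} has no global on {out_ifc}")


# The nat0 / nat / global entries exactly as posted in the thread.
thread_cfg = AsaNat(
    exempt=[
        (net("10.0.1.0 255.255.255.0"), ANY),
        (ANY, net("10.0.1.236 255.255.255.252")),
        (net("10.0.1.0 255.255.255.0"), net("192.168.27.48 255.255.255.240")),
        (net("host 10.0.1.0"), net("10.0.1.236 255.255.255.252")),
    ],
    rules=[
        NatRule("inside", 1, net("10.0.0.0 255.0.0.0")),
        NatRule("inside", 101, net("0.0.0.0 0.0.0.0")),
    ],
    globals_={("outside", 101), ("outside", 1)},
)


def diagnose(cfg: AsaNat):
    """Remote-site host (constructed 10.0.2.5) -> corporate host (constructed
    10.0.1.4), entering and leaving inside: the 'match ip inside 10.0.0.0
    255.0.0.0 inside any ... (No matching global)' case from the show output."""
    return lookup(cfg, "inside", "inside", "10.0.2.5", "10.0.1.4")


def with_no_nat_fix(cfg: AsaNat) -> AsaNat:
    """The poster's resolution, a no-nat entry for the 10.x networks.  The
    exact line is not quoted in the thread; this is a constructed equivalent:
    access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.0.1.0 255.255.255.0"""
    fix = (net("10.0.0.0 255.0.0.0"), net("10.0.1.0 255.255.255.0"))
    return AsaNat(exempt=cfg.exempt + [fix], rules=cfg.rules, globals_=cfg.globals_)


if __name__ == "__main__":
    print("before fix :", diagnose(thread_cfg))
    print("after fix  :", diagnose(with_no_nat_fix(thread_cfg)))
    # Same source bound for the Internet (constructed 203.0.113.10) is fine
    # either way, because global (outside) 1 exists.
    print("to outside :", lookup(thread_cfg, "inside", "outside", "10.0.2.5", "203.0.113.10"))
```

Note that the reverse direction (10.0.1.x to 10.0.2.x) was already exempt through the first inside_nat0_outbound line, so only remote-to-corporate flows hit nat 1 with no inside global; that asymmetry is why the thread's return-route checks looked fine while the traffic still failed. On a real ASA, an inside-to-inside hairpin like this additionally needs same-security-traffic permit intra-interface, which the posted configuration excerpt does not show.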
 