Configuring ASA behind ADSL router

Status
Not open for further replies.

skk391

Technical User
Mar 3, 2009
332
GB
Hi all,

I'm trying to configure an ASA sat behind a standard ADSL router. I've read some posts and articles about setting this up and read about double NATting etc. I tried the following config. I can ping from the ASA to all parts of the network, i.e. 172.16.0.X and 192.168.1.X, and can ping IP addresses externally, i.e. 212.58.244.68 (bbc), but I can't get any Internet connection nor ping from a host on the 172.16.0.X network.

My config


Building configuration...
Cryptochecksum: 896e7571 44f13afd a8b1dbe9 91916e1f

1735 bytes copied in 1.620 secs (1735 bytes/sec)
[OK]
ciscoasa#
ciscoasa#
ciscoasa#
ciscoasa#
ciscoasa#
ciscoasa#
ciscoasa# show config
: Saved
: Written by enable_15 at 05:23:51.109 UTC Mon Jan 6 2014
!
ASA Version 8.2(1)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.0.20 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
ftp mode passive
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 172.16.0.0 255.255.255.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
!
prompt hostname context
Cryptochecksum:896e757144f13afda8b1dbe991916e1f




My other question is that sometimes when I make a change, i.e. put e0/1 into vlan 1, and save the changes, I can't see the changes when I enter show config. Why is that?



The network I'm trying to create is

ADSL Router ( with NAT) -> e0/0 ASA (with NAT) -> e0/1 Internal network


Am I doing this correctly? Is this the correct way to do this?

Some other useful outputs:

ciscoasa# show int ip br
Interface          IP-Address     OK?  Method  Status                 Protocol
Internal-Data0/0   unassigned     YES  unset   up                     up
Internal-Data0/1   unassigned     YES  unset   up                     up
Vlan1              172.16.0.20    YES  manual  up                     up
Vlan2              192.168.1.12   YES  DHCP    up                     up
Virtual0           127.0.0.1      YES  unset   up                     up
Ethernet0/0        unassigned     YES  unset   up                     up
Ethernet0/1        unassigned     YES  unset   up                     up
Ethernet0/2        unassigned     YES  unset   administratively down  down
Ethernet0/3        unassigned     YES  unset   administratively down  down
Ethernet0/4        unassigned     YES  unset   administratively down  down
Ethernet0/5        unassigned     YES  unset   administratively down  down
Ethernet0/6        unassigned     YES  unset   administratively down  down
Ethernet0/7        unassigned     YES  unset   administratively down  down



ciscoasa#
ciscoasa# show nat

NAT policies on Interface inside:
  match ip inside 172.16.0.0 255.255.255.0 inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 172.16.0.0 255.255.255.0 outside any
    dynamic translation to pool 1 (192.168.1.12 [Interface PAT])
    translate_hits = 60, untranslate_hits = 8
  match ip inside 172.16.0.0 255.255.255.0 _internal_loopback any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0



ciscoasa# show xlate

Thanks
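
Added example, not part of the original post: a Python check of how pre-8.3 ASA software (such as the 8.2(1) shown above) pairs `nat` and `global` statements by NAT ID, which is what `show nat` reports per interface pair. The config excerpt is copied from the post; the function names `parse` and `nat_pairs` are hypothetical, and only the plain `nat (if) id network mask` form is handled.

```python
import re

# Constructed sample: the nameif/nat/global lines from the configuration posted above.
CONFIG = """\
interface Vlan1
 nameif inside
interface Vlan2
 nameif outside
global (outside) 1 interface
nat (inside) 1 172.16.0.0 255.255.255.0
"""

NAMEIF = re.compile(r"^\s*nameif\s+(\S+)")
NAT = re.compile(r"^\s*nat\s+\((\S+)\)\s+(\d+)\s+(\S+)\s+(\S+)")
GLOBAL = re.compile(r"^\s*global\s+\((\S+)\)\s+(\d+)\s+(.+?)\s*$")


def parse(config):
    """Collect interface names, nat rules and global pools (pre-8.3 syntax)."""
    names, nats, pools = [], [], {}
    for line in config.splitlines():
        if m := NAMEIF.match(line):
            names.append(m.group(1))
        elif m := NAT.match(line):
            nats.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
        elif m := GLOBAL.match(line):
            pools.setdefault((m.group(1), int(m.group(2))), []).append(m.group(3))
    return names, nats, pools


def nat_pairs(config):
    """Map (source_if, dest_if, network) to its global pool, or None if unpaired."""
    names, nats, pools = parse(config)
    result = {}
    for src_if, nat_id, net, mask in nats:
        for dst_if in names:
            if nat_id == 0:
                pool = "identity"  # nat 0 does not use a global statement
            else:
                # A global on the egress interface must carry the same NAT ID.
                found = pools.get((dst_if, nat_id))
                pool = ", ".join(found) if found else None
            result[(src_if, dst_if, f"{net} {mask}")] = pool
    return result


if __name__ == "__main__":
    for (src, dst, net), pool in nat_pairs(CONFIG).items():
        print(f"{src} -> {dst}  {net}: {pool or 'No matching global'}")
```

For the posted config this reports interface PAT for inside to outside and no matching global for inside to inside, the same pairing the `show nat` output lists for those two interfaces.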