On the inside network, which is 172.23.14.0/24, I have some servers hooked up. Security is level 100. On the clients network, which is 172.23.20.0/24, I have a bunch of clients. Security is level 80.
Basically, I want my client to be able to talk to my servers. Right now I can't figure out how the heck to do that though. Actually, I had it working an hour ago, but somehow managed to screw it up. I believe I got it working bt doing:
global (inside) 1 172.23.14.200-172.23.14.249 nat (clients) 1 172.23.20.0 255.255.255.0
However that's still in there and its not working. It's telling me: Deny inbound icmp src clients:172.23.20.100 ds2 inside:172.23.14.101
I'm sure there's a better way to do this, I'm very new to it. Any help much appreciated.
Do you have version 7.0 or higher of the OS? Then it depends if you have enabled NAT control.
If NAT control is enabled, you need a NAT rule for everything what should pass between the interfaces (even if you don't want to change the address at all).
If NAT control is disabled (default), only the appropiate access lists are used.
Still not working. I must be doing something wrong. Included below is my config, maybe someone can spot something. Again I am trying to go from clients to inside (and vice versa).
Here's the config:
: Saved : ASA Version 8.0(2) ! hostname ciscoasa domain-name default.domain.invalid enable password XXXX encrypted names dns-guard ! interface Ethernet0/0 nameif outside security-level 0 ip address XX.XX.XX.51 255.255.255.248 ! interface Ethernet0/1 nameif inside security-level 100 ip address 172.23.14.1 255.255.255.0 ! interface Ethernet0/2 shutdown no nameif no security-level no ip address ! interface Ethernet0/3 nameif client security-level 80 ip address 172.23.20.1 255.255.255.0 ! interface Management0/0 nameif management security-level 100 ip address 192.168.1.1 255.255.255.0 management-only ! passwd XXX encrypted ftp mode passive dns server-group DefaultDNS domain-name default.domain.invalid access-list outside_access_in extended permit icmp any any echo-reply access-list outside_access_in extended permit icmp any any time- exceeded access-list client-to-inside extended permit ip 172.23.20.0
255.255.255.0 172.23.14.0 255.255.255.0 pager lines 24 logging enable logging asdm informational mtu outside 1500 mtu inside 1500 mtu client 1500 mtu management 1500 no failover icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-602.bin no asdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 1 0.0.0.0 0.0.0.0 nat (client) 1 0.0.0.0 0.0.0.0 access-group outside_access_in in interface outside access-group client-to-inside in interface client route outside 0.0.0.0 0.0.0.0 XX.XX.XX.50 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat
0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip- disconnect 0:02:00 timeout uauth 0:05:00 absolute dynamic-access-policy-record DfltAccessPolicy http server enable http 192.168.1.0 255.255.255.0 management http 172.23.14.0 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart no crypto isakmp nat-traversal telnet timeout 5 ssh timeout 5 console timeout 0 dhcpd address 172.23.14.100-172.23.14.105 inside dhcpd dns 4.2.2.2 interface inside dhcpd enable inside ! dhcpd address 172.23.20.100-172.23.20.155 client dhcpd dns 4.2.2.2 interface client dhcpd enable client ! dhcpd address 192.168.1.2-192.168.1.254 management dhcpd enable management ! threat-detection basic-threat threat-detection statistics access-list ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns migrated_dns_map_1 parameters message-length maximum 512 policy-map global_policy class inspection_default inspect dns migrated_dns_map_1 inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp ! service-policy global_policy global prompt hostname context : end asdm image disk0:/asdm-602.bin no asdm history enable
The clear xlate is to delete existing translation , wich may will existing connection..
And keep your access-group on the client interface , you still need it
Still not working. I must be doing something wrong. Included below is my config, maybe someone can spot something. Again I am trying to go from clients to inside (and vice versa).
Here's the config:
: Saved : ASA Version 8.0(2) ! hostname ciscoasa domain-name default.domain.invalid enable password XXXX encrypted names dns-guard ! interface Ethernet0/0 nameif outside security-level 0 ip address XX.XX.XX.51 255.255.255.248 ! interface Ethernet0/1 nameif inside security-level 100 ip address 172.23.14.1 255.255.255.0 ! interface Ethernet0/2 shutdown no nameif no security-level no ip address ! interface Ethernet0/3 nameif client security-level 80 ip address 172.23.20.1 255.255.255.0 ! interface Management0/0 nameif management security-level 100 ip address 192.168.1.1 255.255.255.0 management-only ! passwd XXX encrypted ftp mode passive dns server-group DefaultDNS domain-name default.domain.invalid access-list outside_access_in extended permit icmp any any echo-reply access-list outside_access_in extended permit icmp any any time- exceeded access-list client-to-inside extended permit ip 172.23.20.0
255.255.255.0 172.23.14.0 255.255.255.0 pager lines 24 logging enable logging asdm informational mtu outside 1500 mtu inside 1500 mtu client 1500 mtu management 1500 no failover icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-602.bin no asdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 1 0.0.0.0 0.0.0.0 nat (client) 1 0.0.0.0 0.0.0.0 access-group outside_access_in in interface outside access-group client-to-inside in interface client route outside 0.0.0.0 0.0.0.0 XX.XX.XX.50 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat
0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip- disconnect 0:02:00 timeout uauth 0:05:00 absolute dynamic-access-policy-record DfltAccessPolicy http server enable http 192.168.1.0 255.255.255.0 management http 172.23.14.0 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart no crypto isakmp nat-traversal telnet timeout 5 ssh timeout 5 console timeout 0 dhcpd address 172.23.14.100-172.23.14.105 inside dhcpd dns 4.2.2.2 interface inside dhcpd enable inside ! dhcpd address 172.23.20.100-172.23.20.155 client dhcpd dns 4.2.2.2 interface client dhcpd enable client ! dhcpd address 192.168.1.2-192.168.1.254 management dhcpd enable management ! threat-detection basic-threat threat-detection statistics access-list ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns migrated_dns_map_1 parameters message-length maximum 512 policy-map global_policy class inspection_default inspect dns migrated_dns_map_1 inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp ! service-policy global_policy global prompt hostname context : end asdm image disk0:/asdm-602.bin no asdm history enable
Maybe you can get more information with using the powerful capture function with trace enabled. There you should be able to see what happens to the packets. On a PIX with 7.x you can do something like
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here.
All logos and trade names are the property of their respective owners.