[c-nsp] ASA 5505 doesn't like itself
Wil Schultz
wschultz at bsdboy.com
Tue Feb 22 14:27:02 EST 2011
On Feb 22, 2011, at 7:03 AM, Michael Loether wrote:
> On Feb 17, 2011, at 5:10 PM, Ryan West wrote:
>> Can you post the show runs for the NAT, ACL, access-groups, and interfaces?
>
> Interfaces:
>
> interface Vlan1
> nameif inside
> security-level 100
> ip address 172.19.1.1 255.255.255.0
> !
> interface Vlan2
> nameif outside
> security-level 0
> ip address 64.183.175.22 255.255.255.252
> !
> interface Ethernet0/0
> switchport access vlan 2
> !
> interface Ethernet0/1
> !
>
> ACL:
>
> access-list inside_access_in extended permit icmp any any
> access-list inside_access_in extended permit ip any any
> access-list outside_access_in extended permit ip any any
> access-list outside_access_in extended permit icmp any any
> access-list outside_access_in extended permit tcp object-group AWC-Outside 64.183.175.20 255.255.255.252 eq ssh
> access-list outside_access_in extended permit udp object Orion object AWC-YRMC-LLC-Outside eq snmp
>
> NAT
>
> nat (inside,outside) source dynamic any interface
>
> Mike
I'm not familiar with this fancy new NAT command, so I won't comment on whether it's correct or not.
> nat (inside,outside) source dynamic any interface
However, this is the traditional way to allow traffic to flow:
nat (inside) 10 172.19.1.0 255.255.255.0
global (outside) 10 interface
Also, assuming that things are plugged in correctly, from the ASA you can ping out to the Internet and to internal hosts, yes?
If that doesn't work, set up a syslog box and send the logs there; the ASA has excellent logging.
Best of luck.
-wil