Hi,
I'm not sure why you use NAT between Inside and Outside interfaces as
there is only Branch behind the outside. Am I correct?
In order to have internet access for your branch users you should:
1. have default gateway on the ASA pointed to the Internet and have static
routing pointed to the Outside for branch network
2. configure NAT so that branch users will be translated when going to the
internet
nat (outside) 2 172.16.1.0 255.255.255.0
global (INTERNET) 2 interface
3. allow to send the traffic between interfaces with the same security level
same-security permit inter-interface
If there is no need for translation between Inside and Outside you may
delete it.
Regards,
--
Piotr Matusiak
CCIE #19860 (R&S, Security), CCSI #33705
Technical Instructor
website: www.MicronicsTraining.com
blog: www.ccie1.com

If you can't explain it simply, you don't understand it well enough -
Albert Einstein

2011/1/20 Manouchehr Omari <manouchehr1979_at_gmail.com>

> Hello Piotr,
>
> Here is the output,
>
> sh nameif
>
> Interface      Name       Security
> Ethernet0/0    outside    0
> Ethernet0/1    inside     100
> Ethernet0/2    INTERNET   0
>
> Kind Regards,
>
> On Thu, Jan 20, 2011 at 12:57 PM, Piotr Matusiak <pitt2k_at_gmail.com> wrote:
>
>> Hi,
>>
>> What are the interface names and security levels on the ASA? Can you send
>> output of the command show nameif
>>
>> Regards,
>> --
>> Piotr Matusiak
>> CCIE #19860 (R&S, Security), CCSI #33705
>> Technical Instructor
>> website: www.MicronicsTraining.com
>> blog: www.ccie1.com
>>
>> If you can't explain it simply, you don't understand it well enough -
>> Albert Einstein
>>
>> 2011/1/20 Manouchehr Omari <manouchehr1979_at_gmail.com>
>>
>>> Dear All,
>>>
>>> I will highly appreciate any help in this regard, one of our branches
>>> connected through E1 circuit with IPSec tunnel is unable to use Internet
>>> from HQ, Below is the topology,
>>>
>>> HQ - ASA 5510-------------E1------------------ Router - Branch ---- LAN
>>>
>>> ASA has interfaces,
>>>
>>> E0/0 = E1 connecting branch..
>>> E0/1 = HQ LAN
>>> E0/2 = Internet
>>>
>>> Below is the NAT and the ACL for interesting traffic config on ASA
>>>
>>> global (outside) 1 interface
>>> nat (inside) 1 0.0.0.0 0.0.0.0
>>> nat (inside) 0 access-list 101
>>>
>>> access-list 101 per ip 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
>>>
>>> Everything is working fine except that users in the branch unable to
>>> access the Internet through HQ I don't think if the NAT configuration on
>>> ASA is correct in order for the branch users to be able to access the
>>> internet, and also I'm not doing any NAT on branch router. Anyone with
>>> any help please...
>>>
>>> Kind Regards,

Received on Thu Jan 20 2011 - 21:45:01 ART
This archive was generated by hypermail 2.2.0 : Tue Feb 01 2011 - 07:39:17 ART
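
An added example, not part of the original thread or anyone's posted configuration: a Python check that reads ASA config text in the nat/global syntax used above and reports which of the three steps from the reply are still missing for the branch subnet. The function name and the two gateway addresses (192.0.2.1, 198.51.100.2) are constructed placeholders; the interface names, security levels and subnets are the ones quoted in the thread.

```python
import ipaddress

def missing_prerequisites(config, levels, src_if, dst_if, subnet):
    """List which steps of the reply `config` still lacks for `subnet`,
    arriving on `src_if`, to reach the Internet through `dst_if`."""
    net = ipaddress.ip_network(subnet)
    cmds = [line.split() for line in config.splitlines() if line.split()]
    missing = []
    # Step 1: default route via dst_if, static route to the branch via src_if.
    routes = [c for c in cmds if c[0] == "route" and len(c) >= 5]
    if not any(c[1] == dst_if and c[2:4] == ["0.0.0.0", "0.0.0.0"] for c in routes):
        missing.append("default route")
    if not any(c[1] == src_if and net.subnet_of(ipaddress.ip_network(f"{c[2]}/{c[3]}"))
               for c in routes):
        missing.append("branch route")
    # Step 2: a nat rule on src_if covering the subnet, paired by NAT ID with
    # a global on dst_if. ID 0 (NAT exemption) and access-list forms are skipped.
    nat_ids = {c[2] for c in cmds
               if c[0] == "nat" and c[1] == f"({src_if})" and len(c) >= 5
               and c[2] != "0" and c[3] != "access-list"
               and net.subnet_of(ipaddress.ip_network(f"{c[3]}/{c[4]}"))}
    global_ids = {c[2] for c in cmds
                  if c[0] == "global" and c[1] == f"({dst_if})" and len(c) >= 4}
    if not nat_ids & global_ids:
        missing.append("nat/global pair")
    # Step 3: only needed when both interfaces share a security level. Matches
    # the short form written in the reply and the full same-security-traffic.
    if levels[src_if] == levels[dst_if] and not any(
            c[0].startswith("same-security") and c[1:] == ["permit", "inter-interface"]
            for c in cmds):
        missing.append("same-security permit")
    return missing

# Security levels from the "sh nameif" output quoted in the thread.
LEVELS = {"outside": 0, "inside": 100, "INTERNET": 0}
# NAT lines from the original question; no routes were posted.
ORIGINAL = """global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 0 access-list 101"""
# Constructed: ORIGINAL plus the reply's steps; gateway IPs are placeholders.
FIXED = ORIGINAL + """
route INTERNET 0.0.0.0 0.0.0.0 192.0.2.1
route outside 172.16.1.0 255.255.255.0 198.51.100.2
nat (outside) 2 172.16.1.0 255.255.255.0
global (INTERNET) 2 interface
same-security-traffic permit inter-interface"""

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, missing_prerequisites(cfg, LEVELS, "outside", "INTERNET", "172.16.1.0/24"))
```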