Re: Internet with IPSec

From: Piotr Matusiak <pitt2k_at_gmail.com>
Date: Fri, 21 Jan 2011 07:31:41 +0100

Hi,

Can you share your config please?
Send it directly to me if you don't want to share all info on the group.

Regards,

--
Piotr Matusiak
CCIE #19860 (R&S, Security), CCSI #33705
Technical Instructor
website: www.MicronicsTraining.com
blog: www.ccie1.com
If you can't explain it simply, you don't understand it well enough -
Albert Einstein

2011/1/21 Manouchehr Omari <manouchehr1979_at_gmail.com>
>
>
> Hello Piotr,
>
> I did the same configuration and also removed the translation between
> inside and outside, but I'm still unable to go through.
>
> Thanks,
> Manny
>
>
>
>
> On Thu, Jan 20, 2011 at 3:45 PM, Piotr Matusiak <pitt2k_at_gmail.com> wrote:
>
>> Hi,
>>
>> I'm not sure why you use NAT between Inside and Outside interfaces as
>> there is only Branch behind the outside. Am I correct?
>> In order to have internet access for your branch users you should:
>> 1. have default gateway on the ASA pointed to the Internet and have static
>> routing pointed to the Outside for branch network
>> 2. configure NAT so that branch users will be translated when going to the
>> internet
>> nat (outside) 2 172.16.1.0 255.255.255.0
>> global (INTERNET) 2 interface
>> 3. allow traffic to be sent between interfaces with the same security
>> level
>> same-security permit inter-interface
>>
>> If there is no need for translation between Inside and Outside you may
>> delete it.
>>
>>
>> Regards,
>> --
>> Piotr Matusiak
>> CCIE #19860 (R&S, Security), CCSI #33705
>> Technical Instructor
>> website: www.MicronicsTraining.com
>> blog: www.ccie1.com
>>
>> If you can't explain it simply, you don't understand it well enough -
>> Albert Einstein
>>
>>
>> 2011/1/20 Manouchehr Omari <manouchehr1979_at_gmail.com>
>>
>>>
>>>
>>> Hello Piotr,
>>>
>>> Here is the output,
>>>
>>>
>>> sh nameif
>>>
>>> Interface        Name            Security
>>> Ethernet0/0        outside              0
>>> Ethernet0/1        inside            100
>>> Ethernet0/2        INTERNET          0
>>>
>>>
>>> Kind Regards,
>>>
>>>
>>>
>>> On Thu, Jan 20, 2011 at 12:57 PM, Piotr Matusiak <pitt2k_at_gmail.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> What are the interface names and security levels on the ASA? Can you
>>>> send output of the command show nameif
>>>>
>>>> Regards,
>>>> --
>>>> Piotr Matusiak
>>>> CCIE #19860 (R&S, Security), CCSI #33705
>>>> Technical Instructor
>>>> website: www.MicronicsTraining.com
>>>> blog: www.ccie1.com
>>>>
>>>> If you can't explain it simply, you don't understand it well enough -
>>>> Albert Einstein
>>>>
>>>>
>>>> 2011/1/20 Manouchehr Omari <manouchehr1979_at_gmail.com>
>>>>
>>>>> Dear All,
>>>>>
>>>>> I will highly appreciate any help in this regard. One of our branches,
>>>>> connected through an E1 circuit with an IPSec tunnel, is unable to use
>>>>> Internet from HQ. Below is the topology,
>>>>>
>>>>>
>>>>>
>>>>> HQ - ASA 5510-------------E1------------------ Router - Branch ---- LAN
>>>>>
>>>>>
>>>>> ASA has interfaces,
>>>>>
>>>>> E0/0  = E1 connecting branch..
>>>>> E0/1  = HQ LAN
>>>>> E0/2  = Internet
>>>>>
>>>>> Below is the NAT and the ACL for interesting traffic config on ASA
>>>>>
>>>>> global (outside) 1 interface
>>>>> nat (inside) 1 0.0.0.0 0.0.0.0
>>>>> nat (inside) 0 access-list 101
>>>>>
>>>>> access-list 101 per ip 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
>>>>>
>>>>> Everything is working fine except that users in the branch are unable to
>>>>> access the Internet through HQ. I don't think the NAT configuration on
>>>>> the ASA is correct in order for the branch users to be able to access the
>>>>> internet, and also I'm not doing any NAT on the branch router. Anyone with
>>>>> any help please...
>>>>>
>>>>> Kind Regards,
>>>>>
>>>>>
>>>>> Blogs and organic groups at http://www.ccie.net
>>>>>
>>>>> _______________________________________________________________________
>>>>> Subscription information may be found at:
>>>>> http://www.groupstudy.com/list/CCIELab.html
Received on Fri Jan 21 2011 - 07:31:41 ART
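
Added example, not part of the original thread: a small Python audit that checks an ASA configuration for the three items listed in the 20 Jan reply (routes, a nat/global pair with a matching NAT ID, and same-security inter-interface traffic). It assumes the pre-8.3 `nat`/`global` syntax used in the thread; the function name `audit`, the sample configuration and its next-hop addresses are constructed for illustration.

```python
import re

# Constructed sample: the NAT lines quoted in the thread plus the three items
# from the reply. Next-hop addresses are placeholders, not values from the thread.
SAMPLE_CONFIG = """\
route INTERNET 0.0.0.0 0.0.0.0 192.0.2.1
route outside 172.16.1.0 255.255.255.0 198.51.100.2
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 0 access-list 101
nat (outside) 2 172.16.1.0 255.255.255.0
global (INTERNET) 2 interface
same-security-traffic permit inter-interface
"""


def audit(config, net="172.16.1.0", mask="255.255.255.0",
          branch_if="outside", inet_if="INTERNET"):
    """Return the items from the reply's checklist that the config lacks."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    subnet = re.escape(f"{net} {mask}")
    b_if, i_if = re.escape(branch_if), re.escape(inet_if)

    def ids(pattern):
        # First capture group of every line that fully matches the pattern
        return {m.group(1) for l in lines if (m := re.fullmatch(pattern, l))}

    missing = []
    # 1. Default route out the Internet interface, static route to the branch
    if not ids(rf"route {i_if} (0\.0\.0\.0 0\.0\.0\.0|0 0) \S+.*"):
        missing.append(f"default route via {inet_if}")
    if not ids(rf"route {b_if} ({subnet}) \S+.*"):
        missing.append(f"static route to {net} via {branch_if}")
    # 2. nat on the branch-facing interface and a global on the Internet
    #    interface must share a NAT ID, otherwise no translation is built
    nat_ids = ids(rf"nat \({b_if}\) (\d+) {subnet}.*")
    global_ids = ids(rf"global \({i_if}\) (\d+) \S+.*")
    if not nat_ids & global_ids:
        missing.append("nat/global pair for the branch subnet")
    # 3. Both interfaces are security level 0 in the posted 'sh nameif' output
    if not ids(r"(same-security(?:-traffic)? permit inter-interface)"):
        missing.append("same-security-traffic permit inter-interface")
    return missing


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG) or "all three items present")
```

Run against the configuration from the first post, the audit reports all four lines as missing; a `global (INTERNET)` with a different NAT ID than the `nat (outside)` line is reported as a missing pair.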

This archive was generated by hypermail 2.2.0 : Tue Feb 01 2011 - 07:39:17 ART