cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1019
Views
5
Helpful
13
Replies

Can't seem to figure out how to Route across an ASA5510

Jmorgan1413_2
Level 1
Level 1

I'm having no luck here. I have tried entering default routes, static routes, etc from both the CLI and the ASDM console.

I am replacing a 2621 router which we had working just fine, but I can't duplicate the functionality we had with the router.

I have attached a visio drawing which should explain what I am doing.

From the PC on the test network I can only ping as far as the .225 interface. From a PC connected to SWITCh 1, I can ping the 105 interface but no further.

From the Firewall itself I can ping just about anything I want. So the problem seems to be that the ETH 0 and ETH 1 interfaces are not communicating.

Any Ideas?

13 Replies 13

bbacola
Level 1
Level 1

A copy of your configuration on the ASA would be necessary to tell you what is wrong. What are the subnet masks of the 2 interfaces?

Here is my config file. Probably has a lot of unnecessary stuff in it.

My outside mask is /25

My inside mask is /28

Thanks a lot.

Remove these

access-group outside_access_out out interface outside

access-group inside_access_in in interface inside

route outside 199.222.135.0 255.255.255.0 199.222.135.1 1

route inside 0.0.0.0 0.0.0.0 199.222.135.0 1

route inside 0.0.0.0 0.0.0.0 199.222.135.1 1

Add

global (outside) 1 interface

route outside 0.0.0.0 0.0.0.0 199.222.135.1

OK.

I did that.

It did not seem to help.

Attached is how my config looks now

mightymouse2045
Level 1
Level 1

ummm you have no access lists to permit traffic through the device, hence the previous post to remove them. But if you remove them then it blocks by default.

You have an

icmp permit any outside

for replying to pings outside, but you should also have one for the inside so:

icmp permit any inside

Also your inside nat is a bit hmm lets just say open. What you should have is this for your inside to outside nat:

nat (inside) 0 199.222.135.224 255.255.255.240 0 0

Now put these statements in for your access lists:

access-list outside_access_in permit ip any any

access-list inside_access_in permit ip any any

Then add the access lists to the interface with:

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

Give that a go

Cheers,

Peter

Sorry Peter,

Still no go.

Attached is my running config as it stands after the changes you suggested.

As you may have figured out by now, this is not exactly my forte.

Thanks for helping.

You don't have the access lists applied to the interfaces as per below:

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

Right.

Don't know how I missed that.

I've got them now and it still does not work.

See attached.

Thanks again.

Hi there,

Sorry but I bow out at this point. It looks fine as far as I'm concerned. You may want to try removing your inspection rules for now as another attempt at diagnosing what is stopping this working.

Another option is to take it back to it's factory default settings and adding in what I have given you from the stock standard config and see if that works at that point.

Are you putting in the config I've given you through the commmand line or through the GUI?

I am not too crash hot with the ASA devices as we haven't moved away from the PIX yet, and I can see there are some slight differences in the commmands you are using for the ASA in particular the NAT command if you have a look at the one I sent you compared to how it's showing in your config.

Cheers,

Peter

Actually i just twigged on something - your global (outside) 1 interface - is defining the global NAT to instance 1 - so your NAT (inside) should point to that - not 0.

So try changing your NAT statement from:

nat (inside) 0 199.222.135.224 255.255.255.240

to:

nat (inside) 1 199.222.135.224 255.255.255.240

Hope this works - if not then I'm fresh out of ideas :)

Peter

Twig? Or the whole tree???

That did it.

Thank you very much.

Now we're on to applying rules and opening and closing ports. I'm sure you guys will be hearing from me again.

Peter, thanks. 5 star help my friend.

How do I go about rating you?

No problems man :) Glad I could help out - god knows I had plenty of dramas myself when I first started out with Cisco's - they are complicated but that's what makes them interesting - getting your head around how to configure them correctly is the hard part, but once you do it's smooth sailing :)

A tip for you on configuring the groups have a look at an old config of mine for a PIX 515e. Looks complicated but getting your IP's named, and put into groups etc makes admin a damn site easier through the GUI - just naming groups or device names instead of IP's - obviously then making changes to IP's etc can be done without having to clean up in 50 other places etc and for other reasons aswell.

Have fun :)

Peter

Peter,

Thanks to all your help I can now go from the inside interface out, but I still can't go from my outside interface in. I have some web servers sitting on the inside network which I can hit from other machines on my inside network, but I can not hit them from the network on my outside interface.

I have been playing with this quite a bit as my gut tells me that it has to do with global interfaces and NAT (even though I'm not translating), but I can't make it work.

I am attaching my config so that you could maybe take a look at it and see where I've gone wrong.

I have added a bunch of access lists and the appropriate groups and added them to the correct interfaces (I think), but I am open to being told they are all wrong.

Nothing I have been able to do with other global interfaces or NATs has worked so I have removed all those attempts.

Any help would be appreciated.

John

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: