multiple IPs on ASA 5505 - connection problem

Farrukh Haroon Wed, 08/27/2008 - 23:25
User Badges:
  • Red, 2250 points or more

Your route entry seems strange:

route inside 192.168.42.0 255.255.255.0 192.168.42.4 1

192.168.42.4 is supposed to be in the same subnet as your inside interface. Also, is it possible to post any syslogs for this denied traffic?

You can also run a 'packet-tracer' simulating this traffic coming from the outside interface.

Regards

Farrukh

Farrukh Haroon Thu, 08/28/2008 - 05:26

"that both ASA & the 42 subnet connect to"

The ASA has three VLAN interfaces, none of which belong to 192.168.42.x?

Regards

Farrukh

This is how my network is configured:

192.168.42.0/24 <-> Cisco3560 Vlan42 192.168.42.4

192.168.200.0/24 <-> Cisco3560 Vlan200 192.168.200.254 <-> ASA inside=192.168.200.4

192.168.201.0/24 <-> Cisco3560 Vlan201 192.168.201.254

Using this, all my LAN traffic goes to the Cisco 3560, which has a default route 0.0.0.0 0.0.0.0 192.168.200.4.

This is the part that does not have problems.

In my post I asked about routing traffic coming from the internet into my LAN.

The access-list/static combination for inbound SMTP is working (using the interface public IP). Any other public IP (as in different from the specified interface .126 IP) fails.

Farrukh Haroon Thu, 08/28/2008 - 05:49

Change this:

route inside 192.168.42.0 255.255.255.0 192.168.42.4 1

To

route inside 192.168.42.0 255.255.255.0 192.168.200.254

You have a Class C from your ISP?

Regards

Farrukh
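The check Farrukh is applying above (the next hop of a `route <ifname> ...` line must sit on the subnet of that interface) is easy to automate against a saved `show running-config`. The script below is an added example, not code from the original thread or from Cisco: it parses the `interface` blocks and `route` lines of a constructed ASA 5505 config excerpt modelled on the thread and flags every static route whose next hop is off the egress interface's subnet. The inside address 192.168.200.4/24 and the two versions of the 192.168.42.0/24 route are the ones discussed in the thread; the VLAN numbers, the outside address block, the default route and the route to 192.168.201.0/24 are assumptions made for the example.

```python
"""Flag ASA static routes whose next hop is not on the egress interface's
subnet. Added example for the thread above; not code from the original
post and not a Cisco tool."""
import ipaddress
import re

# Constructed ASA 5505 config excerpt modelled on the thread. The VLAN
# numbers, the outside address block (63.0.0.126/25 mirrors the ".126"
# interface IP mentioned by the poster) and the default route are
# assumptions; the inside address and the 192.168.42.0/24 route are the
# ones discussed in the thread.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.200.4 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 63.0.0.126 255.255.255.128
!
route outside 0.0.0.0 0.0.0.0 63.0.0.1 1
route inside 192.168.42.0 255.255.255.0 192.168.42.4 1
route inside 192.168.201.0 255.255.255.0 192.168.200.254 1
"""

# The fix proposed in the thread: point the 192.168.42.0/24 route at the
# 3560's VLAN200 address, which is on the ASA's inside subnet.
CORRECTED_CONFIG = SAMPLE_CONFIG.replace(
    "route inside 192.168.42.0 255.255.255.0 192.168.42.4 1",
    "route inside 192.168.42.0 255.255.255.0 192.168.200.254 1",
)

# route <ifname> <dst> <mask> <next-hop> [metric]
ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\d+))?$")


def parse_interfaces(config):
    """Return {nameif: IPv4Interface} built from the 'interface' blocks."""
    interfaces = {}
    current = {}
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = {}                      # new block, forget the old one
        elif line.startswith("nameif "):
            current["nameif"] = line.split()[1]
        elif line.startswith("ip address "):
            _, _, ip, mask = line.split()[:4]  # ignores any 'standby' suffix
            current["addr"] = ipaddress.IPv4Interface(f"{ip}/{mask}")
        if "nameif" in current and "addr" in current:
            interfaces[current["nameif"]] = current["addr"]
    return interfaces


def check_routes(config):
    """Return [(route_line, reason)] for every static route that looks wrong."""
    interfaces = parse_interfaces(config)
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        match = ROUTE_RE.match(line)
        if not match:
            continue
        ifname, dst, mask, nexthop, _metric = match.groups()
        if ifname not in interfaces:
            findings.append((line, f"interface {ifname!r} has no nameif/ip address"))
            continue
        egress = interfaces[ifname]
        hop = ipaddress.IPv4Address(nexthop)
        # The thread's bug: a next hop that is not directly reachable via the
        # interface named in the route can never be resolved.
        if hop not in egress.network:
            findings.append(
                (line, f"next hop {hop} is not on {ifname} subnet {egress.network}")
            )
    return findings


if __name__ == "__main__":
    for config_name, config in (("original", SAMPLE_CONFIG),
                                ("corrected", CORRECTED_CONFIG)):
        print(f"== {config_name} ==")
        for route_line, reason in check_routes(config) or [("(no findings)", "")]:
            print(f"{route_line}\n    {reason}".rstrip())
```

Run it against a real `show running-config` by reading the file into `check_routes` instead of `SAMPLE_CONFIG`; the original config produces one finding for the 192.168.42.4 route, and the corrected config produces none.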

Farrukh Haroon Thu, 08/28/2008 - 06:25

Did you change the route?

Change it and run a packet-tracer:

packet-tracer input outside tcp 4.4.4.4 1045 63.x.y.110 443 detailed

Regards

Farrukh

Farrukh Haroon Thu, 08/28/2008 - 06:34

You don't need to worry about this command making any changes. It's just a 'diagnostic' command run from enable mode. You don't even have to do 'config t' to run it!

This will simulate the desired traffic flow and tell you WHERE it's failing (NAT, RPF check, ACL, spoofing etc.).

Regards

Farrukh

Farrukh Haroon Fri, 08/29/2008 - 13:03

Output seems perfect and the respective traffic should work.

A next step would perhaps be to capture traffic on the ASA outside interface for these public IPs to see if any traffic 'actually' reaches them from the internet or not.

Regards

Farrukh
