Routes not being created properly

cgbuskirk

I am rather new to setting up firewalls. I have an ASA 5510 that I am setting up currently to block all non-web traffic on our firewall except from our office.

I have configured the interfaces but when I run "show route" it only shows the inside route. I have been unable to get any data to pass through the firewall even when I had set the access list to allow all traffic from all sources. There is a small 8-address network on the outside interface connecting to our hosting company. Inside is a public class C. All addresses are valid public IPs.

Relevant excerpts from my current config:

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.226.170 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 50
 ip address x.x.255.2 255.255.255.0
.........
access-list outside_access_in extended permit ip host x.x.14.30 any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any any eq www
.........
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.226.168 1

When I run the "show route" command all I get is:

C x.x.255.0 255.255.255.0 is directly connected, inside

There is no mention of the default route or the network connected to the outside interface.

Any help would be greatly appreciated

Thank you,

Chris Buskirk

Accepted Solution

Chris

route outside 0.0.0.0 0.0.0.0 x.x.226.168 1

This can't be the default-gateway because that is the subnet address. So the actual gateway address would have to come from

x.x.226.169 - 174

and you have already used .170 on your ASA outside interface.

Also, what is your NAT setup? Let's say you have a server on the inside

195.177.22.10 and you want to give access to this; you need the following line in your config:

static (inside,outside) 195.177.22.10 195.177.22.10 netmask 255.255.255.255

Normally you want to NAT a private IP to a public IP, but you are using public IPs internally anyway.

Jon

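The accepted answer turns on a single address check: a static route's next hop has to be a usable host address inside the subnet of the interface it points out of, and it cannot be the subnet address (x.x.226.168 here), the broadcast address, or the ASA's own interface address (x.x.226.170, which Chris says he had used earlier after copying examples). The following script is an added example, not code from this thread or from Cisco; it parses an ASA-style excerpt and audits each static route against those rules. The redacted x.x. prefixes are replaced with RFC 5737 documentation addresses (203.0.113.0/24 for the outside /29 and 198.51.100.0/24 for the inside /24) so the example can actually run; the config text is constructed from the post, not taken from a live device.

```python
import ipaddress
import re

# Constructed excerpt modelled on the config posted in the thread. The real
# prefixes were redacted as "x.x."; 203.0.113.x and 198.51.100.x are RFC 5737
# documentation addresses substituted so the audit can run offline.
ASA_CONFIG = """
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.170 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 50
 ip address 198.51.100.2 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 203.0.113.168 1
"""


def parse_interfaces(config):
    """Map each nameif to an IPv4Interface (address plus connected subnet)."""
    interfaces = {}
    nameif = None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            nameif = None                      # new interface stanza
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            _, _, addr, mask = line.split()
            interfaces[nameif] = ipaddress.IPv4Interface(f"{addr}/{mask}")
    return interfaces


def parse_routes(config):
    """Return (nameif, destination network, next hop) for each static route."""
    routes = []
    for line in config.splitlines():
        m = re.match(r"\s*route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)", line)
        if m:
            nameif, dest, mask, nexthop = m.groups()
            routes.append((nameif,
                           ipaddress.IPv4Network(f"{dest}/{mask}"),
                           ipaddress.IPv4Address(nexthop)))
    return routes


def check_next_hop(iface, nexthop):
    """List the reasons a next hop is unusable on the given interface.

    A usable next hop is a host address inside the directly connected subnet
    that is neither the subnet (network) address, the broadcast address, nor
    the ASA's own interface address. An empty list means the hop is usable.
    """
    nexthop = ipaddress.IPv4Address(nexthop)
    net = iface.network
    problems = []
    if nexthop not in net:
        problems.append(f"{nexthop} is not in {net}")
        return problems
    if nexthop == net.network_address:
        problems.append(f"{nexthop} is the subnet (network) address of {net}")
    if nexthop == net.broadcast_address:
        problems.append(f"{nexthop} is the broadcast address of {net}")
    if nexthop == iface.ip:
        problems.append(f"{nexthop} is the ASA's own interface address")
    return problems


def usable_gateways(iface):
    """Host addresses in the connected subnet that could be the upstream gateway."""
    return [h for h in iface.network.hosts() if h != iface.ip]


def audit_routes(config):
    """Return {route summary: [problems]} for every static route in the config."""
    interfaces = parse_interfaces(config)
    report = {}
    for nameif, dest, nexthop in parse_routes(config):
        key = f"route {nameif} {dest} {nexthop}"
        iface = interfaces.get(nameif)
        if iface is None:
            report[key] = [f"no interface named {nameif}"]
            continue
        report[key] = check_next_hop(iface, nexthop)
    return report


if __name__ == "__main__":
    for route, problems in audit_routes(ASA_CONFIG).items():
        print(route, "->", problems or "OK")
    outside = parse_interfaces(ASA_CONFIG)["outside"]
    print("candidate gateways:", [str(h) for h in usable_gateways(outside)])
```

Running it against the constructed config flags the posted default route because .168 is the network address of the /29, and lists .169 and .171 through .174 as the only addresses the hosting company's router could actually hold. The check is static and says nothing about whether the link is up; as Jon notes in the thread, a route via a down interface will not appear in "show route" even when it is configured correctly, so confirm the interface is up and the gateway answers pings before trusting the routing table.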

7 Replies

Jon Marshall

Chris

Just a quick sanity check. Is the outside interface actually up, i.e. can you ping your upstream gateway?

Jon

It's actually disconnected right now. When we had connected it before we could ping it from the hosting company's router. Unfortunately the website is already live so I could not leave the outside interface connected after I failed to configure the firewall properly. Will the route not show when it's disconnected?

If the interface is down, no, it will not show up in the routing table, and nor will the default route if that is reachable via the outside interface.

Jon

Thank you. That makes sense. As for why I couldn't get data to pass through before, I wanted to check and make sure my settings are right.

My outside route should point to the gateway of the hosting company's router correct?

Above I have listed my access list. Is this correct for allowing all www traffic through? It seemed before that the website traffic was going out to in but not the other way. Do I need to create an access group for the inside interface to allow users to access our site properly?

It feels like I'm making this setup harder than it should be for a simple flat network but I just can't get it to work.

Thank you,

Chris Buskirk

Chris

Can we just clarify what you want to do.

1) Do you have web servers on your LAN that you want people on the Internet to access, or

2) Do you just want your internal users to be able to connect to web servers on the Internet?

If 2), by default all traffic is allowed out, so are you looking to restrict what traffic can go out from your LAN?

Lastly, you say your internal clients use public addressing. Is this addressing assigned to you or not?

In answer to your question

"My outside route should point to the gateway of the hosting company's router correct?"

the answer is yes, if when you say hosting company you mean ISP?

Jon

Jon,

I am hosting a public website at an off-site colocation facility. We do have those addresses assigned, and the website is running and accessible right now. I just have the uplink plugged into the backbone switch rather than the firewall right now.

Previously I had the outside route directed to the IP of the outside interface, like I had seen in several examples. I am guessing that's what was causing my problems.

Thank you,

Chris

