01-10-2009 12:10 PM - last edited on 03-25-2019 05:41 PM by ciscomoderator
Greetings, I have an ASA 5510 with three interfaces configured.
One is the outside interface, one is dedicated to voice traffic and one is dedicated to data traffic.
On the data network I have my laptop and on the voice network I have a CME system with a Unity Express module installed.
The voice network sits on 172.22.25.0 /24
The data network sits on 172.23.24.0 /24
The unity express module on the cme system has a loopback address of 10.10.10.0 /30
Now I have no issues getting to the CME system on 172.22.25.0 /24 but can't get to 10.10.10.1 via the firewall.
I have tried identity statements and have a static route on the ASA pointing to 10.10.10.0 /30 via the CME router, to no effect. Could someone recommend how I could get from the data network to the CUE module on the voice network via the firewall?
Regards
01-10-2009 01:55 PM
I have tried identity statements and have a static route on the asa pointing to 10.10.10.0 /30 via the cme router to no effect
Hi,
I do not know CME devices, but I would assume your CME router has an interface on the 172.22.25.Y/24 network, where Y is the IP address assigned to that CME router interface.
So your static route in the ASA to reach the 10.10.10.0 network would be something like:
route voice_nameif 10.10.10.0 255.255.255.252 172.22.25.Y 1
You will also need:
same-security-traffic permit intra-interface
You may also need a no-NAT exempt ACL in the ASA to talk to the 10.10.10.0 network from 172.23.
Does the CME router have a route back to the ASA to reach the 172.23.24.0 network, so that 10.10.10.0 can get to it? Look at the ASDM real-time log to see messages while trying connections between the two networks.
I would expect the CME router that has the 10.10.10.0/30 network to have a route to the 172.23.24.0 network via the 172.22.25.x ASA interface, where x is the default gateway of the 172.22.25.0/24 network.
Regards
01-10-2009 02:56 PM
Thank you for your reply; apologies, I should have been more concise.
Cisco ASA Interface Names:
e0 - outside - WAN
e1 - access - Data
e2 - voice - Voice
I have the route added to the ASA
route voice 10.10.10.0 255.255.255.252 172.22.25.4 1
I also have the same-security-traffic permit intra-interface statement in there.
There is only one interface connected on the CME Router being 172.22.25.4 /24 and a default route back to the asa on 172.22.25.1.
I have a NAT exempt statement for these networks.
access-list exempt_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list exempt_nat0_outbound extended permit ip 10.10.10.0 255.255.255.252 10.10.10.0 255.255.255.252
global (outside) 1 interface
nat (access) 0 access-list exempt_nat0_outbound
nat (access) 1 172.23.25.0 255.255.255.0
nat (voice) 0 access-list exempt_nat0_outbound
nat (voice) 1 172.22.25.0 255.255.255.0
The error message, which I've seen so many times before, urghh!
portmap translation creation failed for icmp src access:172.23.25.212 dst voice:10.10.10.1 (type 8, code 0)
The module itself sits inside the CME router, as per the config below.
interface Loopback0
description Loopback For UnityExpress
ip address 10.10.10.2 255.255.255.252
!
interface FastEthernet0/0
ip address 172.22.25.4 255.255.255.0
duplex full
speed 100
auto qos voip
service-policy output AutoQoS-Policy-UnTrust
!
interface FastEthernet0/1
no ip address
shutdown
!
interface Integrated-Service-Engine1/0
ip unnumbered Loopback0
service-module ip address 10.10.10.1 255.255.255.252
service-module ip default-gateway 10.10.10.2
no keepalive
!
ip route 0.0.0.0 0.0.0.0 172.22.25.1
Regards
01-10-2009 06:05 PM
Thanks for posting the config. I do apologize; regarding same-security-traffic permit intra-interface, for a moment I had pictured in my mind 10.10.10.0 coming from the same access interface. So this command applies to voice-source hosts under 10.10.10.0 accessing destinations on the 172.22.25.0 net, but it can be left in, as you will eventually need it for the above scenario:
access-list exempt_nat0_outbound extended permit ip 10.10.10.0 255.255.255.252 172.22.25.0 255.255.255.0
portmap translation creation failed for icmp src access:172.23.25.212 dst voice:10.10.10.1 (type 8, code 0)
As for the translation failure message above, add this to the exempt NAT ACL and try again reaching 10.10.10.1 from 172.23.25.0:
access-list exempt_nat0_outbound extended permit ip 10.10.10.0 255.255.255.252 172.23.24.0 255.255.255.0
Please let us know how it works out so we can further assist.
Regards
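The accepted reply comes down to one check: does the ACL bound by nat (access) 0 / nat (voice) 0 actually cover the source/destination pair the firewall is logging? The following is an added example, not code from the thread or from Cisco: a small Python model of pre-8.3 ASA NAT-exemption matching that parses the exempt ACL lines posted above, then evaluates the flows from this thread against the ACL as posted and again with the two ACEs the reply suggests. It assumes, as the ASA documents for NAT exemption, that an exempt ACE lets either side initiate (and here the same ACL is bound on both inside interfaces), so an ACE is matched in both directions. The host 172.23.24.10 is a constructed address on the data network described in the first post; 172.23.25.212 and 10.10.10.1 come from the syslog line in the thread.

```python
"""Model of ASA (pre-8.3) NAT-exemption (nat 0 access-list) matching.

Added example for the thread above; not Cisco code and not a full ACL parser.
It handles only the ACE form used on this page:
    access-list NAME extended permit|deny ip SRC SRCMASK DST DSTMASK
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ACE_RE = re.compile(
    r"^\s*access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)\s*$"
)


@dataclass(frozen=True)
class Ace:
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    text: str


def _network(addr: str, mask: str) -> ipaddress.IPv4Network:
    """ASA writes networks as ADDRESS MASK, e.g. 10.10.10.0 255.255.255.252."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_acl(config_lines: List[str]) -> Dict[str, List[Ace]]:
    """Group the ACEs in a config snippet by ACL name; non-ACE lines are skipped."""
    acls: Dict[str, List[Ace]] = {}
    for line in config_lines:
        m = ACE_RE.match(line)
        if not m:
            continue  # route / nat / global / interface lines are not ACEs
        ace = Ace(m["action"], _network(m["src"], m["smask"]),
                  _network(m["dst"], m["dmask"]), line.strip())
        acls.setdefault(m["name"], []).append(ace)
    return acls


def exempt_ace(aces: List[Ace], src_ip: str, dst_ip: str) -> Optional[Ace]:
    """Return the first ACE that exempts src->dst from NAT, or None.

    NAT exemption allows either side to initiate the connection, and in this
    thread the same ACL is bound on both the access and voice interfaces, so an
    ACE is matched in either direction. The first matching ACE decides: permit
    exempts the flow, deny ends the search without exempting it.
    """
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in aces:
        forward = s in ace.src and d in ace.dst
        reverse = d in ace.src and s in ace.dst
        if forward or reverse:
            return ace if ace.action == "permit" else None
    return None


def is_exempt(config_lines: List[str], acl_name: str, src_ip: str, dst_ip: str) -> bool:
    return exempt_ace(parse_acl(config_lines).get(acl_name, []), src_ip, dst_ip) is not None


def check_flows(config_lines: List[str], flows: List[Tuple[str, str]]) -> Dict[Tuple[str, str], bool]:
    """Evaluate several (src, dst) pairs against exempt_nat0_outbound."""
    return {f: is_exempt(config_lines, "exempt_nat0_outbound", *f) for f in flows}


# The exempt ACL exactly as posted in the thread.
POSTED_ACL = [
    "access-list exempt_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0",
    "access-list exempt_nat0_outbound extended permit ip 10.10.10.0 255.255.255.252 10.10.10.0 255.255.255.252",
]
# The two ACEs suggested in the accepted reply.
SUGGESTED_ACES = [
    "access-list exempt_nat0_outbound extended permit ip 10.10.10.0 255.255.255.252 172.22.25.0 255.255.255.0",
    "access-list exempt_nat0_outbound extended permit ip 10.10.10.0 255.255.255.252 172.23.24.0 255.255.255.0",
]
# Flows to test: a constructed data-network host from the first post's
# description, and the source/destination pair from the logged syslog line.
FLOWS = [("172.23.24.10", "10.10.10.1"), ("172.23.25.212", "10.10.10.1")]

if __name__ == "__main__":
    for label, cfg in (("as posted", POSTED_ACL), ("with suggested ACEs", POSTED_ACL + SUGGESTED_ACES)):
        for (src, dst), exempt in check_flows(cfg, FLOWS).items():
            print(f"{label:20s} {src:>15s} -> {dst:<12s} exempt={exempt}")
```

Run as a script it shows that neither flow is exempt under the ACL as posted (the two existing ACEs only cover 172.16.0.0/16 to itself and 10.10.10.0/30 to itself), so the access-side traffic falls through to nat (access) 1, whose only global is on the outside interface; with no global for the voice interface the dynamic translation cannot be built, which is what the portmap translation creation failed message reports. With the suggested ACEs the 172.23.24.0/24 flow becomes exempt. The logged source 172.23.25.212, however, is still not covered by a 172.23.24.0/24 ACE, and the nat (access) 1 statement in the posted config also names 172.23.25.0: before declaring the exemption in place, confirm which network the data hosts are really on and make the exempt ACE match the source the log shows.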
01-14-2009 09:23 AM
Mark, glad I was able to help, and thank you for rating the post.
Rgds
Jorge