Internal Host Access

Unanswered Question
Feb 26th, 2009

I have an MPLS network, with a main site running hosted applications [10.10.x.x/21, Router -], and 3 other sites [10.11.x.x/21, 10.12.x.x/21 and 10.13.x.x/21; GW for each router at each site is, etc.].

I have the 10.10.x.x/21 network behind an ASA 5510. Its inside interface is The entire 10.10.x.x/21 network is behind the ASA. None of the other sites can access the hosts on the 10.10.x.x/21, nor can the 10.10.x.x/21 hosts access the other sites.


Jon Marshall Fri, 02/27/2009 - 02:31


1) Do the other sites have a route to 10.10.x.x/21?

2) Have you set up access on the ASA? So if you want the whole internal network to be accessible from the remote sites

static (inside,outside) 10.10.x.x 10.10.x.x netmask

and then you need to have an access-list applied to the outside interface of your ASA allowing access, e.g.

access-list outside_in permit ip 10.11.x.x 10.10.x.x


access-group outside_in in interface outside

Note I have used IP in the ACL, but you can tie it down to specific ports/IP addresses if you need to.
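
Added example, not part of Jon Marshall's reply or the original thread: a simplified Python model of first-match ACL evaluation with the implicit deny at the end, showing which remote sites a single permit for the 10.11 network leaves blocked and what a port-restricted variant allows. The concrete /21 blocks, the host 10.10.0.10 and TCP port 443 are constructed assumptions, since the thread only gives 10.10.x.x/21 style addresses.

```python
import ipaddress

# Constructed addressing: the thread only gives 10.10.x.x/21 etc., so these
# concrete /21 blocks are assumptions for illustration.
MAIN = ipaddress.ip_network("10.10.0.0/21")
SITES = {
    "site1": ipaddress.ip_network("10.11.0.0/21"),
    "site2": ipaddress.ip_network("10.12.0.0/21"),
    "site3": ipaddress.ip_network("10.13.0.0/21"),
}

def parse_ace(action, proto, src, dst, port=None):
    """Build one access-list entry; port=None means any port."""
    return {"action": action, "proto": proto,
            "src": ipaddress.ip_network(src),
            "dst": ipaddress.ip_network(dst), "port": port}

def evaluate(acl, proto, src, dst, port=None):
    """First matching entry wins; no match falls to the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace["proto"] not in ("ip", proto):
            continue  # "ip" matches every protocol
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["port"] is not None and ace["port"] != port:
            continue
        return ace["action"]
    return "deny"

# Shape of the ACL in the reply: one permit, for the 10.11 site only.
ACL_AS_POSTED = [parse_ace("permit", "ip", "10.11.0.0/21", "10.10.0.0/21")]

# Tied-down variant: every remote site, but only one TCP port plus ICMP
# (port 443 is a hypothetical application port, not from the thread).
ACL_TIGHT = [parse_ace("permit", p, str(n), str(MAIN), port)
             for n in SITES.values()
             for p, port in (("tcp", 443), ("icmp", None))]

def reachable_sites(acl, proto, port=None):
    """Names of remote sites whose first host may reach 10.10.0.10."""
    return sorted(name for name, net in SITES.items()
                  if evaluate(acl, proto, str(net[1]), "10.10.0.10", port) == "permit")

if __name__ == "__main__":
    print("as posted, icmp:", reachable_sites(ACL_AS_POSTED, "icmp"))
    print("tight, tcp/443: ", reachable_sites(ACL_TIGHT, "tcp", 443))
    print("tight, tcp/3389:", reachable_sites(ACL_TIGHT, "tcp", 3389))
```
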


thomasmelvin Fri, 02/27/2009 - 07:20


Thanks for the reply.

1) Yes all sites have a route to the

2) I added the static/acl and no change. I can't even ping.

Jon Marshall Fri, 02/27/2009 - 07:56

If you save it in a notepad or wordpad you should be able to add an attachment to your message.

Or you could try just pasting half of it into one message and the rest into another message.


Jon Marshall Fri, 02/27/2009 - 08:21


Could you give an example of an IP address you are trying to access from a remote site and what the source IP address is as well? Also what TCP port you are trying to access on, so

src IP address =

destination IP address =

Port number =


thomasmelvin Fri, 02/27/2009 - 08:24

John, sure...

src IP address =

destination IP address =

Port number = 0 [STD PING]

The same is true for the opposite.

