Community Member

ASA 5510 Access to network not directly connected

Greetings, I have an ASA 5510 with three interfaces configured.

One is the outside interface, one is dedicated to voice traffic and one is dedicated to data traffic.

On the data network I have my laptop and on the voice network I have a CME system with a Unity Express module installed.

The voice network sits on 172.22.25.0 /24

The data network sits on 172.23.24.0 /24

The Unity Express module on the CME system has a loopback address of 10.10.10.0 /30

Now I have no issues getting to the CME system on 172.22.25.0 /24 but can't get to 10.10.10.1 via the firewall.

I have tried identity statements and have a static route on the ASA pointing to 10.10.10.0 /30 via the CME router, to no effect. Could someone recommend how I could get from the data network to the CUE module on the voice network via the firewall?

Regards

1 ACCEPTED SOLUTION

Accepted Solutions

Re: ASA 5510 Access to network not directly connected

Thanks for posting the config. I do apologize; for a moment I had pictured 10.10.10.0 coming from the same access interface, so same-security-traffic permit intra-interface applies for voice source hosts under 10.10.10.0 accessing destinations on the 172.22.25.0 net, but it can be left as you will eventually need it for the scenario above:

access-list exempt_nat0_outbound extended permit ip 10.10.10.0 255.255.255.252 172.22.25.0 255.255.255.0

portmap translation creation failed for icmp src access:172.23.25.212 dst voice:10.10.10.1 (type 8, code 0)

As for the translation failure message above, add this to the exempt NAT ACL and try again reaching 10.10.10.1 from 172.23.25.0:

access-list exempt_nat0_outbound extended permit ip 10.10.10.0 255.255.255.252 172.23.24.0 255.255.255.0

Please let us know how it works out so we can further assist.

Regards

5 REPLIES

Re: ASA 5510 Access to network not directly connected

I have tried identity statements and have a static route on the asa pointing to 10.10.10.0 /30 via the cme router to no effect

Hi,

I do not know CME devices, but I would assume your CME router has an interface on the 172.22.25.Y/24 network, where Y is the IP address assigned to that CME router interface.

So your static route in the ASA to reach the 10.10.10.0 network would be something like:

route voice_nameif 10.10.10.0 255.255.255.252 172.22.25.Y 1

You will also need:

same-security-traffic permit intra-interface

You may also need a no-NAT exempt ACL in the ASA to talk to the 10.10.10.0 network from 172.23.

Does the CME router have a route back to the ASA to reach the 172.23.24.0 network, so that 10.10.10.0 can get to it? Look at the ASDM real-time log to see messages while trying connections between the two networks.

I would expect the CME router that has the 10.10.10.0/30 network to have a route to the 172.23.24.0 network via the 172.22.25.x ASA interface, where x is the default gateway of the 172.22.25.0/24 network.

Regards

Community Member

Re: ASA 5510 Access to network not directly connected

Thank you for your reply; apologies, I should have been more concise.

Cisco ASA Interface Names:

e0 - outside - WAN

e1 - access - Data

e2 - voice - Voice

I have the route added to the ASA:

route voice 10.10.10.0 255.255.255.252 172.22.25.4 1

I also have the same-security-traffic permit intra-interface statement in there.

There is only one interface connected on the CME router, 172.22.25.4 /24, with a default route back to the ASA on 172.22.25.1.

I have NAT exempt statements for these networks:

access-list exempt_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list exempt_nat0_outbound extended permit ip 10.10.10.0 255.255.255.252 10.10.10.0 255.255.255.252
global (outside) 1 interface
nat (access) 0 access-list exempt_nat0_outbound
nat (access) 1 172.23.25.0 255.255.255.0
nat (voice) 0 access-list exempt_nat0_outbound
nat (voice) 1 172.22.25.0 255.255.255.0

The error message, which I've seen so many times before, urghh!

portmap translation creation failed for icmp src access:172.23.25.212 dst voice:10.10.10.1 (type 8, code 0)

The module itself sits inside the CME router as per the config below:

interface Loopback0
 description Loopback For UnityExpress
 ip address 10.10.10.2 255.255.255.252
!
interface FastEthernet0/0
 ip address 172.22.25.4 255.255.255.0
 duplex full
 speed 100
 auto qos voip
 service-policy output AutoQoS-Policy-UnTrust
!
interface FastEthernet0/1
 no ip address
 shutdown
!
interface Integrated-Service-Engine1/0
 ip unnumbered Loopback0
 service-module ip address 10.10.10.1 255.255.255.252
 service-module ip default-gateway 10.10.10.2
 no keepalive
!
ip route 0.0.0.0 0.0.0.0 172.22.25.1

Regards
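The following is an added example, not code from the thread or from Cisco: a small model of how a pre-8.3 ASA matches a flow against the nat 0 exemption ACL and the nat/global lines posted above. It parses those lines as posted and evaluates the flow from the logged message (access:172.23.25.212 to voice:10.10.10.1), showing that no exemption ACE covers it, that it then falls to nat (access) 1 for which only global (outside) 1 exists in the posted lines, and which ACE makes it exempt. Two assumptions are built in: that the posted lines are the whole NAT configuration (the post may be an excerpt, and statics or nat-control settings not shown would change the result), and that NAT exemption is bidirectional, as the ASA 8.2 CLI guide describes it (an ACE written for one direction also lets the remote side initiate). Note that the thread names the data subnet both as 172.23.24.0/24 (question and accepted answer) and as 172.23.25.0/24 (the nat statement and the logged source 172.23.25.212); the helper below therefore takes the data subnet as a parameter so both can be checked. The outside address 198.51.100.7 used in the demonstration is a constructed placeholder.

```python
"""Added example (not from the thread): model pre-8.3 ASA NAT exemption matching
against the posted nat 0 ACL and nat/global lines. Nothing here talks to a firewall.
"""
import ipaddress
import re

# Constructed: the NAT-related lines from the posted configuration, verbatim.
POSTED_CONFIG = """
access-list exempt_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list exempt_nat0_outbound extended permit ip 10.10.10.0 255.255.255.252 10.10.10.0 255.255.255.252
global (outside) 1 interface
nat (access) 0 access-list exempt_nat0_outbound
nat (access) 1 172.23.25.0 255.255.255.0
nat (voice) 0 access-list exempt_nat0_outbound
nat (voice) 1 172.22.25.0 255.255.255.0
"""

ACE_RE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"nat \((\S+)\) 0 access-list (\S+)$")
NAT_RE = re.compile(r"nat \((\S+)\) (\d+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"global \((\S+)\) (\d+)\b")


def net(addr, mask):
    """Build a network from the address/netmask pair used in ASA syntax."""
    return ipaddress.ip_network(f"{addr}/{mask}")


def parse(config):
    """Return ACLs, nat 0 bindings, dynamic nat rules and global ids per interface."""
    acls, exempt, dynamic, globals_ = {}, {}, {}, {}
    for line in config.strip().splitlines():
        line = line.strip()
        if m := ACE_RE.match(line):             # access-list NAME extended permit ip S SM D DM
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append((net(s, sm), net(d, dm)))
        elif m := NAT0_RE.match(line):          # nat (ifc) 0 access-list NAME
            exempt[m.group(1)] = m.group(2)
        elif m := NAT_RE.match(line):           # nat (ifc) ID net mask
            ifc, nat_id, a, mk = m.groups()
            dynamic.setdefault(ifc, {})[int(nat_id)] = net(a, mk)
        elif m := GLOBAL_RE.match(line):        # global (ifc) ID ...
            globals_.setdefault(m.group(1), set()).add(int(m.group(2)))
    return {"acls": acls, "exempt": exempt, "dynamic": dynamic, "globals": globals_}


def exempt_aces(cfg, ifc):
    """ACEs of the ACL bound with nat (ifc) 0 access-list, or none."""
    return cfg["acls"].get(cfg["exempt"].get(ifc), [])


def nat_lookup(cfg, in_ifc, src, out_ifc, dst):
    """Classify one flow as exempt, dynamic NAT with a usable global, or stuck."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 1. Exemption ACL on the ingress interface, matched as written (src -> dst).
    if any(src in s and dst in d for s, d in exempt_aces(cfg, in_ifc)):
        return "exempt"
    # 2. Exemption is bidirectional (assumption, per the 8.2 CLI guide): an ACE
    #    bound on the egress interface that describes the reverse flow covers this one.
    if any(dst in s and src in d for s, d in exempt_aces(cfg, out_ifc)):
        return "exempt"
    # 3. Otherwise the dynamic rule whose real network contains the source applies,
    #    and it needs a global with the same id on the egress interface.
    for nat_id, real in cfg["dynamic"].get(in_ifc, {}).items():
        if src in real:
            if nat_id in cfg["globals"].get(out_ifc, set()):
                return f"dynamic nat id {nat_id} via {out_ifc}"
            return f"nat id {nat_id} matched but no global on {out_ifc}"
    return "no nat rule"


def with_exempt_ace(data_net):
    """Posted config plus the accepted answer's ACE, with the data subnet as a
    parameter because the thread names both 172.23.24.0/24 and 172.23.25.0/24."""
    n = ipaddress.ip_network(data_net)
    ace = (f"access-list exempt_nat0_outbound extended permit ip "
           f"10.10.10.0 255.255.255.252 {n.network_address} {n.netmask}\n")
    return POSTED_CONFIG + ace


if __name__ == "__main__":
    flow = ("access", "172.23.25.212", "voice", "10.10.10.1")   # from the logged message
    print("posted config    :", nat_lookup(parse(POSTED_CONFIG), *flow))
    print("ACE 172.23.24.0/24:", nat_lookup(parse(with_exempt_ace("172.23.24.0/24")), *flow))
    print("ACE 172.23.25.0/24:", nat_lookup(parse(with_exempt_ace("172.23.25.0/24")), *flow))
```

With the posted lines the logged flow matches no exemption ACE and falls to nat (access) 1, which has no global on voice; the ACE written for 172.23.24.0/24 still does not cover a source of 172.23.25.212, while the same ACE for 172.23.25.0/24 exempts the flow in both directions. On the ASA itself, packet-tracer input access icmp 172.23.25.212 8 0 10.10.10.1 shows which NAT rule the firewall really selects, and show xlate confirms whether a translation was built.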

Re: ASA 5510 Access to network not directly connected

Mark, glad I was able to help, and thank you for rating the post.

Rgds

Jorge
