ASA Routing problem

I have a problem with routing.

My ASA 5510 is at ip 192.168.1.20

I also have a router on IP address 192.168.1.30

I have created static routes on the ASA for network 10.1.1.0 and network 10.1.10.1 to the gateway 192.168.1.30.

Problem: I cannot ping the 10.1.1.0 and 10.1.10.1 networks...

In the logging I get an inbound ICMP deny message

I have opened everything on the inbound Inside interface.

Why can't I reach those networks?

My computer's gateway is the ASA 192.168.1.20. Everything else is working fine (WAN to LAN and LAN to WAN)

Only the LAN to LAN thing blocks...

Thanks for your help.


varrao
Level 10

Can you add this??

policy-map global_policy

  class inspection_default

    inspect icmp

And if it doesn't work, can you provide the NAT and ACLs that you have added?

Thanks,

Varun

Thanks,
Varun Rao

Yes, I have added the inspect ICMP

I have created routes like this

route inside 10.1.1.0 255.255.255.0 192.168.1.30

route inside 10.1.10.0 255.255.255.252 192.168.1.30

Is this a problem of NAT? Do I have to create NAT rules instead of static routes?

access-list Inside_access_in extended permit ip any any

access-list Inside_access_in extended permit tcp any any

access-list Inside_access_in extended permit udp any any

access-list Inside_access_in extended permit icmp any any

No, if you are pinging from the outside interface to the inside interface, then you would need to apply these access-lists on the outside interface:

access-list outside_access_in extended permit ip any any

access-group outside_access_in in interface outside

along with the static.

Let me know where you are pinging from: inside to outside or outside to inside?

Thanks,

Varun

Thanks,
Varun Rao

Actually it's inside inside...

-----------------------------------------------------

My computer = 192.168.1.101

To Gateway = 192.168.1.20

Connected to subnet= 192.168.1.0

------------------------------------------------------

ASA = 192.168.1.20

Routes

route inside 10.1.1.0 255.255.255.0 192.168.1.30

route inside 10.1.10.0 255.255.255.252 192.168.1.30

Connected to subnet: 192.168.1.0 and WAN

-----------------------------------------------------

Router= 192.168.1.30

Connected to subnet 10.1.1.0 and 10.1.10.0

Hope it makes more sense

Hi,

Then you must permit traffic entering an interface to exit the same interface with the global config command:

same-security-traffic permit inter-interface

Alain

Don't forget to rate helpful posts.

Thanks, I'll try this and get back to you

Sent from Cisco Technical Support iPhone App

Shouldn't it be intra-interface?

Hi Jean,

You would need the following configuration then:

static (inside,inside) 10.1.1.0 10.1.1.0 norand nailed

static (inside,inside) 10.1.10.0 10.1.10.0 norand nailed

nat (inside) 10 0.0.0.0 0.0.0.0

global (inside) 10 interface

same-security-traffic permit intra-interface

sysopt noproxyarp inside

This should do.

Thanks,

Varun

Thanks,
Varun Rao
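The forwarding decision under discussion, as an added example that is not part of any reply in the thread: a longest-prefix lookup over the two routes posted above, which shows that traffic from 192.168.1.101 to those networks enters and leaves the `inside` interface, and that the posted 255.255.255.252 mask covers only 10.1.10.0 to 10.1.10.3. The default route and its next hop 203.0.113.1 are constructed placeholders, since the thread only says the ASA also connects to the WAN.

```python
import ipaddress

# Addresses and routes as posted in the thread. The "outside" default route
# is a constructed placeholder and does not come from the thread.
CONNECTED = {"inside": ipaddress.ip_network("192.168.1.0/24")}
ROUTES = [
    ("inside", "10.1.1.0", "255.255.255.0", "192.168.1.30"),
    ("inside", "10.1.10.0", "255.255.255.252", "192.168.1.30"),
    ("outside", "0.0.0.0", "0.0.0.0", "203.0.113.1"),  # constructed
]


def ingress_interface(src):
    """Interface whose connected subnet contains the source address."""
    for name, net in CONNECTED.items():
        if ipaddress.ip_address(src) in net:
            return name
    return None


def lookup(dst):
    """Longest-prefix match; returns (interface, network, next_hop) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for ifname, net, mask, gw in ROUTES:
        network = ipaddress.ip_network(f"{net}/{mask}")
        if addr in network and (best is None or network.prefixlen > best[1].prefixlen):
            best = (ifname, network, gw)
    return best


def classify(src, dst):
    """Describe how the firewall would forward a packet from src to dst."""
    in_if = ingress_interface(src)
    route = lookup(dst)
    if route is None:
        return "no-route"
    out_if, network, gw = route
    if in_if == out_if:
        # Enters and leaves the same interface (hairpin). The ASA forwards
        # this only with `same-security-traffic permit intra-interface`.
        return f"hairpin via {gw} ({network})"
    return f"{in_if}->{out_if} via {gw} ({network})"


if __name__ == "__main__":
    for dst in ("10.1.1.5", "10.1.10.1", "10.1.10.5"):
        print(dst, "=>", classify("192.168.1.101", dst))
```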

It's not working, Alain

Now I get error: portmap translation creation failed for icmp src


Did you try the config I suggested? It's missing a NAT statement, according to the error message.

Can you share your config with us, along with the source and the destination?

Thanks,

Varun

Thanks,
Varun Rao

Varun

Because the 10.1.1.0 and 10.1.10.0 are routed by the other router, not this one

Varun

The 10.1.1.0 and 10.1.10.0 are connected to the other router 192.168.1.30

So I can't NAT this subnet on this particular ASA. So I've created routes on the ASA to route this particular traffic to the 192.168.1.30 router.

Any ideas?