Can't access Cisco ASA 5510 by public IP behind Internet router

We need to deploy a Cisco ASA 5510 behind the Internet-facing router for Remote Access VPN (RAVPN). We bought a block of 16 IPs (in a different subnet), which is routed through the main router (69.x.x.x), and configured the outside interface of the ASA with a public IP 64.x.x.x and subnet mask 255.255.255.240. Below is the network structure.


But we can't access the ASA by its public IP. Please suggest.



DSL Modem → RV082 router → Switch → LAN
            (69.x.x.x)       ↑      (192.168.0.0)
                       Cisco ASA 5510
         (outside: 64.x.x.x, inside: 192.168.0.172)

16 REPLIES

Can't access Cisco ASA 5510 by public IP behind Internet router

How does the router connect to the ASA physically? Does it connect through a switch or just directly from an ethernet interface on the router to the ASA?

Can't access Cisco ASA 5510 by public IP behind Internet router

The ASA is connected through the switch.

Can't access Cisco ASA 5510 by public IP behind Internet router

Can you post the IP configuration for the outside ASA? Also, is the switchport that the ASA is connected to in the VLAN that corresponds to the 69.x.x.x network?

Can't access Cisco ASA 5510 by public IP behind Internet router

IP configuration for the outside ASA:

Interface: Ethernet 0/0

Name: Outside

Enabled: Yes

Security label: 0

IP address: 64.26.185.50

Subnet mask: 255.255.255.240

Yes, the switchport that the ASA is connected to belongs to the 69.x.x.x network.

Can't access Cisco ASA 5510 by public IP behind Internet router

What is the default route for the ASA? Also, can you set up a packet capture to see if the packets are actually getting to the outside interface of the ASA? And from the ASA can you ping its default gateway?

Can't access Cisco ASA 5510 by public IP behind Internet router

The default route for the ASA is 69.x.x.x - the public IP of the RV082 gateway router.

I did set up a packet capture and it's getting to the outside interface of the ASA. But from the ASA, I can't ping its default gateway 69.x.x.x.

Can't access Cisco ASA 5510 by public IP behind Internet router

Can you provide the show run route of the ASA??

Regards,

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com

Can't access Cisco ASA 5510 by public IP behind Internet router

route Outside 0.0.0.0 0.0.0.0 69.20.234.102 1

Can't access Cisco ASA 5510 by public IP behind Internet router

What is the default gateway of 64.26.185.50/28 and where is it on your network?

Can't access Cisco ASA 5510 by public IP behind Internet router

Hello,

So the outside interface of the ASA is on the 64.x.x.x subnet and the router is on the 69.x.x.x subnet. They are not on the same network, so of course they will not have connectivity.

You need to define how to get to the outside world (default gateway should be 64.x.x.x, not 69.).

Regards,

Julio

Do rate all the helpful posts!!


Can't access Cisco ASA 5510 by public IP behind Internet router

Hello John and Julio,

Thanks for helping me out!

As I mentioned in the 1st post, we bought a block of 16 IPs (in a different subnet - 64.x.x.x) which is routed through the main router (69.x.x.x).

So, I'm not sure how to configure the ASA outside interface.

Regards

Can't access Cisco ASA 5510 by public IP behind Internet router

Hello,

Here is the issue:

DSL Modem → RV082 router → Switch → LAN
            (69.x.x.x)       ↑      (192.168.0.0)
                       Cisco ASA 5510
         (outside: 64.x.x.x, inside: 192.168.0.172)

If the ASA wants to communicate with the RV082, it will need to send the packets to 69.x.x.x, right? But who is the default gateway of the ASA 5510 (it has got to be on the same broadcast domain)?

You told us the gateway is 69.x.x.x, as per: route Outside 0.0.0.0 0.0.0.0 69.20.234.102 1

So of course, there is not going to be communication between those 2 hosts.

You need to:

1- Change the outside IP address of the ASA and place it on the same broadcast domain as the router

2- Place another layer 3 device in between the router and the ASA (so connection to the router with a 69.x.x.x IP address and connection to the ASA with a 64.x.x.x IP address). In that case the default gateway should be the other layer 3 device.

route outside 0.0.0.0 0.0.0.0 64.x.x.x

Regards,

Do rate all the helpful posts!!

Julio

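The mismatch discussed above can be checked mechanically. This is an added example, not code from any poster in the thread: a Python sketch that reads ASA-style interface and route lines and flags static routes whose next hop is not on the connected subnet of the named interface. The outside address and the default route are the values posted in the thread; the inside interface numbering and mask are assumptions.

```python
import ipaddress

# Constructed sample in ASA running-config syntax. The outside address and the
# default route are the values posted in the thread; the inside mask is assumed.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif Outside
 ip address 64.26.185.50 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 ip address 192.168.0.172 255.255.255.0
!
route Outside 0.0.0.0 0.0.0.0 69.20.234.102 1
"""

def parse_interfaces(config):
    """Map nameif (lower-cased) -> IPv4Interface for each configured interface."""
    interfaces, nameif = {}, None
    for line in config.splitlines():
        words = line.split()
        if not words or words[0] == "interface":
            nameif = None  # a new interface stanza starts; forget the old name
        elif words[0] == "nameif" and len(words) == 2:
            nameif = words[1].lower()
        elif words[:2] == ["ip", "address"] and nameif and len(words) >= 4:
            interfaces[nameif] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
    return interfaces

def off_link_routes(config):
    """Return (route line, reason) for static routes whose next hop is off-link."""
    interfaces = parse_interfaces(config)
    findings = []
    for line in config.splitlines():
        words = line.split()
        if len(words) < 5 or words[0] != "route":
            continue
        iface = interfaces.get(words[1].lower())
        next_hop = ipaddress.ip_address(words[4])
        if iface is None:
            findings.append((line, f"no address configured on {words[1]}"))
        elif next_hop not in iface.network:
            # The ASA cannot ARP for a gateway outside its connected subnet.
            findings.append((line, f"next hop {next_hop} is outside {iface.network}"))
    return findings

if __name__ == "__main__":
    for route, reason in off_link_routes(SAMPLE_CONFIG):
        print(f"{route}\n  -> {reason}")
```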

Can't access Cisco ASA 5510 by public IP behind Internet router

Hi Supriya,

As John and Julio suggested, you need to have a gateway IP for the ASA to get on to the Internet in the same broadcast domain as 64.x.x.x. I just want to mention a couple of points.

I quickly checked the RV082 user guide and the router itself is VPN capable (with Linksys VPN client software). You may want to look into that.

If it is mandatory to use the ASA: it appears that both (64 & 69) IP ranges are from the same ISP (Magma comm). You need to talk to the ISP and find out how they routed the new IPs to your location. If this is through the same DSL modem, then at least one IP is reserved as the gateway. You may need to connect your ASA directly to an available port on the DSL modem (if any).

Thx

MS

Can't access Cisco ASA 5510 by public IP behind Internet router

Thank you all for your support.

I talked to the ISP provider and found out that the IPs (block of 16) that we bought are not true static IPs. They're routed through the main router - 69.x.x.x. So, we can't use them as the public IP for the outside interface of the ASA. They can only be used for port forwarding or NATting to the internal IPs of devices.

So, I need to configure the ASA differently to be used in the present network with the existing resources. Maybe I'll NAT one of these IPs to the internal interface of the ASA and configure RAVPN accordingly.

Thanks again.

Supriya

Can't access Cisco ASA 5510 by public IP behind Internet router

Thanks for the update, Supriya. Based on your update, it sounds like the RV082 is provided and managed by the ISP. You know your network requirements better than anyone, but if possible, I would replace the router with the ASA. So the ASA will be your Internet and RAVPN gateway as well. One device to manage and more security. You can even use the existing IP block without any additional IP block.

Thx

MS

Can't access Cisco ASA 5510 by public IP behind Internet router

Hello Supriya,

Yep, looks like MS's advice is a great option here, so you can elaborate the port-forwarding on the ASA, and this will start proxy ARPing the global IP addresses on the NAT.

If you want to leave the network the way it is, you will need to give the ASA's outside interface an IP address of 69.x.x.x.

Regards,

Julio
