Cisco Support Community
New Member

Internal Host Access

I have an MPLS network, with a main site running hosted applications [10.10.x.x/21, Router - 10.10.0.254], and 3 other sites [10.11.x.x/21, 10.12.x.x/21 and 10.13.x.x/21; GW for each router at each site is 10.11.0.254/21, etc.].

I have the 10.10.x.x/21 network behind an ASA 5510. Its inside interface is 10.10.0.252/21. The entire 10.10.x.x/21 network is behind the ASA. None of the other sites can access the hosts on the 10.10.x.x/21, nor can the 10.10.x.x/21 hosts access the other sites.

******************************************************

8 REPLIES
Hall of Fame Super Blue

Re: Internal Host Access

Tom

1) Do the other sites have a route to 10.10.x.x/21?

2) Have you set up access on the ASA? So if you want the whole internal network to be accessible from the remote sites:

static (inside,outside) 10.10.x.x 10.10.x.x netmask 255.255.248.0

and then you need to have an access-list applied to the outside interface of your ASA allowing access eg.

access-list outside_in permit ip 10.11.x.x 255.255.248.0 10.10.x.x 255.255.248.0

etc...

access-group outside_in in interface outside

Note I have used IP in the ACL, but you can tie it down to specific ports/IP addresses if you need to.

Jon
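
Added example, not part of Jon's reply or the original thread: the broad `permit ip` rule from the reply next to a narrowed form of the kind the reply's closing note describes. The interface names, ACL name and subnets come from the thread; the HTTPS service on 10.10.1.16 is an assumed application chosen only for illustration, and the syntax matches the pre-8.3 style of the `static` command above.

```cisco
! Broad form from the reply: "ip" matches every protocol and port
! from the remote site to the whole 10.10.0.0/21 network.
access-list outside_in extended permit ip 10.11.0.0 255.255.248.0 10.10.0.0 255.255.248.0

! Narrowed form (use instead of the line above, not in addition to it).
access-list outside_in remark Remote sites to hosted app (assumed: HTTPS on 10.10.1.16)
access-list outside_in extended permit tcp 10.11.0.0 255.255.248.0 host 10.10.1.16 eq https
access-list outside_in extended permit tcp 10.12.0.0 255.255.248.0 host 10.10.1.16 eq https
access-list outside_in extended permit tcp 10.13.0.0 255.255.248.0 host 10.10.1.16 eq https

! Ping for troubleshooting: echo inbound from a remote site, and
! echo-reply so that replies to pings started from inside hosts are
! allowed back in (only needed when ICMP inspection is not enabled).
access-list outside_in remark ICMP echo for troubleshooting
access-list outside_in extended permit icmp 10.11.0.0 255.255.248.0 10.10.0.0 255.255.248.0 echo
access-list outside_in extended permit icmp 10.11.0.0 255.255.248.0 10.10.0.0 255.255.248.0 echo-reply

! The ACL already ends in an implicit deny; an explicit logged deny
! gives a hit counter in "show access-list" for dropped flows.
access-list outside_in extended deny ip any any log

access-group outside_in in interface outside
```
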

New Member

Re: Internal Host Access

Jon,

Thanks for the reply.

1) Yes all sites have a route to the 10.10.0.0/21.

2) I added the static/acl and no change. I can't even ping.

Hall of Fame Super Blue

Re: Internal Host Access

Could you post the config of the ASA?

Jon

New Member

Re: Internal Host Access

Says it's too many characters...?

Hall of Fame Super Blue

Re: Internal Host Access

If you save it in a notepad or wordpad you should be able to add an attachment to your message.

Or you could try just pasting half of it into one message and the rest into another message.

Jon

New Member

Re: Internal Host Access

Thanks Jon...

Here's my config.

As an FYI, I cannot get the Cisco VPN Client to work either :O)

Hall of Fame Super Blue

Re: Internal Host Access

Tom

Could you give an example of an IP address you are trying to access from a remote site, and what the source IP address is as well? Also, what TCP port you are trying to access on, so:

src IP address =

destination IP address =

Port number =

Jon

New Member

Re: Internal Host Access

Jon, sure...

src IP address = 10.10.1.16

destination IP address = 10.11.0.254

Port number = 0 [STD PING]

The same is true for the opposite.
