
New Member

multiple IPs on ASA 5505 - connection problem

see attached config of my ASA 5505

I can access all 3 internal networks: 200.0 201.0 42.0 and they all access the internet

I get mail on 63.x.y.126\SERVER_MAIL which is the configured IP on vlan2 (WAN)

I can't access other external IPs (SERVER_RU & SERVER_WWW are configured but not accessible)

16 REPLIES

Re: multiple IPs on ASA 5505 - connection problem

Your route entry seems strange:

route inside 192.168.42.0 255.255.255.0 192.168.42.4 1

192.168.42.4 is supposed to be in the same subnet as your inside interface. Also is it possible to post any syslogs for this denied traffic?

You can also run a 'packet-tracer' simulating this traffic coming from the outside interface.

Regards

Farrukh

New Member

Re: multiple IPs on ASA 5505 - connection problem

route inside 192.168.42.0 255.255.255.0 192.168.42.4 1 allows packets from the 192.168.42.x subnet to access the ASA

192.168.42.4 is the core switch that both ASA & the 42 subnet connect to

how do I export the syslog off the ASA?

Re: multiple IPs on ASA 5505 - connection problem

"that both ASA & the 42 subnet connect to"

The ASA has three VLAN interfaces, none of which belong to 192.168.42.x?

Regards

Farrukh

New Member

Re: multiple IPs on ASA 5505 - connection problem

this is how my network is configured:

192.168.42.0/24 <-> Cisco3560 Vlan42 192.168.42.4

192.168.200.0/24 <-> Cisco3560 Vlan200 192.168.200.254 <-> ASA inside=192.168.200.4

192.168.201.0/24 <-> Cisco3560 Vlan201 192.168.201.254

using this, all my LAN traffic goes to the Cisco 3560, which has a default route 0.0.0.0 0.0.0.0 192.168.200.4

this is the part that does not have problems.

in my post I asked about routing traffic coming from the internet into my LAN

the access-list\static combination for inbound smtp is working (using the interface public IP). any other public IP (as in different than the specified interface .126 IP) fails

Re: multiple IPs on ASA 5505 - connection problem

Change this:

route inside 192.168.42.0 255.255.255.0 192.168.42.4 1

To:

route inside 192.168.42.0 255.255.255.0 192.168.200.254

You have a Class C from your ISP?

Regards

Farrukh
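
The point made in the replies above (a static route's gateway has to sit on the subnet of the interface the route names) can be checked mechanically. This is an added example, not part of the thread or the poster's attached config: the interface stanza is constructed from the addresses quoted in the thread, `Vlan1` as the inside VLAN is an assumption, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed interface stanza: the thread gives inside = 192.168.200.4 on a /24.
# "Vlan1" is an assumption; the poster's attached config is not on the page.
SAMPLE_INTERFACE = """\
interface Vlan1
 nameif inside
 ip address 192.168.200.4 255.255.255.0
"""
ROUTE_BEFORE = "route inside 192.168.42.0 255.255.255.0 192.168.42.4 1\n"   # as posted
ROUTE_AFTER = "route inside 192.168.42.0 255.255.255.0 192.168.200.254\n"  # as suggested

def connected_networks(config):
    """Map each nameif to the subnet configured on that interface."""
    nets, nameif = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            nameif = None                      # new stanza, name not seen yet
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif nameif and (m := re.match(r"ip address (\S+) (\S+)", line)):
            nets[nameif] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
    return nets

def check_routes(config):
    """Return (route, ok, reason) for each static route line in the config."""
    nets, results = connected_networks(config), []
    for line in config.splitlines():
        m = re.match(r"\s*route (\S+) \S+ \S+ (\S+)", line)
        if not m:
            continue
        nameif, gateway = m.groups()
        net = nets.get(nameif)
        if net is None:
            ok, reason = False, f"no addressed interface named {nameif}"
        else:
            ok = ipaddress.ip_address(gateway) in net
            reason = f"{gateway} is {'on' if ok else 'not on'} {net}"
        results.append((line.strip(), ok, reason))
    return results

if __name__ == "__main__":
    for cfg in (SAMPLE_INTERFACE + ROUTE_BEFORE, SAMPLE_INTERFACE + ROUTE_AFTER):
        for route, ok, reason in check_routes(cfg):
            print("OK " if ok else "BAD", route, "->", reason)
```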

New Member

Re: multiple IPs on ASA 5505 - connection problem

I have a class C from my ISP: 63.x.y.0/24

.253 & .254 are the ISP routers. .1 is the DG

I use .126 as my MX and a few other IPs for web site and applications

as I said, the main IP is coming in but the others do not

Re: multiple IPs on ASA 5505 - connection problem

Did you change the route?

Change it and run a packet tracer:

packet-tracer input outside tcp 4.4.4.4 1045 63.x.y.110 443 detailed

Regards

Farrukh

New Member

Re: multiple IPs on ASA 5505 - connection problem

I can only make changes after hours.

can you explain what this command would do?

Re: multiple IPs on ASA 5505 - connection problem

You don't need to worry about this command making any changes. It's just a 'diagnostic' command run from enable mode. You don't even have to do 'config t' to run it!

This will simulate the desired traffic flow and tell you WHERE it's failing (NAT, RPF check, ACL, Spoofing etc.)

Regards

Farrukh

New Member

Re: multiple IPs on ASA 5505 - connection problem

I'll try it tonight and come back with the result.

thanks

New Member

Re: multiple IPs on ASA 5505 - connection problem

mistake

New Member

Re: multiple IPs on ASA 5505 - connection problem

this is the correct output (attached file)

Re: multiple IPs on ASA 5505 - connection problem

Output seems perfect and the respective traffic should work.

A next step would be perhaps to capture traffic on the ASA outside interface for these public IPs to see if any traffic 'actually' reaches them from the internet or not.

Regards

Farrukh

New Member

Re: multiple IPs on ASA 5505 - connection problem

how would you do that?

Re: multiple IPs on ASA 5505 - connection problem

New Member

Re: multiple IPs on ASA 5505 - connection problem

I have access to the ISP router (cisco 2800). is there a way to test connectivity from that router to the LAN IPs? (something similar to packet trace)
