Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Routes not being created properly

I am rather new to setting up firewalls. I have an ASA 5510 that I am setting up currently to block all non-web traffic on our firewall except from our office.

I have configured the interfaces but when I run "show route" it only shows the inside route. I have been unable to get any data to pass through the firewall even when I had set the access list to allow all traffic from all sources. There is a small 8 address network on the outside interface connecting to our hosting company. Inside is a public class C. All address are valid Public IPs.

Relevant excerpts From my current config:

interface Ethernet0/0

nameif outside

security-level 0

ip address x.x.226.170 255.255.255.248

!

interface Ethernet0/1

nameif inside

security-level 50

ip address x.x.255.2 255.255.255.0

.........

access-list outside_access_in extended permit ip host x.x.14.30 any

access-list outside_access_in extended permit icmp any any

access-list outside_access_in extended permit tcp any any eq www

.........

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 x.x.226.168 1

When I run the "Show route" command all I get is :

C x.x.255.0 255.255.255.0 is directly connected, inside

There is no mention of the default route or the network connected to the outside interface.

Any help would be greatly appreciated

Thank you,

Chris Buskirk

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Blue

Re: Routes not being created properly

Chris

route outside 0.0.0.0 0.0.0.0 x.x.226.168 1

This can't be the default-gateway because that is the subnet address. So the actual gateway address would have to come from

x.x.226.169 - 174

and you have already used .170 on your ASA outside interface.

Also what is your NAT setup. Lets say you have a server on the inside

195.177.22.10 and you want to give access to this you need the following line in your config

static (inside,outside) 195.177.22.10 195.177.22.10 netmask 255.255.255.255

normally you want NAT a private IP to a public IP but you are using public IP's internally anyway.

Jon

7 REPLIES
Hall of Fame Super Blue

Re: Routes not being created properly

Chris

Just a quick sanity check. Is the outside interface actually up ie. can you ping your upstream gateway.

Jon

Community Member

Re: Routes not being created properly

It's actually disconnected right now. When we had connected it before we could ping it from the hosting company's router. Unfortunately the website is already live so I could not leave the outside interface connected after I failed to configure the firewall properly. Will the route not show when it's disconnected?

Hall of Fame Super Blue

Re: Routes not being created properly

If the interface is down no it will not show up in the routing table and nor will the default-route if that is reachable via the outside interface.

Jon

Community Member

Re: Routes not being created properly

Thank you. That makes sense. As for why I couldn't get data to pass thru before I wanted to check and make sure my settings are right.

My outside route should point to the gateway of the hosting company's router correct?

Above I have listed my access list. Is this correct for allowing all www traffic thru? It seemed before that the website traffic was going out to in but not the other way. Do I need to create an access group for the inside interface to allow users to access our site properly?

It feels like I'm making this setup harder than it should be for a simple flat network but I just can't get it to work.

Thank you,

Chris Buskirk

Hall of Fame Super Blue

Re: Routes not being created properly

Chris

Can we just clarify what you want to do.

1) Do you have web servers on your LAN that you want people on the Internet to access or

2) Do you just want your internal users to be able to connect to web servers on the Internet

If 2) by default all traffic is allowed out so are you looking to restrict what traffic can go out from your LAN.

Lastly you say your internal clients use public addressing - is this addressing assigned to you or not.

In answer to your question

"My outside route should point to the gateway of the hosting company's router correct?"

the answer is yes if when you say hosting company you mean ISP ?

Jon

Community Member

Re: Routes not being created properly

Jon,

I am hosting a public website at on off-site colocation facility. We do have those address assigned and the website is running and accessible right now. I just have the uplink plugged into the backbone switch rather than the Firewall right now.

Previously I had the outside route directed to the IP of the outside interface like I had seen in several examples. I am guessing thats what was causing my problems.

Thank you,

Chris

Hall of Fame Super Blue

Re: Routes not being created properly

Chris

route outside 0.0.0.0 0.0.0.0 x.x.226.168 1

This can't be the default-gateway because that is the subnet address. So the actual gateway address would have to come from

x.x.226.169 - 174

and you have already used .170 on your ASA outside interface.

Also what is your NAT setup. Lets say you have a server on the inside

195.177.22.10 and you want to give access to this you need the following line in your config

static (inside,outside) 195.177.22.10 195.177.22.10 netmask 255.255.255.255

normally you want NAT a private IP to a public IP but you are using public IP's internally anyway.

Jon

146
Views
0
Helpful
7
Replies
CreatePlease to create content