Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1418
Views
0
Helpful
18
Replies

Can not get two interfaces to comunicate on asa 5510

mebernstein
Level 1
Level 1

‎06-15-2009 12:49 PM - edited ‎03-06-2019 06:16 AM

Problem:

I am having problems geting the two interfaces to comunicate with each other. I can ping my Linksys Router from the outside interface of the firewall, but I am unable to do this from the inside interface. Also I heard that I need ACL's. What are they? Do I have to have them? How do you implement them?

Setup:

I currently have a Linksys RV082 connected to two ISP's, connected on the LAN side of that is a Cisco ASA 5510 firewall, connected on the lan side of that is a Cisco 2821 router.

NAT:

Original:

Interface: interior

Source Network: interior:any/0

Destination Network: any

Translated:

Interface: Exterior

Address: interface PAT

Static routes:

Linksys to Firewall:

Destination IP: 192.168.6.0

Subnet mask: 255.255.255.0

Default Gateway: 192.168.0.101

Hop count: 1

Interface: lan

Firewall to Linksys

Exterior 0.0.0.0 0.0.0.0 192.168.0.1 1

IP Addresses:

Inside firewall: 192.168.6.0

Outside firewall: 192.168.0.101

Linksys: 192.168.0.1

Cisco Router Outside: 192.168.6.101

Cisco Router Inside: 192.168.4.0

____________Cisco ASA 5510 Configuration_____________________________

Firewall# show running-config

: Saved

:

ASA Version 7.0(8)

!

hostname Firewall

domain-name default.domain.invalid

enable password 6efABQ2cPmP7OKuA encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

dns-guard

!

interface Ethernet0/0

nameif Interior

security-level 0

ip address 192.168.6.1 255.255.255.0

!

interface Ethernet0/1

nameif Exterior

security-level 100

ip address dhcp setroute

!

interface Ethernet0/2

shutdown

nameif 0

security-level 0

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

ftp mode passive

same-security-traffic permit inter-interface

pager lines 24

logging asdm informational

mtu management 1500

mtu Exterior 1500

mtu Interior 1500

mtu 0 1500

asdm image disk0:/asdm-508.bin

no asdm history enable

arp timeout 14400

global (Exterior) 100 interface

nat (Interior) 100 0.0.0.0 0.0.0.0

nat (Interior) 100 0.0.0.0 0.0.0.0 outside

route Exterior 0.0.0.0 0.0.0.0 192.168.0.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

sysopt noproxyarp 0

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd address 192.168.6.2-192.168.6.10 Interior

dhcpd lease 3600

dhcpd ping_timeout 50

dhcpd enable management

dhcpd enable Interior

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect icmp error

inspect mgcp

inspect pptp

inspect ctiqbe

inspect snmp

inspect http

inspect icmp

inspect ils

!

service-policy global_policy global

Cryptochecksum:ff820992c3c5d0aa4866e518fe0f9766

: end

Labels:
0 Helpful
18 Replies 18

John Blakley
VIP Alumni
VIP Alumni
In response to mebernstein

‎06-16-2009 06:34 AM

I'm assuming that your management station isn't the one that you're trying to get on the internet from, is it? Do you have a workstation on the 192.168.6.0 subnet?

HTH, John *** Please rate all useful posts ***
0 Helpful

mebernstein
Level 1
Level 1
In response to John Blakley

‎06-16-2009 06:38 AM

Not yet but I can put one on if need be. Should I? Currently I do not have a management station on that subnet just the 2821 router(not configured yet). Shouldn't the ping just work with out a management computer on the subnet?

0 Helpful

John Blakley
VIP Alumni
VIP Alumni
In response to mebernstein

‎06-16-2009 06:40 AM

Your nat statements don't cover your management subnet.

Try:

nat (management) 100 0 0

Then ping from your management station outbound.

HTH, John *** Please rate all useful posts ***
0 Helpful

i.va
Level 3
Level 3
In response to John Blakley

‎06-16-2009 07:06 AM

Also: I see your extrior interface is getting an IP from DHCP. Try setting this statically, as well as a static default route pointing to the linksys. The route back from the linksys to the asa should correspong to this config...

Unless you have a static DHCP reservation, the route back from the Linksys to the ASA will not work, since the default gateway (ASA Exterior) IP could change.

"Routing failed to locate next hop for icmp from" tells me the ASA might not be getting an IP and default route via DHCP.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card