Two networks behind ASA

sandrabacic
Level 1

Dear all,

I would appreciate your help with configuring ASA!

At first ASA was configured with inside (192.168.1.0 /24) and outside (NAT, VPN). Default gateway 192.168.1.1.

Recently new network has been added (172.0.0.0 /24) with default gateway 172.0.0.254. This network accesses the Internet via "OTHER ROUTER".

ASA has been configured with static route 172.0.0.0 255.255.255.0 192.168.1.2. However, the two networks are not able to communicate.

Could you please check this out and help me understand the case? Thanks a lot!

[attachment: asa.png]

22 Replies

Latchum Naidu
VIP Alumni

Hi Sandra,

I think the other network is under another interface (dmz), is that right?
If yes, did you configure NAT properly and allow traffic from inside to dmz?

Please rate the helpful posts.
Regards,
Naidu.

Hi!

Thank you for your reply.

The other network (172.0.0.0 /24) is not directly connected to the ASA. Both the ASA and "OTHER ROUTER" are connected to the same switch. I have been searching for a solution and played around with NAT between the two networks (NAT exempt), but this only solves the portmap error in the log.

Have pasted ASA configuration below, please check when you have time.

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address X.X.X.X 255.255.255.248
no ftp mode passive
!
same-security-traffic permit inter-interface
object-group network DM_INLINE_NETWORK_1
 network-object host X.X.X.X
 network-object host X.X.X.X
object-group network DM_INLINE_NETWORK_2
 network-object host X.X.X.X
 network-object host X.X.X.X
object-group network DM_INLINE_NETWORK_3
 network-object host X.X.X.X
 network-object host X.X.X.X
access-list outside_access_in remark Permit traffic from network.com and network.com
access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 host X.X.X.X
access-list outside_access_in remark Permit traffic from network.com and network.com
access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_2 host X.X.X.X
access-list outside_access_in remark Permit traffic from network.com and network.com
access-list outside_access_in extended permit udp object-group DM_INLINE_NETWORK_3 host X.X.X.X
access-list outside_access_in remark Permit traffic from network.com and network.com
access-list outside_access_in remark Permit traffic from network.com and network.com
access-list outside_access_in remark Permit traffic from network.com and network.com
access-list VPN_access remark VPN access
access-list VPN_access extended permit ip any 192.168.1.0 255.255.255.0
access-list VPN_access remark VPN access
access-list VPN_access extended permit tcp any 192.168.1.0 255.255.255.0
access-list VPN_access remark VPN access
access-list VPN_access extended permit udp any 192.168.1.0 255.255.255.0
access-list VPN_access remark VPN access
access-list VPN_access extended permit icmp any 192.168.1.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list inside_nat0_outbound_2 extended permit ip 192.168.1.0 255.255.255.0 172.0.0.0 255.255.255.0
access-list inside_nat0_outbound_2 extended permit ip 172.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_2
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) x.x.x.x 192.168.1.14 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route inside 0.0.0.0 0.0.0.0 192.168.1.1 tunneled
route inside 172.0.0.0 255.255.255.0 192.168.1.2 1
route outside 0.0.0.0 0.0.0.0 x.x.x.x
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http x.x.x.x 255.255.255.0 outside
http x.x.x.x 255.255.255.0 outside
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect icmp
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect tftp
  inspect rtsp
 class class_sip_tcp
  inspect sip

vipinrajrc
Level 3

Hi

Could you please provide the routing tables of both the ASA and the router?

Thanks

Vipin

Thanks and Regards, Vipin

ASA Routing table:

Gateway of last resort is x.x.x.x to network 0.0.0.0

C x.x.x.x 255.255.255.248 is directly connected, outside
C 192.168.1.0 255.255.255.0 is directly connected, inside
C 127.0.0.0 255.255.255.0 is directly connected, _internal_loopback
S 172.0.0.0 255.255.255.0 [1/0] via 192.168.1.2, inside
S* 0.0.0.0 0.0.0.0 [1/0] via x.x.x.x, outside
S 0.0.0.0 0.0.0.0 [255/0] via 192.168.1.1, inside tunneled

Unfortunately, I have no access to "OTHER ROUTER", but I am sure it should look like:

- both networks directly connected
- and default route 0.0.0.0 0.0.0.0 via external port

Thanks!

Maybe an interesting info:

Host 172.0.0.10 with def gw 172.0.0.254 is able to ping both IPs: 192.168.1.1(ASA) and 192.168.1.2 (ROUTER) but is not allowed to communicate with any other machine in ASA internal network.

Hi

Could you please try to reach a host in the 172.x.x.x network after removing NAT 0? I think it is not necessary.

thanks

vipin

Thanks and Regards, Vipin

Hi Vipin Raj,

Without this exempt I had a portmap error in the log; I think this configuration is new and obviously does not help, but I am sure the networks are not able to communicate with or without these commands.

Hi Sandra,

from the host in 192.168.1.0 network, are you able to reach 192.168.1.2?

thanks

vipin

Thanks and Regards, Vipin

Hi,

I think you are able to reach/ping the router IP 192.168.1.2, right? Because it is directly connected.

are you sure the NAT0 is needed?

access-list inside_nat0_outbound_2 extended permit ip 192.168.1.0 255.255.255.0 172.0.0.0 255.255.255.0

access-list inside_nat0_outbound_2 extended permit ip 172.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0


because both 192.168.x.x and 172.x.x.x network are inside of the office, right?

thanks

vipin

Thanks and Regards, Vipin

Hi Sandra,

Where is this new network 172.0.0.0 /24 configured (defined)? Is there any VLAN in another router/switch?
Did you tell the device (where you have defined this new network) to reach 192.168.1.0 /24 through the gateway, like...

ip route 192.168.1.0 255.255.255.0 172.0.0.254 ---> This needs to be configured on the device where this new network is defined.


Please rate the helpful posts.
Regards,
Naidu.

Hi Latchum,

172.0.0.0 /24 is defined on "OTHER ROUTER" and there are no VLANs defined.

Do you really think this is necessary: ip route 192.168.1.0 255.255.255.0 172.0.0.254 ?

192.168.1.0 /24 and 172.0.0.0 /24 are networks directly connected to "OTHER ROUTER".

Thanks!

Hi,

Yes, if it is directly connected, there is no need for the static route. Can you try after removing the NAT 0 commands?

thanks

vipin

Thanks and Regards, Vipin

Hi,

NAT has been removed, with the following error now (communication is still not available):

The NAT in the Rules Table is the one that is happening on the outside interface. So every packet that enters 192.168.1.1 is directly forwarded to outside and to the NAT process. With the above configuration I am saying that if the two networks are communicating, NAT is not needed.

So, removing this NAT configuration does not solve the case.

Hi,

The nat 0 is not needed here, as the traffic shouldn't be NATted: the remote subnet is reachable through the inside interface.

You must add this command:

same-security-traffic permit intra-interface

as well as put a static (inside,inside) to enable hairpinning.

Regards.

Alain

Don't forget to rate helpful posts.
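As an added illustration (not code from any poster in this thread), the following Python replays the ASA routing table Sandra posted through a longest-prefix-match lookup and reports, for a source/destination pair, which interface the ASA expects the packet to arrive on and which interface it will forward it out of. For 192.168.1.0/24 to 172.0.0.0/24 both are `inside`, which is the hairpin (U-turn) case Alain refers to and the reason `same-security-traffic permit intra-interface` is needed. The public addresses masked as x.x.x.x in the post are replaced with documentation-range placeholders (198.51.100.0/29), and the `tunneled` default route is parsed but excluded from lookups because the ASA only uses it for VPN-decrypted traffic.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed from the 'show route' output posted in the thread. The masked
# public addresses (x.x.x.x) are replaced with documentation-range placeholders.
SHOW_ROUTE = """\
Gateway of last resort is 198.51.100.1 to network 0.0.0.0

C 198.51.100.0 255.255.255.248 is directly connected, outside
C 192.168.1.0 255.255.255.0 is directly connected, inside
C 127.0.0.0 255.255.255.0 is directly connected, _internal_loopback
S 172.0.0.0 255.255.255.0 [1/0] via 192.168.1.2, inside
S* 0.0.0.0 0.0.0.0 [1/0] via 198.51.100.1, outside
S 0.0.0.0 0.0.0.0 [255/0] via 192.168.1.1, inside tunneled
"""

# 'C <net> <mask> is directly connected, <iface>'
CONNECTED = re.compile(r"^C\s+(\S+)\s+(\S+)\s+is directly connected,\s+(\S+)")
# 'S[*] <net> <mask> [AD/metric] via <next-hop>, <iface> [tunneled]'
STATIC = re.compile(
    r"^S\*?\s+(\S+)\s+(\S+)\s+\[(\d+)/\d+\]\s+via\s+(\S+),\s+(\S+)(\s+tunneled)?"
)


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    interface: str
    next_hop: Optional[str]  # None for directly connected networks
    distance: int            # administrative distance
    tunneled: bool           # default gateway used only for VPN-decrypted traffic


def parse_show_route(text: str) -> list[Route]:
    """Parse the connected (C) and static (S) lines of ASA 'show route' output."""
    routes = []
    for line in text.splitlines():
        m = CONNECTED.match(line)
        if m:
            net = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
            routes.append(Route(net, m.group(3), None, 0, False))
            continue
        m = STATIC.match(line)
        if m:
            net = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
            routes.append(
                Route(net, m.group(5), m.group(4), int(m.group(3)), bool(m.group(6)))
            )
    return routes


def lookup(routes: list[Route], address: str) -> Optional[Route]:
    """Longest-prefix match, ties broken by lowest administrative distance.
    Tunneled routes are skipped: they only apply to traffic arriving over a VPN."""
    ip = ipaddress.IPv4Address(address)
    candidates = [r for r in routes if ip in r.network and not r.tunneled]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.distance))


def classify(routes: list[Route], src: str, dst: str) -> dict:
    """Ingress is the interface the ASA expects the source on (reverse-path lookup);
    egress comes from the destination lookup. Equal interfaces mean a hairpin."""
    ingress = lookup(routes, src).interface
    egress = lookup(routes, dst)
    return {
        "ingress": ingress,
        "egress": egress.interface,
        "next_hop": egress.next_hop,
        "hairpin": ingress == egress.interface,
    }


if __name__ == "__main__":
    table = parse_show_route(SHOW_ROUTE)
    # 203.0.113.5 is a constructed Internet host (documentation range).
    for src, dst in [("192.168.1.14", "172.0.0.10"),
                     ("172.0.0.10", "192.168.1.14"),
                     ("192.168.1.14", "203.0.113.5")]:
        print(src, "->", dst, classify(table, src, dst))
```

Running it shows that traffic between the two LANs enters and leaves on `inside` (next hop 192.168.1.2 for the 172.0.0.0/24 direction), while Internet-bound traffic exits `outside`; only the first case is a hairpin, which the ASA drops by default without the intra-interface permit.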