Cisco Support Community
Community Member

Using ASA-5510 to route VLAN WLAN connection

Hi Everyone..

I am a complete newbie to Cisco equipment. So far I've been able to figure out how to do most of what I needed by using the ASDM but I have run into something that is a little more complicated than just opening a port.

We currently have a connection to our remote site. This site has a T1 internet connection. Our connection is a site to site VPN with an ASA-5510 on this end and a ASA-5505 on the other.

We are upgrading this connection to a 75mbit hybrid microwave/fiber link. The provider is going to hand it off to us as an untagged VLAN. We made the decision to route all of the remote site's internet access through this location so as to avoid having to split off part of the bandwidth of this link to dedicate to internet access.

We also have an Enterasys B3 Layer 3 switch and on the test bench I believe I have successfully configured this switch to enable the VLANs to communicate with each other and allow the remote site internet access.

The main office uses ip schema 10.0/16 and the remote office uses 10.3/16

However, after giving this more thought, I believe that the ASA-5510 would be better suited to this task.

We have unused Ethernet ports on the device, so how would I configure the ASA to do this?

I am sure I would have to configure the unused port, along with VLAN config and some routing configuration, but I am completely ignorant on how to do this.

Thank You for any help,

Michael

Community Member

Using ASA-5510 to route VLAN WLAN connection

Hello Michael,

If I understand you correctly you have a point to point link between your main site and a remote site and are wanting to route internet traffic for the remote site through the main site utilizing the ASA. (please correct me if I'm wrong)

Depending on the type of point-to-point link (Layer-2 or Layer-3) it would be configured a little bit differently. If it is a layer-3 service your provider will probably assign you addresses to use. If it is a layer-2 service you can use anything that makes sense to you -- a /30 would be the obvious choice. I'm assuming it's a layer-2 service since you mentioned the provider is handing it off as an untagged VLAN.

On both the 5510 and the 5505 you'll want to configure an additional VLAN, the security-level and the IP address.

int vlan <vlan-id>

     nameif point-to-point

     security-level <level>

     ip address x.x.x.1 255.255.255.252

Then associate the VLAN with a physical interface (just like a switch).

int <interface>

     switchport access vlan <vlan-id>

You will also want to enter the global config command to enable traffic between interfaces with the same security level.

same-security-traffic permit inter-interface

Then, add some routes:

Main Office: route point-to-point 10.3.0.0 255.255.0.0 <remote-end-ip>

Remote Office:

     route point-to-point 0.0.0.0 0.0.0.0 <main-end-ip>

Some issues you might run into:

* Make sure your outbound NAT translation includes the remote office's network so your traffic originating from the site will get NAT'd out the WAN connection at the main site. (feel free to post questions if this doesn't make sense).

* If your 5505 is using the base license be careful with how the restricted VLAN is deployed as it can only 'talk to' one other VLAN, but not both. (i.e. if you had inside and outside, the restricted VLAN can either only exchange traffic with the inside VLAN or the outside VLAN, but not both without a manual configuration change).

I had a similar scenario with two 5505's on either end of a layer-2 point-to-point link, we opted for a site-to-site VPN across the point-to-point link as I wasn't overly trusting with the carrier providing the link.

Hope this helps, feel free to post questions for clarity.

Community Member

Re: Using ASA-5510 to route VLAN WLAN connection

Hi Mitchell,

Thank you for your reply..

You mostly have the gist of what I am trying to do, but let me clarify a few things.

Due to the insensitive nature of the data going between the two locations, I am not too worried about security of the connection. In addition, I would like to reduce the overhead by eliminating the VPN.

I believe the connection we are buying/using is a L2 link. We have the option of IP's if we want them, but in this situation I don't believe we need them. Essentially, the link is being handed off to us as an untagged VLAN connection - basically a 300 mile Ethernet cable.

If it weren't for the fact that this is a VLAN connection, I could just plug both ends into a switch on both sides, reconfigure the IP's and gateways on the remote side and be done with it since the remote location needs access to servers at this location.

But since this is a VLAN connection, I realize I will have to configure VLAN interfaces. I can do this with the Enterasys B3 layer 3 switch we have. I have already configured and tested the configuration on the switch. But as I stated, I believe the ASA may be better suited to the job.

Another thing that I forgot to mention is that the remote location also has a 2921 on site. We have dual T1 lines to the remote location. One provides POTS and one provides internet access.  I believe the router is there to service these T1 lines. Unfortunately I don't have any more information on what is there and why. I am new to this company and there isn't any documentation as to the network configuration at either location. I've figured out most of what is going on at this location simply because I am here.

Anyway, I am getting a little off track here. The idea I had was to keep it simple. Since we really don't need a site to site VPN connection, I believe we can eliminate the 5505 at the remote location, and possibly the 2921 depending on what it's being used for.

I envision one end of the VPN link going straight to the switch at the remote location, and one end going to the ASA-5510 at the main office. This way all I have to do is configure the 5510 and we're off to the races. Since there are no IT personnel at the remote location, I will have to get this side mostly set up, then go over there and complete the installation. So I am going to have to keep the transition as seamless as possible in order to reduce the down time as much as possible. I will be able to access the 5510 from the remote location.

But, I am certain you have far more experience than I at getting something like this up and running, so if I am off base, or what I am trying to do is not the best or correct way to do it, please let me know. I'm all ears. It is frustrating being so ignorant about Cisco equipment, but hey, we all had to start somewhere, right?

Thank You,

Michael

Community Member

Re: Using ASA-5510 to route VLAN WLAN connection

Any help here?

Thanks,

Michael

Community Member

Using ASA-5510 to route VLAN WLAN connection

Hello Michael,

Sorry for the delayed response. So no need for the VPN across the point-to-point link - check.

I don't know what kind of timeframe you have to complete the work described above but for me - it's always a must to create a topology diagram, oftentimes it is a lot easier to see where the problem/bottleneck lies simply by creating a document such as this. Also, it might help me assist you (I'm a visual kind of a guy). I took the liberty of creating a quick Visio with what I think you have setup currently and what you are trying to accomplish.

 

To keep things simple, I would terminate the 75Mbit point to point link at the main site into one of the 5510 interfaces, and the other end in one of the 2921 Gig interfaces. Both the 2921 (http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf) and the 5510 (http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html) have the throughput to handle a point to point link of this speed. You would be able to phase out both the ASA5505 and the DS1 at the remote site.

Your previous comment regarding configuring one site then migrating the other site over is correct. You should be able to get everything setup at the main site without affecting existing traffic flow between sites and then travel to the remote site and complete the configuration of the remote site along with the final touches to get internet based traffic routed through the main site.

I think you might be overcomplicating the fact that the point to point link is a "VLAN" connection. Treat it just like you described, a 300 mi ethernet cable. The benefit of using layer 3 addresses at either end of the point to point link is to prevent unnecessary broadcast traffic from traveling over the link.

If you are concerned with throughput for inter-vlan routing at the main site (I don't know how many VLANs you have at the main site) then you would probably want to terminate the point-to-point link at the main site on the switch using a routed port or an unused VLAN, or whatever the equivalents are in Enterasys terms. Using an unused VLAN technically provides greater throughput but the link isn't fast enough to saturate a routed port anyhow so it would be irrelevant.

I'm not familiar with Enterasys (I'll be honest, I've never heard of the company) but to do this on a L3 Cisco switch:

Routed Port: (limited by the speed of the port)

     int gi 1/0/35 (assuming you are connecting the point to point link into port 35)

          no switchport

          ip add 172.30.0.1 255.255.255.252

VLAN: (limited by the speed of the backplane)

     int vlan 4000

          ip add 172.30.0.1 255.255.255.252

          no shut

     int gi 1/0/35 (assuming you are connecting the point to point link into port 35)

          switchport mode access

          switchport access vlan 4000

Hope this helps.

Community Member

Re: Using ASA-5510 to route VLAN WLAN connection

Hello Mitchell,

Thank you for your reply. I apologize for my impatience.

Your diagrams are mostly correct. I don't have Visio to use here, so I drew up my current configuration, the Enterasys B3 switch option and the 5510-2921 link options in Paint.

Below is the current set up. We currently do not have any VLANs configured at all. In reality, even counting both locations we are a fairly small network with approximately 100 workstations, laptops and servers. If you include printers, access points, switches, etc, we have approx 150 total devices on the LAN.

Now, I am not 100% sure of the set up on the remote side regarding the voice T1 line. I believe this is the way it is set up because otherwise I would have no idea why the 2921 was even there since the ASA-5505 should be able to handle the routing for the incoming data T1 line all by itself. However, I could be wrong. It certainly wouldn't be the first time.

Below is the first idea I had as far as keeping it simple. Although the Enterasys switch is routing at a layer 3 level, I believe you are correct in that this is essentially a layer 2 link. I also believe you are correct in that broadcast traffic will travel over the link. Bear in mind that I have already tested this configuration and it worked on my test bench. All I had to do in order to get it to work was to enable RIP on the ASA-5510 and it was working. As long as I configured the gateway IP on the PCs attached to the VLAN interfaces, then both VLANs could communicate freely back and forth - which is what I am after since both networks must share servers.

As a side note, I am aware that I could dedicate more of the B3 ports to VLAN 200 and use the secondary NIC cards in the servers for these ports. But I have no need at this point to keep the VLANs separate, although I know it is an option for the future if I find it necessary to do so.

Below is the second option I was thinking of. Again, I believe you are correct in stating this is a layer 3 link which would isolate the broadcast traffic. What I am confused about is the IP configuration. In your diagram, you have picked an IP of 172.30.0.0/30. I am confused as to why you would select this IP. Maybe I am not thinking about it correctly, but wouldn't the interface on both sides of the connection require its own IP? To use the IP range you selected for example, wouldn't the Ethernet port on the 2921 need to be configured with let's say 172.30.0.10, and then the PCs on the 10.3.0.0/16 network would need 172.30.0.10 configured as a gateway? And vice-versa on the main site side. If the interface on the 5510 was configured as let's say 172.30.0.20 wouldn't the PCs on this side need their gateway set to 172.30.1.20? If so, this would cause Windows machines to complain about the gateway not being on the same subnet as defined by the IP address and subnet. This is why I set the IP's the way I did on the B3 switch experiment.

Am I missing something here?

Long story short, I am looking for the best overall way to set this up while still keeping it relatively simple and keeping the overhead on the link as low as possible.

I realize my inexperience with routing in general and setting up Cisco equipment is a huge handicap for me in this instance. I really appreciate the patience and the assistance. Step by step instructions are a HUGE help for me at this stage of my knowledge.

Thank you very much,

Michael

Community Member

Re: Using ASA-5510 to route VLAN WLAN connection

Hello again,

The last image you included is the closest to what I would implement and what I tried to convey via the Visio diagram I had attached with my previous post. The second image is much simpler, the only difference being that any broadcast traffic generated at the remote site would traverse the point-to-point link - dying at port1 on the Enterasys.

The 172.30.0.0/30 subnet would strictly be for the interfaces that either end of the point to point link are connected to. There is no particular reason I chose this subnet, you were already using 10.x.x.x ranges so throwing in a different IP scheme makes the addresses distinguishable.

You won't need to modify the client configurations at either site, just the configuration on the network equipment/routes, I included a sample IP configuration in the diagram below for a client at each site.

Scenario: (disregard reference to 172.30.0.1 being the Enterasys, I was too lazy to correct it)

On the ASA you would want to enter the following:

asa (config)# int vlan 300                                        //create vlan 300 (assuming vlan 300 is not in use already)

asa (config-if)# nameif point-to-point                         //name the zone/interface

asa (config-if)# security-level 100                              //assign security-level equal to "inside" vlan

asa (config-if)# ip add 172.30.0.1 255.255.255.252      //configure IP address

asa (config-if)# no shut                                             //bring VLAN up

asa (config-if)# int ethernet 0/2                                 //switch to interface config of interface connected to p2p link

asa (config-if)# switchport access vlan 300                  //associate with vlan 300

Return to global config mode:

asa (config)# same-security-traffic permit inter-interface     //permit interfaces with same security level to pass traffic

Add route for the remote network, next hop being 172.30.0.2 (2921)

asa (config)# route point-to-point 10.3.0.0 255.255.0.0 172.30.0.2

You may need to reconfigure your NAT statements (post the output of "sh run nat" from the 5510 for this).

On the 2921:

2921 (config)# int gi0/0                                                    //configure interface connected to point-to-point link

2921 (config-if)# ip add 172.30.0.2 255.255.255.252           //configure ip

2921 (config-if)# no shut                                                  //make sure the interface is up

Add default route so all traffic will get pushed over the point to point link:

2921 (config)#  ip route 0.0.0.0 0.0.0.0 172.30.0.1

Hope this helps.
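The post above describes the design as a set of conditions: the link interface at the same security level as inside, the inter-interface permit, a route for the remote LAN whose next hop is the far end of the /30, and outbound NAT that actually covers 10.3.0.0/16. The checker below, added here as an example and not part of the original post or any Cisco tooling, encodes those conditions and runs them over a constructed ASA 8.4-style configuration. The interface names Inside, Mabton and Outside2 and the remote network 10.3.0.0/16 come from this thread; the NAT line is an assumption, since the 5510 configuration posted later in the thread is cut off before its NAT section. It understands only 8.3+ twice-NAT lines of the form "nat (SRC,DST) source dynamic OBJ ..." and static "route" lines.

```python
# Added example, not from the original post or from Cisco. The config below is constructed,
# modeled on the 5510 config posted later in the thread; the NAT line is an assumption.
import ipaddress
import re

SAMPLE_CONFIG = """\
interface Ethernet0/1
 nameif Outside2
 security-level 0
 ip address 7.7.7.7 255.255.255.240
!
interface Ethernet0/2
 nameif Inside
 security-level 100
 ip address 10.0.1.1 255.255.0.0
!
interface Ethernet0/3
 nameif Mabton
 security-level 100
 ip address 172.30.0.1 255.255.255.252
!
same-security-traffic permit inter-interface
object network obj-10.0.0.0
 subnet 10.0.0.0 255.255.0.0
object network obj-10.3.0.0
 subnet 10.3.0.0 255.255.0.0
nat (Inside,Outside2) source dynamic obj-10.0.0.0 interface
route Mabton 10.3.0.0 255.255.0.0 172.30.0.2 1
"""

def parse_interfaces(cfg):
    """Map nameif -> {"iface", "level", "net"} from the 'interface' blocks."""
    ifaces, cur = {}, None
    for line in cfg.splitlines() + ["!"]:          # sentinel flushes the last block
        tok = line.split()
        if not line.startswith(" "):
            if cur and cur["nameif"]:
                ifaces[cur["nameif"]] = cur
            cur = None
            if tok[:1] == ["interface"]:
                cur = {"iface": tok[1], "nameif": None, "level": None, "net": None}
        elif cur and tok[:1] == ["nameif"]:
            cur["nameif"] = tok[1]
        elif cur and tok[:1] == ["security-level"]:
            cur["level"] = int(tok[1])
        elif cur and tok[:2] == ["ip", "address"]:
            cur["net"] = ipaddress.IPv4Interface(f"{tok[2]}/{tok[3]}")
    return ifaces

def parse_objects(cfg):
    """Map 'object network' names to the subnet they define."""
    objs, name = {}, None
    for line in cfg.splitlines():
        tok = line.split()
        if tok[:2] == ["object", "network"]:
            name = tok[2]
        elif name and tok[:1] == ["subnet"]:
            objs[name] = ipaddress.IPv4Network(f"{tok[1]}/{tok[2]}")
        elif not line.startswith(" "):
            name = None
    return objs

def parse_routes(cfg):
    """Static routes as (interface, destination network, next hop)."""
    out = []
    for m in re.finditer(r"^route (\S+) (\S+) (\S+) (\S+)", cfg, re.M):
        ifname, dst, mask, nh = m.groups()
        out.append((ifname, ipaddress.IPv4Network(f"{dst}/{mask}"), ipaddress.IPv4Address(nh)))
    return out

def check_p2p_design(cfg, inside, p2p, outside, remote_net):
    """Return findings for the design in this thread; an empty list means it checks out."""
    ifaces, remote, findings = parse_interfaces(cfg), ipaddress.IPv4Network(remote_net), []
    missing = [n for n in (inside, p2p, outside) if n not in ifaces]
    if missing:
        return [f"interface(s) not found: {', '.join(missing)}"]
    # 1. Link interface at the same security level as inside, plus the inter-interface permit.
    if ifaces[p2p]["level"] != ifaces[inside]["level"]:
        findings.append(f"{p2p} security-level {ifaces[p2p]['level']} differs from {inside}")
    if "same-security-traffic permit inter-interface" not in cfg.splitlines():
        findings.append("same-security-traffic permit inter-interface is missing")
    # 2. Route to the remote LAN out the link interface; next hop must be the far end of the /30.
    link = ifaces[p2p]["net"]
    net = link.network
    routes = [r for r in parse_routes(cfg) if r[1] == remote]
    if not routes:
        findings.append(f"no route for {remote}")
    for ifname, _, nh in routes:
        if ifname != p2p:
            findings.append(f"route for {remote} uses {ifname}, expected {p2p}")
        if nh not in net or nh in (net.network_address, net.broadcast_address) or nh == link.ip:
            findings.append(f"next hop {nh} is not a usable peer address on {net}")
    # 3. Outbound NAT must match traffic that arrives on the link interface from the remote LAN;
    #    a rule written as nat (Inside,Outside2) does not, whatever its object covers.
    objs = parse_objects(cfg)
    nat_ok = any(src in (p2p, "any") and dst == outside and obj in objs and objs[obj].supernet_of(remote)
                 for src, dst, obj in re.findall(r"^nat \((\S+),(\S+)\) source dynamic (\S+)", cfg, re.M))
    if not nat_ok:
        findings.append(f"no dynamic NAT from {p2p} to {outside} covering {remote}")
    return findings

if __name__ == "__main__":
    args = ("Inside", "Mabton", "Outside2", "10.3.0.0/16")
    for f in check_p2p_design(SAMPLE_CONFIG, *args):
        print("FINDING:", f)
    fixed = SAMPLE_CONFIG + "nat (Mabton,Outside2) source dynamic obj-10.3.0.0 interface\n"
    print("after adding the Mabton NAT rule:", check_p2p_design(fixed, *args) or "clean")
```

On the constructed config the only finding is the missing NAT rule for traffic entering on the link interface, which is exactly the "you may need to reconfigure your NAT statements" caveat above; appending a rule whose source interface is the link interface clears it. Feed the script a redacted "show running-config" instead of SAMPLE_CONFIG to run the same checks against a real box.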

Community Member

Re: Using ASA-5510 to route VLAN WLAN connection

Hello Mitchell,

Ok, I think I now completely understand what you are explaining to me. Sorry for being so dense.

A couple of questions. In your instructions above, which interface should I be configuring vlan300 for? Inside? Or are these global commands?

Also, do you think it would be possible to set up everything on the main office side that needs to be set up before going to the remote site *without* breaking our current VPN connection? It would be far easier to be able to do that since once I start messing with the connection at the remote location I may lose connectivity to the 5510. Although I do plan to take a mobile hotspot with me so I have a backup connection.

The reason I ask is because it seems to be that once I add:

asa (config)# route point-to-point 10.3.0.0 255.255.0.0 172.30.0.2

to the ASA that it will begin to try to route all traffic for the 10.3.0.0/16 network over the point to point interface instead of the Outside interface.

And one last question. Assuming that I am incorrect about the 2921 handling the voice T1, wouldn't it also be possible to use the ASA-5505 instead of the 2921 to achieve the same result?

Thanks,

Michael

Community Member

Re: Using ASA-5510 to route VLAN WLAN connection

Michael,

The information regarding VLANs actually only pertains to the 5505 series as it uses VLANs to separate zones, whereas the 5510 is port based. So - ignore the VLAN300 statement and just issue the commands on the next available interface. You should have one interface named "inside", one named "outside" and one named "point-to-point" (or whatever makes sense to you).

Should look something like this:

asa (config)# int eth 0/2                                      

asa (config-if)# nameif point-to-point                         //name the zone/interface

asa (config-if)# security-level 100                              //assign security-level equal to "inside" vlan

asa (config-if)# ip add 172.30.0.1 255.255.255.252      //configure IP address

asa (config-if)# no shut                                             //bring interface up

In regards to maintaining the VPN configuration until you are ready to cutover:

I would just configure the 5510 to allow management access from the point-to-point connection.

management-access point-to-point

ssh 172.30.0.2 255.255.255.255 point-to-point           //assuming you use SSH to manage the device (host mask, plus the interface the session arrives on)

The commands above should allow you to configure everything at the main site except for the default route you mentioned above. You can then go to the remote site, configure the equipment as necessary, remote into the 5510 at the main site via the point to point link and make the necessary routing changes and tear down the VPN.

Hope this helps.

P.S. - Please rate the posts if you feel they were helpful, it will help people facing a similar issue identify the appropriate solution.

Community Member

Re: Using ASA-5510 to route VLAN WLAN connection

Mitchell,

Okay, thank you for that. I was a little confused by the references to VLAN on the 5510.

I think I have the information I need to get started on this project. This main office equipment has been installed. We are waiting on the remote site to get installed and for the provider to let us know that everything is ready to go..

I will come back and rate these posts after I get everything up and running. If I have more questions I'll post them.

Thanks again for all your help, I really appreciate your time.

Michael

Community Member

Re: Using ASA-5510 to route VLAN WLAN connection

Hi Mitchell..

Ok, I am back.. With more information.

I have pre-configured the ASA-5510 per your instructions. No problems except with the management access. I had to remove management access from the inside interface and reassign it to the point to point interface.

Our connection should be finished and handed off to us tomorrow, which means on Monday I will be at the remote location to do the set up.

I also found out that the Cisco 2921 does not have anything to do with the telephones over there. There is separate equipment for the voice T1. It turns out that the only reason the 2921 is there is to basically convert the T1 into Ethernet.

So that opens up the possibility of using the ASA-5505 instead of the 2921.

This unit has a base license though, so I understand that only 2 VLANs can communicate with each other using this license.

But, since I am going to be shutting down the internet connection there, couldn't I reconfigure it?

The current configuration is as follows:

eth 0/0: Outside, vlan2, Security level 0

eth 0/1: Management, vlan1, security level 50 (This seems to be set up as a DMZ?)

eth 0/2-0/7: Inside, vlan12, security level 100

So what I was thinking is if I reconfigured eth 0/0, set it's security level to 100, then used the same-security-traffic inter-interface command to allow traffic between vlan1 and vlan12.

If I am correct in my thinking, how would I go about doing this? I think I can figure it out by your instructions above, but I'd like to double check just to be on the safe side.

Oh, and one more thing. Do I need the same-security-traffic inter-interface command on the ASA5510 in the remote office also?

Thank You!

Michael

Community Member

Re: Using ASA-5510 to route VLAN WLAN connection

Michael,

Sounds like you have an excellent handle on what you need to do.

Remote Office:

The base license on the 5505 permits 3 VLANs, one of which is restricted, meaning it can talk to one other VLAN but not both. In your case I'm not sure which is playing that role but by default VLAN1 is 'inside', VLAN2 is 'outside' and VLAN3 is 'dmz'. Based on the security levels you mentioned above it sounds like some of that got switched around for some reason, but that is ok!

If you issue a 'sh run int' you should see a line "no forward interface VLAN" on one of the interfaces; this is the line that dictates which interface the one it is configured under is not allowed to communicate with.

For example you might see "no forward interface VLAN12" under VLAN1 on the 5505 at your remote site, this would mean that VLAN1 is your restricted VLAN and that traffic generated on this interface/VLAN can only talk to VLAN2.

If you connected the point to point link to eth0/1, you would set the security-level to match the LAN:

     asa (config-if)# security-level 100

Reconfigure your restricted VLAN (VLAN1) so that it could pass traffic to VLAN12 rather than to VLAN2

     asa (config-if)#no forward interface VLAN2

Allow interfaces with the same security level to pass traffic between one another:

     asa (config)#same-security-traffic permit inter-interface

Then continue with the P2P addressing and routing we discussed in our previous posts.

Main Office:

Yes, you will need the "same-security-traffic permit inter-interface" command on the 5510 as well - please be sure to set the security level of the P2P interface the same as the 'inside' interface.

Hope this helps!

Community Member

Re: Using ASA-5510 to route VLAN WLAN connection


Hi Mitchell,

Yes, this helps a lot.

I had to re-read your post to understand what you are saying, but I got it now. My thought was to reconfigure the "outside" interface, but your suggestion is to reconfigure the "management" interface instead. Two different ways to achieve the same result.

I am nowhere near being an expert, but I think I am slowly starting to wrap my head around these devices and I am becoming slightly more comfortable with the CLI. Now if I just knew the commands and how to use them better I wouldn't feel as lost.

Thanks very much for the help.

Michael

Community Member

Re:Using ASA-5510 to route VLAN WLAN connection

Glad you've got your head around it.

Please rate if it was helpful so people know there is a solution in the topic somewhere.

Community Member

Re: Using ASA-5510 to route VLAN WLAN connection

Hi Mitchell...

Ok.. I am stuck now... I configured both devices, but I cannot get traffic to pass over the link. I have verified that the WAN link is working because I can manage the 5510 from the remote location. When I connect the 5505 to the link, I can ping the 5510 from inside the 5505. But that is all I can do.

The WAN interface on the 5510 side is named Mabton

The WAN interface on the 5505 side is named MountVernon

I configured the 5510 with:

#  route Mabton 10.3.0.0 255.255.0.0 172.30.0.2

I configured the 5505 with:

# route MountVernon 0.0.0.0 0.0.0.0 172.30.0.1

I tried some variables but nothing seems to work. I can paste my running config for you if you'd like.

I am hoping you are available since I am at the remote location and stuck.

Thanks,

Michael

Community Member

Re:Using ASA-5510 to route VLAN WLAN connection

Please post the running configs with the public addresses and credentials redacted.


Community Member

Re: Using ASA-5510 to route VLAN WLAN connection

Hi Mitchell..

Thanks for your reply... Configs pasted below:

-----------------------

Main Location ASA5510 Configuration File

All references to Mabton public IPs have been changed to 5.5.5.5
All references to MountVernon public IPs have been changed to 7.7.7.7

: Saved
:
ASA Version 8.4(2)
!
hostname Riverbend
domain-name Northwesthort.com
enable password xxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxx encrypted
multicast-routing
names
dns-guard
!
interface Ethernet0/0
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/1
nameif Outside2
security-level 0
ip address 7.7.7.7 255.255.255.240
!
interface Ethernet0/2
nameif Inside
security-level 100
ip address 10.0.1.1 255.255.0.0
!
interface Ethernet0/3
nameif Mabton
security-level 100
ip address 172.30.0.1 255.255.255.252
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa842-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup Inside
dns server-group DefaultDNS
domain-name Northwesthort.com
same-security-traffic permit inter-interface
object network obj-7.7.7.7
host 7.7.7.7
object network obj-7.7.7.7
host 7.7.7.7
object network obj-10.0.0.0
subnet 10.0.0.0 255.255.0.0
object network obj-10.3.0.0
subnet 10.3.0.0 255.255.0.0
object network obj-172.20.0.0
subnet 172.20.0.0 255.255.255.128
object network obj-10.0.30.254
host 10.0.30.254
object network obj-10.0.30.253
host 10.0.30.253
object network obj-10.0.30.252
host 10.0.30.252
object network obj-10.0.200.21
host 10.0.200.21
object network obj-10.0.30.250
host 10.0.30.250
object network obj-10.0.30.249
host 10.0.30.249
object network obj-10.0.30.248
host 10.0.30.248
object network obj-10.0.30.247
host 10.0.30.247
object network obj-10.0.30.246
host 10.0.30.246
object network obj-10.0.201.3
host 10.0.201.3
object network obj-10.0.30.242
host 10.0.30.242
object network obj-10.0.30.242-01
host 10.0.30.242
object network obj-10.0.30.241
host 10.0.30.241
object network obj-10.0.30.240
host 10.0.30.240
object network obj-10.0.200.23
host 10.0.200.23
object network obj-10.0.201.2
host 10.0.201.2
object network obj-10.0.201.2-01
host 10.0.201.2
object network obj-10.0.201.2-02
host 10.0.201.2
object network obj-10.0.201.2-03
host 10.0.201.36
object network obj-10.0.201.21
host 10.0.201.21
object network obj-10.0.201.2-04
host 10.0.201.2
object network obj-10.0.201.2-05
host 10.0.201.2
object network obj-10.0.201.2-06
host 10.0.201.2
object network obj-10.0.201.5
host 10.0.201.5
object network obj-10.0.30.245
host 10.0.30.245
object network obj-10.0.30.238
host 10.0.30.238
object network obj-10.0.200.24
host 10.0.200.24
object network obj-10.0.201.7
host 10.0.201.7
object network obj-10.0.201.18
host 10.0.201.18
object network obj-10.0.30.244
host 10.0.30.244
object network obj-10.0.201.6
host 10.0.201.6
object network obj-10.0.200.26
host 10.0.200.26
object network obj-10.0.201.6-01
host 10.0.201.6
object network obj-10.0.200.28
host 10.0.200.28
object network obj-10.0.30.237
host 10.0.30.237
object network obj-10.0.201.34-04
host 10.0.201.34
object network obj-10.0.201.34
host 10.0.201.34
object network obj-10.0.201.35
host 10.0.201.35
object network obj-10.0.201.34-01
host 10.0.201.34
object network obj-10.0.201.34-02
host 10.0.201.34
object network obj-10.0.201.34-03
host 10.0.201.34
object network obj-10.0.201.20
host 10.0.201.20
object network obj-10.0.201.6-02
host 10.0.201.6
object network obj-10.0.30.236
host 10.0.30.236
object network obj-10.0.30.240-01
host 10.0.30.240
object network obj-10.0.201.2-07
host 10.0.201.2
object network obj-10.0.201.21-01
host 10.0.201.21
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj_any-01
subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
host 0.0.0.0
object network obj_any-02
subnet 0.0.0.0 0.0.0.0
object network obj_any-03
subnet 0.0.0.0 0.0.0.0
object network obj_any-04
subnet 0.0.0.0 0.0.0.0
object network obj-10.0.30.235
host 10.0.30.235
object network obj-10.0.201.201
host 10.0.201.201
object network obj-10.0.201.201-01
host 10.0.201.201
object network obj-10.0.30.234
host 10.0.30.234
object network Obj-10.0.32.39
host 10.0.32.39
description ADFS server
object network Obj-10.0.201.36
object network obj-10.0.201.36-2
host 10.0.201.36
object network obj-10.0.201.2-08
host 10.0.201.2
object network obj-10.0.201.2-10
host 10.0.201.2
object network obj-10.0.30.251
host 10.0.30.251
object-group service TSPorts tcp
description Allowed ports for TS traffic
port-object range 3389 3415
port-object range 3416 3420
port-object range 3421 3425
object-group network TSIPS
description IPs allowed Terminal Service Traffic
network-object 10.0.30.224 255.255.255.224
network-object 10.0.200.0 255.255.255.0
network-object 10.0.201.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 10.0.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list Inside_nat0_outbound extended permit ip any 172.20.0.0 255.255.255.128
access-list Outside_cryptomap_20_1 extended permit ip 10.0.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list management_nat0_outbound extended permit ip any 172.20.0.0 255.255.255.128
access-list Outside2_access_out extended permit icmp any any
access-list Outside2_access_out extended permit ip any any
access-list Outside2_access_in extended permit icmp any any
access-list Outside2_access_in extended permit tcp any host 10.0.201.2 eq www
access-list Outside2_access_in extended permit tcp any host 10.0.201.2 eq ftp
access-list Outside2_access_in extended permit tcp 161.165.202.24 255.255.255.248 host 10.0.30.240 eq 4080
access-list Outside2_access_in extended permit tcp host 168.244.164.230 host 10.0.30.240 eq 4080
access-list Outside2_access_in extended permit tcp host 168.244.164.33 host 10.0.30.240 eq 4080
access-list Outside2_access_in extended permit udp any host 10.0.30.241 eq 47825
access-list Outside2_access_in extended permit tcp any host 10.0.201.21 eq www
access-list Outside2_access_in extended deny tcp any host 10.0.201.36 eq smtp
access-list Outside2_access_in extended permit tcp host 63.111.64.75 host 10.0.30.240 eq 4080
access-list Outside2_access_in extended permit udp any host 10.0.201.2 eq 443
access-list Outside2_access_in extended permit tcp any host 10.0.201.2 eq https
access-list Outside2_access_in extended permit tcp any host 10.0.201.6 eq 993
access-list Outside2_access_in extended permit tcp 5.5.5.5 255.255.255.0 host 10.0.30.240 eq 4080
access-list Outside2_access_in extended permit tcp any host 10.0.201.34 eq www
access-list Outside2_access_in extended permit tcp any host 10.0.201.34 eq https
access-list Outside2_access_in extended permit udp any host 10.0.201.34 eq 443
access-list Outside2_access_in extended permit tcp any host 10.0.201.6 eq https
access-list Outside2_access_in extended permit tcp any object-group TSIPS eq 3389
access-list Outside2_access_in extended permit tcp any host 10.0.201.201 eq smtp
access-list Outside2_access_in extended permit tcp any host 10.0.201.36 eq www
access-list Outside2_access_in extended permit tcp any host 10.0.201.36 eq https
access-list Outside2_access_in extended permit tcp any host 10.0.201.2 eq 8083
access-list Outside2_access_in extended permit tcp any host 10.0.201.2 eq 8080
access-list Outside2_access_in extended permit tcp any host 10.0.201.2 eq 8081
access-list Split_Tunnel_List standard permit 10.0.0.0 255.255.0.0
pager lines 24
logging enable
logging buffer-size 8192
logging trap errors
logging history emergencies
logging asdm errors
logging host Inside 10.0.201.4
logging ftp-server 10.0.201.2 /Syslog rb-util3\locsyslog *****
logging class auth history alerts trap errors asdm critical
mtu Outside2 1500
mtu Inside 1500
mtu Mabton 1500
mtu management 1500
ip local pool vpnpool 172.20.0.0-172.20.0.127 mask 255.255.255.128
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
nat (Inside,any) source static obj-10.0.0.0 obj-10.0.0.0 destination static obj-10.3.0.0 obj-10.3.0.0 no-proxy-arp
nat (Inside,any) source static any any destination static obj-172.20.0.0 obj-172.20.0.0
nat (management,Outside2) source static any any destination static obj-172.20.0.0 obj-172.20.0.0
!
object network obj-7.7.7.7
nat (any,Inside) static 10.0.201.21 dns
object network obj-7.7.7.7
nat (any,Inside) static 10.0.201.2 dns
object network obj-10.0.30.254
nat (Inside,Outside2) static 7.7.7.7 service tcp 3389 3395
object network obj-10.0.30.253
nat (Inside,Outside2) static 7.7.7.7 service tcp 3389 3396
object network obj-10.0.30.250
nat (Inside,Outside2) static 7.7.7.7 service tcp 3389 3400
object network obj-10.0.30.249
nat (Inside,Outside2) static 7.7.7.7 service tcp 3389 3401
object network obj-10.0.30.248
nat (Inside,Outside2) static 7.7.7.7 service tcp 3389 3402
object network obj-10.0.30.247
nat (Inside,Outside2) static 7.7.7.7 service tcp 3389 3403
object network obj-10.0.201.3
nat (Inside,Outside2) static 7.7.7.7 service tcp 3389 3391
object network obj-10.0.30.242
nat (Inside,Outside2) static 7.7.7.7 service tcp 3389 3407
object network obj-10.0.30.242-01
nat (Inside,Outside2) static 7.7.7.7 service udp 47825 47825
object network obj-10.0.30.241
nat (Inside,Outside2) static 7.7.7.7 service tcp 3389 3408
object network obj-10.0.30.240
nat (Inside,Outside2) static 7.7.7.7 service tcp 4080 4080
object network obj-10.0.200.23
nat (Inside,Outside2) static 7.7.7.7 service tcp 3389 3394
object network obj-10.0.201.2
nat (Inside,Outside2) static 7.7.7.7 service tcp 3389 3393
object network obj-10.0.201.2-02
nat (Inside,Outside2) static 7.7.7.7 service tcp www www
object network obj-10.0.201.2-03
nat (Inside,Outside2) static 7.7.7.7 service tcp smtp smtp
object network obj-10.0.201.21
nat (Inside,Outside2) static 7.7.7.7 service tcp www www
object network obj-10.0.201.2-04
nat (Inside,Outside2) static 7.7.7.7 service tcp 8083 8083
object network obj-10.0.201.2-05
nat (Inside,Outside2) static 7.7.7.7 service tcp https https
object network obj-10.0.201.2-06
nat (Inside,Outside2) static 7.7.7.7 service udp 443 443
object network obj-10.0.201.5
nat (Inside,Outside2) static 7.7.7.7 service tcp 3389 3418
object network obj-10.0.30.245
nat (Inside,Outside2) static 7.7.7.7 service tcp 3389 3410
object network obj-10.0.30.238
nat (Inside,Outside2) static 7.7.7.7 service tcp 3389 3411
object network obj-10.0.201.7
nat (Inside,Outside2) static 7.7.7.7 service tcp 3389 3390
object network obj-10.0.201.18
nat (Inside,Outside2) static 7.7.7.7 service tcp 3389 3392
object network obj-10.0.30.244
nat (Inside,Outside2) static 7.7.7.7 service tcp 3389 3405
object network obj-10.0.201.6
nat (Inside,Outside2) static 7.7.7.7 service tcp 3389 3413
object network obj-10.0.201.6-01
nat (Inside,Outside2) static 7.7.7.7 service tcp 993 993
object network obj-10.0.30.237
nat (Inside,Outside2) static 7.7.7.7 service tcp 3389 3416
object network obj-10.0.201.34-04
nat (Inside,Outside2) static 7.7.7.7 service tcp 3389 3417
object network obj-10.0.201.35
nat (Inside,Outside2) static 7.7.7.7 service tcp 3389 3419
object network obj-10.0.201.34-01
nat (Inside,Outside2) static 7.7.7.7 service tcp www www
object network obj-10.0.201.34-02
nat (Inside,Outside2) static 7.7.7.7 service tcp https https
object network obj-10.0.201.34-03
nat (Inside,Outside2) static 7.7.7.7 service udp 443 443
object network obj-10.0.201.20
nat (Inside,Outside2) static 7.7.7.7 service tcp 3389 3420
object network obj-10.0.201.6-02
nat (Inside,Outside2) static 7.7.7.7 service tcp https https
object network obj-10.0.30.236
nat (Inside,Outside2) static 7.7.7.7 service tcp 3389 3421
object network obj-10.0.30.240-01
nat (Inside,Outside2) dynamic 7.7.7.7
object network obj-10.0.201.2-07
nat (Inside,Outside2) dynamic 7.7.7.7 dns
object network obj-10.0.201.21-01
nat (Inside,Outside2) dynamic 7.7.7.7 dns
object network obj_any
nat (Inside,Outside2) dynamic 7.7.7.7
object network obj_any-01
nat (Inside,Outside2) dynamic obj-0.0.0.0
object network obj_any-02
nat (Mabton,Outside2) dynamic obj-0.0.0.0
object network obj_any-03
nat (management,Outside2) dynamic 7.7.7.7
object network obj_any-04
nat (management,Outside2) dynamic obj-0.0.0.0
object network obj-10.0.201.201-01
nat (Inside,Outside2) dynamic 7.7.7.7
object network obj-10.0.30.234
nat (Inside,Outside2) static 7.7.7.7 service tcp 3389 3423
object network obj-10.0.201.36-2
nat (Inside,Outside2) static 7.7.7.7 service tcp https https
object network obj-10.0.201.2-08
nat (Inside,Outside2) static 7.7.7.7 service tcp 8080 8080
object network obj-10.0.201.2-10
nat (Inside,Outside2) static 7.7.7.7 service tcp 8081 8081
object network obj-10.0.30.251
nat (Inside,Outside2) static 7.7.7.7 service tcp 3389 3399
access-group Outside2_access_in in interface Outside2
access-group Outside2_access_out out interface Outside2
route Outside2 0.0.0.0 0.0.0.0 7.7.7.7 2
route Mabton 10.3.0.0 255.255.0.0 172.30.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server nwhort protocol radius
aaa-server nwhort (Inside) host 10.0.200.10
key *****
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.0 255.255.0.0 Inside
http 172.30.0.0 255.255.255.252 Mabton
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp Inside
auth-prompt prompt Hello
auth-prompt accept Done Good
auth-prompt reject Sorry Pal
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map Outside_dyn_map 20 set ikev1 transform-set ESP-DES-MD5
crypto dynamic-map Outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map Outside2_dyn_map 20 set ikev1 transform-set ESP-DES-MD5
crypto dynamic-map Outside2_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map Outside2_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto map Outside_map 20 match address Outside_cryptomap_20_1
crypto map Outside_map 20 set pfs
crypto map Outside_map 20 set peer 5.5.5.5
crypto map Outside_map 20 set ikev1 transform-set ESP-3DES-SHA
crypto map Outside_map 20 set security-association lifetime seconds 28800
crypto map Outside_map 20 set security-association lifetime kilobytes 4608000
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside2
crypto map Outside2_map 65535 set security-association lifetime seconds 28800
crypto map Outside2_map 65535 set security-association lifetime kilobytes 4608000
crypto isakmp identity address
no crypto isakmp nat-traversal
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
telnet 10.0.0.0 255.255.0.0 Inside
telnet 10.3.0.0 255.255.0.0 Inside
telnet 172.30.0.0 255.255.255.252 Mabton
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 30
ssh timeout 5
console timeout 0
management-access Mabton
dhcpd ping_timeout 750
!
dhcpd address 7.7.7.7-7.7.7.7 Outside2
dhcpd option 3 ip 7.7.7.7 interface Outside2
dhcpd enable Outside2
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.0.201.7 source Inside prefer
tftp-server Inside 10.0.30.254 ASAConfig
webvpn
group-policy DfltGrpPolicy attributes
group-policy vpnclient internal
group-policy vpnclient attributes
wins-server value 10.0.201.7
dns-server value 10.0.200.25
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
default-domain value nwhort.local
group-policy vpnclient2 internal
group-policy vpnclient2 attributes
wins-server value 10.0.201.7
dns-server value 10.0.201.7
default-domain value nwhort.local
username scottr password RPA.iVy/Gb2zvItH encrypted
username scottr attributes
vpn-group-policy vpnclient
tunnel-group 5.5.5.5 type ipsec-l2l
tunnel-group 5.5.5.5 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group vpnclient type remote-access
tunnel-group vpnclient general-attributes
address-pool vpnpool
default-group-policy vpnclient
tunnel-group vpnclient ipsec-attributes
ikev1 pre-shared-key *****
ikev1 user-authentication none
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
policy-map global_policy
class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect dns migrated_dns_map_1
  inspect ip-options
  inspect esmtp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:c44d3dbd88396d10282c7ff09c790111
: end
asdm image disk0:/asdm-645.bin
asdm location 172.20.0.0 255.255.255.128 Outside2
no asdm history enable

---------------------------------

Remote Location ASA5505 Configuration File

All references to Mabton public IPs have been changed to 5.5.5.5
All references to MountVernon public IPs have been changed to 7.7.7.7


: Saved
:
ASA Version 8.0(4)
!
hostname Mabton
domain-name northwesthort.com
enable password xxxxxxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxx encrypted
names
!
interface Vlan1
no forward interface Vlan2
nameif MountVernon
security-level 100
ip address 172.30.0.2 255.255.255.252
!
interface Vlan2
shutdown
nameif outside
security-level 0
ip address 5.5.5.5 255.255.255.248
!
interface Vlan12
nameif inside
security-level 100
ip address 10.3.1.2 255.255.0.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 12
!
interface Ethernet0/3
switchport access vlan 12
!
interface Ethernet0/4
switchport access vlan 12
!
interface Ethernet0/5
switchport access vlan 12
!
interface Ethernet0/6
switchport access vlan 12
!
interface Ethernet0/7
switchport access vlan 12
!
boot system disk0:/asa804-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name northwesthort.com
same-security-traffic permit inter-interface
access-list outside_access_out extended permit tcp 10.3.0.0 255.255.0.0 any eq www inactive
access-list outside_access_out extended permit tcp 10.3.0.0 255.255.0.0 any eq ftp inactive
access-list outside_access_out extended permit icmp any any inactive
access-list outside_access_out extended permit ip any any inactive
access-list outside_access_in extended permit icmp any any inactive
access-list outside_access_in extended permit tcp any host 5.5.5.5 range 3390 3392 inactive
access-list outside_access_in extended permit tcp any host 5.5.5.5 eq 3390 inactive
access-list outside_1_cryptomap extended permit ip 10.3.0.0 255.255.0.0 10.0.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.3.0.0 255.255.0.0 10.0.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu MountVernon 1500
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
global (outside) 10 5.5.5.5
nat (MountVernon) 10 0.0.0.0 0.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) tcp 5.5.5.5 47809 10.3.31.253 47809 netmask 255.255.255.255
static (inside,outside) udp 5.5.5.5 47809 10.3.31.253 47809 netmask 255.255.255.255
static (inside,outside) tcp 5.5.5.5 3391 10.3.31.251 3389 netmask 255.255.255.255
static (inside,outside) tcp 5.5.5.5 3392 10.3.31.250 3389 netmask 255.255.255.255
static (inside,outside) tcp 5.5.5.5 3390 10.3.201.18 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
route MountVernon 0.0.0.0 0.0.0.0 172.30.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
reval-period 36000
sq-period 300
http server enable
http 10.3.0.0 255.255.255.255 inside
http 10.0.0.0 255.0.0.0 inside
http 192.168.1.0 255.255.255.0 MountVernon
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outsid_map 1 set pfs
crypto map outsid_map 1 set security-association lifetime seconds 28800
crypto map outsid_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 7.7.7.7
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
no crypto isakmp nat-traversal
telnet 192.168.1.0 255.255.255.0 MountVernon
telnet 10.3.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server inside 10.3.201.18 /asa.cfg
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol l2tp-ipsec webvpn
nac-settings value DfltGrpPolicy-nac-framework-create
webvpn
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  customization value DfltCustomization
tunnel-group 7.7.7.7 type ipsec-l2l
tunnel-group 7.7.7.7 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b2834b4f750df909e5e0450971eba2bf
: end
asdm image disk0:/asdm-647.bin
no asdm history enable

----------------

Community Member

Re: Using ASA-5510 to route VLAN WLAN connection

Update:

From inside the 5505, I can ping random 10.0.0.0/16 addresses inside the Mount Vernon network, except for 10.0.1.1, which is the 5510 gateway IP. That is to be expected I suppose.

But I can't ping 10.0.0.0/16 addresses from the 10.3.0.0/16 network.

Unfortunately I can't try it the other way around since I can't seem to be able to connect to my main office desktop using RDP over my cell connection.

Which leads me to believe the routing issue is on the Mabton side.

Michael

Community Member

Re: Using ASA-5510 to route VLAN WLAN connection

Michael,

I think the issue is related to the VPN configuration still being present. I think the NAT statements are unnecessarily NATing the traffic.

Back up the configs and remove the tunnel-group statements on both ends, along with the nat exemption statements. I would test to make sure you have inter-site connectivity before worrying about the internet access via the main site; you will need to add a NAT statement to get that working (see below).

object net obj-10.3.0.0
 nat (mabton,outside2) dynamic interface
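As an added example (not from this thread or from Cisco), the script below audits an ASA 8.4-style config excerpt for the three things the answer above points at: a crypto map still bound to an interface and selecting 10.3.0.0/16, the identity twice-NAT (nat exemption) rule that still references the remote subnet, and the missing dynamic PAT from Mabton to Outside2. The config excerpt is constructed from the posted 5510 config, and the function names and the "fixed" excerpt are my own assumptions about the cleanup, not the poster's final config.

```python
import ipaddress

# Constructed excerpt in the style of the 5510 config posted above (not the full config).
SAMPLE_CONFIG = """\
object network obj-10.0.0.0
 subnet 10.0.0.0 255.255.0.0
object network obj-10.3.0.0
 subnet 10.3.0.0 255.255.0.0
access-list Outside_cryptomap_20_1 extended permit ip 10.0.0.0 255.255.0.0 10.3.0.0 255.255.0.0
nat (Inside,any) source static obj-10.0.0.0 obj-10.0.0.0 destination static obj-10.3.0.0 obj-10.3.0.0 no-proxy-arp
route Outside2 0.0.0.0 0.0.0.0 7.7.7.7 2
route Mabton 10.3.0.0 255.255.0.0 172.30.0.2 1
crypto map Outside_map 20 match address Outside_cryptomap_20_1
crypto map Outside_map interface Outside2
"""

# Same excerpt after the fix from the thread (assumed): VPN entries and nat exemption removed,
# dynamic PAT for 10.3.0.0/16 out Outside2 added.
FIXED_CONFIG = "\n".join(
    l for l in SAMPLE_CONFIG.splitlines()
    if not l.startswith(("crypto map", "nat (Inside,any)"))
) + "\nobject network obj-10.3.0.0\n nat (Mabton,Outside2) dynamic interface\n"


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _acl_addr(t, i):
    """Parse one ACE address starting at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return _net(t[i], t[i + 1]), i + 2


def parse_config(text):
    """Pull out only what the audit needs: objects, routes, ACLs, NAT and crypto-map bindings."""
    cfg = {"routes": [], "objects": {}, "acls": {}, "twice_nat": [],
           "object_nat": [], "crypto_if": {}, "crypto_acl": {}}
    obj = None  # name of the 'object network' block currently open
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:2] == ["object", "network"]:
            obj = t[2]
        elif t[0] == "subnet" and obj:
            cfg["objects"][obj] = _net(t[1], t[2])
        elif t[0] == "nat" and t[2] == "source":  # twice NAT (top level)
            real_if, mapped_if = t[1].strip("()").split(",")
            identity = t[4] == t[5] and t[8] == t[9]
            cfg["twice_nat"].append((real_if, mapped_if, t[8], identity))
        elif t[0] == "nat" and obj:  # object NAT, indented under the object
            real_if, mapped_if = t[1].strip("()").split(",")
            cfg["object_nat"].append((obj, real_if, mapped_if, t[2]))
        elif t[0] == "route":
            cfg["routes"].append((t[1], _net(t[2], t[3]), t[4]))
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, i = _acl_addr(t, 5)
            dst, _ = _acl_addr(t, i)
            cfg["acls"].setdefault(t[1], []).append((src, dst))
        elif t[:2] == ["crypto", "map"] and t[3] == "interface":
            cfg["crypto_if"][t[2]] = t[4]
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            cfg["crypto_acl"][t[2]] = t[6]
    return cfg


def egress_interface(cfg, dst):
    """Longest-prefix match over the static routes, as the ASA routing table would do."""
    dst = ipaddress.ip_address(dst)
    hits = [r for r in cfg["routes"] if dst in r[1]]
    return max(hits, key=lambda r: r[1].prefixlen)[0] if hits else None


def audit_remote_subnet(cfg, remote, wan_if, internet_if):
    """Findings: wrong egress, stale VPN selection, leftover nat exemption, missing PAT."""
    remote = ipaddress.ip_network(remote)
    objs = cfg["objects"]
    findings = []
    egress = egress_interface(cfg, str(remote.network_address))
    if egress != wan_if:
        findings.append(f"route: {remote} egresses via {egress}, expected {wan_if}")
    for name, acl in cfg["crypto_acl"].items():
        bound = cfg["crypto_if"].get(name)
        if bound and any(d.overlaps(remote) for _, d in cfg["acls"].get(acl, [])):
            findings.append(f"vpn: crypto map {name} on {bound} still selects {remote} via {acl}")
    for real_if, mapped_if, dst_obj, identity in cfg["twice_nat"]:
        if identity and dst_obj in objs and objs[dst_obj].overlaps(remote):
            findings.append(f"nat-exemption: identity NAT ({real_if},{mapped_if}) still references {remote}")
    has_pat = any(kind == "dynamic" and r == wan_if and m == internet_if and o in objs
                  and objs[o].overlaps(remote) for o, r, m, kind in cfg["object_nat"])
    if not has_pat:
        findings.append(f"nat: no dynamic PAT ({wan_if},{internet_if}) for {remote}")
    return findings
```

Running the audit on the posted-style excerpt reports all three leftovers; on the fixed excerpt it reports nothing.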

Community Member

Re: Using ASA-5510 to route VLAN WLAN connection

Hi Mitchell..

You rock!

After removing the VPN entries on both ends I was able to ping machines from either network.

I added the NAT statement above and now the remote location has internet access.

I am curious though.. I disabled the VPN connections on their respective interfaces using ASDM. Shouldn't that have worked without having to delete the VPN entries?

Now I just need to add the NAT rules that were on the 5505 to the 5510 and I am all set. If I have trouble with that I will revisit this thread so don't unsubscribe just yet.

Thanks so much!

Michael

Community Member

Re: Using ASA-5510 to route VLAN WLAN connection

Great!

I can't comment on the ASDM as I don't use it unless I absolutely have to.

Community Member

Re: Using ASA-5510 to route VLAN WLAN connection

Hi Mitchell...

No worries.. It's just something I was curious about.

Ok, I do have one more question though. The 5505 is running an old ASA version - 8.0.

The newest version is 8.4.4ED. Should I install this version or should I just leave well enough alone?

Do I have to install each interim version between what I have now and this one or can I just go straight to the newest version?

Will upgrading the software break my configuration?

Thanks,

Michael

Community Member

Re: Using ASA-5510 to route VLAN WLAN connection

Good question. I would update the 5505 to match the 5510.

I would back up the image and the config just to be safe, but the update should convert the config for you and there is no need to upgrade to interim releases.

Sent from Cisco Technical Support Android App

Community Member

Re: Using ASA-5510 to route VLAN WLAN connection

Hi Mitchell..

One more question if you don't mind.

I am at the remote location and everything seems to be working very well.

One exception.

I have a dns entry to allow inside machines to access our forward facing web site by using the internal IP.

That has always worked just fine. Unfortunately it is not working from the remote site any longer. It still works from the main site though.

If I nslookup our website address, it resolves correctly to the internal IP at both locations.

But if you ping the address from the remote site only, it resolves to our outside address and there is no reply. Of course trying to access it from a browser does not work either.

I suspect that is because all of the internet traffic is getting routed to the Outside interface on the 5510 at the remote location.

Is there a way for me to fix this?

Thanks,

Michael
