10-29-2006 07:44 PM
I have linked my asa5520 as:
cat6(access port) -> (outside)ASA5520
cat6 (trunk port) -> (inside)-> vlan101 and vlan 102
configure asa5520 as:
interface GigabitEthernet0/0
nameif inside
security-level 100
no ip address
!
interface GigabitEthernet0/0.101
vlan 101
no nameif
no security-level
ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/0.102
vlan 102
no nameif
no security-level
ip address 10.1.2.1 255.255.255.0
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 10.1.3.9 255.255.255.0
on the cat6, I have add static route:
ip route 10.1.1.0 255.255.255.0 10.1.3.0
Since I do not want to use a routing protocol (OSPF/RIP), can I use a static route? If so, how can I do it?
Any comments will be appreciated.
Thanks in advance
10-30-2006 05:18 PM
I think your static route on the Cat6 should point to a specific next-hop IP of 10.1.3.x instead of 10.1.3.0 (this is the subnet ID).
Anyway, you can always use static routes on the ASA. It does support OSPF/RIP.
To configure a static route on the ASA to go out to the Cat6, use (example):
route outside 0.0.0.0 0.0.0.0 10.1.3.1, or
route outside 10.1.1.0 255.255.255.0 10.1.3.1
*assuming 10.1.3.1 is your Cat6 VLAN interface IP facing the ASA outside interface
or, from the Cat6, route to the ASA inside VLAN 101:
ip route 10.1.1.0 255.255.255.0 10.1.3.9
But the other condition to be met is that you must configure static NAT for the inside VLAN101 to talk to the outside segment, like:
static (inside,outside) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
This will allow users/hosts from outside/Cat6 side to talk to inside Vlan101 hosts.
HTH
AK
10-30-2006 06:49 PM
Yes, you are right. I changed it and my ping packets can reach the asa5520, but it bounces because it denies inbound ICMP.
Great thanks for the help. Since you are online, could you please advise me how I can remove the deny for ICMP?
The security level is 0 already. I thought it should allow all traffic to pass?
Many Regards
10-30-2006 09:31 PM
By default, PIX/ASA will deny incoming access/ICMP from outside (lower security) to inside/higher security level interfaces.
You need to open/use an ACL to allow inbound ICMP/ping from outside to inside, i.e. to your VLAN101. Do the following:
General
access-list outside extended permit icmp any any ---> permit any icmp type
access-group outside in interface outside
Ping to specific host:
- you need to map the inside host to an outside IP, so that outside users/hosts can ping it. Use the static command.
Example - map vlan101 host 10.1.1.12 to unused outside IP of 10.1.3.40
static (inside,outside) 10.1.3.40 10.1.1.12 netmask 255.255.255.255
access-list outside extended permit icmp any host 10.1.3.40 --> allow
access-group outside in interface outside
or you can specify who can ping to specific destination:
access-list outside extended permit icmp host 10.1.3.100 host 10.1.3.40
access-group outside in interface outside
Note:
- replace the keyword 'outside' with any name/number
- you can narrow the ICMP type, i.e. echo, echo-reply and so on. Add it at the end of the ACL.
HTH
AK
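Pulling the thread's pieces together, an added example (not posted by anyone in the thread) of one consistent ASA 7.x configuration for this topology. The sub-interface names, the Cat6 next hop 10.1.3.1 and the 10.1.3.0/24 source range are assumptions; it also gives the sub-interfaces a nameif, since an ASA interface without one forwards no traffic, and keeps the ICMP rule limited to echo toward the single host rather than permitting any ICMP.

```cisco
! Added example (not from the thread): one consistent ASA 7.x configuration
! for the topology above. Interface names, the Cat6 next hop 10.1.3.1 and the
! 10.1.3.0/24 source range are assumptions.
interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
!
! A sub-interface forwards nothing until it has a nameif and security-level.
interface GigabitEthernet0/0.101
 vlan 101
 nameif vlan101
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/0.102
 vlan 102
 nameif vlan102
 security-level 100
 ip address 10.1.2.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 10.1.3.9 255.255.255.0
!
! Two inside VLANs share level 100, so allow them to reach each other.
same-security-traffic permit inter-interface
!
! Static routing only: a default route to the Cat6 SVI. 10.1.1.0/24 and
! 10.1.2.0/24 are directly connected and need no route statements.
route outside 0.0.0.0 0.0.0.0 10.1.3.1
!
! Forward without translation (no static/nat rules are needed in this mode).
no nat-control
!
! Permit only ICMP echo to the one production host; return echo-replies
! are tracked by ICMP inspection, so no second rule is needed.
access-list outside extended permit icmp 10.1.3.0 255.255.255.0 host 10.1.1.12 echo
access-group outside in interface outside
policy-map global_policy
 class inspection_default
  inspect icmp
!
! On the Cat6 (IOS), point the inside subnets at the ASA outside address.
! ip route 10.1.1.0 255.255.255.0 10.1.3.9
! ip route 10.1.2.0 255.255.255.0 10.1.3.9
```

Widen the ACL source to `any` only if every outside host genuinely must reach 10.1.1.12; with `no nat-control` the `static (inside,outside)` identity mapping from the earlier reply is not required for the traffic to pass.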
11-11-2006 07:54 AM
Great thanks for the reply.
I cannot use NAT; I have used "no nat-control".
I need any outside machine to be able to ping the inside machine 10.1.1.12, and I need 10.1.1.0 to be seen from outside (not the Internet).
Basically, I need to make the asa5520 act as a router, because I cannot change the inside machines' IP addresses since they are in production.
I need to add the asa5520 into the current infrastructure with no firewall first, and then think about the firewall.
Please advise how I can achieve it.