Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA 5510 Static route

Hello,

i have a asa 5510 device

int0 is connected to ISP1

int1 is connected to lan (10.100.100.0/255.255.255.0)

ASA is configured to nat(PAT) lan.

what is the problem:

i need to configure asa to route all traffic to lan 10.10.0.0/255.255.0.0 through 10.100.100.1.

i configure on device a static route:

route inside 10.10.0.0 255.255.0.0 10.100.100.1 1

the problem is if i ping 10.10.1.1 which is a valid host the asa report portmap translation creation failed for icmp source inside dst inside 10.10.1.1

if i put on a computer the gw 10.100.100.1 and i ping 10.10.1.1 it works.

thx

6 REPLIES

Re: ASA 5510 Static route

Can you post a sanitized config?

New Member

Re: ASA 5510 Static route

: Saved

:

ASA Version 7.2(3)

!

hostname ASA

domain-name car.ro

enable password xxxxxxx encrypted

names

name 80.xx.xx.70 AdrsPublica

name 10.100.100.61 ITManager

name 80.xx.xx.65 Router2821

!

interface Ethernet0/0

nameif WAN1

security-level 0

ip address 80.xx.xx.66 255.255.255.224

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 10.100.100.3 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

passwd xxxxxxxxxxxxxx encrypted

ftp mode passive

clock timezone EEST 2

clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00

dns server-group DefaultDNS

domain-name car.ro

same-security-traffic permit intra-interface

access-list WAN1_access_in extended permit ip host Router2821 host 80.xx.xx.71 log emergencies

access-list inside_access_in extended permit ip 10.100.100.0 255.255.255.0 any

access-list inside_access_in extended permit ip 10.10.0.0 255.255.0.0 10.100.100.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu WAN1 1500

mtu inside 1500

mtu management 1500

ip verify reverse-path interface WAN1

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-523.bin

no asdm history enable

arp timeout 14400

nat-control

global (WAN1) 101 interface

global (WAN1) 120 80.xx.xx.71 netmask 255.255.255.255

nat (inside) 101 10.100.100.0 255.255.255.0

static (inside,WAN1) udp 80.xx.xx.71 tftp ITManager tftp netmask 255.255.255.255

access-group WAN1_access_in in interface Idilis

access-group inside_access_in in interface inside

route WAN1 0.0.0.0 0.0.0.0 Router2821 1

route inside 10.10.0.0 255.255.0.0 10.100.100.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 192.168.1.0 255.255.255.0 management

http 10.100.100.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet 10.100.100.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

management-access management

dhcpd address 192.168.1.2-192.168.1.254 management

!

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect icmp

!

service-policy global_policy global

username alex password xxxxxxxxxxxxxxxxxxxxxxxxx encrypted privilege 15

prompt hostname context

Cryptochecksum:xxx

: end

asdm image disk0:/asdm-523.bin

no asdm history enable

Green

Re: ASA 5510 Static route

The problem here is you are attempting to hairpin the traffic on the inside interface. You were right by adding the same-security-traffic permit intra-interface command but you need a little more.

Add...

static (inside,inside) 10.10.0.0 10.10.0.0 netmask 255.255.0.0

global (inside) 101 interface

Adding the global statement with the corresponding nat statement will ensure the reply from the 10.10.0.0 network will be routed back to the inside of the ASA, which will then be routed back to the source 10.100.100.x.

New Member

Re: ASA 5510 Static route

done work

THX

Green

Re: ASA 5510 Static route

Does that mean it worked or it did not work? I hope it did.

New Member

Re: ASA 5510 Static route

it worked

Thank you very much

But i have another question

I have 2 ISP.

I want to configure the int 0/3 with an ip address from the second provider. The allocated ip address is 82.76.xx.xx/255.255.255.0. the dns form this provider is 193.231.236.xx. i want to config the asa to nat all request that go to dns(193.231......)through 82.76.xx.xx

it is possible?

thank you

2224
Views
5
Helpful
6
Replies