ASA 5510 Static route

midocarsrl
Level 1

Hello,

I have an ASA 5510 device.

int0 is connected to ISP1.

int1 is connected to the LAN (10.100.100.0/255.255.255.0).

The ASA is configured to NAT (PAT) the LAN.

What the problem is:

I need to configure the ASA to route all traffic to LAN 10.10.0.0/255.255.0.0 through 10.100.100.1.

I configured a static route on the device:

route inside 10.10.0.0 255.255.0.0 10.100.100.1 1

The problem is, if I ping 10.10.1.1, which is a valid host, the ASA reports "portmap translation creation failed for icmp source inside dst inside 10.10.1.1".

If I put the gateway 10.100.100.1 on a computer and ping 10.10.1.1, it works.

Thanks

Collin Clark
VIP Alumni

Can you post a sanitized config?

: Saved
:
ASA Version 7.2(3)
!
hostname ASA
domain-name car.ro
enable password xxxxxxx encrypted
names
name 80.xx.xx.70 AdrsPublica
name 10.100.100.61 ITManager
name 80.xx.xx.65 Router2821
!
interface Ethernet0/0
 nameif WAN1
 security-level 0
 ip address 80.xx.xx.66 255.255.255.224
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.100.100.3 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd xxxxxxxxxxxxxx encrypted
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
dns server-group DefaultDNS
 domain-name car.ro
same-security-traffic permit intra-interface
access-list WAN1_access_in extended permit ip host Router2821 host 80.xx.xx.71 log emergencies
access-list inside_access_in extended permit ip 10.100.100.0 255.255.255.0 any
access-list inside_access_in extended permit ip 10.10.0.0 255.255.0.0 10.100.100.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu WAN1 1500
mtu inside 1500
mtu management 1500
ip verify reverse-path interface WAN1
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat-control
global (WAN1) 101 interface
global (WAN1) 120 80.xx.xx.71 netmask 255.255.255.255
nat (inside) 101 10.100.100.0 255.255.255.0
static (inside,WAN1) udp 80.xx.xx.71 tftp ITManager tftp netmask 255.255.255.255
access-group WAN1_access_in in interface Idilis
access-group inside_access_in in interface inside
route WAN1 0.0.0.0 0.0.0.0 Router2821 1
route inside 10.10.0.0 255.255.0.0 10.100.100.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.100.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 10.100.100.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access management
dhcpd address 192.168.1.2-192.168.1.254 management
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
username alex password xxxxxxxxxxxxxxxxxxxxxxxxx encrypted privilege 15
prompt hostname context
Cryptochecksum:xxx
: end


The problem here is you are attempting to hairpin the traffic on the inside interface. You were right to add the same-security-traffic permit intra-interface command, but you need a little more.

Add:

static (inside,inside) 10.10.0.0 10.10.0.0 netmask 255.255.0.0

global (inside) 101 interface

Adding the global statement with the corresponding nat statement will ensure the reply from the 10.10.0.0 network will be routed back to the inside of the ASA, which will then be routed back to the source 10.100.100.x.
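Pulled together as an added example (not part of the original thread): every line the hairpin depends on, from the posted config plus Collin's two additions, followed by a verification step. The packet-tracer source 10.100.100.61 is the ITManager host named in the config above.

```cisco
! Hairpin 10.100.100.0/24 -> 10.10.0.0/16 via 10.100.100.1, which sits on the
! same segment as the clients, so ingress and egress interface are both "inside"
route inside 10.10.0.0 255.255.0.0 10.100.100.1 1
! Without this, a packet may never leave through the interface it arrived on
same-security-traffic permit intra-interface
! nat-control is on, so every inside->inside flow still needs a translation.
! Sources 10.100.100.x already match nat (inside) 101; with no global for the
! inside interface the ASA logs "portmap translation creation failed".
nat-control
nat (inside) 101 10.100.100.0 255.255.255.0
global (inside) 101 interface
! Identity static for 10.10.0.0/16: flows started from that side toward
! 10.100.100.x also satisfy nat-control, without being translated
static (inside,inside) 10.10.0.0 10.10.0.0 netmask 255.255.0.0
! Existing ACL entries already permit both directions on the inside interface
access-list inside_access_in extended permit ip 10.100.100.0 255.255.255.0 any
access-list inside_access_in extended permit ip 10.10.0.0 255.255.0.0 10.100.100.0 255.255.255.0
! "inspect icmp" in global_policy is what lets the echo reply back through statefully
!
! Verification (exec mode): trace an echo request from ITManager to 10.10.1.1,
! then confirm the translation was built on the inside interface
packet-tracer input inside icmp 10.100.100.61 8 0 10.10.1.1
show xlate
```

With this PAT the 10.10.0.0 side sees every hairpinned flow sourced from the ASA's inside address 10.100.100.3, so logs on that side lose the original client address; `show xlate` on the ASA is where the client-to-port mapping lives while the connection is open.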

done work

Thanks

Does that mean it worked or it did not work? I hope it did.

It worked.

Thank you very much.

But I have another question.

I have 2 ISPs.

I want to configure int 0/3 with an IP address from the second provider. The allocated IP address is 82.76.xx.xx/255.255.255.0. The DNS from this provider is 193.231.236.xx. I want to configure the ASA to NAT all requests that go to the DNS (193.231......) through 82.76.xx.xx.

Is it possible?

Thank you
