Different LANs cannot connect

shawnsherwood
Level 1

I am trying to connect two LANs together, 172.16.2.x and 172.16.1.x. I am able to ping from the ASA, but not from a workstation.

I am new to Cisco products so any help is greatly appreciated.

: Saved
:
ASA Version 8.2(5)
!
hostname sanfranciscoasa
enable password Ks2g1WIl1DTTvO3g encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 172.16.2.2 Adtran
name 172.16.1.0 Cranbury
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.172.20 255.255.255.0
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 8.8.4.4
same-security-traffic permit intra-interface
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,inside) Cranbury 172.16.2.0 netmask 255.255.255.0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.172.1 1
route inside Cranbury 255.255.255.0 Adtran 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 172.16.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 subject-name CN=sanfranciscoasa
 crl configure
crypto isakmp enable inside
crypto isakmp policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 172.16.2.0 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 172.16.2.50-172.16.2.59 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username ssherwood password JkjHliTRLXMXtcz8 encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:4d6af11c0eaa87ca4977c07fc7b535a3
: end

6 Replies

Amit Singh
Cisco Employee

Hi Shawn,

Please could you paste the topology diagram? Where does 172.16.1.0 reside?

A brief topology would help.

Cheers,

-amit singh

Amit,

I don't have a diagram, but I'll explain the best I can.

SF 172.16.2.0

Cisco ASA 172.16.2.1
Port 0 goes to internet

Port 2 goes to Adtran T1 172.16.2.2

Cranbury 172.16.1.0

Cisco ASA 172.16.1.1

Port 0 goes to internet

Port 2 goes to Adtran T1 172.16.1.2

So currently I can ping/trace route directly from SF ASA to Cranbury ASA, but am unable to ping via a workstation.

Hope that answers your question.

Port 2 goes to Adtran T1 172.16.2.2

Port 2 goes to Adtran T1 172.16.1.2

In the above config, both sides of the T1 need to be in the same subnet. Yours are in two different subnets. Is this a typo?

Port 2 goes to Adtran T1 172.16.2.1/30

Port 2 goes to Adtran T1 172.16.2.2/30

HTH

AT&T had me set both of the Adtrans to match the local network at each location.

SF

Adtran ethernet side 172.16.2.2

Adtran BGP PPP side 172.16.2.0

Cranbury

Adtran ethernet side 172.16.1.2

Adtran BGP PPP side 172.16.1.0

JulietCharlie
Level 1

And what about routing? Is it correctly configured?

Can you provide me the output of:

sho ip route

sho ip bgp sum

if there is not 50 pages output :)).

Is it working now?

If I use the Adtran as the default gateway I can ping to the other T1 and ASA. I'm not at the site anymore, but when I get a chance I'll send the requested info.

Thanks
