New Member

Newbie Static Routing Issue

Hello all,

Having no previous Cisco experience, I'm really struggling to get to grips with what should be a very simple static route configuration on an ASA 5505.

Basically, I'm using the ASA5505 as my default gateway, however I have another router (Speedtouch 608WL) which serves a site to site VPN to another office. I've configured a static route point as per the attachment however, I cannot access resources on the remote network. Is there something really simple that I'm missing? Please accept my apologies for my lack of basic understanding on how these devices work, I've been thrown in the deep end big time on this one. Any help you could provide, even if it's pointing me in the direction of some tutorials or other resources would be greatly appreciated.

Many Thanks

ScreenShot.png

7 REPLIES
Cisco Employee

Newbie Static Routing Issue

Josh,

There are a few things you might want to check.

1) Is the next hop 192.168.11.253 the IP of the router and is it reachable from the ASA?

2) On the router, is the VPN up in the first place?

It would be nice to have a topology diagram. Can you provide one?

Regards

Anand

New Member

Newbie Static Routing Issue

Many thanks for your response.

Yes, 192.168.11.253 is the IP address of the router servicing the IPSec VPN to the 192.168.14.0 network. Another identical Speedtouch is at the other end. If I change my default gateway address to 192.168.11.253 I can access all the resources on the 192.168.14.0 network - which leads me to believe VPN is operational.

If I ping 192.168.11.253 from the ASA I get the following response:

However, if I try to ping the router at the other end of the gateway (192.168.14.253) from the ASDM I get the following response:

Please find a very crude network diagram overview diagram below:

Many Thanks for your help thus far. Please let me know if you need any further information.

New Member

Newbie Static Routing Issue

Forgot to say, the double arrow denotes an IPSec VPN between sites. Thanks again.

Purple

Newbie Static Routing Issue

Hi,

The static route you entered is wrong because the 192.168.14.0 network is not on the inside interface but the outside one.

Where is the inside network communicating through VPN located? Which device is doing NAT?

Can you post config of ASA and router?

Regards.

Alain

Don't forget to rate helpful posts.
New Member

Newbie Static Routing Issue

Thanks Alain.

I might not have a full understanding, and could be wrong, but I was sure it was on the Inside interface, as it's connected via a switch on port 2 (which is configured as Inside). Am I wrong?

Unfortunately I cannot post the full config for the Speedtouch as it's managed by a third party. I could get the config sent over, however, it could take a couple of days. Though RE said router, as soon as I make the Speedtouch my Default gateway I can access all the necessary resources. In my understanding (and appreciate I could be wrong) doesn't that point to it performing its role correctly?

Thanks again for your help. Please find the config for the ASA below:

Result of the command: "show running-config"

: Saved
:
ASA Version 8.3(1)
!
hostname ciscoasa
enable password uHrzqROQ0KCd5V0G encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.11.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.11.23
 name-server 192.168.11.28
dns server-group OpenDns
 name-server 208.67.222.222
 name-server 208.67.220.220
dns-group OpenDns
object network obj_any
 subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
!
object network obj_any
 nat (inside,outside) dynamic interface
route inside 192.168.14.0 255.255.255.0 192.168.11.253 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.11.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
!
dhcpd address 192.168.11.5-192.168.11.253 inside
!
threat-detection basic-threat
threat-detection statistics host number-of-rate 3
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b424fd365a8f219b0e2803af7e12dac1
: end
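The question debated in this thread (which interface the route's next hop actually sits on) can be checked mechanically from the posted configuration. The following is an added example, not part of the original post or any Cisco tool: a small Python audit over a constructed excerpt of the config above, where the names `parse` and `audit_routes` are hypothetical.

```python
import ipaddress

# Constructed excerpt: only the lines of the posted running-config that the check reads.
CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.11.254 255.255.255.0
interface Vlan2
 nameif outside
 ip address dhcp setroute
route inside 192.168.14.0 255.255.255.0 192.168.11.253 1
dhcpd address 192.168.11.5-192.168.11.253 inside
"""

def parse(config):
    """Collect static interface subnets, static routes and dhcpd pools, keyed by nameif."""
    subnets, routes, pools, nameif = {}, [], {}, None
    for tok in (line.split() for line in config.splitlines()):
        if not tok:
            continue
        if tok[0] == "interface":
            nameif = None                      # new interface block, name not seen yet
        elif tok[0] == "nameif":
            nameif = tok[1]
        elif tok[:2] == ["ip", "address"] and nameif and tok[2][0].isdigit():
            # "ip address dhcp setroute" has no static subnet and is skipped
            subnets[nameif] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}").network
        elif tok[0] == "route":                # route <nameif> <dest> <mask> <next hop> [metric]
            dest = ipaddress.ip_network(f"{tok[2]}/{tok[3]}")
            routes.append((tok[1], dest, ipaddress.ip_address(tok[4])))
        elif tok[:2] == ["dhcpd", "address"]:  # dhcpd address <first>-<last> <nameif>
            first, last = (ipaddress.ip_address(a) for a in tok[2].split("-"))
            pools[tok[3]] = (first, last)
    return subnets, routes, pools

def audit_routes(config):
    """For each static route, report whether its next hop is on-link and inside a dhcpd pool."""
    subnets, routes, pools = parse(config)
    report = []
    for ifname, dest, hop in routes:
        net, pool = subnets.get(ifname), pools.get(ifname)
        report.append({
            "interface": ifname, "dest": str(dest), "next_hop": str(hop),
            "on_link": net is not None and hop in net,
            "in_dhcp_pool": pool is not None and pool[0] <= hop <= pool[1],
        })
    return report

if __name__ == "__main__":
    for row in audit_routes(CONFIG):
        print(row)
```

For the posted config the next hop 192.168.11.253 is on-link for the inside interface, and the same address is also the last address of the inside dhcpd pool.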

Purple

Newbie Static Routing Issue

Hi,

I might not have a full understanding, and could be wrong, but I was sure it was on the Inside interface, as it's connected via a switch on port 2 (which is configured as Inside). Am I wrong?

Looking at your config you are not wrong indeed but why did you connect the inside interface of the ASA to the router?

This should be connected through outside to the router as the router is connected to the outside world otherwise what is the use of the firewall?

What is connected to outside then? As I see you receive an IP address on outside from a DHCP server along with a default route? Where are the other devices connected to?

Regards.

Alain

Don't forget to rate helpful posts.
New Member

Newbie Static Routing Issue

Thanks for getting back to me. The DHCP address assigned to the outside interface is from the ISP. The ASA is connected directly to a cable modem.

The speedtouch connecting the 192.168.11.0 network to the 192.168.14.0 network is in a different building (where the cable modem comes in) that can only be accessed via the local network/inside interface (fibre connect buildings and my switches will not VLAN). Maybe I haven't given the best description of what I'm trying to achieve.

I'd like for all traffic sent to 192.168.11.254 (the ASA) sent to the 192.168.14.0 network to be routed through the Speedtouch's (192.168.11.253) existing VPN connection. This VPN is definitely working and I can create static routes to this network from other devices (a Draytek router). However, I cannot get ASA to communicate with it.

Is there a different way I should be setting the static route up?

Hope that makes sense. Please let me know if you need any further information.

Many Thanks.
