topic Check below things. in Network Security

ASA Configuration

moussa.malqui1 — Tue, 12 Mar 2019 08:26:49 GMT

Hi all,

my architecture is :

and my ASA config is:

interface GigabitEthernet0
nameif outside
security-level 0
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 10.30.60.1 255.255.255.0
!
interface GigabitEthernet2
nameif dmz
security-level 50
ip address 10.30.61.1 255.255.255.0
!
ftp mode passive
object network inside-subnet
subnet 10.30.60.0 255.255.255.0
object network dmz-subnet
subnet 10.30.61.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network inside-subnet
nat (inside,outside) dynamic interface
object network dmz-subnet
nat (dmz,outside) dynamic interface

but ping is not work from R3 (inside) to R2 (outside)

thanks in advance,

Regards,

Check below things.

Pawan Raut — Tue, 25 Oct 2016 11:12:31 GMT

Check below things.

1) Do you have default route or return route towards ASA on both router?

2) Do you have command "same-security-traffic permit inter-interface" in ASA config if not you have to add that.

Kindly rate for useful post

Tahnks Pawan for your reply,

moussa.malqui1 — Wed, 26 Oct 2016 08:41:09 GMT

Tahnks Pawan for your reply,

How i can adjust default route?

Regards,

give me the output sh ip

Pawan Raut — Wed, 26 Oct 2016 08:50:14 GMT

give me the output sh ip route from both router

Default route :

MANI .P — Thu, 27 Oct 2016 06:47:32 GMT

Default route :

do check the route below on ASA

#route outside 0 0 192.168.2.2

also do check the global service policy inspection

#policy-map global_policy

#inspect icmp

R3#sh ip routeCodes: C -

moussa.malqui1 — Wed, 02 Nov 2016 10:05:27 GMT

R3#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C 10.30.60.0 is directly connected, FastEthernet0/0

R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C 192.168.2.0/24 is directly connected, FastEthernet0/0

Thanks Pawan,

Ragards,

You do not have route to

Pawan Raut — Wed, 02 Nov 2016 10:11:11 GMT

You do not have route to reach each other please add below route.

on R1

ip route 192.168.2.0 2 255.255.255.0 10.30.60.1

and on R2

ip route 10.30.60.0 255.255.255.0 192.168.2.1

I tried that but don't

moussa.malqui1 — Wed, 02 Nov 2016 10:26:48 GMT

I tried that but don't working

R3#ping 192.168.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

can you give me a basic

moussa.malqui1 — Wed, 02 Nov 2016 10:55:03 GMT

can you give me a basic firewall configuration?

Thanks Pawan,

Regards,

Do you have command "same

Pawan Raut — Wed, 02 Nov 2016 11:07:10 GMT

Do you have command "same-security-traffic permit inter-interface" in ASA config if not you have to add that