topic ASA Routing problems? in Network Security

ASA Routing problems?

vlatko.runchev — Mon, 11 Mar 2019 23:48:47 GMT

Hi there,

i have a problem with Routing on ASA 5505.

Here is a brief explanation of the topology:

DC Upstream IP: 77.246.165.141/30

ASA 5505 Upstream to DC IP: 77.246.165.142/30

Interface outside.

There is a Cisco Switch connected to one of ASA Ethernet ports, forming Public/DMZ VLAN.

ASA 5505 Public VLAN interface ip: 31.24.36.1/26

Cisco 3750 Public VLAN interface ip: 31.24.36.62, default gateway: 31.24.36.1, IP Routing enabled on Switch.

From the Cisco Switch I can access the Internet with source ip: 31.24.36.62.

Now I have asked from DC additional subnet: 31.24.36.192/26 and they have it routed correctly towards the ASA Outside interface ip: 77.246.165.142.

I have created additional Public2 VLAN on the Switch with IP address of: 31.24.36.193/26.

On the ASA 5505 i added the route to this Public2 VLAN:

#route public 31.24.36.192 255.255.255.192 31.24.36.62 1

Now the problem is that from the Switch with Source IP: 31.24.36.193 i can ping ASA 5505 Public VLAN IP: 31.24.36.1 so the routing between subnets 31.24.36.0/26 and 31.24.36.192/26 is working OK on both the ASA 5505 and the Switch.

But I can't access the Internet from the Switch with Source IP: 31.24.36.193.

ASA Routing problems?

mvsheik123 — Sun, 02 Sep 2012 13:42:59 GMT

Hi.

Any NAT/PAT related config missed on ASA for the new Subnet?

Post the sanitized configs from ASA & Switch.

Thx

ASA Routing problems?

Julio Carvajal — Sun, 02 Sep 2012 19:11:11 GMT

Hello Vladimir,

What version are you running, I do not think you have any NAT as you are already playing with a public range.

Do you have any ACL applied to the public interface on the ASA?

Can you place here the Configuration from both devices?

Regards,

Julio

Re: ASA Routing problems?

vlatko.runchev — Fri, 07 Sep 2012 08:43:31 GMT

Thanks for the replies.

I am running:

Cisco Adaptive Security Appliance Software Version 8.2(2)

As for NAT configuration, there is NAT configured between the Outside Interface IP and the Internal Subnet:

global (outside) 1 interface

nat (inside) 1 192.168.X.0 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0

also there is NAT exemption configured because of the Site-to-Site IPSec VPN that we have:

nat (inside) 0 access-list inside_nat0_outbound1

access-list inside_nat0_outbound1 extended permit ip any 192.168.X.0 255.255.255.0

access-list inside_nat0_outbound1 extended permit ip 192.168.X.0 255.255.255.0 OtherSiteLAN 255.255.255.0

access-list inside_nat0_outbound1 extended permit ip any 192.168.X.240 255.255.255.248

access-list inside_nat0_outbound1 extended permit ip 192.168.X.0 255.255.255.128 OtherSiteLAN 255.255.255.0

I don't have any ACL configured on the Public interface in any direction.

Here is the configuration on the Switch regarding this scenario:

interface FastEthernet2/0/X

description Access Port for Public Subnet(31.24.32.0/26) to ASA

switchport access vlan 500

switchport mode access

interface Vlan500

description Public VLAN 1

ip address 31.24.36.62 255.255.255.192

interface Vlan510

description Public VLAN 2

ip address 31.24.36.193 255.255.255.192

ip route 0.0.0.0 0.0.0.0 31.24.36.1

Here is the output when pinging the ASA Public Interface IP with source IP address of: 31.24.36.193(VLAN 510)

SWITCH#ping 31.24.36.1 source vlan 510

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 31.24.36.1, timeout is 2 seconds:

Packet sent with a source address of 31.24.36.193

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms

And here is when I try to ping some Internet host:

SWITCH#ping 8.8.8.8 source vlan 510

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:

Packet sent with a source address of 31.24.36.193

.....

Success rate is 0 percent (0/5)

Re: ASA Routing problems?

Julio Carvajal — Fri, 07 Sep 2012 16:12:14 GMT

Hello Vladimir,

Can you add the following command.

fixup protocol icmp and provide us the result

If this does not work I would like to check the entire config of both devices

rate all the answers, that is more important for us that a thanks

Julio

Re: ASA Routing problems?

vlatko.runchev — Wed, 21 Nov 2012 12:39:28 GMT

Hello,

sorry for the late response...

The command:

fixup protocol icmp also didn't solved the problem.

Can this have anything related to the Base licence, that this device is having and it's 3 VLAN limitation?

I have configured:

interface Vlan500

no forward interface Vlan1 <--Private VLAN