topic ASA 5510 Inside Routing in Network Security

ASA 5510 Inside Routing

Imran Ahmad — Mon, 11 Mar 2019 23:33:19 GMT

Hello Guys,

I have 3-VLANs on my cisco switch:

VLAN1- 192.168.2.2

VLAN2- 192.168.10.2

VLAN3- 192.168.11.2

i hv conected my switch --to-- ASA5510 inside int which is in vlan1 . my asa inside int ip is : 192.168.2.1 . so now i want know how to route traffic distined to VLAN2 & 3 on the asa?

Previosly i had Pix-firewall and i had these normal inside routing configured,

route inside 192.168.10.0 255.255.255.0 192.168.2.1 1

route inside 192.168.11.0 255.255.255.0 192.168.2.1 1

But on asa 5510 i can not do it like this, while doing this it gives an eorror mesage saying that you can not route to 192.168.2.1 inside int .

plz share ur idea

ASA 5510 Inside Routing

Jennifer Halim — Sun, 22 Jul 2012 15:54:32 GMT

It should be as follows:

route inside 192.168.10.0 255.255.255.0 192.168.2.2 1

route inside 192.168.11.0 255.255.255.0 192.168.2.2 1

You should route it to your switch ip address as you can't route it to the ASA interface itself.

ASA 5510 Inside Routing

Imran Ahmad — Sun, 22 Jul 2012 16:09:03 GMT

I did this but i dont know for some reason it hads slowed down all my VLAN1 (192.168.2.0) network. the network speed had goten slow and while i wanted to access any server from within vlan-1 some times i was able to access and some times i could not access them even though there was ping reply but i could not access share-folders and remote session . im not 100% sure that the slow speed was due to the routing, but i could not find anyother reason except the routing. because as i connected my old pix-firewall back to the network, then my vlan-1 net speed was normal back

Re: ASA 5510 Inside Routing

Ramraj Sivagnanam Sivajanam — Sun, 22 Jul 2012 17:28:36 GMT

Hi Bro

The advice provided by Jennier Halim is correct. I would have adviced the same thing too. Could you paste your latest show running-config here, so that everyone here can advise you further?

P/S: Paste the Cisco PIX config as well, so that we can see the config difference

Re: ASA 5510 Inside Routing

mvsheik123 — Sun, 22 Jul 2012 19:44:28 GMT

Hi Imran,

Proceed as Jennifer suggested. Once you change replce PIX with ASA, try 'clear arp' on switch or reboot the SW. That should fix the slowness issue (as long as rest of the config and physical infrastructure is good).

hth

ASA 5510 Inside Routing

Imran Ahmad — Thu, 26 Jul 2012 08:57:31 GMT

Dear all, Bellow is my ASA5510 configuration output. please see what is wrong ??? i restarted everything the switch, the asa, clear arp..... but no result. when i connect the asa into my network, it automatically slows down the vlan-1 only. other vlans can access vlan-1 normaly. but a host from VLAN-1 can not access other host inside of VLAN-1. after many reties then they can access. plz see what is wrong

interface Ethernet0/0
nameif outside
security-level 0
ip address 202.86.17.246 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/1.4
vlan 4
nameif WIRELESS
security-level 94
ip address 192.168.101.1 255.255.255.0
!
interface Ethernet0/1.6
vlan 6
nameif GUEST
security-level 90
ip address 192.168.110.1 255.255.255.224
!

same-security-traffic permit intra-interface

object network NAT0
subnet 192.168.0.0 255.255.128.0
object network NAT0.1
subnet 192.168.2.0 255.255.255.0
object network NAT0.2
subnet 192.168.100.0 255.255.255.0

object network inside_any
subnet 0.0.0.0 0.0.0.0
object network guest_any
subnet 0.0.0.0 0.0.0.0
object network WIRELESS_any
subnet 0.0.0.0 0.0.0.0

mtu outside 1500
mtu inside 1500
mtu WIRELESS 1500
mtu GUEST 1500
mtu MPAISA-DMZ 1500

nat (inside,any) source static NAT0.1 NAT0.1 destination static NAT0 NAT0
nat (inside,any) source static NAT0.2 NAT0.2 destination static NAT0 NAT0

!
object network inside_any
nat (inside,outside) dynamic interface
object network guest_any
nat (GUEST,outside) dynamic interface
object network WIRELESS_any
nat (WIRELESS,outside) dynamic interface

route outside 0.0.0.0 0.0.0.0 202.86.17.245 1
route inside 192.168.100.0 255.255.255.0 192.168.2.250 1
route inside 192.168.101.192 255.255.255.240 192.168.2.250 1
route inside 192.168.102.0 255.255.255.224 192.168.2.250 1

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
inspect http
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:675eee6acc783964e9f064bc9158d5a0
: end

HQASA#

ASA 5510 Inside Routing

Imran Ahmad — Thu, 26 Jul 2012 09:43:33 GMT

plz dont get confused. on my prevois post i was using old ips with my vlans, but on last one which i hav attached my asa config, i have changed the vlans-ip-address

ASA 5510 Inside Routing

nkarthikeyan — Thu, 26 Jul 2012 14:16:18 GMT

Hi Imran,

Still i do see you inetrafce configurations and other configuration seems improper.

bject network NAT0

subnet 192.168.0.0 255.255.128.0

object network NAT0.1

subnet 192.168.2.0 255.255.255.0

object network NAT0.2

subnet 192.168.100.0 255.255.255.0

nat (inside,any) source static NAT0.1 NAT0.1 destination static NAT0 NAT0

nat (inside,any) source static NAT0.2 NAT0.2 destination static NAT0 NAT0

Can u pls explain what you are trying with the above statement.

Please do rate for the helpful posts.

Karthik

ASA 5510 Inside Routing

Ramraj Sivagnanam Sivajanam — Fri, 27 Jul 2012 02:06:20 GMT

Hi Bro

Could you issue the command show threa-detection shun, and see if you have any IP Address 192.168.2.XXX being listed?

Perhaps, this could be a host issue, not VLAN-1.