09-08-2011 08:44 AM - edited 03-11-2019 02:22 PM
Hi,
We want to use an ASA as a pure routing device.
Our network has several internal subnets (10.1.x.0/24), and we want to be able to reach them from outside and to allow access between them.
We have defined a VLAN for each subnet range with the same security-level, added it to an Ethernet port, made the Ethernet port that acts as outside a trunk, and defined it as the global routing.
We cannot ping any of the subnet IPs defined in the ASA from outside, nor can we ping them from the internal IP addresses.
Any hint?
Thanks!
Configuration:
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.254.100 255.255.255.0
!
interface Vlan3
nameif fujairah
security-level 0
ip address 10.1.12.254 255.255.255.0
!
interface Vlan4
nameif uaq
security-level 0
ip address 10.1.13.254 255.255.255.0
!
interface Vlan10
no nameif
no security-level
no ip address
!
interface Ethernet0/0
switchport access vlan 2
switchport mode trunk
!
interface Ethernet0/1
switchport access vlan 3
!
interface Ethernet0/2
switchport access vlan 4
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
same-security-traffic permit inter-interface
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu fujairah 1500
mtu uaq 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
!
prompt hostname context
Cryptochecksum:eddbd834c3fc53652e4d56706b1d0915
: end
Thanks!
09-08-2011 10:19 AM
Hi Andreas,
A few things that you might just need to add for it:
nat (outside) 2 0.0.0.0 0.0.0.0
global (fujairah) 2 interface
static (fujairah,outside) 10.1.x.0 10.1.x.0
access-list outside_access permit icmp any any
access-group outside_access in interface fujairah
Similarly, the same config would be required for the uaq interface as well.
Hope this helps.
Thanks,
Varun
09-09-2011 12:16 AM
It worked.
I was messing up with the nat rules.
However, the static (x,outside) 10.1.x.0 10.1.x.0 seems not to be necessary, as the sites see each other fine.
Thanks!
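The nat/global pairing and the inbound access-group from Varun's answer, checked by a small config audit. This is an added Python example, not code from this thread or from Cisco: it assumes the 8.2-style `nat (if) id` / `global (if) id` syntax, works on a constructed excerpt of the pasted config plus the suggested lines (applied to both fujairah and uaq), and reports each named interface's inbound ACL and NAT pairing, flagging any `global` id that has no matching `nat` statement (as `global (outside) 1 interface` does in the original config).

```python
import re

# Constructed excerpt of the ASA 8.2 config pasted in the question (outside,
# fujairah, uaq) and the lines Varun's answer adds, extended to uaq as he says.
ORIGINAL_CFG = """\
interface Vlan2
 nameif outside
 security-level 0
interface Vlan3
 nameif fujairah
 security-level 0
interface Vlan4
 nameif uaq
 security-level 0
same-security-traffic permit inter-interface
global (outside) 1 interface
"""
FIX_LINES = """\
nat (outside) 2 0.0.0.0 0.0.0.0
global (fujairah) 2 interface
global (uaq) 2 interface
access-list outside_access permit icmp any any
access-group outside_access in interface fujairah
access-group outside_access in interface uaq
"""

def audit(cfg):
    """Return (per-interface summary, findings) for an ASA 8.2-style config."""
    levels, cur, nat, glob, acls, groups = {}, None, {}, {}, set(), {}
    for raw in cfg.splitlines():
        s = raw.strip()
        if s.startswith("nameif "):              # nameif binds the current interface
            cur = s.split()[1]; levels[cur] = None
        elif s.startswith("security-level ") and cur:
            levels[cur] = int(s.split()[1])
        elif m := re.match(r"(nat|global) \((\S+)\) (\d+)", s):   # nat/global share an id
            (nat if m[1] == "nat" else glob).setdefault(m[3], set()).add(m[2])
        elif m := re.match(r"access-list (\S+) ", s):
            acls.add(m[1])
        elif m := re.match(r"access-group (\S+) in interface (\S+)", s):
            groups[m[2]] = m[1]
    summary = {n: {"level": lvl, "inbound_acl": groups.get(n),
                   "global_ids": {g for g, e in glob.items() if n in e},
                   "nat_sources": {src for g, e in glob.items() if n in e
                                   for src in nat.get(g, ())}} for n, lvl in levels.items()}
    findings = [f"global id {g} on {sorted(e)} has no matching nat ({g}) statement"
                for g, e in sorted(glob.items()) if g not in nat]   # pool nothing translates into
    findings += [f"access-group on {n} references undefined access-list {a}"
                 for n, a in groups.items() if a not in acls]       # ACL applied but never defined
    return summary, findings
```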
09-09-2011 01:03 AM
Glad it worked
Thanks,
Varun