Solved: ASA 5505 multiple subnets

andreascalvo · ‎09-08-2011

Hi,

We want to use an ASA as a pure routing device.

Our network has several internal subnets (10.1.x.0/24), and we want to be able to reach them from outside and to allow access between them.

We have a defined a VLAN for each subnet range with the same security-level, added it to an Ethernet port and made the Ethernet that acts as outside as a trunk, and defined it as the global routing.

We cannot ping any of the subnet IPs defined in the ASA from outside nor we can ping it from the internal IP addresses.

Any hint?

Thanks!

Configuration:

: Saved

:

ASA Version 8.2(1)

!

hostname ciscoasa

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 192.168.254.100 255.255.255.0

!

interface Vlan3

nameif fujairah

security-level 0

ip address 10.1.12.254 255.255.255.0

!

interface Vlan4

nameif uaq

security-level 0

ip address 10.1.13.254 255.255.255.0

!

interface Vlan10

no nameif

no security-level

no ip address

!

interface Ethernet0/0

switchport access vlan 2

switchport mode trunk

!

interface Ethernet0/1

switchport access vlan 3

!

interface Ethernet0/2

switchport access vlan 4

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

same-security-traffic permit inter-interface

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu fujairah 1500

mtu uaq 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

!

prompt hostname context

Cryptochecksum:eddbd834c3fc53652e4d56706b1d0915

: end

Thanks!

varrao · ‎09-08-2011

Hi Andreas,

A few things that you might just need to add for it:

nat (outside) 2 0.0.0.0 0.0.0.0

global (fujairah) 2 interface

static (fujairah,outside) 10.1.x.0 10.1.x.0

access-list outside_access permit icmp any any

access-group outside_access in interface fujairah

Simialry the same config would be required for the uaq interface as well.

Hope this helps.

Thanks,

Varun

Thanks,
Varun Rao

View solution in original post

varrao · ‎09-08-2011

Hi Andreas,

A few things that you might just need to add for it:

nat (outside) 2 0.0.0.0 0.0.0.0

global (fujairah) 2 interface

static (fujairah,outside) 10.1.x.0 10.1.x.0

access-list outside_access permit icmp any any

access-group outside_access in interface fujairah

Simialry the same config would be required for the uaq interface as well.

Hope this helps.

Thanks,

Varun

Thanks,
Varun Rao

andreascalvo · ‎09-09-2011

It worked.

I was messing up with the nat rules.

However, the static (x,outside) 10.1.x.0 10.1.x.0 seems to not be necessary, as the sites see each other fine.

Thanks!

varrao · ‎09-09-2011

Glad it worked

Thanks,

Varun

Thanks,
Varun Rao