ASA 5510: Users unable to access internet through firewall

mansoorms (Level 1)

Hi,

I have a problem with the ASA 5510 ver 7.0(6). My manager wants to keep this as a backup. I have tried lots of things, but users are still not able to access the internet, nor can I ping anywhere. For example, when I ping 4.2.2.2 I don't get any reply. The running config is below for your reference:

HQ-ASA-01# show running-config
: Saved
:
ASA Version 7.0(6)
!
hostname HQ-ASA-01
domain-name srca.org.sa
enable password vGomFiNOfnKitujV encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.128
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.20.5 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 description For Mangement & ASDM Access
 nameif MANAGEMENT
 security-level 100
 ip address 192.168.0.7 255.255.255.0
 management-only
!
passwd GfJ0zeWqpgFx7jXA encrypted
banner exec Welcome to
banner exec Please disconnect the session immediately, If you not authorize.
banner login                    !!!!!!    WARNING    !!!!!!
banner login #######################################################################
banner login ACCESS TO THIS SYSTEM IS STRICTLY RESTRICTED TO AUTHORIZED PERSON ONLY
banner login UNAUTHORIZED PERSON ARE NOT ALLOWED TO ACCESS THIS SYSTEM.THIS SYSTEM
banner login                       IS MONITORED & LOGED.
banner login #######################################################################
ftp mode passive
clock timezone AST 3
access-list OUTSIDE_IN_ACL extended permit icmp any any echo-reply
access-list OUTSIDE_IN_ACL extended permit icmp any any time-exceeded
access-list OUTSIDE_IN_ACL extended permit icmp any any echo
access-list OUTSIDE_IN_ACL extended permit tcp any any eq www
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu MANAGEMENT 1500
icmp permit any outside
icmp permit any inside
icmp permit any MANAGEMENT
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 x.x.x.x-x.x.x.x netmask 255.255.255.128
nat (inside) 1 10.1.20.0 255.255.255.0
static (inside,outside) tcp x.x.x.x www 10.1.20.7 8080 netmask 255.255.255.255
static (inside,outside) x.x.x.x 192.168.0.244 netmask 255.255.255.255
static (inside,outside) x.x.x.x 192.168.0.71 netmask 255.255.255.255
access-group OUTSIDE_IN_ACL in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username cisco password ZjE9y3gyrnCUpp24 encrypted privilege 15
aaa authentication http console LOCAL
http server enable
http 192.168.0.83 255.255.255.255 inside
http 192.168.0.244 255.255.255.255 inside
http 192.168.0.71 255.255.255.255 inside
http 192.168.0.83 255.255.255.255 MANAGEMENT
http 192.168.0.244 255.255.255.255 MANAGEMENT
http 192.168.0.71 255.255.255.255 MANAGEMENT
snmp-server location Head Quarter
snmp-server contact xxxxxxxxx
snmp-server community xxxxxxxx
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.0.101 255.255.255.255 inside
telnet 192.168.0.71 255.255.255.255 inside
telnet 192.168.0.72 255.255.255.255 inside
telnet 192.168.0.101 255.255.255.255 MANAGEMENT
telnet 192.168.0.71 255.255.255.255 MANAGEMENT
telnet 192.168.0.72 255.255.255.255 MANAGEMENT
telnet 192.168.0.7 255.255.255.255 MANAGEMENT
telnet timeout 30
ssh 192.168.0.0 255.255.255.0 MANAGEMENT
ssh timeout 5
console timeout 0
management-access MANAGEMENT
!
class-map New_inspection
class-map inspection_daefault
class-map inspection_default
!
ntp server 10.1.20.101 source inside
Cryptochecksum:dce8e214347881c43cf85fa8c7ea6cd5
: end
HQ-ASA-01#

I have two different networks in my LAN: 10.1.0.0 & 192.168.0.0.

Kindly help me out.


9 Replies

Jouni Forss (VIP Alumni)

Hi,

  • You don't have any route on the ASA for the network 10.1.0.0 (what mask?)
  • If the network 192.168.0.0 (what mask?) means the "MANAGEMENT" interface, then that interface can't pass traffic at the moment as it has the "management-only" configuration. It will only permit management connections to the ASA, not any traffic through the actual ASA.
  • You have 192.168.0.0/24 network configurations for both the "inside" and "MANAGEMENT" interfaces. The network 192.168.0.0/24 cannot be found behind the ASA as it's already a connected network on the MANAGEMENT interface.
  • You don't have a NAT configuration for either of the mentioned networks
    • nat (inside) 1 10.1.0.0
    • nat (MANAGEMENT) 1 192.168.0.0 (provided you remove the "management-only" configuration)
  • You seem to have removed the default inspection policy completely

The default setting is usually the following:

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global

- Jouni

Hi Jouni,

Thanks for your quick response. I really appreciate it.

I have added the following default settings:

class-map New_inspection
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
ntp server 10.1.20.101
Cryptochecksum:d5b05c72d3bd4847c00227f45ac775c5
: end
HQ-ASA-01#

Jouni, I have multiple subnets in my buildings which are connected to the Core switch, which in turn is connected to the ASA. Do you want me to remove the management-only from the 192.168.0.0 network or add a separate subnet for it?

Regarding the route, I have only one default route for outside. Do I have to specify one for the internal networks as well?

I have configured some NAT; kindly check:

nat-control
global (outside) 10 interface
nat (inside1) 10 access-list TRAFFIC-OUT
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside1 10.1.0.0 255.255.0.0 192.168.0.136 1

Please suggest to me what else to do.


Hi,

It's a bit hard to say anything for certain as I don't have the whole picture.

You posted configurations that refer to an interface "inside1" which isn't mentioned in the first configuration, so I have no idea how the configuration looks at the moment.

For that matter, I have no idea about the local switch configurations either.

- Jouni

Hi Jouni,

Sorry for being late. Actually, I was busy with something else. Still the same problem; however, I've made some changes to the config as below:

ASA 5510-7.0(6)
!
hostname HQ-ASA-01
domain-name ABCD
enable password vGomFiNOfnKitujV encrypted
names
no dns-guard
!
interface Ethernet0/0
 description ****Untrusted_Outside****
 nameif outside
 security-level 0
 ip address xxx.xxx.167.130 255.255.255.128
 ospf authentication null
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 description ****Trusted_LAN_Network*****
 nameif inside
 security-level 100
 ip address 10.1.16.75 255.255.255.0
 ospf authentication null
!
interface Management0/0
 description For Mangement & ASDM Access
 nameif MANAGEMENT
 security-level 100
 ip address 192.168.0.7 255.255.255.0
 management-only
!
passwd GfJ0zeWqpgFx7jXA encrypted
banner exec Welcome to  Authority
banner exec Please disconnect the session immediately, If you not authorize.
banner login                    !!!!!!    WARNING    !!!!!!
banner login #######################################################################
banner login ACCESS TO THIS SYSTEM IS STRICTLY RESTRICTED TO AUTHORIZED PERSON ONLY
banner login UNAUTHORIZED PERSON ARE NOT ALLOWED TO ACCESS THIS SYSTEM.THIS SYSTEM
banner login                       IS MONITORED & LOGED.
banner login #######################################################################
boot system disk0:/asa706-k8.bin
ftp mode passive
clock timezone AST 3
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list TRAFFIC_OUT extended permit ip any any
access-list outside_acess_in extended permit tcp any any
access-list outside_acess_in extended permit tcp any any eq https
access-list outside_acess_in extended permit tcp any any eq www
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu MANAGEMENT 1500
icmp permit any outside
icmp permit any MANAGEMENT
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 20 xxx.xxx.167.140-82.118.167.254 netmask 255.255.255.128
nat (inside) 20 access-list TRAFFIC_OUT
route outside 0.0.0.0 0.0.0.0 82.118.167.129 1
route inside 10.1.0.0 255.255.0.0 192.168.0.136 1
!
router ospf 1
 network 10.1.0.0 255.255.0.0 area 0
 log-adj-changes
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username admin password 77hMTjqs7QBrE4nZ encrypted privilege 15
username cisco password USOq9S238LRjFqK0 encrypted privilege 15
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.0.83 255.255.255.255 MANAGEMENT
http 192.168.0.244 255.255.255.255 MANAGEMENT
http 192.168.0.71 255.255.255.255 MANAGEMENT
http 192.168.0.7 255.255.255.255 MANAGEMENT
http 192.168.0.0 255.255.255.0 MANAGEMENT
snmp-server location Head Quarter
snmp-server contact
snmp-server community $$$$$$$$$$
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 inside
telnet 192.168.0.101 255.255.255.255 MANAGEMENT
telnet 192.168.0.71 255.255.255.255 MANAGEMENT
telnet 192.168.0.72 255.255.255.255 MANAGEMENT
telnet 192.168.0.7 255.255.255.255 MANAGEMENT
telnet 192.168.0.83 255.255.255.255 MANAGEMENT
telnet timeout 30
ssh 192.168.0.0 255.255.255.0 MANAGEMENT
ssh timeout 5
console timeout 0
management-access MANAGEMENT
!
class-map ABCD_inspection
class-map inspection_daefault
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
ntp server 10.1.20.101
Cryptochecksum:57babc115fccbbc0cc59adfc7121112f
: end
HQ-ASA-01#

My e0/2 is attached to the Core switch, from where my 10.1.0.0 network is coming. I have eight floors, all defined in different VLANs. Each floor's switch (Nortel) is connected to the Core switch (4507R-E). All the users who are in these VLANs are not able to access the internet through this ASA 5510. If you need anything else, please tell me.

Kindly help/suggest how to solve this.

Hi,

Regarding the NAT:

You don't need a Policy NAT configuration.

A typical NAT configuration in your case would be

global (outside) 20 xxx.xxx.167.140-82.118.167.254 netmask 255.255.255.128
nat (inside) 20 10.1.0.0 255.255.0.0

And the routing still doesn't seem correct to me:

route inside 10.1.0.0 255.255.0.0 192.168.0.136 1

You are configuring that network 10.1.0.0/16 is found through the "inside" interface. The gateway IP address is, however, incorrect. It can't point to an IP address that is not part of the network of the "inside" interface.

If you have a network 10.1.16.0/24 between the core switch and the ASA, then the ASA "inside" routes should be pointing towards the IP address on network 10.1.16.0/16 that is configured on the core switch. Naturally, the core switch should have some route towards the "inside" interface IP address of 10.1.16.75 for traffic to flow to the ASA.

- Jouni

Hi Jouni,

I'm a little bit confused on this. The requirement is that all the users on different floors must access the internet through the firewall.

When I see the config of the Core switch there are different VLANs for each floor and they are connected to the Core switch. All the VLANs are defined in the Core switch. But I'm unable to get any of those networks onto my ASA. Here is the config for the Core switch:

Current configuration : 18527 bytes
!
hostname HQ_Prim_Core_Swt
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$xj2Z$TmV9chRtQWCuXYMsCtBVW/
enable password 7 13521317135C0729
!
username admin password 7 011202095205465E74
username srca password 7 120D09121C0E1F417F7D1A7D65
no aaa new-model
ip subnet-zero
ip dhcp excluded-address 10.1.10.1 10.1.10.20
ip dhcp excluded-address 10.1.11.1 10.1.11.20
ip dhcp excluded-address 10.1.12.1 10.1.12.20
ip dhcp excluded-address 10.1.13.1 10.1.13.20
ip dhcp excluded-address 10.1.14.1 10.1.14.20
ip dhcp excluded-address 10.1.15.1 10.1.15.20
ip dhcp excluded-address 10.1.16.1 10.1.16.20
ip dhcp excluded-address 10.1.17.1 10.1.17.20
ip dhcp excluded-address 10.1.18.1 10.1.18.20
ip dhcp excluded-address 10.1.11.241 10.1.11.254
ip dhcp excluded-address 10.1.10.241 10.1.10.254
ip dhcp excluded-address 10.1.12.241 10.1.12.254
ip dhcp excluded-address 10.1.13.241 10.1.13.254
ip dhcp excluded-address 10.1.14.241 10.1.14.254
ip dhcp excluded-address 10.1.15.241 10.1.15.254
ip dhcp excluded-address 10.1.16.241 10.1.16.254
ip dhcp excluded-address 10.1.17.241 10.1.17.254
ip dhcp excluded-address 10.1.18.241 10.1.18.254
ip dhcp excluded-address 192.168.0.1 192.168.0.40
!
ip dhcp pool VLAN1
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.136
   dns-server 192.168.0.1 192.168.0.6
   netbios-name-server 192.168.0.1 192.168.0.6
   netbios-node-type h-node
!
ip dhcp-server 192.168.0.136
vtp mode transparent
cluster run
!
spanning-tree mode pvst
spanning-tree extend system-id
!
redundancy
 mode sso
!
vlan internal allocation policy ascending
!
vlan 10
 name Ground_Floor
!
vlan 11
 name First_Floor
!
vlan 12
 name Second_Floor
!
vlan 13
 name Third_Floor
!
vlan 14
 name Fourth_Floor
!
vlan 15
 name Fifth_Floor
!
vlan 16
 name Sixth_Floor
!
vlan 17
 name Seventh_Floor
!
vlan 18
 name Eighth_Floor
!
vlan 19
 name Management
!
vlan 20
 name Servers
!
vlan 21
 name IP-Cameras
!
vlan 22
 name Src_Voice
!
vlan 23
 name Src_Vsat
!
vlan 30
!
vlan 31
 name cloud
!
vlan 121
!
!
class-map match-all YOU
class-map match-all httpurl
!
interface GigabitEthernet5/9
 switchport access vlan 16
 switchport mode access
!
interface GigabitEthernet5/43
 switchport mode access
!
interface Vlan10
 ip address 10.1.10.251 255.255.255.0
 ip helper-address 10.1.20.101
 ip helper-address 10.1.20.102
 standby 10 ip 10.1.10.250
 standby 10 preempt
!
interface Vlan11
 ip address 10.1.11.251 255.255.255.0
 ip helper-address 10.1.20.101
 ip helper-address 10.1.20.102
 standby 11 ip 10.1.11.250
 standby 11 preempt
!
interface Vlan12
 ip address 10.1.12.251 255.255.255.0
 ip helper-address 10.1.20.101
 ip helper-address 10.1.20.102
 standby 12 ip 10.1.12.250
 standby 12 preempt
!
interface Vlan13
 ip address 10.1.13.251 255.255.255.0
 ip helper-address 10.1.20.101
 ip helper-address 10.1.20.102
 standby 13 ip 10.1.13.250
 standby 13 preempt
!
interface Vlan14
 ip address 10.1.14.251 255.255.255.0
 ip helper-address 10.1.20.101
 ip helper-address 10.1.20.102
 standby 14 ip 10.1.14.250
 standby 14 preempt
!
interface Vlan15
 ip address 10.1.15.251 255.255.255.0
 ip helper-address 10.1.20.101
 ip helper-address 10.1.20.102
 standby 15 ip 10.1.15.250
 standby 15 preempt
!
interface Vlan16
 ip address 10.1.16.251 255.255.255.0
 ip helper-address 10.1.20.101
 ip helper-address 10.1.20.102
 standby 15 preempt
 standby 16 ip 10.1.16.250
 standby 16 preempt
!
interface Vlan17
 ip address 10.1.17.251 255.255.255.0
 ip helper-address 10.1.20.101
 ip helper-address 10.1.20.102
 standby 17 ip 10.1.17.250
 standby 17 preempt
!
interface Vlan18
 ip address 10.1.18.251 255.255.255.0
 ip helper-address 10.1.20.101
 ip helper-address 10.1.20.102
 standby 18 ip 10.1.18.250
 standby 18 preempt
!
interface Vlan19
 ip address 10.1.19.251 255.255.255.0
 standby 19 ip 10.1.19.250
 standby 19 preempt
!
interface Vlan20
 ip address 10.1.20.251 255.255.255.0
 standby 20 ip 10.1.20.250
 standby 20 preempt
!
interface Vlan21
 ip address 10.1.21.251 255.255.255.0
 standby 21 ip 10.1.21.250
 standby 21 preempt
!
interface Vlan22
 ip address 10.1.22.251 255.255.255.0
 ip helper-address 10.1.20.101
 ip helper-address 10.1.20.102
 standby 22 ip 10.1.22.250
 standby 22 preempt
!
interface Vlan23
 ip address 10.1.23.251 255.255.255.0
 ip helper-address 10.1.20.101
 ip helper-address 10.1.20.102
 shutdown
 standby 23 ip 10.1.23.250
 standby 23 preempt
!
interface Vlan30
 ip address 192.168.30.13 255.255.255.0
 standby 30 ip 192.168.30.12
 standby 30 preempt
!
interface Vlan31
 ip address 10.101.1.53 255.255.255.0
!
interface Vlan121
 ip address 192.168.168.251 255.255.255.0
 shutdown
!
ip route profile
ip route 0.0.0.0 0.0.0.0 192.168.0.9
ip route 10.1.0.0 255.255.255.252 192.168.0.9
ip route 10.36.0.0 255.255.0.0 192.168.0.9
ip route 10.66.4.88 255.255.255.252 10.101.1.51
ip route 10.200.7.156 255.255.255.252 10.101.1.51
ip route 10.201.20.0 255.255.255.0 10.20.6.6
ip route 172.16.0.0 255.255.0.0 192.168.0.9
ip route 192.168.99.0 255.255.255.0 192.168.0.9
ip http server
ip http secure-server
!
!
route-map Operations permit 10
 match ip address 30
 set interface GigabitEthernet2/3
!

Kindly help/suggest.

Oh well,

I had just written a long post and the browser thought it would be a good idea to go back one page and lost all that I had written.

Another try. Maybe this time the browser won't decide to do anything special.

So again, I don't see any logic with the static routing either on the ASA or the Core device when it comes to routing traffic through the ASA.

Core

Where is this route pointing towards? It's not the ASA at least.

ip route 0.0.0.0 0.0.0.0 192.168.0.9

ASA

As I stated before, the static route on the ASA doesn't make any sense either:

route inside 10.1.0.0 255.255.0.0 192.168.0.136 1

The reason being that the gateway IP set (192.168.0.136) IS NOT part of the subnet that is configured on the "inside" interface.

Is the ASA supposed to handle all the Internet traffic, and is ALL TRAFFIC from the LAN supposed to go through the ASA to the Internet?

If this is the case I think you will need to change the configurations.

ASA

  • Configure a new link network on the ASA "inside" interface. The same will be done on the Core side
  • Delete the old route for the LAN networks and configure it with the new gateway IP address
  • The new link network being used is 192.168.255.0/24, or something else if it's already in use in your network
  • Make sure you don't cut your own management connection through the interface configuration change.

interface Ethernet0/2
 description ****Trusted_LAN_Network*****
 nameif inside
 security-level 100
 no ip add
 ip add 192.168.255.1 255.255.255.0
no route inside 10.1.0.0 255.255.0.0 192.168.0.136 1
route inside 10.1.0.0 255.255.0.0 192.168.255.2

Core

  • Configure a new VLAN, VLAN interface and subnet to work as a link network between your Core and ASA
  • Remove the old default route and configure a new one pointing towards the ASA "inside" interface IP address
  • Connect the free physical port you have chosen for the link between the Core and the ASA to the ASA interface Ethernet0/2

vlan 255
 name Core-to-ASA
interface Vlan255
 description Core-to-ASA
 ip add 192.168.255.2 255.255.255.0
 no shutdown
interface
 description Core-to-ASA
 switchport mode access
 switchport access vlan 255
 switchport nonegotiate
 spanning-tree portfast
no ip route 0.0.0.0 0.0.0.0 192.168.0.9
ip route 0.0.0.0 0.0.0.0 192.168.255.1

I MUST STRESS that you only do these configurations if, after going through the whole core switch configuration, it would seem that it doesn't cause any problems with existing working connections. I can't see the whole core configuration and can't really take everything into consideration.

I don't know where the current default route points to, for example. I don't know if 192.168.0.9 is actually some Internet router you have. In that case changing the default route would naturally mean that all traffic would begin to go through the ASA and potentially break something.

But in the end, to get some connections to go through the ASA you will need to route something towards its "inside" interface and have the Core-to-ASA link in order, which it doesn't seem to be at the moment.

The OSPF routing in your Core and ASA is also a mystery to me, so that again is something I can't comment on at the moment. The suggestion that I made relies simply on static routing on both the ASA and the Core device.

- Jouni
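As an added example (not code from this thread, from Cisco or from either poster), here is a small Python audit script for the points Jouni raises in his first reply and in the accepted answer above: a static route's next hop has to lie on the subnet of the interface it points out of, a `management-only` interface cannot carry through-traffic, and every `nat` id needs a matching `global` pool. `SAMPLE_CONFIG` is a constructed excerpt modelled on the ASA config posted earlier, with the public addresses replaced by the 203.0.113.0/24 documentation range; `FIXED_CONFIG` applies the 192.168.255.0/24 link-network change from the accepted answer so the two can be compared. Function names and the finding texts are this example's own.

```python
import ipaddress
import re

# Constructed sample, modelled on the ASA 7.0(6) running-config posted in this thread.
# Public addresses use the 203.0.113.0/24 documentation range instead of the real ones.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.130 255.255.255.128
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 10.1.16.75 255.255.255.0
!
interface Management0/0
 nameif MANAGEMENT
 security-level 100
 ip address 192.168.0.7 255.255.255.0
 management-only
!
nat-control
global (outside) 20 203.0.113.140-203.0.113.254 netmask 255.255.255.128
nat (inside) 20 10.1.0.0 255.255.0.0
route outside 0.0.0.0 0.0.0.0 203.0.113.129 1
route inside 10.1.0.0 255.255.0.0 192.168.0.136 1
"""

# Same config after the accepted answer's change: a dedicated 192.168.255.0/24 link
# network on the inside interface, with the LAN route pointing at the core's end of it.
FIXED_CONFIG = (SAMPLE_CONFIG
                .replace("ip address 10.1.16.75 255.255.255.0", "ip address 192.168.255.1 255.255.255.0")
                .replace("192.168.0.136", "192.168.255.2"))

ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
NAT_RE = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)")
GLOBAL_RE = re.compile(r"^global\s+\((\S+)\)\s+(\d+)")


def parse_asa(text):
    """Extract named interfaces, static routes and nat/global ids from ASA 7.x config text."""
    interfaces, routes, nat_ids, global_ids = {}, [], {}, {}
    cur = None

    def close_block():
        nonlocal cur
        if cur and cur["nameif"] and cur["net"]:
            interfaces[cur["nameif"]] = cur
        cur = None

    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            close_block()
            cur = {"nameif": None, "net": None, "mgmt_only": False}
            continue
        if cur is not None and raw.startswith(" "):      # sub-command of the open interface
            if line.startswith("nameif "):
                cur["nameif"] = line.split()[1]
            elif line.startswith("ip address "):
                addr, mask = line.split()[2:4]
                cur["net"] = ipaddress.IPv4Interface(f"{addr}/{mask}")
            elif line == "management-only":
                cur["mgmt_only"] = True
            continue
        close_block()                                     # any top-level line ends the block
        if m := ROUTE_RE.match(line):
            ifname, net, mask, gw = m.groups()
            routes.append((ifname, ipaddress.IPv4Network(f"{net}/{mask}"), ipaddress.IPv4Address(gw)))
        elif m := NAT_RE.match(line):
            nat_ids.setdefault(m.group(2), []).append(m.group(1))
        elif m := GLOBAL_RE.match(line):
            global_ids.setdefault(m.group(2), []).append(m.group(1))
    close_block()
    return interfaces, routes, nat_ids, global_ids


def audit(text):
    """Return a list of findings; an empty list means routing and NAT plumbing are consistent."""
    interfaces, routes, nat_ids, global_ids = parse_asa(text)
    findings = []
    for ifname, dest, gw in routes:
        iface = interfaces.get(ifname)
        if iface is None:
            findings.append(f"route {dest} via {gw}: no interface named '{ifname}' carries an IP address")
            continue
        if iface["mgmt_only"]:
            findings.append(f"route {dest} via {gw}: '{ifname}' is management-only and cannot forward through-traffic")
        if gw not in iface["net"].network:
            findings.append(f"route {dest} via {gw}: next hop is not on the '{ifname}' subnet {iface['net'].network}")
    for nat_id, ifs in nat_ids.items():
        if nat_id not in global_ids:
            findings.append(f"nat id {nat_id} on {', '.join(ifs)} has no matching global pool")
    for gid, ifs in global_ids.items():
        if gid not in nat_ids:
            findings.append(f"global id {gid} on {', '.join(ifs)} has no matching nat statement")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("with link network", FIXED_CONFIG)):
        result = audit(cfg)
        print(f"{label}: {'OK' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

Run against the posted layout the script reports exactly the route Jouni objects to (next hop 192.168.0.136 is not on 10.1.16.0/24); with the link network in place it reports nothing. The parser only understands the ASA 7.x `nat (if) id` / `global (if) id` syntax used in this thread, not the object-based NAT of 8.3 and later.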

Hi Jouni,

I'm really sorry for not mentioning this fact from the beginning. Actually, all the users are accessing the internet through a Juniper, i.e. 192.168.0.9. That's the reason you are seeing the default route in the config of the switch.

The requirement states that this connection via the ASA should be a backup one. Is it possible to configure that on the Cisco 4507R-E switch?

If I do anything as you mentioned above, the users will not be able to access the internet.

So kindly suggest to me how to go.

Hi Jouni,

Thanks a lot for your help. I disabled the older config by backing it up and tried a new config as you said, and it worked.

But the problem is I was able to access the internet on the 6th floor (on which my data room is located). When I tried accessing the internet from other floors I was unable to do so.

Kindly suggest what else has to be done in addition to what you mentioned in the previous answer.
