Beginner

Can't access Cisco ASA 5510 by public IP behind Internet router

We need to deploy a Cisco ASA 5510 behind the Internet facing router for Remote Access VPN (RAVPN). We bought the block of 16 IPs (in a different subnet) which is routed through the main router (69.x.x.x) and configured the outside interface of ASA with a public IP 64.x.x.x and subnet mask 255.255.255.240. Below is the network structure.


But, we can't access the ASA by its public IP. Please suggest.



DSL Modem → RV082 router → Switch → LAN

                      (69.x.x.x)              ↑           (192.168.0.0)

                                       Cisco ASA 5510

                    (outside: 64.x.x.x, inside: 192.168.0.172)

16 REPLIES 16
Rising star

Can't access Cisco ASA 5510 by public IP behind Internet router

How does the router connect to the ASA physically? Does it connect through a switch or just directly from an ethernet interface on the router to the ASA?

Beginner

Can't access Cisco ASA 5510 by public IP behind Internet router

The ASA is connected through the switch.

Rising star

Can't access Cisco ASA 5510 by public IP behind Internet router

Can you post the IP configuration for the outside ASA? Also, is the switchport that the ASA is connected to in the VLAN that corresponds to the 69.x.x.x network?

Beginner

Can't access Cisco ASA 5510 by public IP behind Internet router

IP configuration for the outside ASA:

Interface: Ethernet 0/0

Name: Outside

Enabled: Yes

Security label: 0

IP address: 64.26.185.50

Subnet mask: 255.255.255.240

Yes, the switchport that the ASA is connected to belongs to the 69.x.x.x network.

Rising star

Can't access Cisco ASA 5510 by public IP behind Internet router

What is the default route for the ASA? Also, can you set up a packet capture to see if the packets are actually getting to the outside interface of the ASA? And from the ASA can you ping its default gateway?

Beginner

Can't access Cisco ASA 5510 by public IP behind Internet router

The default route for the ASA is the 69.x.x.x - the public IP of the RV082 gateway router.

I did set up a packet capture and it's getting to the outside interface of the ASA. But, from the ASA, I can't ping its default gateway 69.x.x.x.

Can't access Cisco ASA 5510 by public IP behind Internet router

Can you provide the show run route of the ASA??

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Beginner

Can't access Cisco ASA 5510 by public IP behind Internet router

route Outside 0.0.0.0 0.0.0.0 69.20.234.102 1

Rising star

Can't access Cisco ASA 5510 by public IP behind Internet router

What is the default gateway of 64.26.185.50/28 and where is it on your network?

Can't access Cisco ASA 5510 by public IP behind Internet router

Hello,

So the outside interface of the ASA is on the 64.x.x.x subnet and the router is on the 69.x.x.x subnet. They are not on the same network, so of course they will not have connectivity.

You need to define how to get to the outside world (default gateway should be 64.x.x.x, not 69.)

Regards,

Julio

Do rate all the helpful posts!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Beginner

Can't access Cisco ASA 5510 by public IP behind Internet router

Hello John and Julio,

Thanks for helping me out!

As I mentioned in the 1st post, we bought a block of 16 IPs (in a different subnet - 64.x.x.x) which is routed through the main router (69.x.x.x).

So, not sure how to config the ASA outside interface.

Regards

Can't access Cisco ASA 5510 by public IP behind Internet router

Hello,

Here is the issue:

DSL Modem → RV082 router → Switch → LAN

                      (69.x.x.x)              ↑           (192.168.0.0)

                                       Cisco ASA 5510

                    (outside: 64.x.x.x, inside: 192.168.0.172)

If the ASA wants to communicate with the RV082, it will need to send the packets to the 69.x.x.x, right? But who is the default gateway of the ASA 5510 (got to be on the same broadcast domain)??

You told us the gateway is 69.x.x.x, as per: route Outside 0.0.0.0 0.0.0.0 69.20.234.102 1

So of course, there is not going to be communication between those 2 hosts.

You need to:

1- Change the outside IP address of the ASA and place it on the same broadcast domain as the router

2- Place another layer 3 device in between the router and the ASA (so connection to the router with 69.x.x.x IP address and connection to ASA with IP address 64.x.x.x). In that case the default gateway should be the other layer 3 device.

route outside 0.0.0.0 0.0.0.0 64.x.x.x

Regards,

Do rate all the helpful posts!!

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
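The point made in the reply above, that a static route's next hop has to sit inside the subnet configured on the egress interface, can be checked directly against a saved configuration. The following is an added example, not code from any poster in this thread; the config text is constructed from the interface and route values posted above, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample in ASA CLI form, using the values posted in this thread.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 64.26.185.50 255.255.255.240
!
route Outside 0.0.0.0 0.0.0.0 69.20.234.102 1
"""

def parse_interfaces(config):
    """Map each nameif to its IPv4Interface (address plus mask)."""
    interfaces, nameif = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("interface "):
            nameif = None                      # new stanza, name not seen yet
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        else:
            m = re.match(r"ip address (\S+) (\S+)", line)
            if m and nameif:
                interfaces[nameif] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return interfaces

def check_routes(config):
    """Return (route_line, problem) for every route whose next hop is unusable."""
    interfaces = parse_interfaces(config)
    findings = []
    for line in (raw.strip() for raw in config.splitlines()):
        m = re.match(r"route (\S+) \S+ \S+ (\S+)", line)
        if not m:
            continue
        iface = interfaces.get(m.group(1))
        if iface is None:
            findings.append((line, f"no addressed interface named {m.group(1)}"))
            continue
        hop, net = ipaddress.ip_address(m.group(2)), iface.network
        if hop not in net:
            # The ASA cannot ARP for a gateway that is off its connected subnet.
            findings.append((line, f"next hop {hop} is outside connected subnet {net}"))
        elif hop in (iface.ip, net.network_address, net.broadcast_address):
            findings.append((line, f"next hop {hop} is not a usable neighbour in {net}"))
    return findings

if __name__ == "__main__":
    for route, problem in check_routes(SAMPLE_CONFIG):
        print(f"{route}\n  -> {problem}")
```
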
Rising star

Can't access Cisco ASA 5510 by public IP behind Internet router

Hi Supriya,

As John and Julio suggested, you need to have a gateway IP for the ASA to get on to the internet in the same broadcast domain as 64.x.x.x. I just want to mention a couple of points.

I quickly checked the RV082 user guide and the router itself is VPN capable (with Linksys VPN client software). You may want to look into that.

If it is mandatory to use the ASA: it appears that both (64 & 69) IP ranges are from the same ISP (Magma comm). You need to talk to the ISP and find out how they routed the new IPs to your location. If this is through the same DSL modem, then at least one IP is reserved as gateway. You may need to connect your ASA directly to an available port on the DSL modem (if any).

Thx

MS

Beginner

Can't access Cisco ASA 5510 by public IP behind Internet router

Thank you all for your support.

I talked to the ISP provider and found out that the IPs (block of 16) that we bought are not true static IPs. They're routed through the main router - 69.x.x.x. So, we can't use them as the public IP for the outside interface of the ASA. They can only be used for port forwarding or natting to the internal IPs of devices.

So, I need to configure the ASA differently to be used in the present network with the existing resources. Maybe I'll NAT one of these IPs to the internal interface of the ASA and configure RAVPN accordingly.

Thanks again.

Supriya