
Can't access Cisco ASA 5510 by public IP behind Internet router

wscis2012

We need to deploy a Cisco ASA 5510 behind the Internet facing router for Remote Access VPN (RAVPN). We bought the block of 16 IPs (in a different subnet) which is routed through the main router (69.x.x.x) and configured the outside interface of ASA with a public IP 64.x.x.x and subnet mask 255.255.255.240. Below is the network structure.


But, we can't access the ASA by its public IP. Please suggest.



DSL Modem → RV082 router → Switch → LAN
            (69.x.x.x)       ↑      (192.168.0.0)
                       Cisco ASA 5510
         (outside: 64.x.x.x, inside: 192.168.0.172)


JohnTylerPearce

How does the router connect to the ASA physically? Does it connect through a switch or just directly from an ethernet interface on the router to the ASA?

The ASA is connected through the switch.

Can you post the IP configuration for the outside ASA? Also, is the switchport that the ASA is connected to in the VLAN that corresponds to the 69.x.x.x network?

IP configuration for the outside ASA:

Interface: Ethernet 0/0

Name: Outside

Enabled: Yes

Security label: 0

IP address: 64.26.185.50

Subnet mask: 255.255.255.240

Yes, the switchport that the ASA is connected to belongs to the 69.x.x.x network.

What is the default route for the ASA? Also, can you set up a packet capture to see if the packets are actually getting to the outside interface of the ASA? And from the ASA can you ping its default gateway?

The default route for the ASA is the 69.x.x.x - the public IP of the RV082 gateway router.

I did set up a packet capture and it's getting to the outside interface of the ASA. But, from the ASA, I can't ping its default gateway 69.x.x.x.

Can you provide the show run route of the ASA??

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

route Outside 0.0.0.0 0.0.0.0 69.20.234.102 1

What is the default gateway of 64.26.185.50/28 and where is it on your network?

Hello,

So the outside interface of the ASA is on the 64.x.x.x subnet and the router is on the 69.x.x.x subnet. They are not on the same network, so of course they will not have connectivity.

You need to define how to get to the outside world (default gateway should be 64.x.x.x, not 69.)

Regards,

Julio

Do rate all the helpful posts!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello John and Julio,

Thanks for helping me out!

As I mentioned in the 1st post, we bought a block of 16 IPs (in a different subnet - 64.x.x.x) which is routed through the main router (69.x.x.x).

So, not sure how to config the ASA outside interface.

Regards

Hello,

Here is the issue:

DSL Modem → RV082 router → Switch → LAN
            (69.x.x.x)       ↑      (192.168.0.0)
                       Cisco ASA 5510
         (outside: 64.x.x.x, inside: 192.168.0.172)

If the ASA wants to communicate with the RV082, it will need to send the packets to 69.x.x.x, right? But who is the default gateway of the ASA 5510 (it has to be on the same broadcast domain)?

You told us the gateway is 69.x.x.x, as per: route Outside 0.0.0.0 0.0.0.0 69.20.234.102 1

So of course, there is not going to be communication between those 2 hosts.

You need to:

1- Change the outside IP address of the ASA and place it on the same broadcast domain as the router

2- Place another layer 3 device in between the router and the ASA (so connection to the router with a 69.x.x.x IP address and connection to the ASA with a 64.x.x.x IP address); in that case the default gateway should be the other layer 3 device.

route outside 0.0.0.0 0.0.0.0 64.x.x.x

Regards,

Do rate all the helpful posts!!

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
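
The mismatch described in the post above (a default route whose next hop is not inside the subnet of the interface it points out of) can be checked mechanically. This is an added example, not code from the thread: the address, mask and route are the ones quoted by the posters, while the surrounding `interface`/`nameif` lines and the function names are assumptions made for the sketch.

```python
import ipaddress
import re

# Constructed ASA config fragment. The ip address, mask and route line are
# the values quoted in the thread; the interface/nameif framing is assumed.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 64.26.185.50 255.255.255.240
!
route Outside 0.0.0.0 0.0.0.0 69.20.234.102 1
"""


def connected_networks(config):
    """Map each nameif to the IPv4 network configured on that interface."""
    nets, nameif = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            nameif = None  # new interface stanza, name not seen yet
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif (m := re.match(r"ip address (\S+) (\S+)", line)) and nameif:
            nets[nameif] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
    return nets


def off_link_routes(config):
    """Return (nameif, next_hop, connected_net) for each static route whose
    next hop is not inside the subnet of the interface it is bound to."""
    nets = connected_networks(config)
    bad = []
    for m in re.finditer(r"^route (\S+) \S+ \S+ (\S+)", config, re.M):
        nameif, hop = m[1], ipaddress.ip_address(m[2])
        net = nets.get(nameif)
        if net is None or hop not in net:
            bad.append((nameif, str(hop), str(net) if net else None))
    return bad


if __name__ == "__main__":
    for nameif, hop, net in off_link_routes(SAMPLE_CONFIG):
        print(f"{nameif}: next hop {hop} is not in connected subnet {net}")
```

The interface address 64.26.185.50 with mask 255.255.255.240 sits in 64.26.185.48/28, so only next hops inside that /28 can be reached directly from the Outside interface.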

Hi Supriya,

As John and Julio suggested, you need to have a gateway IP for the ASA to get on to the internet in the same broadcast domain as 64.x.x.x. I just want to mention a couple of points.

I quickly checked the RV082 user guide and the router itself is VPN capable (with Linksys VPN client software). You may want to look into that.

If it is mandatory to use the ASA: it appears that both IP ranges (64 & 69) are from the same ISP (Magma comm). You need to talk to the ISP and find out how they routed the new IPs to your location. If this is through the same DSL modem, then at least one IP is reserved as gateway. You may need to connect your ASA directly to an available port on the DSL modem (if any).

Thx

MS

Thank you all for your support.

I talked to the ISP provider and found out that the IPs (block of 16) that we bought are not true static IPs. They're routed through the main router - 69.x.x.x. So, we can't use them as the public IP for the outside interface of the ASA. They can only be used for port forwarding or NATing to the internal IPs of devices.

So, I need to configure the ASA differently to be used in the present network with the existing resources. Maybe I'll NAT one of these IPs to the internal interface of the ASA and configure RAVPN accordingly.

Thanks again.

Supriya
