02-06-2012 06:21 AM - edited 03-11-2019 03:24 PM
We need to deploy a Cisco ASA 5510 behind the Internet-facing router for Remote Access VPN (RAVPN). We bought the block of 16 IPs (in a different subnet) which is routed through the main router (69.x.x.x) and configured the outside interface of the ASA with a public IP 64.x.x.x and subnet mask 255.255.255.240. Below is the network structure.
But, we can't access the ASA by its public IP. Please suggest.
DSL Modem → RV082 router → Switch → LAN
(69.x.x.x) ↑ (192.168.0.0)
Cisco ASA 5510
(outside: 64.x.x.x, inside: 192.168.0.172)
02-06-2012 06:24 AM
How does the router connect to the ASA physically? Does it connect through a switch or just directly from an ethernet interface on the router to the ASA?
02-06-2012 07:01 AM
The ASA is connected through the switch.
02-06-2012 07:50 AM
Can you post the IP configuration for the outside ASA? Also, is the switchport that the ASA is connected to in the VLAN that corresponds to the 69.x.x.x network?
02-06-2012 08:53 AM
IP configuration for the outside ASA:
Interface: Ethernet 0/0
Name: Outside
Enabled: Yes
Security label: 0
IP address: 64.26.185.50
Subnet mask: 255.255.255.240
Yes, the switchport that the ASA is connected to belongs to the 69.x.x.x network.
02-06-2012 09:36 AM
What is the default route for the ASA? Also, can you set up a packet capture to see if the packets are actually getting to the outside interface of the ASA? And from the ASA can you ping its default gateway?
02-06-2012 09:52 AM
The default route for the ASA is the 69.x.x.x - the public IP of the RV082 gateway router.
I did set up a packet capture and it's getting to the outside interface of the ASA. But, from the ASA, I can't ping its default gateway 69.x.x.x.
02-06-2012 10:20 AM
Can you provide the show run route of the ASA??
Regards,
02-06-2012 10:33 AM
route Outside 0.0.0.0 0.0.0.0 69.20.234.102 1
02-06-2012 10:42 AM
What is the default gateway of 64.26.185.50/28 and where is it on your network?
02-06-2012 10:49 AM
Hello,
So the outside interface of the ASA is on the 64.x.x.x subnet and the router is on the 69.x.x.x subnet; they are not on the same network, so of course they will not have connectivity.
You need to define how to get to the outside world (default gateway should be 64.x.x.x, not 69.)
Regards,
Julio
Do rate all the helpful posts!!
02-06-2012 11:00 AM
Hello John and Julio,
Thanks for helping me out!
As I mentioned in the 1st post, we bought a block of 16 IPs (in a different subnet - 64.x.x.x) which is routed through the main router (69.x.x.x).
So, not sure how to config the ASA outside interface.
Regards
02-06-2012 11:12 AM
Hello,
Here is the issue:
DSL Modem → RV082 router → Switch → LAN
(69.x.x.x) ↑ (192.168.0.0)
Cisco ASA 5510
(outside: 64.x.x.x, inside: 192.168.0.172)
If the ASA wants to communicate with the RV082, it will need to send the packets to 69.x.x.x, right? But who is the default gateway of the ASA 5510 (it has got to be on the same broadcast domain)?
You told us the gateway is 69.x.x.x, as per: route Outside 0.0.0.0 0.0.0.0 69.20.234.102 1
So of course, there is not going to be communication between those 2 hosts.
You need to:
1- Change the outside IP address of the ASA and place it on the same broadcast domain as the router
2- Place another layer 3 device in between the router and the ASA (so connection to the router with a 69.x.x.x IP address and connection to the ASA with a 64.x.x.x IP address); in that case the default gateway should be the other layer 3 device.
route outside 0.0.0.0 0.0.0.0 64.x.x.x
Regards,
Do rate all the helpful posts!!
Julio
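An added example, not part of the original thread or any poster's configuration: a small Python check that parses ASA-style `nameif` / `ip address` / `route` lines and flags any static route whose next hop is not on the connected subnet of the named interface, which is the condition described in the post above. The sample config is constructed from the addresses quoted in the thread; the inside mask and security level are assumptions.

```python
import ipaddress

# Constructed sample built from the values quoted in the thread. The inside
# mask (255.255.255.0) and security-level 100 are assumptions.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 64.26.185.50 255.255.255.240
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.172 255.255.255.0
route Outside 0.0.0.0 0.0.0.0 69.20.234.102 1
"""

def parse_interfaces(config):
    """Map each nameif (lower-cased) to its IPv4 address and connected subnet."""
    interfaces, name = {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["interface"]:
            name = None                      # a new interface block starts
        elif words[:1] == ["nameif"] and len(words) == 2:
            name = words[1].lower()
        elif words[:2] == ["ip", "address"] and name and len(words) >= 4:
            interfaces[name] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
    return interfaces

def audit_routes(config):
    """Return (route line, problem) for each static route with an unusable next hop."""
    interfaces = parse_interfaces(config)
    findings = []
    for line in config.splitlines():
        words = line.split()
        if len(words) < 5 or words[0] != "route":
            continue
        iface = interfaces.get(words[1].lower())
        gateway = ipaddress.ip_address(words[4])
        if iface is None:
            findings.append((line, f"no addressed interface named {words[1]}"))
        elif gateway not in iface.network:
            findings.append((line, f"next hop {gateway} is not in connected "
                                   f"subnet {iface.network} of {words[1]}"))
        elif gateway in (iface.ip, iface.network.network_address,
                         iface.network.broadcast_address):
            findings.append((line, f"next hop {gateway} is not a usable neighbor"))
    return findings

if __name__ == "__main__":
    for route, problem in audit_routes(SAMPLE_CONFIG):
        print(f"{route}\n  -> {problem}")
```

Run against the sample, it reports the single default route, because 69.20.234.102 lies outside 64.26.185.48/28.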
02-06-2012 08:21 PM
Hi Supriya,
As John and Julio suggested, you need to have a gateway IP for the ASA to get on to the internet in the same broadcast domain as 64.x.x.x. I just want to mention a couple of points.
I quickly checked the RV082 user guide and the router itself is VPN capable (with Linksys VPN client software). You may want to look into that.
If it is mandatory to use the ASA: it appears that both (64 & 69) IP ranges are from the same ISP (Magma comm). You need to talk to the ISP and find out how they routed the new IPs to your location. If this is through the same DSL modem, then at least one IP is reserved as gateway. You may need to connect your ASA directly to an available port on the DSL modem (if any).
Thx
MS
02-07-2012 09:01 AM
Thank you all for your support.
I talked to the ISP provider and found out that the IPs (block of 16) that we bought are not true static IPs. They're routed through the main router - 69.x.x.x. So, we can't use them as the public IP for the outside interface of the ASA. They can only be used for port forwarding or NATing to the internal IPs of devices.
So, I need to configure the ASA differently to be used in the present network with the existing resources. Maybe I'll NAT one of these IPs to the internal interface of the ASA and configure RAVPN accordingly.
Thanks again.
Supriya