ASA 5505 Connecting 2 internal networks

bkana2112 (Level 1)

We recently changed locations and acquired a new circuit from our provider. They also connected our remote branch office to our main office through MPLS. Now, as I understand it, the branch office basically connects back to the main office through our provider's network (MPLS). We have a new router at the branch office which has a gateway of 192.168.1.225. The clients in that office have IPs of 192.168.1.96 - 100, using the gateway of 192.168.1.225.

The main office network is 192.168.0.0 (Gateway of 192.168.0.1)

At this end (Main office), I also have a new Cisco 2900 provided by the ISP, with port 0/0 for the outside connection (connected to the 0 port on my ASA 5505). The ASA's port 1 obviously running into my network hub. The provider tells me that port 0/1 on the 2900 is or should be used to connect the branch office back to here and has an IP of 192.168.0.225, as that's how the provider provisioned it. So, I plug that into the ASA's Ethernet port 0/2. And I'm assuming they have a route setup either on the 2900 or the router in the branch office so that 192.168.1.225 can reach me here at 192.168.0.0.

There is already a static route setup on the ASA: (192.168.1.0 255.255.255.255 192.168.0.225 1). As soon as I plug in the cable, the IP phones at the branch office work, but they can't access the internet or any resources in the main office. My questions are:

1. Shouldn't I be able to just go straight from the 0/1 port on the Cisco 2900 to my hub. At first I was plugging right into the ASA, but I don't think I need to do that, why go from the branch office through my ASA to access resources and then back out the ASA for internet. If they're already coming from 192.168.1.225, through the MPLS network, then they should go right to my network and then back out the ASA.

or

2. They have to route through the ASA first, in which case, do I need to setup another VLAN for that branch network in conjunction with a static route? I can ping the router and hosts in the branch office through the ASA only!


Below is the running sanitized config:

Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(2)
!
hostname ciscoasa
domain-name audiology.org
enable password ulzaQiFnKVzDwUmW encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
ospf cost 10
!
interface Vlan2
nameif outside
security-level 0
ip address 1.2.3.4 255.255.255.240
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name audiology.org
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_access_in extended permit tcp host 192.168.0.8 any eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended permit tcp any any eq https
access-list inside_access_in extended permit tcp any any eq www
access-list inside_access_in remark port to protech
access-list inside_access_in extended permit tcp any any eq 15864
access-list inside_access_in remark Tight VNC to calprogrp
access-list inside_access_in extended permit tcp any any eq 5900
access-list inside_access_in remark BlackBerry Server access from AAAEXCH
access-list inside_access_in extended permit tcp host 192.168.0.10 any eq 3101
access-list inside_access_in remark BlackBerry Server Access for WSVR2-2K8R2
access-list inside_access_in extended permit tcp host 192.168.0.9 any eq 3101
access-list inside_access_in extended permit tcp any any eq ftp
access-list inside_access_in remark Congress Web Site for Kate
access-list inside_access_in extended permit tcp any any eq 4433
access-list inside_access_in extended permit tcp 192.168.0.0 255.255.255.0 any eq 1433
access-list inside_access_in extended permit tcp any any eq sqlnet
access-list inside_access_in extended permit tcp any any eq 50000
access-list inside_access_in extended deny ip 192.168.0.0 255.255.255.0 host 92.241.184.190
access-list inside_access_in extended permit tcp any any eq 667
access-list inside_access_in remark Access to MagnetMail
access-list inside_access_in extended permit ip any host 64.27.100.172
access-list inside_access_in extended permit tcp any any eq 3389
access-list inside_access_in extended permit icmp any any echo-reply
access-list inside_access_in extended permit ip any any inactive
access-list Audiology_VPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list outside_access_in extended permit tcp any host 1.2.3.10 eq smtp
access-list outside_access_in extended permit tcp any host 1.2.3.10 eq https
access-list outside_access_in remark Hacking Service
access-list outside_access_in extended deny tcp any 192.168.0.0 255.255.255.0 eq 4245
access-list outside_access_in remark Deny Access to this IP found on the AAAEX10
access-list outside_access_in extended deny ip host 184.191.175.58 192.168.0.0 255.255.255.0
access-list outside_access_in remark Hacking Service
access-list outside_access_in extended deny tcp any 192.168.0.0 255.255.255.0 eq 4242
access-list outside_access_in extended deny ip host 92.241.184.190 192.168.0.0 255.255.255.0
access-list outside_access_in extended deny ip host 92.241.184.164 192.168.0.0 255.255.255.0
access-list outside_access_in remark Deny Facebook
access-list outside_access_in extended deny ip host 69.63.176.12 192.168.0.0 255.255.255.0
access-list outside_access_in remark Deny Facebook 6
access-list outside_access_in extended deny ip host 69.63.176.11 192.168.0.0 255.255.255.0
access-list outside_access_in remark Deny Facebook
access-list outside_access_in extended deny ip host 69.63.178.11 192.168.0.0 255.255.255.0
access-list outside_access_in remark Deny Facebook 2
access-list outside_access_in extended deny ip host 69.63.178.12 192.168.0.0 255.255.255.0
access-list outside_access_in remark Deny Facebook 5
access-list outside_access_in extended deny ip host 69.63.178.14 192.168.0.0 255.255.255.0
access-list outside_access_in remark Deny Facebook 4
access-list outside_access_in extended deny ip host 69.63.178.13 192.168.0.0 255.255.255.0
access-list outside_access_in extended deny ip host 203.93.111.240 192.168.0.0 255.255.255.0
access-list outside_access_in extended deny ip host 112.137.162.147 192.168.0.0 255.255.255.0
access-list outside_access_in remark Deny Facebook 3
access-list outside_access_in extended deny ip host 69.63.179.27 192.168.0.0 255.255.255.0
access-list outside_access_in remark FTP for AAADCSVR4 (JoyAnna)
access-list outside_access_in extended permit tcp any host 1.2.3.9 eq ftp
access-list outside_access_in remark HTTP access to temp AUDNOW13 site
access-list outside_access_in extended permit tcp any host 1.2.3.9 eq www inactive
access-list outside_access_in remark RDP for Bkana
access-list outside_access_in extended permit tcp any host 1.2.3.12 eq 3389
access-list outside_access_in extended permit tcp any host 1.2.3.5 eq 3389
access-list outside_access_in remark Web Portal/AAACRM4M
access-list outside_access_in extended permit tcp any host 1.2.3.4 eq https
access-list outside_access_in remark RDP for Web Portal and Web Site uploads
access-list outside_access_in extended permit tcp any host 1.2.3.4 eq 3389
access-list outside_access_in remark Web Portal/AAACRM4M
access-list outside_access_in extended permit tcp any host 1.2.3.4 eq www
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.25.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.60.0 255.255.255.0
access-list outside_20_cryptomap standard permit 192.168.0.0 255.255.255.0
access-list clientgroup_VPN_splitTunnelACL standard permit host 98.129.60.99
access-list clientgroup_VPN_splitTunnelACL standard permit 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging trap debugging
logging asdm debugging
logging queue 150
mtu inside 1500
mtu outside 1500
ip local pool vpnippool 192.168.50.1-192.168.50.10 mask 255.255.255.0
ip local pool webpool 192.168.60.1-192.168.60.10 mask 255.255.255.0
ip local pool AAAIPPOOL 192.168.0.161-192.168.0.190 mask 255.255.255.0
ip local pool SSLClientPool 192.168.25.1-192.168.25.50 mask 255.255.255.0
ip local pool AAAPOOL 192.168.100.1-192.168.100.50 mask 255.255.255.0
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (outside) 1 1.2.3.10 netmask 255.0.0.0
global (outside) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 192.168.0.217 255.255.255.255
nat (inside) 2 192.168.0.219 255.255.255.255
nat (inside) 2 192.168.0.229 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 192.168.60.0 255.255.255.0
static (inside,outside) tcp 1.2.3.10 smtp 192.168.0.8 smtp netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.10 https 192.168.0.10 https netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.12 3389 192.168.0.221 3389 netmask 255.255.255.255
static (inside,inside) tcp 1.2.3.5 3389 192.168.0.22 3389 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 www 192.168.0.11 www netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 3389 192.168.0.11 3389 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 https 192.168.0.11 https netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.9 ftp 192.168.0.8 ftp netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 216.64.78.1 1
route inside 192.168.1.0 255.255.255.0 192.168.0.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server NTWRKSVRS protocol ldap
aaa-server NTWRKSVRS (inside) host 192.168.0.8
ldap-base-dn DC=audiology,DC=org
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=tss,CN=Users,DC=audiology,DC=org
server-type microsoft
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
reval-period 36000
sq-period 300
aaa authorization command LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
http 192.168.50.0 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-AES-128-SHA
crypto map outside_map 20 set pfs
crypto map outside_map 20 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ciscoasa.audiology.org
keypair sslvpnkeypair
crl configure
crypto ca server
shutdown
crypto ca certificate chain ASDM_TrustPoint0
certificate 7564 696f6c6f 67792e6f 72673081 9f300d06 092a8648
    86f70d01 01010500 03818d00 30818902 818100a0 8b90b08f bbfaf555 4b19f899
    6b04b4b1 ec7b07f8 3ba2504d bb5b54bb 3450bfed 80607843 13a6f146 79472b79
    2e08f1f7 ef32fb77 cf33f0b5 55982455 ef74c3b2 c054efff c58d3698 2bb5e44d
    e6f148b2 81aa2fa0 d317175f 2b8364cd 3c8b0290 12f0a01f 06c6af47 7a7d70cc
    975a3567 9b2e7f24 0d88bcb8 daaf1f7d d0e74d02 03010001 300d0609 2a864886
    f70d0101 05050003 8181005d 269ebb82 ad21cb8c fd5ce3ce bbc51073 370cdd5a
    bccf01e3 b993caf4 b2582663 f18248ed 3634e670 c2c4dd72 abeabbe1 406293a8
    48085355 55885f72 cb78a10e 4d6c1267 ad0fc28e e883e002 6ea9af97 6d722868
    537966f4 de71bd98 f07ba491 7929e460 17062837 5570ce10 b2aba39e 0b1c9e83
    6176373b 33b7204c f92bb6
  quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
client-update enable
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside vpnclient-wins-override
!
dhcpd address 192.168.0.2-192.168.0.129 inside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server inside 192.168.0.3 /tftp
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc image disk0:/anyconnect-dart-win-2.4.1012-k9.pkg 2
svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 3
svc enable
tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
dns-server value 192.168.0.240
vpn-tunnel-protocol l2tp-ipsec svc
default-domain value audiology
address-pools value SSLClientPool
group-policy DfltGrpPolicy attributes
banner value Welcome to the Audiology Domain.
dns-server value 192.168.0.240
vpn-simultaneous-logins 10
vpn-tunnel-protocol IPSec l2tp-ipsec svc
ipsec-udp enable
default-domain value audiology
nac-settings value DfltGrpPolicy-nac-framework-create
address-pools value AAAPOOL
webvpn
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
  svc ask none default svc
  customization value DfltCustomization
group-policy Audiology_VPN internal
group-policy Audiology_VPN attributes
dns-server value 192.168.0.240
vpn-tunnel-protocol IPSec l2tp-ipsec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Audiology_VPN_splitTunnelAcl
default-domain value audiology
webvpn
  svc ask none default svc
group-policy vpnphone internal
group-policy vpnphone attributes
dns-server value 192.168.0.240
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain value audiology.org
address-pools value vpnippool
group-policy clientgroup internal
group-policy clientgroup attributes
dns-server value 192.168.0.240
vpn-tunnel-protocol IPSec l2tp-ipsec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value clientgroup_VPN_splitTunnelACL
address-pools value webpool
webvpn
  svc keep-installer installed
  svc ask none default svc
username ssandhu password seufOosICJUVacRN encrypted privilege 5
username ssandhu attributes
vpn-group-policy Audiology_VPN
username ccarey password hkzviXSwo/dzb7dz encrypted privilege 5
username ccarey attributes
vpn-group-policy Audiology_VPN
username ssebastian password cRTSAQvSR1uUboYQ encrypted privilege 5
username ssebastian attributes
vpn-group-policy Audiology_VPN
username ssullivan password Or36GnjdWqlUJJRu encrypted privilege 5
username ssullivan attributes
vpn-group-policy Audiology_VPN
username deba password XUd41fq/C/TjFgfj encrypted privilege 5
username deba attributes
vpn-group-policy vpnphone
vpn-tunnel-protocol IPSec
username edwards password VMXSNPSW0HV4O0cv encrypted privilege 5
username edwards attributes
vpn-group-policy Audiology_VPN
username rsifuentes password aqJUgnzg.dfA8o9z encrypted privilege 5
username rsifuentes attributes
vpn-group-policy Audiology_VPN
username pazouqha password DU7z.RNPJKFsln2i encrypted privilege 5
username pazouqha attributes
vpn-group-policy Audiology_VPN
username aburke password /NPa1tiXBaGOUeG7 encrypted privilege 5
username aburke attributes
vpn-group-policy Audiology_VPN
username abenham password Ui/TXyR4iz.Nm2Oe encrypted privilege 6
username abenham attributes
vpn-group-policy Audiology_VPN
username cgallow password cxuXh2CnVa2e5tEm encrypted privilege 5
username cgallow attributes
vpn-group-policy Audiology_VPN
username lyonkers password 0GBHQTdxHCMx3HFC encrypted privilege 5
username lyonkers attributes
vpn-group-policy Audiology_VPN
username dabel password wLSkDun.YwKsAUJt encrypted privilege 5
username dabel attributes
vpn-group-policy Audiology_VPN
username kmurphy password IlNy9p4SMyv7T/Sc encrypted privilege 5
username kmurphy attributes
vpn-group-policy Audiology_VPN
username tbrazell password 05gnhCY2EWMXLG8A encrypted privilege 5
username tbrazell attributes
vpn-group-policy Audiology_VPN
username tconte password iRHacxgQVU.WcpEe encrypted privilege 5
username tconte attributes
vpn-group-policy Audiology_VPN
username sduty password Epb3K3ZfUSo9m04g encrypted privilege 5
username sduty attributes
vpn-group-policy Audiology_VPN
username kculver password L2v7uYSr3CyfUsWt encrypted privilege 5
username kculver attributes
vpn-group-policy Audiology_VPN
username meggano password 3/LzBzM.c3NO9PjK encrypted privilege 5
username meggano attributes
vpn-group-policy Audiology_VPN
username skelley password fLQvCBmxMLbGw02J encrypted privilege 5
username skelley attributes
vpn-group-policy Audiology_VPN
username bkana password cY7LQDRflLqXm18t encrypted privilege 15
username bkana attributes
vpn-group-policy Audiology_VPN
username kbrown password 7LuT1QL/7oAYbSs9 encrypted privilege 5
username kbrown attributes
vpn-group-policy Audiology_VPN
username kbudhathoki password xE1hvb6QKBkElha2 encrypted privilege 5
username kbudhathoki attributes
vpn-group-policy Audiology_VPN
username sotta password kWf0WtIQWWL/mFWH encrypted privilege 5
username sotta attributes
vpn-group-policy Audiology_VPN
username amiedema password mGKqpTC.fdKmd5ns encrypted privilege 5
username amiedema attributes
vpn-group-policy Audiology_VPN
username nbisbee password l3kVh/oSMNR7I5Q2 encrypted privilege 5
username nbisbee attributes
vpn-group-policy Audiology_VPN
username marco password MPVAtQgiWJ9tqgGc encrypted privilege 5
username marco attributes
vpn-group-policy clientgroup
username jwilson password yhQDuki0An31.NuN encrypted privilege 5
username jwilson attributes
vpn-group-policy Audiology_VPN
username msinden password 2ZsWE7kvAK/kGB2m encrypted privilege 5
username msinden attributes
vpn-group-policy Audiology_VPN
username mbovo password /eF0H3C5G4uTJRmw encrypted privilege 5
username mbovo attributes
vpn-group-policy Audiology_VPN
username kthomas password uRkdY0JH8UEfiNcr encrypted privilege 5
username kthomas attributes
vpn-group-policy Audiology_VPN
tunnel-group DefaultRAGroup general-attributes
default-group-policy Audiology_VPN
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool AAAPOOL
tunnel-group Audiology_VPN type remote-access
tunnel-group Audiology_VPN general-attributes
address-pool AAAPOOL
default-group-policy Audiology_VPN
tunnel-group Audiology_VPN ipsec-attributes
pre-shared-key *****
tunnel-group Audiology_VPN ppp-attributes
authentication ms-chap-v2
tunnel-group vpnphone type remote-access
tunnel-group vpnphone general-attributes
address-pool vpnippool
default-group-policy vpnphone
tunnel-group vpnphone ipsec-attributes
pre-shared-key *****
tunnel-group vpnphone ppp-attributes
authentication ms-chap-v2
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient enable
tunnel-group webgroup type remote-access
tunnel-group webgroup general-attributes
address-pool webpool
default-group-policy clientgroup
tunnel-group webgroup webvpn-attributes
group-alias webgroup_users enable
tunnel-group webgroup ipsec-attributes
pre-shared-key *****
tunnel-group-map default-group DefaultL2LGroup
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 1024
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect icmp
  inspect pptp
  inspect ip-options
policy-map asa_global_fw_policy
class inspection_default
  inspect ftp
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command uauth
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:c76168fa7f31fdfea11dff4130e5f7af
: end

Accepted Solution

Good morning, hope you had a good weekend. Were you able to find out from the ISP how they have the branch office router set up? What is the default gateway on the branch office router? Is it pointing to the ASA, 192.168.0.1? How is that router reaching the 192.168.0.0/24 network, per the ISP?

16 Replies

ALIAOF_ (Level 6)

Yeah, I have done a similar setup a couple of times before and I simply connected the ISP router to my switch. All traffic from both sites was then going through the firewall out to the net.

Yes, that's what I've done. However, the people on the other end (branch office) can't access the internet or any resources on the main network (192.168.0.1) and I'm assuming it still has something to do with my ASA. The switch that I connected them to is a simple Netgear FSM726, which I don't believe can do static routing. I have heard of the problem where the remote network hosts had their GW set to the ASA, which in my case they don't; they are properly set to use the GW of the remote router (192.168.1.225). Do you have any other insight after looking at my config?

Thanks for responding Ali.

Ok let me try to visualize this, you have:

Site A(Main Site) 192.168.0.0/24

ISP MPLS Router with an IP of 192.168.0.225

fa0/0 --> ASA's Outside Interface

fa0/1 --> ********** This should go to the switch ***********

ASA = 192.168.0.1 (Default gateway 192.168.0.225 which is ISP's MPLS router)

Site B (Branch) 192.168.1.0/24

ISP MPLS Router with an IP of 192.168.1.225

fa0/0 ?

fa0/1 ?

- So I'm assuming the router at Site A is also providing you with internet access as well so fa0/0 should go into the ASA's outside interface which is fine.

- fa0/1 can go into the ASA or switch, but you said when you connect fa0/1 to the switch branch office can't access any resources and internet.  But the IP phones work.  Are these IP phones internet based or do they have a local server etc?

- Can you ping 192.168.1.225(Site B) from Site A, either from a computer or ASA (ping inside 192.168.1.225)?

- Which ports on the router at Site A have the Internet and MPLS connection coming in on?

Site A (Main site) 192.168.0.0 (yes)

ISP MPLS Router with an IP of 192.168.0.225 (yes, but that IP is on port 0/1 and of course 0/0 is going to the ASA)

fa0/0 --> ASA's Outside Interface (yes)

fa0/1 --> ********** This should go to the switch *********** (Yes, it does, to a simple Netgear FSM726 switch)

ASA = 192.168.0.1 (Default gateway 192.168.0.225 which is ISP's MPLS router) (No, the ASA's 0/1 is indeed 192.168.0.1; the 192.168.0.225 is assigned to the 0/1 port on the ISP router.) I don't use that default gateway. I have that connected right to the switch.

Site B (Branch) 192.168.1.0/24 (yes)

ISP MPLS Router with an IP of 192.168.1.225 (Yes, but I believe it's a simple router with the WAN connection to the circuit and a gateway of 192.168.1.225). I'm assuming they have routes setup on the WAN side so that 192.168.1.225 can reach me.

So I'm assuming the router at Site A is also providing you with internet access as well so fa0/0 should go into the ASA's outside interface which is fine. (yes)

fa0/1 can go into the ASA or switch, but you said when you connect fa0/1 to the switch branch office can't access any resources and internet. But the IP phones work. Are these IP phones internet based or do they have a local server etc.? - If I connect 0/1 from the router to my ASA or the switch, the IP phones work. The phones connect to a server here and my Avaya IP Office.

I can ping the 192.168.1.225 and other hosts at 192.168.1.0 from the ASA only!

Internet comes in on 0/0. The 0/1 is 192.168.0.225 - which I was told should be used to connect the branch office.

What is the default gateway on your computers and servers? So the branch office can reach the Avaya devices at the main site at least?

ISP MPLS Router with an IP of 192.168.1.225

(Yes, but I believe it's a simple router with the WAN connection to the circuit and a gateway of 192.168.1.225). I'm assuming they have routes setup on the WAN side so that 192.168.1.225 can reach me.

So the IP of the router is 192.168.1.225 and the default gateway is also 192.168.1.225? 

The default gateway is 192.168.0.1 (Main office) and 192.168.1.225 at the branch office. I'm going to have to contact the ISP and verify the IP addressing of the router at the branch office.

Good morning, hope you had a good weekend. Were you able to find out from the ISP how they have the branch office router set up? What is the default gateway on the branch office router? Is it pointing to the ASA, 192.168.0.1? How is that router reaching the 192.168.0.0/24 network, per the ISP?

Good morning Ali,

Hope you had a nice weekend as well. I have placed a trouble ticket with my ISP to verify all the routes but they haven't gotten back to me yet. I don't know what the GW address is of the branch office router. I can only assume it's using my ASA's 0/1 which is 192.168.0.1. Is this how it should be? If that's the case, that would mean the branch office should be able to access the internet, correct? Also, I'm assuming the branch office clients have their GW set to the inside interface of the branch office router (192.168.1.225), correct? It is bad practice to set the remote clients to use the ASA as their GW, right?

And, there would also have to be a route on the MPLS router here for it's 0/1 (192.168.0.225) pointing back to the branch office (192.168.1.0) via the branch office's gateway 192.168.1.225), right?

Sorry for all the questions, I just want to make sure I have all my ducks in a row.

Also, should there be 2 routes setup, one on the branch office router and one on the internal router here at the main office. If there going across the MPLS, I would think that 1 would suffice.

(ip route 192.168.1.0 255.255.255.0 192.168.0.225 192.168.0.225) -

Sorry for the late reply; I'm hoping that you were able to resolve this issue. Looks like you already have a route at your main office, so your branch office router needs a route too so that it knows how to get to the 192.168.0.0/24 network.

Sorry for the late response. Well, my ISP told me there was already a route setup on the branch office, which I still question. However, I was able to set persistent routes (via the route add statement) on the servers at the main office so that the branch office clients could access email, file svr, etc. I know this isn't the best solution, but it works for now. The only remaining item is internet access, for which I have submitted a work order through my ISP.

Also, I just received an HP V1910 switch which can do L3 type switching and after some research it looks like I can simply connect right from the 0/1 port on the MPLS router to the HP and configure a static route to the 192.168.1.0 network (Branch office). Does this sound like a better option? This should eliminate the need for any route statements on the servers or clients in the branch office, correct?
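A way to see why the persistent routes on the servers made the difference, as an added example that is not part of this thread: the script below models the forward and return paths using the addresses from the posts (branch host 192.168.1.100 behind 192.168.1.225, the ISP router's 0/1 at 192.168.0.225 on the same segment as the servers, the ASA at 192.168.0.1 with its `route inside 192.168.1.0 255.255.255.0 192.168.0.225`). The per-device routing tables are my reconstruction of what the posts imply, not something the thread shows. With the servers' default gateway set to the ASA, a request from the branch reaches a server directly via the MPLS router, but the reply goes to the ASA, which can forward it back out the inside interface (the config's `same-security-traffic permit intra-interface` allows that) yet drops it because it never saw the SYN that opened the connection. A branch route on each server (on Windows, assumed here, `route -p add 192.168.1.0 mask 255.255.255.0 192.168.0.225`), or an L3 switch acting as the servers' gateway with that route, keeps both directions off the ASA.

```python
"""Model of the branch <-> main-office paths described in the thread.

Added example, not code from the thread.  Addresses come from the posts;
each device's routing table below is my assumption of what the posts imply.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Node:
    name: str
    addr: str
    # (network, next-hop node name); "local" means directly connected
    routes: list


def lookup(node: Node, dst: str):
    """Longest-prefix match over one node's table; returns the next hop or None."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for net, nh in node.routes:
        n = ipaddress.ip_network(net)
        if dst_ip in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, nh)
    return best[1] if best else None


def trace(nodes: dict, src: str, dst: str, max_hops: int = 8) -> list:
    """Names of the nodes a packet from node `src` to address `dst` passes through."""
    by_addr = {n.addr: n.name for n in nodes.values()}
    path, cur = [src], nodes[src]
    for _ in range(max_hops):
        nh = lookup(cur, dst)
        if nh is None:
            raise RuntimeError(f"{cur.name}: no route to {dst}")
        if nh == "local":
            path.append(by_addr[dst])
            return path
        path.append(nh)
        cur = nodes[nh]
    raise RuntimeError("hop limit exceeded")


def stateful_verdict(fwd: list, rev: list, fw: str = "asa") -> str:
    """A stateful firewall accepts a reply only for a connection it saw open.
    If it sits on the return path but not the forward path, the SYN/ACK
    arrives with no matching connection entry and is dropped."""
    if fw in rev and fw not in fwd:
        return "DROP"
    return "PASS"


def build_topology(server_has_branch_route: bool) -> dict:
    """Assumed tables.  The MPLS router's 0/1 (192.168.0.225) and the ASA inside
    interface (192.168.0.1) share the 192.168.0.0/24 segment with the servers."""
    nodes = [
        Node("branch_host", "192.168.1.100", [("0.0.0.0/0", "branch_rtr")]),
        Node("branch_rtr", "192.168.1.225",
             [("192.168.1.0/24", "local"), ("192.168.0.0/24", "mpls_rtr")]),
        Node("mpls_rtr", "192.168.0.225",
             [("192.168.0.0/24", "local"), ("192.168.1.0/24", "branch_rtr")]),
        # ASA: "route inside 192.168.1.0 255.255.255.0 192.168.0.225" from the config
        Node("asa", "192.168.0.1",
             [("192.168.0.0/24", "local"), ("192.168.1.0/24", "mpls_rtr")]),
        # server with the ASA as its default gateway
        Node("server", "192.168.0.8",
             [("192.168.0.0/24", "local"), ("0.0.0.0/0", "asa")]),
    ]
    if server_has_branch_route:
        # assumed Windows equivalent: route -p add 192.168.1.0 mask 255.255.255.0 192.168.0.225
        nodes[-1].routes.append(("192.168.1.0/24", "mpls_rtr"))
    return {n.name: n for n in nodes}


def check(server_has_branch_route: bool) -> tuple:
    """Forward path, return path and the ASA's verdict for a branch-to-server connection."""
    nodes = build_topology(server_has_branch_route)
    fwd = trace(nodes, "branch_host", "192.168.0.8")
    rev = trace(nodes, "server", "192.168.1.100")
    return fwd, rev, stateful_verdict(fwd, rev)


if __name__ == "__main__":
    for fixed in (False, True):
        fwd, rev, verdict = check(fixed)
        print("server has branch route:", fixed)
        print("  request:", " -> ".join(fwd))
        print("  reply:  ", " -> ".join(rev))
        print("  ASA verdict:", verdict)
```

On the ASA itself the symptom of the first case is a stream of `%ASA-6-106015: Deny TCP (no connection)` messages with SYN ACK flags for the server-to-branch direction; `show logging | include 106015` while a branch client tries to connect confirms it. The same check applies to any design where an internal router sits on the firewall's inside segment: either every host gets a route for the remote subnet, or a routing device, not the firewall, is the hosts' gateway.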

Well, I installed the HP 1910 switch and added a route (192.168.0.1 MASK 255.255.255.0 192.168.0.225) and nothing. I can't even ping other devices on the 192.168.0.0 network unless I have specifically set up routes on those hosts. Is there anything special other than setting up the route on the switch that I should be doing?

Can your ISP share the branch office router configuration with you? Or at least how they have the route set up? You mentioned that servers from 192.168.1.0/24 can reach 192.168.0.0/24 when you set up a persistent route. So what persistent route are you setting up on the servers? Can you post the line?

About the HP switch honestly I have never worked with them.  I know on the L3 router if you want to use it in L3 mode you'll have to enable routing on it.  For instance for a Cisco you'll do it like this for starters:

conf t
!
ip routing

Oh and that route you added, "(192.168.0.1 MASK 255.255.255.0 192.168.0.225)".  Edit it like this 192.168.0.0 255.255.255.0 192.168.0.225
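A small checker for the static routes that came up in this thread, as an added example that is not part of the thread: it takes each destination/mask/next-hop triple as typed in the posts (the ASA's `route inside` line, the route as quoted in the question, and the HP switch route before and after the correction above) and reports what would stop it from carrying traffic to the branch hosts 192.168.1.96-100. The checks (network versus host address, next hop on the connected subnet, destination not inside the local subnet, coverage of the branch hosts) are mine and apply to any static route, not only these.

```python
"""Static-route sanity checks for the branch-office routes in this thread.

Added example, not code from the thread.  The addresses are the thread's;
the checks are mine and are generic to any static route.
"""
import ipaddress

MAIN_OFFICE = ipaddress.ip_network("192.168.0.0/24")   # connected subnet at the main office
BRANCH_HOSTS = ["192.168.1.96", "192.168.1.100"]       # client range quoted in the question


def check_route(dest: str, mask: str, next_hop: str,
                connected: ipaddress.IPv4Network = MAIN_OFFICE) -> list:
    """Return the problems with one static route; an empty list means it can
    carry traffic from the main office to the branch hosts."""
    problems = []
    try:
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=True)
    except ValueError:
        # host bits set: a device may reject the line or silently install the
        # enclosing network, which is rarely what was intended
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        problems.append(f"{dest} {mask} is a host address, not a network "
                        f"(the enclosing network is {net})")
    if ipaddress.ip_address(next_hop) not in connected:
        problems.append(f"next hop {next_hop} is not on the connected subnet {connected}")
    if net.subnet_of(connected):
        problems.append(f"{net} lies inside the local subnet {connected}; "
                        "it adds nothing for reaching the branch")
    missed = [h for h in BRANCH_HOSTS if ipaddress.ip_address(h) not in net]
    if missed:
        problems.append(f"{net} does not cover branch hosts {missed}")
    return problems


# Routes as they appear in the thread: (destination, mask, next hop)
CANDIDATES = {
    "ASA running-config 'route inside'": ("192.168.1.0", "255.255.255.0", "192.168.0.225"),
    "route as quoted in the question": ("192.168.1.0", "255.255.255.255", "192.168.0.225"),
    "HP switch route as first typed": ("192.168.0.1", "255.255.255.0", "192.168.0.225"),
    "HP switch route after correction": ("192.168.0.0", "255.255.255.0", "192.168.0.225"),
}


def audit(candidates: dict = CANDIDATES) -> dict:
    """Map each candidate route to its list of problems."""
    return {name: check_route(*route) for name, route in candidates.items()}


if __name__ == "__main__":
    for name, problems in audit().items():
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print("   -", p)
```

Only the ASA's own line passes all four checks; a /32 mask covers a single address rather than the branch clients, and a destination inside 192.168.0.0/24 (whether typed as the .1 host or the .0 network) describes the switch's own segment rather than a path to 192.168.1.0/24.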

Turns out it was an error in the configuration (routes) on one of the routers owned by the ISP, which they have corrected. O
