ASA 5505 to allow 2nd network segment through mpls

Dennis Newman
Level 1

I have been having a heck of a time trying to configure my 5505 to allow the second segment on my network to use the internet.

Office 1 has a fiber internet connection, and all traffic flows fine.

Office 2 had gotten its internet from AT&T, via a network based firewall injecting a default route into the MPLS cloud.

Both offices communicate with each other through the MPLS.

When we added the fiber to office 1, we had the MPLS people change the default internet route to the inside address of the 5505 and things worked fine.

When AT&T attempted to remove the NBF default route, and inject the 5505's address as default, things didn't go so well.

AT&T claims that it is within my NAT commands on the 5505, but won't tell me anything else. I assume that they are correct, and I assume that I am not good enough with the 5505 ASDM to tell it what to do.

Office 1 uses 10.10.30.xx addresses and Office 2 uses 10.10.10.xx. The 5505 inside interface is 10.10.30.2; the internal interfaces of the MPLS are 10.10.30.1 and 10.10.10.1.

I don't know what other information you would need, but am stuck here at Office 1 until I can get this working.

Thanks

21 Replies

Hi Dennis,

Have you yet tried to change the setup again with the ISP? Would be interested in hearing if you managed to get the 2 LAN network working through the ASA?

- Jouni

Tried with the suggested changes on Monday night. Internet connectivity from both offices was successful.

My NAT rules and ACLs seem to be off though, as none of the servers sitting in the WI office could be accessed via their "new" public IP addresses.

Hi,

So did you have to revert back to the old setup again?

Looking at your ASA configuration I can't really see the problem.

  • You confirmed that the WI office could now use the Internet, so we now know that routing should be fine between the WI LAN and the ASA
  • You have configured the Static NAT correctly
  • You have ACL rules attached to the "outside" interface. Whether the ACL rules are the correct ones I can't say.

The first place to look would naturally be the logs, to see if connections were getting to your ASA and if they were perhaps being torn down because of SYN Timeout or something similar.

It also seems that the public IP address space used is directly connected between the ASA and the ISP router, so it should already be in the routing of the ISP and I couldn't imagine why they wouldn't be reachable from the Internet. Or was there some rerouting of public IP addresses also involved?

It seems though that the old "inside" interface network mask was the problem with the WI Internet through the ASA originally, but there is still something more.

Could you please mark a reply as a correct answer since we solved the original problem of connectivity between the LANs. I see no problem with continuing trying to solve the problem with the servers also.

- Jouni

You can also use "packet-tracer" to test your configured rules for the servers.

Just to take one of the WI public IP addresses as an example:

packet-tracer input outside tcp 1.2.3.4 12345 12.227.190.163 80

The source IP 1.2.3.4 and source port 12345 are just random ones selected for the test.

I however don't see a problem with the configuration you provided originally related to the server Static NAT and ACLs.

- Jouni
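As an added illustration, not Dennis's posted configuration or anything from Jouni's replies, here is an ASA (8.3+ NAT syntax) fragment that puts the pieces this thread touches on side by side: a route to the second LAN segment via the MPLS router, a static NAT for one WI server, the outside ACL, and the packet-tracer check. The server's inside address (10.10.10.10), the object names and the 8.3+ syntax are assumptions; only the addresses named in the thread are taken from it.

```cisco
! Assumed: ASA running 8.3+ style NAT. Inside interface is 10.10.30.2 (from the thread).
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.30.2 255.255.255.0

! Without this route the ASA only knows 10.10.30.0/24 and cannot reply to
! Office 2 hosts. Next hop is the MPLS router's inside address from the thread.
route inside 10.10.10.0 255.255.255.0 10.10.30.1 1

! Second LAN segment, used for outbound PAT so Office 2 can reach the Internet.
object network WI-LAN
 subnet 10.10.10.0 255.255.255.0
 nat (inside,outside) dynamic interface

! One WI server: assumed inside host, public IP taken from Jouni's example.
object network WI-WEB-SERVER
 host 10.10.10.10
 nat (inside,outside) static 12.227.190.163

! Inbound ACL on "outside" must reference the REAL (inside) address post-8.3,
! which is why it is written against the object, not the public IP.
access-list outside_access_in extended permit tcp any object WI-WEB-SERVER eq www
access-group outside_access_in in interface outside

! Verification: simulate an Internet client hitting the public IP on port 80.
! Expect each phase (ROUTE-LOOKUP, ACCESS-LIST, NAT) to show ALLOW and the
! final "Action: allow"; a DROP names the phase to inspect.
packet-tracer input outside tcp 1.2.3.4 12345 12.227.190.163 80
```

If packet-tracer allows the flow but real clients still fail, `show logging | include 12.227.190.163` and `show xlate global 12.227.190.163` distinguish "traffic never reached the ASA" from "ASA dropped it".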

Had to revert back to the old setup as the email server and webserver currently reside in WI, so not correctly NATing them stops business flow. Simple answer is just bringing them out to PA, but that would mean more travel for me as my home base is in WI.

Thank you for your assistance.

Dennis

Hi,

I would imagine that there are public DNS names related to the case with the WI servers, as you mention that they are email and web servers.

Did the ISP handle the changes to the public DNS configurations when the public IP addresses of the servers changed?

I am not sure how long it will take before they are updated further on from the ISP.

Did you test the connectivity to the server purely using the new public IP addresses?

- Jouni

This is what I am pulling my hair out over: packet-tracer shows that everything should work.

I have been using the IP addresses instead of trusting DNS.

I think I am going to ask AT&T to try one more test tonight, with me running tests from outside of the network instead of inside. The last test showed me that the inside addresses connect to each other and internet connectivity works from both sites.

I'm wondering if Monday night's test was just a little quirky.

Dennis
