ASA 5510 8.0.5 Routing Question

Matt Hoak
Level 1

Our office has a number of remote employees that use ASA 5505 boxes to access resources and connect their IP phones to our office. These boxes all connect through a pair of redundant ASA 5510 firewalls. When we configure these 5505 boxes, we used to test them by connecting through a secondary circuit that we had set up. We have recently eliminated that circuit to help cut costs, so I am wondering if there is a way to set up one of my internal VLANs to have the correct access and route to my external gateway to allow us to test the ASA boxes. Thanks for the help.

4 Replies

Ryan Cigelske
Level 1

Good Afternoon!

It is likely that your remote locations contain the same configuration. I would take a previous configuration and apply it to the ASA you are getting ready to deploy. Given that you have the correct IP address and route outside set up, you should be able to reach the device using SSH to fix anything that is not working properly.

You will need to make sure:

1. Outside interface is set up properly

2. Route outside is correct

3. SSH is open to your IP address, or 0.0.0.0, which will open it up to everyone

4. Remember to generate an RSA key; it is required to be able to SSH to the firewall.

Hope this helps you out!

Cheers!

Ryan
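The four checks in the reply above, written out as an ASA configuration with the open SSH rule shown beside a restricted one. This is an added example, not part of the original reply: the addresses (RFC 5737 documentation ranges), the username and the password placeholder are constructed, and the port layout assumes the ASA 5505 factory default of Ethernet0/0 in VLAN 2 as the outside interface.

```cisco
! Constructed sample values:
!   198.51.100.0/29  outside subnet, 198.51.100.1 = upstream gateway
!   203.0.113.10     the one admin workstation allowed to SSH in
!
! 1. Outside interface
interface Ethernet0/0
 switchport access vlan 2
 no shutdown
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.248
 no shutdown
!
! 2. Default route via the outside interface
route outside 0.0.0.0 0.0.0.0 198.51.100.1
!
! 3. SSH on the outside interface
!    Weak: accepts SSH from any source address (left commented out)
!      ssh 0.0.0.0 0.0.0.0 outside
!    Restricted: a single management host
ssh 203.0.113.10 255.255.255.255 outside
ssh version 2
ssh timeout 5
!    Authenticate SSH logins against a local account
username asaadmin password <PLACEHOLDER-PASSWORD> privilege 15
aaa authentication ssh console LOCAL
!
! 4. RSA key pair (SSH will not accept connections without one)
crypto key generate rsa modulus 2048
!
! Checks after applying:
!   show run ssh                   -> only the management host is listed
!   show route                     -> default route points at 198.51.100.1
!   show crypto key mypubkey rsa   -> the key pair exists
```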

Perhaps I didn't explain my problem very well.  All of our remote ASAs are working fine.  The issue I have is I need to be able to test new ASA boxes before I send them out.  The only network I have available in our office now is the inside side of our ASA 5510, so I need to configure some kind of loopback so a 5505 connected from the inside will be able to reach the outside IP of the 5510.  I can obviously take them offsite to test, but that's a lot less convenient.  Thanks for the help.  

The ability to do this will depend on a few things:

1. Do you have available addresses that are on the same subnet as the outside interface? If you are only allocated 1 IP (your subnet mask is /30) then what I am suggesting is not possible.

2. You have 3 available ports on your switch, or are able to place a switch between the ASA and the ISP default gateway.

If you have this, then you could configure a new VLAN on the switch, place 3 ports in that new VLAN and then connect the ASA outside interface to one port and the ISP connection to the other port.  The 3rd port will be used for the ASA5505 test.

If you are not able to set it up this way, then there is no way of testing this from the office.  An option would be to take the ASA5505 home and test from there. Not the best option but doable.

--

Please remember to rate and select a correct answer

I am assuming that you are setting this up to test site2site VPN setups? Just for more info, the ASA is designed to not allow any connection across the ASA to another interface. You will only be able to create a connection to the ingress interface. You will not even be allowed to ping an interface that is not the ingress interface.
