ASA communication from many inside to many outside

moussa.malqui1
Level 1

Hi all,

How can I make interface VLAN2 (GigabitEthernet0/1.1) communicate with interface tcvpn (GigabitEthernet0/4.1), and interface VLAN3 (GigabitEthernet0/1.2) communicate with interface cacvpn (GigabitEthernet0/4.2)? When I put "route tcvpn 10.240.20.0 255.255.255.0 10.30.60.1" or "route cacvpn 10.240.30.0 255.255.255.0 10.30.70.1" I get the error that this interface is directly connected, but when I put "route tcvpn 0 0 10.240.20.1" I get communication between interface VLAN2 (GigabitEthernet0/1.1) and interface tcvpn (GigabitEthernet0/4.1), and when I try to put "route cacvpn 0 0 10.240.30.1" to get communication between interface VLAN3 (GigabitEthernet0/1.2) and cacvpn (GigabitEthernet0/4.2) I get "this route already exists".

So what is the solution to put many "route interface 0 0 adrs_IP" to get communication from many inside interfaces to many outside interfaces, or is there another possibility to solve that?

This is my configuration:

ASA Version 9.2(2)4
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 192.168.0.100 255.255.255.0
!
interface GigabitEthernet0/1
duplex full
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.1
vlan 2
nameif VLAN2
security-level 100
ip address 10.30.60.1 255.255.255.0
!
interface GigabitEthernet0/1.2
vlan 3
nameif VLAN3
security-level 100
ip address 10.30.70.1 255.255.255.0
!
interface GigabitEthernet0/1.3
vlan 5
nameif VLAN5
security-level 100
ip address 10.30.100.1 255.255.255.0
!
interface GigabitEthernet0/1.4
vlan 6
nameif VLAN6
security-level 100
ip address 10.30.110.1 255.255.255.0
!
interface GigabitEthernet0/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2.1
vlan 9
nameif TCDMZ
security-level 50
ip address 192.168.60.254 255.255.255.0
!
interface GigabitEthernet0/2.2
vlan 10
nameif CACDMZ
security-level 50
ip address 192.168.70.254 255.255.255.0
!
interface GigabitEthernet0/2.3
vlan 11
nameif TFDMZ
security-level 50
no ip address
!
interface GigabitEthernet0/2.4
vlan 12
nameif TPIDMZ
security-level 50
no ip address
!
interface GigabitEthernet0/3
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4.1
vlan 17
nameif tcvpn
security-level 0
ip address 10.240.20.254 255.255.255.0
!
interface GigabitEthernet0/4.2
vlan 18
nameif cacvpn
security-level 0
ip address 10.240.30.254 255.255.255.0
!
interface GigabitEthernet0/4.3
vlan 19
nameif tfcsvpn
security-level 0
ip address 10.250.139.254 255.255.255.0
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa922-4-smp-k8.bin
ftp mode passive
object network inside-tc
subnet 10.30.60.0 255.255.255.0
object network inside-cac
subnet 10.30.70.0 255.255.255.0
object network dmz-tc
subnet 192.168.60.0 255.255.255.0
object network dmz-cac
subnet 192.168.70.0 255.255.255.0
object network tc-vpn
subnet 10.30.60.0 255.255.255.0
object network cac-vpn
subnet 10.30.70.0 255.255.255.0
object network inside-tpi
subnet 10.30.100.0 255.255.255.0
object network inside-tf
subnet 10.30.110.0 255.255.255.0
object network tpi-vpn
subnet 10.30.100.0 255.255.255.0
object network tf-vpn
subnet 10.30.110.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu VLAN2 1500
mtu VLAN3 1500
mtu TCDMZ 1500
mtu CACDMZ 1500
mtu TFDMZ 1500
mtu TPIDMZ 1500
mtu tcvpn 1500
mtu cacvpn 1500
mtu tfcsvpn 1500
mtu VLAN5 1500
mtu management 1500
mtu VLAN6 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-7221.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network inside-tc
nat (VLAN2,outside) dynamic interface
object network inside-cac
nat (VLAN3,outside) dynamic interface
object network dmz-tc
nat (TCDMZ,outside) dynamic interface
object network dmz-cac
nat (CACDMZ,outside) dynamic interface
object network tc-vpn
nat (VLAN2,tcvpn) dynamic interface
object network cac-vpn
nat (VLAN3,cacvpn) dynamic interface
object network inside-tpi
nat (VLAN5,outside) dynamic interface
object network inside-tf
nat (VLAN6,outside) dynamic interface
object network tpi-vpn
nat (VLAN5,tfcsvpn) dynamic interface
object network tf-vpn
nat (VLAN6,tfcsvpn) dynamic interface
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
username admin password 9UXn7hOsRRC8SKFP encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:9259d0aa6e5fcca1e2c0c893607c0a8d
: end

Thanks in advance,

Regards,

MM

7 Replies

Is this a lab? Why do you have dynamic NAT between all your LAN interfaces? The only dynamic NAT you should have is between your LAN interfaces and the outside interface (the internet-facing interface). No NAT is needed between the LAN interfaces.

You do not need routes to route traffic to subnets that are directly connected to the ASA.

Run a packet-tracer to find out what is stopping the packet in the firewall.

--

Please remember to select a correct answer and rate helpful posts

These are not LAN interfaces; they are VPN link interfaces (tcvpn, cacvpn) to a router in my LAN and to the outside (internet), but without a default route I don't get access to the VPN applications. This is my architecture: I have sub-interfaces for VPN and sub-interfaces for LAN (VLAN).

You do not need default routes out each interface. The reason you don't have reachability is that the ASA does not have routes to the remote destinations pointing out the correct interfaces. So what you need to do is add static routes for all the subnets and point them out the correct interfaces.

So, for example, for subnets A and B:

route INTERFACE1 A.A.A.0 255.255.255.0 <INTERFACE1 next hop IP>

route INTERFACE2 B.B.B.0 255.255.255.0 <INTERFACE2 next hop IP>

--

Please remember to select a correct answer and rate helpful posts

Thanks Marius. In my architecture I have 2 hops. What routes should I configure? My architecture is as follows:

Regards,

MM

Could you run a packet-tracer:

packet-tracer input VLAN2 tcp 10.30.60.10 12345 10.240.1.10 80 detail

Also, can you try to ping 10.240.20.1 from a host on VLAN2?

If both of these are successful, then your issue is routing.

--

Please remember to select a correct answer and rate helpful posts

Thanks Marius. What routes should I put in my case?

route tcvpn 10.240.1.0 255.255.255.0 10.240.20.1

Is this route sufficient, or should I add the route:

route tcvpn 10.240.145.0 255.255.255.0 10.240.20.1

Regards,

MM

route tcvpn 10.240.1.0 255.255.255.0 10.240.20.1

This route is sufficient. The other route is not needed.

--

Please remember to select a correct answer and rate helpful posts
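Worked example added to this thread (not the poster's configuration and not Cisco code): a small Python model of the static-route behaviour the replies describe. It takes the interface addresses from the posted running configuration, reproduces the two rejections reported in the question (a route whose destination is a directly connected subnet, and a second default route when one already exists on outside), and then applies the per-subnet static routes the later replies recommend and resolves a few destinations with longest-prefix match, which is what the routing phase of the suggested packet-tracer would report. The tcvpn route is the one from the final answer; the cacvpn remote subnet (10.240.2.0/24 via 10.240.30.1) is an assumption, since the thread never names it. The model is deliberately simplified: one route per prefix, no metrics, no ECMP, and the "next hop must be on the egress interface's subnet" check is the author's own addition rather than something the thread states.

```python
"""Model of the ASA static-route checks discussed in this thread.

Added example: the interface table is copied from the posted 'show run';
the cacvpn remote subnet used below is ASSUMED, not taken from the thread.
"""
import ipaddress

# nameif -> address/mask, copied from the posted configuration.
INTERFACES = {
    "outside": ipaddress.ip_interface("192.168.0.100/255.255.255.0"),
    "VLAN2": ipaddress.ip_interface("10.30.60.1/255.255.255.0"),
    "VLAN3": ipaddress.ip_interface("10.30.70.1/255.255.255.0"),
    "tcvpn": ipaddress.ip_interface("10.240.20.254/255.255.255.0"),
    "cacvpn": ipaddress.ip_interface("10.240.30.254/255.255.255.0"),
}


class RouteError(ValueError):
    """Raised where the ASA CLI rejected the command in the thread."""


class RouteTable:
    """Simplified ASA static routing: one route per prefix, no ECMP, no metrics."""

    def __init__(self, interfaces):
        self.ifaces = interfaces
        self.routes = []  # (network, nameif, gateway)

    def add(self, cmd):
        """Apply 'route <nameif> <net> <mask> <gateway> [metric]'."""
        parts = cmd.split()
        if len(parts) < 5 or parts[0] != "route":
            raise RouteError(f"malformed command: {cmd!r}")
        nameif, net, mask, gw = parts[1:5]
        if nameif not in self.ifaces:
            raise RouteError(f"unknown interface {nameif}")
        if net == "0" and mask == "0":  # ASA shorthand for the default route
            net, mask = "0.0.0.0", "0.0.0.0"
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        gateway = ipaddress.ip_address(gw)
        # Error 1 seen in the thread: the destination is a connected subnet.
        for name, addr in self.ifaces.items():
            if network == addr.network:
                raise RouteError(f"{network} is directly connected ({name})")
        # Error 2 seen in the thread: a route for this prefix already exists
        # (a second default route on another interface collides with the first).
        for existing, _, _ in self.routes:
            if existing == network:
                raise RouteError(f"route for {network} already exists")
        # Assumed check (not from the thread): next hop must sit on the egress subnet.
        if gateway not in self.ifaces[nameif].network:
            raise RouteError(f"gateway {gateway} is not on {nameif}")
        self.routes.append((network, nameif, gateway))

    def lookup(self, dst):
        """Longest-prefix match over connected subnets and static routes.

        Returns (nameif, next_hop); next_hop is None for connected subnets.
        Returns None when nothing matches (no default route configured).
        """
        dst = ipaddress.ip_address(dst)
        candidates = [(a.network, n, None) for n, a in self.ifaces.items()]
        candidates += self.routes
        matches = [c for c in candidates if dst in c[0]]
        if not matches:
            return None
        network, nameif, gw = max(matches, key=lambda c: c[0].prefixlen)
        return (nameif, None if gw is None else str(gw))


def apply_routes(cmds, interfaces=INTERFACES):
    """Apply commands in order; return the table and {cmd: 'ok' | error text}."""
    table = RouteTable(interfaces)
    outcome = {}
    for cmd in cmds:
        try:
            table.add(cmd)
            outcome[cmd] = "ok"
        except RouteError as err:
            outcome[cmd] = str(err)
    return table, outcome


# The commands reported in the question, applied after the existing outside default.
POSTED_ATTEMPTS = [
    "route outside 0.0.0.0 0.0.0.0 192.168.0.1 1",
    "route tcvpn 10.240.20.0 255.255.255.0 10.30.60.1",
    "route cacvpn 10.240.30.0 255.255.255.0 10.30.70.1",
    "route tcvpn 0 0 10.240.20.1",
    "route cacvpn 0 0 10.240.30.1",
]

# Per-subnet statics as the replies recommend. The tcvpn route is the one
# from the thread's final answer; the cacvpn remote subnet 10.240.2.0/24 is ASSUMED.
RECOMMENDED = [
    "route outside 0.0.0.0 0.0.0.0 192.168.0.1 1",
    "route tcvpn 10.240.1.0 255.255.255.0 10.240.20.1",
    "route cacvpn 10.240.2.0 255.255.255.0 10.240.30.1",
]

if __name__ == "__main__":
    _, outcome = apply_routes(POSTED_ATTEMPTS)
    for cmd, result in outcome.items():
        print(f"{result:45} <- {cmd}")
    table, _ = apply_routes(RECOMMENDED)
    for dst in ("10.240.1.10", "10.240.20.1", "8.8.8.8"):
        print(dst, "->", table.lookup(dst))
```

Running the script shows the two connected-subnet routes and both extra default routes rejected, while the per-subnet plan is accepted and sends 10.240.1.10 (the destination used in the suggested packet-tracer) out tcvpn via 10.240.20.1, with everything unmatched still falling to the outside default. On the real ASA, `show route` and `packet-tracer input VLAN2 tcp 10.30.60.10 12345 10.240.1.10 80 detail` are the checks that confirm the same result.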