ASA configuration for internal routing

cpartsenidis
Level 1

Hi everyone,

I've got an ASA5510 (10.0.0.1) which is the gateway for the internal network (10.0.0.0/24). In addition, I've got an additional local network (192.168.0.0/24) which I need to route my internal clients (10.0.0.0/24) to. The local gateway for the 192.168.0.0/24 network is 10.0.0.10, but my ASA device keeps dropping all connections to the 192.168.0.0 network.

I've configured the ASA with the following options:

route inside 192.168.0.0 255.255.255.0 10.0.0.10

access-list inside-access-in extended permit ip 10.0.0.0 255.255.255.0 any

access-list inside-access-in extended permit icmp 10.0.0.0 255.255.255.0 any

access-group inside-access-in in interface inside

I've also got my standard NAT commands, which I don't think are necessary to post.

My question is how can I force the ASA appliance to forward packets to the 192.168.0.0 network?

If any nat commands are required, please include them in your reply.

Many thanks.

16 Replies

As others have stated, the OP needs to upgrade to 7.2(x) or later.

The response to this thread has been great and I really appreciate the effort and time spent by everyone.

From what I conclude, Jorge, according to your test the scenario should work 'as is' without the need for additional commands.

However, Farrukh maintains that the 'intra-interface' command is required for my situation.

Unfortunately, I haven't got access to the equipment right now, so I can't try it, but I do remember that the scenario didn't work using the configuration I posted. If I remember correctly, the syslog messages said that my packets heading from the internal LAN 10.0.0.0 towards the 192.168.0.0 network were denied by the inside-access-in list:

access-list inside-access-in extended permit ip 10.0.0.0 255.255.255.0 any

access-list inside-access-in extended permit icmp 10.0.0.0 255.255.255.0 any

access-group inside-access-in in interface inside

All I was doing was trying to access a network share on a computer in the 192.168.0.0 network.

Closing, quoting Farrukh's recommendation:

'Please don't confuse the "same-security-traffic intra-interface" with the "inter-interface" command. In this scenario "intra-interface" will be required IF the firewall is the default gateway of the end hosts.' Yes, all internal 10.0.0.0 hosts do in fact have the ASA (10.0.0.1) as their gateway.

I sometimes fail to see why such 'simple' routing requirements can become such a big headache :)

Cheers guys,
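For a reader arriving with the same setup, the following is the complete configuration the thread converges on, written out as an added example; it is not the OP's posted config and not a config supplied by Farrukh or Jorge. It assumes a pre-8.3 ASA image (7.2 or 8.0 through 8.2, the range the thread points to), an inside interface at security level 100, the addresses from the question (ASA 10.0.0.1, second router 10.0.0.10, remote LAN 192.168.0.0/24), and, as illustration only, a client 10.0.0.50, a file server 192.168.0.20 and an exemption ACL named nonat.

```cisco
! Added example: inside-to-inside ("hairpin") routing on a pre-8.3 ASA image.
! Addresses are from the question; 10.0.0.50, 192.168.0.20 and the ACL name
! "nonat" are assumptions for this example.

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0

! The ASA is the hosts' default gateway, so packets for 192.168.0.0/24 arrive
! on "inside" and must leave on "inside". The ASA drops that by default;
! this single command is what allows it.
same-security-traffic permit intra-interface

! Next hop for the second LAN is the other router on the inside segment.
route inside 192.168.0.0 255.255.255.0 10.0.0.10

! Exempt the hairpinned flow from translation (pre-8.3 NAT syntax). With
! nat-control off (the default since 7.0) this is not strictly required, but
! it guarantees the flow never matches a dynamic NAT rule by accident.
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list nonat

! Inbound ACL on inside, as in the question. "permit ip ... any" already
! covers ICMP, so a separate icmp line adds nothing.
access-list inside-access-in extended permit ip 10.0.0.0 255.255.255.0 any
access-group inside-access-in in interface inside

! Verification from enable mode (simulates the SMB share access from the
! question; packet-tracer exists from 7.2 onwards):
!   show run same-security-traffic
!   show route | include 192.168.0.0
!   packet-tracer input inside tcp 10.0.0.50 1025 192.168.0.20 445
```

The packet-tracer output should end with "Action: allow" and show an egress interface of inside; an ACL drop or an "intra-interface" drop phase tells you which of the pieces above is missing. One caveat that this thread does not reach but a practitioner should check if it still fails: the return path. Because 10.0.0.10 sits on the same subnet as the clients, replies coming back from 192.168.0.0/24 can be delivered to the client directly without passing through the ASA, so the ASA sees only one direction of each TCP connection and drops the out-of-state packets (packet-tracer will not reveal this, since it only models the first packet). The clean fix is a route for 192.168.0.0/24 pointing at 10.0.0.10 on the clients themselves, which takes the firewall out of that path altogether.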
