cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
999
Views
0
Helpful
5
Replies

ASA Routing problems?

vlatko.runchev
Level 1
Level 1

Hi there,

i have a problem with Routing on ASA 5505.

Here is a brief explanation of the topology:

DC Upstream IP: 77.246.165.141/30

ASA 5505 Upstream to DC IP: 77.246.165.142/30

Interface outside.

There is a Cisco Switch connected to one of ASA Ethernet ports, forming Public/DMZ VLAN.

ASA 5505 Public VLAN interface ip: 31.24.36.1/26

Cisco 3750 Public VLAN interface ip: 31.24.36.62, default gateway: 31.24.36.1, IP Routing enabled on Switch.

From the Cisco Switch I can access the Internet with source ip: 31.24.36.62.

Now I have asked from DC additional subnet: 31.24.36.192/26 and they have it routed correctly towards the ASA Outside interface ip: 77.246.165.142.

I have created additional Public2 VLAN on the Switch with IP address of: 31.24.36.193/26.

On the ASA 5505 i added the route to this Public2 VLAN:

#route public 31.24.36.192 255.255.255.192 31.24.36.62 1

Now the problem is that from the Switch with Source IP: 31.24.36.193 i can ping ASA 5505 Public VLAN IP: 31.24.36.1 so the routing between subnets 31.24.36.0/26 and 31.24.36.192/26 is working OK on both the ASA 5505 and the Switch.

But I can't access the Internet from the Switch with Source IP: 31.24.36.193.

5 Replies 5

mvsheik123
Level 7
Level 7

Hi.

Any NAT/PAT related config missed on ASA for the new Subnet?

Post the sanitized configs from ASA & Switch.

Thx

MS

Julio Carvajal
VIP Alumni
VIP Alumni

Hello Vladimir,

What version are you running, I do not think you have any NAT as you are already playing with a public range.

Do you have any ACL applied to the public interface on the ASA?

Can you place here the Configuration from both devices?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

vlatko.runchev
Level 1
Level 1

Thanks for the replies.

I am running:

Cisco Adaptive Security Appliance Software Version 8.2(2)

As for NAT configuration, there is NAT configured between the Outside Interface IP and the Internal Subnet:

global (outside) 1 interface

nat (inside) 1 192.168.X.0 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0

also there is NAT exemption configured because of the Site-to-Site IPSec VPN that we have:

nat (inside) 0 access-list inside_nat0_outbound1

access-list inside_nat0_outbound1 extended permit ip any 192.168.X.0 255.255.255.0

access-list inside_nat0_outbound1 extended permit ip 192.168.X.0 255.255.255.0 OtherSiteLAN 255.255.255.0

access-list inside_nat0_outbound1 extended permit ip any 192.168.X.240 255.255.255.248

access-list inside_nat0_outbound1 extended permit ip 192.168.X.0 255.255.255.128 OtherSiteLAN 255.255.255.0

I don't have any ACL configured on the Public interface in any direction.

Here is the configuration on the Switch regarding this scenario:

!

interface FastEthernet2/0/X

description Access Port for Public Subnet(31.24.32.0/26) to ASA

switchport access vlan 500

switchport mode access

!

interface Vlan500

description Public VLAN 1

ip address 31.24.36.62 255.255.255.192

!

interface Vlan510

description Public VLAN 2

ip address 31.24.36.193 255.255.255.192

!

ip route 0.0.0.0 0.0.0.0 31.24.36.1

Here is the output when pinging the ASA Public Interface IP with source IP address of: 31.24.36.193(VLAN 510)

SWITCH#ping 31.24.36.1 source vlan 510

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 31.24.36.1, timeout is 2 seconds:

Packet sent with a source address of 31.24.36.193

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms

And here is when I try to ping some Internet host:

SWITCH#ping 8.8.8.8 source vlan 510

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:

Packet sent with a source address of 31.24.36.193

.....

Success rate is 0 percent (0/5)

Hello Vladimir,

Can you add the following command.

fixup protocol icmp and provide us the result

If this does not work I would like to check the entire config of both devices

rate all the answers, that is more important for us that a thanks

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

vlatko.runchev
Level 1
Level 1

Hello,

sorry for the late response...

The command:

fixup protocol icmp also didn't solved the problem.

Can this have anything related to the Base licence, that this device is having and it's 3 VLAN limitation?

I have configured:      

interface Vlan500

no forward interface Vlan1 <--Private VLAN

Review Cisco Networking for a $25 gift card