2648 Views | 15 Helpful | 9 Replies

Connecting 2 different networks with 2 different ASA

michaeltownley7 (Level 1)

Greetings,

I am a beginner network hobbyist working with Cisco's equipment in Packet Tracer, and I am currently trying to connect 2 Cisco ASA firewalls together. My setup is simple: it consists of 2 main networks (technically 5 if you count the point-to-points; correct me if I'm wrong) with one computer and one router on each side, both with a firewall in the middle. My goal is just to be able to ping from PC0 to PC1. I have a basic understanding of ASA commands like creating ACLs, NATing and such, but I could not seem to make the ASAs communicate; regardless of what I did, the traffic refuses to go through the other firewall. So my question is how I would go about setting up something like this, and if there is any helpful information about standards and procedures you could give me along the way, that would be awesome.

Thank you, michaeltownley7

9 Replies

michaeltownley7 (Level 1)

As a note, the image I attached in the main post is a clean setup where I started from scratch; nothing was configured.

@michaeltownley7 I assume the ASAs themselves can communicate with each other?

For the PCs to ping each other you'll need an ACL configured inbound on the outside interface, permitting the ICMP reply.

access-list OUTSIDE_IN permit icmp any any echo-reply
access-group OUTSIDE_IN in interface <outside interface name>

or alternatively run the command fixup protocol icmp to inspect ICMP traffic and dynamically permit the return traffic.

You'll also need to ensure the ASAs have the correct routes. Each ASA would need a static route via its inside interface for the network the PC is connected to. You should also have a default route via the outside interface for communication to the remote network.

michaeltownley7 (Level 1)

So would I static route the inside interface to my router as the next hop, and the outside interface to the outside interface of the other firewall?

@michaeltownley7 Yes.

 

ASA0 - route outside 0 0 <ASA1 IP>

ASA0 - route inside 10.1.1.0 255.255.255.0 <Router 1 IP>

ASA1 - route outside 0 0 <ASA0 IP>

ASA1 - route inside 50.1.1.0 255.255.255.0 <Router 0 IP>

 

Change "outside" and "inside" names if required.

michaeltownley7 (Level 1)

@Rob Ingram Okay, so the pings are still not reaching the PC on the other network. Also, I just wanted to say I am appreciative of your time, Rob. Here is a basic overview of the network with the routes and such:

 

PC0:
- IP Address: 10.1.1.2

 

Router1:
- Interface pointing toward PC0 = 10.1.1.1/24
- Interface pointing toward ASA0 =  20.1.1.1/24
- Static Route to the 50.1.1.0/24 network via 20.1.1.2

 

ASA0:
- Interface pointing toward Router1 = 20.1.1.2/24, nameif = inside, security-level 100
- Interface pointing toward ASA1 = 30.1.1.1/24, nameif = outside, security-level 0
- ACL configured via following commands ("access-list OUTSIDE_in extended permit icmp any any" & "access-group OUTSIDE_in in interface outside")
- Static Routes via two following commands ("route outside 0.0.0.0 0.0.0.0 30.1.1.2" & "route inside 10.1.1.0 255.255.255.0 20.1.1.1")

 

ASA1:
- Interface pointing toward Router0 = 40.1.1.1/24, nameif = inside, security-level 100
- Interface pointing toward ASA0 = 30.1.1.2/24, nameif = outside, security-level 0
- ACL configured via following commands ("access-list OUTSIDE_in extended permit icmp any any" & "access-group OUTSIDE_in in interface outside")
- Static Routes via two following commands ("route outside 0.0.0.0 0.0.0.0 30.1.1.1" & "route inside 50.1.1.0 255.255.255.0 40.1.1.2")

 

Router0:
- Interface pointing toward PC0 = 50.1.1.1/24
- Interface pointing toward ASA0 =  40.1.1.2/24
- Static Route to the 10.1.1.0/24 network via 20.1.1.2

 

PC1:
- IP Address: 50.1.1.2




Accepted Solution

@michaeltownley7

Can each PC ping its local ASA (the inside interface of the ASA)?

Can each ASA ping each other's outside interface?

Did you configure the ACL or inspect icmp as per above?

Do you have NAT configured?

 

Run the following command on ASA0 CLI - "packet-tracer input inside permit icmp 10.1.1.2 8 0 50.1.1.2"

Run the following command on ASA1 CLI - "packet-tracer input inside permit icmp 50.1.1.2 8 0 10.1.1.2"
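As an added example (not part of the reply above), the same two checks written against the ASA command reference, where the protocol follows the interface name directly (`packet-tracer input <ifc> icmp <src> <type> <code> <dst>`), plus the return-direction trace and the show commands that answer the four questions from the CLI rather than from memory. Addresses and interface names are the ones from the overview earlier in the thread; the comments describe what a healthy result looks like.

```cisco
! Forward direction: echo request (type 8, code 0) from PC0 entering ASA0 on inside.
! Expected: every phase reports ALLOW and the summary ends with "Action: allow".
! A drop names the phase that failed: ROUTE-LOOKUP (no route), ACCESS-LIST (ACL),
! NAT (translation mismatch). With NAT configured the NAT phase shows the mapping.
ASA0# packet-tracer input inside icmp 10.1.1.2 8 0 50.1.1.2

! Return direction: the echo-reply (type 0, code 0) from PC1 arriving on ASA0's
! outside interface. Without "inspect icmp" this is a stateless new packet and must
! be permitted by the inbound ACL on outside. If PC0 is statically translated, the
! reply is addressed to PC0's mapped address, so trace toward that address instead.
ASA0# packet-tracer input outside icmp 50.1.1.2 0 0 10.1.1.2

! Mirror image on ASA1.
ASA1# packet-tracer input inside icmp 50.1.1.2 8 0 10.1.1.2
ASA1# packet-tracer input outside icmp 10.1.1.2 0 0 50.1.1.2

! The four questions, from the CLI (repeat on ASA1 with its own addresses):
ASA0# ping inside 20.1.1.1              ! adjacency to the local router
ASA0# ping outside 30.1.1.2             ! adjacency to the peer ASA
ASA0# show route                        ! 10.1.1.0/24 via inside, 0.0.0.0/0 via outside?
ASA0# show access-list OUTSIDE_in       ! hitcnt increments when the reply hits the ACL
ASA0# show service-policy inspect icmp  ! present and counting only if inspect icmp is on
ASA0# show nat detail                   ! translate_hits / untranslate_hits per NAT rule
ASA0# show xlate                        ! active translations while a ping is running
ASA0# show conn                         ! ICMP connections appear only with inspect icmp
```

Run the packet-tracer commands while the real ping is failing and compare the phase that drops with the counters in the show commands; a trace that allows while the ping still fails usually means the problem is on a router or the peer ASA, not on the box you are tracing.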

michaeltownley7 (Level 1)

@Rob Ingram This was my fault; I didn't configure NAT in the ASA. It is working now. I appreciate all the help, thank you!

enderion (Level 1)

Hello. I was checking for some solutions to my concern and I noticed this thread. Can I confirm something? What NAT configuration did you create to solve the issue? Thank you!

I'm not 100% sure what I did as I no longer have that file, but I believe it was something along the lines of this (note that these commands will need to be run on the firewall, and routing will need to be in place already):

object network pc1
host 10.1.1.2
nat (inside,outside) static 30.0.0.1

Also note that this is a statically assigned network, not a DHCP-configured network.

I'd recommend this article for NAT configurations pretty well explained: CLI Book 2: Cisco ASA Series Firewall CLI Configuration Guide, 9.6 - NAT Examples and Reference [Cisco ASA 5500-X Series Firewalls] - Cisco
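A complete configuration for both firewalls, added here as an illustration; it is not the configuration recovered in the reply above. It uses the interface names, addresses and routes from the overview earlier in the thread and combines the three pieces the thread arrives at one at a time (routes, an inbound ACL or ICMP inspection, and static NAT). The mapped addresses 30.1.1.10 and 30.1.1.20 are chosen for this example, as are the object names. It assumes an ASA running 8.3 or later, which includes the Packet Tracer ASA 5505 (there the inside/outside interfaces are `interface Vlan1` and `interface Vlan2` with the Ethernet ports assigned to those VLANs, rather than the GigabitEthernet names used below). Two caveats the thread only touches in passing: from 8.3 onward an interface ACL matches the real (untranslated) address of the local host, not the mapped one, and a static NAT to an address on the transit link means the far side reaches PC0 at 30.1.1.10, not at 10.1.1.2.

```cisco
! ===== ASA0 =====
hostname ASA0
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 20.1.1.2 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 30.1.1.1 255.255.255.0
 no shutdown
!
! Routes: the PC LAN sits behind Router1; everything else goes to ASA1.
route inside 10.1.1.0 255.255.255.0 20.1.1.1 1
route outside 0.0.0.0 0.0.0.0 30.1.1.2 1
!
! Static NAT: PC0 appears on the transit link as 30.1.1.10 (example mapped
! address). ASA0 answers ARP for it on outside, so ASA1 needs no extra route.
object network PC0
 host 10.1.1.2
 nat (inside,outside) static 30.1.1.10
!
! Inbound on outside: echo requests from PC1's mapped address to PC0.
! The destination is PC0's REAL address because post-8.3 ACLs are checked
! after the destination has been untranslated.
access-list OUTSIDE_IN extended permit icmp host 30.1.1.20 host 10.1.1.2 echo
access-group OUTSIDE_IN in interface outside
!
! ICMP inspection creates a connection per echo so the echo-reply is allowed
! statefully; without it OUTSIDE_IN would also need an echo-reply line.
! class-map/policy-map/service-policy are in the default config; only the
! "inspect icmp" line is new.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
!
! ===== ASA1 (mirror image) =====
hostname ASA1
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 40.1.1.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 30.1.1.2 255.255.255.0
 no shutdown
!
route inside 50.1.1.0 255.255.255.0 40.1.1.2 1
route outside 0.0.0.0 0.0.0.0 30.1.1.1 1
!
object network PC1
 host 50.1.1.2
 nat (inside,outside) static 30.1.1.20
!
access-list OUTSIDE_IN extended permit icmp host 30.1.1.10 host 50.1.1.2 echo
access-group OUTSIDE_IN in interface outside
!
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
```

With this in place PC0 pings 30.1.1.20 (PC1's mapped address) and PC1 pings 30.1.1.10, and the packets carry those addresses on the transit link. Because replies are addressed to the mapped addresses, each router also needs a route to the transit subnet: on Router1 `ip route 30.1.1.0 255.255.255.0 20.1.1.2` and on Router0 `ip route 30.1.1.0 255.255.255.0 40.1.1.1` (or a default route toward its ASA). If you would rather ping the real addresses, drop the two static NAT rules (8.3 and later forward traffic without a NAT rule), give each ASA a route to the remote real subnet via its outside interface, and change the ACLs to `permit icmp host 50.1.1.2 host 10.1.1.2 echo` and its mirror.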
