Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2147
Views
0
Helpful
2
Replies

Firewall reverse routing issue:

sanju250.shukla
Level 1
Level 1

‎06-06-2012 06:02 AM - edited ‎03-11-2019 04:16 PM

Dear Friends,

I am using ASA 5505 with base license and ISP connected directly on the firewall.While L# switch is connected through firewall also.

my configuration is :

ASA Version 7.2(4)

!

hostname CiscoFirewall03316

domain-name default.domain.invalid

enable password Ko5SCsPM2YQ1wt2G encrypted

passwd Ko5SCsPM2YQ1wt2G encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 10.192.32.11 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 112.23.24.25 255.255.255.248

!

interface Vlan10

no nameif

security-level 90

ip address 192.168.0.3 255.255.240.0

!

<--- More --->

interface Vlan50

no nameif

security-level 80

ip address 10.195.32.15 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

switchport access vlan 10

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

switchport access vlan 50

!

interface Ethernet0/6

!

interface Ethernet0/7

!

<--- More --->

ftp mode passive

clock timezone IST 5 30

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

name-server 121.242.190.181

name-server 121.242.190.210

domain-name default.domain.invalid

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list in_out extended permit ip any any

access-list out_in extended permit ip any any

access-list out_in extended permit ip any 112.23.24.25 255.255.255.248

access-list cisco_splitTunnelAcl standard permit 0.0.0.0 255.255.255.0

access-list cisco_splitTunnelAcl_1 standard permit any

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool ciscouser 10.10.10.240-10.10.10.249 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any outside

<--- More --->

asdm image disk0:/asdm-523.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

access-group in_out in interface inside

access-group out_in in interface outside

route inside 192.168.0.0 255.255.240.0 192.168.0.2 1

route outside 0.0.0.0 0.0.0.0 112.23.24.25 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

http server enable

http 10.192.32.0 255.255.255.0 inside

http 112.23.24.0 255.255.255.248 outside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac

crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

<--- More --->

crypto dynamic-map outside_dyn_map 20 set pfs

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA

crypto dynamic-map outside_dyn_map 40 set pfs

crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-SHA

crypto dynamic-map outside_dyn_map 60 set pfs

crypto dynamic-map outside_dyn_map 60 set transform-set ESP-DES-SHA

crypto dynamic-map outside_dyn_map 80 set pfs

crypto dynamic-map outside_dyn_map 80 set transform-set TRANS_ESP_DES_SHA

crypto dynamic-map outside_dyn_map 100 set pfs

crypto dynamic-map outside_dyn_map 100 set transform-set ESP-DES-SHA

crypto dynamic-map outside_dyn_map 120 set pfs

crypto dynamic-map outside_dyn_map 120 set transform-set ESP-DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

client-update enable

no vpn-addr-assign aaa

no vpn-addr-assign dhcp

<--- More --->

telnet 10.192.32.0 255.255.255.0 inside

telnet 0.0.0.0 0.0.0.0 outside

telnet 112.23.24.0 255.255.255.0 outside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

group-policy DefaultRAGroup internal

group-policy DefaultRAGroup attributes

dns-server none

vpn-tunnel-protocol l2tp-ipsec

group-policy cisco internal

group-policy cisco attributes

split-tunnel-policy tunnelspecified

split-tunnel-network-list value cisco_splitTunnelAcl_1

username test password tFqxsrS5ErBk4STW encrypted privilege 0

username test attributes

vpn-group-policy cisco

username admin password V5OS2TRb/vQZ7oZ9 encrypted

username ciscouser password 6aU35/UOvPoumpKWCFYSig== nt-encrypted privilege 0

username ciscouser attributes

vpn-group-policy DefaultRAGroup

<--- More --->

tunnel-group DefaultL2LGroup ipsec-attributes

pre-shared-key *

tunnel-group DefaultRAGroup general-attributes

address-pool ciscouser

default-group-policy DefaultRAGroup

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *

tunnel-group DefaultRAGroup ppp-attributes

no authentication chap

authentication ms-chap-v2

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

<--- More --->

  inspect rsh

  inspect rtsp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

policy-map type inspect im Google

parameters

match protocol msn-im yahoo-im

  drop-connection log

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:a883391680fa205ee31f05881761958c

: end

Everything is running fine on vlan 1 but vlan 10 is not running from user end.there is no ping from inside of 192.168.0.2

Please advise me.Thanks

Labels:
0 Helpful
2 Replies 2

Jennifer Halim
Cisco Employee
Cisco Employee

‎06-06-2012 07:12 AM

There are 2 conflicting configuration:

interface Vlan10

no nameif

security-level 90

ip address 192.168.0.3 255.255.240.0

and "route inside 192.168.0.0 255.255.240.0 192.168.0.2 1"

How do you want to connect VLAN 10? is it on its own interface on the firewall? if it is, then you would need to configure a name for it, via the nameif command, and remove the above route inside

if it is going to be a routed subnet via the inside interface, then the above route needs to be modified as follows:

route inside 192.168.0.0 255.255.240.0 10.192.32.x

--> 10.192.32.x needs to be the next hop which is your L3 switch vlan 1 interface ip

and you would also need to shutdown interface vlan 10 on the ASA and remove the IP Address.

0 Helpful

rizwanr74
Level 7
Level 7

‎06-06-2012 08:09 AM

Hi Sanjeev,

You need a name on the vlan10, which is missing, so you can name it as inside2 or dmz whatever a meaningful name.

interface Vlan10

nameif inside2

nat (inside2) 1 0.0.0.0 0.0.0.0

Let me know, if this helps.

thanks

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card