Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1039
Views
0
Helpful
3
Replies

Help with ASA 5505 routing

MikeJohnson35491
Level 1
Level 1

‎02-20-2020 11:52 PM

Hello,

 

I'm trying to add a separate subnet with access to another subnet, but can't make it work:

 

Existing configuration:

MAIN-LAN is the main local network on interface inside with address range 192.168.10.0/24

outside is internet access,
EZdr is another private network with interface IP 10.159.255.132. IP adress ranges 172.24.0.0 and 172.29.0.0 are routed to this network.

 

Interface inside has access to both outside and EZdr. That works.

 

I want to add another local network LAN_EZDR on it's own interface with IP 192.168.25.10 and I want this network to only have access to EZdr and no other network (neither MAIN-LAN or internet).

 

Packet tracer shows that the packets are routed correctly and are passed through. But nothing works (http, dns, ping, traceroute). It works from the MAIN-LAN but not from the new LAN_EZDR.

 

Attached is the configuration. Can someone please take a look and tell me what I'm missing?

 

Thank you.

Preview file
18 KB
0 Helpful
3 Replies 3

Marius Gunnerud
VIP
VIP

‎02-21-2020 12:38 PM

From what you have poster it looks like you are missing NAT statements for LAN_EZDR to the internet.   Also looks like you have not posted all the NAT configuration from your device.  As for access from inside to LAN_EZDR without seeing your full NAT configration it is difficult to pin point but I suspect that you have NAT-control configured?  If yes, then you will need a NAT statement for traffic from inside to LAN_EZDR

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

MikeJohnson35491
Level 1
Level 1
In response to Marius Gunnerud

‎02-22-2020 04:00 AM

Thank you,

The attached file is the whole configuration - output of "show running-config". Is there some other command to show NAT config? Just to clarify, LAN_EZDR should have access to Ezdr but not to "outside" or "inside".

0 Helpful

Marius Gunnerud
VIP
VIP
In response to MikeJohnson35491

‎02-22-2020 11:50 AM

Currently you are allowing LAN-EZDR access to everything.  Is that for testing?

Could you issue the command show run all nat and post the output.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card