cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1297
Views
0
Helpful
7
Replies

Multiple subnets on ASA 5510

newinnovations
Level 1
Level 1

I have an ASA5510 that is connected to outside for WAN, inside for LAN (10.22.254.0/24), and a iSCSI switch plugged into Ethernet 0/3 (10.22.244.0/24). I can ping the Eth0/3 interface (10.22.244.1) but I can't ping across that interface from WAN or LAN side. Any idea?

START CONFIGURATION

ASA Version 9.1(1)

!

hostname ASA5510

enable password ********** encrypted

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

passwd ********** encrypted

names

!

interface Ethernet0/0

speed 100

duplex full

nameif outside

security-level 0

ip address 2.2.188.4 255.255.255.224

!

interface Ethernet0/1

duplex full 

nameif inside

security-level 100

ip address 10.22.254.129 255.255.255.224

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

duplex full

nameif backup

security-level 100

ip address 10.22.244.1 255.255.255.0

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

!

ftp mode passiv

object network MAIL1-LA

host 10.22.254.147

object network MAIL1-WAN

host 2.2.188.13

object network MEDIA1-LAN

host 10.22.254.143

object network MEDIA1-WAN

host 2.2.188.14

object network WEB1-LAN

host 10.22.254.134

object network WEB1-WAN

host 2.2.188.10

object service http

service tcp destination eq www

object service https

service tcp destination eq https

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network LA-LAN

subnet 10.22.254.128 255.255.255.224

object network LON-LAN

subnet 10.22.22.0 255.255.255.0

object network LON-WAN

host 1.1.253.230

object service rdp

service tcp destination eq 3389

object network obj_local

subnet 10.22.254.128 255.255.255.224

object network obj_london

subnet 10.22.22.0 255.255.255.0

object network obj_nyc

subnet 10.22.251.0 255.255.255.0

object-group service WEB-SSL

service-object tcp destination eq www

service-object tcp destination eq https

object-group network WEB2-WAN

network-object object MEDIA1-ILO

network-object object WEB1-ILO

object-group service FTPS-SSH

service-object tcp destination eq ftp

service-object tcp destination eq ssh

object-group network AppRiver-Servers

network-object object AppRiver-Backup-Server

access-list outside_access_in extended permit object-group WEB-SSL any object WEB1-LAN

access-list outside_access_in extended permit object rdp object LONDON-WAN object WEB1-LAN

access-list outside_access_in extended permit tcp object-group AppRiver-Servers object MAIL1-LAN eq smtp

access-list outside_access_in extended permit object-group FTPS-SSH any object WEB1-LAN

access-list outside_access_in extended permit object-group WEB-SSL any object MEDIA1-LAN

access-list outside_access_in extended permit object-group WEB-SSL any object-group WEB2-WAN

access-list outside_access_in extended permit tcp host 1.1.253.230 host 10.22.254.147 eq smtp

access-list outside_access_in extended permit tcp object UNI-WAN object MAIL1-LAN eq smtp inactive

access-list outside_access_in extended permit ip any 10.22.244.0 255.255.255.0

access-list l2l_list extended permit ip 10.22.22.0 255.255.255.0 10.22.254.128 255.255.255.224 inactive

access-list l2l_list extended permit ip 10.22.254.128 255.255.255.224 10.22.22.0 255.255.255.0

access-list l2l_nyc_list extended permit ip 10.22.254.128 255.255.255.224 10.22.251.0 255.255.255.0

access-list l2l_nyc_list extended permit ip 10.22.251.0 255.255.255.0 10.22.254.128 255.255.255.224 inactive

access-list backup_access_in extended permit tcp any 10.22.244.0 255.255.255.0 eq echo

pager lines 24

logging enable

logging asdm warnings

mtu outside 1500

mtu inside 1500

mtu backup 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (inside,outside) source static obj_local obj_local destination static obj_london obj_london

nat (inside,outside) source static obj_local obj_local destination static obj_nyc obj_nyc

!

object network MAIL1-LAN

nat (inside,outside) static MAIL1-WAN

object network MEDIA1-LAN

nat (inside,outside) static MEDIA1-WAN

object network WEB1-LAN

nat (inside,outside) static WEB1-WAN

object network obj_any

nat (inside,outside) dynamic interface

access-group outside_access_in in interface outside

access-group backup_access_in in interface backu

route outside 0.0.0.0 0.0.0.0 2.2.188.1 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set LondonSet esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set NYCSet esp-aes-256 esp-sha-hmac

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto ipsec security-association lifetime seconds 86400

crypto ipsec security-association pmtu-aging infinite

crypto map hqmap 1 match address l2l_list

crypto map hqmap 1 set peer 1.1.253.230

crypto map hqmap 1 set ikev1 transform-set LondonSet

crypto map hqmap 2 match address l2l_NYC_list

crypto map hqmap 2 set peer 2.2.187.98

crypto map hqmap 2 set ikev1 transform-set NYCSet

crypto map hqmap interface outside

crypto ca trustpool policy

crypto ikev2 enable outside

crypto ikev1 enable outside

crypto ikev1 policy 1

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh 1.1.253.230 255.255.255.255 outside

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

username theadmin password ************ encrypted privilege 15

tunnel-group 1.1.253.230 type ipsec-l2l

tunnel-group 1.1.253.230 ipsec-attributes

ikev1 pre-shared-key ********

tunnel-group 2.2.187.98 type ipsec-l2l

tunnel-group 2.2.187.98 ipsec-attributes

ikev1 pre-shared-key **********

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:abcdef0123456789

: end

END CONFIGURATION

7 Replies 7

jocamare
Level 4
Level 4

Try these two commands:

"Fixup protocol icmp"

And

"Same-security-traffic permit inter-interface"

I ran both of those commands and still cannot access/ping.

Hello Steve,

May I know the source IP address and the destination IP address of the PING,

Remember that you cannot ping a distant interface

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I can't get there from the inside (10.22.254.0/24) or VPN (10.22.22.0/24) to ping 10.22.244.1 network.

source = 10.22.254.0/24 or 10.22.22.0/24 and destination 10.22.244.0/24

Neither work

Hello Steve,

Okay so just to be sure, do not try to ping the other ASA's ip address okay?

Let's work with Host's IP addresses...

can you share

packet-tracer input inside icmp 10.22.254.10 8 0 10.22.244.15

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

# packet-tracer input inside icmp 10.22.254.134 8 0 10.22.244.5

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   10.22.244.0    255.255.255.0   backup

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Phase: 3

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

  inspect icmp

service-policy global_policy global

Additional Information:

Phase: 6

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 9

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 54905137, packet dispatched to next module

Result:      

input-interface: inside

input-status: up

input-line-status: up

output-interface: backup

output-status: up

output-line-status: up

Action: allow

Hello Steve,

Looks good to me..

if you try to ping to those hosts do you get any logs on the asa?

can you share the IP address of the destination you are trying to ping ( as specific as possible)

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Review Cisco Networking for a $25 gift card