New Cisco ASA 5540 - Basic Routing Problem

Mark Cavendish
Level 1

Hello

This is my first post on these forums, so please go easy on me. I am new to Cisco ASA and plan to upgrade our current firewalls to this.

Upon testing, it seems that although I have static routes set up to all of our internal network, I cannot ping anything outside the current subnet (the same as the ASA's, 10.22.x.x) whilst choosing the ASA as my default gateway.

So I can ping the ASA itself (10.22.1.7) and I can ping all of the internal network whilst on the ASA, but I cannot route to any internal hosts when I set the ASA as the default gateway on my PC.

I have chosen ICMP in the default service policy rules and I have also added ICMP access rules, which haven't worked.

I know it is probably something really simple, but any help would be greatly appreciated. I haven't even got to routing from Private to Public for Internet access etc. Below is my current running config with secure bits changed:

: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
domain-name test.com
enable password hf8y89w8f.88 encrypted
passwd fy87er9hfneiornjreo encrypted
names
!
interface GigabitEthernet0/0
description Private Interface
nameif Private
security-level 100
ip address 10.22.1.7 255.255.0.0
!
interface GigabitEthernet0/1
description DMZ Interface
nameif DMZ
security-level 50
ip address 10.96.22.3 255.255.0.0
!
interface GigabitEthernet0/2
description Public Interface
nameif Public
security-level 0
ip address 100.65.35.30 255.255.255.248
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
description Management Interface
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
banner asdm Test ASDM, Authorised Access Only.
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup Private
dns domain-lookup Public
dns server-group DefaultDNS
name-server 208.67.222.222
name-server 208.67.220.200
name-server 10.21.1.1
domain-name test.com
object-group service GWise tcp
description Groupwise
port-object eq 1677
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list ripACL_FR_1 standard permit 10.0.0.0 255.0.0.0
access-list Public_access_out remark HTTP Outbound
access-list Public_access_out extended permit tcp interface Private eq www interface Public eq www
access-list Public_access_out remark Ping Test
access-list Public_access_out extended permit icmp 10.0.0.0 255.0.0.0 100.65.35.29 255.255.255.248
access-list Public_access_out remark DNS Resolution
access-list Public_access_out extended permit object-group TCPUDP interface Private interface Public eq domain
access-list Private_access_in extended permit ip any any
access-list Private_access_in extended permit icmp any any
access-list ripACL_FR standard permit 10.0.0.0 255.0.0.0
access-list Private_access_out remark Icmp ping LAN
access-list Private_access_out extended permit ip any any log disable
access-list Private_access_out extended permit icmp any any
pager lines 24
logging asdm informational
mtu Private 1500
mtu DMZ 1500
mtu Public 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (Private) 101 0.0.0.0 0.0.0.0
access-group Private_access_in in interface Private
access-group Private_access_out out interface Private
access-group Public_access_out out interface Public
!
router rip
network 10.0.0.0
version 2
distribute-list ripACL_FR out interface Private
distribute-list ripACL_FR_1 in interface Private
!
route Public 0.0.0.0 0.0.0.0 100.65.35.29 1
route Private 10.2.0.0 255.255.0.0 10.22.2.15 1
route Private 10.3.0.0 255.255.0.0 10.22.2.15 1
route Private 10.4.0.0 255.255.0.0 10.22.2.15 1
route Private 10.5.0.0 255.255.0.0 10.22.2.15 1
route Private 10.6.0.0 255.255.0.0 10.22.2.15 1
route Private 10.7.0.0 255.255.0.0 10.22.2.15 1
route Private 10.8.0.0 255.255.0.0 10.22.2.15 1
route Private 10.9.0.0 255.255.0.0 10.22.2.15 1
route Private 10.10.0.0 255.255.0.0 10.22.2.15 1
route Private 10.11.0.0 255.255.0.0 10.22.2.15 1
route Private 10.12.0.0 255.255.0.0 10.22.2.15 1
route Private 10.13.0.0 255.255.0.0 10.22.2.15 1
route Private 10.14.0.0 255.255.0.0 10.22.2.15 1
route Private 10.20.0.0 255.255.0.0 10.22.2.15 1
route Private 10.21.0.0 255.255.0.0 10.22.2.15 1
route Private 10.22.0.0 255.255.0.0 10.22.2.15 1
route Private 10.24.0.0 255.255.0.0 10.22.2.15 1
route Private 10.45.0.0 255.255.0.0 10.22.2.15 1
route DMZ 10.96.0.0 255.255.0.0 10.96.22.3 1
route Private 10.97.0.0 255.255.0.0 10.22.2.15 1
route Private 10.98.0.0 255.255.0.0 10.22.2.15 1
route Private 10.99.0.0 255.255.0.0 10.22.2.15 1
route Private 10.210.0.0 255.255.0.0 10.22.2.15 1
route Private 10.215.0.0 255.255.0.0 10.22.2.15 1
route Private 10.220.0.0 255.255.0.0 10.22.2.15 1
route Public 100.65.35.30 255.255.255.248 100.65.35.29 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.22.0.0 255.255.0.0 Private
http 10.0.0.0 255.0.0.0 Private
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
<cut>
quit
telnet 10.0.0.0 255.0.0.0 Private
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 Private
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.21.1.1 source Private prefer
webvpn
!
class-map Public-class
match port tcp eq www
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map Public-policy
class Public-class
  inspect http
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect http
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
service-policy Public-policy interface Public
prompt hostname context
call-home reporting anonymous
Cryptochecksum:uh888juhojm9j009kj09
: end
no asdm history enable

Any help would be greatly appreciated again.

Thanks in advance,

Mark


6 Replies

Jennifer Halim
Cisco Employee

It is recommended that you configure 10.22.2.15 as your default gateway and that switch/router's default gateway to be the ASA inside interface.

The reason is if you configure your PC default gateway to be the ASA inside interface, there will be asymmetric routing and the ASA will drop the packet because it does not see the complete session.

To access the internet from the Private subnets, just add the following global statement:

global (Public) 101 interface
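To see why the two gateway placements behave differently, here is an added Python model (example code, not from the thread or from Cisco) that does a longest-prefix lookup over the interfaces and a subset of the static routes posted above. It assumes, as the replies imply, that 10.22.2.15 is the L3 core switch that owns the 10.x networks the ASA routes towards it and that it delivers replies to 10.22.x.x hosts directly; the host addresses 10.22.50.10 and 10.2.0.10 are made up for the demonstration.

```python
import ipaddress

# Interfaces and a representative subset of the static routes, copied from the
# running config posted above (the other "route Private ... 10.22.2.15" lines
# behave identically to the 10.2.0.0/16 entry).
INTERFACES = {
    "Private": ipaddress.ip_interface("10.22.1.7/255.255.0.0"),
    "DMZ": ipaddress.ip_interface("10.96.22.3/255.255.0.0"),
    "Public": ipaddress.ip_interface("100.65.35.30/255.255.255.248"),
}
ROUTE_LINES = """
route Public 0.0.0.0 0.0.0.0 100.65.35.29 1
route Private 10.2.0.0 255.255.0.0 10.22.2.15 1
route Private 10.21.0.0 255.255.0.0 10.22.2.15 1
route Private 10.22.0.0 255.255.0.0 10.22.2.15 1
route DMZ 10.96.0.0 255.255.0.0 10.96.22.3 1
""".strip().splitlines()

ASA_PRIVATE = ipaddress.ip_address("10.22.1.7")
CORE_SWITCH = ipaddress.ip_address("10.22.2.15")   # the L3 core switch named in the replies


def parse_routes(lines):
    """Turn 'route <iface> <net> <mask> <next-hop> <metric>' lines into tuples."""
    routes = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "route":
            _, iface, net, mask, nexthop = parts[:5]
            routes.append((iface, ipaddress.ip_network(f"{net}/{mask}"),
                           ipaddress.ip_address(nexthop)))
    return routes


def lookup(routes, dst):
    """Longest-prefix match over connected and static routes.

    A connected route wins a tie against a static of the same length
    (administrative distance 0 versus 1), which is why 10.22.0.0/16 resolves
    to the Private interface itself rather than to the static via 10.22.2.15.
    Returns (egress interface, matched network, next hop or None if connected).
    """
    dst = ipaddress.ip_address(dst)
    best = None
    for name, iface in INTERFACES.items():
        net = iface.network
        if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (name, net, None)
    for iface, net, nh in routes:
        if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (iface, net, nh)
    return best


def ingress_interface(src):
    """The ASA interface a packet from `src` arrives on: the one whose subnet contains it."""
    src = ipaddress.ip_address(src)
    for name, iface in INTERFACES.items():
        if src in iface.network:
            return name
    return None


def trace_flow(routes, src, dst, host_gateway):
    """Describe where a flow from `src` to `dst` goes given the host's default gateway.

    Assumption (implied by the route table, not stated in the thread): the core
    switch owns every network the ASA routes towards 10.22.2.15 plus its own
    10.22.0.0/16, and delivers replies to 10.22.x.x hosts directly.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    core_nets = [net for _, net, nh in routes if nh == CORE_SWITCH]
    core_nets.append(INTERFACES["Private"].network)
    internal = any(dst_ip in net for net in core_nets)

    if host_gateway == CORE_SWITCH and internal:
        # The core switch routes it itself; the firewall never sees the flow.
        return {"via_asa": False, "ingress": None, "egress": None,
                "next_hop": None, "hairpin": False, "asa_sees_reply": None}

    if host_gateway == CORE_SWITCH:
        ingress = ingress_interface(CORE_SWITCH)   # the switch's uplink sits on Private
    else:
        ingress = ingress_interface(src_ip)        # PC talks to the ASA directly
    egress, _, nh = lookup(routes, dst_ip)
    hairpin = ingress == egress
    return {
        "via_asa": True,
        "ingress": ingress,
        "egress": egress,
        "next_hop": str(nh) if nh else "connected",
        # Hairpinned traffic leaves through the interface it came in on; the
        # core switch then answers src directly, so the ASA sees only one direction.
        "hairpin": hairpin,
        "asa_sees_reply": not hairpin,
    }


if __name__ == "__main__":
    routes = parse_routes(ROUTE_LINES)
    print("PC -> 10.2.0.10, ASA as gateway:   ", trace_flow(routes, "10.22.50.10", "10.2.0.10", ASA_PRIVATE))
    print("PC -> 10.2.0.10, core as gateway:  ", trace_flow(routes, "10.22.50.10", "10.2.0.10", CORE_SWITCH))
    print("PC -> 8.8.8.8, core as gateway:    ", trace_flow(routes, "10.22.50.10", "8.8.8.8", CORE_SWITCH))
```

With the ASA as the PC's gateway, a packet for 10.2.0.10 enters and leaves on Private (a hairpin, which an ASA will not forward at all unless `same-security-traffic permit intra-interface` is configured), and the core switch answers the PC without touching the firewall, so the ASA only ever sees half the session. With the core switch as gateway, internal traffic never reaches the ASA, and only Internet-bound traffic crosses from Private to Public, where both directions pass through the firewall.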

Hi Bro

As Jennifer Halim advised, it’s best that all workstations default gateway points to the L3 Core Switch i.e. 10.22.2.15, and the L3 Core Switch has a default gateway pointing to the Cisco ASA FW.

Here are some config changes that you'll need to do. Once you've done it, paste your latest config here, so that everyone here can assist you further.

Commands to remove

================

no access-list ripACL_FR_1 standard permit 10.0.0.0 255.0.0.0

no access-group Private_access_out out interface Private

no access-group Public_access_out out interface Public

no object-group service GWise tcp

no object-group protocol TCPUDP

no access-list Public_access_out remark HTTP Outbound

no access-list Public_access_out extended permit tcp interface Private eq www interface Public eq www

no access-list Public_access_out remark Ping Test

no access-list Public_access_out extended permit icmp 10.0.0.0 255.0.0.0 100.65.35.29 255.255.255.248

no access-list Public_access_out remark DNS Resolution

no access-list Public_access_out extended permit object-group TCPUDP interface Private interface Public eq domain

no access-list Private_access_in extended permit ip any any

no access-list Private_access_in extended permit icmp any any

no access-list ripACL_FR standard permit 10.0.0.0 255.0.0.0

no access-list Private_access_out remark Icmp ping LAN

no access-list Private_access_out extended permit ip any any log disable

no access-list Private_access_out extended permit icmp any any

no router rip

no route DMZ 10.96.0.0 255.255.0.0 10.96.22.3 1

no route Public 100.65.35.30 255.255.255.248 100.65.35.29 1

no class-map Public-class

no policy-map Public-policy

no service-policy Public-policy interface Public

Commands to add

============

access-group public in interface Public

access-group dmz in interface DMZ

access-list Private_access_in permit ip any any

access-list private permit ip any any

access-list public permit ip any any

static (Private,DMZ) 10.0.0.0 10.0.0.0 netmask 255.255.0.0

global (Public) 101 interface

nat (DMZ) 101 0.0.0.0 0.0.0.0

Warm regards,
Ramraj Sivagnanam Sivajanam

Hi guys

Many thanks for both your replies. That makes sense not configuring the ASA as the gateway on the PC. I have been able to do this in the past just to test routing, but I had already tested it on the ASA itself so should have realised.

Thank you for both your recommendations anyway, I will make those changes.

One more question if you don't mind. I understand changing the default gateway on the switch/router to be the inside ASA interface so it can route out to the Internet. Yet the site we are migrating first is a secondary Firewall/Proxy and backup E-Mail link on a separate site to our Primary one. At the moment users access this secondary internet service via a Proxy Server.

Is there any way to point users to the secondary site via the ASA to use the Internet without modifying the default gateway on the router there? We use a Proxy on both our sites, yet the Primary one already has the default gateway to the Internet via our current main Firewall, which all our sites go through when we don't use the Proxy Server. So I am concerned about having 2 default routes and how one would be chosen.

I hope that makes sense, thanks again for all your help.

Mark

I assume you are using an explicit proxy server instead of a transparent proxy. If that is the case then the proxy traffic should already be routed explicitly to the proxy server, so there should be no issue there. All you need to ensure is that you have a static route for the proxy server pointing towards this firewall.

Sent from Cisco Technical Support iPad App

Hi Jennifer

We will be using an explicit proxy, so a static route should work out perfectly. Thanks for clearing it all up for me.

No problem. Please kindly mark the question as answered so others can learn from your post. Thank you.
