03-11-2012 07:10 AM - edited 03-11-2019 03:40 PM
Hi all,
I have an ASA5510, software ver 7.2. I will post most of the config below; however, I believe I am missing something simple, so here goes.
Internal server 10.10.1.9 /24
ASA inside interface 10.10.1.1 /24
ISP Router 10.10.1.250 /24
Across the WAN at a different location 10.1.6.240 /24
From 10.10.1.9 I can ping 10.10.1.1 but CAN NOT ping anything past this. However, if I manually add a routing entry on the 10.10.1.9 server, I can then tracert my way through to 10.1.6.240. We currently have all our connections VPN'd, so this is what we are doing for now until this is resolved. Tracert'ing from 10.1.6.240, I see all the hops, but it dies at the firewall. Please help!! Below is most of the config.
testmexicoASA# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list outside-acl; 10 elements
access-list outside-acl line 1 extended permit icmp any any (hitcnt=2292)
access-list outside-acl line 2 extended permit tcp any any eq ssh (hitcnt=0)
access-list outside-acl line 3 extended permit ip 207.164.62.0 255.255.255.0 10.10.1.0 255.255.255.0 (hitcnt=207)
access-list outside-acl line 4 extended permit ip 10.1.10.0 255.255.255.0 10.10.1.0 255.255.255.0 (hitcnt=0)
access-list outside-acl line 5 extended permit ip 192.168.8.0 255.255.252.0 10.10.1.0 255.255.255.0 (hitcnt=0)
access-list outside-acl line 6 extended permit ip 207.164.62.0 255.255.255.0 10.10.2.0 255.255.255.0 (hitcnt=0)
access-list outside-acl line 7 extended permit ip 10.1.10.0 255.255.255.0 10.10.2.0 255.255.255.0 (hitcnt=0)
access-list outside-acl line 8 extended permit ip 10.1.6.0 255.255.255.0 10.10.2.0 255.255.255.0 (hitcnt=0)
access-list outside-acl line 9 extended permit ip 192.168.8.0 255.255.255.0 10.10.2.0 255.255.255.0 (hitcnt=0)
access-list outside-acl line 10 extended permit ip 10.1.6.0 255.255.255.0 10.10.1.0 255.255.255.0 (hitcnt=0)
access-list inside_nat0_outbound; 6 elements
access-list inside_nat0_outbound line 1 extended permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0 (hitcnt=0)
access-list inside_nat0_outbound line 2 extended permit ip 10.10.1.0 255.255.255.0 207.164.62.0 255.255.255.0 (hitcnt=0)
access-list inside_nat0_outbound line 3 extended permit ip 10.10.1.0 255.255.255.0 10.1.10.0 255.255.255.0 (hitcnt=0)
access-list inside_nat0_outbound line 4 extended permit ip 10.10.1.0 255.255.255.0 192.168.8.0 255.255.252.0 (hitcnt=0)
access-list inside_nat0_outbound line 5 extended permit ip 10.10.1.0 255.255.255.0 192.168.2.0 255.255.255.0 (hitcnt=0)
access-list inside_nat0_outbound line 6 extended permit ip any 10.10.2.240 255.255.255.240 (hitcnt=0)
access-list outside_cryptomap_20; 6 elements
access-list outside_cryptomap_20 line 1 extended permit ip 10.10.1.0 255.255.255.0 207.164.62.0 255.255.255.0 (hitcnt=7)
access-list outside_cryptomap_20 line 2 extended permit ip 10.10.1.0 255.255.255.0 10.1.10.0 255.255.255.0 (hitcnt=0)
access-list outside_cryptomap_20 line 3 extended permit ip 10.10.2.0 255.255.255.0 207.164.62.0 255.255.255.0 (hitcnt=0)
access-list outside_cryptomap_20 line 4 extended permit ip 10.10.2.0 255.255.255.0 10.1.10.0 255.255.255.0 (hitcnt=0)
access-list outside_cryptomap_20 line 5 extended permit ip 10.10.2.0 255.255.255.0 10.1.6.0 255.255.255.0 (hitcnt=0)
access-list outside_cryptomap_20 line 6 extended permit ip 10.10.1.0 255.255.255.0 10.1.6.0 255.255.255.0 (hitcnt=0)
access-list outside_cryptomap_40; 1 elements
access-list outside_cryptomap_40 line 1 extended permit ip 10.10.1.0 255.255.255.0 192.168.8.0 255.255.252.0 (hitcnt=0)
access-list outside_cryptomap_60; 1 elements
access-list outside_cryptomap_60 line 1 extended permit ip 10.10.1.0 255.255.255.0 192.168.2.0 255.255.255.0 (hitcnt=20)
access-list testout-acl; 7 elements
access-list testout-acl line 1 extended permit ip 10.10.1.0 255.255.255.0 207.164.62.0 255.255.255.0 (hitcnt=0)
access-list testout-acl line 2 extended permit ip 10.10.1.0 255.255.255.0 10.1.10.0 255.255.255.0 (hitcnt=0)
access-list testout-acl line 3 extended permit ip 10.10.1.0 255.255.255.0 192.168.8.0 255.255.252.0 (hitcnt=0)
access-list testout-acl line 4 extended permit ip 10.10.2.0 255.255.255.0 207.164.62.0 255.255.255.0 (hitcnt=0)
access-list testout-acl line 5 extended permit ip 10.10.2.0 255.255.255.0 10.1.10.0 255.255.255.0 (hitcnt=0)
access-list testout-acl line 6 extended permit ip 10.10.2.0 255.255.255.0 10.1.6.0 255.255.255.0 (hitcnt=0)
access-list testout-acl line 7 extended permit ip 10.10.2.0 255.255.255.0 192.168.8.0 255.255.255.0 (hitcnt=0)
access-list inside2_nat0_outbound; 6 elements
access-list inside2_nat0_outbound line 1 extended permit ip 10.10.2.0 255.255.255.0 10.10.1.0 255.255.255.0 (hitcnt=0)
access-list inside2_nat0_outbound line 2 extended permit ip 10.10.2.0 255.255.255.0 207.164.62.0 255.255.255.0 (hitcnt=0)
access-list inside2_nat0_outbound line 3 extended permit ip 10.10.2.0 255.255.255.0 10.1.10.0 255.255.255.0 (hitcnt=0)
access-list inside2_nat0_outbound line 4 extended permit ip 10.10.2.0 255.255.255.0 10.1.6.0 255.255.255.0 (hitcnt=0)
access-list inside2_nat0_outbound line 5 extended permit ip 10.10.2.0 255.255.255.0 192.168.8.0 255.255.255.0 (hitcnt=0)
access-list inside2_nat0_outbound line 6 extended permit ip 10.10.2.0 255.255.255.0 192.168.2.0 255.255.255.0 (hitcnt=0)
access-list testMex_splitTunnelAcl; 1 elements
access-list testMex_splitTunnelAcl line 1 standard permit any (hitcnt=0)
testmexicoASA# sh route
S 0.0.0.0 0.0.0.0 [1/0] via 201.116.156.1, outside
S 10.1.6.0 255.255.255.0 [1/0] via 10.10.1.250, inside
S 10.1.10.0 255.255.255.0 [1/0] via 10.10.1.250, inside
S 10.1.20.0 255.255.255.0 [1/0] via 10.10.1.250, inside
C 10.10.1.0 255.255.255.0 is directly connected, inside
C 10.10.2.0 255.255.255.0 is directly connected, inside2
C 201.116.156.0 255.255.255.240 is directly connected, outside
NAT configuration
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside2) 0 access-list inside2_nat0_outbound
nat (inside2) 1 0.0.0.0 0.0.0.0
access-group outside-acl in interface outside
access-group testout-acl out interface inside
03-11-2012 07:54 AM
One more thing I should clarify the route I am putting into the 10.10.1.9 server is
route add 10.1.6.0 mask 255.255.255.0 10.10.1.250, which tells the server to bypass the ASA and go directly to the ISP router (then I can successfully tracert everything). The big question here is how to make the inside ASA connection 10.10.1.1 force all traffic to 10.10.1.250.
Thanks in advance.
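The following is an added configuration example, not part of the original post and not a reply from the poster. It uses only the addresses and names shown in the posted config. The symptom in the post is the classic hairpin case: 10.10.1.9 sends to 10.1.6.240 with the ASA (10.10.1.1) as its gateway, the ASA's static route sends 10.1.6.0/24 back out the inside interface toward 10.10.1.250, and ASA 7.2 drops a flow that enters and leaves the same interface unless same-security intra-interface traffic is permitted. Two other things in the posted config also block that flow once hairpinning is allowed: testout-acl is applied "out interface inside" and has no 10.10.1.0/24 to 10.1.6.0/24 entry, and "nat (inside) 1 0.0.0.0 0.0.0.0" matches the flow while the only global is on outside, so a nat 0 exemption is needed. Which other WAN subnets (10.1.10.0/24, 10.1.20.0/24) should be permitted is an assumption about the operator's intent; only 10.1.6.0/24 is shown.

```text
! Added example (not from the original post): the minimum needed on ASA 7.2 for
! an inside -> inside hairpin. Network numbers are the ones in the post.

! 1. Allow a flow to enter and leave the same interface. Without this the
!    ASA drops 10.10.1.9 -> 10.1.6.240, which arrives on inside and is
!    routed back out inside toward 10.10.1.250.
same-security-traffic permit intra-interface

! 2. testout-acl is applied "out interface inside", so the hairpinned flow
!    must be permitted by it when it leaves inside. The posted ACL only has
!    10.10.2.0/24 -> 10.1.6.0/24; add the 10.10.1.0/24 entry (repeat for
!    10.1.10.0/24 and 10.1.20.0/24 if those are wanted - assumption).
access-list testout-acl extended permit ip 10.10.1.0 255.255.255.0 10.1.6.0 255.255.255.0

! 3. Keep the hairpinned flow out of dynamic NAT ("nat (inside) 1 0 0" would
!    match it, and the only global is on outside). inside2_nat0_outbound
!    already exempts 10.10.2.0/24 -> 10.1.6.0/24; add the matching entry
!    for inside.
access-list inside_nat0_outbound extended permit ip 10.10.1.0 255.255.255.0 10.1.6.0 255.255.255.0

! 4. Verify on the ASA instead of guessing: packet-tracer walks the route
!    lookup, ACL and NAT phases for this exact flow and names the phase
!    that drops it (ICMP echo request is type 8, code 0).
packet-tracer input inside icmp 10.10.1.9 8 0 10.1.6.240
```

One caveat worth checking before relying on this: with the server's gateway on the ASA and the ISP router on the same LAN, the reply from 10.1.6.240 comes back via 10.10.1.250 straight to 10.10.1.9 and never crosses the ASA, so the firewall sees only the outbound half of each connection. Ping and tracert will work, but the ASA's TCP state tracking can drop later packets of an asymmetric TCP session, so test an actual TCP connection, not just ICMP. The host route the poster is already using avoids that asymmetry entirely.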