cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
844
Views
0
Helpful
7
Replies

Problem of routing between inside and outside on ASA5505

gwhuang5398
Level 2
Level 2

I have a ASA5505 with mostly factory default configuration. Its license allows only two vlan interfaces (vlan 1 and vlan 2). The default config has interface vlan 1 as inside (security level 100), and interface vlan 2 as outside (security level 0 and using DHCP).

I only changed interface vlan 1 to IP 10.10.10.1/24. After I plugged in a few hosts to vlan 1 ports and connect port Ethernet0/0 (default in vlan 2) to a live network, here are a couple of issues I found:

a) One host I plugged in is a PC, and another host is a WAAS WAE device. Both are in vlan 1 ports. I hard coded their IP to 10.10.10.250 and 10.10.10.101, /24 subnet mask, and gateway of 10.10.10.1. I can ping from the PC to WAE but not from WAE to the PC, although the WAE has 10.10.10.250 in its ARP table. They are in the same vlan and same subnet, how could it be? Here are the ping and WAE ARP table.

WAE#ping 10.10.10.250

PING 10.10.10.250 (10.10.10.250) from 10.10.10.101 : 56(84) bytes of data.

--- 10.10.10.250 ping statistics ---

5 packets transmitted, 0 packets received, 100% packet loss

WAE#sh arp

Protocol Address Flags Hardware Addr Type Interface

Internet 10.10.10.250 Adj 00:1E:37:84:C9:CE ARPA GigabitEthernet1/0

Internet 10.10.10.10 Adj 00:14:5E:85:50:01 ARPA GigabitEthernet1/0

Internet 10.10.10.1 Adj 00:1E:F7:7F:6E:7E ARPA GigabitEthernet1/0

b) None of the hosts in vlan 1 in 10.10.10.0/24 can ping interface vlan 2 (address in 172.26.18.0/24 obtained via DHCP). But on ASA routing table, it has both 10.10.10.0/24 and 172.26.18.0/24, and also a default route learned via DHCP. Is ASA able to route between vlan 1 and vlan 2? (inside and outside). Any changes I can try?

Here are ASA routing table and config of vlan 1 and vlan 2 (mostly its default).

ASA# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is 172.26.18.1 to network 0.0.0.0

C 172.26.18.0 255.255.255.0 is directly connected, outside

C 127.1.0.0 255.255.0.0 is directly connected, _internal_loopback

C 10.10.10.0 255.255.255.0 is directly connected, inside

d* 0.0.0.0 0.0.0.0 [1/0] via 172.26.18.1, outside

interface Vlan1

nameif inside

security-level 100

ip address 10.10.10.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

interface Ethernet0/0

switchport access vlan 2

All other ports are in vlan 1 by default.

7 Replies 7

eddie.mitchell
Level 3
Level 3

cdusio
Level 4
Level 4

You cannot ping from the inside network to the outside ip address of the ASA. Problem 2 explained..

Problem number one sounds like you have either a firewall or VPN client restricing inbound ICMP.

Can you ping the pc from anywhere? Can the WAE ping anything else on that network?

I should have made the config easier to read. So here is what's on the ASA and the problems I have. The ASA only allows two VLAN interfaces configured (default to Int VLAN 1 - nameif inside, and Int VLAN 2 - nameif outside)

port 0: in VLAN 2 (outside). DHCP configured. VLAN 2 pulled IP in 172.26.18.0/24, default gateway 172.26.18.1

port 1-7: in VLAN 1 (inside). VLAN 1 IP is 10.10.10.1. I set all devices IP in VLAN 1 to 10.10.10.0/24, default gateway 10.10.10.1

I have one PC in port 1 and one WAE device in port 2. PC IP set to 10.10.10.250 and WAE set to 10.10.10.101. PC can ping WAE but WAE can't ping PC. Both can ping default gateway.

If I can't ping from inside interface to outside interface on ASA, how can I verify inside hosts can get to outside addresses and vise versa? I looked at ASA docs, but didn't find out how to set the routing between inside and outside. They are both connected interfaces, should they route between each other already?

Thanks a lot

They are directly conencted interfaces so as long as you are routing on the firewall and your default gateway is the inside inerface of the firewall you should be fine.

do a sh route and you'll see at least two routes.. both should be showing as connected and you might have a default route on the outside as well..

Again,

turn of the firewall on the PC if you have one.. Try pinging the PC from the firewall. Can you?

They are connected interfaces on the ASA. The default gateway is learned via DHCP from outside interface, not inside as you mentioned. Is that an issue?

Here is sh route, and interface inside and outside config:

ASA# sh route

Gateway of last resort is 172.26.18.1 to network 0.0.0.0

C 172.26.18.0 255.255.255.0 is directly connected, outside

C 127.1.0.0 255.255.0.0 is directly connected, _internal_loopback

C 10.10.10.0 255.255.255.0 is directly connected, inside

d* 0.0.0.0 0.0.0.0 [1/0] via 172.26.18.1, outside

ASA#sh run

interface Vlan1

nameif inside

security-level 100

ip address 10.10.10.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

if you have not altered any of the inside policy on the security tab in ASDM , all the inside pc's will be able to reach the inside interface .

all host are routed to the connected i/f by default . no routing needed for this .

here the problem would be natting ,

go to the nat tab , click , allow traffic to pass through the box unnatted ..

apply the policy

from hisec to lowsec traffic will pass by default i suppose ..

to clarify , there is a visual packet tracer in the asdm which would give you a clear idea on what and where the packet is getting dropped ..

good luck

You cannnot do nat-control on this deployment. He is inside of a device that has an internal IP address so he will need to nat at least to the external ip of his outside interface.

nat (inside) 1 0.0.0.0

global (outside) 1 interface

Review Cisco Networking for a $25 gift card