Static Route for Outside and Inside

rjanakan
Level 1

Hi,

I tried installing a Cisco ASA5510 in our data center today. I assigned a public IP to outside interface and 10.x.x.x to inside interface.(Also configured a diff public IP for ASA management interface). I configured the default gateway of all my servers inside the network as the 'inside' IP of ASA. I configured NAT properly and allowed all traffic in ACL.

I am not sure how to configure the static route. my data center gave default gateway IP and configured that in under Routing in ASDM for outside interface as a default route. What and how should I configure for inside interface and management interface?

When I try to hit the page, in the ASDM log I can see a message saying "No route found from a.b.c.d (public IP address of my webserver) to x.y.z.a (the IP from where I'm trying to access)".

Any help would be greatly appreciated!

-Janakan

4 Replies

a.kiprawih
Level 7

If I understand your question correctly, you're actually trying to ensure access from outside/internet to your server (in data center) via its Public IP is working fine with proper routing.

Basically, for internal servers with internal IP addresses, their default gateway is correctly set to the ASA interface IP.

For ASA routing to the internet router, you can assign all zeros and set the next hop interface/gateway to your internet router FastEthernet interface IP (xx.xx.xx.1) facing the ASA outside interface (xx.xx.xx.2), i.e.

asa(config)#route outside 0.0.0.0 0.0.0.0 xx.xx.xx.1

*xx.xx.xx.xx should be a public IP.

As for internet router routing to the internal network, you do not have to specify any, as access to your internal servers that are individually mapped to a public IP will automatically be recognized by the routers. Just make sure the outside interface ACL allows access to the specified service port(s).

Or perhaps you may want to share the ASA config to give a clearer picture (please remove public IPs, passwords & other sensitive details).

Rgds,

AK

Hi,

Thanks for your reply. Please find the configuration attached.

I have to have another static route for management Interface as it's lying in a different subnet.

-Janakan

Based on the config, the only server group that is allowed to be accessed from internet/outside is the Servers_ref via HTTPS, SMTP, DOMAIN. I assumed the host CPR (65.23.125.130) is a host located on the internet. With ACL 101, you have a problem allowing access to the Servers_ref from any host from the internet and from this CPR host as well.

Initially, your problem was unable to access the servers via their public IPs due to (suspecting) routing issue:

"No route found from a.b.c.d (public IP address of my webserver) to x.y.z.a (the IP from where I'm trying to access)"

Based on the above, I assumed that the a.b.c.d should be 'x.y.z.a', while the x.y.z.a is your host IP that was trying to access the servers.

Note:

But if my assumption is wrong, then your object-group for Servers and Servers_ref are wrongly configured.

The x.y.z.a to x.y.z.e are mapped to your internal servers. Therefore, you cannot use these x.y.z.* IPs to access those servers. Can you verify this?

What you need to do is the following, to isolate the problem one at a time:

1. ACL in Firewall

Create a new ACL (with a different number, i.e. access-list 105) with the following entries. But you may want to do this after office hours to avoid service interruption:

Try this to 1 or 2 servers only. The purpose is to test basic access from outside without using object-group.

access-list 105 extended permit icmp any host x.y.z.a
access-list 105 extended permit tcp any host x.y.z.a eq https
access-list 105 extended permit tcp any host x.y.z.a eq smtp
access-list 105 extended permit tcp any host x.y.z.b eq https
access-list 105 extended permit tcp any host x.y.z.b eq smtp

Try to ping and access the servers via HTTPS and SMTP. This should work as your TCPWEB1 and TCPDB1 are correctly configured and mapped with the public IPs x.y.z.a & x.y.z.b. This can also be verified by telnetting into x.y.z.a & x.y.z.b via their ports 443 (https) and 25 (smtp). You should be able to get some kind of access and not a 'connection refused' message.

You can also add host CPR to the ACL, but put it on top of the ACL list so it will match first. If you put it as the last entry, it will be 'eaten' by the top ACL entry, which will take 'any' incoming access. Use the 'show access-list' command to verify the hit count.

Add these lines to the test ACL 105 after the first entry, so it will become like:

access-list 105 extended permit icmp any host x.y.z.a
access-list 105 extended permit tcp host CPR host x.y.z.a eq https
access-list 105 extended permit tcp host CPR host x.y.z.a eq smtp
access-list 105 extended permit tcp host CPR host x.y.z.b eq https
access-list 105 extended permit tcp host CPR host x.y.z.b eq smtp
access-list 105 extended permit tcp any host x.y.z.a eq https
access-list 105 extended permit tcp any host x.y.z.a eq smtp
access-list 105 extended permit tcp any host x.y.z.b eq https
access-list 105 extended permit tcp any host x.y.z.b eq smtp
access-group 105 in interface Outside

2. Ping test from internet router

This should be a quick test. From the internet router, ping the public IPs of your TCPWEB1 and TCPDB1 servers via x.y.z.a & x.y.z.b. You should be able to get a reply.

As for routing, the static route should be pointing to the internet router; in your config, "route Outside 0.0.0.0 0.0.0.0 a.b.c.d 1" means that a.b.c.d belongs to the same subnet as your outside interface IP (x1.y1.z1.12 255.255.255.248).

Try this and let me know the results.

Rgds,

AK
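To make AK's ordering point concrete, here is an added example that is not part of the thread: a small first-match simulator for the posted 'access-list 105' syntax, plus a check that reports entries shadowed by an earlier, broader entry (the reason a 'host CPR' line placed below the 'any' line never gets a hit in 'show access-list'). The addresses 198.51.100.5 (standing in for CPR) and 192.0.2.10 (standing in for x.y.z.a) are constructed TEST-NET values, not the thread's real IPs.

```python
# Added example (not from the thread): first-match ACL simulator for the
# 'access-list 105' lines posted above, plus a shadowed-entry check.
PORTS = {"https": 443, "smtp": 25}      # service names used in the posted ACL

def _addr(tok, i):
    """'any' -> None (matches all); 'host X' -> X. Assumes only these two forms."""
    return (None, i + 1) if tok[i] == "any" else (tok[i + 1], i + 2)

def parse_acl(text):
    """Parse 'access-list N extended permit PROTO SRC DST [eq PORT]' lines."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"]:      # skip access-group and blank lines
            continue
        src, i = _addr(tok, 5)
        dst, i = _addr(tok, i)
        port = PORTS[tok[i + 1]] if i < len(tok) and tok[i] == "eq" else None
        entries.append({"line": line, "proto": tok[4], "src": src,
                        "dst": dst, "port": port, "hits": 0})
    return entries

def _covers(a, b):
    """True when entry a matches everything entry b would match."""
    return (a["proto"] == b["proto"] and a["src"] in (None, b["src"])
            and a["dst"] in (None, b["dst"]) and a["port"] in (None, b["port"]))

def evaluate(entries, proto, src, dst, port=None):
    """First match wins, then the ASA's implicit deny at the end of the ACL."""
    for e in entries:
        if _covers(e, {"proto": proto, "src": src, "dst": dst, "port": port}):
            e["hits"] += 1
            return "permit"
    return "deny"

def shadowed(entries):
    """Lines that can never get a hit because an earlier line already covers them."""
    return [e["line"] for i, e in enumerate(entries)
            if any(_covers(p, e) for p in entries[:i])]

# Constructed stand-ins for the thread's placeholders: CPR -> 198.51.100.5,
# x.y.z.a -> 192.0.2.10 (TEST-NET documentation addresses).
WRONG_ORDER = (
    "access-list 105 extended permit tcp any host 192.0.2.10 eq https\n"
    "access-list 105 extended permit tcp host 198.51.100.5 host 192.0.2.10 eq https")
RIGHT_ORDER = "\n".join(reversed(WRONG_ORDER.splitlines()))

def cpr_hits(acl_text):
    """Hit count on the CPR-specific line after one HTTPS packet from CPR."""
    acl = parse_acl(acl_text)
    evaluate(acl, "tcp", "198.51.100.5", "192.0.2.10", 443)
    return next(e["hits"] for e in acl if e["src"] == "198.51.100.5")
```

With the CPR line below the 'any' line, shadowed() reports it and cpr_hits() stays at 0; with the order AK recommends, the CPR line takes the hit.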

Hi AK,

Thanks for your reply. I deleted all ACLs and NAT and recreated them. Also, as per your advice, I created a static route entry for outside pointing to the default gateway.

It is working fine now.

Thanks for your help and time on reviewing my configuration.

-Janakan Rajendran
