Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
607
Views
0
Helpful
3
Replies

Static Route Issue

DurableJoe
Level 1
Level 1

‎03-28-2012 06:56 PM - edited ‎03-11-2019 03:48 PM

I have an ASA 5510 running 8.2(1) that I recently purchased and installed.

To give you an overview of our network layout, we have 3 remote offices.  Our main office is 10.0.0.0/24.  The ASA 5510 is 10.0.0.1.  Right now I have a VPN router that the ASA 5510 will eventually be taking the place of at 10.0.0.3.  It does a VPN tunnel to 10.0.5.0/24.  I have an MPLS router at 10.0.0.2 that connects to the other remote office (10.0.3.0/24).  I am also trying to get the ASA 5510 to do a vpn tunnel to 10.0.4.0/24 which has an ASA 5505 in place, but before I try and figure out why that is not working, I want to resolve this static route issue.

The ASA 5510 is working fine for us to get out on the internet from the 10.0.0.0/24 network, it is set as our default gateway on our client machines.  However, I cannot ping or in any way see anything on our remote networks from any client on the 10.0.0.0/24 network that uses the ASA 5510 as the default gateway.  I can however ping the remote equipment from the CLI interface on the ASA 5510, so I think I have my static routes just fine.  It makes me think it is an access list issue or some other command I am missing to keep the thing from blocking the traffic.

Thanks so much to anyone who is willing to point me in the right direction.  My brain is just about mush.

Labels:
125305-running-config.txt.zip
0 Helpful
3 Replies 3

Jouni Forss
VIP Alumni
VIP Alumni

‎03-28-2012 11:38 PM

Hi,

The following command(s) came to mind first as I didnt find them on the configuration attached. You traffic is entering and leaving the same interface so you'll need one of the below configurations.

From Cisco material

 same-security-traffic 


 To permit communication between interfaces with equal security levels,  or to allow traffic to enter and exit the same interface, use the same-security-traffic command in global configuration mode. To disable the same-security traffic, use the no form of this command. 


same-security-traffic permit {inter-interface | intra-interface} 


no same-security-traffic permit {inter-interface | intra-interface} 


 Syntax Description




 





 inter-interface 




 Permits communication between different interfaces that have the same security level. 








 intra-interface 




 Permits communication in and out of the same interface. 








 


 Defaults 


 This command is disabled by default. 

 Usage Guidelines 


 Allowing communication between same security interfaces (enabled by the same-security-traffic inter-interface command) provides the following benefits: 


You  can configure more than 101 communicating interfaces. If you use  different levels for each interface, you can configure only one  interface per level (0 to 100). 


You can allow traffic to flow freely between all same security interfaces without access lists. 


 The same-security-traffic intra-interface command  lets traffic enter and exit the same interface, which is normally not  allowed. This feature might be useful for VPN traffic that enters an  interface, but is then routed out the same interface. The VPN traffic  might be unencrypted in this case, or it might be reencrypted for  another VPN connection. For example, if you have a hub and spoke VPN  network, where the adaptive security appliance is the hub, and remote  VPN networks are spokes, for one spoke to communicate with another  spoke, traffic must go into the adaptive security appliance and then out  again to the other spoke. 


 Note All traffic allowed by the same-security-traffic intra-interface command is still subject to firewall rules. Be careful not to create an  asymmetric routing situation that can cause return traffic not to  traverse the adaptive security appliance. 


 Examples 


 The following example shows how to enable the same-security interface communication: 




hostname(config)# same-security-traffic permit inter-interface





 


 


 


 The following example shows how to enable traffic to enter and exit the same interface: 




 




hostname(config)# same-security-traffic permit intra-interface

Hope this helps

- Jouni

0 Helpful

DurableJoe
Level 1
Level 1
In response to Jouni Forss

‎03-29-2012 06:11 AM

That is a great suggesting, and I tried it, but it didn't solve the problem.  Still can't ping from a client, but can from inside the device.

0 Helpful

Jouni Forss
VIP Alumni
VIP Alumni
In response to DurableJoe

‎03-29-2012 07:18 AM

Hi,

The above quoted text mentions that the traffic is still subject to normal firewall rules.

Can you make sure that you have permitted ICMP from the interface that has the routes to the remote network.

Can you also check that you have the following inspect configured

policy-map global_policy

class inspection_default

  inspect icmp

The "inspect icmp" line basicly simplifies the ICMP handling with the firewall. You wont have to use access-list in both directions to get the ICMP working. Atleast thats how I understood it.

Doesnt seem you have that configured in the attached ASA configuration. Though I'm not sure if its needed in the way your traffic is going. But I'm sure it wont hurt adding the "inspect icmp" anyway.

PS.

Why does both your routes have the same gateway address? Wasn't the other network supposed to be reached from 10.0.0.2 and not 10.0.0.3?

- Jouni

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card