03-28-2012 06:56 PM - edited 03-11-2019 03:48 PM
I have an ASA 5510 running 8.2(1) that I recently purchased and installed.
To give you an overview of our network layout, we have 3 remote offices. Our main office is 10.0.0.0/24. The ASA 5510 is 10.0.0.1. Right now I have a VPN router at 10.0.0.3 that the ASA 5510 will eventually be taking the place of. It does a VPN tunnel to 10.0.5.0/24. I have an MPLS router at 10.0.0.2 that connects to the other remote office (10.0.3.0/24). I am also trying to get the ASA 5510 to do a VPN tunnel to 10.0.4.0/24, which has an ASA 5505 in place, but before I try and figure out why that is not working, I want to resolve this static route issue.
The ASA 5510 is working fine for us to get out on the internet from the 10.0.0.0/24 network; it is set as our default gateway on our client machines. However, I cannot ping or in any way see anything on our remote networks from any client on the 10.0.0.0/24 network that uses the ASA 5510 as the default gateway. I can, however, ping the remote equipment from the CLI interface on the ASA 5510, so I think I have my static routes just fine. It makes me think it is an access list issue or some other command I am missing to keep the thing from blocking the traffic.
Thanks so much to anyone who is willing to point me in the right direction. My brain is just about mush.
03-28-2012 11:38 PM
Hi,
The following command(s) came to mind first, as I didn't find them in the configuration attached. Your traffic is entering and leaving the same interface, so you'll need one of the below configurations.
From Cisco material:
same-security-traffic
To permit communication between interfaces with equal security levels, or to allow traffic to enter and exit the same interface, use the same-security-traffic command in global configuration mode. To disable the same-security traffic, use the no form of this command.
same-security-traffic permit {inter-interface | intra-interface}
no same-security-traffic permit {inter-interface | intra-interface}
Syntax Description
inter-interface
Permits communication between different interfaces that have the same security level.
intra-interface
Permits communication in and out of the same interface.
Defaults
This command is disabled by default.
Usage Guidelines
Allowing communication between same security interfaces (enabled by the same-security-traffic inter-interface command) provides the following benefits:
• You can configure more than 101 communicating interfaces. If you use different levels for each interface, you can configure only one interface per level (0 to 100).
• You can allow traffic to flow freely between all same security interfaces without access lists.
The same-security-traffic intra-interface command lets traffic enter and exit the same interface, which is normally not allowed. This feature might be useful for VPN traffic that enters an interface, but is then routed out the same interface. The VPN traffic might be unencrypted in this case, or it might be reencrypted for another VPN connection. For example, if you have a hub and spoke VPN network, where the adaptive security appliance is the hub, and remote VPN networks are spokes, for one spoke to communicate with another spoke, traffic must go into the adaptive security appliance and then out again to the other spoke.
Note
All traffic allowed by the same-security-traffic intra-interface command is still subject to firewall rules. Be careful not to create an asymmetric routing situation that can cause return traffic not to traverse the adaptive security appliance.
Examples
The following example shows how to enable the same-security interface communication:
hostname(config)# same-security-traffic permit inter-interface
The following example shows how to enable traffic to enter and exit the same interface:
hostname(config)# same-security-traffic permit intra-interface
Hope this helps
- Jouni
03-29-2012 06:11 AM
That is a great suggestion, and I tried it, but it didn't solve the problem. Still can't ping from a client, but can from inside the device.
03-29-2012 07:18 AM
Hi,
The above quoted text mentions that the traffic is still subject to normal firewall rules.
Can you make sure that you have permitted ICMP from the interface that has the routes to the remote network?
Can you also check that you have the following inspect configured:
policy-map global_policy
class inspection_default
inspect icmp
The "inspect icmp" line basically simplifies the ICMP handling with the firewall. You won't have to use access-lists in both directions to get the ICMP working. At least that's how I understood it.
Doesn't seem you have that configured in the attached ASA configuration. Though I'm not sure if it's needed in the way your traffic is going. But I'm sure it won't hurt adding the "inspect icmp" anyway.
PS.
Why do both your routes have the same gateway address? Wasn't the other network supposed to be reached from 10.0.0.2 and not 10.0.0.3?
- Jouni
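Putting the pieces from both replies together for the topology in the opening post, as an added example (not configuration from the thread or from the original poster's attachment). The interface name "inside", the access-list name and the Ethernet0/1 slot are assumptions; the networks and next hops are the ones stated above.

```cisco
! Added example, not from the thread. Interface name, ACL name and the
! Ethernet0/1 slot are assumed; addresses and next hops come from the post.
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! One static route per remote network, each via its own router on the
! inside LAN (the PS in the last reply: they should not share a gateway).
route inside 10.0.5.0 255.255.255.0 10.0.0.3
route inside 10.0.3.0 255.255.255.0 10.0.0.2
!
! Client traffic arrives on inside and must leave on inside again
! (hairpin); this is denied by default and needs the intra-interface permit.
same-security-traffic permit intra-interface
!
! If an inbound ACL is applied to inside it still governs the hairpinned
! flow, so ICMP from the LAN to the remote networks must be permitted.
access-list inside_access_in extended permit icmp 10.0.0.0 255.255.255.0 10.0.5.0 255.255.255.0
access-list inside_access_in extended permit icmp 10.0.0.0 255.255.255.0 10.0.3.0 255.255.255.0
access-group inside_access_in in interface inside
!
! Stateful ICMP inspection: echo replies are matched to the outgoing echo
! request instead of needing a separate permit in the return direction.
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
```

Because 10.0.0.2 and 10.0.0.3 sit on the same /24 as the clients, their return traffic reaches a client directly on the LAN without passing back through the ASA, which is the asymmetric routing the quoted Note warns about; pings may work with the above while stateful flows such as TCP still fail.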