ASA Issues

daniel_growth
Level 1

Hi All,

 

I need my CORP LAN to ping the server and PCs within their ranges. I am unable to get this to work despite looking at static routing and ACL rules. I have attached the PKT file and all passwords are "cisco". If you are able to get it pinging, please do return and explain how you got it to work so I can learn from it.

 

I look forward to your replies and thank you in advance for support!

 

Switch 1:

version 12.2(37)SE1
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
!
hostname CORP_SWT_1
!
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
!
ip dhcp excluded-address 137.223.25.0 137.223.25.10
!
ip dhcp pool CORP_RANGE
network 137.223.25.0 255.255.255.0
default-router 137.223.25.1
!
!
ip routing
!
!
!
!
!
!
!
!
!
!
!
!
!
no ip domain-lookup
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface Loopback1
ip address 216.27.61.137 255.255.255.248
!
interface FastEthernet0/1
shutdown
!
interface FastEthernet0/2
shutdown
!
interface FastEthernet0/3
shutdown
!
interface FastEthernet0/4
shutdown
!
interface FastEthernet0/5
shutdown
!
interface FastEthernet0/6
shutdown
!
interface FastEthernet0/7
shutdown
!
interface FastEthernet0/8
shutdown
!
interface FastEthernet0/9
shutdown
!
interface FastEthernet0/10
shutdown
!
interface FastEthernet0/11
shutdown
!
interface FastEthernet0/12
shutdown
!
interface FastEthernet0/13
shutdown
!
interface FastEthernet0/14
shutdown
!
interface FastEthernet0/15
shutdown
!
interface FastEthernet0/16
shutdown
!
interface FastEthernet0/17
shutdown
!
interface FastEthernet0/18
shutdown
!
interface FastEthernet0/19
shutdown
!
interface FastEthernet0/20
shutdown
!
interface FastEthernet0/21
shutdown
!
interface FastEthernet0/22
shutdown
!
interface FastEthernet0/23
shutdown
!
interface FastEthernet0/24
shutdown
!
interface GigabitEthernet0/1
switchport access vlan 137
switchport mode access
switchport nonegotiate
!
interface GigabitEthernet0/2
no switchport
ip address 137.223.27.1 255.255.255.252
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
interface Vlan137
mac-address 0060.5c6e.2601
ip address 137.223.25.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 137.223.27.2
!
ip flow-export version 9
!
!
!
no cdp run
!
!
!
!
!
!
line con 0
password 7 0822455D0A16
logging synchronous
login
!
line aux 0
password 7 0822455D0A16
logging synchronous
!
line vty 0 4
password 7 0822455D0A16
logging synchronous
login
line vty 5 15
password 7 0822455D0A16
logging synchronous
login
!
!
!
!
end


Firewall:

ASA Version 9.6(1)
!
hostname ciscoasa
names
!
interface GigabitEthernet1/1
nameif inside
security-level 100
ip address 172.16.27.2 255.255.255.252
!
interface GigabitEthernet1/2
nameif outside
security-level 0
ip address 137.223.27.2 255.255.255.252
!
interface GigabitEthernet1/3
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/4
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/5
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/6
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/7
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/8
no nameif
no security-level
no ip address
shutdown
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
object network obj_any
subnet 0.0.0.0 0.0.0.0
!
route inside 172.16.24.0 255.255.255.192 172.16.27.1 1
route outside 0.0.0.0 0.0.0.0 137.223.27.1 1
!
access-list R&DZ1-CORP-AllowAll extended permit ip host 172.16.24.11 host 137.223.25.11
access-list outside_access_in extended permit icmp any any
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any unreachable
!
!
access-group OUTSIDE_IN in interface outside
access-group OUTSIDE_IN in interface inside
object network obj_any
nat (any,outside) dynamic interface
!
!
!
!
class-map inspection_default
match default-inspection-traffic
!
policy-map glabal_policy
policy-map global_policy
!
!
telnet timeout 5
ssh timeout 5
!
!
!
!
!


Switch 2:

version 12.2(37)SE1
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
!
hostname R&D_LAN
!
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
!
!
!
!
ip routing
!
!
!
!
!
!
!
!
!
!
!
!
!
no ip domain-lookup
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/1
switchport trunk allowed vlan 51
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
!
interface FastEthernet0/2
switchport trunk allowed vlan 52
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
!
interface FastEthernet0/3
shutdown
!
interface FastEthernet0/4
shutdown
!
interface FastEthernet0/5
shutdown
!
interface FastEthernet0/6
shutdown
!
interface FastEthernet0/7
shutdown
!
interface FastEthernet0/8
shutdown
!
interface FastEthernet0/9
shutdown
!
interface FastEthernet0/10
shutdown
!
interface FastEthernet0/11
shutdown
!
interface FastEthernet0/12
shutdown
!
interface FastEthernet0/13
shutdown
!
interface FastEthernet0/14
shutdown
!
interface FastEthernet0/15
shutdown
!
interface FastEthernet0/16
shutdown
!
interface FastEthernet0/17
shutdown
!
interface FastEthernet0/18
shutdown
!
interface FastEthernet0/19
shutdown
!
interface FastEthernet0/20
shutdown
!
interface FastEthernet0/21
shutdown
!
interface FastEthernet0/22
shutdown
!
interface FastEthernet0/23
shutdown
!
interface FastEthernet0/24
shutdown
!
interface GigabitEthernet0/1
no switchport
ip address 172.16.27.1 255.255.255.252
duplex auto
speed auto
!
interface GigabitEthernet0/2
switchport access vlan 72
switchport mode access
switchport nonegotiate
!
interface Vlan1
no ip address
shutdown
!
interface Vlan51
mac-address 0002.17e1.ed01
ip address 172.16.24.1 255.255.255.192
!
interface Vlan52
mac-address 0002.17e1.ed02
ip address 172.16.24.65 255.255.255.192
!
interface Vlan72
mac-address 0002.17e1.ed03
ip address 172.16.25.1 255.255.255.248
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.27.2
!
ip flow-export version 9
!
!
!
no cdp run
!
banner motd ^C
Authorized users only, violaters will be subject to legal charges! ^C
!
!
!
!
!
line con 0
password 7 0822455D0A16
logging synchronous
login
!
line aux 0
password 7 0822455D0A16
logging synchronous
login
!
line vty 0 4
password 7 0822455D0A16
logging synchronous
login
line vty 5 15
password 7 0822455D0A16
logging synchronous
login
!
!
!
!
end

Kind Regards,
Daniel Growth

Accepted Solutions

Hello,

 

Not really sure why your setup doesn't work; when I add the routes, I can ping everything. I have attached the revised, working file, and also the working ASA config.

 

ciscoasa#sh run
: Saved
:
ASA Version 9.6(1)
!
hostname ciscoasa
names
!
interface GigabitEthernet1/1
nameif inside
security-level 100
ip address 172.16.27.2 255.255.255.252
!
interface GigabitEthernet1/2
nameif outside
security-level 0
ip address 137.223.27.2 255.255.255.252
!
interface GigabitEthernet1/3
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/4
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/5
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/6
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/7
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/8
no nameif
no security-level
no ip address
shutdown
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
shutdown
!
route inside 172.16.24.0 255.255.255.192 172.16.27.1 1
route outside 0.0.0.0 0.0.0.0 137.223.27.1 1
route inside 172.16.24.64 255.255.255.192 172.16.27.1 1
route inside 172.16.25.0 255.255.255.248 172.16.27.1 1
!
access-list OUT_IN extended permit ip any any
access-list IN_OUT extended permit ip any any
!
access-group IN_OUT in interface outside
access-group IN_OUT in interface inside
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect tftp
!
service-policy global_policy global
!
telnet timeout 5
ssh timeout 5
!
ciscoasa#
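The two faults the thread converges on can be checked offline before touching the lab: the ASA has static routes for only one of the three subnets behind the R&D_LAN switch (the rest fall through to the default route out the outside interface), and the original OUTSIDE_IN list, applied inbound on the inside interface, permits only echo-reply and unreachable, so an echo request from inside never matches a permit and hits the implicit deny. The script below is an added example written for this page, not code from the thread or from Cisco; the config excerpts are constructed from the values posted above and trimmed to the lines the parser reads, and the ACL parser is deliberately limited to `any any` entries, which is all these lists contain. It reports which inside subnets lack a route and whether the inbound ACL on a given interface would pass an ICMP echo request under first-match evaluation. Note that the accepted solution's `permit ip any any` on both interfaces does make the ping work, but it also removes all filtering; the tighter fix is a scoped ACL plus the ICMP inspection mentioned earlier in the thread, so that only echo replies for existing requests are allowed back.

```python
"""Offline check of the two faults in this thread: inside subnets the ASA has no
route for, and an inbound ACL that never permits an ICMP echo request.
Config excerpts are constructed from the values posted in the thread."""
import ipaddress
import re

# Constructed excerpt of the R&D_LAN switch (the ASA's inside side).
INSIDE_SWITCH_CONFIG = """
interface Vlan51
 ip address 172.16.24.1 255.255.255.192
interface Vlan52
 ip address 172.16.24.65 255.255.255.192
interface Vlan72
 ip address 172.16.25.1 255.255.255.248
interface GigabitEthernet0/1
 no switchport
 ip address 172.16.27.1 255.255.255.252
"""

# Constructed excerpt of the original poster's ASA config (the 'before' state).
ASA_CONFIG_BEFORE = """
interface GigabitEthernet1/1
 nameif inside
 ip address 172.16.27.2 255.255.255.252
interface GigabitEthernet1/2
 nameif outside
 ip address 137.223.27.2 255.255.255.252
route inside 172.16.24.0 255.255.255.192 172.16.27.1 1
route outside 0.0.0.0 0.0.0.0 137.223.27.1 1
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-group OUTSIDE_IN in interface outside
access-group OUTSIDE_IN in interface inside
"""

# Constructed excerpt of the accepted solution's ASA config (the 'after' state).
ASA_CONFIG_AFTER = """
interface GigabitEthernet1/1
 nameif inside
 ip address 172.16.27.2 255.255.255.252
interface GigabitEthernet1/2
 nameif outside
 ip address 137.223.27.2 255.255.255.252
route inside 172.16.24.0 255.255.255.192 172.16.27.1 1
route outside 0.0.0.0 0.0.0.0 137.223.27.1 1
route inside 172.16.24.64 255.255.255.192 172.16.27.1 1
route inside 172.16.25.0 255.255.255.248 172.16.27.1 1
access-list IN_OUT extended permit ip any any
access-group IN_OUT in interface outside
access-group IN_OUT in interface inside
"""

IP_RE = re.compile(r"^\s*ip address (\S+) (\S+)", re.M)
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) \S+", re.M)
# Simplification: only 'any any' ACEs are parsed, which covers the thread's lists.
ACE_RE = re.compile(
    r"^access-list (\S+) extended (permit|deny) (\S+) any any(?: (\S+))?\s*$", re.M)
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)", re.M)


def connected_subnets(cfg):
    """Every subnet an 'ip address' line places the device directly on."""
    return {ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            for ip, mask in IP_RE.findall(cfg)}


def static_routes(cfg, nameif):
    """Destination prefixes of the ASA's 'route <nameif> ...' statements."""
    return {ipaddress.ip_network(f"{net}/{mask}")
            for ifc, net, mask in ROUTE_RE.findall(cfg) if ifc == nameif}


def missing_inside_routes(switch_cfg, asa_cfg):
    """Inside-switch subnets the ASA can neither route to nor reach as connected.
    Traffic for these falls through to the default route out 'outside'."""
    reachable = static_routes(asa_cfg, "inside") | connected_subnets(asa_cfg)
    return sorted(connected_subnets(switch_cfg) - reachable)


def inbound_icmp_echo_allowed(asa_cfg, nameif):
    """First-match evaluation of the ACL bound inbound on `nameif` for an ICMP
    echo request. None when no ACL is bound (security levels then decide),
    otherwise the action of the first matching ACE, or False for the implicit
    deny at the end of the list."""
    bound = {ifc: acl for acl, ifc in GROUP_RE.findall(asa_cfg)}
    acl = bound.get(nameif)
    if acl is None:
        return None
    for name, action, proto, icmp_type in ACE_RE.findall(asa_cfg):
        if name != acl:
            continue
        # 'ip' matches everything; 'icmp' with no type or type 'echo' matches.
        if proto == "ip" or (proto == "icmp" and icmp_type in ("", "echo")):
            return action == "permit"
    return False


if __name__ == "__main__":
    for label, cfg in (("before", ASA_CONFIG_BEFORE), ("after", ASA_CONFIG_AFTER)):
        missing = [str(n) for n in missing_inside_routes(INSIDE_SWITCH_CONFIG, cfg)]
        print(f"{label}: inside subnets without an ASA route: {missing}")
        print(f"{label}: inside ACL passes ICMP echo request: "
              f"{inbound_icmp_echo_allowed(cfg, 'inside')}")
```

Run against the 'before' excerpt it lists 172.16.24.64/26 and 172.16.25.0/29 as unrouted and reports the inside ACL as blocking echo requests; against the 'after' excerpt both checks clear, which matches the accepted solution's diagnosis.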

8 Replies

Hello,

 

On the ASA, you only have a 'route outside' towards the VLAN 71 network. You need to add a route outside to the other networks in VLAN 72 and 75 as well...

Hi,

 

Yes, I know. From VLAN 71 I cannot ping the corp LAN back and forth. Until I manage to fix this issue I will not attempt to route the others, as they will also be wrong based on my current config.

Kind Regards,
Daniel Growth

ICMP inspection to allow ASA ICMP pass-through.

Hi, thanks for the reply. When I look for those ICMP commands I see that they are not supported within Packet Tracer. Could you give me an example within the context of my network to try and paste into the ASA?

Kind Regards,
Daniel Growth

Hello,

 

The access lists are the problem. I allowed everything in and out in the attached revised file, and the ping works. You need to look at the access lists.

 

That said, when you open the file, both ASA interfaces are in 'shutdown' mode by default.

Hey,

 

Thanks for getting back to me. I tried the ping and it didn't work the first few times, but it does now from zone 1 to the corp and corp to zone 1. I need to get the server and zone 2 also communicating with the corp LAN and vice versa.

route inside 172.16.24.64 255.255.255.192 172.16.27.1 

I added the above command, based off your route for zone 1, and it doesn't work? I really don't understand.

Kind Regards,
Daniel Growth
