09-23-2011 02:45 PM - edited 03-04-2019 01:43 PM
Ok,
So having some issues with routing on an ASA. Not sure if the ASA can do what we are trying to do with it; however, it was the equipment we have on hand and I was asked to attempt to make it work.
Below is the config of the ASA. The problem I am having is that the 10.116.0.0/19 cannot get to the 10.51.0.0/16. The Akmaaq-LAN interface can ping down to 10.51.0.0/16 but nothing in the NS-LAN can. Can anyone see why I may be having this issue?
Thanks in advance.
Sean
sh run
: Saved
:
ASA Version 8.0(4)
!
hostname AKQ-AK-GW1
enable password U2E6Nz68OvO4VlFL encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
description GCI WAN Network
nameif GCI-WAN
security-level 0
ip address 10.10.10.10 255.255.255.0
!
interface Ethernet0/1
description NanaServices LAN
nameif NS-LAN
security-level 100
ip address 10.116.0.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
description Akmaaq LAN tie
nameif Akmaaq-LAN
security-level 100
ip address 192.168.70.7 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
no ip address
management-only
!
ftp mode passive
same-security-traffic permit inter-interface
pager lines 24
logging asdm informational
mtu GCI-WAN 1500
mtu NS-LAN 1500
mtu Akmaaq-LAN 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (GCI-WAN) 1 interface
nat (NS-LAN) 1 0.0.0.0 0.0.0.0
static (NS-LAN,Akmaaq-LAN) 10.116.0.0 10.116.0.0 netmask 255.255.224.0
route GCI-WAN 0.0.0.0 0.0.0.0 69.178.0.1 1
route Akmaaq-LAN 10.51.0.0 255.255.0.0 192.168.70.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.70.101 255.255.255.255 Akmaaq-LAN
ssh timeout 10
ssh version 2
console timeout 0
dhcpd dns 209.165.131.12 209.165.131.13
dhcpd lease 86400
!
dhcpd address 10.116.0.50-10.116.0.100 NS-LAN
dhcpd enable NS-LAN
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username smallonee password A2NSLOjGBhWoAs/d encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:8f3000929b1e2902f2885254ed4bdbee
: end
09-23-2011 07:02 PM
Sean
The first thing that I notice is that you refer to the source as 10.116.0.0/19. But the ASA has the interface ip address as 10.116.0.1 255.255.255.0. So the ASA only knows how to get to a /24 and not a /19.
If that is not the issue then I would ask questions like: is the next hop for the route to 10.51.0.0/16, 192.168.70.1, reachable?
And if that is not the issue then I would observe that the ASA has a route to 10.51.0.0/16 and ask whether that site has a correct route back to 10.116.0.0?
HTH
Rick
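As an added worked example (not part of the thread, and not Cisco's or either poster's code), the following Python script turns Rick's first two checks into something you can run against the posted config. It builds the ASA's routing table from the interface "ip address" and "route" lines quoted above, then (a) computes which part of the claimed 10.116.0.0/19 source range the ASA actually has a connected or static route for, and (b) checks that each static route's next hop lies inside the connected subnet of its exit interface. The config excerpt is copied from the post; the function names and the check logic are my own.

```python
import ipaddress

# Interface and route lines copied from the posted "sh run" (excerpt only).
ASA_CONFIG = """\
interface Ethernet0/0
 nameif GCI-WAN
 ip address 10.10.10.10 255.255.255.0
interface Ethernet0/1
 nameif NS-LAN
 ip address 10.116.0.1 255.255.255.0
interface Ethernet0/3
 nameif Akmaaq-LAN
 ip address 192.168.70.7 255.255.255.0
route GCI-WAN 0.0.0.0 0.0.0.0 69.178.0.1 1
route Akmaaq-LAN 10.51.0.0 255.255.0.0 192.168.70.1 1
"""


def parse_routes(config):
    """Return a list of (network, interface, next_hop) tuples.

    Connected routes come from each interface's 'ip address' line (next_hop None);
    static routes come from 'route' lines. Interfaces without a nameif are skipped.
    """
    routes = []
    nameif = None
    for line in config.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "nameif":
            nameif = parts[1]
        elif parts[:2] == ["ip", "address"] and nameif:
            net = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
            routes.append((net, nameif, None))
        elif parts[0] == "route":
            net = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
            routes.append((net, parts[1], ipaddress.ip_address(parts[4])))
    return routes


def lookup(routes, host):
    """Longest-prefix match: (exit interface, next hop as str or None) for host."""
    addr = ipaddress.ip_address(host)
    best = None
    for net, ifname, nh in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname, nh)
    return None if best is None else (best[1], None if best[2] is None else str(best[2]))


def unreachable_part(routes, prefix):
    """Subnets of prefix that only the default route covers, as sorted CIDR strings.

    Hosts in these subnets are reachable only via the default route, so replies
    from 10.51.0.0/16 to them would leave towards the WAN, not the NS-LAN side.
    """
    remaining = [ipaddress.ip_network(prefix)]
    for net, _ifname, _nh in routes:
        if net.prefixlen == 0:
            continue  # a default route does not mean the ASA "knows" the prefix
        new_remaining = []
        for chunk in remaining:
            if chunk.subnet_of(net):
                continue  # chunk entirely covered by this route
            if net.subnet_of(chunk):
                new_remaining.extend(chunk.address_exclude(net))
            else:
                new_remaining.append(chunk)  # no overlap
        remaining = new_remaining
    return [str(n) for n in sorted(remaining)]


def next_hop_check(routes):
    """For each static route: True if its next hop is inside the exit interface's
    connected subnet (otherwise the ASA cannot ARP for it directly)."""
    connected = {ifname: net for net, ifname, nh in routes if nh is None}
    return {
        str(net): ifname in connected and nh in connected[ifname]
        for net, ifname, nh in routes
        if nh is not None
    }


ROUTES = parse_routes(ASA_CONFIG)

if __name__ == "__main__":
    print("Claimed source /19 not covered by a real route:",
          unreachable_part(ROUTES, "10.116.0.0/19"))
    for host in ("10.116.0.50", "10.116.5.7", "10.51.1.1"):
        print(f"{host:>12} ->", lookup(ROUTES, host))
    print("Next hop on connected subnet:", next_hop_check(ROUTES))
```

Running it shows that 10.116.1.0/24 through 10.116.16.0/20 fall to the default route, so a host such as 10.116.5.7 resolves to GCI-WAN rather than NS-LAN, and that the default route's next hop 69.178.0.1 is not inside the GCI-WAN interface's 10.10.10.0/24 subnet as posted (the 10.51.0.0/16 route's next hop 192.168.70.1 passes). The same script can be pointed at a sanitised copy of any ASA config to catch interface-mask and next-hop mismatches before they become a troubleshooting thread.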