ASA

Ketan Bheda
Level 1

Can we use the ASA after the router, in the downlink-to-uplink direction?

Is it necessary to use it after the core switches?

6 Replies

Hello,

the ASA is supposed to protect your network, so you should place it as close to the network edge (which means as close to the outside connection) of your network as possible. That is the (very) general idea. You can obviously place a router in front of the ASA. What is your network supposed to look like?

Hi Georg,

Please find the image of the infrastructure.

In the infrastructure shown in the image I have configured HSRP for a redundant network.

I have tried configuring the ASA, but my ASA was able to ping only its neighboring routers, not the user-end PCs.

Also, after configuring the ASA box, users cannot reach the internet (4.4.4.4 and 8.8.8.8).

Note: please consider that all the users are connected to the switch.

I have also applied ACLs on both the standby and active routers, where only VLAN 40 (the group of users connected to MUM-DSW04) is allowed to communicate with the remote location (Delhi).

Can you please suggest the set of rules to follow while configuring the ASA? If you could also help me with the commands, that would do.

Thank you

Hello,

Can you post a topology please?

res

paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul,

Please refer to the reply below with the commands and image file.

Thank you!

Hi,

Please correct me if I am understanding this wrong, but currently the ASA is isolated from the rest of the network. I'm not really sure what the infrastructure will look like, but the first step I suggest is to create any-any ACLs just to verify proper connectivity.

ASA

interface g0/0
 nameif OUTSIDE
 security-level 0
 ip address x.x.x.x x.x.x.x
!
interface g0/1
 nameif INSIDE
 security-level 100
 ip address y.y.y.y y.y.y.y
!
access-list INSIDE-ACL extended permit icmp any any
access-list INSIDE-ACL extended permit icmp any any echo
access-list INSIDE-ACL extended permit icmp any any echo-reply
access-list INSIDE-ACL extended permit ip any any
!
access-list OUTSIDE-ACL extended permit icmp any any
access-list OUTSIDE-ACL extended permit icmp any any echo
access-list OUTSIDE-ACL extended permit icmp any any echo-reply
access-list OUTSIDE-ACL extended permit ip any any
!
access-group INSIDE-ACL in interface INSIDE
access-group OUTSIDE-ACL in interface OUTSIDE
!
route OUTSIDE 0.0.0.0 0.0.0.0 ISP1
route INSIDE <Inside networks> <inside next hop IP>

Hope it is useful

:-)

>> Mark as helpful or answered if the reply resolved your question; this helps future queries from other community members. <<

 Current configuration : 4408 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname MUM-RT01-Active
!
!
!
enable secret 5 $1$mERr$iReMtoOFQEl2wyGEfLcyU/
!
!
ip dhcp excluded-address 192.168.50.100 192.168.50.200
!
ip dhcp pool voice
 network 192.168.50.0 255.255.255.0
 default-router 192.168.50.103
 option 150 ip 192.168.50.103
 dns-server 4.4.4.4
!
!
!
ip cef
no ipv6 cef
!
!
!
username ntw1 password 0 support
!
!
!
!
!
!
!
!
ip ssh version 2
ip domain-name abc.com
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface Tunnel10
 ip address 172.16.0.1 255.255.0.0
 mtu 1476
 tunnel source FastEthernet0/1
 tunnel destination 192.1.45.5
!
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation dot1Q 10
 ip address 192.168.10.100 255.255.255.0
 ip access-group nodelhi in
 standby 1 ip 192.168.10.103
 standby 1 priority 250
 standby 1 preempt
!
interface FastEthernet0/0.2
 encapsulation dot1Q 20
 ip address 192.168.20.100 255.255.255.0
 ip access-group nodelhi in
 standby 1 ip 192.168.20.103
 standby 1 priority 200
 standby 1 preempt
!
interface FastEthernet0/0.3
 encapsulation dot1Q 30
 ip address 192.168.30.100 255.255.255.0
 ip access-group nodelhi in
 standby 1 ip 192.168.30.103
 standby 1 priority 244
 standby 1 preempt
!
interface FastEthernet0/0.4
 encapsulation dot1Q 40
 ip address 192.168.40.100 255.255.255.0
 standby 1 ip 192.168.40.103
 standby 1 priority 254
 standby 1 preempt
!
interface FastEthernet0/0.5
 encapsulation dot1Q 50
 ip address 192.168.50.100 255.255.255.0
 standby 1 ip 192.168.50.103
 standby 1 priority 244
 standby 1 preempt
!
interface FastEthernet0/1
 ip address 192.168.1.2 255.255.255.0
 duplex auto
 speed auto
 standby 1 ip 192.168.1.4
 standby 1 priority 200
 standby 1 preempt
!
interface Vlan1
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 network 192.168.50.0 0.0.0.255 area 0
 network 172.16.0.0 0.0.255.255 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1 
!
ip flow-export version 9
!
!
ip access-list extended nodelhi
 deny ip 192.168.10.0 0.0.0.255 10.10.10.0 0.0.0.255
 deny ip 192.168.10.0 0.0.0.255 10.10.20.0 0.0.0.255
 deny ip 192.168.10.0 0.0.0.255 10.10.30.0 0.0.0.255
 deny ip 192.168.20.0 0.0.0.255 10.10.10.0 0.0.0.255
 deny ip 192.168.20.0 0.0.0.255 10.10.20.0 0.0.0.255
 deny ip 192.168.20.0 0.0.0.255 10.10.30.0 0.0.0.255
 deny ip 192.168.30.0 0.0.0.255 10.10.10.0 0.0.0.255
 deny ip 192.168.30.0 0.0.0.255 10.10.20.0 0.0.0.255
 deny ip 192.168.30.0 0.0.0.255 10.10.30.0 0.0.0.255
 permit ip any any
!
!
!
!
!
logging 192.168.40.50
dial-peer voice 100 voip
 destination-pattern 2...
 session target ipv4:172.16.0.2
!
telephony-service
 max-ephones 16
 max-dn 20
 ip source-address 192.168.50.103 port 2000
!
ephone-dn 1
 number 1101
!
ephone-dn 2
 number 1102
!
ephone-dn 3
 number 1103
!
ephone-dn 4
 number 1201
!
ephone-dn 5
 number 1202
!
ephone-dn 6
 number 1203
!
ephone-dn 7
 number 1301
!
ephone-dn 8
 number 1302
!
ephone-dn 9
 number 1303
!
ephone-dn 10
 number 1401
!
ephone-dn 11
 number 1402
!
ephone-dn 12
 number 1403
!
ephone 1
 device-security-mode none
 mac-address 000C.CFB9.6397
 type 7960
 button 1:1
!
ephone 2
 device-security-mode none
 mac-address 0090.0CA2.8138
 type 7960
 button 1:2
!
ephone 3
 device-security-mode none
 mac-address 000A.F3DC.A6BA
 type 7960
 button 1:3
!
ephone 4
 device-security-mode none
 mac-address 00E0.A39A.7D6A
 type 7960
 button 1:4
!
ephone 5
 device-security-mode none
 mac-address 0001.641B.E859
 type 7960
 button 1:5
!
ephone 6
 device-security-mode none
 mac-address 000A.F398.3348
 type 7960
 button 1:6
!
ephone 7
 device-security-mode none
 mac-address 0030.F225.4282
 type 7960
 button 1:7
!
ephone 8
 device-security-mode none
 mac-address 0030.F296.A783
 type 7960
 button 1:8
!
ephone 9
 device-security-mode none
 mac-address 0060.3EC5.1B7D
 type 7960
 button 1:9
!
ephone 10
 device-security-mode none
 mac-address 0090.2BAD.0487
 type 7960
 button 1:10
!
ephone 11
 device-security-mode none
 mac-address 000C.85C9.631E
 type 7960
 button 1:11
!
ephone 12
 device-security-mode none
 mac-address 0003.E40C.AAA9
 type 7960
 button 1:12
!
ephone 13
 device-security-mode none
 mac-address 0002.16EB.207B
!
line con 0
 password cisco
 login
!
line aux 0
!
line vty 0 4
 login local
!
!
ntp server 192.168.40.50 key 1234
!
end
Current configuration : 4365 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname MUM-RT01-Standby
!
!
!
enable secret 5 $1$mERr$iReMtoOFQEl2wyGEfLcyU/
!
!
ip dhcp excluded-address 192.168.50.100 192.168.50.200
!
ip dhcp pool voice
 network 192.168.50.0 255.255.255.0
 default-router 192.168.50.103
 option 150 ip 192.168.50.103
 dns-server 4.4.4.4
!
!
!
ip cef
no ipv6 cef
!
!
!
username ntw1 password 0 support
!
!
!
!
!
!
!
!
ip ssh version 2
ip domain-name abc.com
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface Tunnel10
 ip address 172.16.0.3 255.255.0.0
 mtu 1476
 tunnel source FastEthernet0/1
 tunnel destination 192.1.54.5
!
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation dot1Q 10
 ip address 192.168.10.101 255.255.255.0
 ip access-group nodelhi in
 standby 1 ip 192.168.10.103
 standby 1 preempt
!
interface FastEthernet0/0.2
 encapsulation dot1Q 20
 ip address 192.168.20.101 255.255.255.0
 ip access-group nodelhi in
 standby 1 ip 192.168.20.103
 standby 1 preempt
!
interface FastEthernet0/0.3
 encapsulation dot1Q 30
 ip address 192.168.30.101 255.255.255.0
 ! nodelhi must be applied here as on MUM-RT01-Active, otherwise VLAN 30
 ! reaches Delhi unfiltered whenever this router becomes HSRP active
 ip access-group nodelhi in
 standby 1 ip 192.168.30.103
 standby 1 preempt
!
interface FastEthernet0/0.4
 encapsulation dot1Q 40
 ip address 192.168.40.101 255.255.255.0
 standby 1 ip 192.168.40.103
 standby 1 preempt
!
interface FastEthernet0/0.5
 encapsulation dot1Q 50
 ip address 192.168.50.101 255.255.255.0
 standby 1 ip 192.168.50.103
 standby 1 preempt
!
interface FastEthernet0/1
 ip address 192.168.1.3 255.255.255.0
 duplex auto
 speed auto
 standby 1 ip 192.168.1.4
 standby 1 preempt
!
interface Serial0/2/0
 no ip address
 clock rate 2000000
 shutdown
!
interface Serial0/2/1
 no ip address
 clock rate 2000000
!
interface Vlan1
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 network 192.168.50.0 0.0.0.255 area 0
 network 172.16.0.0 0.0.255.255 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1 
!
ip flow-export version 9
!
!
ip access-list extended nodelhi
 deny ip 192.168.10.0 0.0.0.255 10.10.10.0 0.0.0.255
 deny ip 192.168.10.0 0.0.0.255 10.10.20.0 0.0.0.255
 deny ip 192.168.10.0 0.0.0.255 10.10.30.0 0.0.0.255
 deny ip 192.168.20.0 0.0.0.255 10.10.10.0 0.0.0.255
 deny ip 192.168.20.0 0.0.0.255 10.10.20.0 0.0.0.255
 deny ip 192.168.20.0 0.0.0.255 10.10.30.0 0.0.0.255
 deny ip 192.168.30.0 0.0.0.255 10.10.10.0 0.0.0.255
 deny ip 192.168.30.0 0.0.0.255 10.10.20.0 0.0.0.255
 deny ip 192.168.30.0 0.0.0.255 10.10.30.0 0.0.0.255
 permit ip any any
!
!
!
!
!
logging 192.168.40.50
dial-peer voice 100 voip
 destination-pattern 2...
 session target ipv4:172.16.0.4
!
telephony-service
 max-ephones 16
 max-dn 20
 ip source-address 192.168.50.103 port 2000
!
ephone-dn 1
 number 1101
!
ephone-dn 2
 number 1102
!
ephone-dn 3
 number 1103
!
ephone-dn 4
 number 1201
!
ephone-dn 5
 number 1202
!
ephone-dn 6
 number 1203
!
ephone-dn 7
 number 1301
!
ephone-dn 8
 number 1302
!
ephone-dn 9
 number 1303
!
ephone-dn 10
 number 1401
!
ephone-dn 11
 number 1402
!
ephone-dn 12
 number 1403
!
ephone 1
 device-security-mode none
 mac-address 000C.CFB9.6397
 type 7960
 button 1:1
!
ephone 2
 device-security-mode none
 mac-address 0090.0CA2.8138
 type 7960
 button 1:2
!
ephone 3
 device-security-mode none
 mac-address 000A.F3DC.A6BA
 type 7960
 button 1:3
!
ephone 4
 device-security-mode none
 mac-address 00E0.A39A.7D6A
 type 7960
 button 1:4
!
ephone 5
 device-security-mode none
 mac-address 0001.641B.E859
 type 7960
 button 1:5
!
ephone 6
 device-security-mode none
 mac-address 000A.F398.3348
 type 7960
 button 1:6
!
ephone 7
 device-security-mode none
 mac-address 0030.F225.4282
 type 7960
 button 1:7
!
ephone 8
 device-security-mode none
 mac-address 0030.F296.A783
 type 7960
 button 1:8
!
ephone 9
 device-security-mode none
 mac-address 0060.3EC5.1B7D
 type 7960
 button 1:9
!
ephone 10
 device-security-mode none
 mac-address 0090.2BAD.0487
 type 7960
 button 1:10
!
ephone 11
 device-security-mode none
 mac-address 000C.85C9.631E
 type 7960
 button 1:11
!
ephone 12
 device-security-mode none
 mac-address 0003.E40C.AAA9
 type 7960
 button 1:12
!
ephone 13
 device-security-mode none
 mac-address 0002.16EB.207B
!
line con 0
 password cisco
 login
!
line aux 0
!
line vty 0 4
 login local
!
!
ntp server 192.168.40.50 key 1234
!
end

Hi Julio,

Please find the attachments.

The image shows half of the infrastructure; initially I am working on the entire Mumbai location to get access to the internet using the ASA.

Please find the configs I have written. I found that my ASA can reach its neighboring routers (HSRP and ISP routers), but none of the switches is able to reach the ASA or get through it.

Also, can you please let me know the meaning of the command:

route INSIDE <Inside networks> <inside next hop IP>

I did a tracert from the user end and found that it got stuck at 192.168.1.1, i.e. the inside interface, but could not get through it.

Also, when I try to reach one of my users from the server 4.4.4.4 it shows "request timed out". When I did a tracert from the server to reach my user, it got stuck at 192.1.23.2.

From the above I conclude the following:

- The ASA can ping its neighbors and vice versa.
- Users can't get access to the internet (4.4.4.4 and 8.8.8.8; it shows request timed out).
- The internet server can only reach as far as 192.1.23.2, i.e. ISPR1.
- When doing a tracert, users can only reach up to 192.168.1.1 (i.e. the ASA).
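Pulling together Julio's any-any starter config and Ketan's question about what `route INSIDE <Inside networks> <inside next hop IP>` means, the following is an added example in ASA CLI; it is not from the thread, from the routers' configs, or from Cisco documentation. It fills the placeholders with the addresses that appear on the page (ASA inside interface 192.168.1.1/24, the routers' HSRP VIP 192.168.1.4 on that subnet, user VLANs 192.168.10.0 to 192.168.50.0/24) and marks everything else as an assumption: 8.3+ NAT syntax, the outside address and ISP next hop, the PAT block, and the set of services permitted outbound. It shows the troubleshooting any-any state beside the least-privilege state to leave in place once the path works.

```cisco
! Added example, not from the thread. Assumed: ASA 8.3+ syntax, the
! placeholders in <>, the PAT block, and the outbound service set in step 2.
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address <outside-ip> <outside-mask>
!
interface GigabitEthernet0/1
 nameif INSIDE
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! route <nameif> <network> <mask> <next-hop>: the ASA only knows its
! connected subnets. Without these, a reply to a 192.168.40.x host is
! dropped at the ASA with "no route", which matches a tracert that stops
! at 192.168.1.1. The next hop is the routers' HSRP VIP, so failover
! between MUM-RT01-Active and MUM-RT01-Standby needs no change here.
route OUTSIDE 0.0.0.0 0.0.0.0 <ISP1-next-hop>
route INSIDE 192.168.10.0 255.255.255.0 192.168.1.4
route INSIDE 192.168.20.0 255.255.255.0 192.168.1.4
route INSIDE 192.168.30.0 255.255.255.0 192.168.1.4
route INSIDE 192.168.40.0 255.255.255.0 192.168.1.4
route INSIDE 192.168.50.0 255.255.255.0 192.168.1.4
!
! Step 1, troubleshooting only. "permit ip any any" inbound on OUTSIDE
! lets the ISP side open connections to any inside host it can route to;
! the ASA is a plain router while this is in place.
access-list INSIDE-ACL extended permit ip any any
access-list OUTSIDE-ACL extended permit ip any any
access-group INSIDE-ACL in interface INSIDE
access-group OUTSIDE-ACL in interface OUTSIDE
!
! Step 2, what to leave in place once the path works. Only the user
! VLANs get out, only to the listed services (assumed set), and nothing
! is accepted on OUTSIDE unless it belongs to a connection the inside
! opened. Return traffic needs no OUTSIDE rule: the ASA is stateful,
! and "inspect icmp" extends that to ping replies.
clear configure access-list INSIDE-ACL
clear configure access-list OUTSIDE-ACL
object-group network USER-VLANS
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.20.0 255.255.255.0
 network-object 192.168.30.0 255.255.255.0
 network-object 192.168.40.0 255.255.255.0
 network-object 192.168.50.0 255.255.255.0
access-list INSIDE-ACL extended permit udp object-group USER-VLANS any eq domain
access-list INSIDE-ACL extended permit tcp object-group USER-VLANS any eq www
access-list INSIDE-ACL extended permit tcp object-group USER-VLANS any eq https
access-list INSIDE-ACL extended permit icmp object-group USER-VLANS any echo
access-list INSIDE-ACL extended deny ip any any log
access-list OUTSIDE-ACL extended deny ip any any log
access-group INSIDE-ACL in interface INSIDE
access-group OUTSIDE-ACL in interface OUTSIDE
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Assumed, not stated in the thread: 192.168.0.0/16 is private address
! space, and a server-side tracert that dies at ISPR1 (192.1.23.2) is
! what a missing return route looks like. PAT to the OUTSIDE address
! removes the need for the ISP to route the inside networks back.
object network INSIDE-NETS
 subnet 192.168.0.0 255.255.0.0
 nat (INSIDE,OUTSIDE) dynamic interface
```

To check the result on the ASA, `show route` confirms the static routes are installed, `show access-list` shows a hit count per entry, and `packet-tracer input INSIDE icmp 192.168.40.50 8 0 8.8.8.8` walks a simulated echo request from the syslog/NTP host through route lookup, ACL, NAT and inspection and names the phase that drops it, which answers the question faster than a tracert from a PC. The any-any pair exists only for that verification; an outside-facing interface left at `permit ip any any` is exactly the exposure that placing the ASA at the edge is meant to remove.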