2973 Views, 0 Helpful, 16 Replies

Cisco ASA routing

iwan78
Level 1

Hi guys,

I need your experience on this issue

Setup:

-WAN-[CISCO ASA]--LAN
         |
     ----DMZ----
     |         |
  routerA   routerB

DMZ IP: 192.1.1.1

Router A: 192.1.1.10

Router B: 192.1.1.12

Router A and Router B are local routers which will communicate with remote routers.

Applications behind RouterA use 10.100.2.55 address

Applications behind RouterB use 172.10.10.4 address

I have created routes for my LAN traffic to access the application addresses, using the respective router as gateway.

Strangely, I can ping and access 172.10.10.4 but not 10.100.2.55.

I do not know where to troubleshoot, as the route configurations are similar.

Regards

Iwan

16 Replies

vijayasankar
Level 4

Hi,

Ideally you should have the following in place as far as routing is concerned.

In the ASA, routes for

10.100.2.x pointing to 192.1.1.10

172.10.10.x pointing to 192.168.1.12

On both Routers A & B, you should have a default route pointing to the ASA's DMZ IP address.

Lastly, your inside LAN users should have the default gateway configured as the inside address of the ASA.

Ensure that you have all other relevant configurations in place in the ASA.

You can post the ASA's config here for our better understanding.

HTH

-VJ

Thanks for quick reply.

I have the following routes in place.

10.100.2.x pointing to 192.1.1.10

172.10.10.x pointing to 192.168.1.12

Not sure about Routers A & B having a default route pointing to the ASA DMZ interface. I will check.

Regards

Riduwan

Hi VJ

Can I email you the config file as it is too big to post here?

Regards

Riduwan

Hi Riduwan,

Sure.

-VJ

Hi VJ

Sorry, what's your email address?

Regards

Riduwan

Hi,

If possible, you can zip it and post it here so that others can also have a look.

Anyway, my email id is vijayasankar.kailasanathan@cognizant.com

-VJ

OK, see attachment.

Hi,

Your DMZ interface has the IP 192.1.1.100.

And you said that Routers A and B are in this DMZ.

As per the scenario you have explained, you need to have proper routes in the ASA to reach the networks behind Router A and Router B.

In your drawing you have mentioned that router A is 192.1.1.10

and Router B is 192.1.1.12.

If this is correct, then you should have the following routes in the ASA.

route DMZ 10.100.2.0 255.255.255.0 192.1.1.10 1

route DMZ 172.10.10.0 255.255.255.0 192.1.1.12 1

But these routes are not there in your config. However, I could see the following route for one of the above subnets, which is wrong as per the scenario mentioned by you.

route DMZ 10.100.2.0 255.255.255.0 192.1.1.35 1

What is 192.1.1.35?

HTH

-VJ

Hi VJ

Sorry, the config file reflects the correct IP scenario.

1) DMZ interface IP: 192.1.1.100

2) Routers connected to DMZ interface

a) 192.1.1.35

b) 192.1.1.124

Ignore the 192.1.1.10 and 192.1.1.12.

Sorry for the confusion.

Hi Iwan,

Thanks for the update.

Still, from the config that you have provided, I could only see a route for 10.100.2.0/24 pointing to 192.1.1.35.

There is no route available in the config for 172.10.10.x...?

Then how is it that you are able to reach 172.10.10.4? From where did you try to reach this?

Also, let me know from where you are trying to access the resources behind Routers A & B.

-VJ

There is a route -> route DMZ 172.19.88.0 255.255.255.0 192.1.1.124 1

Ignore the 172.10.10.x, as I was just quoting an example.

Basically, the applications behind the routers are 10.100.2.x and 172.19.88.x. Both of the routers are in my server room. One of them routes to another company in my country, while the other routes to another company in another country.

I am trying to access the applications by using Internet Explorer.

Regards

Iwan

Hi Iwan,

OK. From the config, I could see that you have proper static entries, ACLs and routes.

I believe that you are able to access 172.19.88.x properly.

But not 10.100.2.x.

If so, you have to check the config in Router A (192.1.1.35).

I'm still not clear with your topology, and I assume that you are trying to reach these problematic segments from your inside network. Correct me if I'm wrong.

Where is the segment 10.100.2.x located?

Is it located on another Ethernet interface of Router A, or located across the WAN?

If so, you need to check hop by hop and see where the problem is.

Maybe a static route to your inside network segment is not present in the next-hop router from Router A, which is connected across your WAN.

If more devices are involved from Router A to the 10.100.2.x segment, check for proper routing in all those devices.

-VJ

Yes, you are right!! I'm not able to access 10.100.2.x. In fact, I am not able to access any applications behind the 192.1.1.35 router. I am able to access applications behind the 192.1.1.124 router.

Yes, I am trying to reach networks behind the 2 routers from my inside network.

The applications are located across WAN.

Actually, I am doing migration from a Netscreen firewall to a Cisco ASA. Everything works fine with the Netscreen in place. But when I use the Cisco ASA I faced this issue with traffic going through the 192.1.1.35 router.

So, what you are saying is that on the 192.1.1.35 router there should be a route like this:

ip route 0.0.0.0 0.0.0.0 192.1.1.35

Correct me if I'm wrong.

Thanks so far

Riduwan

Hi Riduwan,

Thanks for the update.

I mean to say that you need to check the routing starting from Router A and all other devices en route to the destination network.

In your Router A, there will be static route statements to reach your network.

It could be a default route or even a specific route. Check the static routes in this router.

It should be something like

ip route 0.0.0.0 0.0.0.0 192.1.1.100

or specific routes to your internal networks, pointing to the next hop as the PIX DMZ interface (192.1.1.100).

Similarly check the routes on other devices starting from Router A till the destination network.

You have stated that when you put the Netscreen in, everything works fine. If so, were they running any routing protocol between the Netscreen and Router A? Check this out too.

HTH

-VJ
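The checks VJ describes in this thread (the ASA needs a route for each network behind a DMZ router, and each router needs a return route for the inside network pointing back at the ASA's DMZ address) can be verified mechanically from the configs before touching the devices. The script below is an added example, not code from the thread or from Cisco: it parses ASA `route` lines and IOS `ip route` lines, then audits one inside-to-application flow in both directions. The ASA routes are the ones quoted in the thread; the router configs, the 192.1.1.0/24 DMZ mask and the 192.168.50.0/24 inside network are constructed assumptions, and the default route pointing at 192.1.1.35 itself is included only to show how the mistake Riduwan asked about would be flagged.

```python
"""Two-way static-routing audit for an ASA with application routers on a DMZ.

Added example for the thread above; configs below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass

# Assumed topology values (the thread gives the DMZ IP; the mask and the
# inside subnet are assumptions for the example).
DMZ_IP = ipaddress.IPv4Address("192.1.1.100")
DMZ_NET = ipaddress.IPv4Network("192.1.1.0/24")
INSIDE_HOST = "192.168.50.20"

# ASA static routes quoted in the thread.
ASA_CONFIG = """
route DMZ 10.100.2.0 255.255.255.0 192.1.1.35 1
route DMZ 172.19.88.0 255.255.255.0 192.1.1.124 1
"""

# Constructed router configs: Router B returns traffic to the ASA correctly,
# Router A carries the self-referencing default route from the question.
ROUTER_CONFIGS = {
    "192.1.1.124": "ip route 0.0.0.0 0.0.0.0 192.1.1.100",
    "192.1.1.35": "ip route 0.0.0.0 0.0.0.0 192.1.1.35",
}


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: ipaddress.IPv4Address
    iface: str = ""


def _addr(token):
    """Return an IPv4Address for token, or None if it is not one (e.g. an interface name)."""
    try:
        return ipaddress.IPv4Address(token)
    except ValueError:
        return None


def parse_asa_routes(config):
    """Parse 'route <ifname> <net> <mask> <next-hop> [metric]' lines."""
    for line in config.splitlines():
        p = line.split()
        if len(p) >= 5 and p[0] == "route" and _addr(p[4]) is not None:
            yield Route(ipaddress.IPv4Network(f"{p[2]}/{p[3]}"), _addr(p[4]), p[1])


def parse_ios_routes(config):
    """Parse 'ip route <net> <mask> <next-hop>' lines; routes via an interface name are skipped."""
    for line in config.splitlines():
        p = line.split()
        if len(p) >= 5 and p[:2] == ["ip", "route"] and _addr(p[4]) is not None:
            yield Route(ipaddress.IPv4Network(f"{p[2]}/{p[3]}"), _addr(p[4]))


def lookup(routes, dst):
    """Longest-prefix match; None when no route covers dst."""
    return max((r for r in routes if dst in r.prefix),
               key=lambda r: r.prefix.prefixlen, default=None)


def check_path(asa_routes, routers, src, dst):
    """Audit inside src -> dst. Returns a list of findings; empty means consistent."""
    fwd = lookup(asa_routes, dst)
    if fwd is None:
        return [f"ASA has no route to {dst}"]
    if fwd.next_hop not in DMZ_NET:
        return [f"ASA next hop {fwd.next_hop} for {dst} is not on the DMZ subnet {DMZ_NET}"]
    router_routes = routers.get(fwd.next_hop)
    if router_routes is None:
        return [f"no config available for next-hop router {fwd.next_hop}"]
    ret = lookup(router_routes, src)
    if ret is None:
        return [f"router {fwd.next_hop} has no return route to {src}"]
    if ret.next_hop == fwd.next_hop:
        return [f"router {fwd.next_hop} return route for {src} points at itself"]
    if ret.next_hop != DMZ_IP:
        return [f"router {fwd.next_hop} returns {src} via {ret.next_hop}, not the ASA DMZ address {DMZ_IP}"]
    return []


def audit(dst_str, src_str=INSIDE_HOST):
    """Build the topology from the sample configs and audit one flow."""
    asa = list(parse_asa_routes(ASA_CONFIG))
    routers = {ipaddress.IPv4Address(ip): list(parse_ios_routes(cfg))
               for ip, cfg in ROUTER_CONFIGS.items()}
    return check_path(asa, routers, ipaddress.IPv4Address(src_str), ipaddress.IPv4Address(dst_str))


if __name__ == "__main__":
    for target in ("172.19.88.10", "10.100.2.55", "172.10.10.4"):
        print(target, "->", audit(target) or ["OK"])
```

Running it shows the pattern in the thread: the 172.19.88.x flow passes both directions, the 10.100.2.x flow fails only on the return path at Router A, and the 172.10.10.x address, which turned out to be just an example, has no ASA route at all. Swapping in the real `show running-config` output for the constructed strings is the only change needed to use it on an actual migration.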