01-05-2023 01:46 AM - last edited on 01-08-2023 09:51 PM by Translator
Hello all
I have a Cisco Firepower 1010 running ASA. I would like one of the physical ports, Ethernet1/6, to be separated from the other ports on my inside, but it should have access to the internet. I will connect my Hikvision video monitoring and Huawei solar panel inverters to this port. I have created a VLAN for this named HikvisionHuawei and set up DHCP and DNS for it. When I connect my laptop to port 6 I get assigned an IP address as expected, but I cannot reach or ping any address. I get the error message "no route to host".
I have tried defining a default route using the route command, but I keep getting error messages when I try to use it:
route HikvisionHuawei 0 0 192.168.1.1
ERROR: Invalid next hop address 192.168.1.1, it matches our IP address
route HikvisionHuawei 0 0 212.130.193.38
ERROR: Invalid next hop address 212.130.193.38, it matches our IP address
I have attached a file with my configuration and various other show commands.
Please let me know what I'm missing in my setup.
01-06-2023 09:09 AM
I have solved it by adding an object. These are the commands I needed to add:
object network IOT
subnet 192.168.20.0 255.255.255.0
description IOT-NETWORK
nat (HikvisionHuawei,outside) dynamic interface
exit
interface vlan20
security-level 20
write mem
And it worked!!!!
I get the right IP address 192.168.20.100 when I connect and I can ping and connect to the internet, and not connect to any other network objects on my 'inside'.
Thanks Georg and MHN for your inspiration and time. I really appreciate your effort.
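For readers arriving here with the same setup, here is the isolated-segment configuration as one piece. This is an added illustration, not taken from the original poster's attached config. It assumes the names used in this thread (inside at 192.168.1.1/24 with security level 100, outside obtained via DHCP with setroute, VLAN 20 named HikvisionHuawei at 192.168.20.1/24 on Ethernet1/6); the DHCP pool range, the RFC1918 object group and the access list name IOT_IN are assumptions. Two points the accepted answer does not spell out: the default route already comes from "ip address dhcp setroute", so no route command is needed for the new segment, and relying only on security level 20 being lower than 100 to keep the IoT segment out of inside is fragile, since "same-security-traffic permit inter-interface" or a later level change reopens it. An explicit access list on the IoT interface makes the isolation independent of security levels.

```cisco
! Assumed: Ethernet1/6 is a switch port of the Firepower 1010 placed in VLAN 20
interface Ethernet1/6
 switchport mode access
 switchport access vlan 20
!
! Assumed: the SVI for the IoT segment; level 20 is lower than inside (100)
interface Vlan20
 nameif HikvisionHuawei
 security-level 20
 ip address 192.168.20.1 255.255.255.0
!
! Dynamic PAT for the IoT segment behind the outside interface address
! (the rule the accepted answer added; without it nothing from 192.168.20.0/24
! is translated towards the ISP)
object network IOT
 subnet 192.168.20.0 255.255.255.0
 description IOT-NETWORK
 nat (HikvisionHuawei,outside) dynamic interface
!
! Assumed object group covering all private address space, so the IoT segment
! cannot reach inside (or any other private segment added later)
object-group network RFC1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
!
! Assumed ACL name IOT_IN: deny IoT -> private, permit IoT -> everything else
! (internet). Applying an ACL replaces the implicit level-based behaviour on
! this interface, so the isolation no longer depends on security levels.
access-list IOT_IN extended deny ip 192.168.20.0 255.255.255.0 object-group RFC1918
access-list IOT_IN extended permit ip 192.168.20.0 255.255.255.0 any
access-group IOT_IN in interface HikvisionHuawei
!
! DHCP for the IoT segment handing out only public resolvers, as the poster
! wanted; pool range is an assumption
dhcpd address 192.168.20.100-192.168.20.200 HikvisionHuawei
dhcpd dns 1.1.1.1 1.0.0.1 interface HikvisionHuawei
dhcpd enable HikvisionHuawei
```

Traffic from the IoT devices to 192.168.20.1 itself (DHCP, pinging the gateway) is to-the-box traffic and is not evaluated by the interface ACL, so the deny line does not break the devices' own gateway access. If the cameras or inverters need to be reached from inside later, that direction is initiated from inside (level 100) and is permitted by default; nothing in IOT_IN needs to change for it.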
01-05-2023 03:18 AM - last edited on 01-08-2023 10:16 PM by Translator
Hello,
since you have "ip address dhcp setroute" configured on the outside interface, you don't really have to set another route. If you do a "show route" you should see the default route, which is automatically generated.
I think the problem is related to your global policy map.
Try and add icmp:
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
--> inspect icmp
01-05-2023 03:57 AM - last edited on 01-08-2023 10:20 PM by Translator
Thank you for the suggestion. I have enabled icmp inspection now by executing these commands
# policy-map global_policy
# class inspection_default
# inspect icmp
Unfortunately, I still can't connect to anything when I attach my laptop to port 6 on the router.
I get assigned the IP 192.168.20.20 and I can ping 192.168.20.1, but that is all. Nothing else.
I can't do any nslookup, so maybe my DNS setting doesn't work either.
When I do a ping like "ping 192.168.1.1" I get "ping: sendto: No route to host".
01-05-2023 04:10 AM - last edited on 01-08-2023 10:21 PM by Translator
Hello,
odd. What is the output of:
show route
from the ASA? Also, what OS is the laptop running? If it is a Windows machine, make sure the firewall/Defender are not blocking ICMP.
01-05-2023 04:17 AM - last edited on 01-08-2023 10:25 PM by Translator
Oh thanks for getting back this fast.
show route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 212.130.193.1 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 212.130.193.1, outside
C 192.168.1.0 255.255.255.0 is directly connected, inside
L 192.168.1.1 255.255.255.255 is directly connected, inside
C 192.168.20.0 255.255.255.0 is directly connected, HikvisionHuawei
L 192.168.20.1 255.255.255.255 is directly connected, HikvisionHuawei
C 212.130.193.0 255.255.255.0 is directly connected, outside
L 212.130.193.38 255.255.255.255 is directly connected, outside
I'm using a Mac as laptop. When I'm connected to some of the other ports on the inside, I can ping everything as usual.
01-05-2023 04:28 AM
Try and set the security level of the HikvisionHuawei to 100...
01-05-2023 04:38 AM
Thanks again.
I have changed it to 100 by running these commands:
interface vlan20
security-level 100
no shut
exit
Unfortunately, I still get the same result. Unable to ping or connect to the internet using that port 6.
01-05-2023 03:22 AM
Hi
I'm not an ASA/firewall expert so I haven't dug into that section. But I noticed that the interface Ethernet1/6 is down, and that's the reason the 192.168.20.0 network doesn't appear in the routing table. You don't have to configure any routing for this interface; it will be automatically inserted in the routing table as soon as the interface comes up.
/Mikael
01-05-2023 03:59 AM - last edited on 01-08-2023 10:27 PM by Translator
Thank you for your quick reply.
When I did the "show run" command I did not have anything connected to port 6 (as it is not working). When I connect my laptop to it, it says up.
01-05-2023 04:35 AM
Friend, one by one:
the ASA can pass the DNS request through from one interface to the other, and this needs
1- an ACL applied to the interface permitting the DNS request to pass
2- NAT configured (optional) if needed
OR
the ASA works as a DNS proxy;
this means that you send the DHCP client the IP address of the DNS server, which is the interface IP, and then the ASA, when it receives the DNS request, modifies it and sends it to the DNS server. This needs
1- the DNS IP configured as the interface IP in DHCP
2- a lookup configured on the interface that points to the DNS server
Which case are you using here?
01-05-2023 04:49 AM
Thank you for your reply.
I'm not sure I fully understand the two scenarios, but let me try to describe how I intend DNS to work in my network:
The devices connected to the trusted network (named inside) should use my private DNS server having ip 192.168.1.89 (it is a Raspberry Pi running pi-hole) and secondary DNS will be 1.1.1.1.
The devices connected to the "HikvisionHuawei" vlan associated with port 6 on the router should use the public available DNS servers 1.1.1.1/1.0.0.1 as DNS as I don't want them to be able to connect to my private DNS server.
01-05-2023 04:55 AM
I got the request; I will check your config and send you the correct steps,
but I want to ask:
does the router have a route to the public DNS server 1.1.1.1?
01-05-2023 05:05 AM
From the internal/trusted network, I can connect to any website and ping 1.1.1.1. Everything works.
From the vlan HikvisionHuawei on physical port 6, I can't connect to anything or even ping anything (except 192.168.20.1).
When I try I get "sendto: No route to host".
01-05-2023 05:09 AM - last edited on 01-19-2023 02:09 AM by Translator
Hello,
do a packet tracer and post the output:
packet-tracer input inside icmp 192.168.20.100 8 0 192.168.1.1
This is assuming that your laptop has been assigned the first available DHCP address, 192.168.20.100, if it is different, change it accordingly.
Also, add the below:
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
icmp permit any inside
icmp permit any echo inside
icmp permit any echo-reply inside
icmp permit any HikvisionHuawei
icmp permit any echo HikvisionHuawei
icmp permit any echo-reply HikvisionHuawei
01-05-2023 05:51 AM - edited 01-05-2023 06:32 AM
Thank you Georg.
I ran the config changes one by one. I get assigned ip 192.168.20.20 when connecting the cable directly to the port 6. (And I did expect to be assigned 192.168.20.100 as you wrote).
I then ran the packet tracer
packet-tracer input inside icmp 192.168.20.20 8 0 192.168.1.1
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.1.1 using egress ifc identity
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: CLUSTER-REDIRECT
Subtype: cluster-redirect
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2250062, packet dispatched to next module
Phase: 9
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 0.0.0.0 using egress ifc identity
Phase: 10
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address 0000.0000.0000 hits 75620 reference 2
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: allow
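As an added verification step (not part of the thread), the packet-tracer test should be run with the interface the traffic actually enters on. The command posted above uses "input inside" for a source on the 192.168.20.0/24 segment, so the ASA evaluates it as if the packet arrived on inside and the result does not reflect the HikvisionHuawei interface's ACL and NAT; that is why the output shows only implicit rules and an identity egress. The commands below assume the interface names from this thread and a hypothetical laptop address 192.168.20.100; the access list name IOT_IN is an assumption.

```cisco
! Simulate the laptop pinging a public address from its real ingress interface:
! expect a NAT phase translating 192.168.20.100 to the outside interface
! address, egress interface outside, and Action: allow
packet-tracer input HikvisionHuawei icmp 192.168.20.100 8 0 1.1.1.1
! DNS to the public resolver handed out by DHCP: expect Action: allow
packet-tracer input HikvisionHuawei udp 192.168.20.100 40000 1.1.1.1 53
! The IoT segment must not reach the Pi-hole on inside: with an explicit
! deny (assumed ACL IOT_IN) expect an ACCESS-LIST phase with Result: DROP
packet-tracer input HikvisionHuawei udp 192.168.20.100 40000 192.168.1.89 53
! Confirm the dynamic PAT rule for 192.168.20.0/24 exists and shows hits
show nat detail
! Live connections from the laptop while it browses (should show xlates
! out of the outside interface)
show conn address 192.168.20.100
! Hit counts on the isolation ACL; the deny line should increment when the
! blocked test above is run
show access-list IOT_IN
```

If the first tracer already stops with a DROP in the NAT or ACCESS-LIST phase, the output names the phase and the matching rule, which pinpoints the missing piece faster than pinging from the laptop.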