03-11-2021 10:14 PM
Hey guys,
Finally I set up my network infrastructure of dreams :)))) but I have some questions that pop up in my mind. Let me first sketch my network.
ISP modem (uses PPPoE) --> ASA --> router 2611XM --> switch 2950 --> host
Question 1: After I configured all devices I put them together, but when I try to access the outside I don't have access (from the host --> switch --> router --> ASA --> outside), but when I connect my laptop to the ASA it works perfectly. Why?
The routes I set up in my case are:
on the router: ip route 172.16.2.0 255.255.255.252 172.16.2.1
on the ASA: route Home-Network 172.16.30.160 255.255.255.240 172.16.2.2 1 (also, on the ASA, when I set the route do I use inside or outside?)
Question 2: Why, when I use the config below, can I access the outside? (With this I can access it, but from what I know it is not OK to use a default route.)
on the router: ip route 0.0.0.0 0.0.0.0 172.16.2.1
on the ASA: route Home-Network 172.16.30.160 255.255.255.240 172.16.2.2 1 (also, on the ASA, when I set the route do I use inside or outside?)
Question 3: Do you have some tips to improve my network security and QoS?
Below are the config settings for each device:
Cisco Switch 2950 config
Building configuration...
Current configuration : 5639 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname S1-BETA
!
enable secret 5 dddddddddd
!
username xxxx password 7 yyyyyy
!
class-map match-all SERVER
match access-group name SERVER
class-map match-all TRANSFER
match access-group name TRANSFER
class-map match-all MANAGEMENT
match access-group name MANAGEMENT
class-map match-all EMAIL
match access-group name EMAIL
class-map match-all WEB
match access-group name WEB
!
!
policy-map MARKING-TRAFFIC
class SERVER
police 3000000 8192 exceed-action drop
!
ip subnet-zero
!
ip dhcp snooping vlan 55
ip dhcp snooping
no ip domain-lookup
ip domain-name xxxxxx.com
ip ssh time-out 120
ip ssh authentication-retries 3
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
interface FastEthernet0/1
description this is a trunk port
switchport trunk native vlan 88
switchport trunk allowed vlan 19,29,55,88,94
switchport mode trunk
switchport nonegotiate
ip dhcp snooping trust
!
interface FastEthernet0/2
switchport access vlan 55
switchport mode access
switchport nonegotiate
switchport port-security maximum 8
spanning-tree portfast
spanning-tree bpduguard enable
ip dhcp snooping limit rate 6
!
interface FastEthernet0/3
switchport access vlan 94
switchport mode access
switchport port-security maximum 2
ip dhcp snooping trust
!
interface FastEthernet0/4 - f0/24
switchport access vlan 999
switchport mode access
shutdown
!
interface Vlan1
no ip address
no ip route-cache
shutdown
!
interface Vlan55
ip address 172.16.30.162 255.255.255.240
ip helper-address 172.16.30.161
no ip route-cache
!
ip default-gateway 172.16.30.161
ip http server
!
ip access-list extended EMAIL
permit tcp 172.16.30.160 0.0.0.15 any eq pop2
permit udp 172.16.30.160 0.0.0.15 any eq 109
permit tcp 172.16.30.160 0.0.0.15 any eq pop3
permit udp 172.16.30.160 0.0.0.15 any eq 110
permit tcp 172.16.30.160 0.0.0.15 any eq 995
permit udp 172.16.30.160 0.0.0.15 any eq 995
permit udp 172.16.30.160 0.0.0.15 any eq 25
permit tcp 172.16.30.160 0.0.0.15 any eq smtp
permit tcp 172.16.30.160 0.0.0.15 any eq 220
permit udp 172.16.30.160 0.0.0.15 any eq 220
permit tcp 172.16.30.160 0.0.0.15 any eq 143
permit udp 172.16.30.160 0.0.0.15 any eq 143
permit tcp 172.16.30.160 0.0.0.15 any eq 993
permit udp 172.16.30.160 0.0.0.15 any eq 993
ip access-list extended MANAGEMENT
permit tcp 172.16.30.160 0.0.0.15 any eq telnet
permit udp 172.16.30.160 0.0.0.15 any eq 23
permit tcp 172.16.30.160 0.0.0.15 any eq 22
permit udp 172.16.30.160 0.0.0.15 any eq 22
ip access-list extended SERVER
permit ip host 172.16.30.173 host 172.16.1.2
ip access-list extended TRANSFER
permit udp 172.16.30.160 0.0.0.15 any eq 20
permit tcp 172.16.30.160 0.0.0.15 any eq ftp-data
permit udp 172.16.30.160 0.0.0.15 any eq 21
permit tcp 172.16.30.160 0.0.0.15 any eq ftp
permit udp 172.16.30.160 0.0.0.15 any eq tftp
permit tcp 172.16.30.160 0.0.0.15 any eq 69
permit tcp 172.16.30.160 0.0.0.15 any eq 115
permit udp 172.16.30.160 0.0.0.15 any eq 115
ip access-list extended WEB
permit tcp 172.16.30.160 0.0.0.15 any eq www
permit udp 172.16.30.160 0.0.0.15 any eq 80
permit tcp 172.16.30.160 0.0.0.15 any eq 443
permit udp 172.16.30.160 0.0.0.15 any eq 443
banner motd ^C If you are not the ADMIN get the got!!!!^C
!
line con 0
exec-timeout 180 0
login local
line vty 0 4
exec-timeout 180 0
login local
transport input ssh
line vty 5 15
exec-timeout 180 0
login local
transport input ssh
!
!
end
---------------------------------------------------------------------------------------------------------
Cisco Router 2600 config
Building configuration...
Current configuration : 3386 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1-ALFA
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 10
enable secret ggggggggggggg
!
aaa new-model
!
!
aaa authentication login local_auth local
!
!
aaa session-id common
no network-clock-participate slot 1
no network-clock-participate wic 0
no ip source-route
no ip gratuitous-arps
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.30.161
ip dhcp excluded-address 172.16.30.175
ip dhcp excluded-address 172.16.30.162
ip dhcp excluded-address 172.16.30.173
ip dhcp excluded-address 172.16.30.172
ip dhcp excluded-address 172.16.30.171
!
ip dhcp pool theAPinside
network 172.16.30.160 255.255.255.240
default-router 172.16.30.161
dns-server 213.156.124.1
!
!
no ip bootp server
login block-for 180 attempts 3 within 180
!
multilink bundle-name authenticated
!
!
!
!
!
username rrrrrrrrrrr password vvvvvvvvvv
archive
log config
hidekeys
!
!
!
!
ip ssh port xxxxxxx rotary 12
!
class-map match-any SERVER
match access-group name SERVER
class-map match-any TRANSFER
match access-group name TRANSFER
class-map match-any MANAGEMENT
match access-group name MANAGEMENT
class-map match-any EMAIL
match access-group name EMAIL
class-map match-any WEB
match access-group name WEB
!
!
!
!
interface FastEthernet0/0
description The interface that talk with ASA for net
ip address 172.16.2.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface FastEthernet0/1
description The interface that let you to play inside
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface FastEthernet0/1.19
description The vlan from devices like printes (static)
encapsulation dot1Q 19
ip address 172.31.245.145 255.255.255.240
no cdp enable
!
interface FastEthernet0/1.29
description The vlan for something I don't know
encapsulation dot1Q 29
ip address 172.16.0.1 255.255.255.240
no cdp enable
!
interface FastEthernet0/1.55
description The vlan for play on net
encapsulation dot1Q 55
ip address 172.16.30.161 255.255.255.240
no cdp enable
!
interface FastEthernet0/1.88
shutdown
no cdp enable
!
interface FastEthernet0/1.94
description the vlan for farmvile
encapsulation dot1Q 94
ip address 172.16.1.1 255.255.255.240
no cdp enable
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.16.2.1
!
!
no ip http server
ip http secure-server
ip dns server
!
ip access-list extended fohSSH
deny tcp any any eq 22
permit tcp any any eq xxxxx
!
no cdp run
!
!
!
!
control-plane
!
!
banner motd ^CIf you're not the Admin get out!!^C
!
line con 0
exec-timeout 180 0
login authentication local_auth
line aux 0
login authentication local_auth
line vty 0 4
access-class fohSSH in
rotary 12
transport input ssh
line vty 5 9
access-class fohSSH in
rotary 12
transport input ssh
line vty 10
access-class fohSSH in
login authentication local_auth
rotary 12
transport input ssh
line vty 11 15
access-class fohSSH in
rotary 12
transport input ssh
!
!
end
------------------------------------------------------------------------------------------------------
ASA Version 8.4(5)
!
interface Ethernet0/0
description Home Outside Network
switchport access vlan 888
!
interface Ethernet0/1
description Home Inside Network
switchport access vlan 999
!
interface Vlan888
description This is the outside / ISP side
nameif outside
security-level 0
pppoe client vpdn group ISP-CON
ip address pppoe setroute
!
interface Vlan 999
description the Home Network
nameif Home-Network
security-level 100
ip address 172.16.2.1 255.255.255.252
!
nat (Home-Network,outside) after-auto source dynamic any interface
route Home-Network 172.16.30.160 255.255.255.240 172.16.2.2 1
!
vpdn group ISP-CON request dialout pppoe
vpdn group ISP-CON localname xxxxxxxxxxxxx
vpdn group ISP-CON ppp authentication pap
vpdn username ******* password ***** store-local
03-11-2021 10:23 PM
Also I want to mention that when I try to connect other devices that need an IP from the DHCP server on the router, it tells me it is connected, but when I try to access a website or something else it disconnects me and says that I don't have access to the internet (I'm using subinterfaces). The configs are above.
03-12-2021 12:00 AM
Hello,
The crucial part that you did not post is the full configuration of the ASA; can you post that as well?
03-12-2021 12:21 AM
Hey, yes:
ASA Version 8.4(5)
!
terminal width 350
hostname Dark-Angel
domain-name xxxxx.com
enable password xfffffffffff encrypted
passwd .fffffffffffffff encrypted
names
!
interface Ethernet0/0
description Home Outside Network
switchport access vlan 888
!
interface Ethernet0/1
description Home Inside Network
switchport access vlan 999
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
shutdown
no nameif
no security-level
no ip address
!
interface Vlan888
description This is the outside / ISP side
nameif outside
security-level 0
pppoe client vpdn group ISP-CON
ip address pppoe setroute
!
interface Vlan999
description the Home Network
nameif Home-Network
security-level 100
ip address 172.16.2.1 255.255.255.252
!
banner motd #If you are not the admin get out#
ftp mode passive
dns server-group DefaultDNS
domain-name xxxxxxx.com
pager lines 24
mtu outside 1500
mtu Home-Network 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
icmp permit any echo Home-Network
icmp permit any echo-reply Home-Network
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
nat (Home-Network,outside) after-auto source dynamic any interface
route Home-Network 172.16.30.160 255.255.255.240 172.16.2.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 172.16.30.173 255.255.255.255 Home-Network
http authentication-certificate Home-Network
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
no service password-recovery
telnet timeout 5
ssh 172.16.30.160 255.255.255.240 Home-Network
ssh 172.16.30.173 255.255.255.255 Home-Network
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 5
vpdn group ISP-CON request dialout pppoe
vpdn group ISP-CON localname *****
vpdn group ISP-CON ppp authentication pap
vpdn username ***** password ***** store-local
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username xxxxxxxxx password xxxxxxxxxx encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:823de3cb0c0cb0434324c68eaed234234237c1
: end
03-12-2021 12:41 AM
Hello,
It looks like you are missing some NAT and static routes. Add the below to your ASA config:
object network INSIDE_SUBNETS
subnet 172.16.0.0 255.255.0.0
nat (any,outside) dynamic interface
route Home-Network 172.31.245.144 255.255.255.240 172.16.2.2 1
route Home-Network 172.16.0.0 255.255.255.240 172.16.2.2 1
route Home-Network 172.16.1.0 255.255.255.240 172.16.2.2 1
03-12-2021 01:14 AM
OK, thank you, but I have a few questions (the questions are because I didn't tell you some particulars, my bad, sorry).
1. If I'm correct, the command below is to translate all private IPs to public, right?
object network INSIDE_SUBNETS
subnet 172.16.0.0 255.255.0.0
nat (any,outside) dynamic interface
If yes, can I change it to translate just two subnets? Are the changes that I made correct?
object network INSIDE_SUBNETS
subnet 172.16.1.0 255.255.255.240
subnet 172.16.30.160 255.255.255.240
nat (any,outside) dynamic interface
2. Are the static routes below used so that the internet can be accessed from all subnets?
route Home-Network 172.31.245.144 255.255.255.240 172.16.2.2 1
route Home-Network 172.16.0.0 255.255.255.240 172.16.2.2 1
route Home-Network 172.16.1.0 255.255.255.240 172.16.2.2 1
Can you tell me if I'm right in what I will write?
Let's take the route command on the ASA; from what I see it is a next-hop command, right?
route = is the command
Home-Network = in my case is the inside net, right? But if I put "outside" there, will it translate the outside address to inside? Is my logic correct or far away?
172.31.245.144 255.255.255.240 = is the destination subnet that I decided to give access to the internet, right?
172.16.2.2 1 = is the gateway of the ASA eth0/1, right?
03-12-2021 01:16 AM
Sorry if I ask too much, but when I understand I can configure things more easily.
03-12-2021 01:45 AM
Hello,
If you just want these two subnets to be NATed, then indeed just add these two to your object network:
object network INSIDE_SUBNETS
subnet 172.16.1.0 255.255.255.240
subnet 172.16.30.160 255.255.255.240
nat (any,outside) dynamic interface
The additional route is just so that the ASA knows how to route back to your internal networks:
route Home-Network 172.16.1.0 255.255.255.240 172.16.2.2 1
route Home-Network 172.16.30.160 255.255.255.240 172.16.2.2 1
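As an added example (not code from the thread or from Cisco), here is a small Python walk-through of why the two router configs from Question 1 and Question 2, and the ASA route sets before and after the answer above, behave as they do. It applies longest-prefix match to the routing tables that follow from the posted configs and checks membership in the object network INSIDE_SUBNETS as finally configured. The destination 8.8.8.8 and the host addresses 172.16.1.5 and 172.31.245.145 are constructed for the walk-through; the model covers only routing and NAT-object membership, not the ASA's security levels, inspection or the switch.

```python
from ipaddress import ip_address, ip_network

# Routing tables are lists of (prefix, next hop or interface, administrative distance).
# Prefixes are the ones posted in the thread; the 8.8.8.8 test destination and the
# host addresses 172.16.1.5 and 172.31.245.145 are constructed for this example.

# Router R1-ALFA: one connected route per (sub)interface in the posted config
ROUTER_CONNECTED = [
    (ip_network("172.16.2.0/30"),     "Fa0/0 (connected)",    0),
    (ip_network("172.31.245.144/28"), "Fa0/1.19 (connected)", 0),
    (ip_network("172.16.0.0/28"),     "Fa0/1.29 (connected)", 0),
    (ip_network("172.16.30.160/28"),  "Fa0/1.55 (connected)", 0),
    (ip_network("172.16.1.0/28"),     "Fa0/1.94 (connected)", 0),
]
# Question 1: ip route 172.16.2.0 255.255.255.252 172.16.2.1
ROUTER_Q1 = ROUTER_CONNECTED + [(ip_network("172.16.2.0/30"), "172.16.2.1", 1)]
# Question 2: ip route 0.0.0.0 0.0.0.0 172.16.2.1
ROUTER_Q2 = ROUTER_CONNECTED + [(ip_network("0.0.0.0/0"), "172.16.2.1", 1)]

# ASA: connected Home-Network /30 plus the default installed by "ip address pppoe setroute"
ASA_BASE = [
    (ip_network("172.16.2.0/30"), "Home-Network (connected)", 0),
    (ip_network("0.0.0.0/0"),     "outside (PPPoE setroute)", 1),
]
# As first posted: only VLAN 55 has a route back through the router
ASA_ORIGINAL = ASA_BASE + [(ip_network("172.16.30.160/28"), "172.16.2.2", 1)]
# After the accepted answer: VLAN 94 gets one too
ASA_FIXED = ASA_ORIGINAL + [(ip_network("172.16.1.0/28"), "172.16.2.2", 1)]

# object network INSIDE_SUBNETS as finally configured in the thread
INSIDE_SUBNETS = [ip_network("172.16.1.0/28"), ip_network("172.16.30.160/28")]


def lookup(table, dst):
    """Longest-prefix match; ties broken by lowest administrative distance.
    Returns the winning (prefix, next_hop, ad) tuple, or None when nothing matches."""
    dst = ip_address(dst)
    matches = [route for route in table if dst in route[0]]
    if not matches:
        return None
    return min(matches, key=lambda route: (-route[0].prefixlen, route[2]))


def trace(src, dst, router, asa, nat_object=INSIDE_SUBNETS):
    """Follow one host -> Internet packet and its reply through router and ASA.
    Returns 'ok' or a string naming the first point where the flow breaks."""
    if lookup(router, dst) is None:
        return f"router: no route to {dst}, packet dropped"
    if lookup(asa, dst) is None:
        return f"asa: no route to {dst}, packet dropped"
    if not any(ip_address(src) in net for net in nat_object):
        return f"asa: {src} is not covered by object INSIDE_SUBNETS, leaves untranslated"
    back = lookup(asa, src)  # where the ASA sends the reply for this inside host
    if back[1] != "172.16.2.2":
        return f"asa: reply to {src} follows {back[0]} via {back[1]} instead of the router"
    return "ok"


if __name__ == "__main__":
    cases = [
        ("172.16.30.173",  ROUTER_Q1, ASA_ORIGINAL),  # Question 1 setup
        ("172.16.30.173",  ROUTER_Q2, ASA_ORIGINAL),  # Question 2 setup, VLAN 55 host
        ("172.16.1.5",     ROUTER_Q2, ASA_ORIGINAL),  # Question 2 setup, VLAN 94 host
        ("172.16.1.5",     ROUTER_Q2, ASA_FIXED),     # after the accepted answer
        ("172.31.245.145", ROUTER_Q2, ASA_FIXED),     # printer VLAN, not in the NAT object
    ]
    for src, router, asa in cases:
        print(f"{src:>15} -> 8.8.8.8: {trace(src, '8.8.8.8', router, asa)}")
```

The Question 1 route covers only the transit /30 the router is already connected to (the connected route even wins the tie, so the static adds nothing), which is why every Internet destination fails the router's lookup; a default route pointing at the ASA is the normal configuration for a router with a single path out, not a mistake. The ASA side shows the mirror-image problem: without a route back for 172.16.1.0/28, the ASA's only match for a reply is the PPPoE default and the reply heads toward the ISP. The interface name in an ASA route statement is the interface the next hop sits behind, which for 172.16.2.2 is Home-Network.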
03-12-2021 06:59 AM
Hey,
I configured the ASA with
object network INSIDE_SUBNETS
subnet 172.16.1.0 255.255.255.240
subnet 172.16.30.160 255.255.255.240
nat (any,outside) dynamic interface
and
route Home-Network 172.16.1.0 255.255.255.240 172.16.2.2 1
route Home-Network 172.16.30.160 255.255.255.240 172.16.2.2 1
----------------------------------------
on the router I used
ip route 0.0.0.0 0.0.0.0 172.16.2.1
I still can't access YouTube, Netflix, Cisco, etc.
03-12-2021 07:35 AM
Hello,
From the workstation that cannot reach YouTube, can you ping 172.16.2.1?
03-12-2021 09:16 AM
So I can ping from the workstation to the switch, router and ASA, but from the ASA back I can't.
03-13-2021 01:09 AM
Hello,
What is the IP address of the workstation? Do you see any NAT translations on the ASA (show xlate)?
06-09-2021 12:25 PM
This was the solution + an ip route on the L3 switch.
03-13-2021 01:31 AM
Hello
on the router:
interface FastEthernet0/1.88
encapsulation dot1q 88 native
no shutdown