08-15-2011 09:58 AM - edited 03-04-2019 01:17 PM
Attached is a diagram of my network. My company has leased some office space to an outside company that handed me a 5505 and said "We want to VPN to our HQ through your Internet". I have two issues: I need this to work and I need to be able to access the 5505 from the management network. I don't care about the VPN aspect as much as making sure that I have basic communication down. I have everything configured per the diagram, but I can't ping the 5505 outside (Vlan 2) interface. I want to be able to configure and test the VPN setup on the 5505 from Putty on my PC.
The default route on the 5520 sends traffic to 10.10.1.1 and the default route on the 5510 sends traffic to the WAN interface. I added this route on the 5510:
outside 10.94.4.0 255.255.255.0 10.10.8.1
I still can't ping the default gateway on the 5505. There is a switch between my PC and the 5520 but the default route passes the traffic to the 5520. However on my tracert I don't even get to the 5520. What's going on here? Do I have to add a route to the switch just to manage the ASA 5505?
08-17-2011 12:16 PM
No, that is why you use a different index number. Just make sure you choose an index number that is not already used. From the look of the 5510 config you have only used 1 as an index number.
Jon
08-15-2011 10:05 AM
Frank
Couple of things -
1) does your route to the 5505 really go via the outside interface? I.e. I would have thought that e0/0 was the outside interface.
2) as for the routing, if the default gateway for the IT management vlan is on the 5520 then no, you should only have to add a route to the outside 5510. You may well need to add a route back from the ASA 5505 though.
Jon
08-15-2011 12:47 PM
Jon,
Thanks for the response. Per the diagram, the e0/2 interface from the 5510 goes to the 5505.
08-15-2011 02:38 PM
Thanks for the response. Per the diagram, the e0/2 interface from the 5510 goes to the 5505.
Not really what I asked. I can see the e0/2 goes to the 5505. What I asked was: is that interface designated as "outside" on the 5510? Because I would have thought that would be e0/0.
Jon
08-15-2011 05:40 PM
E0/0 is outside on the 5510.
08-16-2011 05:04 AM
Frank
Is this solved now?
Jon
08-16-2011 05:31 AM
It's not resolved. I can't get to the Internet from behind the 5505. Default route points to the 5510. May be a DNS problem though.
08-16-2011 06:18 AM
Frank
I only asked because you didn't respond to my original thread, so I thought perhaps it was resolved.
I thought the main issue currently was to be able to get to the 5505 from your management vlan? You have this route on the 5510 -
outside 10.94.4.0 255.255.255.0 10.10.8.1
which is why I have been asking about the outside interface on the 5510. This says to get to the 10.94.4.0/24 network behind the 5505, go to the internet. That route should be -
route
Does this make sense?
Jon
08-16-2011 07:18 AM
Yes it does. I got confused. That route was since removed from the config. Now the problem I'm having is that the default access rule on e0/2 (5510) is dropping traffic to the internet. I'm using the packet trace tool and it's dropping at the ACL rule which I can't seem to override.
08-16-2011 07:24 AM
Frank
So the problem is getting to the internet from the ASA 5505 - is that correct?
If so, where are you natting the 10.94.x.x addresses before they go to the internet? Is it on the ASA 5510?
Have you set up NAT on the ASA 5510 on the e0/2 interface?
Without a lot more details and a clear explanation of what you are trying to do it's going to be difficult to help you.
Jon
08-16-2011 07:39 AM
The 10.94.4.x subnet is being natted on the 5505. I'm just passing traffic to the 5510 to go to the Internet.
08-16-2011 07:47 AM
Frank
Apologies, but I can't keep posting requests and getting one-sentence answers. I.e. if the traffic is getting dropped on the 5510, would it not make sense to perhaps post the config of the 5510 together with some details of what IP you are pinging from and what IP you are pinging to on the internet?
The thread started off with the main problem being connectivity between your management vlan and the 10.94.x.x network. I don't know whether this has been fixed but you are now talking about a completely different problem.
We try our best to help but we can't guess what the configs are. If you want to sort the problem out then you need to help us by providing all the relevant details, i.e. configs, testing details etc.
Jon
08-16-2011 08:08 AM
Jon, I apologize for the confusion based on my confusion about the network setup. I'm still trying to wrap my head around the fact that we have two firewalls and a separate company wants to add theirs behind ours. I've decided to split the problem in half instead of worrying about one monolithic configuration. I abandoned plans to do management from the IT network since it's not our device. I'm now focused on Internet access and then IPSEC, which is easy to do once we have connectivity.
The 5510 is handling the NAT translation, I was mistaken. The previous admin left things half-configured and I have to finish the configuration. So at least you can understand why I'm a bit scatter-brained.
08-16-2011 08:24 AM
Frank
No problem, wasn't getting annoyed, just trying to get the right information.
IPSEC won't necessarily be easy since you have a firewall with a private IP on its outside interface, i.e. the 5505, so NAT/PAT issues arise. Ideally the 5505 would have a public IP on its outside interface but this is not the case.
What type of IPSEC are they talking about - client VPNs or site-to-site VPNs?
Allowing access from the 10.94.x.x network to the internet should be relatively easy so let's sort that out first.
1) make sure you are allowing the traffic through the ASA5505. As long as you have not applied an acl on the inside interface then it should be.
2) make sure there is a default route on the ASA 5505 pointing to 10.10.8.1
3) on the 5510, it all depends on how your NAT is set up. Let's assume you have a standard setup, i.e. something like -
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
this would be there for your networks to be able to go out to the internet.
Now let's assume you have called e0/2 "dmz1". Then simply add this to the 5510 config -
nat (dmz1) 1 0.0.0.0 0.0.0.0
that should then allow 10.94.x.x clients to be natted as well.
4) the 5510 will need a route back to the 10.94.x.x network, i.e.
route dmz1 10.94.4.0 255.255.255.0 10.10.8.2
5) DNS. I don't know how internal clients on the 10.94.x.x network are getting an IP address, i.e. DHCP or static. But the clients on the 10.94.x.x network will need valid DNS servers to be able to type a URL into a web browser and resolve the URL to an IP address. Note that if DHCP is set up on the 5505 then you can set the DNS servers there. You really need to know how the client currently handles DNS, because if they had their own DNS server internally then it would need to be set up to forward unknown requests to internet DNS servers (probably the same ISP DNS servers that you use).
6) access-list. If you have applied an acl to e0/2 then you need to allow their internet traffic through.
Jon
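As an added illustration of steps 2 through 6 above and of the separate-NAT-index approach from the accepted answer (these are example snippets, not config posted in the thread), here are minimal pre-8.3 ASA fragments for both boxes. The 5505 inside address, the dmz1 security level, the DHCP pool, the DNS resolver addresses, the internal 10.10.0.0/16 range and the public IP 203.0.113.10 are assumed placeholders; the 10.10.8.1/10.10.8.2 link addresses and the 10.94.4.0/24 tenant LAN come from the thread.

```cisco
! ---- ASA 5505 (tenant's box) - names and addresses assumed ----
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.94.4.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.10.8.2 255.255.255.0
! Step 2: default route toward the 5510's e0/2
route outside 0.0.0.0 0.0.0.0 10.10.8.1 1
! Step 5: hand clients resolvers via DHCP (placeholder addresses)
dhcpd address 10.94.4.10-10.94.4.100 inside
dhcpd dns 192.0.2.53 192.0.2.54
dhcpd enable inside

! ---- ASA 5510 (your box) ----
interface Ethernet0/2
 nameif dmz1
 security-level 50
 ip address 10.10.8.1 255.255.255.0
! Step 3 as written above: tenant shares NAT pool 1 with your inside networks
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz1) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
! Alternative from the accepted answer: give the tenant its own public IP by
! using an unused index (2) rather than adding them to pool 1
! nat (dmz1) 2 10.94.4.0 255.255.255.0
! global (outside) 2 203.0.113.10
! Step 4: return route to the tenant LAN via the 5505's outside address
route dmz1 10.94.4.0 255.255.255.0 10.10.8.2 1
! Step 6: once an ACL is bound to dmz1 it replaces the implicit deny, so
! explicitly block the tenant from your internal range (assumed 10.10.0.0/16)
! before permitting everything else (internet) outbound
access-list dmz1_in extended deny ip 10.94.4.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list dmz1_in extended permit ip 10.94.4.0 255.255.255.0 any
access-group dmz1_in in interface dmz1
```

The deny line matters because the tenant is a separate company: without it, the permit needed for internet access would also let 10.94.4.0/24 reach your inside and management networks through the 5510.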
08-16-2011 09:40 AM
1. Check.
2. Check
3. This is where it gets hairy. We have a range of public IPs and I want the external company to have their own. So I natted 0.0.0.0 to
4. Fixed. I had this screwed up with a typo.
5. DNS is okay. There's no internal DNS server that I know of so I just had DHCP serve them up OpenDNS servers.
6. The only ACL on the e0/2 is the default one which is a deny any/any. Would this cause problems?