Small Network Routing issues with Cisco ASA 5510

jasonschelert
Level 1

Edge R1 ===== ASA .1 --- 10.0.0.0 /24 .2 (Core R1) .2 ---Serial Link-- 10.253.253.0 /24 .1 (Router3) 10.2.1.0 /24
              .1
               |
          10.1.1.0 /24

Here is my issue: I can ping from 10.1.1.0 /24 to any device on 10.2.1.0.

I can ping 10.0.0.2 from Any Device on 10.2.1.0

I can NOT ping any devices on 10.1.1.0 /24 from 10.2.1.0

I have set the security metrics the same and packet-tracer isn't giving me any warnings.

I am new to this realm, any help would be greatly appreciated. I have enabled same-security-traffic permit inter-interface and thought that would do it.

==Core Router==


! Last configuration change at 18:53:53 UTC Mon May 2 2011
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Core_R1
!
boot-start-marker
boot-end-marker
!
!
! card type command needed for slot/vwic-slot 0/0
!
no aaa new-model
!
!
dot11 syslog
no ip source-route
!
!
ip cef
!
!
!
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
!
!
!
redundancy
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
ip address 10.0.0.2 255.255.255.0
duplex auto
speed 100
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/3/0
ip address 10.253.253.2 255.255.255.0
encapsulation ppp
no fair-queue
service-module t1 clock source internal
service-module t1 timeslots 1-23
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip route 10.2.1.0 255.255.255.0 10.253.253.1
!
!
!
!
!
!
control-plane
!
!
!
!
scheduler allocate 20000 1000
end

==Router 3==


Building configuration...

Current configuration : 1062 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router3
!
boot-start-marker
boot-end-marker
!

no aaa new-model
ip subnet-zero
!
!
ip cef
!
!
!
!
!
interface FastEthernet0/0
ip address 10.2.1.1 255.255.255.0
ip helper-address 10.1.1.40
duplex auto
speed auto
!
interface Serial0/0
ip address 10.253.253.1 255.255.255.0
encapsulation ppp
fair-queue
service-module t1 clock source internal
service-module t1 timeslots 1-23
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
!
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 10.253.253.2
!
!
!

end

===ASA===

Result of the command: "sh run"

: Saved
:
ASA Version 8.3(2)
!
hostname ASAOne

!
interface Ethernet0/0
nameif Outside
security-level 0
ip address
!
interface Ethernet0/1
description MOC
nameif MOC
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Ethernet0/2
nameif Inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/3
shutdown
nameif Failover
security-level 100
no ip address
!
interface Management0/0
nameif Management
security-level 0
ip address 10.22.22.2 255.255.255.0
management-only
!
boot system disk0:/asa832-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
same-security-traffic permit inter-interface
object network CHMail002
host 10.1.1.6
object network InternalNetwork
subnet 10.1.1.0 255.255.255.0
object network NatPool
range xxxx xxxx
object network DatabaseServer
host 10.1.1.24
object network MailGateway
host xxxx
object network FWEdge
host xxxx
object network
host 10.1.1.50
object network ViewConnectionServer
host 146.129.248.21
object network 10.2.1.0-Network
subnet 10.2.1.0 255.255.255.0
object-group service SQLService tcp
description SQL Service
port-object eq 1433
object-group service CustomRDP tcp
port-object eq 3389
access-list Inside_access_in extended permit ip object InternalNetwork any log disable
access-list Inside_access_in extended permit tcp object InternalNetwork object FWEdge eq https log disable
access-list Inside_access_in extended permit icmp any any log disable
access-list Inside_access_in extended permit ip any any
access-list Outside_access_in extended permit tcp any host 10.1.1.6 eq https
access-list Outside_access_in extended permit tcp any host 10.1.1.6 eq www
access-list Outside_access_in extended permit icmp any any log disable
access-list Outside_access_in extended permit tcp object MailGateway object CHMail002 eq smtp log disable
access-list Outside_access_in extended permit tcp any object DatabaseServer object-group SQLService log disable
access-list Outside_access_in extended permit tcp any object CHFinance001 object-group CustomRDP log disable
access-list Outside_access_in extended permit tcp any host 10.1.1.6 eq smtp
access-list DMZ_access_in extended permit ip any any log disable
pager lines 24
logging enable
logging monitor debugging
logging buffered debugging
mtu Outside 1500
mtu MOC 1500
mtu Inside 1500
mtu Failover 1500
mtu Management 1500
ip verify reverse-path interface Outside
ip verify reverse-path interface MOC
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-634-53.bin
no asdm history enable
arp timeout 14400
!
object network CHMail002
nat (Inside,Outside) static xxxx dns
object network InternalNetwork
nat (Inside,Outside) dynamic NatPool interface
object network DatabaseServer
nat (Inside,Outside) static xxxx dns
!
nat (Inside,Outside) after-auto source dynamic 10.2.1.0-Network NatPool
access-group Outside_access_in in interface Outside
access-group MOC_access_in in interface MOC
access-group Inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 146.129.248.17 1
route MOC 10.2.1.0 255.255.255.0 10.0.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.1.1.116 255.255.255.255 Management
http 10.22.22.5 255.255.255.255 Management
http 10.1.1.92 255.255.255.255 Management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 1024
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:31c8ffdbf58f72772ea130dcaa1a0ea0
: end


PETER EIJSBERG
Level 1

Hi Jason,

Some observations:

On the ASA there's an ACL enabled on the MOC interface "access-group MOC_access_in in interface MOC", but it seems that ACL is not defined. Without an ACL allowing the traffic, it would be dropped.

Also it looks like there is no NAT defined between MOC and Inside - even if the traffic should not be NATted you'd still have to configure that.

The Packet Tracer should show you what goes wrong if an ICMP packet arrives at the MOC interface destined for the inside - try it and check the output....

Hope it helps!
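An added example, not part of Jason's post or Peter's reply, of how the two gaps Peter describes could be closed on this ASA 8.3(2) configuration. It reuses the object names already in the running config (10.2.1.0-Network, InternalNetwork); the branch host 10.2.1.10 used in the packet-tracer check and the choice to scope the ACL to the two subnets rather than "permit ip any any" are assumptions.

```cisco
! --- 1. Define the ACL that "access-group MOC_access_in in interface MOC"
!        already references. Scoped to the two subnets (assumption: the
!        branch only needs to reach the Inside LAN), not "permit ip any any",
!        so the MOC interface admits only what the branch actually needs.
access-list MOC_access_in extended permit icmp object 10.2.1.0-Network object InternalNetwork
access-list MOC_access_in extended permit ip object 10.2.1.0-Network object InternalNetwork
! The access-group binding for MOC is already present in the config above.
!
! --- 2. Identity (no-translation) NAT between MOC and Inside, in the 8.3
!        twice-NAT form. Real and mapped objects are identical on both sides,
!        so addresses are left untouched; the rule only tells the ASA
!        explicitly how to handle this interface pair.
nat (MOC,Inside) source static 10.2.1.0-Network 10.2.1.0-Network destination static InternalNetwork InternalNetwork
!
! --- 3. Verify from the MOC side with packet-tracer, as Peter suggests.
!        10.2.1.10 is an assumed branch host; 10.1.1.40 is the helper address
!        already configured on Router3. ICMP type 8 / code 0 = echo request.
packet-tracer input MOC icmp 10.2.1.10 8 0 10.1.1.40 detailed
! Read the output phase by phase (route lookup, access-list, NAT, ...):
! the first phase that reports DROP names the gap that is still open.
```

Because the global policy already has "inspect icmp", the echo replies from 10.1.1.0/24 are matched to the inbound request statefully, so no ACL entry is needed on the Inside interface for the return traffic.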
