ASA 5505 Interface Communication

stephilewis (Level 1)

I have configured our ASA with an interface for the internal network (BeneNetwork) and one for our wireless solution (WLAN). Everything is working OK: the wireless clients receive all configuration from DHCP and can ping the gateway address, but they do not have communication to BeneNetwork.

Attached is my configuration for review.

Thank you,

ASA Version 8.2(2)
!
hostname remote
domain-name benetech.org
enable password sh3Lt8bNBi5BmLfG encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 172.16.20.100 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.240
!
interface Vlan3
description WLAN
nameif WLAN
security-level 100
ip address 172.16.30.100 255.255.255.0
!
interface Vlan4
description Benetech Network
nameif BeneNetwork
security-level 100
ip address 10.10.220.100 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 4
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 3
!
interface Ethernet0/7
switchport access vlan 3
!
ftp mode passive
dns server-group DefaultDNS
domain-name benetech.org
same-security-traffic permit inter-interface
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu WLAN 1500
mtu BeneNetwork 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any BeneNetwork
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (WLAN) 1 0.0.0.0 0.0.0.0
nat (BeneNetwork) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 10.10.220.23
dhcpd domain benetech.local
dhcpd auto_config outside
dhcpd option 3 ip 172.16.30.100
!
dhcpd address 172.16.30.150-172.16.30.200 WLAN
dhcpd enable WLAN
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c40d69de4ce1b0e912f403ec6902c2b2
: end

76 Replies

OK, I reset the default gateway back to .101. Where would I set the rule, and what type of rule?

Stephen,

In order to tell you the exact command, let me know this first:

The 10.10.220.x is directly connected to what? To a switch? Because that network is on the same segment as the INSIDE of both ASAs. Why is this?

Can't you leave the gateway to be .100?

Or do you need to be .101?

Federico.

Yes, they are both connected to the same switch. The .101 handles all our LAN and remote access, and they do not want to change that at this time. Therefore I am forced to use the other ASA for this service. I will eventually be configuring this ASA for remote access and hopefully, after our mail service is moved off-site, migrate everything else to this device, but for right now I have to do it this way.

Is this an issue of the .101 not routing back to the .100, or of the .100 dropping the packets because they are coming from the .101 and not the destination?

Try this command on the .101 ASA:
global (inside) 1 interface

Federico.

I added the command and tested from 10.10.220.23 without success. I can ping 172.16.30.191 from the .101 ASA but not from 10.10.220.23. I ran Packet Tracer from 172.16.30.191 to 10.10.220.23 with success from within the .100 ASA.

I am not in the office yet but should be soon. If I directly connected the ASAs together, would this solve the issue?

Also, I can ping .101 and .100 from 172.16.30.191 but nothing else on the 10.10.220.0 network.

Stephen,

Could you please try this:

static (inside,inside) 10.10.220.0 10.10.220.0 netmask 255.255.255.0

Federico.

Not successful. Watching the logs on the .100 ASA, it appears that no packets are returning from the .101 ASA, i.e. I can see the outbound packets from the .100 ASA but none returning.

Here is what I am getting from the .101 ASA:

3    May 13 2010    18:15:55    305006    172.16.30.191         regular translation creation failed for icmp src inside:10.10.220.23 dst inside:172.16.30.191 (type 0, code 0)

Make sure you have this:
On the .100 ASA
static (WLAN, Benetech) 172.16.30.0 172.16.30.0 netmask 255.255.255.0

On the .101 ASA
static (inside,inside) 10.10.220.0 10.10.220.0 netmask 255.255.255.0

If it does not work, do the Packet Tracer test on the .101 ASA
src IP: 10.10.220.x
dst IP: 172.16.30.x

Federico.

I added this to the .101 ASA: static (inside,inside) 172.16.30.0 172.16.30.0 netmask 255.255.255.0, and I can now ping 172.16.30.191 from the 10.10.220.0 network, but not vice versa.

I also added your suggestion of static (inside,inside) 10.10.220.0 10.10.220.0 netmask 255.255.255.0 and all works well.

Thank you Sir.
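The fix above turns on how a pre-8.3 ASA picks a translation for a packet crossing an interface pair: a matching static is used before any dynamic `nat`/`global` pair, and a dynamic `nat (ifc) 1` that matches the source with no `global` on the egress interface cannot build a translation, which is the failure the .101 log line shows for the inside-to-inside hairpin. The following is an added example, not Cisco code and not anything the posters ran: a toy Python model of that lookup order, replayed against the NAT-relevant lines of the .100 config posted at the top of the thread. The .101 excerpt is a constructed assumption (the thread never shows that box's config); the names `parse_asa`, `check_flow` and `thread_scenarios` are chosen here. It models source-address lookup only and ignores policy NAT and `nat 0 access-list` exemption.

```python
# Added example for this thread (not Cisco's code): a toy model of how an
# ASA 8.2 (pre-8.3 NAT) selects a rule for a packet entering src_if and
# leaving dst_if. Source-address lookup only; statics before dynamic rules.
import ipaddress
import re

NAMEIF_RE = re.compile(r"^nameif (\S+)$")
SECLVL_RE = re.compile(r"^security-level (\d+)$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+)\b")
STATIC_RE = re.compile(r"^static \((\S+),\s*(\S+)\) (\S+) (\S+) netmask (\S+)$")


def parse_asa(config):
    """Collect the NAT-relevant lines of an ASA 8.2 running-config."""
    cfg = {"seclevel": {}, "nat": [], "global": set(), "static": [],
           "inter": False, "intra": False, "nat_control": False}
    nameif = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAMEIF_RE.match(line):
            nameif = m.group(1)                 # security-level follows nameif
        elif (m := SECLVL_RE.match(line)) and nameif:
            cfg["seclevel"][nameif] = int(m.group(1))
        elif m := NAT_RE.match(line):           # nat (ifc) id net mask
            ifc, nat_id, net, mask = m.groups()
            cfg["nat"].append((ifc, int(nat_id),
                               ipaddress.ip_network(f"{net}/{mask}", strict=False)))
        elif m := GLOBAL_RE.match(line):        # global (ifc) id ...
            cfg["global"].add((m.group(1), int(m.group(2))))
        elif m := STATIC_RE.match(line):        # static (real,mapped) mapped real netmask m
            real_if, mapped_if, _mapped, real, mask = m.groups()
            cfg["static"].append((real_if, mapped_if,
                                  ipaddress.ip_network(f"{real}/{mask}", strict=False)))
        elif line == "same-security-traffic permit inter-interface":
            cfg["inter"] = True
        elif line == "same-security-traffic permit intra-interface":
            cfg["intra"] = True
        elif line == "nat-control":
            cfg["nat_control"] = True
    return cfg


def check_flow(cfg, src_if, dst_if, src_ip):
    """Return (passes, reason) for a packet from src_ip entering src_if and
    routed out dst_if, following the pre-8.3 lookup order."""
    ip = ipaddress.ip_address(src_ip)
    same_level = cfg["seclevel"].get(src_if) == cfg["seclevel"].get(dst_if)
    if src_if == dst_if and not cfg["intra"]:
        return False, "hairpin denied: no 'same-security-traffic permit intra-interface'"
    if src_if != dst_if and same_level and not cfg["inter"]:
        return False, "same-security pair denied: no 'same-security-traffic permit inter-interface'"
    for real_if, mapped_if, net in cfg["static"]:   # statics win over dynamic rules
        if (real_if, mapped_if) == (src_if, dst_if) and ip in net:
            return True, f"static ({real_if},{mapped_if}) {net}"
    for ifc, nat_id, net in cfg["nat"]:              # then dynamic nat/global pairs
        if ifc == src_if and ip in net:
            if (dst_if, nat_id) in cfg["global"]:
                return True, f"nat ({ifc}) {nat_id} with global ({dst_if}) {nat_id}"
            return False, (f"nat ({ifc}) {nat_id} matches but there is no global "
                           f"({dst_if}) {nat_id}: translation creation fails")
    if cfg["nat_control"]:
        return False, "nat-control is on and no rule matched"
    return True, "no NAT rule matched; nat-control is off, so the packet passes untranslated"


# NAT-relevant excerpt of the .100 ASA config posted at the top of the thread.
ASA_100 = """
nameif inside
security-level 100
nameif outside
security-level 0
nameif WLAN
security-level 100
nameif BeneNetwork
security-level 100
same-security-traffic permit inter-interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (WLAN) 1 0.0.0.0 0.0.0.0
nat (BeneNetwork) 1 0.0.0.0 0.0.0.0
"""
# Constructed assumption: the .101 config is never shown in the thread. One
# inside interface, the usual nat/global pair, hairpinning permitted.
ASA_101 = """
nameif inside
security-level 100
nameif outside
security-level 0
same-security-traffic permit intra-interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
"""
IDENTITY_WLAN = "static (WLAN,BeneNetwork) 172.16.30.0 172.16.30.0 netmask 255.255.255.0"
IDENTITY_BENE = "static (inside,inside) 10.10.220.0 10.10.220.0 netmask 255.255.255.0"


def thread_scenarios():
    """Replay the thread's situations; returns name -> (passes, reason)."""
    no_intra = ASA_101.replace("same-security-traffic permit intra-interface\n", "")
    return {
        "asa100 WLAN->BeneNetwork as posted":
            check_flow(parse_asa(ASA_100), "WLAN", "BeneNetwork", "172.16.30.191"),
        "asa100 WLAN->BeneNetwork with identity static":
            check_flow(parse_asa(ASA_100 + IDENTITY_WLAN), "WLAN", "BeneNetwork", "172.16.30.191"),
        "asa101 hairpin reply as logged":
            check_flow(parse_asa(ASA_101), "inside", "inside", "10.10.220.23"),
        "asa101 hairpin with identity static":
            check_flow(parse_asa(ASA_101 + IDENTITY_BENE), "inside", "inside", "10.10.220.23"),
        "asa101 hairpin without intra-interface permit":
            check_flow(parse_asa(no_intra), "inside", "inside", "10.10.220.23"),
    }


if __name__ == "__main__":
    for name, (passes, reason) in thread_scenarios().items():
        print(f"{'PASS' if passes else 'DROP':4} {name}: {reason}")
```

The identity static is the safer fix of the two discussed in the thread: it keeps the real addresses end to end, whereas `global (inside) 1 interface` would PAT hairpinned traffic behind the ASA's own inside address and hide the true source from anything logging on the far side.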

Stephen,

I'm very glad to hear that is working now.

Please rate the post if you find it helpful (this was the longest one I remembered ;-))

Federico.

Federico

73 posts in this thread! Definitely deserves a +5.

Jon
