ASA 5540 Routing Problem

SuperVitya
Level 1

Hi!

I have a routing-related problem on my Cisco ASA 5540.

I have configured several interfaces on the appliance. Two of them face the local subnets.

> interface GigabitEthernet0/0.252
> description -= Catalyst 6000 =-
> vlan 252
> nameif INSIDE
> security-level 90
> ip address 192.168.252.252 255.255.255.0 standby 192.168.252.242

..............

> interface Management0/0
> description -= Management =-
> nameif management
> security-level 100
> ip address 192.168.253.204 255.255.255.0 standby 192.168.253.205
> management-only

The first one is the interconnect interface with the core switch. All local users come through here to be routed to the external interface. The second one is the management interface where administrators gain access to the appliance.

The problem is that I cannot give users from the admin network 192.168.200.0/24 access to the Internet and to the appliance at the same time.

Now the static route to 192.168.200.0/24 is the following:

> route INSIDE 192.168.200.0 255.255.255.0 192.168.252.1 1

This time admin network hosts can access the Internet, but when a PC with 192.168.200.81 tries to ping 192.168.253.204 it does not succeed. In the appliance log we see the record:

> Routing failed to locate next hop for icmp from management:192.168.253.204/0 to management:192.168.200.81/0

When I change the route to

> route management 192.168.200.0 255.255.255.0 192.168.253.1 1

then it becomes possible to access the device, but return packets from the Internet cannot find the correct route to 192.168.200.0/24.

Please help me configure the appliance so that the admin network can access the Internet through 192.168.252.252 and access 192.168.253.204 at the same time.

Thank you.

5 Replies

Ganesh Hariharan
VIP Alumni

Hi,

The adaptive security appliance has a dedicated interface for device management that is referred to as the Management0/0 port. The Management0/0 port is a Fast Ethernet interface. This port is similar to the Console port, but the Management0/0 port only accepts incoming traffic to the adaptive security appliance.

Note: You can configure any interface to be a management-only interface using the management-only command. You can also disable management-only mode on the management interface. For more information about this command

You need to disable the management functionality on that port in order to use it as a normal LAN port.

Hope to Help !!

Ganesh.H

Remember to rate the helpful post

Hi, Ganesh!

Thank you for the advice. But when I removed the 'management-only' parameter from the Management0/0 interface, nothing changed. It still does not want to send outgoing packets with the source IP of the Management0/0 interface through another interface.

Hi Viktor

Is it solved?

Regards

Bharat

Bharat Negi
Level 1

Hi Viktor

Your explanation of the problem is good. However, I still have some doubts.

I think the admin subnet (.200.0/24) must be part of some VLAN on the core switch and inter-VLAN routing is enabled on the core switch. ICMP forward traffic will follow inter-VLAN routing and will reach the ASA management interface. But the return traffic will follow the ASA routing table and the ICMP echo is dropped due to routing failure. This time the admin subnet can access the Internet because the default route on the core switch must be pointing to the INSIDE interface of the ASA. Return traffic from the Internet will follow ASA routing and reach the core switch.

In second case, admin subnet can ping management as ASA has correct routing for return traffic. For internet access, you must check NAT rules or access rules on ASA.

Regards

Bharat

Hi, colleagues!

After consultations with TAC, the only solution has been confirmed.

1. On the core switch a source-based policy should be configured, so that all users come to the ASA through the common interface (.252 in my case) while users from the management subnet (.200.0/24) come to the ASA through the management interface (.253).

2. On ASA management0/0 interface the parameter 'management-only' must be removed.

3. On ASA the route to the admin subnet should be configured through the management interface (route management 192.168.200.0 255.255.255.0 192.168.253.1).

4. To allow admin traffic access to the Internet, an additional NAT rule for the Management0/0 interface should be added.

It seems to work, but temporary we use the common interface (.252) for management.

Thank you all for support.
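The following is an added model (not code from the thread or from Cisco) of the ASA behaviour behind the "Routing failed to locate next hop" log the original poster quoted: a reply the ASA sends from its own interface address leaves on the interface the request arrived on, and a next hop for the destination must exist in a route bound to that interface. It replays the two route configurations from the thread; the interface names, addresses and routes are the thread's, the rest is an assumed simplification.

```python
import ipaddress

# Routes as (nameif, network, next hop), taken from the thread. The first is the
# original poster's initial configuration, the second the one TAC confirmed.
ROUTES_VIA_INSIDE = [("INSIDE", "192.168.200.0/24", "192.168.252.1")]
ROUTES_VIA_MGMT = [("management", "192.168.200.0/24", "192.168.253.1")]


def next_hop_on(routes, egress, dst):
    """Longest-prefix match restricted to routes bound to the `egress` interface."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for nameif, net, nh in routes:
        network = ipaddress.ip_network(net)
        if nameif == egress and dst_ip in network:
            if best is None or network.prefixlen > best[0].prefixlen:
                best = (network, nh)
    return None if best is None else best[1]


def asa_reply(routes, ingress, local_ip, remote_ip, proto="icmp"):
    """Reply from the ASA's own `local_ip` to `remote_ip` for a request that
    arrived on `ingress`. The reply is pinned to `ingress`, so only routes on
    that interface count. Returns ("ok", next_hop) or ("drop", log_line)."""
    nh = next_hop_on(routes, ingress, remote_ip)
    if nh is None:
        # Same wording as the syslog line the original poster quoted.
        return ("drop", f"Routing failed to locate next hop for {proto} from "
                        f"{ingress}:{local_ip}/0 to {ingress}:{remote_ip}/0")
    return ("ok", nh)


if __name__ == "__main__":
    # Scenario 1 (first configuration): the core switch delivers the admin PC's
    # echo request straight onto the management VLAN, but the only route to
    # 192.168.200.0/24 points out INSIDE, so the echo reply is dropped.
    print(asa_reply(ROUTES_VIA_INSIDE, "management", "192.168.253.204", "192.168.200.81"))
    # Scenario 2 (TAC solution, steps 1 and 3): admin traffic is steered onto the
    # management interface and the route is bound to it, so the reply is routed.
    print(asa_reply(ROUTES_VIA_MGMT, "management", "192.168.253.204", "192.168.200.81"))
```

The model only covers replies the appliance originates itself; the NAT rule from step 4 of the solution is outside its scope.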
