
ASA 5545 & L3 configuration help

sachinc01
Level 1

Hi,

Please read the following configuration and issue, and please help to resolve this. (Network structure: Router to ASA to L3 Switch)

Router 3945

R1 WAN 10.84.35.202/30
R1 LAN 10.84.35.211/28 (Primary router)


ASA (5545):-10.84.35.210/28 Outside
                   10.84.35.65/26 Inside
                  Default route for 0.0.0.0 0.0.0.0 10.84.35.211

L3:- L3 VLAN on Switch
Vlan 2 10.84.32.1/23
Vlan 3 10.84.34.1/24
Vlan 4 10.84.35.1/26
VLAN 5 10.84.35.65/26


In this case, from the ASA I am able to reach the router (35.211 & 202) & switch (10.84.35.66).
From the router I am able to reach the ASA (10.84.35.210), & the switch is also able to reach 10.84.35.65.

Issue:- From the L3 switch, unable to reach 10.84.35.210 (ASA) & the router (10.84.35.211) also.

So can someone help me with what configuration I will need to reach the ASA outside interface & router
from the L3 switch?


Sachin


Change everything back to the original configuration and just remove the 'management-only' command from the interface connecting the firewall to the router. That command alone will stop all traffic passing through that interface.

I have reset the ASA & reconfigured it. I think the issue is happening because of the ACL. Please see the log & guide.

Hello,

can you post the new configuration ?

Hi Sir,

Please attached Config of ASA.

Following output from ASA.

#show run

#show access-list

& see the attached snap also for the ACL which is blocking our traffic.

Please see & guide which access list we need to apply on ASA

FYI...Following Subnet is our Internal (Inside) Network scope.

subnet 10.84.34.0 255.255.255.0
subnet 10.84.32.0 255.255.254.0
subnet 10.84.35.0 255.255.255.192
subnet 10.84.35.64 255.255.255.192

Outside scope is subnet 10.84.35.208 255.255.255.240

We have L3 config in last post it is same 

NOTE :-We able to reach system from ASA which is connected to L3 switch (VLAN 10.84.32.50/23) but unable to reach ASA (10.84.35.65)from system & switch..

             

Hello,

remove all access lists from the ASA, that way, you know if access lists are blocking your traffic. Where does a traceroute from 10.84.32.50 to 10.84.35.65 stop ?

Hi Sachin

Didn't read the entire posts, but as far as I noted, the issue is the inspect icmp command under the policy map; by default ICMP is restricted in the ASA because of the stateful feature.

1.inspect icmp under policymap

policy-map global_policy
class inspection_default

inspect icmp

2.issue sho ip route x.x.x.x command to know next hop for same subnet from router 

3.Decide which device will serve nat for internet purpose and configure DNS

Remember cisco interface ping by default restricted and lower security-level to high security level is also restricted

Hello,

here are the revised configurations. On your ASA, remove the 'route inside' and also the GigabitEthernet0/1.1 subinterface. Also, remove all access lists from the ASA.

On the switch, make sure you only have the default route, no default gateway.

Switch:

Core-Switch#show run
Building configuration...

Current configuration : 4669 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Core-Switch
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$IagS$/fGTqA8BL663p3p.L.F2Z.
enable password 7 0028120B26570A0F01781B
!
no aaa new-model
switch 1 provision ws-c3750g-24ts-1u
system mtu routing 1500
ip subnet-zero
ip routing
no ip domain-lookup
!
crypto pki trustpoint TP-self-signed-1202638080
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1202638080
revocation-check none
rsakeypair TP-self-signed-1202638080
!
crypto pki certificate chain TP-self-signed-1202638080
certificate self-signed 01
quit
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet1/0/1
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet1/0/2
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet1/0/3
switchport access vlan 2
switchport mode access
no cdp enable
!
interface GigabitEthernet1/0/4
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet1/0/5
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/6
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/7
switchport access vlan 3
switchport mode access
!
interface GigabitEthernet1/0/8
switchport access vlan 3
switchport mode access
!
interface GigabitEthernet1/0/9
switchport access vlan 3
switchport mode access
!
interface GigabitEthernet1/0/10
description "Connected to ASA"
no switchport
ip address 10.84.35.66 255.255.255.192
!
interface GigabitEthernet1/0/11
switchport access vlan 4
switchport mode access
!
interface GigabitEthernet1/0/12
switchport access vlan 4
switchport mode access
!
interface GigabitEthernet1/0/13
switchport access vlan 10
switchport trunk encapsulation dot1q
switchport mode access
!
interface GigabitEthernet1/0/14
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/15
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
no ip address
!
interface Vlan2
ip address 10.84.32.1 255.255.254.0
!
interface Vlan3
ip address 10.84.35.1 255.255.255.192
!
interface Vlan4
no ip address
!
interface Vlan5
ip address 10.84.34.1 255.255.255.0
!
interface Vlan10
ip address 10.84.35.215 255.255.255.240
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.84.35.65
ip http server
ip http secure-server
!
control-plane
banner motd ^C
********************************************************
********************************************************
***Unauthorized a^C
!
line con 0
line vty 0 4
password 7 030752180500011D1C5A
login
transport input telnet
line vty 5 15
login
!
end

ASA

GITFirewall# show run
: Saved
:
: Serial Number: FCH193478NR
: Hardware: ASA5545, 12288 MB RAM, CPU Lynnfield 2660 MHz, 1 CPU (8 cores)
:
ASA Version 9.2(2)4
!
hostname GITFirewall
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif management
security-level 100
ip address 10.84.32.5 255.255.254.0
!
interface GigabitEthernet0/1
description "Connected to R1"
nameif OUTSIDE1
security-level 0
ip address 10.84.35.213 255.255.255.240
!

--> remove this interface<--
interface GigabitEthernet0/1.1
no vlan
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
description "CONNECTED TO R2"
management-only
nameif OUTSIDE2
security-level 0
no ip address
!
interface GigabitEthernet0/3
nameif inside
security-level 100
ip address 10.84.35.65 255.255.255.192
!
interface GigabitEthernet0/4
nameif WAN-Secondary
security-level 0
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
no nameif
security-level 0
ip address 10.0.0.1 255.255.255.0
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
!
object network asai
host 10.84.35.65
description test
object network inside-subnet
subnet 10.84.0.0 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list Primary-WAN extended permit ip any any
access-list OUTSIDE1 extended permit ip any any
access-list 100 standard permit any4
access-list lan standard permit any4
access-list inside_access_in extended permit object-group TCPUDP interface OUTSIDE1 10.84.35.64 255.255.255.192
access-list inside_access_in extended permit object-group TCPUDP interface OUTSIDE1 10.84.32.0 255.255.254.0
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu OUTSIDE1 1500
mtu OUTSIDE2 1500
mtu inside 1500
mtu WAN-Secondary 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
!
asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (any,OUTSIDE1) source dynamic any interface
!
object network obj_any
nat (any,OUTSIDE1) dynamic interface
access-group inside_access_in in interface inside
route OUTSIDE1 0.0.0.0 0.0.0.0 10.84.35.210 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.84.32.0 255.255.254.0 management
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet 10.84.32.50 255.255.255.255 management
telnet 10.84.32.0 255.255.254.0 management
telnet 10.84.32.4 255.255.255.254 management
telnet 10.84.32.5 255.255.255.255 management
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd ping_timeout 750
dhcpd auto_config management
!
dhcpd address 10.84.32.3-10.84.32.4 management
dhcpd enable management
!
tls-proxy maximum-session 1000
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
username cisco password ffIRPGpDSOJh9YLq encrypted
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:58d12cf9b771bc8d9e6950180d74e558
: end

Primary-Router

Primary-Router#show run
Building configuration...


Current configuration : 2403 bytes
!
! Last configuration change at 11:19:16 UTC Fri Dec 23 2016
! NVRAM config last updated at 11:19:17 UTC Fri Dec 23 2016
! NVRAM config last updated at 11:19:17 UTC Fri Dec 23 2016
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Primary-Router
!
boot-start-marker
boot-end-marker

card type command needed for slot/vwic-slot 0/0
enable secret 5 $1$4GgZ$Pocj5q/v5/jTiBjhWVldp.
!
no aaa new-model
!
no ipv6 cef
! 
ip cef
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
voice-card 0
!
license udi pid C3900-SPE250/K9 sn FOC18161VCT 
!
hw-module pvdm 0/0
!
redundancy
!
interface GigabitEthernet0/0
ip address 10.84.35.201 255.255.255.252
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/2
ip address 10.84.35.210 255.255.255.240
duplex auto
speed auto
!
interface GigabitEthernet0/3
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 10.84.64.0 255.255.255.0 10.84.35.202
ip route 10.84.71.71 255.255.255.255 10.84.35.202
ip route 10.84.71.72 255.255.255.252 10.84.35.202
ip route 10.84.71.72 255.255.255.254 10.84.35.202
ip route 10.84.71.72 255.255.255.255 10.84.35.202
ip route 10.84.71.73 255.255.255.255 10.84.35.202
ip route 10.84.71.74 255.255.255.255 10.84.35.202
ip route 10.84.75.107 255.255.255.255 10.84.35.202
ip route 10.84.86.24 255.255.255.254 10.84.35.202
ip route 10.84.86.26 255.255.255.254 10.84.35.202
ip route 10.84.86.39 255.255.255.255 10.84.35.202
ip route 10.84.86.40 255.255.255.254 10.84.35.202
ip route 10.84.86.42 255.255.255.254 10.84.35.202
ip route 10.84.86.44 255.255.255.254 10.84.35.202
ip route 10.84.86.46 255.255.255.254 10.84.35.202
ip route 10.84.89.106 255.255.255.254 10.84.35.202
ip route 103.0.0.0 255.255.255.0 10.84.35.202
ip route 103.255.172.177 255.255.255.255 10.84.35.202
ip route 10.84.35.0 255.255.255.0 10.84.35.213
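
An added example, not written by any poster in this thread: a longest-prefix-match lookup over the interface addresses and static routes copied from the three configurations posted above, showing which interface each device would choose for a destination and which subnets are attached to more than one routed device. The function names (`parse`, `egress`, `shared_subnets`) are assumptions made for this illustration, and the model ignores ACLs, NAT and ARP.

```python
import ipaddress

# Interface/route lines copied from the three configs in the post above
# (excerpt: only the 10.84.x.x interfaces and the routes used here).
CONFIGS = {
    "Core-Switch": """interface GigabitEthernet1/0/10
ip address 10.84.35.66 255.255.255.192
interface Vlan2
ip address 10.84.32.1 255.255.254.0
interface Vlan3
ip address 10.84.35.1 255.255.255.192
interface Vlan5
ip address 10.84.34.1 255.255.255.0
interface Vlan10
ip address 10.84.35.215 255.255.255.240
ip route 0.0.0.0 0.0.0.0 10.84.35.65""",
    "GITFirewall": """interface GigabitEthernet0/0
ip address 10.84.32.5 255.255.254.0
interface GigabitEthernet0/1
ip address 10.84.35.213 255.255.255.240
interface GigabitEthernet0/3
ip address 10.84.35.65 255.255.255.192
route OUTSIDE1 0.0.0.0 0.0.0.0 10.84.35.210 1""",
    "Primary-Router": """interface GigabitEthernet0/0
ip address 10.84.35.201 255.255.255.252
interface GigabitEthernet0/2
ip address 10.84.35.210 255.255.255.240
ip route 10.84.35.0 255.255.255.0 10.84.35.213""",
}

def parse(text):
    """Return (connected, static) as lists of (network, interface or next hop)."""
    connected, static, iface = [], [], None
    for w in (line.split() for line in text.splitlines()):
        if w[:1] == ["interface"]:
            iface = w[1]
        elif w[:2] == ["ip", "address"]:
            connected.append((ipaddress.ip_interface(f"{w[2]}/{w[3]}").network, iface))
        elif w[:2] == ["ip", "route"] or w[:1] == ["route"]:
            # IOS "ip route <net> <mask> <gw>" and ASA "route <nameif> <net>
            # <mask> <gw>" both put net, mask and gateway at words 2, 3 and 4.
            static.append((ipaddress.ip_network(f"{w[2]}/{w[3]}"), w[4]))
    return connected, static

DEVICES = {name: parse(text) for name, text in CONFIGS.items()}

def egress(device, dst):
    """Longest-prefix match: where does `device` send a packet for `dst`?"""
    connected, static = DEVICES[device]
    routes = [(n, f"connected {i}") for n, i in connected]
    routes += [(n, f"via {gw}") for n, gw in static]
    hits = [r for r in routes if ipaddress.ip_address(dst) in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None

def shared_subnets():
    """Subnets that more than one routed device is directly attached to."""
    owners = {}
    for device, (connected, _) in DEVICES.items():
        for net, _iface in connected:
            owners.setdefault(str(net), []).append(device)
    return {net: devs for net, devs in owners.items() if len(devs) > 1}

if __name__ == "__main__":
    print(shared_subnets())
    print(egress("Core-Switch", "10.84.35.210"), "|", egress("GITFirewall", "10.84.32.50"))
```

In this model the switch treats 10.84.35.210 and 10.84.35.213 as directly connected on Vlan10 instead of following its default route to 10.84.35.65, and the ASA treats 10.84.32.0/23 as connected on GigabitEthernet0/0 (nameif management) while it has no inside route for 10.84.34.0/24.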


Hello

Please confirm the correct addressing of the WAN rtr, ASA and L3 connections and can you summarize what connectivity you do have?

I have noticed in your previous postings there are various comments regarding typos, and due to that it's hard to understand what is supposed to be correctly assigned addressing and what isn't.

I am aware you don't have access from the LAN switch, but do you have any access from the ASA? Looking at the current configuration, it seems you have incorrect static routes on the WAN rtr and again on the ASA; also, the natting doesn't seem correct.

Can you try the following:

WAN
no ip route 10.84.35.0 255.255.255.0 10.84.35.213
interface GigabitEthernet0/2
no standby 8 ip 10.84.35.209

ASA
object network inside-subnet
subnet 10.84.34.0 255.255.255.0
subnet 10.84.32.0 255.255.254.0
subnet 10.84.35.1 255.255.255.128
subnet 10.84.35.208 255.255.255.240

object-group network ECHO-REPLY
network-object inside-subnet

access-list 110 remark PING Responce
access-list 110 extended permit icmp any object-group ECHO-REPLY echo-reply

nat (inside,OUTSIDE1) after-auto source dynamic any interface
access-group 110 in interface OUTSIDE1
route OUTSIDE1 0.0.0.0 0.0.0.0 10.84.35.210 1

L3 SW
IP route 0.0.0.0 0.0.0.0 10.84.35.65

EDITED
Apologies didn't notice gpauwen response



res
Paul





Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Suggested config done (10.84.35.0 /26 correct & add).

The following two commands do not work on the ASA:

GITFirewall(config-network-object-group)# network-object inside-subnet
^
ERROR: % Invalid Hostname

GITFirewall(config)# nat (inside,OUTSIDE1) after-auto source dynamic any inte$
GITFirewall(config)# access-group 110 in interface OUTSIDE1
ERROR: access-list 110 is empty, no access control elements configured

Suggested config done, but same issue: unable to reach the ASA (outside interface) or router.

WAN means this is an MPLS link. Please see the attached logs received on the ASA.

Hello

Did you apply all the configuration I stated above to all devices?

Can you attach by file the current configuration of that ASA? You should be able to ping the directly connected WAN rtr LAN ASA-facing interface.

Res

Paul



Hi, thanks for the reply,

Server Subnets: network 10.84.35.0/26, hosts 10.84.35.1 - 10.84.35.62, broadcast 10.84.35.63, mask 255.255.255.192
ASA to Core Switch Connectivity: network 10.84.35.64/26, hosts 10.84.35.65 - 10.84.35.126, broadcast 10.84.35.127, mask 255.255.255.192
ASA to Router Connectivity: network 10.84.35.208/28, hosts 10.84.35.209 - 10.84.35.222, broadcast 10.84.35.223, mask 255.255.255.240

Please guide how to reach the ASA outside interface & router. I think the subnet & IP are OK. If anything else, please guide & suggest.

Hello,

make sure your switch config looks like this (important parts in bold):

Core-Switch#show run
Building configuration...

Current configuration : 4664 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Core-Switch
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$IagS$/fGTqA8BL663p3p.L.F2Z.
enable password 7 0028120B26570A0F01781B
!
no aaa new-model
switch 1 provision ws-c3750g-24ts-1u
system mtu routing 1500
ip subnet-zero
ip routing
no ip domain-lookup
!
!
!
crypto pki trustpoint TP-self-signed-1202638080
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1202638080
revocation-check none
rsakeypair TP-self-signed-1202638080
!
!
crypto pki certificate chain TP-self-signed-1202638080
certificate self-signed 01
quit
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
interface GigabitEthernet1/0/1
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet1/0/2
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet1/0/3
switchport access vlan 2
switchport mode access
no cdp enable
!
interface GigabitEthernet1/0/4
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet1/0/5
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/6
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/7
switchport access vlan 3
switchport mode access
!
interface GigabitEthernet1/0/8
switchport access vlan 3
switchport mode access
!
interface GigabitEthernet1/0/9
switchport access vlan 3
switchport mode access
!
interface GigabitEthernet1/0/10
switchport access vlan 4
switchport mode access
!
interface GigabitEthernet1/0/11
switchport access vlan 4
switchport mode access
!
interface GigabitEthernet1/0/12
switchport access vlan 4
switchport mode access
!
interface GigabitEthernet1/0/13
switchport access vlan 10
switchport trunk encapsulation dot1q
switchport mode access
!
interface GigabitEthernet1/0/14
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/15
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
no ip address
!
interface Vlan2
ip address 10.84.32.1 255.255.254.0
!
interface Vlan3
ip address 10.84.35.1 255.255.255.192
!
interface Vlan4
ip address 10.84.35.66 255.255.255.192
!
interface Vlan5
ip address 10.84.34.1 255.255.255.0
!
interface Vlan10
ip address 10.84.35.215 255.255.255.240
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.84.35.65
ip http server
ip http secure-server
!
!
!
control-plane

Done, but unable to reach the ASA outside interface & router.

Hello,

post the config of the ASA...something is missing.
