07-24-2013 01:00 AM - edited 03-07-2019 02:33 PM
I've got two internal networks which belong to the inside vlan (or I guess it is): 10.0.0.0/24 and 192.168.2.0/24.
The IP address of my ASA is 10.0.0.1 and the router used to make the two networks talk has got two interfaces 10.0.0.42 and 192.168.2.1.
Thanks to the route command, the ASA should redirect the packets for 192.168.2.0 to 10.0.0.42 and it will manage to give them to the other network.
Here is my config:
ASA Version 8.2(5)
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
switchport access vlan 2
ip address 10.0.0.1 255.255.255.0
ip address 192.168.1.254 255.255.255.0
ftp mode passive
clock timezone GMT 1
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNpool 10.0.1.1-10.0.1.50
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route inside 192.168.2.0 255.255.255.0 10.0.0.42 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set RA-TS esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN-MAP 10 set transform-set RA-TS
crypto map VPN-MAP 30 ipsec-isakmp dynamic DYN-MAP
crypto map VPN-MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 20
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 10.0.0.10-10.0.0.40 inside
dhcpd dns 18.104.22.168 22.214.171.124 interface inside
dhcpd update dns both override interface inside
dhcpd enable inside
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server inside 10.0.0.42 /srv/tftp/cisco-rtr-01-config
username admin password 4RdDnLO1w29lihWc encrypted
username cld password zGOnThs6HPdAZhqs encrypted
tunnel-group synvpn type remote-access
tunnel-group synvpn general-attributes
tunnel-group synvpn ipsec-attributes
prompt hostname context
no call-home reporting anonymous
I can ping the router through the IP address 10.0.0.42 but not with the other one: 192.168.2.1. Do you know why I can't talk to this network even if I defined a route?
07-24-2013 01:41 AM
Can you provide the config of the router please.
Don't forget to rate helpful posts.
07-24-2013 02:27 AM
It is a Debian machine with routing functionality activated and 2 interfaces, so it simply routes.
07-24-2013 07:09 AM
If I execute the command "tracert 192.168.2.1" from my laptop (IP: 10.0.0.10), I get a time out.
If I try to ping it, I also get a time out.
I don't understand why the command "route inside 192.168.2.0 255.255.255.0 10.0.0.42 1" is not working; it's quite simple.
My laptop will talk to the ASA, packets will be forwarded to the router (10.0.0.42) and its second interface will get them (192.168.1.1).
I need help please.
07-24-2013 07:38 AM
You're talking about the 192.168.2.0 subnet but then talk about 192.168.1.1, is this a typo?
Also, for your laptop in the 10.0.0.0 subnet I suppose the default gateway is the ASA, which then sends out to the Linux router?
So you enter the inside interface and go back out the same interface to get to the Linux box?
Can you do this:
same-security-traffic permit intra-interface in global config
Don't forget to rate helpful posts.
07-24-2013 07:57 AM
My mistake, the IP address of the Linux router is 192.168.2.1/24.
You are right, my laptop gets all the DHCP information from ASA so my default gateway is the ASA.
Yes, I enter the inside interface and go back to it.
I tried to execute the command "same-security-traffic permit intra-interface" but unfortunately it didn't change anything.
When I try to reach a web service with the IP address 192.168.2.2, Firefox tells me that the "connection has been reset".
When I do a ping to 192.168.2.1, I can see ping requests in Wireshark but no reply, and no error message.
07-24-2013 05:53 PM
If your network is like below
then you are having asymmetric routing and the connection won't work when there is a firewall in the path. To verify it you could add a static route on your laptop with this command: route 192.168.2.0 mask 255.255.255.0 10.0.0.42. If asymmetric routing is the case then this command would bring your laptop's connection back to normal.
But as you said you can't get any reply while capturing in Wireshark, then I think the problem is due to the Debian machine's IP forwarding. Run the command below and see if you get 1 as the result:
Also try this from the Debian:
ping -I 10.0.0.42 192.168.2.2
Message was edited by: Thomas Fan
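The asymmetric path described in the reply above, modelled in a short added example that is not from the thread: a minimal stateful firewall that, like the ASA, only passes ACK and data packets for a flow whose SYN and SYN-ACK it has both seen. The addresses and hop lists are constructed from the thread's topology (laptop 10.0.0.10 with the ASA as default gateway, ASA inside interface 10.0.0.1, Debian router legs 10.0.0.42 and 192.168.2.1, web server 192.168.2.2); the packet trace is constructed too.

```python
"""Why a stateful firewall breaks under asymmetric routing (constructed model).

Topology assumed from the thread: the laptop's default gateway is the ASA,
the ASA hairpins 192.168.2.0/24 traffic back out its inside interface to the
Debian router at 10.0.0.42, but the Debian box is directly connected to
10.0.0.0/24 and therefore sends replies straight to the laptop, never
crossing the ASA.
"""
from dataclasses import dataclass

LAPTOP = "10.0.0.10"          # laptop address from the thread
ASA_INSIDE = "10.0.0.1"       # ASA inside interface
ROUTER_LEG_A = "10.0.0.42"    # Debian router, inside-VLAN leg
ROUTER_LEG_B = "192.168.2.1"  # Debian router, second leg
SERVER = "192.168.2.2"        # web service behind the Debian router


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str  # "SYN", "SYN-ACK", "ACK" or "PSH-ACK"


class StatefulFirewall:
    """Minimal model of ASA TCP connection tracking: ACK and data packets are
    only passed for a flow whose SYN and SYN-ACK the firewall has both seen."""

    def __init__(self):
        self.flows = {}  # (client, server) -> "SYN_SEEN" | "ESTABLISHED"
        self.log = []    # drop reasons, the way a real firewall would syslog them

    def inspect(self, pkt):
        forward = (pkt.src, pkt.dst)
        reverse = (pkt.dst, pkt.src)
        if pkt.flags == "SYN":
            self.flows[forward] = "SYN_SEEN"
            return "pass"
        if pkt.flags == "SYN-ACK":
            if self.flows.get(reverse) == "SYN_SEEN":
                self.flows[reverse] = "ESTABLISHED"
                return "pass"
            return self._drop(pkt, "SYN-ACK for unknown flow")
        key = forward if forward in self.flows else reverse
        if self.flows.get(key) == "ESTABLISHED":
            return "pass"
        return self._drop(pkt, "no completed handshake seen for this flow")

    def _drop(self, pkt, reason):
        self.log.append(f"deny {pkt.flags} {pkt.src}->{pkt.dst}: {reason}")
        return "drop"


def route(pkt, laptop_has_static_route):
    """Constructed hop list for each direction.

    Replies from 192.168.2.0/24 never touch the ASA because the Debian router
    has a directly connected route to 10.0.0.0/24.
    """
    if pkt.src == LAPTOP:
        if laptop_has_static_route:  # the 'route 192.168.2.0 mask ...' test
            return [LAPTOP, ROUTER_LEG_A, SERVER]
        return [LAPTOP, ASA_INSIDE, ROUTER_LEG_A, SERVER]
    return [SERVER, ROUTER_LEG_B, LAPTOP]


def simulate(laptop_has_static_route):
    """Run a TCP handshake plus one data segment; return per-packet verdicts
    and the firewall's drop log."""
    fw = StatefulFirewall()
    trace = [
        Packet(LAPTOP, SERVER, "SYN"),
        Packet(SERVER, LAPTOP, "SYN-ACK"),
        Packet(LAPTOP, SERVER, "ACK"),
        Packet(LAPTOP, SERVER, "PSH-ACK"),  # e.g. the browser's HTTP GET
    ]
    verdicts = []
    for pkt in trace:
        hops = route(pkt, laptop_has_static_route)
        verdict = fw.inspect(pkt) if ASA_INSIDE in hops else "bypassed-firewall"
        verdicts.append((pkt.flags, verdict))
    return verdicts, fw.log


def connection_works(verdicts):
    """True when no packet of the exchange was dropped by the firewall."""
    return all(v != "drop" for _, v in verdicts)


if __name__ == "__main__":
    for static in (False, True):
        verdicts, log = simulate(static)
        print(f"laptop static route to 192.168.2.0/24: {static}")
        for flags, verdict in verdicts:
            print(f"  {flags:8} {verdict}")
        for line in log:
            print("  firewall:", line)
        print("  connection works:", connection_works(verdicts))
```

Without the host static route the ASA sees the SYN, never sees the SYN-ACK (it went Debian to laptop directly), and therefore drops the laptop's ACK and the following data, which is exactly the "connection has been reset" behaviour reported above; with the host route neither direction crosses the ASA and the exchange succeeds. On a real ASA this pattern shows up in syslog as message 106015 (Deny TCP (no connection)), which is the quickest firewall-side confirmation of asymmetric routing. Note that same-security-traffic permit intra-interface only allows the hairpin; it does not change the state tracking, so the fix is to make both directions cross the firewall (the dedicated-interface suggestion below) or neither (the host static route).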
07-25-2013 12:42 AM
Yes my network is like your schema.
I've added the route on my machine and it is working. But I can't add static routes to every device on my network, I have to make it work through the ASA.
The ip_forward file contains 1 and all the ping commands are working.
Do you know what I could do please? I don't understand why the firewall (the ASA?) is making problems and why it is asymmetric routing.
07-25-2013 12:50 AM
I would suggest enabling an unused port on the firewall, assigning it the IP address 192.168.2.1 and plugging the Debian machine's LAN cable into this port. This would make your firewall also act as a router+firewall between the 10.0.0.0 network and the 192.168.2.0 network. If you have problems with this solution please let me know.
07-25-2013 01:12 AM
Thanks, I'll try your solution.
But I understand why packets would lose themselves: the default gw of the Debian is the ASA, my laptop's default gw is the ASA, they can't go through another router to come back. It's the only way.
07-25-2013 02:39 AM
Unfortunately I don't have the license which allows me to have a third VLAN.
Is there any solution to solve the asymmetric routing problem please?