ASA5505 - static route is not working

JohnDbury71 · ‎07-24-2013

Hello everyone,

I've got two internal networks which belong to the inside vlan (or I guess it is) : 10.0.0.0/24 and 192.168.2.0/24.

The IP address of my ASA is 10.0.0.1 and the router used to make the two networks talk has got two interfaces 10.0.0.42 and 192.168.2.1.

Thanks to the route command, the ASA should redirect the packets for 192.168.2.0 to 10.0.0.42 and it will manage to give them to the other network.

Here is my config :

: Saved

:

ASA Version 8.2(5)

!

hostname Cisco-ASA-5505

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 10.0.0.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 192.168.1.254 255.255.255.0

!

ftp mode passive

clock timezone GMT 1

access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool VPNpool 10.0.1.1-10.0.1.50

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list NONAT

nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

route inside 192.168.2.0 255.255.255.0 10.0.0.42 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set RA-TS esp-aes-256 esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map DYN-MAP 10 set transform-set RA-TS

crypto map VPN-MAP 30 ipsec-isakmp dynamic DYN-MAP

crypto map VPN-MAP interface outside

crypto isakmp enable outside

crypto isakmp policy 20

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 3600

telnet timeout 5

ssh 192.168.1.0 255.255.255.0 inside

ssh 10.0.0.0 255.255.255.0 inside

ssh timeout 5

console timeout 0

dhcpd address 10.0.0.10-10.0.0.40 inside

dhcpd dns 81.253.149.9 80.10.246.1 interface inside

dhcpd update dns both override interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

tftp-server inside 10.0.0.42 /srv/tftp/cisco-rtr-01-config

webvpn

username admin password 4RdDnLO1w29lihWc encrypted

username cld password zGOnThs6HPdAZhqs encrypted

tunnel-group synvpn type remote-access

tunnel-group synvpn general-attributes

address-pool VPNpool

tunnel-group synvpn ipsec-attributes

pre-shared-key *****

!

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:c3d233f44e742110aa0ce1f81173d47c

: end

I can ping the router through the IP address 10.0.0.42 but not with the other one : 192.168.2.1. Do you know why I can't talk to this network even if I defined a route ?

Thanks !

John

cadet alain · ‎07-24-2013

Hi John,

Can you provide the config of the router please.

Regards

Alain

Don't forget to rate helpful posts.

JohnDbury71 · ‎07-24-2013

It is a Debian machine with routing functinality activated and 2 interfaces, so it simply route

JohnDbury71 · ‎07-24-2013

If I execute the command "tracert 192.168.2.1" from my laptop (IP : 10.0.0.10), I get a time out

If I try to ping it, I get also a time out.

I don't understand why the command "route inside 192.168.2.0 255.255.255.0 10.0.042 1" is not working, it's quite simple.

My laptop will talk to the ASA, packets will be forwarded to the router (10.0.0.42) and its second interface will get them (192.168.1.1).

I need help please.

cadet alain · ‎07-24-2013

Hi,

you're talking about 192.168.2.0 subnet but then talk about 192.168.1.1, is this a typo ?

Also for your laptop in 10.0.0.0 subnet I suppose the default-gateway is the ASA which then sends out to the Linux router ?

So you enter the inside interface and go back the same interface to get to the linux box ?

Can you do this :

same-security-traffic permit intra-interface in global config

Regards

Alain

Don't forget to rate helpful posts.

JohnDbury71 · ‎07-24-2013

Hi Alain,

My mistake, the IP address of the Linux router is 192.168.2.1/24.

You are right, my laptop gets all the DHCP information from ASA so my default gateway is the ASA.

Yes I enter the inside interface and go bakc to it.

I tried to execute the command "same-security-traffic permit intra-interface" but unfortunately, it didn't change anything.

When I try to reach a web service with the IP address 192.168.2.2, Firefox tells methat the "connection has been reset".

When I do a ping to 192.168.2.1, I can see ping requests in Wireshark but no reply, and no error message.

thomas.g.fan · ‎07-24-2013

if your network is like below

then you are having asymmetric routing and connection won't work when there is a firewall in the path. to verify it you could add a static route in your laptop with this command: route 192.168.2.0 mask 255.255.255.0 10.0.0.42 if asymmetric routing is the case then this command would bring your laptop's connection back to normal.

but as you said you can't get any reply while capturing in wireshark, then i think the problem is due to debian machine's ip forwarding. run below command and see if you can get 1 for result:

cat /proc/sys/net/ipv4/ip_forward

also try this from debian:

ping -I 10.0.0.42 192.168.2.2

ping 192.168.2.2

Message was edited by: Thomas Fan

JohnDbury71 · ‎07-25-2013

Thanks Thomas,

Yes my network is like your schema.

I've added the route on y machine and it is working. But I can't add static routes to every device on my network, I have to make it work through the ASA.

The ip_forward file contains 1 and all the ping commands are working.

Do you know what I could do please ? I don't understand why the firewall (the ASA ?) is making problem and why it is an asymmetric routing.

thomas.g.fan · ‎07-25-2013

I would suggest to enable a unused port in firewall, assign it with ip address 192.168.2.1 and plug debian machine's LAN cable into this port. this would make your firewall also acting as a router+firewall between 10.0.0.0 network and 192.168.2.0 network. If you have problem with this solution please let me know.

JohnDbury71 · ‎07-25-2013

Thanks, I'll try your solution.

But I understand why packets would lose themselves, the default gw of the debian is the ASA, my laptop's default gw is the ASA, they can't go through an other router to come back. It's the only way.

JohnDbury71 · ‎07-25-2013

Unfortunately I don't have the license which allow me to have a third vlan.

Is there any solution to solve the asymmetric routing problem please ?