ASA5505 - static route is not working

JohnDbury71
Level 1

Hello everyone,

I've got two internal networks which belong to the inside vlan (or I guess it is): 10.0.0.0/24 and 192.168.2.0/24.

The IP address of my ASA is 10.0.0.1 and the router used to make the two networks talk has got two interfaces 10.0.0.42 and 192.168.2.1.

Thanks to the route command, the ASA should redirect the packets for 192.168.2.0 to 10.0.0.42 and it will manage to give them to the other network.

Here is my config:

: Saved
:
ASA Version 8.2(5)
!
hostname Cisco-ASA-5505
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.254 255.255.255.0
!
ftp mode passive
clock timezone GMT 1
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNpool 10.0.1.1-10.0.1.50
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route inside 192.168.2.0 255.255.255.0 10.0.0.42 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set RA-TS esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN-MAP 10 set transform-set RA-TS
crypto map VPN-MAP 30 ipsec-isakmp dynamic DYN-MAP
crypto map VPN-MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 3600
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 10.0.0.10-10.0.0.40 inside
dhcpd dns 81.253.149.9 80.10.246.1 interface inside
dhcpd update dns both override interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server inside 10.0.0.42 /srv/tftp/cisco-rtr-01-config
webvpn
username admin password 4RdDnLO1w29lihWc encrypted
username cld password zGOnThs6HPdAZhqs encrypted
tunnel-group synvpn type remote-access
tunnel-group synvpn general-attributes
 address-pool VPNpool
tunnel-group synvpn ipsec-attributes
 pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:c3d233f44e742110aa0ce1f81173d47c
: end

I can ping the router through the IP address 10.0.0.42 but not with the other one: 192.168.2.1. Do you know why I can't talk to this network even if I defined a route?

Thanks !

John
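As an added example (my code, not part of John's post and not Cisco software), here is a small Python script that reads the interface and route lines from the config above and works out, for a given source and destination, which interface the ASA would use in each direction. The config text embedded in it is copied from the post; the function names and the `same-security-traffic` check are mine. It flags the case where the route for 192.168.2.0/24 sends traffic back out the same inside interface it arrived on, which an ASA only forwards when `same-security-traffic permit intra-interface` is configured, and it verifies that a static route's next hop actually lies in the egress interface's subnet.

```python
import ipaddress
import re

# Constructed sample: the interface and route lines copied from the ASA 8.2(5)
# config in the post above (the rest of the config does not affect routing).
ASA_CONFIG = """
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.254 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route inside 192.168.2.0 255.255.255.0 10.0.0.42 1
"""

# ASA global command that allows traffic to enter and leave the same interface
INTRA_INTERFACE = "same-security-traffic permit intra-interface"


def parse_interfaces(config):
    """Map nameif -> connected subnet, taken from 'ip address A M' under each interface."""
    ifaces, nameif = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface ") or line == "!":
            nameif = None                      # entering or leaving an interface block
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            _, _, addr, mask = line.split()
            ifaces[nameif] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return ifaces


def parse_routes(config):
    """Return (network, next_hop, iface) for each 'route IFACE NET MASK NEXTHOP [metric]'."""
    routes = []
    for line in config.splitlines():
        m = re.match(r"\s*route (\S+) (\S+) (\S+) (\S+)", line)
        if m:
            iface, net, mask, nexthop = m.groups()
            routes.append((ipaddress.ip_network(f"{net}/{mask}", strict=False),
                           ipaddress.ip_address(nexthop), iface))
    return routes


def lookup(addr, ifaces, routes):
    """Longest-prefix match over connected subnets (next_hop None) and static routes."""
    addr = ipaddress.ip_address(addr)
    candidates = [(net, None, name) for name, net in ifaces.items()] + routes
    matches = [c for c in candidates if addr in c[0]]
    return max(matches, key=lambda c: c[0].prefixlen) if matches else None


def audit_flow(src, dst, config):
    """Describe how the ASA would forward src -> dst and the checks that matter for it."""
    ifaces, routes = parse_interfaces(config), parse_routes(config)
    ingress, egress = lookup(src, ifaces, routes), lookup(dst, ifaces, routes)
    if ingress is None or egress is None:
        return {"routable": False}
    _, next_hop, out_if = egress
    return {
        "routable": True,
        "ingress": ingress[2],
        "egress": out_if,
        "next_hop": str(next_hop) if next_hop else "connected",
        # entering and leaving the same interface (hairpin) is dropped unless permitted
        "hairpin": ingress[2] == out_if,
        "intra_interface_permitted": INTRA_INTERFACE in config,
        # a static route's next hop must sit on the egress interface's own subnet
        "next_hop_reachable": next_hop is None or next_hop in ifaces[out_if],
    }


if __name__ == "__main__":
    for flow in (("10.0.0.20", "192.168.2.1"), ("10.0.0.20", "8.8.8.8")):
        print(flow, audit_flow(*flow, ASA_CONFIG))
```

Run as-is it prints both flows; for a host on 10.0.0.0/24 reaching 192.168.2.1 the result is `hairpin` True with `intra_interface_permitted` False, which is the combination worth confirming in the running config before looking anywhere else.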

15 Replies

Deepak Kumar
VIP Alumni

Hi,

As I understand it, you are facing an asymmetric routing issue in your network.

Here is the guide for the same:

 

object network Local_LAN
subnet 10.0.0.0 255.255.255.0
!
object network Local_LAN2
subnet 192.168.2.0 255.255.255.0
!
access-list firewall_bypass extended permit ip object Local_LAN object Local_LAN2
access-list firewall_bypass extended permit ip object Local_LAN2 object Local_LAN
!
class-map class_firewall_bypass
match access-list firewall_bypass
!
policy-map inside-policy
class class_firewall_bypass
set connection advanced-options tcp-state-bypass
!
service-policy inside-policy interface inside

 

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118995-configure-asa-00.html

https://matthewjwhite.co.uk/2012/02/13/asymmetric-routing-with-cisco-asa-firewalls/

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment helps you!
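To make the scope of that bypass class concrete, here is an added Python check (mine, not from the reply or from Cisco) that resolves the two network objects, parses the two ACEs of `firewall_bypass` exactly as written above, and confirms that a flow between the two LANs is matched in both directions, since with asymmetric routing either direction may be the one the ASA sees first. `tcp-state-bypass` switches off TCP state checking for every flow the class matches, so the ACL should cover exactly these two subnets and nothing broader; the check for a non-matching destination shows that it does.

```python
import ipaddress

# Constructed sample: the object and access-list lines from the reply above.
BYPASS_CONFIG = """
object network Local_LAN
subnet 10.0.0.0 255.255.255.0
!
object network Local_LAN2
subnet 192.168.2.0 255.255.255.0
!
access-list firewall_bypass extended permit ip object Local_LAN object Local_LAN2
access-list firewall_bypass extended permit ip object Local_LAN2 object Local_LAN
"""


def parse_objects(config):
    """Resolve 'object network NAME' followed by 'subnet A M' or 'host A' into networks."""
    objs, name = {}, None
    for line in config.splitlines():
        parts = line.split()
        if parts[:2] == ["object", "network"]:
            name = parts[2]
        elif parts == ["!"]:
            name = None                      # end of the object block
        elif parts[:1] == ["subnet"] and name:
            objs[name] = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        elif parts[:1] == ["host"] and name:
            objs[name] = ipaddress.ip_network(parts[1])
    return objs


def parse_acl(config, acl_name, objs):
    """Return (action, proto, src_net, dst_net) for ACEs written as
    'access-list NAME extended ACTION PROTO object SRC object DST' (the form used above)."""
    aces = []
    for line in config.splitlines():
        parts = line.split()
        if parts[:3] != ["access-list", acl_name, "extended"]:
            continue
        action, proto = parts[3], parts[4]
        if parts[5] == "object" and parts[7] == "object":
            aces.append((action, proto, objs[parts[6]], objs[parts[8]]))
    return aces


def acl_permits(aces, src, dst, proto="tcp"):
    """First-match evaluation; a flow no ACE matches falls to the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, s_net, d_net in aces:
        if p in ("ip", proto) and src in s_net and dst in d_net:
            return action == "permit"
    return False


def bypass_covers_both_directions(config, acl_name, host_a, host_b):
    """True only if the class would catch packets of the flow arriving in either direction."""
    aces = parse_acl(config, acl_name, parse_objects(config))
    return acl_permits(aces, host_a, host_b) and acl_permits(aces, host_b, host_a)


if __name__ == "__main__":
    print(bypass_covers_both_directions(BYPASS_CONFIG, "firewall_bypass", "10.0.0.20", "192.168.2.5"))
    print(bypass_covers_both_directions(BYPASS_CONFIG, "firewall_bypass", "10.0.0.20", "8.8.8.8"))
```

The first call returns True (both ACEs are needed for that), the second False, which is the expected outcome: only the two LANs lose TCP state inspection, Internet-bound traffic is still fully inspected.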