07-24-2013 01:00 AM - edited 03-07-2019 02:33 PM
Hello everyone,
I've got two internal networks which belong to the inside VLAN (or I guess they do): 10.0.0.0/24 and 192.168.2.0/24.
The IP address of my ASA is 10.0.0.1 and the router used to make the two networks talk has got two interfaces 10.0.0.42 and 192.168.2.1.
Thanks to the route command, the ASA should redirect the packets for 192.168.2.0 to 10.0.0.42 and it will manage to give them to the other network.
Here is my config:
: Saved
:
ASA Version 8.2(5)
!
hostname Cisco-ASA-5505
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.254 255.255.255.0
!
ftp mode passive
clock timezone GMT 1
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNpool 10.0.1.1-10.0.1.50
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route inside 192.168.2.0 255.255.255.0 10.0.0.42 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set RA-TS esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN-MAP 10 set transform-set RA-TS
crypto map VPN-MAP 30 ipsec-isakmp dynamic DYN-MAP
crypto map VPN-MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 3600
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 10.0.0.10-10.0.0.40 inside
dhcpd dns 81.253.149.9 80.10.246.1 interface inside
dhcpd update dns both override interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server inside 10.0.0.42 /srv/tftp/cisco-rtr-01-config
webvpn
username admin password 4RdDnLO1w29lihWc encrypted
username cld password zGOnThs6HPdAZhqs encrypted
tunnel-group synvpn type remote-access
tunnel-group synvpn general-attributes
 address-pool VPNpool
tunnel-group synvpn ipsec-attributes
 pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:c3d233f44e742110aa0ce1f81173d47c
: end
I can ping the router through the IP address 10.0.0.42 but not with the other one: 192.168.2.1. Do you know why I can't talk to this network even if I defined a route?
Thanks!
John
10-08-2019 10:59 PM
Hi,
As I understand it, you are facing an asymmetric routing issue in your network.
Here is the guide for the same:
object network Local_LAN
 subnet 10.0.0.0 255.255.255.0
!
object network Local_LAN2
 subnet 192.168.2.0 255.255.255.0
!
access-list firewall_bypass extended permit ip object Local_LAN object Local_LAN2
access-list firewall_bypass extended permit ip object Local_LAN2 object Local_LAN
!
class-map class_firewall_bypass
 match access-list firewall_bypass
!
policy-map inside-policy
 class class_firewall_bypass
  set connection advanced-options tcp-state-bypass
!
service-policy inside-policy interface inside
https://matthewjwhite.co.uk/2012/02/13/asymmetric-routing-with-cisco-asa-firewalls/
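To make the asymmetric-routing diagnosis above concrete, here is an added Python model of the topology in the question (it is example code written for this page, not code from the thread, from Cisco, or from the linked article). It uses the routing table from the posted ASA config to show that traffic for 192.168.2.0/24 leaves the ASA on the same inside interface it arrived on, and then replays a TCP handshake as the ASA would see it: the SYN from a 10.0.0.0/24 host reaches the ASA (its default gateway), but the router at 10.0.0.42 / 192.168.2.1 delivers the SYN-ACK straight to the host, so the ASA never sees it and drops the host's next segment as out of state. With the 10.0.0.0/24 <-> 192.168.2.0/24 pair marked for bypass, as the reply's tcp-state-bypass policy does, the same segments are forwarded. The host and server addresses (10.0.0.20, 192.168.2.10, 203.0.113.5) are constructed, and the state machine is a deliberately simplified stand-in for the ASA's real TCP normalizer.

```python
# Added example (not from the thread): toy model of the two-LAN topology and
# of a stateful firewall with and without TCP state bypass.
import ipaddress

# Routing table taken from the posted ASA config plus its connected subnets.
ASA_ROUTES = [
    ("10.0.0.0/24",    "inside",  None),           # connected (Vlan1)
    ("192.168.1.0/24", "outside", None),           # connected (Vlan2)
    ("192.168.2.0/24", "inside",  "10.0.0.42"),    # route inside 192.168.2.0 ...
    ("0.0.0.0/0",      "outside", "192.168.1.1"),  # route outside 0.0.0.0 ...
]


def next_hop(dst):
    """Longest-prefix-match lookup: returns (egress interface, next hop)."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in ASA_ROUTES if addr in ipaddress.ip_network(r[0])),
               key=lambda r: ipaddress.ip_network(r[0]).prefixlen)
    return best[1], best[2]


def is_hairpin(ingress_if, dst):
    """True when a packet would leave the ASA on the interface it arrived on,
    which is the situation that lets the return path skip the firewall."""
    return next_hop(dst)[0] == ingress_if


class StatefulASA:
    """Simplified TCP state tracking: a connection must start with a SYN seen
    by the firewall, and a plain ACK is accepted only after the SYN-ACK has
    also been seen. Pairs listed in bypass_pairs skip the state checks."""

    def __init__(self, bypass_pairs=()):
        self.conns = {}  # (client, server) -> "SYN_SEEN" | "SYNACK_SEEN"
        self.bypass = [(ipaddress.ip_network(a), ipaddress.ip_network(b))
                       for a, b in bypass_pairs]
        self.log = []

    def _bypassed(self, src, dst):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        return any((s in a and d in b) or (s in b and d in a)
                   for a, b in self.bypass)

    def handle(self, src, dst, flags):
        """Return 'forward' or 'drop' for one TCP segment seen by the ASA."""
        if self._bypassed(src, dst):
            self.log.append(f"bypass {src}->{dst} {flags}")
            return "forward"
        if flags == "S":
            self.conns[(src, dst)] = "SYN_SEEN"
            return "forward"
        if flags == "SA":
            if self.conns.get((dst, src)) == "SYN_SEEN":
                self.conns[(dst, src)] = "SYNACK_SEEN"
                return "forward"
            self.log.append(f"Deny TCP (no connection) {src}->{dst} {flags}")
            return "drop"
        # plain ACK / data: needs a fully opened connection in either direction
        state = self.conns.get((src, dst)) or self.conns.get((dst, src))
        if state == "SYNACK_SEEN":
            return "forward"
        self.log.append(f"Deny TCP (out of state) {src}->{dst} {flags}")
        return "drop"


def simulate_asymmetric(bypass):
    """Replay a 10.0.0.0/24 -> 192.168.2.0/24 handshake as the ASA sees it.
    The SYN-ACK goes router -> host directly (both sit on 10.0.0.0/24), so
    the ASA never observes it. Returns (verdicts, firewall log)."""
    host, server = "10.0.0.20", "192.168.2.10"  # constructed addresses
    pairs = [("10.0.0.0/24", "192.168.2.0/24")] if bypass else []
    asa = StatefulASA(bypass_pairs=pairs)
    verdicts = [asa.handle(host, server, "S")]   # host -> default gw (ASA)
    # asa.handle(server, host, "SA") would sit here, but that segment takes
    # the router's directly connected path to the host and bypasses the ASA.
    verdicts.append(asa.handle(host, server, "A"))  # host's ACK, via ASA again
    return verdicts, asa.log


def simulate_symmetric():
    """Control case: a session to the outside, where both directions cross
    the ASA and the state machine is satisfied."""
    host, server = "10.0.0.20", "203.0.113.5"  # constructed addresses
    asa = StatefulASA()
    return [asa.handle(host, server, "S"),
            asa.handle(server, host, "SA"),
            asa.handle(host, server, "A")]


if __name__ == "__main__":
    print("next hop:", next_hop("192.168.2.10"),
          "hairpin:", is_hairpin("inside", "192.168.2.10"))
    print("strict   :", simulate_asymmetric(False))
    print("bypass   :", simulate_asymmetric(True))
    print("symmetric:", simulate_symmetric())
```

Running it prints the inside/10.0.0.42 next hop and a hairpin of True for a 192.168.2.0/24 destination, a drop of the host's ACK in strict mode with a "Deny TCP (out of state)" log entry, and three forwards once the pair is bypassed. The bypass trades the TCP state checks for reachability on that one pair only, which is why the reply's class-map matches just the two LAN objects rather than all inside traffic.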