06-15-2009 12:49 PM - edited 03-06-2019 06:16 AM
Problem:
I am having problems getting the two interfaces to communicate with each other. I can ping my Linksys Router from the outside interface of the firewall, but I am unable to do this from the inside interface. Also I heard that I need ACLs. What are they? Do I have to have them? How do you implement them?
Setup:
I currently have a Linksys RV082 connected to two ISPs; connected on the LAN side of that is a Cisco ASA 5510 firewall, and connected on the LAN side of that is a Cisco 2821 router.
NAT:
Original:
Interface: interior
Source Network: interior:any/0
Destination Network: any
Translated:
Interface: Exterior
Address: interface PAT
Static routes:
Linksys to Firewall:
Destination IP: 192.168.6.0
Subnet mask: 255.255.255.0
Default Gateway: 192.168.0.101
Hop count: 1
Interface: lan
Firewall to Linksys:
Exterior 0.0.0.0 0.0.0.0 192.168.0.1 1
IP Addresses:
Inside firewall: 192.168.6.0
Outside firewall: 192.168.0.101
Linksys: 192.168.0.1
Cisco Router Outside: 192.168.6.101
Cisco Router Inside: 192.168.4.0
____________Cisco ASA 5510 Configuration_____________________________
Firewall# show running-config
: Saved
:
ASA Version 7.0(8)
!
hostname Firewall
domain-name default.domain.invalid
enable password 6efABQ2cPmP7OKuA encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif Interior
 security-level 0
 ip address 192.168.6.1 255.255.255.0
!
interface Ethernet0/1
 nameif Exterior
 security-level 100
 ip address dhcp setroute
!
interface Ethernet0/2
 shutdown
 nameif 0
 security-level 0
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
same-security-traffic permit inter-interface
pager lines 24
logging asdm informational
mtu management 1500
mtu Exterior 1500
mtu Interior 1500
mtu 0 1500
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (Exterior) 100 interface
nat (Interior) 100 0.0.0.0 0.0.0.0
nat (Interior) 100 0.0.0.0 0.0.0.0 outside
route Exterior 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp 0
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd address 192.168.6.2-192.168.6.10 Interior
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
dhcpd enable Interior
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp error
  inspect mgcp
  inspect pptp
  inspect ctiqbe
  inspect snmp
  inspect http
  inspect icmp
  inspect ils
!
service-policy global_policy global
Cryptochecksum:ff820992c3c5d0aa4866e518fe0f9766
: end
06-16-2009 06:34 AM
I'm assuming that your management station isn't the one that you're trying to get on the internet from, is it? Do you have a workstation on the 192.168.6.0 subnet?
06-16-2009 06:38 AM
Not yet but I can put one on if need be. Should I? Currently I do not have a management station on that subnet, just the 2821 router (not configured yet). Shouldn't the ping just work without a management computer on the subnet?
06-16-2009 06:40 AM
Your nat statements don't cover your management subnet.
Try:
nat (management) 100 0 0
Then ping from your management station outbound.
06-16-2009 07:06 AM
Also: I see your exterior interface is getting an IP from DHCP. Try setting this statically, as well as a static default route pointing to the Linksys. The route back from the Linksys to the ASA should correspond to this config...
Unless you have a static DHCP reservation, the route back from the Linksys to the ASA will not work, since the default gateway (ASA Exterior) IP could change.
"Routing failed to locate next hop for icmp from" tells me the ASA might not be getting an IP and default route via DHCP.
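An added audit script, not from this thread or from Cisco, that parses the interface, nat and route lines of a config dump like the one posted above and reports the conditions the replies point at: an inside interface whose security-level is below the outside's (the ASA denies lower-to-higher traffic unless an access-list permits it), a source interface with no nat statement, and an outside address assigned by DHCP. SAMPLE_CONFIG is a constructed excerpt of the posted config; the security-level rule is the ASA default, not something the thread states.

```python
import re
# Constructed excerpt of the ASA config posted in this thread (interfaces, NAT, default route).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif Interior
 security-level 0
!
interface Ethernet0/1
 nameif Exterior
 security-level 100
 ip address dhcp setroute
!
global (Exterior) 100 interface
nat (Interior) 100 0.0.0.0 0.0.0.0
route Exterior 0.0.0.0 0.0.0.0 192.168.0.1 1
"""

def parse_interfaces(config):
    """Map nameif -> {"security": int, "dhcp": bool}, one entry per 'interface' stanza."""
    ifaces, cur = {}, None
    for s in (line.strip() for line in config.splitlines()):
        if s.startswith("interface "):
            cur = {"security": None, "dhcp": False}
        elif s == "!":
            cur = None
        elif cur is not None and s.startswith("nameif "):
            ifaces[s.split()[1]] = cur
        elif cur is not None and s.startswith("security-level "):
            cur["security"] = int(s.split()[1])
        elif cur is not None and s.startswith("ip address dhcp"):
            cur["dhcp"] = True
    return ifaces

def audit(config):
    """Findings that explain why hosts behind an inside interface cannot reach the outside."""
    ifaces = parse_interfaces(config)
    # The interface holding the 0.0.0.0/0 route is treated as the outside.
    outside = next(iter(re.findall(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 ", config, re.M)), None)
    nat_sources = set(re.findall(r"^nat \((\S+)\)", config, re.M))
    findings = []
    for name, info in ifaces.items():
        if name == outside: continue
        if outside and info["security"] < ifaces[outside]["security"]:
            findings.append(f"{name} (level {info['security']}) is lower than {outside} "
                            f"(level {ifaces[outside]['security']}): outbound needs an access-list")
        if name not in nat_sources:
            findings.append(f"{name} has no nat statement for PAT out of {outside}")
    if outside and ifaces[outside]["dhcp"]:
        findings.append(f"{outside} address is assigned by DHCP; static routes back to it may break")
    return findings
```

Run `audit(open("running-config.txt").read())` against a saved `show running-config` to get the same checks on a real dump.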