Cisco ASA static routing to Cisco 831. help with ACL maybe?

Joe Carey
Level 1

Hi all,

What should be a simple task is proving to be difficult and I really need some help.

The Cisco ASA is obviously not a strong point of mine and I could do with a point in the right direction. Hopefully this will allow me to learn more about the ASA 5505.

Ok so I have an ASA 5505. Vlan 1 is 192.168.254.1 and VLAN 2 is DHCP from my cable modem.

I have a Cisco 831 Ethernet router which will sit between my main LAN and my test LAN which I am setting up for multicast. The Cisco 831 has Ethernet 1 as 192.168.254.254 and Ethernet 0 is 10.1.1.1.

 

On the ASA I have an inside route of 10.0.0.0 255.0.0.0 192.168.254.254.

On the Cisco 831 there is a route of 0.0.0.0 0.0.0.0 192.168.254.1. I can pass traffic through the Cisco 831 to the ASA 5505 and out to the internet, I can ping 8.8.8.8 for example and access everything on my main lan, but the other way, from any host inside the ASA 5505, is unable to ping anything on 10.1.1.x.

Where am I going wrong? I made all my access of my ASA any any, but still it is unable to do anything.

I will attach my configs here with the passwords removed and would appreciate a good kick in the right direction. No doubt this is something simple that I am missing, and I am sure it is with the ACL on the ASA 5505, as the packet tracer says the packet is dropped because of the ACL.

Thanks. :)

2 Accepted Solutions

So, on ASA, all the traffic between these two LANs will traverse on the same interface.
Then please add this command in the global config on ASA:
same-security-traffic permit intra-interface


TTL Exceeded means you have a loop.

The ASA routes 10/8 to the router, but the router has no idea of this range, so chooses the default route which points to the ASA.

This is a loop.

I see that the e0 on the router is connected to 10.1.1.0/24. Maybe the interface is down? Because the route doesn't show up in "show ip route" on the router.


13 Replies

Dennis Mink
VIP Alumni

your interface vlan 2 has no ip address configured on it, so the ASA is not in the transit path between the two VLANS. correct this first.


This is not the issue. VLAN 2 goes out to my ISP and my internet is up and working.

When I do a sh ip address I can clearly see that vlan 2 has the external IP assigned to it from my ISP.

The issue is internally from VLAN1 routing to 10.1.1.x.

As I said, the Cisco 831 and anything attached to it can access anything on 192.168.254.x and beyond out to the internet. The problem is I can access anything from 192.168.254.x to 10.1.1.x.

There are no issues between vlan 1 and vlan 2 on the ASA. VLAN 1 is inside and vlan 2 is outside on the ASA only. My issue is between the ASA and the Cisco 831.

ISP-----ASA on VLAN 2 (nat outside) ----ASA Vlan 1 (nat inside) 192.168.254.1--- That is all good.

ASA (inside) static route 10.0.0.0 255.0.0.0 192.168.254.254 (ip on eth 1 on C831)

Cisco 831 has a static route of 0.0.0.0 0.0.0.0 192.168.254.1 (vlan 1 of the ASA)

Traffic on the C831 on 10.1.1.x can pass through the asa out to the internet, but anything on my main lan 192.168.254.x is unable to access anything on 10.1.1.x.

Does that make sense?

 

What would be the gateway for your hosts in each LAN?

Could you post a topology, and also describe the desired traffic flow from a host in 10.1.1.x and a host in 192.168.254.x?

Thanks,
Mohammad

I hope this is clear enough.

So, on ASA, all the traffic between these two LANs will traverse on the same interface.
Then please add this command in the global config on ASA:
same-security-traffic permit intra-interface

All this has presented me with was ttl expired in transit :( I cannot see why that is, because all static routes are correct, the metric is good so there should be no issues, and the 10.1.1.x range can access the internet and main lan.

I did notice that there was a typo in my static route which has been corrected, and my metric is set to 2 so the TTL is ok.

The C831 can access the main lan and internet without issues but anything on my main lan cannot access the C831 10.1.1.1 address or anything on the 10 range.

 

I don't see a route for 10.1.1.0/24 on the ASA. There's only a host route for 10.1.1.1.

Try this:

no route inside 10.1.1.1 255.255.255.255 192.168.254.254 2
route inside 10.1.1.0 255.255.255.0 192.168.254.254

That was the error that I said I resolved. It was a typo.

So, is your issue solved now?

If not, please attach the updated configuration, plus the output of show ip route on both ASA and router.

Thanks,
Mohammad

Hola,

My issue is still outstanding.

From the ASA:

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 92.232.216.1 to network 0.0.0.0

S     10.0.0.0 255.0.0.0 [2/0] via 192.168.254.254, inside
C        192.168.254.0 255.255.255.0 is directly connected, inside
L        192.168.254.1 255.255.255.255 is directly connected, inside

From the Cisco 831:

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.254.1 to network 0.0.0.0

C    192.168.254.0/24 is directly connected, Ethernet1
S*   0.0.0.0/0 [2/0] via 192.168.254.1
Router#

Pinging 10.1.1.1 with 32 bytes of data:
Reply from 192.168.254.254: TTL expired in transit.
Reply from 192.168.254.254: TTL expired in transit.
Reply from 192.168.254.254: TTL expired in transit.
Reply from 192.168.254.254: TTL expired in transit.

Ping statistics for 10.1.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

C:\Users\Josephc>

From the Cisco 831:

Router#
Router#ping google.co.uk
Translating "google.co.uk"...domain server (255.255.255.255) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 62.253.72.177, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/9/12 ms
Router#

From the ASA:

Enfield-ASA# ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
Enfield-ASA#

I think this is related to the access-list on the ASA, but I am not that familiar with it.

I hope this information helps. Thanks for your help so far :)

I think I was right about the access list:

Drop-reason: (acl-drop) Flow is denied by configured rule

Enfield-ASA# packet-tracer input inside icmp 192.168.254.1 8 0 10.1.1.1

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   10.0.0.0        255.0.0.0       via 192.168.254.254, inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Enfield-ASA#

TTL Exceeded means you have a loop.

The ASA routes 10/8 to the router, but the router has no idea of this range, so chooses the default route which points to the ASA.

This is a loop.

I see that the e0 on the router is connected to 10.1.1.0/24. Maybe the interface is down? Because the route doesn't show up in "show ip route" on the router.
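The loop and the hairpin drop described in the two accepted answers can be replayed offline. The following is an added example (not the poster's configuration or any Cisco tool) that loads the routing tables from the show ip route output above and forwards a packet hop by hop; the device dicts, the constructed intra_ok flag and the E0_UP route are assumptions.

```python
import ipaddress

# Constructed tables mirroring the "show ip route" output posted in this
# thread (example code, not the poster's config or Cisco's own tooling).
ASA = {"name": "ASA", "intra_ok": True, "addrs": {"192.168.254.1": "inside"},
       "routes": [("10.0.0.0/8", "192.168.254.254", "inside"),
                  ("192.168.254.0/24", None, "inside"),
                  ("0.0.0.0/0", "92.232.216.1", "outside")]}
C831 = {"name": "C831", "intra_ok": True,
        "addrs": {"192.168.254.254": "Ethernet1", "10.1.1.1": "Ethernet0"},
        "routes": [("192.168.254.0/24", None, "Ethernet1"),
                   ("0.0.0.0/0", "192.168.254.1", "Ethernet1")]}
E0_UP = ("10.1.1.0/24", None, "Ethernet0")   # connected route once e0 is up

def lookup(routes, dst):
    """Longest-prefix match: returns (next_hop, egress_iface) or None."""
    best = None
    for prefix, nh, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, nh, iface)
    return best[1:] if best else None

def trace(devices, start, dst, ingress=None, ttl=64):
    """Forward one packet hop by hop; returns (outcome, visited device names)."""
    by_addr = {a: (d, i) for d in devices for a, i in d["addrs"].items()}
    dev, path = start, []
    while True:
        path.append(dev["name"])
        hit = lookup(dev["routes"], dst)
        if hit is None:
            return "no route", path
        nh, egress = hit
        # ASA hairpin check: a flow leaving on the interface it arrived on is
        # dropped unless "same-security-traffic permit intra-interface" is set.
        if ingress == egress and not dev["intra_ok"]:
            return "acl-drop", path
        if nh is None:                 # directly connected: delivered
            return "delivered", path
        ttl -= 1
        if ttl == 0:                   # the "TTL expired in transit" symptom
            return f"TTL expired at {dev['name']}", path
        if nh not in by_addr:          # next hop beyond the lab, e.g. the ISP
            return f"forwarded to {nh}", path
        dev, ingress = by_addr[nh]

if __name__ == "__main__":
    fixed = {**C831, "routes": C831["routes"] + [E0_UP]}
    print(trace([ASA, C831], ASA, "10.1.1.1", ttl=8))   # loops until TTL hits 0
    print(trace([ASA, fixed], ASA, "10.1.1.1"))         # delivered via Ethernet0
```

With the router's e0 route missing the packet bounces between the two default/summary routes until the TTL hits zero; with the connected 10.1.1.0/24 route present the longer prefix wins and the packet is delivered.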

Hey,

I've powered everything up, plugged a device in to the router and can ping both ways now.

Thanks for your help. It appears that the issue is now resolved :) I really appreciate your help. I have learned a lot from you.
