Joe Carey
Beginner

Cisco ASA static routing to Cisco 831. help with ACL maybe?

Hi all,

What should be a simple task is proving to be difficult and I really need some help.

The Cisco ASA is obviously not a strong point of mine and I could do with a point in the right direction. Hopefully this will allow me to learn more about the ASA 5505.

Ok so I have an ASA 5505. VLAN 1 is 192.168.254.1 and VLAN 2 is DHCP from my cable modem.

I have a Cisco 831 Ethernet router which will sit between my main LAN and my test LAN which I am setting up for multicast. The Cisco 831 has Ethernet 1 as 192.168.254.254 and Ethernet 0 is 10.1.1.1.

On the ASA I have an inside route of 10.0.0.0 255.0.0.0 192.168.254.254.

On the Cisco 831 there is a route of 0.0.0.0 0.0.0.0 192.168.254.1. I can pass traffic through the Cisco 831 to the ASA 5505 and out to the internet (I can ping 8.8.8.8, for example) and access everything on my main LAN, but the other way, from any host inside the ASA 5505, I am unable to ping anything on 10.1.1.x.

Where am I going wrong? I made all my access of my ASA any any, but still it is unable to do anything.

I will attach my configs here with the passwords removed and would appreciate a good kick in the right direction. No doubt this is something simple that I am missing, and I am sure it is with the ACL on the ASA 5505, as the packet tracer says the packet is dropped because of the ACL.

Thanks. :)

2 ACCEPTED SOLUTIONS

TTL Exceeded means you have a loop.

The ASA routes 10/8 to the router, but the router has no idea of this range, so chooses the default route which points to the ASA.

This is a loop.

I see that the e0 on the router is connected to 10.1.1.0/24. Maybe the interface is down? Because the route doesn't show up in "show ip route" on the router.

13 Replies
Dennis Mink
Advisor

Your interface VLAN 2 has no IP address configured on it, so the ASA is not in the transit path between the two VLANs. Correct this first.

Please remember to rate useful posts, by clicking on the stars below.

This is not the issue. VLAN 2 goes out to my ISP and my internet is up and working.

When I do a sh ip address I can clearly see that VLAN 2 has the external IP assigned to it from my ISP.

The issue is internally, from VLAN 1 routing to 10.1.1.x.

As I said, the Cisco 831 and anything attached to it can access anything on 192.168.254.x and beyond out to the internet. The problem is I can access anything from 192.168.254.x to 10.1.1.x.

There are no issues between vlan 1 and vlan 2 on the ASA. VLAN 1 is inside and vlan 2 is outside on the ASA only. My issue is between the ASA and the Cisco 831.

ISP-----ASA on VLAN 2 (nat outside) ----ASA Vlan 1 (nat inside) 192.168.254.1--- That is all good.

ASA (inside) static route 10.0.0.0 255.0.0.0 192.168.254.254 (IP on Ethernet 1 of the C831)

Cisco 831 has a static route of 0.0.0.0 0.0.0.0 192.168.254.1 (VLAN 1 of the ASA)

Traffic on the C831 on 10.1.1.x can pass through the ASA out to the internet, but anything on my main LAN 192.168.254.x is unable to access anything on 10.1.1.x.

Does that make sense?

What would be the gateway for your hosts in each LAN?

Could you post a topology, and also describe the desired traffic flow from a host in 10.1.1.x and a host in 192.168.254.x?

Thanks,
Mohammad

I hope this is clear enough.

So, on ASA, all the traffic between these two LANs will traverse on the same interface.
Then please add this command in the global config on ASA:
same-security-traffic permit intra-interface

All this has presented me with is ttl expired in transit :( I cannot see why that is, because all static routes are correct, the metric is good so there should be no issues, and the 10.1.1.x range can access the internet and main LAN.

I did notice that there was a typo in my static route, which has been corrected, and my metric is set to 2, so the TTL is ok.

The C831 can access the main LAN and internet without issues, but anything on my main LAN cannot access the C831 10.1.1.1 address or anything on the 10 range.

I don't see a route for 10.1.1.0/24 on the ASA. There's only a host route for 10.1.1.1.

Try this:

no route inside 10.1.1.1 255.255.255.255 192.168.254.254 2
route inside 10.1.1.0 255.255.255.0 192.168.254.254
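Both accepted answers in this thread come down to how longest-prefix-match routing plays out between the two boxes. As an added illustration (this is not part of the thread and not Cisco code), the Python model below walks a packet hop by hop through two small routing tables: with the C831's Ethernet 0 down, its 10.1.1.0/24 connected route is gone, the default route hands the packet straight back to the ASA and the TTL runs out, which is exactly the loop described in the "TTL Exceeded" answer; with only a /32 for 10.1.1.1 on the ASA, a packet to 10.1.1.5 misses that entry and follows the default route toward the ISP, which is the problem the route fix above addresses. The ISP next hop 203.0.113.1 is a constructed placeholder, and the model covers routing only: no ACL, NAT or same-interface (hairpin) policy is simulated.

```python
"""Toy hop-by-hop forwarding model for the ASA <-> Cisco 831 setup in the thread.
Added example: routing-table lookups only; no ACL, NAT or same-interface policy."""
import ipaddress

# Constructed addressing: the two inside-facing hops from the thread plus a
# made-up ISP next hop (203.0.113.1, documentation range) for the ASA default route.
ADDR_TO_DEVICE = {"192.168.254.1": "ASA", "192.168.254.254": "C831"}
ISP_NEXT_HOP = "203.0.113.1"


def lookup(table, dst):
    """Longest-prefix match over (network, next_hop) entries.

    next_hop is a next-hop IP string, or the literal "connected" for a directly
    attached network. IOS only installs a connected route while the interface is
    up, which is why the model omits it when Ethernet 0 is down."""
    matches = [entry for entry in table if dst in entry[0]]
    if not matches:
        return None
    return max(matches, key=lambda entry: entry[0].prefixlen)


def forward(devices, start, dst, ttl=64):
    """Carry one packet from `start` toward `dst`, decrementing TTL per routed hop.

    Returns (outcome, path). outcome is 'delivered', 'no-route', 'ttl-exceeded',
    or 'left-topology:<next_hop>' when the next hop is outside the modelled LAN."""
    dst = ipaddress.ip_address(dst)
    device, path = start, [start]
    while ttl > 0:
        entry = lookup(devices[device], dst)
        if entry is None:
            return "no-route", path
        _net, next_hop = entry
        if next_hop == "connected":
            return "delivered", path
        ttl -= 1
        if next_hop not in ADDR_TO_DEVICE:
            return f"left-topology:{next_hop}", path
        device = ADDR_TO_DEVICE[next_hop]
        path.append(device)
    return "ttl-exceeded", path


def build_tables(asa_ten_route, c831_e0_up):
    """Routing tables for both devices, parameterised by the two variables the
    thread turned on: the ASA's route for the 10.x range and the state of the
    C831's Ethernet 0 (10.1.1.1/24)."""
    net = ipaddress.ip_network
    asa = [
        (net("192.168.254.0/24"), "connected"),          # VLAN 1, inside
        (net("0.0.0.0/0"), ISP_NEXT_HOP),                # VLAN 2, outside (constructed next hop)
        (net(asa_ten_route), "192.168.254.254"),         # route inside <10.x prefix> 192.168.254.254
    ]
    c831 = [
        (net("192.168.254.0/24"), "connected"),          # Ethernet 1
        (net("0.0.0.0/0"), "192.168.254.1"),             # ip route 0.0.0.0 0.0.0.0 192.168.254.1
    ]
    if c831_e0_up:
        c831.append((net("10.1.1.0/24"), "connected"))  # Ethernet 0, present only while up
    return {"ASA": asa, "C831": c831}


def scenario_loop():
    """ASA has 10.0.0.0/8 via the C831, C831 Ethernet 0 is down:
    ASA -> C831 -> ASA -> ... until the TTL expires (TTL 8 keeps the path short)."""
    return forward(build_tables("10.0.0.0/8", c831_e0_up=False), "ASA", "10.1.1.5", ttl=8)


def scenario_host_route_only():
    """Only a /32 for 10.1.1.1 on the ASA: 10.1.1.1 is reachable, 10.1.1.5 is not."""
    tables = build_tables("10.1.1.1/32", c831_e0_up=True)
    return forward(tables, "ASA", "10.1.1.1"), forward(tables, "ASA", "10.1.1.5")


def scenario_fixed():
    """route inside 10.1.1.0 255.255.255.0 192.168.254.254 on the ASA, Ethernet 0 up."""
    return forward(build_tables("10.1.1.0/24", c831_e0_up=True), "ASA", "10.1.1.5")


if __name__ == "__main__":
    print("loop       :", scenario_loop())
    print("host-route :", scenario_host_route_only())
    print("fixed      :", scenario_fixed())
```

The model deliberately has no firewall logic, so it reproduces only the routing half of the thread; the same-security-traffic permit intra-interface requirement from the other accepted answer is a policy check that sits on top of a routing decision like the one shown here.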