12-17-2020 09:39 PM - edited 12-17-2020 09:42 PM
Hi all, as this is my first post in the community I do not know the rules properly, so sorry for posting in the wrong section.
My problem is that I am setting up a VLSM network on configuration but the firewall is giving me lots of problems.
Currently, I have already set up VLAN 1 on the firewall, which is the inside network, with an IP address of 192.168.1.1 /27 on et0/1. On VLAN 2, the IP address is 192.168.1.78 /30 on et0/0, which is the outside network.
The router connected to et0/0 has an IP address of 192.168.1.77 /30.
Now the issue is that when I set up VLAN 2, the inside subnet cannot ping the firewall anymore, nor can it ping outside the firewall, even after setting up the IP route on the firewall. But the router can ping the firewall. I am still new to this, so I am very confused as to what is happening here.
Attached below are the screenshots and configuration of my devices.
12-19-2020 05:18 AM
Hello,
I think the ASA has problems with classless IP addressing. Try the configuration below (IP address of Vlan 2 changed, default route changed, and service policy added). You also need to change the IP address of the HQ1 FastEthernet0/0 interface to 209.12.1.1/30, and change any routing as well.
ciscoasa#sh run
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
domain-name ccnasecurity.com
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 209.12.1.2 255.255.255.252
!
route outside 0.0.0.0 0.0.0.0 209.12.1.1 1
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global
!
telnet timeout 5
ssh timeout 5
!
dhcpd auto_config outside
!
dhcpd enable inside
!
ciscoasa#
12-18-2020 01:20 AM
Hello,
looks like you are doing this in Packet Tracer? It has a few quirks, especially with the ASA5505, which does not always work as expected.
Post the zipped Packet Tracer project (.pkt) file.
12-18-2020 07:53 AM
12-18-2020 08:31 AM
Hello,
are you sure you have posted the correct project? The one you have posted has the ASA connected to nothing, and the entire topology looks completely different from what was originally in your screenshot...
12-18-2020 06:39 PM - edited 12-18-2020 06:46 PM
Oops, sorry, yes it is the correct one; it's just that I removed the firewall since it gave me problems. I only gave a part of the topology in the original post as the rest was working fine; I just had trouble setting up the ASA firewall. I have also attached the configuration for my HQ router.
12-18-2020 11:55 PM - edited 12-19-2020 12:04 AM
What are the passwords for the router and the firewall? Even the ones in the router configuration file do not work...
12-19-2020 12:01 AM - edited 12-19-2020 12:01 AM
Router
Admin1
180874T_Admin1
Firewall
I did not set it
12-19-2020 12:44 AM
Hello,
I tried that password on the router; it doesn't work. If you can log in, set another password (something like admin/cisco) on all routers, and resend the file:
username admin privilege 15 password 0 cisco
12-19-2020 01:34 AM
Hello,
never mind, I know what the problem is. It is a quirk in Packet Tracer and the ASA 5505. By default, the ASA blocks ICMP, but if you put in this:
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global
it should work. But not in Packet Tracer. I seem to remember there was a workaround; let me check, and I will get back to you.
12-18-2020 01:31 AM
Make sure you do the VLSM correctly. An online tool is good to start with:
http://trk.free.fr/ipcalc/tools.html
What is not working? You need to route back from the router to the FW for the subnet behind the FW. The router does not know how to return the packets, since you have a default route set up to the serial interface. You can ping the router and the FW because it is a p2p interface.
So add more static routes back for the VLAN 1 and VLAN 2 IP address space towards the outside interface of the FW to work as expected.
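The two checks behind the advice in this thread, as an added Python example that is not part of the thread or of any Cisco tool: that the VLSM subnets do not overlap, and that the router has a more specific route back to the subnet behind the ASA than its default route. The addresses are the ones from the original post; the router's serial interface name and its routing table are assumed.

```python
import ipaddress

# Addressing as given in the original post (inside /27, ASA-to-router p2p /30).
ASA_INSIDE = ipaddress.ip_interface("192.168.1.1/27")
ASA_OUTSIDE = ipaddress.ip_interface("192.168.1.78/30")


def find_overlaps(prefixes):
    """Return every pair of subnets in a VLSM plan that overlap (empty list = clean plan)."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [(str(a), str(b)) for i, a in enumerate(nets)
            for b in nets[i + 1:] if a.overlaps(b)]


def lookup(routes, dst):
    """Longest-prefix match over routes given as (prefix, next-hop) pairs."""
    best = None
    for prefix, nh in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def return_path_ok(router_routes, inside_host):
    """True only if the router forwards traffic for an inside host to the ASA outside address."""
    hit = lookup(router_routes, inside_host)
    return hit is not None and hit[1] == str(ASA_OUTSIDE.ip)


# Constructed routing tables (assumed interface name "Serial0/0/0"): the router as the
# last reply describes it, with only its connected p2p link and a default route out
# the serial interface, and the same router with the recommended static return route.
ROUTER_BEFORE = [
    (str(ASA_OUTSIDE.network), "connected"),
    ("0.0.0.0/0", "Serial0/0/0"),
]
ROUTER_AFTER = ROUTER_BEFORE + [(str(ASA_INSIDE.network), str(ASA_OUTSIDE.ip))]

if __name__ == "__main__":
    print("overlaps:", find_overlaps([str(ASA_INSIDE.network), str(ASA_OUTSIDE.network)]))
    print("before:", return_path_ok(ROUTER_BEFORE, "192.168.1.10"))
    print("after:", return_path_ok(ROUTER_AFTER, "192.168.1.10"))
```

Replies from 192.168.1.10 are dropped before the static route is added because the default route wins the lookup; the ASA's own inside address is on the same /27, so the same route fixes pings to the firewall itself.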