Problem setting up my ASA 5505 firewall within my VLSM subnet

Peter17
Level 1

Hi all, as this is my first post in the community I do not know the rules properly, and as such I am sorry if I am posting in the wrong section.

 

My problem is that I am setting up a VLSM network in my configuration, but the firewall is giving me lots of problems.

Currently, I have already set up VLAN 1 on the firewall, which is the inside network, with an IP address of 192.168.1.1 /27 on et0/1. On VLAN 2, the IP address is 192.168.1.78 /30 on et0/0, which is the outside network.

The router connected to et0/0 has an IP address of 192.168.1.77 /30.

 

Now the issue is that when I set up VLAN 2, the inside subnet cannot ping the firewall anymore, nor can it ping outside the firewall, even after setting up the IP route on the firewall. But the router can ping the firewall. I am still new to this, so I am very confused as to what is happening here.

 

Attached below are the screenshots and configuration of my devices.

Accepted Solution

Hello,

 

I think the ASA has problems with classless IP addressing. Try the configuration below (IP address of Vlan 2 changed, default route changed, and service policy added). You also need to change the IP address of the HQ1 FastEthernet0/0 interface to 209.12.1.1/30, and change any routing as well.

 

ciscoasa#sh run
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
domain-name ccnasecurity.com
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 209.12.1.2 255.255.255.252
!
route outside 0.0.0.0 0.0.0.0 209.12.1.1 1
!
class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
inspect icmp
!
service-policy global_policy global
!
telnet timeout 5
ssh timeout 5
!
dhcpd auto_config outside
!
dhcpd enable inside
!
ciscoasa#

10 Replies

Hello,

 

Looks like you are doing this in Packet Tracer? It has a few quirks, and especially the ASA5505 does not always work as expected.

 

Post the zipped Packet Tracer project (.pkt) file.

Ahh, I see, yes my teacher did say that the firewall would have problems. Alright, here's the Packet Tracer attached.

Hello,

 

Are you sure you have posted the correct project? The one you have posted has the ASA connected to nothing, and the entire topology looks completely different from what was originally in your screenshot...

Oops, sorry, yup it is the correct one; it's just that I removed the firewall since it gave me problems. I only gave a part of the topology in the original post as the rest was working fine; I just had trouble setting up the ASA firewall. I have also attached the configuration for my HQ router.

What are the passwords for the router and the firewall? Even the ones in the router configuration file do not work...

Router

Admin1

180874T_Admin1

 

Firewall

I did not set it

Hello,

 

I tried that password on the router; it doesn't work. If you can log in, set another password (something like admin/cisco) on all routers, and resend the file:

 

username admin privilege 15 password 0 cisco

Hello,

 

Never mind, I know what the problem is. It is a quirk in Packet Tracer and the ASA 5505. By default, the ASA blocks ICMP, but if you put in this:

 

class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
inspect icmp
!
service-policy global_policy global

 

it should work. But not in Packet Tracer. I seem to remember there was a workaround; let me check, I will get back to you.


balaji.bandi
Hall of Fame

Make sure you do the VLSM correctly.

 

An online tool is good to start with:

 

http://trk.free.fr/ipcalc/tools.html

 

What is not working? You need to route back from the router to the FW for the subnet behind the FW. The router does not know how to return the packets, since you have the default route set up to the serial interface. You can ping the router and the FW because it is a p2p interface.

 

So add static routes back for the VLAN 1 and VLAN 2 IP address space towards the outside interface of the FW for it to work as expected.

 

BB

***** Rate All Helpful Responses *****
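Two points in this thread are easy to check offline: whether the interface subnets overlap (the reason the accepted solution moves the outside link to 209.12.1.0/30 once the inside mask is widened to /24), and whether the HQ router has a more specific route back to the inside subnet than its default route (BB's point above). The script below is an added example, not code from the thread or from Cisco; it uses Python's standard ipaddress module with the addresses quoted in the posts. The router's route tables and the next-hop label "serial-next-hop" are constructed for illustration.

```python
"""Added example: check ASA interface addressing for overlap and simulate
the HQ router's longest-prefix-match lookup for return traffic.
Addresses come from the thread; route tables are constructed."""
from ipaddress import ip_interface, ip_network, ip_address


def interface_overlaps(ifaces):
    """Return (name_a, name_b) pairs whose connected subnets overlap.

    An ASA will not accept two interfaces on overlapping networks, and a
    /24 inside next to a /30 outside carved from the same /24 is exactly
    that situation."""
    nets = [(name, ip_interface(addr).network) for name, addr in ifaces]
    clashes = []
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                clashes.append((name_a, name_b))
    return clashes


def same_link(addr_a, addr_b):
    """True when two interface addresses fall in the same subnet,
    i.e. the point-to-point link between them can actually work."""
    return ip_interface(addr_a).network == ip_interface(addr_b).network


def lookup(routes, dst):
    """Longest-prefix-match over a list of (prefix, next_hop) entries.
    Returns the chosen next hop, or None if nothing matches."""
    dst = ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


# Original poster's addressing (first post): /27 inside, /30 outside
ORIGINAL = [("inside Vlan1", "192.168.1.1/27"),
            ("outside Vlan2", "192.168.1.78/30")]
# Accepted solution: inside widened to /24, outside moved to 209.12.1.0/30
ACCEPTED = [("inside Vlan1", "192.168.1.1/24"),
            ("outside Vlan2", "209.12.1.2/30")]
# Constructed counter-example: widen the inside mask but leave outside in place
MIXED = [("inside Vlan1", "192.168.1.1/24"),
         ("outside Vlan2", "192.168.1.78/30")]

# Constructed HQ router tables: default route out the serial link only,
# then with the static return route BB recommends (next hop = ASA outside)
HQ_WITHOUT_RETURN = [("0.0.0.0/0", "serial-next-hop")]
HQ_WITH_RETURN = [("0.0.0.0/0", "serial-next-hop"),
                  ("192.168.1.0/27", "192.168.1.78")]


def main():
    print("original overlaps:", interface_overlaps(ORIGINAL))
    print("accepted overlaps:", interface_overlaps(ACCEPTED))
    print("mixed overlaps:   ", interface_overlaps(MIXED))
    print("p2p link OK:      ", same_link("192.168.1.78/30", "192.168.1.77/30"))
    # Reply to an inside host: without the static route it follows the default
    print("return w/o route: ", lookup(HQ_WITHOUT_RETURN, "192.168.1.10"))
    print("return w/ route:  ", lookup(HQ_WITH_RETURN, "192.168.1.10"))
    # Traffic for anything else still takes the default (203.0.113.5 is TEST-NET)
    print("other traffic:    ", lookup(HQ_WITH_RETURN, "203.0.113.5"))


if __name__ == "__main__":
    main()
```

Run it as-is; the "mixed" case is the one to watch, since it shows why simply widening the inside mask without moving the outside link produces overlapping interface subnets, and the two lookup results show the return path only leaving the serial default once the /27 is in the HQ router's table.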
