11-22-2015 10:37 AM - edited 03-08-2019 02:48 AM
I've recently acquired a 5506-X that I want to use in my home lab to implement Firepower. On the outside interface, it is connected to a cable modem, and it is connected to the 2901 router on the inside interface. I can access the WAN from the LAN, but I cannot ping any IP addresses on the LAN from the ASA, and I'm rather new to configuring routes, so I'm not entirely certain why. I've attached the configurations of the router and the ASA, and here are the routing tables from the ASA and the router:
From the ASA:
Gateway of last resort is 73.249.122.1 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 73.249.122.1, outside
C 73.249.122.0 255.255.255.0 is directly connected, outside
L 73.249.122.87 255.255.255.255 is directly connected, outside
C 192.168.0.0 255.255.255.0 is directly connected, inside
L 192.168.0.1 255.255.255.255 is directly connected, inside
S 192.168.1.0 255.255.255.0 [1/0] via 192.168.1.1, inside
S 192.168.2.0 255.255.255.0 [1/0] via 192.168.1.1, inside
From the router:
S* 0.0.0.0/0 is directly connected
42.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 42.42.42.0/24 is directly connected, Loopback0
L 42.42.42.1/32 is directly connected, Loopback0
192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.0.0/24 is directly connected, GigabitEthernet0/0
L 192.168.0.7/32 is directly connected, GigabitEthernet0/0
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, GigabitEthernet0/1.1
L 192.168.1.1/32 is directly connected, GigabitEthernet0/1.1
192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.2.0/24 is directly connected, GigabitEthernet0/1.2
L 192.168.2.1/32 is directly connected, GigabitEthernet0/1.2
192.168.3.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.3.0/24 is directly connected, GigabitEthernet0/1.3
L 192.168.3.1/32 is directly connected, GigabitEthernet0/1.3
192.168.4.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.4.0/24 is directly connected, GigabitEthernet0/1.4
L 192.168.4.1/32 is directly connected, GigabitEthernet0/1.4
What am I doing wrong?
11-23-2015 06:26 AM
Hello,
Are you able to ping 192.168.1.1 from the ASA, as you have pointed two static routes towards this device?
What is this device?
-GI
11-23-2015 09:06 AM
I now have traffic flowing, and I was able to ping inside the LAN, but now I can't and I can't seem to figure out what I did. Here are the new configurations:
ASA:
ASA Version 9.5(1)
!
hostname RADAR
enable password T1fWrHZ5QAlSt1nT encrypted
names
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
object-group network INSIDE_NETWORKS
description INSIDE NETWORKS
network-object 192.168.1.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0
network-object 192.168.3.0 255.255.255.0
network-object 192.168.4.0 255.255.255.0
network-object 192.168.0.0 255.255.255.0
access-list OUTSIDE_FLOWING_IN extended permit icmp any4 any4
pager lines 24
logging enable
logging monitor debugging
logging buffered debugging
logging asdm debugging
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo outside
icmp permit any echo-reply outside
asdm image disk0:/asdm-751.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic INSIDE_NETWORKS interface
access-group OUTSIDE_FLOWING_IN in interface outside
route inside 192.168.1.0 255.255.255.0 192.168.0.2 250
route inside 192.168.2.0 255.255.255.0 192.168.0.2 250
route inside 192.168.3.0 255.255.255.0 192.168.0.2 250
route inside 192.168.4.0 255.255.255.0 192.168.0.2 250
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username emoon password 271aLcXJ/BX03czK encrypted privilege 15
username jsmick password Ly/Cemc44Pbtm2d5 encrypted privilege 15
!
class-map sfr-global-class
match any
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class sfr-global-class
sfr fail-open
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:e3583289199e8f4e15a3fae50df733a5
: end
Router:
version 15.5
service timestamps debug datetime msec
service timestamps log datetime localtime
service password-encryption
!
hostname Tardis
!
boot-start-marker
boot system flash0:/c2900-universalk9-mz.SPA.154-3.M3.bin
boot-end-marker
!
aqm-register-fnf
!
logging buffered 100000000
!
aaa new-model
!
!
aaa group server radius ADAUTH
server-private 192.168.1.254 key 7 072800604707185543435A5B577C7865
server-private 192.168.1.110 key 7 0221257702080E71181F584E5641414A
!
aaa authentication login default group ADAUTH local enable
aaa authorization exec default group ADAUTH local
!
!
!
!
!
aaa session-id common
ethernet lmi ce
bsd-client server url https://cloudsso.cisco.com/as/token.oauth2
clock timezone EST -5 0
clock summer-time EDT recurring
!
!
!
!
!
!
!
!
ip port-map user-protocol--2 port tcp 902
ip port-map user-protocol--3 port tcp 10000
ip port-map user-protocol--1 port tcp 3389
ip port-map user-protocol--4 port tcp 8080
ip port-map user-protocol--5 port tcp 9443
!
!
ip dhcp pool TARDIS_CLIENTS
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
domain-name tardis.local
option 150 ip 192.168.1.252 192.168.1.152
dns-server 192.168.1.254 192.168.1.210 8.8.8.8
!
ip dhcp pool TARDIS_WIRELESS_CLIENTS
import all
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
option 150 ip 192.168.1.252 192.168.1.152 192.168.1.54
domain-name tardis.local
dns-server 192.168.1.254 192.168.1.210 8.8.8.8
!
ip dhcp pool TARDIS_WIRED_CLIENTS
import all
network 192.168.3.0 255.255.255.0
default-router 192.168.3.1
dns-server 192.168.1.254 192.168.1.210 8.8.8.8
option 150 ip 192.168.1.252 192.168.1.152 192.168.1.54
domain-name tardis.local
!
ip dhcp pool TARDIS_VOIP
import all
network 192.168.4.0 255.255.255.0
default-router 192.168.4.1
dns-server 192.168.1.254 192.168.1.210 192.168.1.225 8.8.8.8
option 150 ip 192.168.1.252 192.168.1.152 192.168.1.54
domain-name tardis.local
!
!
!
ip domain name tardis.local
ip name-server 192.168.1.254
ip name-server 192.168.1.210
ip cef
no ipv6 cef
!
parameter-map type ooo global
multilink bundle-name authenticated
!
!
!
!
!
!
chat-script lte "" "AT!CALL" TIMEOUT 20 "OK"
cts logging verbose
!
crypto pki trustpoint TP-self-signed-2879372165
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2879372165
revocation-check none
rsakeypair TP-self-signed-2879372165
!
!
crypto pki certificate chain TP-self-signed-2879372165
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32383739 33373231 3635301E 170D3135 30333236 30373331
35395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 38373933
37323136 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100E7F2 F9407268 B26941F7 7B254628 D85314D5 8E1AFF5A A7360001 8AA1FF77
C081A29B 93C53965 76780D13 923B878A 8D582C29 3DD8DA40 BC496964 F22D9CBB
5346F275 76A187E2 E66F987F CD351D2E 0CAE2422 5D90DE4D 792BF4F4 725705B0
613DE12E E9F02C56 8BE559FD 6AF188B6 951063DC AF70FA06 115EA213 E636D3FE
B3DF0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 14A0EAEF 8ACB147A 598B545F 07723112 936F33C1 9B301D06
03551D0E 04160414 A0EAEF8A CB147A59 8B545F07 72311293 6F33C19B 300D0609
2A864886 F70D0101 05050003 8181009E 4F1270AE 9CA55006 896848BA A34E2F2E
13D458D1 014E9171 4C4D6987 D05DB70F B02563E3 4D00905F 1F82F3A8 0DE635B5
39C7E47B C660BF99 52424FD4 6CECDE9A 4C158631 D979E86E 66CF3145 38426058
DAE9F718 96DF98F0 6025D0EA EC31A772 1C7F09DD 9643CBDE C910931B 168EE16E
01B6030F 815DA2E6 6EFE5616 B5A6D3
quit
voice-card 0
!
!
!
voice service voip
fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
!
!
!
!
!
!
license udi pid CISCO2901/K9 sn FTX1745Y0EK
hw-module pvdm 0/0
!
!
!
archive
log config
hidekeys
username josh privilege 15 secret 4 L3yDU5muhsZ/hpwNZQ1owTr51gJKqTKSL0o7ewMUVJs
!
redundancy
!
!
!
!
!
controller Cellular 0/1
lte modem link-recovery rssi onset-threshold -110
lte modem link-recovery monitor-timer 20
lte modem link-recovery wait-timer 10
lte modem link-recovery debounce-count 6
!
track 1 ip sla 1 reachability
delay down 10 up 10
!
!
class-map type inspect match-any SDM_BOOTPC
match access-group name SDM_BOOTPC
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 42.42.42.1 255.255.255.0
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description UPLINK INSIDE INTERFACE ASA
mtu 9000
ip address 192.168.0.2 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description $FW_INSIDE$
mtu 9000
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/1.1
encapsulation dot1Q 1 native
ip dhcp client default-router distance 1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.2
encapsulation dot1Q 2
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.3
encapsulation dot1Q 3
ip address 192.168.3.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.4
encapsulation dot1Q 4
ip address 192.168.4.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Cellular0/1/0
description $FW_OUTSIDE$
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation slip
dialer in-band
dialer string lte
dialer-group 1
async mode interactive
routing dynamic
!
interface Cellular0/1/1
no ip address
encapsulation slip
!
router bgp 42
bgp log-neighbor-changes
network 42.42.42.0 mask 255.255.255.0
network 192.168.2.0
neighbor 108.20.19.254 remote-as 69
neighbor 108.20.19.254 next-hop-self
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source route-map nat2cable interface GigabitEthernet0/0 overload
ip nat inside source route-map nat2cell interface Cellular0/1/0 overload
ip route 0.0.0.0 0.0.0.0 192.168.0.1
ip route 0.0.0.0 0.0.0.0 Cellular0/1/0 20
ip ssh version 2
!
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark CCP_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=1
permit tcp any any eq 22
!
ip sla 1
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0
frequency 10
ip sla schedule 1 life forever start-time now
logging trap debugging
logging source-interface GigabitEthernet0/1.1
logging host 192.168.1.95
dialer-list 1 protocol ip permit
!
route-map nat2cable permit 10
match interface GigabitEthernet0/0
!
route-map nat2cell permit 10
match interface Cellular0/1/0
!
!
snmp-server community public RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps flowmon
snmp-server enable traps transceiver all
snmp-server enable traps ds1
snmp-server enable traps call-home message-send-fail server-fail
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps gatekeeper
snmp-server enable traps xgcp
snmp-server enable traps license
snmp-server enable traps envmon
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps auth-framework sec-violation
snmp-server enable traps c3g
snmp-server enable traps ds3
snmp-server enable traps adslline
snmp-server enable traps vdsl2line
snmp-server enable traps icsudsu
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps ds0-busyout
snmp-server enable traps ds1-loopback
snmp-server enable traps energywise
snmp-server enable traps vstack
snmp-server enable traps mac-notification
snmp-server enable traps trustsec-sxp conn-srcaddr-err msg-parse-err conn-config-err binding-err conn-up conn-down binding-expn-fail oper-nodeid-change binding-conflict
snmp-server enable traps bgp cbgp2
snmp-server enable traps isis
snmp-server enable traps ospfv3 state-change
snmp-server enable traps ospfv3 errors
snmp-server enable traps aaa_server
snmp-server enable traps atm subif
snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
snmp-server enable traps memory bufferpeak
snmp-server enable traps cnpd
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps entity
snmp-server enable traps fru-ctrl
snmp-server enable traps resource-policy
snmp-server enable traps event-manager
snmp-server enable traps frame-relay multilink bundle-mismatch
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps nhrp nhs
snmp-server enable traps nhrp nhc
snmp-server enable traps nhrp nhp
snmp-server enable traps nhrp quota-exceeded
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps l2tun session
snmp-server enable traps l2tun pseudowire status
snmp-server enable traps vtp
snmp-server enable traps waas
snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config
snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up
snmp-server enable traps ipsla
snmp-server enable traps bfd
snmp-server enable traps dial
snmp-server enable traps dsp card-status
snmp-server enable traps dsp oper-state
snmp-server enable traps dsp video-usage
snmp-server enable traps dsp video-out-of-resource
snmp-server enable traps gdoi gm-start-registration
snmp-server enable traps gdoi gm-registration-complete
snmp-server enable traps gdoi gm-re-register
snmp-server enable traps gdoi gm-rekey-rcvd
snmp-server enable traps gdoi gm-rekey-fail
snmp-server enable traps gdoi ks-rekey-pushed
snmp-server enable traps gdoi gm-incomplete-cfg
snmp-server enable traps gdoi ks-no-rsa-keys
snmp-server enable traps gdoi ks-new-registration
snmp-server enable traps gdoi ks-reg-complete
snmp-server enable traps firewall serverstatus
snmp-server enable traps ike policy add
snmp-server enable traps ike policy delete
snmp-server enable traps ike tunnel start
snmp-server enable traps ike tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps rf
snmp-server enable traps bulkstat collection transfer
snmp-server enable traps vrfmib vrf-up vrf-down vnet-trunk-up vnet-trunk-down
snmp-server enable traps ethernet cfm alarm
snmp-server enable traps ccme
snmp-server enable traps srst
snmp-server enable traps voice
snmp-server enable traps dnis
snmp mib nhrp
access-list 1 permit any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip any any
access-list 181 permit ip any host 192.168.1.81
!
!
!
control-plane
!
!
voice-port 0/0/0
timing hookflash-out 50
timing guard-out 1000
caller-id enable
!
voice-port 0/0/1
shutdown
!
!
!
!
!
mgcp
mgcp call-agent tardis-CUCM 2427 service-type mgcp version 0.1
mgcp rtp unreachable timeout 1000 action notify
mgcp modem passthrough voip mode nse
mgcp package-capability rtp-package
mgcp package-capability sst-package
mgcp package-capability pre-package
no mgcp package-capability res-package
no mgcp timer receive-rtcp
mgcp sdp simple
mgcp fax t38 inhibit
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
ccm-manager music-on-hold
!
ccm-manager shut-backhaul-interfaces
ccm-manager redundant-host CUCM-Backup
ccm-manager mgcp
no ccm-manager fax protocol cisco
ccm-manager config server 192.168.1.252 192.168.1.152 192.168.1.54
ccm-manager config
!
dial-peer voice 999000 pots
service mgcpapp
port 0/0/0
!
dial-peer voice 99900990 pots
service mgcpapp
port 0/0/0
!
dial-peer voice 99900099 pots
service mgcpapp
port 0/0/0
!
!
!
!
gatekeeper
shutdown
!
!
telephony-service
max-conferences 8 gain -6
transfer-system full-consult
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 0/1/0
script dialer lte
modem InOut
no exec
line 0/1/1
no exec
line vty 0 4
exec-timeout 0 0
transport input ssh
transport output telnet ssh
line vty 5 15
exec-timeout 0 0
transport input ssh
transport output telnet ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 129.6.15.30
!
end
11-23-2015 11:02 AM
Hello,
Ping from ASA Inside to LAN is allowed by default. If you want to ping from LAN to ASA Inside interface, you need to set this command "icmp permit any inside" on ASA.
It takes about 30 to 50 seconds until your switch interfaces go to forwarding state based on the configuration if you enable the interface. It might have been the reason for your issue.
Masoud
11-23-2015 11:29 AM
Hi Masoud, I am able to ping from the LAN to the inside interface, but I'm not able to ping any devices on the LAN.
11-23-2015 12:56 PM
Can you give me some IPs which you are pinging from the ASA? Can you ping one device from another device? I mean, do your devices have a firewall or antivirus installed?
Masoud
11-25-2015 08:15 PM
Masoud, I am trying to ping devices on the 192.168.1-.4 subnets. I can ping the ASA from any device inside the LAN (including the firepower interface in the 192.168.1.0 subnet, even though it resides on the ASA). No firewall/antivirus.
11-25-2015 08:41 PM
Hello,
I am just understanding your topology.
In ASA routing table you have
192.168.1.0 255.255.255.0 [1/0] via 192.168.1.1, inside [where does it come from?]
but on the configuration
route inside 192.168.1.0 255.255.255.0 192.168.0.2 250
They do not match.
Is it the last configuration and the last show command you have?
Masoud
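The mismatch Masoud points at (a next hop of 192.168.1.1 on an interface whose only connected subnet is 192.168.0.0/24) is something you can check mechanically. The script below is an added example, not code from the thread or from Cisco: it takes the ASA's connected subnets and static routes as constructed tuples copied from the routing table and running configuration posted above, flags any static route whose next hop is not inside the connected subnet of its egress interface, and lists router LAN subnets for which the ASA has no route at all. The function and variable names are this example's own.

```python
import ipaddress

# Connected subnets per ASA interface, constructed from the "C" entries
# of the ASA routing table posted in the thread.
ASA_CONNECTED = {
    "outside": ipaddress.ip_network("73.249.122.0/24"),
    "inside": ipaddress.ip_network("192.168.0.0/24"),
}

# Static routes as (destination, next hop, egress interface).
# First set: the "S" entries from the original show route output.
ROUTES_FROM_SHOW_ROUTE = [
    ("192.168.1.0/24", "192.168.1.1", "inside"),
    ("192.168.2.0/24", "192.168.1.1", "inside"),
]
# Second set: the "route inside ..." lines from the later running config.
ROUTES_FROM_RUNNING_CONFIG = [
    ("192.168.1.0/24", "192.168.0.2", "inside"),
    ("192.168.2.0/24", "192.168.0.2", "inside"),
    ("192.168.3.0/24", "192.168.0.2", "inside"),
    ("192.168.4.0/24", "192.168.0.2", "inside"),
]

# Subnets the router serves on its Gi0/1.x sub-interfaces (its "C" entries).
ROUTER_LAN_SUBNETS = [
    "192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24", "192.168.4.0/24",
]


def check_next_hops(routes, connected):
    """Return (destination, problem) pairs for static routes whose next hop
    cannot be reached directly on the interface the route points out of."""
    problems = []
    for dest, nh, ifname in routes:
        subnet = connected.get(ifname)
        if subnet is None:
            problems.append((dest, f"interface {ifname} has no connected subnet"))
            continue
        nh_addr = ipaddress.ip_address(nh)
        if nh_addr not in subnet:
            # The ASA cannot ARP for a next hop outside its own subnet.
            problems.append((dest, f"next hop {nh} is not in {subnet} on {ifname}"))
        elif nh_addr in ipaddress.ip_network(dest):
            # A next hop inside the destination it is supposed to reach is circular.
            problems.append((dest, f"next hop {nh} lies inside destination {dest}"))
    return problems


def missing_routes(routes, lan_subnets, connected):
    """Return LAN subnets that are neither connected nor covered by a static route."""
    known = {ipaddress.ip_network(d) for d, _, _ in routes} | set(connected.values())
    return [s for s in lan_subnets if ipaddress.ip_network(s) not in known]


if __name__ == "__main__":
    for label, routes in (("show route", ROUTES_FROM_SHOW_ROUTE),
                          ("running config", ROUTES_FROM_RUNNING_CONFIG)):
        print(f"== {label} ==")
        for dest, why in check_next_hops(routes, ASA_CONNECTED):
            print(f"  BAD {dest}: {why}")
        for s in missing_routes(routes, ROUTER_LAN_SUBNETS, ASA_CONNECTED):
            print(f"  MISSING route for {s}")
```

Run against the first routing table it reports both static routes as unreachable next hops and no routes for 192.168.3.0/24 and 192.168.4.0/24; against the later running configuration (next hop 192.168.0.2 for all four subnets) it reports nothing, which is why the two outputs in the thread cannot come from the same configuration.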
11-26-2015 12:13 AM
You are NATting that traffic at the router to the router's outside interface. If you check the logs on the ASA when running that ping, you will see nothing coming from the 192.168.1.0 network.
11-24-2015 06:30 AM
Hello Joshua,
Are you able to see the MAC addresses of the LAN devices on the ASA, and what is this device 192.168.1.1? Is any ACL configured here?
-GI
11-25-2015 08:13 PM
Ganesh, how should I check that?
11-26-2015 12:12 AM
show arp is how you would check, but the ASA would have to be in the same layer 2 network as the devices; it currently is not.
11-26-2015 12:11 AM
He won't be able to; the only IP address that's on the ASA is in the 192.168.0.0/24 network, plus whatever DHCP he's getting from the ISP. The reason he's able to ping one way but not the other is that he has NAT configured on the router, so anything sent from the ASA looks like it's coming from the router's 192.168.0.0/24 address that was statically configured but is now being assigned by the DHCP pool on the ASA. 192.168.1.1 is the gi0/1.1 interface on his router, which the ASA has no visibility of.
11-26-2015 12:08 AM
You have NAT configured, and to the ASA all the traffic from the LAN looks like it's coming from the router's outside IP address (which is in the 192.168.0.0/24 network). Unconfigure the NATs on the router and put a static IP address (such as 192.168.0.2) on the outside of the router to add as the next hop on the ASA for the inside networks; it has no idea where 192.168.1.0/24 is at the moment, since it's not a connected interface, nor is there a valid next hop for that network. You also haven't added routes in the ASA for 192.168.3.0/24 or 192.168.4.0/24, which will need to be done as well.
That tracked route isn't actually tracking anything as well; you need to have your IP SLA configured (track 1 is referencing SLA 1, which doesn't exist). My assumption would be that it's routing out of your cellular backup route; you can look at the route table to verify.
Then, to get to the internet, you will need to configure the NATs on the ASA along with an access list on the outside to permit those other NATs to send traffic, which the ASA will then route to the router.
HTH
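The one-way reachability described in the last two replies (LAN hosts can ping the ASA, the ASA cannot ping LAN hosts) follows from where the router's NAT overload sits. The simulation below is an added example, not the thread's or Cisco's code, and it uses a deliberately simplified model of `ip nat inside source ... interface GigabitEthernet0/0 overload` as an assumption: inside-to-outside packets always get their source rewritten to the router's Gi0/0 address, outside-to-inside packets are only un-translated when they are addressed to that Gi0/0 address and match an existing mapping, and anything else is routed untouched. The host address 192.168.1.50 and the ICMP identifiers are constructed values; class and function names are this example's own.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    kind: str    # "echo" or "echo-reply"
    ident: int   # ICMP identifier; PAT uses it the way it uses a port


class OverloadNat:
    """Simplified (assumed) model of IOS 'ip nat inside source ... overload'
    with Gi0/0 as the NAT outside interface, as in the posted router config."""

    def __init__(self, outside_ip, inside_nets):
        self.outside_ip = outside_ip
        self.inside_nets = [ipaddress.ip_network(n) for n in inside_nets]
        # (outside_ip, translated ident) -> (inside src, original ident)
        self.table = {}
        self.next_ident = 1024

    def is_inside(self, ip):
        return any(ipaddress.ip_address(ip) in n for n in self.inside_nets)

    def forward(self, pkt):
        """Return the packet as it leaves the router, or None if it has nowhere to go."""
        if self.is_inside(pkt.src) and not self.is_inside(pkt.dst):
            # inside -> outside: rewrite the source to Gi0/0's address, reuse or
            # allocate an identifier so the return packet can be mapped back.
            key = next((k for k, v in self.table.items()
                        if v == (pkt.src, pkt.ident)), None)
            if key is None:
                key = (self.outside_ip, self.next_ident)
                self.next_ident += 1
                self.table[key] = (pkt.src, pkt.ident)
            return Packet(self.outside_ip, pkt.dst, pkt.kind, key[1])
        if not self.is_inside(pkt.src) and pkt.dst == self.outside_ip:
            # outside -> Gi0/0 address: only a known mapping can be un-translated.
            entry = self.table.get((pkt.dst, pkt.ident))
            if entry is None:
                return None
            return Packet(pkt.src, entry[0], pkt.kind, entry[1])
        # outside -> some inside host: plain routing, nothing is rewritten.
        return pkt


class NoNat:
    """Router after 'no ip nat inside source ...': everything is just routed."""

    def forward(self, pkt):
        return pkt


def ping(router, src, dst, ident=7):
    """Send one echo from src to dst across the router and report whether the
    reply comes back from the address that was pinged, which is what a ping
    actually checks. Returns True on success, False otherwise."""
    req = router.forward(Packet(src, dst, "echo", ident))
    if req is None:
        return False
    # The target answers by swapping addresses and keeping the identifier.
    reply = router.forward(Packet(req.dst, req.src, "echo-reply", req.ident))
    if reply is None:
        return False
    return reply.src == dst and reply.dst == src


LAN_NETS = ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24", "192.168.4.0/24"]
ASA_INSIDE = "192.168.0.1"     # from the ASA config in the thread
ROUTER_GI00 = "192.168.0.2"    # from the router config in the thread
LAN_HOST = "192.168.1.50"      # constructed example host

if __name__ == "__main__":
    nat = OverloadNat(ROUTER_GI00, LAN_NETS)
    print("LAN host -> ASA with router NAT :", ping(nat, LAN_HOST, ASA_INSIDE))
    print("ASA -> LAN host with router NAT :", ping(nat, ASA_INSIDE, LAN_HOST))
    print("ASA -> LAN host, NAT removed    :", ping(NoNat(), ASA_INSIDE, LAN_HOST))
```

In the NAT case the ASA's echo reaches the LAN host unchanged, but the host's reply crosses the router inside-to-outside and is rewritten to come from 192.168.0.2 with a fresh identifier, so the ASA never sees a reply from the address it pinged; with the router's NAT removed and the ASA holding routes for the LAN subnets via 192.168.0.2, the same ping succeeds.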