Routing between ASA-5506X and 2901 Router

Joshua Smick
Level 1

I've recently acquired a 5506-X that I want to use in my home lab to implement Firepower.  On the outside interface, it is connected to a cable modem, and it is connected to the 2901 router on the inside interface.  I can access the WAN from the LAN, but I cannot ping any IP addresses on the LAN from the ASA, and I'm rather new to configuring routes, so I'm not entirely certain why.  I've attached the configurations of the router and the ASA, and here are the routing tables from the ASA and the router:

From the ASA:

Gateway of last resort is 73.249.122.1 to network 0.0.0.0

S*    0.0.0.0 0.0.0.0 [1/0] via 73.249.122.1, outside

C        73.249.122.0 255.255.255.0 is directly connected, outside

L        73.249.122.87 255.255.255.255 is directly connected, outside

C        192.168.0.0 255.255.255.0 is directly connected, inside

L        192.168.0.1 255.255.255.255 is directly connected, inside

S     192.168.1.0 255.255.255.0 [1/0] via 192.168.1.1, inside

S     192.168.2.0 255.255.255.0 [1/0] via 192.168.1.1, inside

From the router:

S*    0.0.0.0/0 is directly connected

      42.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

C        42.42.42.0/24 is directly connected, Loopback0

L        42.42.42.1/32 is directly connected, Loopback0

      192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks

C        192.168.0.0/24 is directly connected, GigabitEthernet0/0

L        192.168.0.7/32 is directly connected, GigabitEthernet0/0

      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks

C        192.168.1.0/24 is directly connected, GigabitEthernet0/1.1

L        192.168.1.1/32 is directly connected, GigabitEthernet0/1.1

      192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks

C        192.168.2.0/24 is directly connected, GigabitEthernet0/1.2

L        192.168.2.1/32 is directly connected, GigabitEthernet0/1.2

      192.168.3.0/24 is variably subnetted, 2 subnets, 2 masks

C        192.168.3.0/24 is directly connected, GigabitEthernet0/1.3

L        192.168.3.1/32 is directly connected, GigabitEthernet0/1.3

      192.168.4.0/24 is variably subnetted, 2 subnets, 2 masks

C        192.168.4.0/24 is directly connected, GigabitEthernet0/1.4

L        192.168.4.1/32 is directly connected, GigabitEthernet0/1.4

What am I doing wrong?  


Ganesh Hariharan
VIP Alumni

Hello,

Are you able to ping 192.168.1.1 from the ASA, as you have pointed two static routes towards this device?

What is this device?

-GI

I now have traffic flowing, and I was able to ping inside the LAN, but now I can't and I can't seem to figure out what I did.  Here are the new configurations:

ASA:

ASA Version 9.5(1) 

!

hostname RADAR

enable password T1fWrHZ5QAlSt1nT encrypted

names

!

interface GigabitEthernet1/1

 nameif outside

 security-level 0

 ip address dhcp setroute 

!

interface GigabitEthernet1/2

 nameif inside

 security-level 100

 ip address 192.168.0.1 255.255.255.0 

!

interface GigabitEthernet1/3

 shutdown

 no nameif

 no security-level

 no ip address

!

interface GigabitEthernet1/4

 shutdown

 no nameif

 no security-level

 no ip address

!

interface GigabitEthernet1/5

 shutdown

 no nameif

 no security-level

 no ip address

!

interface GigabitEthernet1/6

 shutdown

 no nameif

 no security-level

 no ip address

!

interface GigabitEthernet1/7

 shutdown

 no nameif

 no security-level

 no ip address

!

interface GigabitEthernet1/8

 shutdown

 no nameif

 no security-level

 no ip address

!

interface Management1/1

 management-only

 no nameif

 no security-level

 no ip address

!

ftp mode passive

object-group network INSIDE_NETWORKS

 description INSIDE NETWORKS

 network-object 192.168.1.0 255.255.255.0

 network-object 192.168.2.0 255.255.255.0

 network-object 192.168.3.0 255.255.255.0

 network-object 192.168.4.0 255.255.255.0

 network-object 192.168.0.0 255.255.255.0

access-list OUTSIDE_FLOWING_IN extended permit icmp any4 any4 

pager lines 24

logging enable

logging monitor debugging

logging buffered debugging

logging asdm debugging

mtu outside 1500

mtu inside 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit any echo outside

icmp permit any echo-reply outside

asdm image disk0:/asdm-751.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (inside,outside) source dynamic INSIDE_NETWORKS interface

access-group OUTSIDE_FLOWING_IN in interface outside

route inside 192.168.1.0 255.255.255.0 192.168.0.2 250

route inside 192.168.2.0 255.255.255.0 192.168.0.2 250

route inside 192.168.3.0 255.255.255.0 192.168.0.2 250

route inside 192.168.4.0 255.255.255.0 192.168.0.2 250

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL 

http server enable

http 192.168.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

service sw-reset-button

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy

telnet timeout 5

no ssh stricthostkeycheck

ssh 0.0.0.0 0.0.0.0 outside

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 5

ssh version 2

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcpd auto_config outside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

dynamic-access-policy-record DfltAccessPolicy

username emoon password 271aLcXJ/BX03czK encrypted privilege 15

username jsmick password Ly/Cemc44Pbtm2d5 encrypted privilege 15

!

class-map sfr-global-class

 match any

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

 parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

 class inspection_default

  inspect dns preset_dns_map 

  inspect ftp 

  inspect h323 h225 

  inspect h323 ras 

  inspect rsh 

  inspect rtsp 

  inspect esmtp 

  inspect sqlnet 

  inspect skinny  

  inspect sunrpc 

  inspect xdmcp 

  inspect sip  

  inspect netbios 

  inspect tftp 

  inspect ip-options 

 class sfr-global-class

  sfr fail-open

!

service-policy global_policy global

prompt hostname context 

no call-home reporting anonymous

Cryptochecksum:e3583289199e8f4e15a3fae50df733a5

: end

Router:

version 15.5

service timestamps debug datetime msec

service timestamps log datetime localtime

service password-encryption

!

hostname Tardis

!

boot-start-marker

boot system flash0:/c2900-universalk9-mz.SPA.154-3.M3.bin

boot-end-marker

!

aqm-register-fnf

!

logging buffered 100000000

!

aaa new-model

!

!

aaa group server radius ADAUTH

 server-private 192.168.1.254 key 7 072800604707185543435A5B577C7865

 server-private 192.168.1.110 key 7 0221257702080E71181F584E5641414A

!

aaa authentication login default group ADAUTH local enable

aaa authorization exec default group ADAUTH local 

!

!

!

!

!

aaa session-id common

ethernet lmi ce

bsd-client server url https://cloudsso.cisco.com/as/token.oauth2

clock timezone EST -5 0

clock summer-time EDT recurring

!

!

!

!

!

!

!

!         

ip port-map user-protocol--2 port tcp 902

ip port-map user-protocol--3 port tcp 10000

ip port-map user-protocol--1 port tcp 3389

ip port-map user-protocol--4 port tcp 8080

ip port-map user-protocol--5 port tcp 9443

!

!

ip dhcp pool TARDIS_CLIENTS

 import all

 network 192.168.1.0 255.255.255.0

 default-router 192.168.1.1 

 domain-name tardis.local

 option 150 ip 192.168.1.252 192.168.1.152 

 dns-server 192.168.1.254 192.168.1.210 8.8.8.8 

!

ip dhcp pool TARDIS_WIRELESS_CLIENTS

 import all

 network 192.168.2.0 255.255.255.0

 default-router 192.168.2.1 

 option 150 ip 192.168.1.252 192.168.1.152 192.168.1.54 

 domain-name tardis.local

 dns-server 192.168.1.254 192.168.1.210 8.8.8.8 

!

ip dhcp pool TARDIS_WIRED_CLIENTS

 import all

 network 192.168.3.0 255.255.255.0

 default-router 192.168.3.1 

 dns-server 192.168.1.254 192.168.1.210 8.8.8.8 

 option 150 ip 192.168.1.252 192.168.1.152 192.168.1.54 

 domain-name tardis.local

!

ip dhcp pool TARDIS_VOIP

 import all

 network 192.168.4.0 255.255.255.0

 default-router 192.168.4.1 

 dns-server 192.168.1.254 192.168.1.210 192.168.1.225 8.8.8.8 

 option 150 ip 192.168.1.252 192.168.1.152 192.168.1.54 

 domain-name tardis.local

!

!

!

ip domain name tardis.local

ip name-server 192.168.1.254

ip name-server 192.168.1.210

ip cef

no ipv6 cef

!

parameter-map type ooo global

multilink bundle-name authenticated

!

!

!

!

!

!

chat-script lte "" "AT!CALL" TIMEOUT 20 "OK"

cts logging verbose

!

crypto pki trustpoint TP-self-signed-2879372165

 enrollment selfsigned

 subject-name cn=IOS-Self-Signed-Certificate-2879372165

 revocation-check none

 rsakeypair TP-self-signed-2879372165

!

!

crypto pki certificate chain TP-self-signed-2879372165

 certificate self-signed 01

  quit

voice-card 0

!

!

!

voice service voip

 fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none

!

!

!

!

!

!

license udi pid CISCO2901/K9 sn FTX1745Y0EK

hw-module pvdm 0/0

!

!

!

archive

 log config

  hidekeys

username josh privilege 15 secret 4 L3yDU5muhsZ/hpwNZQ1owTr51gJKqTKSL0o7ewMUVJs

!

redundancy

!

!

!

!

!

controller Cellular 0/1

 lte modem link-recovery rssi onset-threshold -110

 lte modem link-recovery monitor-timer 20

 lte modem link-recovery wait-timer 10

 lte modem link-recovery debounce-count 6

!

track 1 ip sla 1 reachability

 delay down 10 up 10

!

!

class-map type inspect match-any SDM_BOOTPC

 match access-group name SDM_BOOTPC

class-map type inspect match-any ccp-cls-icmp-access

 match protocol icmp

 match protocol tcp

 match protocol udp

class-map type inspect match-any SDM_SSH

 match access-group name SDM_SSH

class-map type inspect match-any SDM_HTTPS

 match access-group name SDM_HTTPS

class-map type inspect match-any SDM_SHELL

 match access-group name SDM_SHELL

!         

!

!

!

!

!

!

!

!

!

interface Loopback0

 ip address 42.42.42.1 255.255.255.0

!

interface Embedded-Service-Engine0/0

 no ip address

 shutdown

!

interface GigabitEthernet0/0

 description UPLINK INSIDE INTERFACE ASA

 mtu 9000

 ip address 192.168.0.2 255.255.255.0

 ip nat outside

 ip virtual-reassembly in

 duplex auto

 speed auto

!

interface GigabitEthernet0/1

 description $FW_INSIDE$

 mtu 9000

 no ip address

 duplex auto

 speed auto

!

interface GigabitEthernet0/1.1

 encapsulation dot1Q 1 native

 ip dhcp client default-router distance 1

 ip address 192.168.1.1 255.255.255.0

 ip nat inside

 ip virtual-reassembly in

!

interface GigabitEthernet0/1.2

 encapsulation dot1Q 2

 ip address 192.168.2.1 255.255.255.0

 ip nat inside

 ip virtual-reassembly in

!

interface GigabitEthernet0/1.3

 encapsulation dot1Q 3

 ip address 192.168.3.1 255.255.255.0

 ip nat inside

 ip virtual-reassembly in

!

interface GigabitEthernet0/1.4

 encapsulation dot1Q 4

 ip address 192.168.4.1 255.255.255.0

 ip nat inside

 ip virtual-reassembly in

!

interface Cellular0/1/0

 description $FW_OUTSIDE$

 ip address negotiated

 ip nat outside

 ip virtual-reassembly in

 encapsulation slip

 dialer in-band

 dialer string lte

 dialer-group 1

 async mode interactive

 routing dynamic

!

interface Cellular0/1/1

 no ip address

 encapsulation slip

!

router bgp 42

 bgp log-neighbor-changes

 network 42.42.42.0 mask 255.255.255.0

 network 192.168.2.0

 neighbor 108.20.19.254 remote-as 69

 neighbor 108.20.19.254 next-hop-self

!

ip forward-protocol nd

!

ip http server

ip http authentication local

ip http secure-server

!

ip nat inside source route-map nat2cable interface GigabitEthernet0/0 overload

ip nat inside source route-map nat2cell interface Cellular0/1/0 overload

ip route 0.0.0.0 0.0.0.0 192.168.0.1

ip route 0.0.0.0 0.0.0.0 Cellular0/1/0 20

ip ssh version 2

!         

ip access-list extended SDM_BOOTPC

 remark CCP_ACL Category=0

 permit udp any any eq bootpc

ip access-list extended SDM_HTTPS

 remark CCP_ACL Category=1

 permit tcp any any eq 443

ip access-list extended SDM_SHELL

 remark CCP_ACL Category=1

 permit tcp any any eq cmd

ip access-list extended SDM_SSH

 remark CCP_ACL Category=1

 permit tcp any any eq 22

!

ip sla 1

 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0

 frequency 10

ip sla schedule 1 life forever start-time now

logging trap debugging

logging source-interface GigabitEthernet0/1.1

logging host 192.168.1.95

dialer-list 1 protocol ip permit

!

route-map nat2cable permit 10

 match interface GigabitEthernet0/0

!

route-map nat2cell permit 10

 match interface Cellular0/1/0

!

!

snmp-server community public RO

snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

snmp-server enable traps vrrp

snmp-server enable traps flowmon

snmp-server enable traps transceiver all

snmp-server enable traps ds1

snmp-server enable traps call-home message-send-fail server-fail

snmp-server enable traps tty

snmp-server enable traps eigrp

snmp-server enable traps ospf state-change

snmp-server enable traps ospf errors

snmp-server enable traps ospf retransmit

snmp-server enable traps ospf lsa

snmp-server enable traps ospf cisco-specific state-change nssa-trans-change

snmp-server enable traps ospf cisco-specific state-change shamlink interface

snmp-server enable traps ospf cisco-specific state-change shamlink neighbor

snmp-server enable traps ospf cisco-specific errors

snmp-server enable traps ospf cisco-specific retransmit

snmp-server enable traps ospf cisco-specific lsa

snmp-server enable traps gatekeeper

snmp-server enable traps xgcp

snmp-server enable traps license

snmp-server enable traps envmon

snmp-server enable traps flash insertion

snmp-server enable traps flash removal

snmp-server enable traps auth-framework sec-violation

snmp-server enable traps c3g

snmp-server enable traps ds3

snmp-server enable traps adslline

snmp-server enable traps vdsl2line

snmp-server enable traps icsudsu

snmp-server enable traps isdn call-information

snmp-server enable traps isdn layer2

snmp-server enable traps isdn chan-not-avail

snmp-server enable traps isdn ietf

snmp-server enable traps ds0-busyout

snmp-server enable traps ds1-loopback

snmp-server enable traps energywise

snmp-server enable traps vstack

snmp-server enable traps mac-notification

snmp-server enable traps trustsec-sxp conn-srcaddr-err msg-parse-err conn-config-err binding-err conn-up conn-down binding-expn-fail oper-nodeid-change binding-conflict

snmp-server enable traps bgp cbgp2

snmp-server enable traps isis

snmp-server enable traps ospfv3 state-change

snmp-server enable traps ospfv3 errors

snmp-server enable traps aaa_server

snmp-server enable traps atm subif

snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency

snmp-server enable traps memory bufferpeak

snmp-server enable traps cnpd

snmp-server enable traps config-copy

snmp-server enable traps config

snmp-server enable traps config-ctid

snmp-server enable traps entity

snmp-server enable traps fru-ctrl

snmp-server enable traps resource-policy

snmp-server enable traps event-manager

snmp-server enable traps frame-relay multilink bundle-mismatch

snmp-server enable traps frame-relay

snmp-server enable traps frame-relay subif

snmp-server enable traps hsrp

snmp-server enable traps ipmulticast

snmp-server enable traps msdp

snmp-server enable traps mvpn

snmp-server enable traps nhrp nhs

snmp-server enable traps nhrp nhc

snmp-server enable traps nhrp nhp

snmp-server enable traps nhrp quota-exceeded

snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message

snmp-server enable traps pppoe

snmp-server enable traps cpu threshold

snmp-server enable traps rsvp

snmp-server enable traps l2tun session

snmp-server enable traps l2tun pseudowire status

snmp-server enable traps vtp

snmp-server enable traps waas 

snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config

snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up

snmp-server enable traps ipsla

snmp-server enable traps bfd

snmp-server enable traps dial

snmp-server enable traps dsp card-status

snmp-server enable traps dsp oper-state

snmp-server enable traps dsp video-usage

snmp-server enable traps dsp video-out-of-resource

snmp-server enable traps gdoi gm-start-registration

snmp-server enable traps gdoi gm-registration-complete

snmp-server enable traps gdoi gm-re-register

snmp-server enable traps gdoi gm-rekey-rcvd

snmp-server enable traps gdoi gm-rekey-fail

snmp-server enable traps gdoi ks-rekey-pushed

snmp-server enable traps gdoi gm-incomplete-cfg

snmp-server enable traps gdoi ks-no-rsa-keys

snmp-server enable traps gdoi ks-new-registration

snmp-server enable traps gdoi ks-reg-complete

snmp-server enable traps firewall serverstatus

snmp-server enable traps ike policy add

snmp-server enable traps ike policy delete

snmp-server enable traps ike tunnel start

snmp-server enable traps ike tunnel stop

snmp-server enable traps ipsec cryptomap add

snmp-server enable traps ipsec cryptomap delete

snmp-server enable traps ipsec cryptomap attach

snmp-server enable traps ipsec cryptomap detach

snmp-server enable traps ipsec tunnel start

snmp-server enable traps ipsec tunnel stop

snmp-server enable traps ipsec too-many-sas

snmp-server enable traps rf

snmp-server enable traps bulkstat collection transfer

snmp-server enable traps vrfmib vrf-up vrf-down vnet-trunk-up vnet-trunk-down

snmp-server enable traps ethernet cfm alarm

snmp-server enable traps ccme

snmp-server enable traps srst

snmp-server enable traps voice

snmp-server enable traps dnis

snmp mib nhrp

access-list 1 permit any

access-list 101 permit ip 192.168.1.0 0.0.0.255 any

access-list 101 permit ip any any

access-list 181 permit ip any host 192.168.1.81

!

!

!

control-plane

!

!

voice-port 0/0/0

 timing hookflash-out 50

 timing guard-out 1000

 caller-id enable

!

voice-port 0/0/1

 shutdown

 !

 !

 !

 !

!

mgcp

mgcp call-agent tardis-CUCM 2427 service-type mgcp version 0.1

mgcp rtp unreachable timeout 1000 action notify

mgcp modem passthrough voip mode nse

mgcp package-capability rtp-package

mgcp package-capability sst-package

mgcp package-capability pre-package

no mgcp package-capability res-package

no mgcp timer receive-rtcp

mgcp sdp simple

mgcp fax t38 inhibit

mgcp behavior rsip-range tgcp-only

mgcp behavior comedia-role none

mgcp behavior comedia-check-media-src disable

mgcp behavior comedia-sdp-force disable

!         

mgcp profile default

!

!

ccm-manager music-on-hold

!

ccm-manager shut-backhaul-interfaces 

ccm-manager redundant-host CUCM-Backup

ccm-manager mgcp

no ccm-manager fax protocol cisco

ccm-manager config server 192.168.1.252 192.168.1.152 192.168.1.54

ccm-manager config

!

dial-peer voice 999000 pots

 service mgcpapp

 port 0/0/0

!

dial-peer voice 99900990 pots

 service mgcpapp

 port 0/0/0

!

dial-peer voice 99900099 pots

 service mgcpapp

 port 0/0/0

!

!

!

!

gatekeeper

 shutdown

!

!

telephony-service

 max-conferences 8 gain -6

 transfer-system full-consult

!

!

!

line con 0

line aux 0

line 2

 no activation-character

 no exec

 transport preferred none

 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

 stopbits 1

line 0/1/0

 script dialer lte

 modem InOut

 no exec

line 0/1/1

 no exec

line vty 0 4

 exec-timeout 0 0

 transport input ssh

 transport output telnet ssh

line vty 5 15

 exec-timeout 0 0

 transport input ssh

 transport output telnet ssh

!

scheduler allocate 20000 1000

ntp update-calendar

ntp server 129.6.15.30

!

end

Hello,

Ping from ASA Inside to LAN is allowed by default. If you want to ping from LAN to ASA Inside interface, you need to set this command "icmp permit any inside" on ASA.

It takes about 30 to 50 seconds until your switch interfaces go to forwarding state based on the configuration if you enable the interface. It might have been the reason for your issue.

Masoud

Hi Masoud, I am able to ping from the LAN to the inside interface, but I'm not able to ping any devices on the LAN.  

Can you give me some IPs which you are pinging from the ASA? Can you ping one device from another device? I mean, do your devices have a firewall or antivirus installed?

Masoud

Masoud, I am trying to ping devices on the 192.168.1-.4 subnets.  I can ping the ASA from any device inside the LAN (including the firepower interface in the 192.168.1.0 subnet, even though it resides on the ASA).  No firewall/antivirus.  

Hello,

I am just understanding your topology.

In ASA routing table you have

192.168.1.0 255.255.255.0 [1/0] via 192.168.1.1, inside [where does it come from?]

but on the configuration

route inside 192.168.1.0 255.255.255.0 192.168.0.2 250

They do not match.

Is it the last configuration and the last show command you have?

Masoud

Masoud

You are NATting that traffic at the router to the router's outside interface. If you check the logs on the ASA when running that ping, you will see nothing coming from the 192.168.1.0 network.

Hello Joshua,

Are you able to see the MAC addresses of the LAN devices on the ASA, and what is this device 192.168.1.1? Is any ACL configured here?

-GI

Ganesh, how should I check that?

show arp is how you would check, but the ASA would have to be in the same layer 2 network as the devices; it currently is not.

He won't be able to; the only IP address that's on the ASA is the 192.168.0.0/24 network and whatever DHCP he's getting from the ISP. The reason he's able to ping one way but not the other is that he has NAT configured on the router, so anything sent from the ASA looks like it's coming from the router's 192.168.0.0/24 address that was statically configured but is now being assigned by the DHCP pool on the ASA. 192.168.1.1 is the gi0/1.1 interface on his router, which the ASA has no visibility of.

Fallacy11
Level 1

You have NAT configured on the router, so all the traffic from the LAN looks like it's coming from the router's outside IP address (which is in the 192.168.0.0/24 network). Unconfigure those NATs on the router and put a static IP address (such as 192.168.0.2) on the outside of the router to add as the next hop on the ASA for the inside networks; it has no idea where 192.168.1.0/24 is at the moment, since it's not a connected interface, nor is there a valid next hop for that network. You also haven't added routes in the ASA for 192.168.3.0/24 or 192.168.4.0/24, which will need to be done as well.

That tracked route isn't actually tracking anything either; you need to have your ip sla configured (track 1 is referencing sla 1, which doesn't exist). My assumption would be that it's routing out of your cellular backup route; you can look at the route table to verify.

Then, to get to the internet, you will need to configure the NATs on the ASA along with an access list for the outside to permit those other NATs to send traffic, which the ASA will then route to the router.

HTH
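As an added example (my own code, not from the thread or from Cisco), here is a small Python checker for the two things the replies above point at: it parses ASA-style `interface`/`nameif`/`ip address`, `object-group` and `route` lines and flags static routes whose next hop is not on the bound interface's connected subnet (the `via 192.168.1.1, inside` entry in the first routing table), plus NAT source networks that have neither a connected interface nor a route. The sample configs are constructed from the thread's ASA, not the poster's full config.

```python
"""ASA static-route and NAT-coverage sanity checker (added example)."""
import ipaddress
import re

# Constructed sample modelled on the thread's ASA, not the poster's full config.
# BROKEN carries the mismatch from his first routing table (next hop 192.168.1.1
# on an interface addressed 192.168.0.1/24) and lacks routes for two LANs.
BROKEN_ASA_CONFIG = """\
interface GigabitEthernet1/1
 nameif outside
 ip address dhcp setroute
interface GigabitEthernet1/2
 nameif inside
 ip address 192.168.0.1 255.255.255.0
object-group network INSIDE_NETWORKS
 network-object 192.168.0.0 255.255.255.0
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.2.0 255.255.255.0
 network-object 192.168.3.0 255.255.255.0
 network-object 192.168.4.0 255.255.255.0
route inside 192.168.1.0 255.255.255.0 192.168.1.1 1
route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
"""

# Corrected shape: next hop is the router's 192.168.0.2 and every LAN is routed.
FIXED_ASA_CONFIG = BROKEN_ASA_CONFIG.replace("192.168.1.1 1", "192.168.0.2 250") + """\
route inside 192.168.3.0 255.255.255.0 192.168.0.2 250
route inside 192.168.4.0 255.255.255.0 192.168.0.2 250
"""

ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+\d+)?\s*$")
ADDR_RE = re.compile(r"^\s+ip address\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)")
OBJ_RE = re.compile(r"^\s+network-object\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)")


def parse_interfaces(config):
    """Map each nameif to its connected subnet, or None when it is DHCP-addressed."""
    subnets, nameif = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            nameif = None
        elif line.startswith(" nameif "):
            nameif = line.split()[1]
            subnets[nameif] = None
        elif nameif and (m := ADDR_RE.match(line)):  # "ip address dhcp ..." does not match
            subnets[nameif] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
    return subnets


def parse_routes(config):
    """Yield (line, nameif, destination network, next hop) for each static route."""
    for line in config.splitlines():
        if m := ROUTE_RE.match(line):
            yield (line, m[1], ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False),
                   ipaddress.ip_address(m[4]))


def check_static_routes(config):
    """Return (route line, reason) for each route whose next hop cannot be reached."""
    subnets, problems = parse_interfaces(config), []
    for line, ifname, _, gw in parse_routes(config):
        if ifname not in subnets:
            problems.append((line, f"no interface named {ifname}"))
        elif subnets[ifname] is None:
            problems.append((line, f"{ifname} is DHCP-addressed; cannot verify next hop"))
        elif gw not in subnets[ifname]:
            problems.append((line, f"next hop {gw} is not in {ifname} subnet {subnets[ifname]}"))
    return problems


def find_unrouted_nat_networks(config):
    """List NAT source networks that are neither connected nor covered by a static route."""
    known = [n for n in parse_interfaces(config).values() if n is not None]
    known += [dest for _, _, dest, _ in parse_routes(config)]
    missing = []
    for line in config.splitlines():
        if m := OBJ_RE.match(line):
            net = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
            if not any(net.subnet_of(k) for k in known):
                missing.append(str(net))
    return missing


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_ASA_CONFIG), ("fixed", FIXED_ASA_CONFIG)):
        print(label, check_static_routes(cfg), find_unrouted_nat_networks(cfg))
```

Running it against the real `show running-config` output works the same way, since the parser only looks at the `interface`, `network-object` and `route` lines.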
