stuck on routing

k_armstrong (Level 1)

I'm relatively new to Cisco products, but not to networking itself.

I have two devices, as laid out below:

      Internet
         ^
         |
Cisco ASA 8.2 <---> Cisco 2811

The inside interface of the ASA is 192.168.0.5.  I have a cable connected to the 2811, and on FE0/0, I have the IP of 192.168.0.19 assigned to it.  I can ping between the devices (from the devices) themselves just fine.

The 2811 is a hand-me-down that we got from another organization that already had VLANs configured on it.  I am not allowed to modify any other interface besides FE0/0 due to the equipment that is connected to the other interfaces.

What I am trying to do is get the networks that are attached to the 2811 to be able to communicate with my 192.168.0.0/24 network behind the ASA.  I set up some static routes, modified the ACL to allow all IP traffic (since I couldn't get anything else to work) on the 2811, yet I am still having problems.

Here are my configs for your perusal (security stuff cleared out of course):

The ASA:

[code]

Result of the command: "show run"

: Saved

:

ASA Version 8.2(5)

!

hostname cctiforest

domain-name catcomtec2

enable password STUFF encrypted

passwd STUFF encrypted

names

name 10.255.3.0 P25Net1 description P25Net1

name 10.255.2.0 P25Net3 description P25Net3

name 10.255.0.0 P25NetAll

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.0.5 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address X.X.X.X 255.0.0.0

!

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

name-server 192.168.0.30

name-server X.X.X.X

name-server X.X.X.X

domain-name catcomtec2

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group service TCP-GoldSync tcp

description GoldSync Service

port-object eq 5993

access-list outside_cryptomap_20 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list polnat extended permit ip 192.168.0.0 255.255.255.0 192.168.20.0 255.255.255.0

access-list 101 extended permit icmp any any

access-list 101 extended permit tcp any interface outside object-group TCP-GoldSync

access-list NoNat extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list NoNat extended permit ip 192.168.0.0 255.255.255.0 192.168.100.128 255.255.255.224

access-list NoNat extended permit ip 192.168.1.0 255.255.255.0 192.168.100.128 255.255.255.224

access-list NoNat extended permit ip any 192.168.0.128 255.255.255.224

access-list NoNat remark exempt main network NAT to P25Net1

access-list NoNat extended permit ip 192.168.0.0 255.255.255.0 P25Net1 255.255.255.0

access-list NoNat extended permit ip 192.168.0.0 255.255.255.0 P25Net3 255.255.255.0

access-list NoNat extended permit ip 192.168.0.0 255.255.255.0 P25NetAll 255.255.255.0

access-list remote_VPN_splitTunnelAcl standard permit any

access-list DefaultRAGroup_splitTunnelAcl standard permit any

access-list Split_Tunnel remark Allow inbound VPN Traffic to Forest network

access-list Split_Tunnel standard permit 192.168.0.0 255.255.255.0

access-list Split_Tunnel remark Allow inbound VPN Traffic to Blacksburg network

access-list Split_Tunnel standard permit 192.168.1.0 255.255.255.0

access-list outside_cryptomap_1 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

pager lines 24

logging enable

logging asdm warnings

mtu inside 1492

mtu outside 1492

ip local pool ccti_pool 192.168.100.130-192.168.100.145 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any outside

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list NoNat

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface 5993 192.168.0.30 5993 netmask 255.255.255.255

access-group 101 in interface outside

route outside 0.0.0.0 0.0.0.0 206.248.243.97 1

route inside P25NetAll 255.255.0.0 192.168.0.19 1

route inside P25NetAll 255.255.255.0 192.168.0.19 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server ccti_auth_server protocol radius

aaa-server ccti_auth_server (inside) host 192.168.0.30

timeout 5

key *****

nac-policy DfltGrpPolicy-nac-framework-create nac-framework

reval-period 36000

sq-period 300

http server enable

http 0.0.0.0 0.0.0.0 outside

http 0.0.0.0 0.0.0.0 inside

snmp-server host inside 192.168.0.111 community *****

no snmp-server location

no snmp-server contact

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 match address outside_cryptomap_1

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer X.X.X.X

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca trustpoint LOCAL-CA-SERVER

keypair LOCAL-CA-SERVER

crl configure

crypto ca server

lifetime certificate 3650

crypto ca certificate map DefaultCertificateMap 10

crypto ca certificate chain LOCAL-CA-SERVER

certificate ca 01

     STUFF

  quit

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

vpn-addr-assign local reuse-delay 1

telnet timeout 5

ssh 192.168.0.5 255.255.255.255 inside

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.0.51-192.168.0.150 inside

dhcpd dns 192.168.0.30 X.X.X.X interface inside

dhcpd domain catcomtec2 interface inside

dhcpd update dns both override interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

enable outside

svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1

svc profiles AnnyConnectProfile disk0:/annyconnectprofile.xml

svc enable

certificate-group-map DefaultCertificateMap 10 AnyConnectRemote

group-policy cctivpn internal

group-policy cctivpn attributes

wins-server none

dns-server value 192.168.0.30 X.X.X.X

vpn-tunnel-protocol IPSec svc webvpn

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Split_Tunnel

default-domain value STUFF

group-policy SSLUsers internal

group-policy SSLUsers attributes

wins-server none

dns-server value 192.168.0.30 X.X.X.X

vpn-tunnel-protocol svc webvpn

default-domain value catcomtec2

group-policy DefaultRAGroup internal

group-policy DefaultRAGroup attributes

dns-server value 192.168.0.30

vpn-tunnel-protocol l2tp-ipsec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl

group-policy DfltGrpPolicy attributes

vpn-simultaneous-logins 10

nac-settings value DfltGrpPolicy-nac-framework-create

webvpn

  svc keepalive none

  svc dpd-interval client none

  svc dpd-interval gateway none

  svc compression deflate

group-policy remote_VPN internal

group-policy remote_VPN attributes

dns-server value 192.168.0.30 X.X.X.X

split-tunnel-policy tunnelspecified

split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl

default-domain value STUFF

username ME password STUFF encrypted

username cisco password STUFF encrypted

tunnel-group DefaultRAGroup general-attributes

authentication-server-group (inside) ccti_auth_server

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *****

tunnel-group X.X.X.X type ipsec-l2l

tunnel-group X.X.X.X ipsec-attributes

pre-shared-key *****

tunnel-group cctivpn type remote-access

tunnel-group cctivpn general-attributes

address-pool ccti_pool

authentication-server-group ccti_auth_server

accounting-server-group ccti_auth_server

default-group-policy cctivpn

tunnel-group cctivpn ipsec-attributes

pre-shared-key *****

radius-sdi-xauth

tunnel-group AnyConnectRemote type remote-access

tunnel-group AnyConnectRemote general-attributes

address-pool ccti_pool

authentication-server-group ccti_auth_server LOCAL

accounting-server-group ccti_auth_server

default-group-policy cctivpn

tunnel-group AnyConnectRemote webvpn-attributes

radius-reject-message

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

: end

[/code]

And the 2811

[code]

Username: admin

Password:

Username: admin

Password:

S6_bss1r1>en

Password:

S6_bss1r1#sh run

Building configuration...

Current configuration : 8965 bytes

!

! Last configuration change at 12:10:54 EDT Mon Nov 26 2012 by admin

! NVRAM config last updated at 12:10:57 EDT Mon Nov 26 2012 by admin

!

version 12.4

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname S6_bss1r1

!

boot-start-marker

boot-end-marker

!

logging buffered 64000

enable secret 5 STUFF

!

aaa new-model

!

!

aaa authentication login local_auth local

!

!

aaa session-id common

clock timezone EDT -5

clock summer-time EDT recurring

dot11 syslog

no ip source-route

no ip gratuitous-arps

!

!

ip cef

no ip dhcp use vrf connected

ip dhcp excluded-address 10.255.2.85 10.255.2.86

!

ip dhcp pool tech_pool

   network 10.255.2.80 255.255.255.248

   default-router 10.255.2.86

   domain-name STUFF

   lease 0 0 15

!

!

no ip bootp server

no ip domain lookup

!

multilink bundle-name authenticated

!

!

voice-card 0

no dspfarm

!

!

key chain rt-auth-key

key 1

   key-string 7 STUFF

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

username admin secret 5 STUFF

archive

log config

  hidekeys

!

!

!

!

ip ftp source-interface Loopback0

!

class-map match-any ingress-radio

match access-group 100

match access-group 101

class-map match-any egress-audio

match ip dscp ef

!

!

policy-map setToS

class ingress-radio

  set ip dscp ef

policy-map GREIPSecToS

class egress-audio

  priority percent 75

class class-default

  fair-queue

!

!

!

!

!

interface Loopback0

description bss1r1v012_2009-06-24

ip address 10.255.3.1 255.255.255.255

no ip redirects

no ip unreachables

no ip proxy-arp

no ip mroute-cache

!

interface FastEthernet0/0

description BSS2 Redundant Link

ip address 192.168.0.19 255.255.255.0

no ip redirects

no ip proxy-arp

no ip mroute-cache

duplex full

speed 100

no mop enabled

!

interface FastEthernet0/0.711

description WAN_To_bss1r2 Redundant

encapsulation dot1Q 711

ip address 10.255.3.213 255.255.255.252

no ip redirects

no ip unreachables

no ip proxy-arp

no ip mroute-cache

!

interface FastEthernet0/1

description Trunk_to_WAS_or_r1s1u1sas

no ip address

duplex auto

speed auto

service-policy output GREIPSecToS

!

interface FastEthernet0/1.2

description Peripheral_VLAN

encapsulation dot1Q 2

ip address 10.255.2.78 255.255.255.240

no ip redirects

no ip unreachables

no ip proxy-arp

no ip mroute-cache

!

interface FastEthernet0/1.5

description Technician_VLAN

encapsulation dot1Q 5

ip address 10.255.2.86 255.255.255.248

no ip redirects

no ip unreachables

no ip proxy-arp

no ip mroute-cache

!

interface FastEthernet0/1.6

description Console_VLAN

encapsulation dot1Q 6

ip address 10.255.0.94 255.255.255.224

no ip redirects

no ip unreachables

no ip proxy-arp

no ip mroute-cache

!

interface FastEthernet0/1.100

description Traffic

encapsulation dot1Q 100

ip address 10.255.0.62 255.255.255.192

no ip redirects

no ip unreachables

no ip proxy-arp

no ip mroute-cache

service-policy input setToS

!

interface FastEthernet0/1.101

description Loghost

encapsulation dot1Q 101

ip address 10.255.1.62 255.255.255.192

no ip redirects

no ip unreachables

no ip proxy-arp

no ip mroute-cache

!

interface FastEthernet0/1.106

description UAC_Interop

encapsulation dot1Q 106

ip address 10.255.1.158 255.255.255.240

no ip redirects

no ip unreachables

no ip proxy-arp

no ip mroute-cache

!

interface FastEthernet0/1.150

description UAS_or_Cold_Stby

encapsulation dot1Q 150

ip address 10.255.2.254 255.255.255.240

no ip redirects

no ip unreachables

no ip proxy-arp

no ip mroute-cache

!

interface FastEthernet0/1.200

description Backbone_Mgmt_VLAN

encapsulation dot1Q 200 native

ip address 10.255.2.110 255.255.255.240

no ip redirects

no ip unreachables

no ip proxy-arp

no ip mroute-cache

!

interface FastEthernet0/1.300

description Management_VLAN

encapsulation dot1Q 300

ip address 10.255.2.62 255.255.255.192

no ip redirects

no ip unreachables

no ip proxy-arp

no ip mroute-cache

!

interface FastEthernet0/1.701

description to_r1s1u1sas

encapsulation dot1Q 701

ip address 10.255.3.221 255.255.255.252

no ip redirects

no ip unreachables

no ip proxy-arp

no ip mroute-cache

!

interface FastEthernet0/1.707

description to_r1s2u1sas

encapsulation dot1Q 707

ip address 10.255.3.173 255.255.255.252

no ip redirects

no ip unreachables

no ip proxy-arp

no ip mroute-cache

!

interface FastEthernet0/1.708

description to_r1s3u1sas

encapsulation dot1Q 708

ip address 10.255.3.165 255.255.255.252

no ip redirects

no ip unreachables

no ip proxy-arp

no ip mroute-cache

!

interface FastEthernet0/1.710

description to_BSS2

encapsulation dot1Q 710

ip address 10.255.3.229 255.255.255.252

no ip redirects

no ip unreachables

no ip proxy-arp

no ip mroute-cache

!

interface FastEthernet0/1.713

description to_r1s3u1sas

encapsulation dot1Q 713

ip address 10.255.3.205 255.255.255.252

no ip redirects

no ip unreachables

no ip proxy-arp

no ip mroute-cache

!

interface FastEthernet0/1.715

description to_r1s4u1sas

encapsulation dot1Q 715

ip address 10.255.3.197 255.255.255.252

no ip redirects

no ip unreachables

no ip proxy-arp

no ip mroute-cache

!

interface FastEthernet0/1.717

description to_r1s5u1sas

encapsulation dot1Q 717

ip address 10.255.3.189 255.255.255.252

no ip redirects

no ip unreachables

no ip proxy-arp

no ip mroute-cache

!

interface FastEthernet0/1.719

description to_r1s6u1sas

encapsulation dot1Q 719

ip address 10.255.3.181 255.255.255.252

no ip redirects

no ip unreachables

no ip proxy-arp

no ip mroute-cache

!

router mobile

!

router eigrp 10

redistribute static metric 1536 200 255 1 512

redistribute mobile

passive-interface FastEthernet0/1.2

passive-interface FastEthernet0/1.5

passive-interface FastEthernet0/1.6

passive-interface FastEthernet0/1.100

passive-interface FastEthernet0/1.101

passive-interface FastEthernet0/1.106

passive-interface FastEthernet0/1.150

passive-interface FastEthernet0/1.200

passive-interface FastEthernet0/1.300

passive-interface Loopback0

network 10.0.0.0

no auto-summary

eigrp router-id 10.255.3.1

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 192.168.0.5

ip route 0.0.0.0 0.0.0.0 Null0 253 name Trash_Unknown_Traffic

!

!

no ip http server

no ip http secure-server

ip mobile home-agent address 10.255.3.1 lifetime 65535

ip mobile bindupdate maximum 2 retry 2

ip mobile bindupdate acknowledge

ip mobile virtual-network 10.255.16.0 255.255.248.0

!

ip access-list standard V1D@v!da

ip access-list standard vIdAr0R$

!

logging source-interface Loopback0

access-list 10 permit 10.255.0.0 0.0.15.255

access-list 15 permit 10.255.0.0 0.0.15.255 log

access-list 100 permit udp any any eq 11800

access-list 100 permit udp any eq 11800 any

access-list 100 permit udp any any eq 11200

access-list 100 permit udp any eq 11200 any

access-list 101 permit udp any any range 11801 12000

access-list 101 permit udp any range 11801 12000 any

access-list 150 permit ip any any

snmp-server community macom RO

snmp-server community vida RW

snmp-server trap-source Loopback0

snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

snmp-server enable traps tty

snmp-server enable traps envmon

snmp-server enable traps config

snmp-server enable traps ipmulticast

snmp-server host 10.255.0.10 macom

!

!

!

!

!

!

control-plane

!

!

!

!

!

!

!

!

line con 0

session-timeout 9

exec-timeout 5 0

logging synchronous

login authentication local_auth

history size 100

transport output telnet

line aux 0

no exec

transport preferred none

transport output none

line vty 0 4

session-timeout 30000

access-class 15 in

exec-timeout 5 0

logging synchronous

login authentication local_auth

history size 100

transport preferred telnet

transport input telnet

transport output all

!

scheduler allocate 20000 1000

ntp source Loopback0

ntp master

!

end

S6_bss1r1#

[/code]

Any help would be appreciated.

8 Replies

Richard Burts (Hall of Fame)

Kenneth

Perhaps there are parts of your situation that I am not understanding. You say that your objective is:

What I am trying to do is get the networks that are attached to the 2811  to be able to communicate with my 192.168.0.0/24 network

Since the 192.168.0.0 network is a directly connected network on the router's Fast0/0, it should be the case that the devices connected to the router can communicate with 192.168.0.0 with no problem - and would not need the ASA for the communication to work.

Perhaps you can give us some clarification about the issue - perhaps some specifics of what communication you want to occur that does not occur. Is there a specific device connected to the router that cannot communicate with some device in the 192.168.0.0 network?

HTH

Rick


Sure thing.  Basically what I need to make happen is that the developers on the 192.168.0.0/24 network need to be able to remotely access the equipment that is connected to the 2811 router.  The fe0/0 interface was given to us to attach to our network, while the fe0/1 (and all of its sub interfaces) are preconfigured with vlans that are attached to various devices.  We can ping 192.168.0.19 without issue, I just can't ping over to anything configured behind that 2811 router.

To test out my work, I have been using the ping command from the 2811 to source an IP on that router (10.255.3.213 for instance) to ping over to my inside interface on the ASA (192.168.0.5).  However, I have been unsuccessful in doing so.

I believe that I am missing something (a route for the vlans?  A NAT setting on the 2811?) to make this happen.

Ok, I narrowed things down a bit.

I modified my setup for testing like so:

laptop (192.168.0.18) --> switch --> 2811 Router

I can ping the 2811 router and the IPs on the interfaces on the VLANs that are on this router, so this router is fine.  What appears to be the problem is that the ASA is not letting me pass traffic to the router when I have a system connected to it.

I did a packet trace from the ASA itself:

Result of the command: "packet-tracer input inside rawip 192.168.0.5 0 10.255.3.1 detailed"

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xc9599d40, priority=1, domain=permit, deny=false

    hits=478993860, user_data=0x0, cs_id=0x0, l3_type=0x8

    src mac=0000.0000.0000, mask=0000.0000.0000

    dst mac=0000.0000.0000, mask=0100.0000.0000

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   P25NetAll       255.255.0.0     inside

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xc95355d0, priority=500, domain=permit, deny=true

    hits=4, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0

    src ip=192.168.0.5, mask=255.255.255.255, port=0

    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

However, I have this line in my access-list:

access-list NoNat line 5 extended permit ip 192.168.0.0 255.255.255.0 P25NetAll 255.255.0.0 (hitcnt=0) 0x4f45d901

Where P25NetAll covers the 10.255.0.0, 10.255.1.0, 10.255.2.0, and 10.255.3.0 networks.

So what am I missing?

Here is a screenshot of my ASA inside IPv4 incoming rules.  When I use the graphical packet tracer, I see that this is where the blocking is occurring.

However, if I try to add a rule that allows traffic to pass to the 2811, it replaces this first implicit rule. 

Kenneth

The additional information that you posted is interesting. And I am glad that you are narrowing the focus to find the problem is the access list. I believe that the issue is that there are two entries in the access list. The first entry permits any traffic that arrives on the inside interface and will be forwarded to a less secure interface. The second entry denies all other traffic.

I believe that part of the issue is that the traffic is received on the inside interface and will be forwarded back out the same interface. Since it is not to a less secure interface it is not permitted by the first entry and so is denied by the second entry.

One solution would be to insert a rule between those two rules that would permit traffic being forwarded back out the same interface.

I believe that there may be another alternative to consider and that it might be less complex to implement. It looks like the devices in the 192.168.0 network are configured with the ASA as their default gateway. I would suggest that you think about configuring them to use the 2811 as their default gateway. This would allow them to access the 10.255 networks without going through the ASA and would use the ASA as the next hop for any destination that was not in the 10.255 networks.

I also notice something in the output that puzzles me. I looked at the output in the section that has the access list deny. And I noticed something unexpected about what it lists as the destination address

  dst ip=0.0.0.0, mask=0.0.0.0,

I am not sure how to interpret this.

HTH

Rick


Did you change the config from the original post before doing the packet-tracer?  I see the following in the original config.

access-list NoNat extended permit ip 192.168.0.0 255.255.255.0 P25Net1 255.255.255.0

access-list NoNat extended permit ip 192.168.0.0 255.255.255.0 P25Net3 255.255.255.0

access-list NoNat extended permit ip 192.168.0.0 255.255.255.0 P25NetAll 255.255.255.0

Do you have access to syslog debugging? Can you obtain the logs from a connection attempt?
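Added example, not code from the thread or from Cisco: a small Python script that checks a pasted ASA 8.2 config for the two things the packet-tracer output and the reply above turn on. First, whether every static route's destination is wholly covered by the NAT-exemption ACL. In the config as originally posted, P25NetAll is 10.255.0.0 and the route inside uses mask 255.255.0.0, but the NoNat entry for it uses 255.255.255.0, so only 10.255.0.0/24 was exempt and a host at 10.255.3.1 would fall through to nat (inside) 1, which has no global (inside) to use for a hairpin back out the inside interface. Second, whether the trace was sourced from the ASA's own interface address: 192.168.0.5 is the inside interface IP, and a deny rule of the form src ip=192.168.0.5, mask=255.255.255.255, dst 0.0.0.0/0, as shown in the trace, matches the implicit rule the ASA installs for its own interface addresses rather than the host-to-host policy; a host address such as the laptop's 192.168.0.18 is the source to test with. The config excerpt below is constructed from the lines on the page (the outside address is omitted because the post masks it), and the function names are this example's own.

```python
import ipaddress
import re

# Constructed excerpt of the ASA 8.2 config posted in the thread (relevant lines only).
ASA_CONFIG = """\
name 10.255.3.0 P25Net1 description P25Net1
name 10.255.2.0 P25Net3 description P25Net3
name 10.255.0.0 P25NetAll
interface Vlan1
 nameif inside
 ip address 192.168.0.5 255.255.255.0
same-security-traffic permit intra-interface
access-list NoNat extended permit ip 192.168.0.0 255.255.255.0 P25Net1 255.255.255.0
access-list NoNat extended permit ip 192.168.0.0 255.255.255.0 P25Net3 255.255.255.0
access-list NoNat extended permit ip 192.168.0.0 255.255.255.0 P25NetAll 255.255.255.0
nat (inside) 0 access-list NoNat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 206.248.243.97 1
route inside P25NetAll 255.255.0.0 192.168.0.19 1
route inside P25NetAll 255.255.255.0 192.168.0.19 1
"""

NAME_RE = re.compile(r"^name (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (.+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)")

def _lines(cfg):
    return [line.strip() for line in cfg.splitlines()]

def parse_names(cfg):
    # 'name' objects -> IP string, e.g. {'P25NetAll': '10.255.0.0'}
    return {m.group(2): m.group(1) for m in map(NAME_RE.match, _lines(cfg)) if m}

def _net(addr, mask, names):
    return ipaddress.IPv4Network((names.get(addr, addr), mask), strict=False)

def _take_spec(tokens, names):
    """Consume one ACL address spec: 'any', 'host A' or 'A MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return _net(tokens.pop(0), "255.255.255.255", names)
    return _net(tok, tokens.pop(0), names)

def parse_interfaces(cfg):
    """nameif -> that interface's own address."""
    ifaces, nameif = {}, None
    for line in _lines(cfg):
        if line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            ifaces[nameif] = ipaddress.IPv4Address(line.split()[2])
            nameif = None
    return ifaces

def nat_exempt_entries(cfg):
    """(src_net, dst_net) pairs from each ACL bound with 'nat (ifc) 0 access-list'."""
    names = parse_names(cfg)
    exempt_acls = {m.group(2) for m in map(NAT0_RE.match, _lines(cfg)) if m}
    entries = []
    for m in map(ACL_RE.match, _lines(cfg)):
        if m and m.group(1) in exempt_acls:
            tokens = m.group(2).split()
            src = _take_spec(tokens, names)  # consume source before destination
            entries.append((src, _take_spec(tokens, names)))
    return entries

def parse_routes(cfg):
    """(egress nameif, destination network, next hop) per static route."""
    names = parse_names(cfg)
    return [(m.group(1), _net(m.group(2), m.group(3), names), ipaddress.IPv4Address(m.group(4)))
            for m in map(ROUTE_RE.match, _lines(cfg)) if m]

def uncovered_routes(cfg, src_net):
    """Static routes whose destination is not wholly NAT-exempt for traffic from src_net;
    such traffic falls through to 'nat (inside) 1' and a hairpin has no global (inside)."""
    src_net = ipaddress.IPv4Network(src_net)
    exempt = nat_exempt_entries(cfg)
    return [(iface, str(dest), str(nexthop))
            for iface, dest, nexthop in parse_routes(cfg)
            if dest.prefixlen > 0  # the default route is meant to be translated
            and not any(src_net.subnet_of(s) and dest.subnet_of(d) for s, d in exempt)]

def trace_source_conflict(cfg, src_ip):
    """nameif whose own address equals src_ip (not a valid packet-tracer source), else None."""
    src = ipaddress.IPv4Address(src_ip)
    return next((n for n, a in parse_interfaces(cfg).items() if a == src), None)

def audit(cfg, src_iface, src_net, trace_src):
    """Findings as strings; an empty list means nothing to report."""
    findings = [f"route {i} {d} via {n}: no NAT-exempt entry covers {src_net} -> {d}"
                for i, d, n in uncovered_routes(cfg, src_net)]
    if (any(r[0] == src_iface for r in parse_routes(cfg))
            and "same-security-traffic permit intra-interface" not in _lines(cfg)):
        findings.append(f"routes egress {src_iface} without 'same-security-traffic permit intra-interface'")
    if nameif := trace_source_conflict(cfg, trace_src):
        findings.append(f"packet-tracer source {trace_src} is the {nameif} interface address; use a host on the subnet")
    return findings

if __name__ == "__main__":
    for finding in audit(ASA_CONFIG, "inside", "192.168.0.0/24", "192.168.0.5"):
        print(finding)
```

Run against the excerpt it reports the 10.255.0.0/16 route as uncovered (the /24 route is covered, which is why the later "hitcnt=0" line 5 with a 255.255.0.0 mask is the right fix) and flags 192.168.0.5 as the inside interface address. Paste a full "show run" into ASA_CONFIG to audit a real box; only the pre-8.3 NAT syntax used on this page is parsed.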

Actually, a colleague suggested that I just create another VLAN to tie that 2811 into and leave it there (since supposedly the VLANs would route between themselves).

So I set up another vlan (called P25) and set it up on interface 0/1 on the ASA:

!

interface Vlan3

no forward interface Vlan2

nameif P25

security-level 50

ip address 192.168.15.1 255.255.255.0

!

...

!

interface Ethernet0/1

switchport access vlan 3

!

I changed the IP on the 2811 to 192.168.15.2, and then added a static route for the networks on the 2811:

route inside P25NetAll 255.255.0.0 192.168.15.2 1

I thought that would work, but I couldn't ping 192.168.15.1 from the 192.168.0.0 network.  Looking things up online, it was suggested that the intra-interface settings were set up to allow traffic to pass through:

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

That still didn't work, so I made sure that my access lists were OK:

access-list polnat extended permit ip 192.168.0.0 255.255.255.0 192.168.20.0 255.255.255.0

access-list 101 extended permit icmp any any

access-list 101 extended permit tcp any interface outside object-group TCP-GoldSync

access-list NoNat extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list NoNat extended permit ip 192.168.0.0 255.255.255.0 192.168.100.128 255.255.255.224

access-list NoNat extended permit ip 192.168.1.0 255.255.255.0 192.168.100.128 255.255.255.224

access-list NoNat extended permit ip any 192.168.0.128 255.255.255.224

access-list NoNat extended permit ip 192.168.0.0 255.255.255.0 P25NetAll 255.255.0.0

access-list NoNat extended permit ip 192.168.0.0 255.255.255.0 192.168.15.0 255.255.255.0

access-list NoNat extended permit ip 192.168.15.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 any

access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any

access-list inside_access_in extended permit ip 192.168.100.128 255.255.255.224 any

access-list inside_access_in extended permit ip 192.168.20.0 255.255.255.0 any

access-list inside_access_in extended permit ip 192.168.3.0 255.255.255.0 any

access-list P25_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.15.0 255.255.255.0

access-list P25_access_in extended permit ip 192.168.1.0 255.255.255.0 192.168.15.0 255.255.255.0

access-list P25_access_in extended permit ip 192.168.3.0 255.255.255.0 192.168.15.0 255.255.255.0

That still didn't resolve it; then I found that I should make sure that there is no NATting between the VLANs:

nat (inside) 0 access-list NoNat

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,P25) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

static (P25,inside) 192.168.15.0 192.168.15.0 netmask 255.255.255.0

And yet I'm still stuck.

@Richard Burts:  I tried your idea of making the 2811 the default gateway, and that does work.  However, I can't run with that in production since the ASA is also our VPN concentrator.  If I can't get the routing to work properly on the ASA to talk to this 2811, then the VPN guys won't be able to work through the 2811 either.