12-06-2011 12:45 AM - edited 03-07-2019 03:45 AM
Dear all,
I would appreciate your help with configuring ASA!
At first the ASA was configured with an inside network (192.168.1.0/24) and an outside interface (NAT, VPN). Default gateway 192.168.1.1.
Recently a new network has been added (172.0.0.0/24) with default gateway 172.0.0.254. This network accesses the Internet via the "OTHER ROUTER".
The ASA has been configured with the static route 172.0.0.0 255.255.255.0 192.168.1.2. However, the two networks are not able to communicate.
Could you please check this out and help me understand the case? Thanks a lot!
12-06-2011 01:40 AM
Hi Sandra,
I think the other network is on another interface (dmz), is that right?
If yes, did you configure NAT properly and allow traffic from inside to dmz?
Please rate the helpful posts.
Regards,
Naidu.
12-06-2011 02:07 AM
Hi!
Thank you for your reply.
The other network (172.0.0.0/24) is not directly connected to the ASA. Both the ASA and the "OTHER ROUTER" are connected to the same switch. I have been searching for a solution and played around with NAT between the two networks (NAT exempt), but this only solves the case with the portmap error in the log.
I have pasted the ASA configuration below; please check it when you have time.
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address X.X.X.X 255.255.255.248
no ftp mode passive
!
same-security-traffic permit inter-interface
object-group network DM_INLINE_NETWORK_1
network-object host X.X.X.X
network-object host X.X.X.X
object-group network DM_INLINE_NETWORK_2
network-object host X.X.X.X
network-object host X.X.X.X
object-group network DM_INLINE_NETWORK_3
network-object host X.X.X.X
network-object host X.X.X.X
access-list outside_access_in remark Permit traffic from network.com and network.com
access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 host X.X.X.X
access-list outside_access_in remark Permit traffic from network.com and network.com
access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_2 host X.X.X.X
access-list outside_access_in remark Permit traffic from network.com and network.com
access-list outside_access_in extended permit udp object-group DM_INLINE_NETWORK_3 host X.X.X.X
access-list outside_access_in remark Permit traffic from network.com and network.com
access-list outside_access_in remark Permit traffic from network.com and network.com
access-list outside_access_in remark Permit traffic from network.com and network.com
access-list VPN_access remark VPN access
access-list VPN_access extended permit ip any 192.168.1.0 255.255.255.0
access-list VPN_access remark VPN access
access-list VPN_access extended permit tcp any 192.168.1.0 255.255.255.0
access-list VPN_access remark VPN access
access-list VPN_access extended permit udp any 192.168.1.0 255.255.255.0
access-list VPN_access remark VPN access
access-list VPN_access extended permit icmp any 192.168.1.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list inside_nat0_outbound_2 extended permit ip 192.168.1.0 255.255.255.0 172.0.0.0 255.255.255.0
access-list inside_nat0_outbound_2 extended permit ip 172.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_2
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) x.x.x.x 192.168.1.14 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route inside 0.0.0.0 0.0.0.0 192.168.1.1 tunneled
route inside 172.0.0.0 255.255.255.0 192.168.1.2 1
route outside 0.0.0.0 0.0.0.0 x.x.x.x
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http x.x.x.x 255.255.255.0 outside
http x.x.x.x 255.255.255.0 outside
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect icmp
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
inspect rsh
inspect skinny
inspect esmtp
inspect sqlnet
inspect tftp
inspect rtsp
class class_sip_tcp
inspect sip
12-06-2011 01:51 AM
Hi
Could you please provide the routing tables of both the ASA and the router?
Thanks
Vipin
12-06-2011 02:11 AM
ASA Routing table:
Gateway of last resort is x.x.x.x to network 0.0.0.0
C x.x.x.x 255.255.255.248 is directly connected, outside
C 192.168.1.0 255.255.255.0 is directly connected, inside
C 127.0.0.0 255.255.255.0 is directly connected, _internal_loopback
S 172.0.0.0 255.255.255.0 [1/0] via 192.168.1.2, inside
S* 0.0.0.0 0.0.0.0 [1/0] via x.x.x.x, outside
S 0.0.0.0 0.0.0.0 [255/0] via 192.168.1.1, inside tunneled
Unfortunately, I have no access to the "OTHER ROUTER", but I am sure it should look like:
- both networks directly connected
- and a default route 0.0.0.0 0.0.0.0 via the external port
Thanks!
12-06-2011 02:18 AM
Maybe some interesting info:
Host 172.0.0.10 with default gateway 172.0.0.254 is able to ping both IPs, 192.168.1.1 (ASA) and 192.168.1.2 (ROUTER), but is not allowed to communicate with any other machine in the ASA internal network.
12-06-2011 02:24 AM
Hi
Could you please try to reach a host in the 172.x.x.x network after removing NAT0? I think it is not necessary.
thanks
vipin
12-06-2011 02:26 AM
Hi Vipin Raj,
Without this exemption I had a portmap error in the log; I think this configuration is new and obviously does not help, but I am sure the networks are not able to communicate with or without these commands.
12-06-2011 02:37 AM
Hi Sandra,
From a host in the 192.168.1.0 network, are you able to reach 192.168.1.2?
thanks
vipin
12-06-2011 02:21 AM
Hi,
I think you are able to reach/ping the router IP 192.168.1.2, right? Because it is directly connected.
Are you sure the NAT0 is needed?
access-list inside_nat0_outbound_2 extended permit ip 192.168.1.0 255.255.255.0 172.0.0.0 255.255.255.0
access-list inside_nat0_outbound_2 extended permit ip 172.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
because both the 192.168.x.x and 172.x.x.x networks are inside the office, right?
thanks
vipin
12-06-2011 02:14 AM
Hi Sandra,
Where is this new network 172.0.0.0/24 configured (defined)? Is there a VLAN on another router/switch?
Did you tell the device (where you have defined this new network) to reach 192.168.1.0/24 through the gateway, like...
ip route 192.168.1.0 255.255.255.0 172.0.0.254 ---> This needs to be configured on the device where this new network is defined.
Please rate the helpful posts.
Regards,
Naidu.
12-06-2011 02:23 AM
Hi Latchum,
172.0.0.0/24 is defined on the "OTHER ROUTER" and there are no VLANs defined.
Do you really think this is necessary: ip route 192.168.1.0 255.255.255.0 172.0.0.254?
192.168.1.0/24 and 172.0.0.0/24 are networks directly connected to the "OTHER ROUTER".
Thanks!
12-06-2011 02:27 AM
Hi,
Yes, if it is directly connected, there is no need for the static route. Can you try after removing the NAT0 commands?
thanks
vipin
12-06-2011 02:40 AM
Hi,
NAT has been removed, with the following error now (communication still not available):
The NAT in the rules table is the one that happens on the outside interface. So every packet that enters 192.168.1.1 is directly forwarded to outside and to the NAT process. With the above configuration I am saying that if the two networks are communicating, NAT is not needed.
So removing this NAT configuration does not solve the case.
12-06-2011 03:07 AM
Hi,
The nat 0 is not needed here, as the traffic shouldn't be NATed since the remote subnet is reachable through the inside interface.
You must add this command:
same-security-traffic permit intra-interface
as well as put a static (inside,inside) in place to enable hairpinning.
Regards.
Alain
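As an added example (not from the thread or from any of its participants), this is what the hairpinning suggestion above looks like in the pre-8.3 NAT syntax of the posted configuration, together with the packet-tracer checks to run on the ASA CLI. The host addresses 192.168.1.50 and 172.0.0.10 are assumed for the checks; everything else comes from the posted config.

```text
! Added example, not from the thread: hairpin 192.168.1.0/24 <-> 172.0.0.0/24
! on the inside interface, pre-8.3 NAT syntax as used in the posted config.

! 1. Allow a flow to enter and leave the same interface.
same-security-traffic permit intra-interface

! 2. Identity statics for the hairpinned pair, so the ASA does not try to
!    dynamic-PAT the flow with nat (inside) 1 (there is no global for the
!    inside interface, which is what produces the "portmap" error in the log).
!    With these in place the nat (inside) 0 access-list exemption is not needed.
static (inside,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside,inside) 172.0.0.0 172.0.0.0 netmask 255.255.255.0

! 3. Route to the new subnet via the other router (already in the posted config).
route inside 172.0.0.0 255.255.255.0 192.168.1.2 1

! 4. Verify from the ASA CLI; both directions should end in "Action: allow".
!    (192.168.1.50 and 172.0.0.10 are assumed host addresses.)
packet-tracer input inside tcp 192.168.1.50 12345 172.0.0.10 80
packet-tracer input inside tcp 172.0.0.10 12345 192.168.1.50 80
```

One caveat that follows from the topology described in the thread: the other router and the 192.168.1.0/24 hosts sit on the same segment, so the router delivers packets from 172.0.0.0/24 to those hosts directly, while the hosts send their replies to their default gateway, the ASA. The ASA then sees only one half of each connection (for example a SYN-ACK with no preceding SYN, or, since inspect icmp is enabled, an echo reply with no preceding echo request) and drops it, which matches the symptom that 172.0.0.10 can reach the two gateway addresses but no other inside host. If `show logging` shows %ASA-6-106015 "Deny TCP (no connection)" messages for these pairs after the hairpin configuration is in place, that is the cause, and the hairpin commands alone will not fix it. Symmetric options are a static route on the inside hosts for 172.0.0.0/24 via 192.168.1.2 (so neither direction touches the ASA) or moving the other router behind its own ASA interface so both directions pass the firewall.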