Routing between two networks on a CISCO ASA 5505

Asked by auroratc in Networking Hardware Firewalls, Miscellaneous Networking, Network Routers

Tags: Cisco, ASA, ASA 5505, Routing

I have a Cisco ASA 5505 with the necessary licensing and capabilities for multiple VLANs and I am trying to use it to route two different networks. I have the VLAN set up, have set the security level to 100 (same as the internal network) and have selected the option to route within same-security networks. The two networks (192.168.10.0/24 and 192.168.50.0/24) are not talking to each other (can't ping between them), so I need some help getting this working. In addition, there are two hosts on each of the two networks that I am trying to route that cannot talk to each other, so I need some help configuring the access-lists. Every time I try to insert a rule, it shuts off internet access to the entire organization. Config is posted in the code segment.
ASA Version 8.0(3)
!
hostname CCFM-ASA5505
domain-name ********
enable password **************** encrypted
names
name 192.168.10.7 CCFM-Win2003-Server description Radius server
name 192.168.10.10 ******
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address ******** 255.255.255.252
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan13
 description Backup interface to CableOne
 nameif CableOne
 security-level 0
 ip address ************** 255.255.255.0
!
interface Vlan23
 nameif MOZART
 security-level 100
 ip address 192.168.50.253 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 13
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 23
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns server-group DefaultDNS
 domain-name ccfm.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service IntergyRemote tcp
 port-object range 60000 60004
access-list CCFMVPN-Split-Tunnel standard permit 192.168.5.0 255.255.255.0
access-list CCFMVPN-Split-Tunnel standard permit 192.168.10.0 255.255.255.0
access-list Default-VPN-Group-Filter extended permit ip 192.168.10.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list Default-VPN-Group-Filter extended permit ip 192.168.5.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list Default-VPN-Group-Filter extended permit ip 192.168.5.0 255.255.255.0 any
access-list Default-VPN-Group-Filter extended deny ip any any
access-list inside_nat0_outbound extended permit ip any 192.168.5.0 255.255.255.0
access-list outside_access_in extended permit tcp any any eq https
access-list outside_access_in extended permit tcp any any eq www
access-list outside_access_in extended permit tcp any any eq 8089
access-list outside_access_in extended permit tcp any any eq 8000
access-list outside_access_in extended permit tcp any any eq 8443
access-list http-list2 extended permit tcp any any
!
tcp-map mss-map
  exceed-mss allow
!
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu CableOne 1500
mtu MOZART 1500
ip local pool VPNpool 192.168.5.1-192.168.5.25 mask 255.255.255.0
ip local pool SSLVPNPool 192.168.6.1-192.168.6.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
asdm location CCFM-Win2003-Server 255.255.255.255 inside
asdm location ******** 255.255.255.255 inside
asdm location 192.168.10.9 255.255.255.255 inside
asdm location 192.168.50.7 255.255.255.255 inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (CableOne) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface https CCFM-Win2003-Server https netmask 255.255.255.255
static (inside,outside) tcp interface www CCFM-Win2003-Server www netmask 255.255.255.255
static (inside,outside) tcp interface 8089 192.168.10.240 8089 netmask 255.255.255.255
static (inside,outside) tcp interface 8000 192.168.10.240 8000 netmask 255.255.255.255
static (inside,outside) tcp interface 8443 CCFM-Win2003-Server 8443 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 209.161.27.45 1 track 100
route CableOne 0.0.0.0 0.0.0.0 24.117.110.1 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server CCFMAAA protocol radius
 max-failed-attempts 5
aaa-server CCFMAAA host CCFM-Win2003-Server
 key 3isgoingonvacation
 radius-common-pw ******
 acl-netmask-convert auto-detect
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
filter java except 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
http server enable
http 192.168.10.0 255.255.255.0 inside
http 192.168.5.0 255.255.255.0 inside
snmp-server host inside 192.168.10.50 poll community *********
snmp-server location *************************************
no snmp-server contact
snmp-server community ****************************
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 1
 type echo protocol ipIcmpEcho 209.161.27.45 interface outside
 num-packets 3
sla monitor schedule 1 life forever start-time now
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
!
track 100 rtr 1 reachability
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 192.168.10.0 255.255.255.0 inside
ssh 192.168.5.0 255.255.255.0 inside
ssh 209.161.35.213 255.255.255.255 outside
ssh 209.151.55.40 255.255.255.255 outside
ssh 63.228.179.89 255.255.255.255 outside
ssh timeout 5
console timeout 20
dhcpd address 192.168.10.30-192.168.10.125 inside
dhcpd dns 192.168.10.9 209.161.1.2 interface inside
dhcpd wins 192.168.10.9 interface inside
dhcpd lease 129600 interface inside
dhcpd ping_timeout 100 interface inside
dhcpd domain ccfm.local interface inside
dhcpd update dns both interface inside
dhcpd enable inside
!
 
threat-detection basic-threat
threat-detection statistics access-list
ntp server 64.202.112.65 source outside prefer
webvpn
 port 8080
 enable outside
 svc image disk0:/anyconnect-win-2.1.0148-k9.pkg 1
 svc image disk0:/anyconnect-macosx-i386-2.1.0148-k9.pkg 2
 svc image disk0:/anyconnect-macosx-powerpc-2.1.0148-k9.pkg 3
 svc image disk0:/anyconnect-linux-2.1.0148-k9.pkg 4
group-policy CCFMVPNGroup internal
group-policy CCFMVPNGroup attributes
 vpn-filter value Default-VPN-Group-Filter
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CCFMVPN-Split-Tunnel
 default-domain value ccfm.local
group-policy DfltGrpPolicy attributes
 banner value ********
 banner value Unauthorized Access Is Strictly Prohibited!!!!
 dns-server value 192.168.10.7
 vpn-tunnel-protocol IPSec svc
username ccfmadmin password ****************encrypted privilege 15
username ccfmpix password ********************* encrypted privilege 15
username auroratc password ******************** encrypted privilege 15
tunnel-group CCFMVPN type remote-access
tunnel-group CCFMVPN general-attributes
 address-pool VPNpool
 authentication-server-group CCFMAAA LOCAL
 default-group-policy CCFMVPNGroup
tunnel-group CCFMVPN ipsec-attributes
 pre-shared-key *
!
class-map http-map1
 match access-list http-list2
!
!
policy-map http-map1
 class http-map1
  set connection advanced-options mss-map
!
service-policy http-map1 interface outside
prompt hostname context
Cryptochecksum:6a33db1353716cf713467358633cf743
CCFM-ASA5505#
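An added illustration of why inserting a rule on the inside interface cuts off internet access for everyone; this is not the asker's configuration and not the accepted answer (which is not visible on this page). On an ASA, as soon as any access-group is bound to an interface, the default permit from a higher to a lower security level no longer applies and the ACL ends in an implicit deny, so a list that contains only a deny line drops every flow. HOST_A (on 192.168.10.0/24) and HOST_B (on 192.168.50.0/24) are placeholders for the two hosts the asker wants kept apart; the ACL names are assumed.

```cisco
! --- What the question describes: a single deny rule bound to the inside interface ---
! The list ends in an implicit "deny ip any any", so every flow entering on inside,
! including the whole organization's web traffic, is dropped.
access-list inside_access_in extended deny ip host HOST_A host HOST_B
access-group inside_access_in in interface inside
!
! --- Corrected form: the same deny, followed by an explicit permit for everything else ---
! ACEs are evaluated first-match, so the deny must come before the permit; "log" sends each
! blocked attempt to syslog (logging is already enabled in the posted config).
no access-group inside_access_in in interface inside
clear configure access-list inside_access_in
access-list inside_access_in extended deny ip host HOST_A host HOST_B log
access-list inside_access_in extended permit ip 192.168.10.0 255.255.255.0 any
access-group inside_access_in in interface inside
!
! Mirror the rule on the MOZART interface so the block holds no matter which host starts the flow.
access-list MOZART_access_in extended deny ip host HOST_B host HOST_A log
access-list MOZART_access_in extended permit ip 192.168.50.0 255.255.255.0 any
access-group MOZART_access_in in interface MOZART
```

Before and after the change, `packet-tracer input inside tcp 192.168.10.50 1025 HOST_B 80` (and the reverse from MOZART) shows exactly which ACE accepts or drops the flow, which is the quickest way to confirm that the host pair is blocked while internet-bound traffic still passes.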
 
08/18/09 01:26 PM, ID: 25127299, Expert Comment

08/18/09 01:35 PM, ID: 25127385, Expert Comment

08/18/09 02:42 PM, ID: 25127965, Expert Comment

08/18/09 04:51 PM, ID: 25128591, Author Comment

08/18/09 04:53 PM, ID: 25128600, Author Comment

08/18/09 06:33 PM, ID: 25129047, Expert Comment

08/18/09 07:07 PM, ID: 25129162, Author Comment

08/18/09 07:43 PM, ID: 25129295, Expert Comment

08/18/09 07:45 PM, ID: 25129298, Expert Comment

08/18/09 07:53 PM, ID: 25129325, Author Comment

08/18/09 07:59 PM, ID: 25129342, Accepted Solution

Zones: Networking Hardware Firewalls, Miscellaneous Networking, Network Routers
Tags: Cisco, ASA, ASA 5505, Routing
Solution Provided By: Quori
Participating Experts: 2
Solution Grade: A

08/18/09 08:01 PM, ID: 25129343, Expert Comment

08/18/09 09:06 PM, ID: 25129545, Author Comment

08/18/09 09:14 PM, ID: 25129569, Expert Comment

08/18/09 10:52 PM, ID: 25129889, Author Comment

08/18/09 10:55 PM, ID: 25129901, Expert Comment
 