I have a Cisco ASA5510 that I cannot get to route on our inside network. I understand that the ASA is not a router, but I have been told my scenario will work and it is probably something simple such as an ACL or something. I am a beginner to Cisco stuff, so here goes. My internal LAN has 4 subnets which I will call 192.168.2.x, 192.168.3.x, 192.168.4.x and 192.168.5.x. The ASA is on the 192.168.2.x subnet (192.168.2.246). I have a 3Com 3300 series router (192.168.2.250) that contains the VLANs for the 192.168.4 and 192.168.5 subnets and connects directly via fiber to another 3Com router offsite which has the 192.168.3 subnet VLAN. If a client's default gateway is the 192.168.2.250 router, they can see all of the subnets fine. When I switch it to the ASA as the default gateway, they can see the subnet they're on (192.168.2.x) but nothing else besides the internet. The interesting thing is that the VPN clients can see the whole network. Why would this work for the VPN clients but not for the internal clients that have their default gateways set to the ASA? Below is the ASA setup:
ASA Version 7.0(7)
!
hostname ******
domain-name default.domain.invalid
enable password ******* encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 7#.##.##.### #.#.#.#
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.2.246 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd ###### encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
access-list 100 extended permit tcp any interface outside eq ####
access-list inside_nat0_outbound extended permit ip any 192.168.20.0 255.255.255.224
access-list ##_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list ##_splitTunnelAcl standard permit 192.168.3.0 255.255.255.0
access-list ##_splitTunnelAcl standard permit 192.168.4.0 255.255.255.0
access-list ##_splitTunnelAcl standard permit 192.168.5.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool remotevpn 192.168.20.10-192.168.20.19 mask 255.255.255.0
no failover
icmp permit any inside
icmp permit any echo-reply inside
icmp permit any echo inside
icmp permit 192.168.3.0 255.255.255.0 inside
icmp permit 192.168.4.0 255.255.255.0 inside
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 5# 192.168.2.# # netmask 255.255.255.255
access-group 100 in interface outside
rip inside passive version 2
route outside 0.0.0.0 0.0.0.0 7#.##.##.### 1
route inside 192.168.3.0 255.255.255.0 192.168.2.250 1
route inside 192.168.4.0 255.255.255.0 192.168.2.250 1
route inside 192.168.5.0 255.255.255.0 192.168.2.250 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy ##### internal
group-policy ##### attributes
wins-server value 192.168.2.x 192.168.2.x
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ####_splitTunnelAcl
webvpn
username #### password ##### encrypted privilege 0
username #### attributes
vpn-group-policy #####
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 10
tunnel-group #### type ipsec-ra
tunnel-group #### general-attributes
address-pool remotevpn
default-group-policy ######
tunnel-group #### ipsec-attributes
pre-shared-key *
telnet 192.168.2.x 255.255.255.255 inside
telnet timeout 5
ssh ###### 255.255.255.#### outside
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.192.168.2.119 inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd dns #### #######
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:89b41cfd8e6e393055000c26dec5715e
: end
#####ASA#
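Added note and example, not part of the original post: the symptom described above matches the ASA's default refusal to forward a packet back out the interface it arrived on. A client whose gateway is the ASA sends its 192.168.3.x traffic to the ASA's inside interface; the static routes for 192.168.3.0/24, 192.168.4.0/24 and 192.168.5.0/24 point at 192.168.2.250, which is also reached through the inside interface, so the packet would have to leave the way it came in. The ASA drops that by default, whereas VPN client traffic enters on outside and leaves on inside and is therefore unaffected. The command that permits the hairpin is `same-security-traffic permit intra-interface`. The fragment below is an illustration assembled from the commands on this page plus that one line; it is not the poster's working configuration.

```cisco
! Allow traffic that enters the inside interface to leave through the
! inside interface again (hairpin to the 3Com router at 192.168.2.250).
! Without this the ASA drops inside -> inside forwarding.
same-security-traffic permit intra-interface
!
! Existing static routes: the next hop sits on the same segment as the clients.
route inside 192.168.3.0 255.255.255.0 192.168.2.250 1
route inside 192.168.4.0 255.255.255.0 192.168.2.250 1
route inside 192.168.5.0 255.255.255.0 192.168.2.250 1
!
! Verify the setting is in the running config and watch the forwarding path:
!   show running-config | include same-security
!   show route
!   show conn
```

One caveat a practitioner would want: with the hairpin permitted, only the client-to-3Com direction passes through the ASA. The 3Com router sees 192.168.2.0/24 as directly connected and sends replies straight to the client, so the ASA observes one half of each TCP connection and its stateful inspection can drop packets after the handshake; ICMP and UDP tend to work while TCP sessions stall. The more robust arrangement is the one in which the VPN clients already work: keep 192.168.2.250 as the clients' default gateway and give the 3Com router a default route toward the ASA (192.168.2.246), so that only internet-bound traffic crosses the firewall and both directions of every flow do.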