• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3867

Cisco ASA 5510 new config - routing issue?

I'm setting up an ASA 5510 in a lab environment, but I'm having some trouble getting the networks to talk to each other.  Here's the basic setup:


Computer 1                          ASA5510 "public"      ASA5510 "dmz"                             Computer 2
10.52.135.221/27 ------------  10.52.135.218/27     10.94.158.250/25  ------------------  10.94.158.180/25

Currently I can ping from the 10.52.135.218 interface (public) to the 10.52.135.221 computer, but if I try to ping from the 10.94.158.250 interface (dmz) to the 10.52.135.218 (public) interface I get a message in the log saying:

"No route to 10.52.135.218 from 10.94.158.250"

Here's the config:

interface Ethernet0/0
 description Public network (Internet) in Site A
 nameif public
 security-level 0
 ip address 10.52.135.218 255.255.255.224
!
interface Ethernet0/1
 description DMZ network in Site A
 nameif dmz
 security-level 25
 ip address 10.94.158.250 255.255.255.128
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.0.161 255.255.255.0
 management-only
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
access-list public_access_in remark Allow any ICMP to DMZ
access-list public_access_in extended permit icmp interface public interface dmz
mtu management 1500
mtu dmz 1500
mtu public 1500
no failover
monitor-interface management
monitor-interface dmz
monitor-interface public
icmp permit any dmz
icmp permit any public
access-group public_access_in in interface public
route public 0.0.0.0 0.0.0.0 10.52.135.221 1
: end

Can anyone tell me what I'm doing wrong?
Asked: ScottTFrazer
2 Solutions
 
Cyclops3590 commented:
First off, your public_access_in ACL doesn't make any sense: you are saying to accept any ICMP packet with a src IP of 10.52.135.218 and a dst IP of 10.94.158.250.
Do this:

access-list public_access_in extended permit icmp any interface public
no access-list public_access_in extended permit icmp interface public interface dmz

Also, when you get that error, what is the exact command you are running on the ASA?
 
ScottTFrazer (Author) commented:
Access list entries now look like this:

access-list public_access_in remark Allow any ICMP to DMZ
access-list public_access_in extended permit icmp any interface public

The ping commands:
sitea# ping dmz 10.52.135.218
Sending 5, 100-byte ICMP Echos to 10.52.135.218, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
sitea# ping public 10.52.135.218
Sending 5, 100-byte ICMP Echos to 10.52.135.218, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
 
Cyclops3590 commented:
OK, I understand. This will never work because of how Cisco designs its security device: packets cannot go in and out the same interface (or out and in). This would require the ICMP packet to go out the dmz interface, back in the dmz interface and to the public interface. Although the packet goes out the dmz, when it comes back the ASA drops the packet because it violates its security model.

This would be the same if you ping the public interface ip on the ASA from the dmz host.
Try pinging the public host from the DMZ host with your config; that should work because it follows Cisco's security model.
 
ScottTFrazer (Author) commented:
Unfortunately, I get the same result with a host on that network:

sitea# ping public 10.52.135.221
Sending 5, 100-byte ICMP Echos to 10.52.135.221, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
sitea# ping dmz 10.52.135.221
Sending 5, 100-byte ICMP Echos to 10.52.135.221, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

It seems like this device isn't really acting as a router?  All of the configuration guides I can find keep expecting me to NAT the DMZ, but I really would prefer to not do that.
 
Cyclops3590 commented:
Oops, sorry about that, I should have caught that. Add these two lines:
global (public) 10 interface
nat (dmz) 10 0 0
 
lrmoore commented:
With ASA you can use this command:
 no nat control
This will keep you from having to set up any NAT.

sitea# ping dmz 10.52.135.218
???
sitea# ping public 10.52.135.218
!!!!

The keywords "dmz" and "public" are not the source interfaces; they are the destination interfaces. You will never be able to ping an IP in the public interface range by sending it out the dmz interface. It's simply not there.
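As an added illustration (not code from the thread), here is a small Python model of the route lookup behind lrmoore's point: the interface keyword on the ASA ping command names the egress interface, so a probe to 10.52.135.218 sent "out dmz" has no route and produces exactly the log line quoted in the question. Interface addresses and the static route are taken from the config posted above; the lookup order (connected subnets before static routes, longest prefix wins) is an assumption that matches ordinary IP routing.

```python
import ipaddress

# Interfaces and the default route as configured in the question (constructed
# from the posted "interface ..." and "route public ..." lines).
INTERFACES = {
    "public": ipaddress.ip_interface("10.52.135.218/27"),
    "dmz": ipaddress.ip_interface("10.94.158.250/25"),
    "management": ipaddress.ip_interface("192.168.0.161/24"),
}
# (prefix, next hop, egress interface) for "route public 0.0.0.0 0.0.0.0 10.52.135.221 1"
STATIC_ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address("10.52.135.221"), "public"),
]


def route_lookup(dst):
    """Longest-prefix match over connected subnets and static routes.
    Returns (egress_interface, next_hop); next_hop is None when the
    destination is directly connected or is one of the ASA's own addresses."""
    dst = ipaddress.ip_address(dst)
    candidates = []
    for name, iface in INTERFACES.items():
        if dst == iface.ip:            # the ASA's own interface address
            return name, None
        if dst in iface.network:       # directly connected subnet
            candidates.append((iface.network.prefixlen, name, None))
    for net, next_hop, name in STATIC_ROUTES:
        if dst in net:
            candidates.append((net.prefixlen, name, next_hop))
    if not candidates:
        return None, None
    _, name, next_hop = max(candidates, key=lambda c: c[0])
    return name, next_hop


def ping_interface_check(egress, dst):
    """Model 'ping <egress> <dst>': the keyword is the interface the probe must
    leave through, not its source. Returns 'ok' or the reason the ASA refuses."""
    via, _ = route_lookup(dst)
    if via is None:
        return f"no route to {dst}"
    if via != egress:
        # Same wording as the log message quoted in the question.
        return f"No route to {dst} from {INTERFACES[egress].ip}"
    return "ok"
```

Running `ping_interface_check("dmz", "10.52.135.218")` reproduces the failure, while the same destination out `public` and 10.94.158.180 out `dmz` return "ok".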
 
ScottTFrazer (Author) commented:
That's where my big problem was.  I was expecting the ping command to behave more like on a router where you can specify the source of the ping.

Thanks for the help guys.