Solved

Cisco ASA 5510 new config - routing issue?

Posted on 2006-06-01
3,846 Views
Last Modified: 2012-05-05
I'm setting up an ASA 5510 in a lab environment, but I'm having some trouble getting the networks to talk to each other.  Here's the basic setup:


Computer 1                          ASA5510 "public"      ASA5510 "dmz"                             Computer 2
10.52.135.221/27 ------------  10.52.135.218/27     10.94.158.250/25  ------------------  10.94.158.180/25

Currently I can ping from the 10.52.135.218 interface (public) to the 10.52.135.221 computer, but if I try to ping from the 10.94.158.250 interface (dmz) to the 10.52.135.218 (public) interface I get a message in the log saying:

"No route to 10.52.135.218 from 10.94.158.250"

Here's the config:

interface Ethernet0/0
 description Public network (Internet) in Site A
 nameif public
 security-level 0
 ip address 10.52.135.218 255.255.255.224
!
interface Ethernet0/1
 description DMZ network in Site A
 nameif dmz
 security-level 25
 ip address 10.94.158.250 255.255.255.128
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.0.161 255.255.255.0
 management-only
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
access-list public_access_in remark Allow any ICMP to DMZ
access-list public_access_in extended permit icmp interface public interface dmz
mtu management 1500
mtu dmz 1500
mtu public 1500
no failover
monitor-interface management
monitor-interface dmz
monitor-interface public
icmp permit any dmz
icmp permit any public
access-group public_access_in in interface public
route public 0.0.0.0 0.0.0.0 10.52.135.221 1
: end

Can anyone tell me what I'm doing wrong?

Question by: ScottTFrazer
7 Comments
LVL 25

Expert Comment

by:Cyclops3590
ID: 16808990
First off, your public_access_in ACL doesn't make any sense.
You are saying to accept any ICMP packet with a src IP of 10.52.135.218 and a dst IP of 10.94.158.250.
Do this:

access-list public_access_in extended permit icmp any interface public
no access-list public_access_in extended permit icmp interface public interface dmz

Also, when you get that error, what is the exact command you are running on the ASA?
 

Author Comment

by:ScottTFrazer
ID: 16809091
Access list entries now look like this:

access-list public_access_in remark Allow any ICMP to DMZ
access-list public_access_in extended permit icmp any interface public

The ping commands:
sitea# ping dmz 10.52.135.218
Sending 5, 100-byte ICMP Echos to 10.52.135.218, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
sitea# ping public 10.52.135.218
Sending 5, 100-byte ICMP Echos to 10.52.135.218, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
 
LVL 25

Accepted Solution

by:
Cyclops3590 earned 1200 total points
ID: 16809302
OK, I understand. This will never work because of how Cisco designs its security device: packets cannot go in and out the same interface (or out and in). This would require the ICMP packet to go out the dmz interface, back in the dmz interface and to the public interface. Although the packet goes out the dmz, when it comes back the ASA drops the packet because it violates its security model.

This would be the same if you ping the public interface IP on the ASA from the dmz host.
Try pinging the public host from the dmz host with your config; that should work because it follows Cisco's security model.
 

Author Comment

by:ScottTFrazer
ID: 16809355
Unfortunately, I get the same result with a host on that network:

sitea# ping public 10.52.135.221
Sending 5, 100-byte ICMP Echos to 10.52.135.221, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
sitea# ping dmz 10.52.135.221
Sending 5, 100-byte ICMP Echos to 10.52.135.221, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

It seems like this device isn't really acting as a router?  All of the configuration guides I can find keep expecting me to NAT the DMZ, but I really would prefer to not do that.
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 16809411
Oops, sorry about that, I should have caught that.
Add these two lines:
global (public) 10 interface
nat (dmz) 10 0 0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 800 total points
ID: 16816027
With ASA you can use this command:
 no nat control
This will keep you from having to set up any NAT.

sitea# ping dmz 10.52.135.218
???
sitea# ping public 10.52.135.218
!!!!

The keywords "dmz" and "public" are not the source interfaces, they are the destination interfaces. You will never be able to ping an IP on the public interface range by sending it out the dmz interface. It's simply not there.
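To make the point above concrete, here is an added Python model (example code, not Cisco's implementation or anything from this thread) of how the interface keyword on the ASA `ping` command interacts with the routing table, built from the addresses and the static default route in the question's config. The `INTERFACES` and `ROUTES` tables and the `ping` helper are constructed for illustration.

```python
from ipaddress import ip_address, ip_network
from typing import Tuple

# Constructed model of the lab ASA in the question: each named interface
# has its own address and the subnet connected to it.
INTERFACES = {
    "public": (ip_address("10.52.135.218"), ip_network("10.52.135.192/27")),
    "dmz": (ip_address("10.94.158.250"), ip_network("10.94.158.128/25")),
}

# Routing table: connected routes derived from the interfaces, plus the
# static default route from the config ("route public 0.0.0.0 0.0.0.0 ...").
ROUTES = [(net, name) for name, (_addr, net) in INTERFACES.items()]
ROUTES.append((ip_network("0.0.0.0/0"), "public"))


def route_lookup(dst: str) -> str:
    """Longest-prefix match: return the egress interface name for dst."""
    ip = ip_address(dst)
    best = max((r for r in ROUTES if ip in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def ping(if_name: str, dst: str) -> Tuple[bool, str]:
    """Model 'ping <if_name> <dst>' on the ASA.

    if_name names the interface the host is expected to be reachable
    through; it is not a source selector. The echo is sourced from that
    interface's address and only sent if the routing table points at the
    same interface; otherwise a no-route message is logged.
    """
    src_ip, _net = INTERFACES[if_name]
    if route_lookup(dst) != if_name:
        return False, f"No route to {dst} from {src_ip}"
    return True, f"Sending ICMP echo to {dst} from {src_ip} via {if_name}"


if __name__ == "__main__":
    # The two cases from the thread: the first fails, the second succeeds.
    print(ping("dmz", "10.52.135.218"))
    print(ping("public", "10.52.135.218"))
```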
 

Author Comment

by:ScottTFrazer
ID: 16817274
That's where my big problem was.  I was expecting the ping command to behave more like on a router where you can specify the source of the ping.

Thanks for the help guys.