• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1235

Cisco ASA 5520 - help configuring routes between interfaces

I need to set up my ASA to route between 2 of the interfaces - all traffic. I have 2 T1s coming into each building - 1 for Internet and the other is a "dry pair" Point-to-Point T1 dedicated to VoIP services. I can currently ping across the P2P T1 no problem. I need the PIX to recognize traffic OUTBOUND to the P2P T1 and send it across the correct interface. I'm sure this is a route issue; I've never done static routing between interfaces in PIX or ASA before.

The interfaces on the ASA 5520:
gige0/0 - outside
gige0/1 - inside - 10.0.2.0/24
gige0/3 - PhoneP2P - this int is connected to the Point-to-Point T1 which I'm running VoIP services to a remote office.  IP Address: 10.1.2.20

The Avaya IP office system is behind the ASA and has an address on the 10.0.2.0 ("inside") subnet.

WAN/LAN Setup:

Cisco 1800 Series router - 2 T1 WICs
Serial 0/0 - Internet connection from ISP
Serial 0/1 - Point to Point "dry pair" T1 - IP Address: 10.1.3.2
Eth 0/0 - Connected to ASA5520 (gige0/0 "outside")
Eth 0/1 - Connected to HP Managed Gig switch (switch has connection to PIX gige0/3 "PhoneP2P"). IP Address: 10.1.2.1

Other side of the P2P T1 - Cisco 1800 Series Router - 2 T1 WICs
Serial 0/0 - Internet from ISP
Serial 0/1 - P2P T1 - IP Address: 10.1.3.1
Eth 0/0 - Connected to a second ASA 5520
Eth 0/1 - Connected to HP switch. IP Address: 10.1.1.254


The routers are working correctly, and if connected to either of the 10.1.X.X networks, I can ping across the P2P T1 successfully. The problem is that the Avaya system is on the 10.0.2.X network and cannot physically "see" the 10.1.2.X network. By connecting the 10.1.2.X network to GigE0/3 on the ASA5520, I'm hoping to add the necessary routes and access lists so that 10.0.2.24 and 10.0.2.25 can see and be accessed by any IP address on the Point2Point network (10.1.1.X or 10.1.2.X - either side of the P2P T1).

When traffic comes in from the remote location over the P2P T1, I need the PIX to recognize that traffic and return it out of gige0/3 (PhoneP2P).

If I didn't explain clearly, please post and I will clarify what I can.

Here's the PIX config:

Highlands-ASA(config)# sh run
: Saved
:
ASA Version 7.2(2)
!
hostname Highlands-ASA
domain-name highlands.local
enable password vI.Krs5K43tUsYJT encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 speed 10
 duplex half
 nameif outside
 security-level 0
 ip address 66.xxx.xxx.xxx 255.255.255.252
!
interface GigabitEthernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.0.2.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 nameif RTP
 security-level 100
 ip address 192.168.253.212 255.255.255.0
!
interface GigabitEthernet0/3
 speed 100
 duplex full
 nameif PhoneP2P
 security-level 50
 ip address 10.1.2.20 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd vI.Krs5K43tUsYJT encrypted
boot system disk0:/asa722-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name highlands.local
same-security-traffic permit inter-interface
access-list 101 extended permit ip host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx
access-list 101 extended permit tcp any host xxx.xxx.xxx.xxx eq 3389
access-list 101 extended permit tcp any host xxx.xxx.xxx.xxx eq 3389
access-list 101 extended permit tcp any host xxx.xxx.xxx.xxx eq lpd
access-list 101 extended permit tcp any host xxx.xxx.xxx.xxx eq ftp
access-list 101 extended permit tcp any host xxx.xxx.xxx.xxx eq www
access-list 101 extended permit tcp any host xxx.xxx.xxx.xxx eq https
access-list 101 extended permit tcp any host xxx.xxx.xxx.xxx eq 3389
access-list 101 extended permit tcp any host xxx.xxx.xxx.xxx eq ftp
access-list 101 extended permit tcp any host xxx.xxx.xxx.xxx eq 4500
access-list 101 extended permit tcp any host xxx.xxx.xxx.xxx eq 4501
access-list 101 extended permit tcp any host xxx.xxx.xxx.xxx eq 4503
access-list 101 extended permit tcp any host xxx.xxx.xxx.xxx eq 3389
access-list 101 extended permit tcp any host xxx.xxx.xxx.xxx eq smtp
access-list 101 extended permit tcp any host xxx.xxx.xxx.xxx eq 8888
access-list 101 extended permit tcp any host xxx.xxx.xxx.xxx eq 8889
access-list 101 extended permit tcp any host xxx.xxx.xxx.xxx eq www
access-list 101 extended permit tcp any host xxx.xxx.xxx.xxx eq 9012
access-list 101 extended permit tcp any host xxx.xxx.xxx.xxx eq 4502
access-list 101 extended permit tcp any host xxx.xxx.xxx.xxx eq www
access-list 101 extended permit icmp any any
access-list 101 extended permit tcp any host xxx.xxx.xxx.xxx eq 3389
access-list no_nat extended permit ip 10.0.2.0 255.255.255.0 10.0.35.0 255.255.255.0
access-list no_nat extended permit ip 10.0.2.0 255.255.255.0 10.0.95.0 255.255.255.0
access-list no_nat extended permit ip 10.0.2.0 255.255.255.0 10.0.40.0 255.255.255.0
access-list no_nat extended permit ip 10.0.2.0 255.255.255.0 10.0.150.0 255.255.255.0
access-list no_nat extended permit ip 10.0.2.0 255.255.255.0 host 10.0.250.88
access-list no_nat extended permit ip 10.0.2.0 255.255.255.0 host 10.0.250.89
access-list no_nat extended permit ip 10.0.2.0 255.255.255.0 host 10.0.250.90
access-list no_nat extended permit ip 10.0.2.0 255.255.255.0 10.0.60.0 255.255.255.0
access-list no_nat extended permit ip 10.0.2.0 255.255.255.0 10.0.200.0 255.255.255.0
access-list MMorgan extended permit ip 10.0.2.0 255.255.255.0 10.0.35.0 255.255.255.0
access-list Jarnot extended permit ip 10.0.2.0 255.255.255.0 10.0.95.0 255.255.255.0
access-list Edwards extended permit ip 10.0.2.0 255.255.255.0 10.0.40.0 255.255.255.0
access-list Ridgepoint extended permit ip 10.0.2.0 255.255.255.0 10.0.150.0 255.255.255.0
access-list CoLo extended permit ip 10.0.2.0 255.255.255.0 host 10.0.250.88
access-list CoLo extended permit ip 10.0.2.0 255.255.255.0 host 10.0.250.89
access-list CoLo extended permit ip 10.0.2.0 255.255.255.0 host 10.0.250.90
access-list Oxford extended permit ip 10.0.2.0 255.255.255.0 10.0.60.0 255.255.255.0
access-list BCLanding extended permit ip 10.0.2.0 255.255.255.0 10.0.200.0 255.255.255.0
pager lines 24
logging monitor debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu RTP 1500
mtu management 1500
mtu PhoneP2P 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 xxx.xxx.xxx.xxx
nat (inside) 0 access-list no_nat
nat (inside) 1 10.0.2.0 255.255.255.0
static (inside,outside) tcp xxx.xxx.xxx.xxx 3389 10.0.2.10 3389 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.xxx 3389 10.0.2.48 3389 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.xxx lpd 10.0.2.48 lpd netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.xxx ftp 10.0.2.48 ftp netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.xxx www 10.0.2.48 www netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.xxx https 10.0.2.48 https netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.xxx 3389 10.0.2.11 3389 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.xxx ftp 10.0.2.11 ftp netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.xxx 4500 10.0.2.20 3389 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.xxx 4501 10.0.2.21 3389 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.xxx 4503 10.0.2.251 3389 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.xxx 3389 10.0.2.18 3389 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.xxx smtp 10.0.2.18 smtp netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.xxx 8888 10.0.2.200 8888 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.xxx 8889 10.0.2.200 8889 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.xxx www 10.0.2.200 www netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.xxx 8888 10.0.2.201 8888 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.xxx 8889 10.0.2.201 8889 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.xxx www 10.0.2.201 www netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.xxx 9012 10.0.2.201 9012 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.xxx 4502 10.0.2.5 3389 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.xxx 3389 10.0.2.99 3389 netmask 255.255.255.255
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 66.xxx.xxx.xxx 1
route PhoneP2P 10.1.1.0 255.255.255.0 10.1.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.253.75 255.255.255.255 RTP
http xxx.xxx.xxx.xxx 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set VPNSet esp-3des esp-md5-hmac
crypto map EWRMap 10 match address Edwards
crypto map EWRMap 10 set peer xxx.xxx.xxx.xxx
crypto map EWRMap 10 set transform-set VPNSet
crypto map EWRMap 20 match address MMorgan
crypto map EWRMap 20 set peer xxx.xxx.xxx.xxx
crypto map EWRMap 20 set transform-set VPNSet
crypto map EWRMap 30 match address CoLo
crypto map EWRMap 30 set peer xxx.xxx.xxx.xxx
crypto map EWRMap 30 set transform-set VPNSet
crypto map EWRMap 40 match address Jarnot
crypto map EWRMap 40 set peer xxx.xxx.xxx.xxx
crypto map EWRMap 40 set transform-set VPNSet
crypto map EWRMap 50 match address Ridgepoint
crypto map EWRMap 50 set peer xxx.xxx.xxx.xxx
crypto map EWRMap 50 set transform-set VPNSet
crypto map EWRMap 60 match address Oxford
crypto map EWRMap 60 set peer xxx.xxx.xxx.xxx
crypto map EWRMap 60 set transform-set VPNSet
crypto map EWRMap 70 match address BCLanding
crypto map EWRMap 70 set peer xxx.xxx.xxx.xxx
crypto map EWRMap 70 set transform-set VPNSet
crypto map EWRMap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 1000
crypto isakmp nat-traversal  20
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
telnet 10.0.2.0 255.255.255.0 inside
telnet timeout 5
ssh xxx.xxx.xxx.xxx 255.255.255.255 outside
ssh xxx.xxx.xxx.xxx 255.255.255.255 outside
ssh xxx.xxx.xxx.xxx 255.255.255.255 outside
ssh xxx.xxx.xxx.xxx 255.255.255.255 RTP
ssh timeout 30
console timeout 0
management-access inside
dhcpd address 10.0.2.100-10.0.2.201 inside
dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx interface inside
dhcpd lease 86400 interface inside
dhcpd domain xxxx.xxx interface inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
!
service-policy global_policy global
tftp-server RTP 192.168.253.75 asdm-522.bin
prompt hostname context
Cryptochecksum:bca9281325e71653bea71ca861e5fe79
: end


 
Asked by: RTPIT

1 Solution

chicka616 commented:
Can you post a network diagram? Things seem unclear, especially when you describe 10.1.2.1 and 10.1.2.20 (how are they connected exactly?).
Is 10.1.2.1 the HP switch or gige0/3 on ASA?
What is 10.0.2.24?
What is 10.0.2.25?
      Do they have default gateway to 10.0.2.1?
Can 10.1.2.1 ping 10.0.2.1? and vice versa?
On PIX 10.1.2.1 did you create static route of 10.0.2.0/24 pointing to gateway address of gige0/3 10.1.2.20? (If this question doesn't make sense, then I am unclear still, hence question #1).
RTPIT (author) commented:
Location 1:

----T1 Internet from ISP---->Serial 0/0 Cisco 1800---->Eth 0/0 Cisco 1800---->ASA 5520 Eth 0/0 (outside)---->ASA 5520 Eth 0/1 (inside, 10.0.2.1)---->HP Switch #1---->User Network 10.0.2.X. IP Office system: 10.0.2.24 - .25

----T1 Point2Point---->Serial 0/1 Cisco 1800 (10.1.3.2)---->Eth 0/1 Cisco 1800 (10.1.2.1)---->HP Switch #2---->ASA 5520 Eth 0/3 (10.1.2.20)

Location 2:

----T1 Internet from ISP---->Serial 0/0 Cisco 1800---->Eth 0/0 Cisco 1800---->ASA 5520 Eth 0/0 (outside)---->ASA 5520 Eth 0/1 (inside, 10.0.200.1)---->HP Switch #1---->User Network 10.0.200.X

----T1 Point2Point---->Serial 0/1 Cisco 1800 (10.1.3.1)---->Eth 0/1 Cisco 1800 (10.1.1.254)---->HP Switch #2


Note: at Location 2, the User Network (10.0.200.X) does not need to see across the P2P T1.

As long as the P2P network (10.1.1.X) can see across to 10.1.2.X (which it now can), and then through Eth 0/3 on the ASA (10.1.2.20) see through to the User Network (10.0.2.X) at Location 1 to access 10.0.2.24 - .25 (the Avaya IP Office system), then all should work.

Hope this helps clarify.
chicka616 commented:
1. Ensure that Avaya systems 10.0.2.24 & .25 have a gateway to 10.0.2.1
2. Try adding the translation: static (inside, PhoneP2P) 10.0.2.0 10.0.2.0 netmask 255.255.255.255
We basically want to create a dynamic translation for Avaya traffic to pass between eth0/1 and eth0/3 on ASA while keeping its source address unchanged.

See how that goes.
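The pieces discussed in the question and in the answer above (the static route, keeping the 10.0.2.x source addresses untranslated between inside and PhoneP2P, and the access list that lets the P2P side reach the two Avaya hosts), pulled together as an added example. This is not config from the thread, neither the asker's running config nor chicka616's suggestion: it is an ASA 7.2 fragment for the Location 1 ASA, followed by the IOS static routes the two 1800 routers would need for the return path. The addresses are the ones given in the thread; the names P2P_nets and PhoneP2P_in are invented here.

```text
! Added example, not config from the thread. ASA 7.2 fragment for the
! Location 1 ASA (inside = 10.0.2.1/24, PhoneP2P = 10.1.2.20/24).
! Addresses come from the thread; P2P_nets and PhoneP2P_in are invented names.
!
! 1. Routing. 10.1.2.0/24 is directly connected on PhoneP2P, so only the far
!    side of the T1 needs a static route (this line is already in the posted
!    config; shown here so the fragment is complete).
route PhoneP2P 10.1.1.0 255.255.255.0 10.1.2.1 1
!
! 2. NAT exemption. "nat (inside) 0 access-list no_nat" is already bound in
!    the posted config, so adding the P2P networks to no_nat keeps 10.0.2.x
!    source addresses unchanged on the way out of PhoneP2P, the same pattern
!    the config already uses for the VPN subnets.
access-list no_nat extended permit ip 10.0.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no_nat extended permit ip 10.0.2.0 255.255.255.0 10.1.2.0 255.255.255.0
!    Equivalent identity static (use one approach or the other, not both);
!    note the netmask has to cover the whole /24, not a single host:
! static (inside,PhoneP2P) 10.0.2.0 10.0.2.0 netmask 255.255.255.0
!
! 3. Access control. PhoneP2P is security-level 50 and inside is 100, so
!    traffic arriving from the T1 toward inside is denied unless an ACL
!    permits it. Permit only the two Avaya hosts, nothing else on 10.0.2.0/24.
object-group network P2P_nets
 network-object 10.1.1.0 255.255.255.0
 network-object 10.1.2.0 255.255.255.0
access-list PhoneP2P_in extended permit ip object-group P2P_nets host 10.0.2.24
access-list PhoneP2P_in extended permit ip object-group P2P_nets host 10.0.2.25
access-group PhoneP2P_in in interface PhoneP2P
!
! 4. Return path on the routers (IOS, not ASA). Without these, replies for
!    10.0.2.0/24 follow each router's default route toward the ISP instead
!    of coming back to the ASA's PhoneP2P interface.
! Location 1 Cisco 1800 (Eth0/1 = 10.1.2.1):
!   ip route 10.0.2.0 255.255.255.0 10.1.2.20
! Location 2 Cisco 1800 (Serial0/1 = 10.1.3.1):
!   ip route 10.0.2.0 255.255.255.0 10.1.3.2
```

To check the result on the ASA, `show route` confirms the egress interface for 10.1.1.0/24, `show xlate` after a test connection confirms the 10.0.2.x address was not translated, and `packet-tracer input inside icmp 10.0.2.24 8 0 10.1.1.10` (10.1.1.10 is a constructed remote address) walks a simulated packet through route lookup, NAT and the ACLs and reports where it would be dropped. Two things the posted config does not cover: `class inspection_default` under `policy-map global_policy` has no `inspect` lines, so ICMP echo replies coming back into inside are dropped unless `inspect icmp` is added or the ACL permits them, and the `same-security-traffic permit inter-interface` line does not help here because inside (100) and PhoneP2P (50) are not at the same level; the ACL in step 3 is what opens the path, and keeping it to the two Avaya hosts limits what the T1 side can reach.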
RTPIT (author) commented:
OK - changed the Eth0/1 on the Cisco 1800 series to an address on the User Network (10.0.2.X) and added static routes to the phone system. Bypassed the ASA altogether.

Opened a Cisco TAC case and they kicked me up a level before I figured out that I should be letting the router do the work.

Points awarded for the help.
