Cisco ASA 5520 - help configuring routes between interfaces

RTPIT asked on
Tags: Software Firewalls, Hardware Firewalls, Cisco
I need to set up my ASA to route between 2 of the interfaces - all traffic. I have 2 T1s coming into each building - 1 for Internet and the other is a "dry pair" Point-to-Point T1 dedicated to VoIP services. I can currently ping across the P2P T1 no problem. I need the pix to recognize traffic OUTBOUND to the P2P T1 and send it across the correct interface. I'm sure this is a route issue; I've never done static routing between interfaces in PIX or ASA before.

The interfaces on the ASA 5520:
gige0/0 - outside
gige0/1 - inside - 10.0.2.0/24
gige0/3 - PhoneP2P - this int is connected to the Point-to-Point T1 which I'm running VoIP services to a remote office. IP Address: 10.1.2.20

The Avaya IP office system is behind the ASA and has an address on the 10.0.2.0 ("inside") subnet.

WAN/LAN Setup:

Cisco 1800 Series router - 2 T1 WICs
Serial 0/0 - Internet connection from ISP
Serial 0/1 - Point to Point "dry pair" T1 - IP Address: 10.1.3.2
Eth 0/0 - Connected to ASA5520 (gige0/0 "outside")
Eth 0/1 - Connected to HP Managed Gig switch (switch has connection to PIX gige0/3 "PhoneP2P"). IP Address: 10.1.2.1

Other side of the P2P T1 - Cisco 1800 Series Router - 2 T1 WICs
Serial 0/0 - Internet from ISP
Serial 0/1 - P2P T1 - IP Address: 10.1.3.1
Eth 0/0 - Connected to a second ASA 5520
Eth 0/1 - Connected to HP switch. IP Address: 10.1.1.254


The routers are working correctly, and if connected to either of the 10.1.X.X networks, I can ping across the P2P T1 successfully. The problem is that the Avaya system is on the 10.0.2.X network and cannot physically "see" the 10.1.2.X network. By connecting the 10.1.2.X network to GigE0/3 on the ASA5520, I'm hoping to add the necessary routes and access lists so that 10.0.2.24 and 10.0.2.25 can see and be accessed by any IP address on the Point2Point network (10.1.1.X or 10.1.2.X - either side of the P2P T1).

When traffic comes in from the remote location over the P2P T1, I need the PIX to recognize that traffic and return it out of gige0/3 (PhoneP2P).

If I didn't explain clearly, please post and I will clarify what I can.

Here's the PIX config:

Highlands-ASA(config)# sh run
: Saved
:
ASA Version 7.2(2)
!
hostname Highlands-ASA
domain-name highlands.local
enable password vI.Krs5K43tUsYJT encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 speed 10
 duplex half
 nameif outside
 security-level 0
 ip address 66.xxx.xxx.xxx 255.255.255.252
!
interface GigabitEthernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.0.2.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 nameif RTP
 security-level 100
 ip address 192.168.253.212 255.255.255.0
!
interface GigabitEthernet0/3
 speed 100
 duplex full
 nameif PhoneP2P
 security-level 50
 ip address 10.1.2.20 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd vI.Krs5K43tUsYJT encrypted
boot system disk0:/asa722-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name highlands.local
same-security-traffic permit inter-interface
access-list 101 extended permit ip host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx
access-list 101 extended permit tcp any host xxx.xxx.xxx.xxx eq 3389
access-list 101 extended permit tcp any host xxx.xxx.xxx.xxx eq 3389
access-list 101 extended permit tcp any host xxx.xxx.xxx.xxx eq lpd
access-list 101 extended permit tcp any host xxx.xxx.xxx.xxx eq ftp
access-list 101 extended permit tcp any host xxx.xxx.xxx.xxx eq www
access-list 101 extended permit tcp any host xxx.xxx.xxx.xxx eq https
access-list 101 extended permit tcp any host xxx.xxx.xxx.xxx eq 3389
access-list 101 extended permit tcp any host xxx.xxx.xxx.xxx eq ftp
access-list 101 extended permit tcp any host xxx.xxx.xxx.xxx eq 4500
access-list 101 extended permit tcp any host xxx.xxx.xxx.xxx eq 4501
access-list 101 extended permit tcp any host xxx.xxx.xxx.xxx eq 4503
access-list 101 extended permit tcp any host xxx.xxx.xxx.xxx eq 3389
access-list 101 extended permit tcp any host xxx.xxx.xxx.xxx eq smtp
access-list 101 extended permit tcp any host xxx.xxx.xxx.xxx eq 8888
access-list 101 extended permit tcp any host xxx.xxx.xxx.xxx eq 8889
access-list 101 extended permit tcp any host xxx.xxx.xxx.xxx eq www
access-list 101 extended permit tcp any host xxx.xxx.xxx.xxx eq 9012
access-list 101 extended permit tcp any host xxx.xxx.xxx.xxx eq 4502
access-list 101 extended permit tcp any host xxx.xxx.xxx.xxx eq www
access-list 101 extended permit icmp any any
access-list 101 extended permit tcp any host xxx.xxx.xxx.xxx eq 3389
access-list no_nat extended permit ip 10.0.2.0 255.255.255.0 10.0.35.0 255.255.255.0
access-list no_nat extended permit ip 10.0.2.0 255.255.255.0 10.0.95.0 255.255.255.0
access-list no_nat extended permit ip 10.0.2.0 255.255.255.0 10.0.40.0 255.255.255.0
access-list no_nat extended permit ip 10.0.2.0 255.255.255.0 10.0.150.0 255.255.255.0
access-list no_nat extended permit ip 10.0.2.0 255.255.255.0 host 10.0.250.88
access-list no_nat extended permit ip 10.0.2.0 255.255.255.0 host 10.0.250.89
access-list no_nat extended permit ip 10.0.2.0 255.255.255.0 host 10.0.250.90
access-list no_nat extended permit ip 10.0.2.0 255.255.255.0 10.0.60.0 255.255.255.0
access-list no_nat extended permit ip 10.0.2.0 255.255.255.0 10.0.200.0 255.255.255.0
access-list MMorgan extended permit ip 10.0.2.0 255.255.255.0 10.0.35.0 255.255.255.0
access-list Jarnot extended permit ip 10.0.2.0 255.255.255.0 10.0.95.0 255.255.255.0
access-list Edwards extended permit ip 10.0.2.0 255.255.255.0 10.0.40.0 255.255.255.0
access-list Ridgepoint extended permit ip 10.0.2.0 255.255.255.0 10.0.150.0 255.255.255.0
access-list CoLo extended permit ip 10.0.2.0 255.255.255.0 host 10.0.250.88
access-list CoLo extended permit ip 10.0.2.0 255.255.255.0 host 10.0.250.89
access-list CoLo extended permit ip 10.0.2.0 255.255.255.0 host 10.0.250.90
access-list Oxford extended permit ip 10.0.2.0 255.255.255.0 10.0.60.0 255.255.255.0
access-list BCLanding extended permit ip 10.0.2.0 255.255.255.0 10.0.200.0 255.255.255.0
pager lines 24
logging monitor debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu RTP 1500
mtu management 1500
mtu PhoneP2P 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 xxx.xxx.xxx.xxx
nat (inside) 0 access-list no_nat
nat (inside) 1 10.0.2.0 255.255.255.0
static (inside,outside) tcp xxx.xxx.xxx.xxx 3389 10.0.2.10 3389 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.xxx 3389 10.0.2.48 3389 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.xxx lpd 10.0.2.48 lpd netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.xxx ftp 10.0.2.48 ftp netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.xxx www 10.0.2.48 www netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.xxx https 10.0.2.48 https netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.xxx 3389 10.0.2.11 3389 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.xxx ftp 10.0.2.11 ftp netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.xxx 4500 10.0.2.20 3389 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.xxx 4501 10.0.2.21 3389 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.xxx 4503 10.0.2.251 3389 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.xxx 3389 10.0.2.18 3389 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.xxx smtp 10.0.2.18 smtp netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.xxx 8888 10.0.2.200 8888 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.xxx 8889 10.0.2.200 8889 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.xxx www 10.0.2.200 www netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.xxx 8888 10.0.2.201 8888 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.xxx 8889 10.0.2.201 8889 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.xxx www 10.0.2.201 www netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.xxx 9012 10.0.2.201 9012 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.xxx 4502 10.0.2.5 3389 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.xxx 3389 10.0.2.99 3389 netmask 255.255.255.255
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 66.xxx.xxx.xxx 1
route PhoneP2P 10.1.1.0 255.255.255.0 10.1.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.253.75 255.255.255.255 RTP
http xxx.xxx.xxx.xxx 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set VPNSet esp-3des esp-md5-hmac
crypto map EWRMap 10 match address Edwards
crypto map EWRMap 10 set peer xxx.xxx.xxx.xxx
crypto map EWRMap 10 set transform-set VPNSet
crypto map EWRMap 20 match address MMorgan
crypto map EWRMap 20 set peer xxx.xxx.xxx.xxx
crypto map EWRMap 20 set transform-set VPNSet
crypto map EWRMap 30 match address CoLo
crypto map EWRMap 30 set peer xxx.xxx.xxx.xxx
crypto map EWRMap 30 set transform-set VPNSet
crypto map EWRMap 40 match address Jarnot
crypto map EWRMap 40 set peer xxx.xxx.xxx.xxx
crypto map EWRMap 40 set transform-set VPNSet
crypto map EWRMap 50 match address Ridgepoint
crypto map EWRMap 50 set peer xxx.xxx.xxx.xxx
crypto map EWRMap 50 set transform-set VPNSet
crypto map EWRMap 60 match address Oxford
crypto map EWRMap 60 set peer xxx.xxx.xxx.xxx
crypto map EWRMap 60 set transform-set VPNSet
crypto map EWRMap 70 match address BCLanding
crypto map EWRMap 70 set peer xxx.xxx.xxx.xxx
crypto map EWRMap 70 set transform-set VPNSet
crypto map EWRMap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 1000
crypto isakmp nat-traversal  20
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
telnet 10.0.2.0 255.255.255.0 inside
telnet timeout 5
ssh xxx.xxx.xxx.xxx 255.255.255.255 outside
ssh xxx.xxx.xxx.xxx 255.255.255.255 outside
ssh xxx.xxx.xxx.xxx 255.255.255.255 outside
ssh xxx.xxx.xxx.xxx 255.255.255.255 RTP
ssh timeout 30
console timeout 0
management-access inside
dhcpd address 10.0.2.100-10.0.2.201 inside
dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx interface inside
dhcpd lease 86400 interface inside
dhcpd domain xxxx.xxx interface inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
!
service-policy global_policy global
tftp-server RTP 192.168.253.75 asdm-522.bin
prompt hostname context
Cryptochecksum:bca9281325e71653bea71ca861e5fe79
: end
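
An added example, not part of the original post and not the accepted answer, of the ASA 7.2 pieces that normally have to exist alongside the `route PhoneP2P 10.1.1.0 255.255.255.0 10.1.2.1 1` line already in the posted config: a NAT exemption for the P2P networks (the existing `nat (inside) 1` rule has no `global (PhoneP2P)` pool to use), an access-list on the lower-security PhoneP2P interface so the remote side can initiate connections to the two Avaya hosts, and return routes on both 1800 routers. The object-group and ACL names, the router static routes and the 10.1.1.10 test address are assumptions; the router configs are not in the post.

```cisco
! --- ASA 7.2 (Highlands-ASA): exempt inside <-> P2P traffic from NAT.
! "nat (inside) 1 10.0.2.0 255.255.255.0" matches inside sources on every
! egress interface, but only "global (outside) 1" exists, so inside-to-PhoneP2P
! packets normally fail with "no translation group found" until exempted.
! no_nat is already bound by "nat (inside) 0 access-list no_nat".
access-list no_nat extended permit ip 10.0.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no_nat extended permit ip 10.0.2.0 255.255.255.0 10.1.2.0 255.255.255.0
!
! --- Permit connections initiated from the P2P side (security-level 50)
! toward the two Avaya hosts on inside (security-level 100). Connections
! initiated from inside are already allowed by the security levels and their
! replies by the connection table, so only the P2P hosts and the two Avaya
! addresses are opened, not the whole inside subnet. Names are assumed.
object-group network P2P_NETS
 network-object 10.1.1.0 255.255.255.0
 network-object 10.1.2.0 255.255.255.0
object-group network AVAYA_HOSTS
 network-object host 10.0.2.24
 network-object host 10.0.2.25
access-list PhoneP2P_in extended permit ip object-group P2P_NETS object-group AVAYA_HOSTS
access-list PhoneP2P_in extended deny ip any any log
access-group PhoneP2P_in in interface PhoneP2P
!
! --- ASA routing: 10.1.1.0/24 via 10.1.2.1 is already in the posted config and
! 10.1.2.0/24 is directly connected on GigabitEthernet0/3, so nothing to add.
!
! --- Both 1800 routers must send 10.0.2.0/24 back toward the ASA on gige0/3;
! if the reply returns via the Internet path instead, the ASA has no matching
! connection for it and drops it. Assumed router lines (not in the post):
! Local 1800, Eth 0/1 = 10.1.2.1:
!   ip route 10.0.2.0 255.255.255.0 10.1.2.20
! Remote 1800, Serial 0/1 = 10.1.3.1:
!   ip route 10.0.2.0 255.255.255.0 10.1.3.2
!
! --- Verify on the ASA (10.1.1.10 is a made-up remote-side address):
! packet-tracer input inside tcp 10.0.2.24 1024 10.1.1.10 5060
! packet-tracer input PhoneP2P udp 10.1.1.10 5060 10.0.2.24 5060
! show route
```

packet-tracer shows which phase (ROUTE-LOOKUP, ACCESS-LIST, NAT) would drop the packet, which separates a routing problem from a NAT or access-list problem before any phone traffic is sent.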


ASKER CERTIFIED SOLUTION
chicka616