Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

Troubleshooting
Research
Professional Opinions
Ask a Question
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE

troubleshooting Question

Ensuring correct addition of NAT and Route statements

Avatar of djhath
djhathFlag for United States of America asked on
Cisco
1 Comment1 Solution838 ViewsLast Modified:
We are adding a VoIP phone system to our network.  We have an existing 192.168.1.1 LAN scope, and will be using 192.168.3.x for the phone system.

Routing will be done via a Layer-3 Enterasys switch, which will have a LAN IP of 192.168.1.2 (firewall is 192.168.1.1) and will serve as the new default gateway.  

I have to make a couple of modifications to the firewall (config attached) based on parameters required by the VoIP vendor, described as the following:

1. You will need to add a static IP route to the Cisco firewall: 192.168.3.0 255.255.255.0 via 192.168.1.2

Based on the syntax of the Route statement I currently see in my firewall, I believe the correct command will be:

route inside 192.168.3.0 255.255.255.0 192.168.1.2 1

...is this correct?

2. You will need to enable outbound Internet access from the 192.168.3.0 subnet (probably a NAT rule and possibly access rule).

I interpret the relevant nat statement (nat (Inside) 10 0.0.0.0 0.0.0.0) to mean that it's allowing everything internet access, though I could be wrong.  I think that, because the Inside_nat0_outbound 'access list' has a reference to the .5.x pool of IPs, which is served to VPN clients.  So, I didn't think that had relevance in this case.

Does the nat statement, as it exists, suffice for the 192.168.3.0 internet access requirement?


ASA Version 7.2(4) 
!
hostname ciscoasa
domain-name intranet.ceadvisors.com
enable password encrypted
passwd encrypted
names
name 64.18.0.0 Postini
name 216.148.212.0 RMON description All Covered RMON
name 192.168.1.13 CEADC1 description CEA Domain Controller
name 192.168.1.12 CEAEXCH1 description CEA Exchange Server
name 192.168.1.11 CEAVPN description Bigtime App Server
dns-guard
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address X.X.X.X 255.255.255.240 
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Ethernet0/2
 nameif Guest
 security-level 10
 ip address 192.168.10.1 255.255.255.0 
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 description Management Interface
 nameif management
 security-level 100
 ip address 192.168.0.1 255.255.255.0 
 management-only
!
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Inside
dns server-group DefaultDNS
 name-server CEAEXCH1
 name-server CEADC1
 domain-name intranet.ceadvisors.com
access-list Inside_nat0_outbound extended permit ip any 192.168.5.0 255.255.255.192 
access-list CEA_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0 
access-list outside-access-in extended permit tcp any host X.X.X.X eq www 
access-list outside-access-in extended permit tcp any host X.X.X.X eq https 
access-list outside-access-in extended permit tcp any host X.X.X.X eq www 
access-list outside-access-in extended permit tcp any host X.X.X.X eq https 
access-list outside-access-in extended permit icmp any any inactive 
access-list outside-access-in extended permit tcp RMON 255.255.255.0 host X.X.X.X eq smtp 
access-list outside-access-in extended permit tcp Postini 255.255.0.0 host X.X.X.X eq smtp 
access-list outside-access-in extended permit udp any any eq isakmp 
pager lines 24
logging enable
mtu Outside 1500
mtu Inside 1500
mtu Guest 1500
mtu management 1500
ip local pool CEA_VPN_Pool 192.168.5.10-192.168.5.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (Outside) 10 interface
global (Guest) 20 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 10 0.0.0.0 0.0.0.0
nat (Guest) 10 0.0.0.0 0.0.0.0
nat (management) 10 0.0.0.0 0.0.0.0
static (Inside,Outside) X.X.X.X CEAVPN netmask 255.255.255.255 
static (Inside,Outside) X.X.X.X CEAEXCH1 netmask 255.255.255.255 
static (Inside,Outside) X.X.X.X CEADC1 netmask 255.255.255.255 
access-group outside-access-in in interface Outside
route Outside 0.0.0.0 0.0.0.0 X.X.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server CEADC1 protocol radius
aaa-server CEADC1 (Inside) host CEADC1
 timeout 5
 key 
aaa-server CEAEXCH1 protocol radius
aaa-server CEAEXCH1 (Inside) host CEAEXCH1
 timeout 5
 key 
aaa authentication enable console LOCAL 
http server enable
http 10.10.10.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 Inside
http redirect Outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto isakmp identity address 
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 192.168.1.0 255.255.255.255 Inside
telnet 192.168.1.0 255.255.255.0 Inside
telnet timeout 5
console timeout 0
management-access management
dhcpd dns 4.2.2.1
!
webvpn
 enable Outside
 customization DfltCustomization
  title text Concentric Energy Advisors WebVPN
  logout-message text Your Session has been terminated.
  logo none
 url-list CEA_Servers "User Directories" cifs://ceafs1/userhome 1
 url-list CEA_Servers "Z: Drive" cifs://ceafs1/ceadata 2
 url-list CEA_Servers "Bigtime" http://bigtime.ceadvisors.com 3
 url-list CEA_Servers "Web Mail" https://mail.ceadvisors.com 4
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CEA_splitTunnelAcl
 default-domain value intranet.ceadvisors.com
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions http-proxy
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list value CEA_Servers
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy CEA internal
group-policy CEA attributes
 dns-server value 192.168.1.12 192.168.1.13
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CEA_splitTunnelAcl
 default-domain value intranet.ceadvisors.com
 webvpn
  functions file-access file-browsing
username password encrypted privilege 15
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 10 retry 2
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group CEAEXCH1
 default-group-policy CEA
 authorization-dn-attributes use-entire-name
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 nbns-server CEADC1 master timeout 2 retry 2
tunnel-group CEA type ipsec-ra
tunnel-group CEA general-attributes
 address-pool CEA_VPN_Pool
 authentication-server-group CEAEXCH1
 default-group-policy CEA
tunnel-group CEA ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 10 retry 2
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
smtp-server 192.168.1.12
prompt hostname context 
Cryptochecksum:106538e4e01dd91674055fb89f020f6c
: end
asdm image disk0:/asdm-524.bin
asdm location 192.168.5.0 255.255.255.192 Outside
no asdm history enable
ASKER CERTIFIED SOLUTION
Avatar of Nothing_Changed
Nothing_ChangedFlag of United States of America image

Our community of experts have been thoroughly vetted for their expertise and industry experience.

Commented:
This problem has been solved!
Unlock 1 Answer and 1 Comment.
See Answers