Solved

STATIC ROUTES NOT WORKING, ETC

Posted on 2008-10-12
Last Modified: 2010-04-21
I am trying to configure a Cisco ASA 5505 for a client. I am replacing a Netgear VPN firewall router. Here is the breakdown. I have a Cisco 1800 series router that handles two T-1 lines. The address of this router is 192.168.1.1. The T-1s connect to the following networks: T-1 (1) = 192.168.2.0, T-1 (2) = 192.168.3.0.
The Cisco ASA has an address of 192.168.1.2.

The problems:

1. When I enter my static IP address on the outside interface (75.14x.xx.53 255.255.255.252), the Internet does not work. I looked at the routing table, and for some reason the ASA wants to use 75.14x.xx.52 as its gateway to get out, which is not right. The gateway should be 75.14x.xx.54. So what I did to correct this for now is enter a static route from inside to outside, 0.0.0.0 0.0.0.0 to 75.14x.xx.54, metric 1, and the Internet is working.

2. I enter two more static routes, above the route listed above, for the T-1 router:
192.168.2.0 255.255.255.0 to 192.168.1.1, metric 2
192.168.3.0 255.255.255.0 to 192.168.1.1, metric 2
But when I try to ping those networks, the pings time out. They are not reachable. I can ping 192.168.1.1, however, so I know the ASA is not routing that traffic.

When I hook the Netgear back up, it works fine. I have Internet, I can ping the two other networks, and life is good. So what the heck am I missing here? I have done this many times on the PIX 501, but this is my first time using the ASA. It seems simple enough, but nothing is working right. Help!

hostname ciscoasa
domain-name default.domain.invalid
enable password loBtodYmsNR4kOrd encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.2 255.255.255.0 
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 75.14x.xx.53 255.255.255.252 
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list inside_access_in extended permit ip any 192.168.2.0 255.255.255.0 
access-list inside_access_in extended permit ip any 192.168.3.0 255.255.255.0 
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 75.146.69.54 1
route inside 192.168.2.0 255.255.255.0 192.168.1.1 2
route inside 192.168.3.0 255.255.255.0 192.168.1.1 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
client-update enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.3-192.168.1.254 inside
dhcpd enable inside
!
 
username proactivens password O2XbuQ6RADsPaA7Y encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:6d01df8bbe44b54c8711d833a1edf880
: end


Question by: PROACTIVENS
7 Comments
 

Expert Comment

by: JFrederick29
ID: 22697941
Your access-list is formatted incorrectly for outbound traffic. I would remove the access-list, though, as traffic is implicitly permitted inside to outside.

conf t
no access-group inside_access_in in interface inside

Everything else looks correct.
 

Author Comment

by: PROACTIVENS
ID: 22698018
Still not working. I added those entries to the ACL thinking the ASA was dropping the packets sent to those networks. I read somewhere that the ASA and PIX firewalls are notoriously bad at routing traffic in and out of the same interface. Is that the case? I have a hard time believing that a Netgear device does a better job than a device such as the ASA at routing traffic from 192.168.1.2 to 192.168.1.1.
 

Expert Comment

by: JFrederick29
ID: 22698247
Okay, so do you have Internet access from the 192.168.2.0 and 192.168.3.0 subnets, but only internal traffic routing is not working? If so, what is the default gateway for the 192.168.1.0/24 clients? The ASA or the router? If the ASA, change it to the router and make sure the router has a default route via the ASA (it should already).
 

Author Comment

by: PROACTIVENS
ID: 22698586
Maybe I didn't explain myself correctly. I have no connectivity to the 192.168.2.0 and 192.168.3.0 networks. The ASA is not routing the traffic to 192.168.1.1, which is a Cisco 1800 T1 router. I am connected to the .2 and .3 networks via T1.

I created 2 static routes to make the ASA (192.168.1.2) route any traffic to those networks through the Cisco 1800 (192.168.1.1)
route inside 192.168.2.0 255.255.255.0 192.168.1.1 2
route inside 192.168.3.0 255.255.255.0 192.168.1.1 2

Those routes are not working at all. I hook the cheap $100 Netgear VPN router back up and it works fine. The Netgear is also configured with two static route statements, same as above, and it is working.
 

Assisted Solution

by: JFrederick29
JFrederick29 earned 800 total points
ID: 22698621
The ASA config looks fine as long as you removed the inside access-list. How are you testing? Ping?

Add this to allow ICMP:

conf t
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
access-group outside_access_in in interface outside

After adding that can you ping your ISP's router (75.146.69.54)?

From a command prompt on one of the remote workstations, can you do this:

ping www.google.com
ping 72.14.205.104
telnet 72.14.205.104 80

What do you have configured on the clients for DNS servers?  For the remotes not using DHCP from the ASA, you need to specify your ISP's DNS servers (you can't use the ASA address like you could the Netgear)...

But again, unlike with the Netgear, you need to configure the 192.168.1.0/24 clients with a default gateway of the router (NOT the ASA).  The ASA will not allow traffic flow in this manner when connecting to the remote sites.
 

Accepted Solution

by: cstosgale
cstosgale earned 1200 total points
ID: 22698764
I have seen this problem before. The problem is that you are asking the ASA to route clients on the 192.168.1.x subnet back to a router on the same interface. What the ASA would need to do is send the client an ICMP redirect. However, the ASA is not a router, and won't do this, as mentioned in this solution:

http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_23253832.html

In an ideal topology, you would have a layer 3 switch acting as the router on your LAN with a default route to the ASA. The ASA then goes to this for all internal subnets. Of course no network is ideal!

However, you have a decent Cisco router here that may be able to help you out. All you should need to do is set the default gateway on the LAN to the IP of the 1800 series router and the default route of this router to be the ASA. This means that this router will route between your subnets and the ASA will only be contacted for Internet-facing traffic.

You will still need your static routes in as the ASA will need to know how to get back to the remote subnets.

As I expect changing the default gateway on your LAN is going to be a pain, you can simply add a secondary address on the 1800 series router of the current Netgear router and set up a new IP for the ASA. Then set the default route on the router to the new ASA IP.
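The accepted solution's second variant (router takes over the old gateway address, ASA is re-addressed), written out as configuration. This is an added example and is not part of the thread or of either poster's config. The 1800's LAN interface name (FastEthernet0/0) and the ASA's new inside address (192.168.1.254) are assumptions; 192.168.1.1, 192.168.1.2 and the T1 subnets come from the question, and 75.146.69.54 comes from the posted ASA config.

```cisco
! ---- Cisco 1800 (LAN router, 192.168.1.1) ----
! Interface name is an assumption; the 1800's config is not shown in the thread.
interface FastEthernet0/0
 description LAN 192.168.1.0/24 (T1 subnets 192.168.2.0/24 and 192.168.3.0/24 hang off this router)
 ip address 192.168.1.1 255.255.255.0
 ! Secondary address = the old Netgear/ASA inside address, so the clients'
 ! existing default gateway (192.168.1.2) now lands on the router, which can
 ! route to the T1 subnets itself and hand Internet-bound traffic to the ASA.
 ip address 192.168.1.2 255.255.255.0 secondary
!
! Default route points at the ASA's new inside address (assumed 192.168.1.254).
ip route 0.0.0.0 0.0.0.0 192.168.1.254

! ---- Cisco ASA 5505 ----
interface Vlan1
 nameif inside
 security-level 100
 ! Re-addressed: 192.168.1.2 is now the router's secondary address.
 ip address 192.168.1.254 255.255.255.0
!
! The static routes stay: the ASA still needs return paths to the T1 subnets
! (reply traffic for those hosts enters on outside and must leave via the 1800).
route outside 0.0.0.0 0.0.0.0 75.146.69.54 1
route inside 192.168.2.0 255.255.255.0 192.168.1.1 2
route inside 192.168.3.0 255.255.255.0 192.168.1.1 2
!
! Keep the DHCP pool clear of the ASA's new address, and hand out the router
! (DHCP option 3) as the default gateway so new leases also go router-first.
dhcpd address 192.168.1.3-192.168.1.253 inside
dhcpd option 3 ip 192.168.1.1
dhcpd enable inside
```

With this in place a 192.168.1.x client still sends everything to 192.168.1.2, but that address is now the 1800, which forwards T1-bound packets over the serial links and Internet-bound packets to the ASA at .254; the ASA's first-packet flow is inside-to-outside, so its connection table is built normally and the return traffic comes straight back to the client on the connected inside network. Because the 1800's next hop for Internet traffic (.254) sits on the same LAN the packet arrived from, IOS will by default send the client an ICMP redirect pointing it at the ASA directly for that destination; that is harmless here, and it is exactly the redirect cstosgale notes the ASA will not generate when the roles are reversed.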
 

Author Closing Comment

by: PROACTIVENS
ID: 31505442
Thanks for the advice. I had a feeling this was going to be the case. I was thinking about doing that, but the Cisco router was put in place by another company, and no one knows the password. So I am going to have to go through the password recovery steps to unlock the router. Which is fine, I just didn't want to do it if I didn't have to. Thanks for the feedback.