PROACTIVENS

asked on

STATIC ROUTES NOT WORKING, ETC.

I am trying to configure a Cisco ASA 5505 for a client. I am replacing a Netgear VPN firewall router. Here is the breakdown. I have a Cisco 1800 series router that handles 2 T-1 lines. The address of this router is 192.168.1.1. The T-1s connect to the following networks: T-1 (1) = 192.168.2.0, T-1 (2) = 192.168.3.0.
The Cisco ASA has an address of 192.168.1.2.

The problems:

1. I enter my static IP address on the outside interface (75.14x.xx.53 255.255.255.252) and the internet does not work. I looked at the routing table and for some reason the ASA wants to use 75.14x.xx.52 as its gateway to get out, which is not right. The gateway should be 75.14x.xx.54. So what I did to correct this for now is enter a static route from inside to outside, 0.0.0.0 0.0.0.0 to 75.14x.xx.54, metric 1, and the internet is working.

2. I enter two more static routes, above the route listed above, for the T-1 router:
192.168.2.0 255.255.255.0 to 192.168.1.1, metric 2
192.168.3.0 255.255.255.0 to 192.168.1.1, metric 2
But when I try to ping those networks, the pings time out. They are not reachable. I can ping 192.168.1.1, however, so I know the ASA is not routing that traffic.

When I hook the Netgear back up, it works fine. I have internet, I can ping the two other networks, and life is good. So what the heck am I missing here? I have done this many times on the PIX 501, but this is my first time using the ASA. Seems simple enough, but nothing is working right. Help!

hostname ciscoasa
domain-name default.domain.invalid
enable password loBtodYmsNR4kOrd encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.2 255.255.255.0 
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 75.14x.xx.53 255.255.255.252 
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list inside_access_in extended permit ip any 192.168.2.0 255.255.255.0 
access-list inside_access_in extended permit ip any 192.168.3.0 255.255.255.0 
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 75.146.69.54 1
route inside 192.168.2.0 255.255.255.0 192.168.1.1 2
route inside 192.168.3.0 255.255.255.0 192.168.1.1 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
client-update enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.3-192.168.1.254 inside
dhcpd enable inside
!
 
username proactivens password O2XbuQ6RADsPaA7Y encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:6d01df8bbe44b54c8711d833a1edf880
: end


JFrederick29

Your access-list is formatted incorrectly for outbound traffic. I would remove the access-list, though, as traffic is implicitly permitted inside to outside.

conf t
no access-group inside_access_in in interface inside

Everything else looks correct.
PROACTIVENS (ASKER)

Still not working. I added those entries to the ACL thinking the ASA was dropping the packets sent to those networks. I read somewhere that the ASA and PIX firewalls are notoriously bad at routing traffic in and out of the same interface. Is that the case? I have a hard time believing that a Netgear device does a better job than a device such as the ASA at routing traffic from 192.168.1.2 to 192.168.1.1.
JFrederick29

Okay, so do you have Internet access from the 192.168.2.0 and 192.168.3.0 subnets, but only internal traffic routing is not working? If so, what is the default gateway for the 192.168.1.0/24 clients? The ASA or the router? If the ASA, change it to the router and make sure the router has a default route via the ASA (should already).
PROACTIVENS (ASKER)

Maybe I didn't explain myself correctly. I have no connectivity to the 192.168.2.0 and 192.168.3.0 networks. The ASA is not routing the traffic to 192.168.1.1, which is a Cisco 1800 T1 router. I am connected to the .2 and .3 networks via T1.

I created 2 static routes to make the ASA (192.168.1.2) route any traffic to those networks through the Cisco 1800 (192.168.1.1)
route inside 192.168.2.0 255.255.255.0 192.168.1.1 2
route inside 192.168.3.0 255.255.255.0 192.168.1.1 2

Those routes are not working at all. I hook the cheap $100 Netgear VPN router back up and it works fine. The Netgear is also configured with 2 static route statements, same as above, and it is working.
SOLUTION (JFrederick29): not available on this page; members only.

ASKER CERTIFIED SOLUTION: not available on this page; members only.

PROACTIVENS (ASKER)

Thanks for the advice. I had a feeling this was going to be the case. I was thinking about doing that, but the Cisco router was put in place by another company, and no one knows the password. So I am going to have to go through the password recovery steps to unlock the router. Which is fine, I just didn't want to do it if I didn't have to. Thanks for the feedback.
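The routing decision the thread turns on, as an added example that is not the poster's configuration and not Cisco code: the script below loads the route statements and interface addresses exactly as posted in the config above, does a longest-prefix match the way any router does, and applies one real ASA rule (since ASA 7.0): a packet whose egress interface is the same interface it arrived on is dropped unless `same-security-traffic permit intra-interface` is configured. It then traces a LAN client's packet under the two designs discussed in the thread, the ASA as the clients' default gateway (the asker's setup) and the Cisco 1800 as the gateway with a default route to the ASA (JFrederick29's suggestion). The 1800's route table, the interface labels `t1-1`/`t1-2`/`lan`, and every function name are assumptions made for the example; the ASA exposes none of this as an API.

```python
"""Model of the ASA forwarding decision from this thread (added example)."""
import ipaddress

IPv4 = ipaddress.ip_address

# ASA interfaces as posted (Vlan1 inside, Vlan2 outside).
ASA_IFACES = {
    "inside": ipaddress.ip_interface("192.168.1.2/24"),
    "outside": ipaddress.ip_interface("75.146.69.53/30"),
}
# `route` statements as posted: (prefix, egress interface, next hop).
ASA_STATICS = [
    ("0.0.0.0/0", "outside", "75.146.69.54"),
    ("192.168.2.0/24", "inside", "192.168.1.1"),
    ("192.168.3.0/24", "inside", "192.168.1.1"),
]
# Assumed Cisco 1800 table: LAN connected, one T1 per remote site,
# default route to the ASA (the thread says it "should already" have one).
ROUTER_TABLE = [
    (ipaddress.ip_network("192.168.1.0/24"), "lan", None),
    (ipaddress.ip_network("192.168.2.0/24"), "t1-1", None),
    (ipaddress.ip_network("192.168.3.0/24"), "t1-2", None),
    (ipaddress.ip_network("0.0.0.0/0"), "lan", IPv4("192.168.1.2")),
]


def asa_table():
    """Connected routes derived from the interface addresses, plus the statics."""
    table = []
    for name, iface in ASA_IFACES.items():
        # A connected route is keyed by the network address: the outside /30
        # becomes 75.146.69.52/30.  That ".52" is what `show route` lists as
        # a connected route; the usable hosts of the /30 are .53 and .54.
        table.append((iface.network, name, None))
    for prefix, name, nh in ASA_STATICS:
        table.append((ipaddress.ip_network(prefix), name, IPv4(nh)))
    return table


def lpm(table, dst):
    """Longest-prefix match -> (interface, next hop), or None if no route."""
    dst = IPv4(dst)
    best = None
    for net, name, nh in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, name, nh)
    if best is None:
        return None
    return best[1], (best[2] if best[2] is not None else dst)


def asa_forward(ingress, dst, intra_interface=False):
    """ASA verdict for a packet arriving on `ingress` bound for `dst`."""
    hit = lpm(asa_table(), dst)
    if hit is None:
        return "drop", "no route"
    egress, nh = hit
    if egress == ingress and not intra_interface:
        return "drop", f"egress {egress} equals ingress; intra-interface traffic not permitted"
    return "forward", f"{egress} via {nh}"


def lan_client_path(dst, default_gw):
    """Trace a 192.168.1.0/24 client's packet when its gateway is `default_gw`."""
    dst, gw = IPv4(dst), IPv4(default_gw)
    hops = ["client"]
    if dst in ASA_IFACES["inside"].network:
        return hops + ["direct"], "delivered"
    if gw == IPv4("192.168.1.1"):                  # the 1800 is the gateway
        hops.append("router")
        iface, _ = lpm(ROUTER_TABLE, dst)
        if iface != "lan":                          # one of the T1 links
            return hops + [iface], "delivered"
        hops.append("asa inside")                   # router's default -> ASA
    elif gw == ASA_IFACES["inside"].ip:             # the ASA is the gateway
        hops.append("asa inside")
    else:
        return hops, "gateway not on LAN"
    verdict, why = asa_forward("inside", dst)
    hops.append(why)
    return hops, ("delivered" if verdict == "forward" else "dropped")


if __name__ == "__main__":
    for gw in ("192.168.1.2", "192.168.1.1"):
        for dst in ("192.168.2.10", "8.8.8.8"):
            print(f"gw={gw} dst={dst}:", lan_client_path(dst, gw))
```

With the ASA as the clients' gateway, a packet for 192.168.2.10 enters `inside`, matches the `route inside 192.168.2.0` static, and is dropped because it would leave on `inside` again; internet traffic still works because it exits `outside`. With the 1800 as the gateway, T1 traffic never touches the ASA and only internet traffic is handed to it, entering `inside` and leaving `outside`. Turning on `same-security-traffic permit intra-interface` would make `asa_forward` say "forward" instead, but it is the weaker design for a stateful firewall: the 1800 has 192.168.1.0/24 directly connected, so return traffic goes straight to the client and the ASA sees only one direction of every T1 connection.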