Solved

Help with new configuration of Cisco ASA 5510

Posted on 2008-10-14
Last Modified: 2010-04-09
Hi there,

Please could someone help me with this new configuration of this ASA 5510. It is set up as below:

    {Internal Router} --------> ASA5510 --------> VRF --------> ASA5520 --------> {External Router}
    with multiple IPs           ??????            (working)     (working)         (working)
    LAN IP: 172.21.160.1

The thing is that my Internal router has multiple branches terminating on it with about 18 different ranges. I can get the ASA 5510 to work with the Internal Router's default LAN IP range; however, to get to the other IP ranges, I just can't get it to work.

This is the current config:

interface Ethernet0/0
 description
 nameif inside
 security-level 100
 ip address 172.21.160.8 255.255.254.0
!
interface Ethernet0/1
 description
 nameif outside
 security-level 0
 ip address 172.18.246.99 255.255.255.248
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 7Ypa4.0G/CbNFQQb encrypted
ftp mode passive
access-list out-in extended permit tcp any host 172.21.160.7 eq 3389
access-list out-in extended permit tcp any any eq telnet
access-list out-in extended permit ip any any
pager lines 22222
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
static (inside,outside) 172.21.160.0 172.21.160.0 netmask 255.255.254.0
access-group out-in in interface outside
route outside 0.0.0.0 0.0.0.0 172.18.246.97 1
route outside 192.168.69.0 255.255.255.0 172.18.246.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 172.21.160.102 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 172.21.160.102 255.255.255.255 inside
telnet 172.21.160.71 255.255.255.255 inside
telnet timeout 60
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:7a762fb420dbb984de8a2618948d9de8
: end
WirelessLink(config)#


Please, if someone could help, because I am about to pull out my hair......
Question by: avineshp

Expert Comment

by: olivierbreuer
ID: 22718630
Hello,

I see in your config some routes to connect to the internet, but no routes to connect to the 18 different ranges using the IP address of the router as the gateway.

So, if you don't have routes, the firewall will send all requests to the default one, which is outside.

Please do the following:

route inside x.x.x.x y.y.y.y 172.21.160.1 1

Where x.x.x.x are the networks defined behind your router and y.y.y.y are the respective subnet masks.

If you are able to do a summarization of your networks, do it. Otherwise you will have to define 18 routes on your firewall to have everything working.

Regards,

Olivier

Author Comment

by: avineshp
ID: 22722372
Hi,

I have tried that and I still can't get it to work.

Regards,

Expert Comment

by: olivierbreuer
ID: 22722463
From your ASA 5510, are you able to access the networks behind the router using a ping command, for example? If not, the problem is a routing problem and static routes should resolve it...

After a successful ping from the ASA 5510 to the networks behind your routers, we can continue to troubleshoot your problem. But we first have to have this ping working!

For sure, without the static routes, the solution will not work!

Regards,

Olivier

Author Comment

by: avineshp
ID: 22722822
Hi,

Yes, I can ping it from the ASA, but from my PC (which is on the 172.21.160.xxx range) I can't even ping it or anything else.

Regards,

Author Comment

by: avineshp
ID: 22723228
Hi,

I just want to put up the current config, where I have routed 2 of the other networks, and where I tried pinging it from the ASA 5510:

!
interface Ethernet0/0
 description
 nameif inside
 security-level 100
 ip address 172.21.160.8 255.255.254.0
!
interface Ethernet0/1
 description
 nameif outside
 security-level 0
 ip address 172.18.246.99 255.255.255.248
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 7Ypa4.0G/CbNFQQb encrypted
ftp mode passive
access-list out-in extended permit tcp any host 172.21.160.7 eq 3389
access-list out-in extended permit tcp any host 172.21.160.102 eq echo
access-list out-in extended permit tcp any host 172.21.160.102 eq 3389
access-list out-in extended permit ip any host 172.21.160.102
pager lines 22222
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
static (inside,outside) 172.21.160.0 172.21.160.0 netmask 255.255.254.0
access-group out-in in interface outside
route inside 192.168.122.0 255.255.255.0 172.21.160.1 1
route inside 172.18.128.0 255.255.254.0 172.21.160.1 1
route outside 0.0.0.0 0.0.0.0 172.18.246.97 1
route outside 192.168.69.0 255.255.255.0 172.18.246.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 172.21.160.102 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 172.21.160.102 255.255.255.255 inside
telnet 172.21.160.71 255.255.255.255 inside
telnet timeout 60
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:7581acc5bfb2da5a9c27fe25ca6c7d21
: end
PING:
WirelessLink(config)# ping 172.18.129.20
Sending 5, 100-byte ICMP Echos to 172.18.129.20, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/10 ms
WirelessLink(config)#

So it works from the ASA but not from the PC on the inside IP range (172.21.160.xxx).

Regards,
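As an added example (not part of this thread and not the poster's own code), a small Python script that reads the route and static lines of the second config above and applies the longest-prefix lookup olivierbreuer describes: it shows where the ASA sends 172.18.129.20 with and without the `route inside` entries, whether the identity static covers a given source, and flags a flow that would enter and leave on the same interface, which the ASA drops unless `same-security-traffic permit intra-interface` is configured. The two interface networks are derived by hand from the `ip address` lines; the destination 192.0.2.10 is a constructed test value.

```python
import ipaddress
import re
# Constructed excerpt of the second config in this thread: the interface
# networks (from its "ip address" lines) plus its route and static lines.
CONNECTED = {"inside": "172.21.160.0/255.255.254.0", "outside": "172.18.246.96/255.255.255.248"}
ASA_CONFIG = """
static (inside,outside) 172.21.160.0 172.21.160.0 netmask 255.255.254.0
route inside 192.168.122.0 255.255.255.0 172.21.160.1 1
route inside 172.18.128.0 255.255.254.0 172.21.160.1 1
route outside 0.0.0.0 0.0.0.0 172.18.246.97 1
route outside 192.168.69.0 255.255.255.0 172.18.246.97 1
"""
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+) \d+$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)$")
HAIRPIN_OK = "same-security-traffic permit intra-interface"

def routing_table(config):
    """Connected networks plus every 'route' line, as (iface, network, gateway)."""
    table = [(i, ipaddress.ip_network(n), "connected") for i, n in CONNECTED.items()]
    for m in filter(None, map(ROUTE_RE.match, config.splitlines())):
        iface, net, mask, gw = m.groups()
        table.append((iface, ipaddress.ip_network(f"{net}/{mask}"), gw))
    return table

def lookup(table, ip):
    """Longest-prefix match, as the ASA does: the most specific route wins."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in table if addr in r[1]]
    return max(hits, key=lambda r: r[1].prefixlen) if hits else None

def identity_nat_covers(config, ip):
    """True if a 'static (a,b) X X netmask M' identity entry includes ip."""
    addr = ipaddress.ip_address(ip)
    for m in filter(None, map(STATIC_RE.match, config.splitlines())):
        if m.group(3) == m.group(4) and addr in ipaddress.ip_network(f"{m.group(3)}/{m.group(5)}"):
            return True
    return False

def check_flow(config, src, dst):
    """Route src->dst as the ASA would; same-interface in/out is dropped unless HAIRPIN_OK is set."""
    table = routing_table(config)
    ingress, egress = lookup(table, src), lookup(table, dst)
    same_if = bool(ingress and egress and ingress[0] == egress[0])
    return {
        "ingress": ingress[0] if ingress else None,
        "egress": egress[0] if egress else None,
        "gateway": egress[2] if egress else None,
        "hairpin_blocked": same_if and HAIRPIN_OK not in config,
        "nat_covered": identity_nat_covers(config, src),
    }
```

Run `check_flow(ASA_CONFIG, "172.21.160.102", "172.18.129.20")` to see the PC-to-branch flow resolve to inside on both sides, which is the case the hairpin flag is there to catch.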

Accepted Solution

by: avineshp (earned 0 total points)
ID: 23053862
I managed to sort it out. I just bought a new Cisco router.... now it works.