avineshp asked:

Help with new configuration of Cisco ASA 5510

Hi there,

Please could someone help me with this new configuration of this ASA 5510? It is set up as below:

{Internal Router} --------> ASA5510 ----------> VRF ----------> ASA5520 ---------> {External Router}
with multiple IPs           ??????              (working)       (working)          (working)
LAN IP: 172.21.160.1

The thing is that my internal router has multiple branches terminating on it with about 18 different ranges. I can get the ASA 5510 to work with the internal router's default LAN IP range; however, to get to the other IP ranges, I just can't get it to work.

This is the current config

interface Ethernet0/0
 description
 nameif inside
 security-level 100
 ip address 172.21.160.8 255.255.254.0
!
interface Ethernet0/1
 description
 nameif outside
 security-level 0
 ip address 172.18.246.99 255.255.255.248
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 7Ypa4.0G/CbNFQQb encrypted
ftp mode passive
access-list out-in extended permit tcp any host 172.21.160.7 eq 3389
access-list out-in extended permit tcp any any eq telnet
access-list out-in extended permit ip any any
pager lines 22222
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
static (inside,outside) 172.21.160.0 172.21.160.0 netmask 255.255.254.0
access-group out-in in interface outside
route outside 0.0.0.0 0.0.0.0 172.18.246.97 1
route outside 192.168.69.0 255.255.255.0 172.18.246.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 172.21.160.102 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 172.21.160.102 255.255.255.255 inside
telnet 172.21.160.71 255.255.255.255 inside
telnet timeout 60
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:7a762fb420dbb984de8a2618948d9de8
: end
WirelessLink(config)#


Please, if someone could help, because I am about to pull out my hair...
olivierbreuer

Hello,

I see in your config some routes to connect to the internet, but no routes to connect to the 18 different ranges using the IP address of the router as the gateway.

So, if you don't have routes, the firewall will send all requests to the default one, which is outside.

Please do the following:

route inside x.x.x.x y.y.y.y 172.21.160.1 1

Where x.x.x.x are the networks defined behind your router
y.y.y.y are the respective subnet masks.

If you are able to do a summarization of your networks, do it. Otherwise you will have to define 18 routes on your firewall to have everything working.

Regards,

Olivier
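
The check Olivier describes, as an added example that is not part of the original thread: it reads the `route` lines from the posted config, finds branch ranges that would fall through to the default route on `outside`, and prints summarized `route inside` commands. The last two branch ranges are constructed for illustration, and the function names are hypothetical.

```python
import ipaddress

ROUTER = "172.21.160.1"  # internal router LAN IP, from the question
INSIDE = ipaddress.ip_network("172.21.160.0/23")  # ASA's connected inside subnet

# 'route' lines from the first posted config (no inside routes yet).
CONFIG = """\
route outside 0.0.0.0 0.0.0.0 172.18.246.97 1
route outside 192.168.69.0 255.255.255.0 172.18.246.97 1
"""

# Two ranges named later in the thread plus two constructed ones (assumptions).
BRANCHES = ["192.168.122.0/24", "172.18.128.0/23",
            "192.168.123.0/24", "10.50.0.0/24"]  # last two are constructed


def parse_routes(config):
    """Return (interface, network) for every 'route <if> <net> <mask> <gw>' line."""
    routes = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "route":
            routes.append((parts[1], ipaddress.ip_network(f"{parts[2]}/{parts[3]}")))
    return routes


def egress(routes, net):
    """Interface chosen by longest-prefix match, as the firewall would pick it."""
    if net.subnet_of(INSIDE):
        return "inside"
    hits = [(n.prefixlen, ifname) for ifname, n in routes if net.subnet_of(n)]
    return max(hits)[1] if hits else None


def missing_inside_routes(config, branches):
    """Route commands for branch ranges that would not leave via 'inside'."""
    routes = parse_routes(config)
    nets = [ipaddress.ip_network(b) for b in branches]
    stray = [n for n in nets if egress(routes, n) != "inside"]
    # collapse_addresses merges only exactly adjacent ranges, so the summary
    # never covers address space that is not behind the router.
    return [f"route inside {n.network_address} {n.netmask} {ROUTER} 1"
            for n in ipaddress.collapse_addresses(stray)]


if __name__ == "__main__":
    print("\n".join(missing_inside_routes(CONFIG, BRANCHES)))
```
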
avineshp

ASKER

Hi,

I have tried that and I still can't get it to work.

Regards,
From your ASA 5510, are you able to access the networks behind the router using a ping command, for example? If not, the problem is a routing problem and static routes should resolve it...

After a successful ping from the ASA 5510 to the networks behind your routers, we can continue to troubleshoot your problem. But we first have to have this ping working!

For sure, without the static routes, the solution will not work!

regards,

Olivier
Hi,

Yes, I can ping it from the ASA, but from my PC (which is on the 172.21.160.xxx range) I can't even ping it or anything else.

Regards,
Hi,

I just want to put up the current config, where I have routed 2 of the other networks, and where I tried pinging it from the ASA 5510.

!
interface Ethernet0/0
 description
 nameif inside
 security-level 100
 ip address 172.21.160.8 255.255.254.0
!
interface Ethernet0/1
 description
 nameif outside
 security-level 0
 ip address 172.18.246.99 255.255.255.248
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 7Ypa4.0G/CbNFQQb encrypted
ftp mode passive
access-list out-in extended permit tcp any host 172.21.160.7 eq 3389
access-list out-in extended permit tcp any host 172.21.160.102 eq echo
access-list out-in extended permit tcp any host 172.21.160.102 eq 3389
access-list out-in extended permit ip any host 172.21.160.102
pager lines 22222
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
static (inside,outside) 172.21.160.0 172.21.160.0 netmask 255.255.254.0
access-group out-in in interface outside
route inside 192.168.122.0 255.255.255.0 172.21.160.1 1
route inside 172.18.128.0 255.255.254.0 172.21.160.1 1
route outside 0.0.0.0 0.0.0.0 172.18.246.97 1
route outside 192.168.69.0 255.255.255.0 172.18.246.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 172.21.160.102 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 172.21.160.102 255.255.255.255 inside
telnet 172.21.160.71 255.255.255.255 inside
telnet timeout 60
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:7581acc5bfb2da5a9c27fe25ca6c7d21
: end




PING:
WirelessLink(config)# ping 172.18.129.20
Sending 5, 100-byte ICMP Echos to 172.18.129.20, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/10 ms
WirelessLink(config)#

So it works from the ASA but not from the PC on the inside IP range (172.21.160.xxx).

Regards,