Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 383
  • Last Modified:

Help with new configuration of Cisco ASA 5510

Hi there,

Please could someone help me with this new configuration of this ASA 5510,
it is setup as below:

           {Internal Router}--------> ASA5510 ---------->VRF ---------->ASA5520 --------->{External Router}
           with multiple IP's               ??????               (working)           (working)                   (working)
           LAN IP:                          
          172.21.160.1                    
the thing is that my Internal router has multiple branches terminating on it with about 18 different ranges, I can get the ASA 5510 to work with the Internal Router's default lan ip range, however to get to the other ip ranges, I just cant get to to work.

This is the current config

interface Ethernet0/0
 description
 nameif inside
 security-level 100
 ip address 172.21.160.8 255.255.254.0
!
interface Ethernet0/1
 description
 nameif outside
 security-level 0
 ip address 172.18.246.99 255.255.255.248
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 7Ypa4.0G/CbNFQQb encrypted
ftp mode passive
access-list out-in extended permit tcp any host 172.21.160.7 eq 3389
access-list out-in extended permit tcp any any eq telnet
access-list out-in extended permit ip any any
pager lines 22222
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
static (inside,outside) 172.21.160.0 172.21.160.0 netmask 255.255.254.0
access-group out-in in interface outside
route outside 0.0.0.0 0.0.0.0 172.18.246.97 1
route outside 192.168.69.0 255.255.255.0 172.18.246.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 172.21.160.102 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 172.21.160.102 255.255.255.255 inside
telnet 172.21.160.71 255.255.255.255 inside
telnet timeout 60
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:7a762fb420dbb984de8a2618948d9de8
: end
WirelessLink(config)#


Please if someone could help because I am about to put out my hair......
0
avineshp
Asked:
avineshp
  • 4
  • 2
1 Solution
 
olivierbreuerCommented:
Hello,

I see in your config some routes to connect to internet, but no routes to connect to the 18 different ranges using the ip address of the router as the gateway.

So, If you don't have routes, the firewall will send all requests to the default one witch is outside.

Please do the following :

route inside x.x.x.x y.y.y.y 172.21.160.1 1

Where x.x.x.x are the networks defined behind your router
y.y.y.y are the respective subnet masks.

If you are able to do a summarization of your networks, do it.Otherwise you will have to define 18 routes on your firewall to have everything working .

Regards,

Olivier
0
 
avineshpAuthor Commented:
Hi,

I have tried that and I still can't get it to work.

Regards,
0
 
olivierbreuerCommented:
From your asa 5510, are you  able to access the networks behind the router using a ping command for example ? If not, the problem is a routing problem and static routes should resolve it...

After a successfull ping from the asa 5510 to the networks behind your routers, we can continue to troubleshoot your problem. But we have first to have this ping working !

For sure, without the static routes, the solution will not work !

regards,

Olivier
0
Prepare for an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program curriculum features two internationally recognized certifications from the EC-Council at no additional time or cost.

 
avineshpAuthor Commented:
Hi,

Yes I can ping it from the asa but from my pc (which is on the 172.21.160.xxx range) i can't even ping it or anything else.

Regards,
0
 
avineshpAuthor Commented:
Hi,

just want to put up the current config, where i have routed 2 of the other networks and where i tried pinging it from asa5510

!
interface Ethernet0/0
 description
 nameif inside
 security-level 100
 ip address 172.21.160.8 255.255.254.0
!
interface Ethernet0/1
 description
 nameif outside
 security-level 0
 ip address 172.18.246.99 255.255.255.248
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 7Ypa4.0G/CbNFQQb encrypted
ftp mode passive
access-list out-in extended permit tcp any host 172.21.160.7 eq 3389
access-list out-in extended permit tcp any host 172.21.160.102 eq echo
access-list out-in extended permit tcp any host 172.21.160.102 eq 3389
access-list out-in extended permit ip any host 172.21.160.102
pager lines 22222
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
static (inside,outside) 172.21.160.0 172.21.160.0 netmask 255.255.254.0
access-group out-in in interface outside
route inside 192.168.122.0 255.255.255.0 172.21.160.1 1
route inside 172.18.128.0 255.255.254.0 172.21.160.1 1
route outside 0.0.0.0 0.0.0.0 172.18.246.97 1
route outside 192.168.69.0 255.255.255.0 172.18.246.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 172.21.160.102 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 172.21.160.102 255.255.255.255 inside
telnet 172.21.160.71 255.255.255.255 inside
telnet timeout 60
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:7581acc5bfb2da5a9c27fe25ca6c7d21
: end




PING:
WirelessLink(config)# ping 172.18.129.20
Sending 5, 100-byte ICMP Echos to 172.18.129.20, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/10 ms
WirelessLink(config)#

so it works from the asa but not from the pc on the inside ip range (172.21.160.xxx)

Regards,
0
 
avineshpAuthor Commented:
I managed to sort it out, I just bought a new cisco router.... now it works
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

  • 4
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now