Solved

Help with new configuration of Cisco ASA 5510

Posted on 2008-10-14
Last Modified: 2010-04-09
Hi there,

Please could someone help me with this new configuration of this ASA 5510?
It is set up as below:

{Internal Router} --------> ASA5510 --------> VRF --------> ASA5520 --------> {External Router}
 with multiple IPs           ??????         (working)     (working)           (working)
 LAN IP: 172.21.160.1
The thing is that my internal router has multiple branches terminating on it, with about 18 different ranges. I can get the ASA 5510 to work with the internal router's default LAN IP range; however, to get to the other IP ranges, I just can't get it to work.

This is the current config

interface Ethernet0/0
 description
 nameif inside
 security-level 100
 ip address 172.21.160.8 255.255.254.0
!
interface Ethernet0/1
 description
 nameif outside
 security-level 0
 ip address 172.18.246.99 255.255.255.248
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 7Ypa4.0G/CbNFQQb encrypted
ftp mode passive
access-list out-in extended permit tcp any host 172.21.160.7 eq 3389
access-list out-in extended permit tcp any any eq telnet
access-list out-in extended permit ip any any
pager lines 22222
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
static (inside,outside) 172.21.160.0 172.21.160.0 netmask 255.255.254.0
access-group out-in in interface outside
route outside 0.0.0.0 0.0.0.0 172.18.246.97 1
route outside 192.168.69.0 255.255.255.0 172.18.246.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 172.21.160.102 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 172.21.160.102 255.255.255.255 inside
telnet 172.21.160.71 255.255.255.255 inside
telnet timeout 60
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:7a762fb420dbb984de8a2618948d9de8
: end
WirelessLink(config)#


Please, if someone could help, because I am about to pull out my hair......
Question by:avineshp
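Before the routing question itself, a check on what the posted configuration lets in from the outside interface. This is an added example, not code from the thread or from Cisco: a small Python audit over the access-list, static, access-group and management-access lines quoted above, with a hypothetical hardened variant beside it for comparison. The config excerpt is copied from the post; the hardened variant, the finding codes and the parser are my own assumptions.

```python
import ipaddress
import re

# Excerpt of the configuration posted above, copied verbatim; lines the audit
# does not look at are left out.
ASA_CONFIG = """\
interface Ethernet0/0
 nameif inside
 security-level 100
interface Ethernet0/1
 nameif outside
 security-level 0
passwd 7Ypa4.0G/CbNFQQb encrypted
access-list out-in extended permit tcp any host 172.21.160.7 eq 3389
access-list out-in extended permit tcp any any eq telnet
access-list out-in extended permit ip any any
static (inside,outside) 172.21.160.0 172.21.160.0 netmask 255.255.254.0
access-group out-in in interface outside
http 172.21.160.102 255.255.255.255 inside
telnet 172.21.160.102 255.255.255.255 inside
telnet 172.21.160.71 255.255.255.255 inside
ssh timeout 5
"""

# Hypothetical hardened counterpart (not from the thread): only the RDP host is
# reachable from outside, the Telnet permit is gone, management is SSH-only.
HARDENED_CONFIG = """\
interface Ethernet0/1
 nameif outside
 security-level 0
access-list out-in extended permit tcp any host 172.21.160.7 eq 3389
access-list out-in extended deny ip any any
static (inside,outside) 172.21.160.7 172.21.160.7 netmask 255.255.255.255
access-group out-in in interface outside
ssh 172.21.160.102 255.255.255.255 inside
"""

# access-list NAME extended permit|deny PROTO SRC DST [eq PORT]; SRC/DST are
# 'any', 'host A.B.C.D' or 'A.B.C.D MASK'.
ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any|host \S+|\S+ \S+) (?P<dst>any|host \S+|\S+ \S+)(?: eq (?P<port>\S+))?$"
)
# static (real_if,mapped_if) MAPPED REAL netmask MASK
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\S+),(?P<mapped_if>\S+)\) (?P<mapped>\S+) (?P<real>\S+) netmask (?P<mask>\S+)"
)


def parse_config(text):
    """Collect the pieces of an ASA config that decide what the outside interface admits."""
    aces, bindings, seclevels, statics, mgmt, secrets = [], {}, {}, [], [], []
    current_if = None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "nameif":
            current_if = parts[1]
        elif parts[0] == "security-level" and current_if:
            seclevels[current_if] = int(parts[1])
        elif parts[0] == "access-list" and (m := ACE_RE.match(raw.strip())):
            aces.append(m.groupdict())
        elif parts[0] == "access-group":          # access-group ACL in|out interface IFACE
            bindings[parts[4]] = (parts[1], parts[2])
        elif parts[0] == "static" and (m := STATIC_RE.match(raw.strip())):
            statics.append(m.groupdict())
        elif parts[0] in ("telnet", "ssh", "http") and len(parts) == 4:
            mgmt.append(parts)                     # PROTO HOST MASK IFACE
        elif parts[0] in ("passwd", "enable") and "encrypted" in parts:
            secrets.append(raw.strip())
    return aces, bindings, seclevels, statics, mgmt, secrets


def audit(text):
    """Return (code, message) findings; codes are fixed strings so they can be counted."""
    aces, bindings, seclevels, statics, mgmt, secrets = parse_config(text)
    out = []
    for iface, (acl, direction) in bindings.items():
        if direction != "in" or seclevels.get(iface, 100) != 0:
            continue                               # only inbound on the level-0 interface
        entries = [a for a in aces if a["name"] == acl]
        for idx, a in enumerate(entries):
            if a["action"] != "permit":
                continue
            if a["proto"] == "ip" and a["src"] == "any" and a["dst"] == "any":
                out.append(("any-any", f"{acl} on {iface}: 'permit ip any any' admits every "
                            f"inbound packet; the {idx} entries before it are redundant"))
            elif a["port"] in ("telnet", "23"):
                out.append(("cleartext-telnet", f"{acl} on {iface}: Telnet from {a['src']} to {a['dst']}"))
    for s in statics:
        if s["mapped"] == s["real"]:               # identity NAT: real addresses visible outside
            net = ipaddress.ip_network(f"{s['real']}/{s['mask']}", strict=False)
            out.append(("identity-nat", f"{net} reachable from {s['mapped_if']} under its real addresses"))
    for proto, host, mask, iface in mgmt:
        if proto == "telnet":
            out.append(("telnet-mgmt", f"cleartext management login from {host} {mask} on {iface}"))
    if not any(m[0] == "ssh" for m in mgmt):
        out.append(("no-ssh", "no 'ssh HOST MASK IFACE' line: SSH management is not enabled"))
    for s in secrets:
        out.append(("posted-secret", f"credential hash in the pasted config, rotate it: {s}"))
    return out
```

On the posted config the identity NAT for 172.21.160.0/23 combined with `permit ip any any` inbound on `outside` means every inside host is reachable from the outside on every port, so the two more specific entries above it change nothing; the later paste narrows the ACL to one host but `permit ip any host 172.21.160.102` still opens that host completely, and its `permit tcp ... eq echo` entry matches TCP port 7, not ICMP echo. The `http` lines are not flagged because ASDM access on the ASA is over HTTPS; the `passwd` hash was posted publicly and should be treated as compromised.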
6 Comments
 
Expert Comment

by:olivierbreuer
ID: 22718630
Hello,

I see in your config some routes to connect to internet, but no routes to connect to the 18 different ranges using the ip address of the router as the gateway.

So, if you don't have routes, the firewall will send all requests to the default one, which is outside.

Please do the following :

route inside x.x.x.x y.y.y.y 172.21.160.1 1

Where x.x.x.x are the networks defined behind your router
y.y.y.y are the respective subnet masks.

If you are able to do a summarization of your networks, do it. Otherwise you will have to define 18 routes on your firewall to have everything working.

Regards,

Olivier
Author Comment

by:avineshp
ID: 22722372
Hi,

I have tried that and I still can't get it to work.

Regards,
Expert Comment

by:olivierbreuer
ID: 22722463
From your ASA 5510, are you able to access the networks behind the router using a ping command, for example? If not, the problem is a routing problem and static routes should resolve it...

After a successful ping from the ASA 5510 to the networks behind your routers, we can continue to troubleshoot your problem. But we first have to have this ping working!

For sure, without the static routes, the solution will not work!

regards,

Olivier
Author Comment

by:avineshp
ID: 22722822
Hi,

Yes, I can ping it from the ASA, but from my PC (which is on the 172.21.160.xxx range) I can't even ping it or anything else.

Regards,
Author Comment

by:avineshp
ID: 22723228
Hi,

Just want to put up the current config, where I have routed 2 of the other networks and where I tried pinging it from the ASA 5510.

!
interface Ethernet0/0
 description
 nameif inside
 security-level 100
 ip address 172.21.160.8 255.255.254.0
!
interface Ethernet0/1
 description
 nameif outside
 security-level 0
 ip address 172.18.246.99 255.255.255.248
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 7Ypa4.0G/CbNFQQb encrypted
ftp mode passive
access-list out-in extended permit tcp any host 172.21.160.7 eq 3389
access-list out-in extended permit tcp any host 172.21.160.102 eq echo
access-list out-in extended permit tcp any host 172.21.160.102 eq 3389
access-list out-in extended permit ip any host 172.21.160.102
pager lines 22222
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
static (inside,outside) 172.21.160.0 172.21.160.0 netmask 255.255.254.0
access-group out-in in interface outside
route inside 192.168.122.0 255.255.255.0 172.21.160.1 1
route inside 172.18.128.0 255.255.254.0 172.21.160.1 1
route outside 0.0.0.0 0.0.0.0 172.18.246.97 1
route outside 192.168.69.0 255.255.255.0 172.18.246.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 172.21.160.102 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 172.21.160.102 255.255.255.255 inside
telnet 172.21.160.71 255.255.255.255 inside
telnet timeout 60
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:7581acc5bfb2da5a9c27fe25ca6c7d21
: end

PING:
WirelessLink(config)# ping 172.18.129.20
Sending 5, 100-byte ICMP Echos to 172.18.129.20, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/10 ms
WirelessLink(config)#

So it works from the ASA but not from the PC on the inside IP range (172.21.160.xxx).

Regards,
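Olivier's advice earlier in the thread (summarize where you can, otherwise one `route inside` per branch) and the observation just above (ping works from the ASA, not from a PC behind it) both come down to the same check, written up here as an added example in Python; it is not code from the thread or from Cisco. The gateway, the inside subnet, the two branch prefixes and the `route` lines are taken from the posted configs; the other branch prefixes are constructed stand-ins, since the thread never lists the 18 ranges, and the last two are deliberately bad entries to show what gets rejected.

```python
import ipaddress

# Constructed input: the first two prefixes are from the author's second config,
# the 10.x prefixes are hypothetical branch ranges, the last two are bad on purpose.
BRANCH_NETWORKS = [
    "192.168.122.0/24",
    "172.18.128.0/23",
    "10.10.0.0/24", "10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24",
    "10.10.4.0/24", "10.10.5.0/24",
    "10.20.8.0/24",
    "172.21.161.0/24",   # lies inside the ASA's own inside subnet: connected, not routed
    "192.168.69.0/24",   # already has a 'route outside' in the posted config
]

# Facts from the posted configs.
INSIDE_GATEWAY = "172.21.160.1"              # internal router, LAN side
INSIDE_CONNECTED = ["172.21.160.0/23"]       # ip address 172.21.160.8 255.255.254.0
OUTSIDE_ROUTES = ["0.0.0.0/0", "192.168.69.0/24"]
EXISTING_ROUTE_LINES = """\
route inside 192.168.122.0 255.255.255.0 172.21.160.1 1
route inside 172.18.128.0 255.255.254.0 172.21.160.1 1
route outside 0.0.0.0 0.0.0.0 172.18.246.97 1
route outside 192.168.69.0 255.255.255.0 172.18.246.97 1
"""


def plan_inside_routes(branches, gateway, connected, outside_routes):
    """Summarize the branch prefixes exactly and emit 'route inside' lines.

    collapse_addresses only merges blocks that together form one aligned larger
    block, so no summary ever claims space the router does not own. Prefixes that
    overlap a connected subnet or an explicit 'route outside' are reported, not routed.
    """
    connected = [ipaddress.ip_network(c) for c in connected]
    explicit_outside = [ipaddress.ip_network(o) for o in outside_routes
                        if ipaddress.ip_network(o).prefixlen > 0]   # default route is no conflict
    keep, skipped = [], []
    for b in branches:
        net = ipaddress.ip_network(b, strict=False)
        if any(net.overlaps(c) for c in connected):
            skipped.append((str(net), "overlaps the ASA's directly connected inside subnet"))
        elif any(net.overlaps(o) for o in explicit_outside):
            skipped.append((str(net), "overlaps an explicit 'route outside'; decide which side owns it"))
        else:
            keep.append(net)
    lines = [f"route inside {n.network_address} {n.netmask} {gateway} 1"
             for n in ipaddress.collapse_addresses(keep)]
    return lines, skipped


def _route_prefix(line):
    # route IFACE ADDR MASK GATEWAY [METRIC]  ->  (IFACE, network)
    _, iface, addr, mask, *_ = line.split()
    return iface, ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def missing_routes(planned_lines, existing_config):
    """Planned route lines whose prefix is not yet routed on the same interface."""
    have = {_route_prefix(l) for l in existing_config.splitlines() if l.startswith("route ")}
    return [l for l in planned_lines if _route_prefix(l) not in have]


if __name__ == "__main__":
    planned, rejected = plan_inside_routes(BRANCH_NETWORKS, INSIDE_GATEWAY,
                                           INSIDE_CONNECTED, OUTSIDE_ROUTES)
    for line in missing_routes(planned, EXISTING_ROUTE_LINES):
        print(line)
    for prefix, why in rejected:
        print(f"! skipped {prefix}: {why}")
```

A ping sourced from the ASA only proves the ASA-to-router hop, because the ASA uses its own inside address and never crosses an interface. A host's packet through the ASA additionally has to pass NAT, the ACLs and the same-interface rule: on ASA 7.x, traffic that arrives on `inside` and is routed back out `inside` is dropped unless `same-security-traffic permit intra-interface` is configured, and the posted config does not contain that line. Whether the PCs use the ASA (172.21.160.8) or the router (172.21.160.1) as their default gateway is not stated in the thread, so that is something to verify rather than a diagnosis.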
Accepted Solution

by:
avineshp earned 0 total points
ID: 23053862
I managed to sort it out; I just bought a new Cisco router.... now it works.