Solved

Help with new configuration of Cisco ASA 5510

Posted on 2008-10-14
Last Modified: 2010-04-09
Hi there,

Please could someone help me with the new configuration of this ASA 5510? It is set up as below:

           {Internal Router} --------> ASA5510 --------> VRF --------> ASA5520 --------> {External Router}
           with multiple IPs           ??????            (working)     (working)         (working)
           LAN IP: 172.21.160.1
The thing is that my internal router has multiple branches terminating on it, with about 18 different ranges. I can get the ASA 5510 to work with the internal router's default LAN IP range; however, to get to the other IP ranges, I just can't get it to work.

This is the current config

interface Ethernet0/0
 description
 nameif inside
 security-level 100
 ip address 172.21.160.8 255.255.254.0
!
interface Ethernet0/1
 description
 nameif outside
 security-level 0
 ip address 172.18.246.99 255.255.255.248
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 7Ypa4.0G/CbNFQQb encrypted
ftp mode passive
access-list out-in extended permit tcp any host 172.21.160.7 eq 3389
access-list out-in extended permit tcp any any eq telnet
access-list out-in extended permit ip any any
pager lines 22222
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
static (inside,outside) 172.21.160.0 172.21.160.0 netmask 255.255.254.0
access-group out-in in interface outside
route outside 0.0.0.0 0.0.0.0 172.18.246.97 1
route outside 192.168.69.0 255.255.255.0 172.18.246.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 172.21.160.102 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 172.21.160.102 255.255.255.255 inside
telnet 172.21.160.71 255.255.255.255 inside
telnet timeout 60
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:7a762fb420dbb984de8a2618948d9de8
: end
WirelessLink(config)#


Please, if someone could help, because I am about to pull out my hair......
Question by:avineshp
Expert Comment by: olivierbreuer (ID: 22718630)
Hello,

I see in your config some routes to connect to internet, but no routes to connect to the 18 different ranges using the ip address of the router as the gateway.

So, if you don't have routes, the firewall will send all requests to the default one, which is outside.

Please do the following :

route inside x.x.x.x y.y.y.y 172.21.160.1 1

Where x.x.x.x are the networks defined behind your router
y.y.y.y are the respective subnet masks.

If you are able to do a summarization of your networks, do it. Otherwise you will have to define 18 routes on your firewall to have everything working.

Regards,

Olivier
Author Comment by: avineshp (ID: 22722372)
Hi,

I have tried that and I still can't get it to work.

Regards,
Expert Comment by: olivierbreuer (ID: 22722463)
From your ASA 5510, are you able to access the networks behind the router, using a ping command for example? If not, the problem is a routing problem and static routes should resolve it...

After a successful ping from the ASA 5510 to the networks behind your routers, we can continue to troubleshoot your problem. But we have first to have this ping working!

For sure, without the static routes, the solution will not work!

Regards,

Olivier
Author Comment by: avineshp (ID: 22722822)
Hi,

Yes, I can ping it from the ASA, but from my PC (which is on the 172.21.160.xxx range) I can't even ping it or anything else.

Regards,
Author Comment by: avineshp (ID: 22723228)
Hi,

I just want to put up the current config, where I have routed 2 of the other networks, and where I tried pinging it from the ASA 5510.

!
interface Ethernet0/0
 description
 nameif inside
 security-level 100
 ip address 172.21.160.8 255.255.254.0
!
interface Ethernet0/1
 description
 nameif outside
 security-level 0
 ip address 172.18.246.99 255.255.255.248
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 7Ypa4.0G/CbNFQQb encrypted
ftp mode passive
access-list out-in extended permit tcp any host 172.21.160.7 eq 3389
access-list out-in extended permit tcp any host 172.21.160.102 eq echo
access-list out-in extended permit tcp any host 172.21.160.102 eq 3389
access-list out-in extended permit ip any host 172.21.160.102
pager lines 22222
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
static (inside,outside) 172.21.160.0 172.21.160.0 netmask 255.255.254.0
access-group out-in in interface outside
route inside 192.168.122.0 255.255.255.0 172.21.160.1 1
route inside 172.18.128.0 255.255.254.0 172.21.160.1 1
route outside 0.0.0.0 0.0.0.0 172.18.246.97 1
route outside 192.168.69.0 255.255.255.0 172.18.246.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 172.21.160.102 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 172.21.160.102 255.255.255.255 inside
telnet 172.21.160.71 255.255.255.255 inside
telnet timeout 60
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:7581acc5bfb2da5a9c27fe25ca6c7d21
: end
PING:
WirelessLink(config)# ping 172.18.129.20
Sending 5, 100-byte ICMP Echos to 172.18.129.20, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/10 ms
WirelessLink(config)#

So it works from the ASA but not from the PC on the inside IP range (172.21.160.xxx).

Regards,
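As an added illustration of the routing point raised in this thread (not code from the thread or from Cisco), the script below parses a constructed excerpt of the second config above, performs the longest-prefix lookup the ASA would do for a PC on the inside range reaching 172.18.129.20, and additionally flags when that path enters and leaves the same interface, which the ASA only forwards if `same-security-traffic permit intra-interface` is configured. It assumes the PC uses the ASA's inside address as its default gateway; the function and variable names are the example's own.

```python
import ipaddress
import re

# Constructed excerpt of the poster's second config: interface addresses and static routes only.
ASA_CONFIG = """\
interface Ethernet0/0
 nameif inside
 ip address 172.21.160.8 255.255.254.0
interface Ethernet0/1
 nameif outside
 ip address 172.18.246.99 255.255.255.248
route inside 192.168.122.0 255.255.255.0 172.21.160.1 1
route inside 172.18.128.0 255.255.254.0 172.21.160.1 1
route outside 0.0.0.0 0.0.0.0 172.18.246.97 1
route outside 192.168.69.0 255.255.255.0 172.18.246.97 1
"""

def parse_routes(config):
    """Collect (network, nameif, next_hop) for connected subnets and static routes."""
    routes, nameif = [], None
    for raw in config.splitlines():
        line = raw.strip()
        m_if = re.match(r"nameif (\S+)$", line)
        m_ip = re.match(r"ip address (\S+) (\S+)$", line)
        m_rt = re.match(r"route (\S+) (\S+) (\S+) (\S+)", line)
        if m_if:
            nameif = m_if.group(1)
        elif m_ip and nameif:
            net = ipaddress.ip_network(f"{m_ip.group(1)}/{m_ip.group(2)}", strict=False)
            routes.append((net, nameif, "connected"))
        elif m_rt:
            net = ipaddress.ip_network(f"{m_rt.group(2)}/{m_rt.group(3)}", strict=False)
            routes.append((net, m_rt.group(1), m_rt.group(4)))
    return routes

def lookup(routes, host):
    """Longest-prefix match, the rule the ASA applies to choose an egress interface."""
    addr = ipaddress.ip_address(host)
    return max((r for r in routes if addr in r[0]), key=lambda r: r[0].prefixlen, default=None)

def check_flow(config, src, dst):
    """Forwarding decision for src -> dst, plus whether the path hairpins on one interface."""
    routes = parse_routes(config)
    ingress, egress = lookup(routes, src), lookup(routes, dst)
    if ingress is None or egress is None:
        return None
    return {"ingress": ingress[1], "egress": egress[1], "next_hop": egress[2],
            "hairpin": ingress[1] == egress[1],
            # The ASA drops a flow that enters and exits the same interface unless this is set.
            "hairpin_permitted": "same-security-traffic permit intra-interface" in config}
```

With the two `route inside` lines removed, the same lookup lands on the default route and the flow leaves on outside, which is the behaviour the first reply describes.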
Accepted Solution by: avineshp (earned 0 total points, ID: 23053862)
I managed to sort it out. I just bought a new Cisco router... now it works.