• Status: Solved

Problems configuring static route on ASA 5505

I have been trying to switch from Netgear router to an ASA 5505 for over a week now and I have to admit defeat.  I am a novice at configuring Cisco devices but I thought the graphical interface would be simple enough to do considering my network is simple (or so I thought!)  We have a network of around 40 computers on a subnet of 10.1.1.X netmask  The ASA is the default gateway at  We do not have a DMZ yet so there is only inside and outside.  Our external interface on the ASA is at with a netmask of

Here is the configuration:
We do not have a DMZ yet, just inside and outside
Internal network: 10.1.1.X netmask  
External Network: with a netmask of
Only the one public IP address.
ASA inside address:
ASA outside address:
Mail server and OWA server at
HTTPS is forwarded from outside to
SMTP is forwarded from outside to AND limited to Postini servers.

All of the above appears to be working fine.  On the old Netgear it was pretty straightforward and I got it going on the ASA, though I may have gotten it working in spite of myself.

The problem is that we have a vendor that connects to our network via a T-1 and router and prints reports to an internal networked printer (  The internal address of the router is  and the vendor's subnet is  On the Netgear there was simply a static route and it worked fine.  On the ASA I added a static route on the inside interface and then (based on posing a question in an earlier post) also turned on same-interface routing on the ASA.  I have tinkered with NAT and ACL but I can't seem to get it to work.  I'm mostly shooting in the dark here.  Here is my configuration: (I did not save my failures to FLASH so this does not include the new route.)

Result of the command: "show configuration"
: Saved
: Written by enable_15 at 05:49:22.653 UTC Tue Oct 21 2008
ASA Version 7.2(4)
hostname ciscoasa
domain-name widget
enable password blah blah encrypted
passwd blah blah encrypted
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
 domain-name Wedge
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in remark Postini
access-list outside_access_in extended permit tcp interface outside eq smtp
access-list outside_access_in remark Global Relay
access-list outside_access_in extended permit tcp interface outside eq 993
access-list outside_access_in remark Global Relay
access-list outside_access_in extended permit tcp interface outside eq 993
access-list outside_access_in remark Global Relay
access-list outside_access_in extended permit tcp interface outside eq 993
access-list outside_access_in remark Global Relay
access-list outside_access_in extended permit tcp interface outside eq 993
access-list inside_access_in extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
static (inside,outside) tcp interface https https netmask
static (inside,outside) tcp interface smtp smtp netmask
static (inside,outside) tcp interface 993 993 netmask
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet inside
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address inside

class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
prompt hostname context

I plan to add the route using this command:
route inside 1

I thought this was all I needed but "no go."  Do I need to configure an ACL and or NAT?  If so, how (my other attempts failed.)  I am approaching a deadline so any help is appreciated!

1 Solution
What exactly doesn't work?  Is it the printing?  I can understand why the vendor would not be able to ping anything on your network (I'll explain below), but they should be able to send a print job to the printer.

You're not going to be able to do this because the ASA does not behave like a true router.  It will not take a packet received on its inside interface and redirect it to another router because it will not perform ICMP redirects.  If you want bidirectional traffic flow between your inside network and the vendor's, you'll either have to assign static routes to ALL devices on your network that points traffic for to the router at, or you'll have to put in your own internal router and point all of your internal network devices to this new router as their default gateway.  Then, you can put in a static route on that router similar to what you were planning on doing in the ASA and your traffic will make it to the vendor's.

The point to all of this is that the ASA is not a router...
Another solution could be giving your vendor Mobile VPN access so that they can connect and print whenever necessary.
The downside would obviously be that they would have access to your entire LAN at that point.
Set the networked printer's default route to instead of the ASA
I don't think the printer needs Internet access anyway, does it?
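The following is an added illustration, not part of the original thread, that models the forwarding behaviour the answer describes: a host whose default gateway is the ASA has its vendor-bound packet handed to the ASA, which will not redirect it back out the inside interface to the vendor router, whereas a host with a static route (or a default gateway pointing at the vendor router) reaches the vendor subnet directly. All addresses and the vendor router's lack of a default route are constructed assumptions, since the thread's real values are not on the page.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addresses; the thread's real values are not on the page.
LAN, VENDOR_NET = "10.1.1.0/24", "192.0.2.0/24"
ASA_INSIDE, VENDOR_RTR, PRINTER = "10.1.1.1", "10.1.1.254", "10.1.1.50"
VENDOR_HOST, INTERNET_HOST = "192.0.2.10", "198.51.100.5"

# Routing tables: prefix -> next hop, or None when directly connected.
# The ASA table includes the poster's planned 'route inside' toward the vendor.
ASA_TABLE = {LAN: None, "0.0.0.0/0": "outside", VENDOR_NET: VENDOR_RTR}
VENDOR_RTR_TABLE = {LAN: None, VENDOR_NET: None}   # assumed: no default route
PRINTER_DEFAULT_VIA_ASA = {LAN: None, "0.0.0.0/0": ASA_INSIDE}
PRINTER_DEFAULT_VIA_VENDOR = {LAN: None, "0.0.0.0/0": VENDOR_RTR}
PRINTER_WITH_STATIC_ROUTE = {LAN: None, "0.0.0.0/0": ASA_INSIDE, VENDOR_NET: VENDOR_RTR}


def next_hop(table, dst):
    """Longest-prefix match: returns the next hop, None if on-link, KeyError if no route."""
    d = ip_address(dst)
    matches = [ip_network(p) for p in table if d in ip_network(p)]
    if not matches:
        raise KeyError(dst)
    return table[str(max(matches, key=lambda n: n.prefixlen))]


def trace(printer_table, dst):
    """Return the hops a packet from the printer takes toward dst."""
    path = ["printer"]
    hop = next_hop(printer_table, dst)
    if hop is None:                       # same segment: deliver directly
        return path + [dst]
    if hop == ASA_INSIDE:
        path.append("asa")
        nh = next_hop(ASA_TABLE, dst)
        # Behaviour from the accepted answer: a packet received on 'inside'
        # is not redirected to another router on that same inside segment.
        if nh != "outside" and ip_address(nh) in ip_network(LAN):
            return path + ["dropped: ASA won't redirect back out inside"]
        return path + ["outside"]
    if hop == VENDOR_RTR:
        path.append("vendor-router")
        try:
            if next_hop(VENDOR_RTR_TABLE, dst) is None:
                return path + [dst]
        except KeyError:
            return path + ["unreachable: vendor router has no default route"]
    return path + ["unreachable"]
```

The last case shows the trade-off raised in the thread: pointing the printer's default gateway at the vendor router fixes printing but costs it Internet reachability, which a per-host static route for the vendor subnet avoids.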

mikerich61Author Commented:
This may reflect my lack of understanding but I don't see why the vendor needs a route on the ASA at all.  There is already a vendor supplied router that has an IP address of on our network.  Seems like that router could get back and forth to the printer no problem.  Yet the old Netgear had a static route added and printing starts up as soon as I put it back in the network.  Maybe the vendor router config is a problem?  As for routing on the ASA, I thought it would in software after version 7.
I think I would do what lrmoore suggested and check the default gateway set on the network printer.  If it is the inside ASA interface, try setting it to the vendor's router interface at and see if printing works.  I've seen Sonicwall firewalls behave in the same manner as the way you describe the Netgear behaving, but the ASA won't perform this type of traffic routing.
mikerich61Author Commented:
I changed the gateway IP on the printers and it worked!  Thanks for the help!
