Problems configuring static route on ASA 5505

Posted on 2008-10-26
Medium Priority
Last Modified: 2010-05-18
I have been trying to switch from a Netgear router to an ASA 5505 for over a week now and I have to admit defeat.  I am a novice at configuring Cisco devices but I thought the graphical interface would be simple enough to do considering my network is simple (or so I thought!)  We have a network of around 40 computers on a subnet of 10.1.1.X netmask  The ASA is the default gateway at  We do not have a DMZ yet so there is only inside and outside.  Our external interface on the ASA is at with a netmask of

Here is the configuration:
We do not have a DMZ yet, just inside and outside
Internal network: 10.1.1.X netmask  
External Network: with a netmask of
Only the one public IP address.
ASA inside address:
ASA outside address:
Mail server and OWA server at
HTTPS is forwarded from outside to
SMTP is forwarded from outside to AND limited to Postini servers.

All of the above appears to be working fine.  On the old Netgear it was pretty straightforward and I got it going on the ASA, though I may have gotten it working in spite of myself.

The problem is that we have a vendor that connects to our network via a T-1 and router and prints reports to an internal networked printer (  The internal address of the router is  and the vendor's subnet is  On the Netgear there was simply a static route and it worked fine.  On the ASA I added a static route on the inside interface and then (based on posing a question in an earlier post) also turned on same interface routing on the ASA.  I have tinkered with NAT and ACL but I can't seem to get it to work.  I'm mostly shooting in the dark here.  Here is my configuration: (I did not save my failures to FLASH so this does not include the new route.)

Result of the command: "show configuration"
: Saved
: Written by enable_15 at 05:49:22.653 UTC Tue Oct 21 2008
ASA Version 7.2(4)
hostname ciscoasa
domain-name widget
enable password blah blah encrypted
passwd blah blah encrypted
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
 domain-name Wedge
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in remark Postini
access-list outside_access_in extended permit tcp interface outside eq smtp
access-list outside_access_in remark Global Relay
access-list outside_access_in extended permit tcp interface outside eq 993
access-list outside_access_in remark Global Relay
access-list outside_access_in extended permit tcp interface outside eq 993
access-list outside_access_in remark Global Relay
access-list outside_access_in extended permit tcp interface outside eq 993
access-list outside_access_in remark Global Relay
access-list outside_access_in extended permit tcp interface outside eq 993
access-list inside_access_in extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
static (inside,outside) tcp interface https https netmask
static (inside,outside) tcp interface smtp smtp netmask
static (inside,outside) tcp interface 993 993 netmask
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet inside
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address inside

class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
prompt hostname context

I plan to add the route using this command:
route inside 1

I thought this was all I needed but "no go."  Do I need to configure an ACL and/or NAT?  If so, how?  (My other attempts failed.)  I am approaching a deadline so any help is appreciated!

Question by:mikerich61

Expert Comment

ID: 22809838
What exactly doesn't work?  Is it the printing?  I can understand why the vendor would not be able to ping anything on your network (I'll explain below), but they should be able to send a print job to the printer.

You're not going to be able to do this because the ASA does not behave like a true router.  It will not take a packet received on its inside interface and redirect it to another router because it will not perform ICMP redirects.  If you want bidirectional traffic flow between your inside network and the vendor's, you'll either have to assign static routes to ALL devices on your network that point traffic for to the router at, or you'll have to put in your own internal router and point all of your internal network devices to this new router as their default gateway.  Then, you can put in a static route on that router similar to what you were planning on doing in the ASA and your traffic will make it to the vendor's.

The point to all of this is that the ASA is not a router...

Expert Comment

ID: 22810587
Another solution could be giving your vendor Mobile VPN access so that they can connect and print whenever necessary.
The downside would obviously be that they would have access to your entire LAN at that point.

Accepted Solution

lrmoore earned 2000 total points
ID: 22811435
Set the networked printer's default route to instead of the ASA
I don't think the printer needs Internet access anyway, does it?
Author Comment

ID: 22811845
This may reflect my lack of understanding but I don't see why the vendor needs a route on the ASA at all.  There is already a vendor supplied router that has an IP address of on our network.  Seems like that router could get back and forth to the printer no problem.  Yet the old Netgear had a static route added and printing starts up as soon as I put it back in the network.  Maybe the vendor router config is a problem?  As for routing on the ASA, I thought it would in software after version 7.

Expert Comment

ID: 22827953
I think I would do what lrmoore suggested and check the default gateway set on the network printer.  If it is the inside ASA interface, try setting it to the vendor's router interface at and see if printing works.  I've seen Sonicwall firewalls behave in the same manner as the way you describe the Netgear behaving, but the ASA won't perform this type of traffic routing.

Author Closing Comment

ID: 31510155
I changed the gateway IP on the printers and it worked!  Thanks for the help!
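
The printer-side options discussed in this thread, modelled as an added example (not part of any post above): a longest-prefix-match lookup shows where the printer sends replies to the vendor subnet and where it sends Internet-bound traffic. All addresses are constructed assumptions, since the thread's own addresses are not shown on the page.

```python
import ipaddress

# Constructed addresses; the thread's real ones are not shown on the page.
ASA_INSIDE = "10.1.1.1"        # assumed ASA inside interface
VENDOR_ROUTER = "10.1.1.250"   # assumed vendor router on the inside LAN
PRINTER = "10.1.1.60"          # assumed networked printer
VENDOR_HOST = "192.168.50.10"  # assumed host in the vendor's subnet
INTERNET_HOST = "203.0.113.5"  # documentation-range address
LAN = ipaddress.ip_network("10.1.1.0/24")
VENDOR_NET = ipaddress.ip_network("192.168.50.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def next_hop(routes, dst):
    """Longest-prefix match: gateway IP, 'direct' if on-link, None if no route."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, gw) for net, gw in routes if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def printer_routes(default_gw, static_to_vendor=None):
    """Routing table of the printer for one configuration."""
    routes = [(LAN, "direct"), (DEFAULT, default_gw)]
    if static_to_vendor:
        routes.append((VENDOR_NET, static_to_vendor))
    return routes


def audit():
    """For each option: reply hop, Internet hop, and reliance on the ASA."""
    # The vendor router sits on the LAN, so print jobs reach the printer on-link.
    forward = next_hop([(LAN, "direct"), (VENDOR_NET, "direct")], PRINTER)
    scenarios = {
        "default gw = ASA": printer_routes(ASA_INSIDE),
        "default gw = ASA + static route": printer_routes(ASA_INSIDE, VENDOR_ROUTER),
        "default gw = vendor router": printer_routes(VENDOR_ROUTER),
    }
    out = {}
    for name, routes in scenarios.items():
        reply = next_hop(routes, VENDOR_HOST)
        out[name] = {
            "forward_hop": forward,
            "reply_hop": reply,
            "internet_hop": next_hop(routes, INTERNET_HOST),
            # Replies handed to the ASA only arrive if it sends them back
            # out the inside interface, which is what the thread is about.
            "reply_depends_on_asa": reply == ASA_INSIDE,
        }
    return out


if __name__ == "__main__":
    for name, res in audit().items():
        print(f"{name}: {res}")
```

With the vendor router as the printer's default gateway, the printer's Internet-bound traffic also goes to the vendor router rather than the ASA, which is the trade-off the accepted solution raises.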
