Solved

Problems configuring static route on ASA 5505

Posted on 2008-10-26
888 Views
Last Modified: 2010-05-18
I have been trying to switch from a Netgear router to an ASA 5505 for over a week now and I have to admit defeat.  I am a novice at configuring Cisco devices but I thought the graphical interface would be simple enough to do considering my network is simple (or so I thought!).  We have a network of around 40 computers on a subnet of 10.1.1.X netmask 255.255.255.0.  The ASA is the default gateway at 10.1.1.1.  We do not have a DMZ yet so there is only inside and outside.  Our external interface on the ASA is at 74.217.175.64 with a netmask of 255.255.255.252.

Here is the configuration:
We do not have a DMZ yet, just inside and outside
Internal network: 10.1.1.X netmask 255.255.255.0  
External Network: 74.217.175.64 with a netmask of 255.255.255.252
Only the one public IP address.
ASA inside address: 10.1.1.1
ASA outside address: 74.217.175.64
Mail server and OWA server at 10.1.1.18
HTTPS is forwarded from outside to 10.1.1.18
SMTP is forwarded from outside to 10.1.1.18 AND limited to Postini servers.

All of the above appears to be working fine.  On the old Netgear it was pretty straightforward and I got it going on the ASA, though I may have gotten it working in spite of myself.

The problem is that we have a vendor that connects to our network via a T-1 and router and prints reports to an internal networked printer (10.1.1.35).  The internal address of the router is 10.1.1.12 and the vendor's subnet is 192.108.240.0/255.255.255.0.  On the Netgear there was simply a static route and it worked fine.  On the ASA I added a static route on the inside interface and then (based on posing a question in an earlier post) also turned on same-interface routing on the ASA.  I have tinkered with NAT and ACL but I can't seem to get it to work.  I'm mostly shooting in the dark here.  Here is my configuration (I did not save my failures to FLASH so this does not include the new route):

Result of the command: "show configuration"
: Saved
: Written by enable_15 at 05:49:22.653 UTC Tue Oct 21 2008
!
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name widget
enable password blah blah encrypted
passwd blah blah encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 74.217.175.64 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name Wedge
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in remark Postini
access-list outside_access_in extended permit tcp 64.18.0.0 255.255.240.0 interface outside eq smtp
access-list outside_access_in remark Global Relay
access-list outside_access_in extended permit tcp 208.81.212.0 255.255.255.0 interface outside eq 993
access-list outside_access_in remark Global Relay
access-list outside_access_in extended permit tcp 216.18.71.64 255.255.255.192 interface outside eq 993
access-list outside_access_in remark Global Relay
access-list outside_access_in extended permit tcp 204.92.126.0 255.255.255.0 interface outside eq 993
access-list outside_access_in remark Global Relay
access-list outside_access_in extended permit tcp 204.92.49.0 255.255.255.0 interface outside eq 993
access-list inside_access_in extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface https 10.1.1.18 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 10.1.1.18 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 993 10.1.1.18 993 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 74.217.175.63 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 10.1.1.73 255.255.255.255 inside
telnet 10.1.1.237 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.1.1.2-10.1.1.129 inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context

I plan to add the route using this command:
route inside 192.108.240.0 255.255.255.0 10.1.1.12 1

I thought this was all I needed but "no go."  Do I need to configure an ACL and/or NAT?  If so, how? (My other attempts failed.)  I am approaching a deadline so any help is appreciated!

Question by:mikerich61
6 Comments
 
LVL 28

Expert Comment

by:batry_boy
ID: 22809838
What exactly doesn't work?  Is it the printing?  I can understand why the vendor would not be able to ping anything on your network (I'll explain below), but they should be able to send a print job to the printer.

You're not going to be able to do this because the ASA does not behave like a true router.  It will not take a packet received on its inside interface and redirect it to another router because it will not perform ICMP redirects.  If you want bidirectional traffic flow between your inside network and the vendor's, you'll either have to assign static routes to ALL devices on your network that point traffic for 192.108.240.0 to the router at 10.1.1.12, or you'll have to put in your own internal router and point all of your internal network devices to this new router as their default gateway.  Then, you can put in a static route on that router similar to what you were planning on doing in the ASA and your traffic will make it to the vendor's.

The point to all of this is that the ASA is not a router...
 
LVL 8

Expert Comment

by:Jay_Gridley
ID: 22810587
Another solution could be giving your vendor Mobile VPN access so that they can connect and print whenever necessary.
The downside would obviously be that they would have access to your entire LAN at that point.
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 22811435
Set the networked printer's default route to 10.1.1.12 instead of the ASA
Done.
I don't think the printer needs Internet access anyway, does it?

Author Comment

by:mikerich61
ID: 22811845
This may reflect my lack of understanding but I don't see why the vendor needs a route on the ASA at all.  There is already a vendor-supplied router that has an IP address of 10.1.1.12 on our network.  Seems like that router could get back and forth to the 10.1.1.35 printer no problem.  Yet the old Netgear had a static route added and printing starts up as soon as I put it back in the network.  Maybe the vendor router config is a problem?  As for routing on the ASA, I thought it would route in software after version 7.
 
LVL 28

Expert Comment

by:batry_boy
ID: 22827953
I think I would do what lrmoore suggested and check the default gateway set on the network printer.  If it is the inside ASA interface, try setting it to the vendor's router interface at 10.1.1.12 and see if printing works.  I've seen Sonicwall firewalls behave in the same manner as the way you describe the Netgear behaving, but the ASA won't perform this type of traffic routing.
 

Author Closing Comment

by:mikerich61
ID: 31510155
I changed the gateway IP on the printers and it worked!  Thanks for the help!
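To make the routing decisions in this thread concrete, here is an added example (not code from any of the participants) that models the printer, the ASA, the vendor router and a vendor host as tiny routing tables and traces a packet hop by hop with longest-prefix match. It compares the three configurations discussed: printer default gateway pointing at the ASA with the planned static route only on the ASA, printer default gateway pointing at the vendor router (lrmoore's accepted answer), and printer default gateway on the ASA plus a per-host static route for 192.108.240.0/24 (batry_boy's alternative), and it also traces the reverse direction from the vendor side. The ASA's refusal to send a packet back out the interface it arrived on is modelled as a simple flag taken from batry_boy's explanation, not from ASA internals; the vendor router's vendor-side address 192.108.240.1 and the vendor host 192.108.240.50 are constructed, since the thread only gives the vendor subnet and the router's inside address 10.1.1.12.

```python
import ipaddress

IP = ipaddress.ip_address
NET = ipaddress.ip_network

# Networks from the thread. Only the inside side of the ASA is modelled;
# the outside interface and default route play no part in this problem.
INSIDE = NET("10.1.1.0/24")
VENDOR = NET("192.108.240.0/24")
DEFAULT = NET("0.0.0.0/0")


class Node:
    """A host or router: its interfaces, its routing table and a forwarding rule."""

    def __init__(self, name, interfaces, routes, hairpin=True):
        self.name = name
        self.interfaces = interfaces  # {ifname: (IPv4Address, IPv4Network)}
        self.routes = routes          # [(IPv4Network, next_hop or None when on-link)]
        self.hairpin = hairpin        # may a packet leave via the interface it arrived on?

    def addresses(self):
        return [addr for addr, _ in self.interfaces.values()]

    def iface_toward(self, ip):
        """Name of the directly connected interface whose subnet contains ip."""
        for name, (_, net) in self.interfaces.items():
            if ip in net:
                return name
        return None

    def lookup(self, dst):
        """Longest-prefix match over the routing table; returns (network, next_hop)."""
        best = None
        for net, nh in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best


def trace(nodes, src, dst, max_hops=8):
    """Follow a packet from node `src` to address `dst`; returns (path, outcome)."""
    dst = IP(dst)
    owner = {a: n for n in nodes.values() for a in n.addresses()}
    node, ingress, path = nodes[src], None, [src]
    for _ in range(max_hops):
        route = node.lookup(dst)
        if route is None:
            return path, "no route on %s" % node.name
        _, nh = route
        target = dst if nh is None else nh           # on-link delivery or next hop
        egress = node.iface_toward(target)
        if egress is None:
            return path, "%s cannot reach next hop %s" % (node.name, target)
        if ingress == egress and not node.hairpin:   # the behaviour batry_boy describes
            return path, "%s received on %s and will not send back out %s" % (node.name, ingress, egress)
        if target == dst:
            path.append(owner[dst].name if dst in owner else str(dst))
            return path, "delivered"
        node = owner[nh]
        ingress = node.iface_toward(nh)
        path.append(node.name)
    return path, "hop limit exceeded"


def build(printer_gateway, printer_static_route=False):
    """Constructed topology from the thread's addresses; hairpin=False on the ASA is an assumption."""
    asa = Node("asa", {"inside": (IP("10.1.1.1"), INSIDE)},
               [(INSIDE, None), (VENDOR, IP("10.1.1.12"))],   # the planned 'route inside' command
               hairpin=False)
    vendor_router = Node("vendor-router",
                         {"inside": (IP("10.1.1.12"), INSIDE),
                          "vendor": (IP("192.108.240.1"), VENDOR)},  # vendor-side address is assumed
                         [(INSIDE, None), (VENDOR, None)])
    printer_routes = [(INSIDE, None), (DEFAULT, IP(printer_gateway))]
    if printer_static_route:                        # batry_boy's per-host static route option
        printer_routes.append((VENDOR, IP("10.1.1.12")))
    printer = Node("printer", {"lan": (IP("10.1.1.35"), INSIDE)}, printer_routes)
    vendor_host = Node("vendor-host", {"lan": (IP("192.108.240.50"), VENDOR)},  # constructed host
                       [(VENDOR, None), (DEFAULT, IP("192.108.240.1"))])
    return {n.name: n for n in (asa, vendor_router, printer, vendor_host)}


def scenarios():
    """Printer-to-vendor path under the configurations discussed, plus the reverse direction."""
    return {
        "gateway=ASA, static route only on ASA": trace(build("10.1.1.1"), "printer", "192.108.240.50"),
        "gateway=vendor router (accepted answer)": trace(build("10.1.1.12"), "printer", "192.108.240.50"),
        "gateway=ASA plus host static route": trace(build("10.1.1.1", True), "printer", "192.108.240.50"),
        "reverse: vendor host to printer": trace(build("10.1.1.1"), "vendor-host", "10.1.1.35"),
    }


if __name__ == "__main__":
    for label, (path, outcome) in scenarios().items():
        print("%-42s %s: %s" % (label, " > ".join(path), outcome))
```

The first scenario stops at the ASA, which is where the poster's setup failed: the printer hands the packet to 10.1.1.1, and the static route there points straight back out the inside interface. The reverse trace succeeds in every case because the vendor router sits on 10.1.1.0/24 and delivers to the printer on-link, which is why only the printer's return path needed fixing.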
