NewDawn
asked on
Cisco ASA 5505 static route problem
I just replaced an old linksys wrt54G router/wireless access point with a new ASA 5505 for a new client.
Everything is working fine except I am unable to get it to route to a remote subnet that is connect through a Point-to-Point T1 with a pair of Cisco 1721 routers
The network is setup like this
Main office 10.1.60.0/24
main office Cisco 1721 10.1.60.254
remote office 10.1.61.0/24
remote office Cisco 1721 10.1.61.1
ASA 5505 Local IP 10.1.60.1
The computers in the office all have a default gateway of 10.1.60.1
If I statically create the route on the workstations "route add 10.1.61.0 mask 255.255.255.0 10.1.60.254" An individual workstation is able to connect to the remote subnet
I am also able to ping the remote subnet from the ASA.
The only thing I cannot get to work is for the ASA to route the request to the Cisco 1721 properly. The remote office is completely down at this point as their Phones and internet access all come from the main office. Any help would be greatly appreciated.
Here is the current running config.
ciscoasa# show run
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name ******************
enable password rafexqUfMM0XEGAi encrypted
passwd rafexqUfMM0XEGAi encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.60.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address ************** 255.255.255.252
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address dhcp
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name ******************
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip 10.1.60.0 255.255.255.0 10.1.61.0 255.255.255.0
access-list outside_access_in_1 extended permit tcp any host ************** eq 3389
access-list outside_access_in_1 extended permit tcp any host ************** eq telnet
access-list outside_access_in_1 extended permit icmp any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 10.1.60.10 3389 netmask 255.255.255.255
access-group outside_access_in_1 in interface outside
route inside 10.1.61.0 255.255.255.0 10.1.60.254 1
route outside 0.0.0.0 0.0.0.0 ************** 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 10.1.60.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 10.1.60.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 10
ssh 10.1.60.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
console timeout 0
dhcpd auto_config outside
!
username ******** password EqL7qWUK0pIRfrNh encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:70fbf9b609c
: end
Everything is working fine except I am unable to get it to route to a remote subnet that is connect through a Point-to-Point T1 with a pair of Cisco 1721 routers
The network is setup like this
Main office 10.1.60.0/24
main office Cisco 1721 10.1.60.254
remote office 10.1.61.0/24
remote office Cisco 1721 10.1.61.1
ASA 5505 Local IP 10.1.60.1
The computers in the office all have a default gateway of 10.1.60.1
If I statically create the route on the workstations "route add 10.1.61.0 mask 255.255.255.0 10.1.60.254" An individual workstation is able to connect to the remote subnet
I am also able to ping the remote subnet from the ASA.
The only thing I cannot get to work is for the ASA to route the request to the Cisco 1721 properly. The remote office is completely down at this point as their Phones and internet access all come from the main office. Any help would be greatly appreciated.
Here is the current running config.
ciscoasa# show run
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name ******************
enable password rafexqUfMM0XEGAi encrypted
passwd rafexqUfMM0XEGAi encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.60.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address ************** 255.255.255.252
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address dhcp
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name ******************
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip 10.1.60.0 255.255.255.0 10.1.61.0 255.255.255.0
access-list outside_access_in_1 extended permit tcp any host ************** eq 3389
access-list outside_access_in_1 extended permit tcp any host ************** eq telnet
access-list outside_access_in_1 extended permit icmp any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 10.1.60.10 3389 netmask 255.255.255.255
access-group outside_access_in_1 in interface outside
route inside 10.1.61.0 255.255.255.0 10.1.60.254 1
route outside 0.0.0.0 0.0.0.0 ************** 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 10.1.60.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 10.1.60.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 10
ssh 10.1.60.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
console timeout 0
dhcpd auto_config outside
!
username ******** password EqL7qWUK0pIRfrNh encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:70fbf9b609c
: end
ASKER
I agree that the client should separate any routing from the firewall, but considering what this is replacing this is a big step in the right direction.
I tried adding the command to the ASA and it is failing. If I understand it correctly (and I am obviously missing something because it is not working) these two commands are supposed to make it so that the ASA will disregard NAT on that subnet.
nat (inside) 0 access-list inside_nat0_outbound
access-list inside_nat0_outbound extended permit ip 10.1.60.0 255.255.255.0 10.1.61.0 255.255.255.0
Then since it is not NAT'ing it should send it to the only route available.
route inside 10.1.61.0 255.255.255.0 10.1.60.254 1
that one.
And yes, any of the ********** ip addresses have been replaced for security purposes.
I tried adding the command to the ASA and it is failing. If I understand it correctly (and I am obviously missing something because it is not working) these two commands are supposed to make it so that the ASA will disregard NAT on that subnet.
nat (inside) 0 access-list inside_nat0_outbound
access-list inside_nat0_outbound extended permit ip 10.1.60.0 255.255.255.0 10.1.61.0 255.255.255.0
Then since it is not NAT'ing it should send it to the only route available.
route inside 10.1.61.0 255.255.255.0 10.1.60.254 1
that one.
And yes, any of the ********** ip addresses have been replaced for security purposes.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I was hoping that would not be the case, but oh well. I will have to run password recovery on the Cisco 1721 (they lost the password) but I will get that going and make it work. Thanks for you help guys.
Klinko2k was the first with the answer so I will award him the majority of the points.
Klinko2k was the first with the answer so I will award him the majority of the points.
route outside 0.0.0.0 0.0.0.0 ************** 1
not the next hop router that can reach that specific subnet (next hop 10.1.60.254)
Thus, the asa is sending all traffic it receives to the public IP, and not to the correct router.
if you add this statement to the asa, it may work.
ip route 10.1.61.0 255.255.255.0 10.1.60.24
This is not best practice though. The ASA should be between the router and the internet, and your clients should point their default gateway at the router.
Either way, this definitely makes sense why your clients can't get to that subnet when pointed at the asa, but can when pointed at the edge routers.