• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2548
  • Last Modified:

Cisco ASA 5505 static route problem

I just replaced an old linksys wrt54G router/wireless access point with a new ASA 5505 for a new client.

Everything is working fine except I am unable to get it to route to a remote subnet that is connect through a Point-to-Point T1 with a pair of Cisco 1721 routers

The network is setup like this

Main office 10.1.60.0/24
main office Cisco 1721 10.1.60.254

remote office 10.1.61.0/24
remote office Cisco 1721 10.1.61.1

ASA 5505 Local IP 10.1.60.1

The computers in the office all have a default gateway of 10.1.60.1
If I statically create the route on the workstations "route add 10.1.61.0 mask 255.255.255.0 10.1.60.254" An individual workstation is able to connect to the remote subnet

I am also able to ping the remote subnet from the ASA.

The only thing I cannot get to work is for the ASA to route the request to the Cisco 1721 properly. The remote office is completely down at this point as their Phones and internet access all come from the main office.  Any help would be greatly appreciated.

Here is the current running config.

ciscoasa# show run
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name ******************
enable password rafexqUfMM0XEGAi encrypted
passwd rafexqUfMM0XEGAi encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.60.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address ************** 255.255.255.252
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address dhcp
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name ******************
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip 10.1.60.0 255.255.255.0 10.1.61.0 255.255.255.0
access-list outside_access_in_1 extended permit tcp any host ************** eq 3389
access-list outside_access_in_1 extended permit tcp any host ************** eq telnet
access-list outside_access_in_1 extended permit icmp any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 10.1.60.10 3389 netmask 255.255.255.255
access-group outside_access_in_1 in interface outside
route inside 10.1.61.0 255.255.255.0 10.1.60.254 1
route outside 0.0.0.0 0.0.0.0 ************** 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 10.1.60.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 10.1.60.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 10
ssh 10.1.60.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
console timeout 0
dhcpd auto_config outside
!

username ******** password EqL7qWUK0pIRfrNh encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:70fbf9b609c48562465540fd3dd8cfa6
: end
0
NewDawn
Asked:
NewDawn
  • 2
  • 2
2 Solutions
 
klinko2kCommented:
The default route on the ASA is pointing to some public IP

route outside 0.0.0.0 0.0.0.0 ************** 1

not the next hop router that can reach that specific subnet (next hop 10.1.60.254)

Thus, the asa is sending all traffic it receives to the public IP, and not to the correct router.

if you add this statement to the asa, it may work.

ip route 10.1.61.0 255.255.255.0 10.1.60.24

This is not best practice though.  The ASA should be between the router and the internet, and your clients should point their default gateway at the router.  

Either way, this definitely makes sense why your clients can't get to that subnet when pointed at the asa, but can when pointed at the edge routers.

0
 
NewDawnAuthor Commented:
I agree that the client should separate any routing from the firewall, but considering what this is replacing this is a big step in the right direction.

I tried adding the command to the ASA and it is failing.  If I understand it correctly (and I am obviously missing something because it is not working) these two commands are supposed to make it so that the ASA will disregard NAT on that subnet.

nat (inside) 0 access-list inside_nat0_outbound
access-list inside_nat0_outbound extended permit ip 10.1.60.0 255.255.255.0 10.1.61.0 255.255.255.0

Then since it is not NAT'ing it should send it to the only route available.

route inside 10.1.61.0 255.255.255.0 10.1.60.254 1

that one.  

And yes, any of the ********** ip addresses have been replaced for security purposes.  
0
 
klinko2kCommented:
I have encountered a similar scenario in the past.  The ASA is not going to do what you want it to do, because it is not a router.  Think of it as more of a l2 pass-through with l3+ capabilities.  That is why I added the statement "it may work."  I did not notice the route inside statement before.

You are correct with that no nat access list.  That is what excludes that traffic from being handled by NAT.

You are going to need to put a router between the asa and the internet if you want this to work.  The ASA just can't do it.
0
 
Cyclops3590Commented:
this won't work by Cisco firewall design.  Packets can't go in and out the same interface.  What you are trying to do is have the workstations use the ASA as the default gateway.  Then have the ASA forward packets it received on its inside interface, back out its inside interface to the 1721 router; which is illegal on a Cisco firewall.

What you need to do is configure the 1721 router at 10.1.60.254 as the default gateway.  And then have a default route on it be the ASA inside of 10.1.60.1.
If you you only want the 60 network to use the ASA as the default gateway you can use a route-map as well.
0
 
NewDawnAuthor Commented:
I was hoping that would not be the case, but oh well.  I will have to run password recovery on the Cisco 1721 (they lost the password)  but I will get that going and make it work.  Thanks for you help guys.

Klinko2k was the first with the answer so I will award him the majority of the points.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now