Cisco Equipment - What Am I Missing?

I have the following Cisco network setup: router -> ASA -> switch. The ASA provides DHCP for the internal network. My client computer can't see the router; what am I missing? Please help. The config files and Visio are attached for your review. Thanks.
EE-Post-ASA.txt
EE-Post-Router.txt
EE-Post-Visio.pdf
Silly013 Asked:
 
ciscoguy69 Commented:
You are missing the fact that you have the only inside interface marked as "Management Only". Using this config you will only get to the FW, as a "Management Only" interface only takes traffic intended for the device; it does not pass. Remove the Management Only by doing an "interface Management0/0" then "no management-only" from config mode. You are using this as a gateway and as such it will need, at a minimum, a default route to the router. Do this from config mode by adding "route outside 0.0.0.0 0.0.0.0 192.168.73.1". You will also need to add a return route on the router, "ip route 192.168.74.0 255.255.255.0 192.168.73.2", from config mode. Is there a reason you have the outside interface on the ASA at the same security level as your inside? I would set it to 0 and control ports from access lists. By setting it to 100 you in essence make it the same as your inside interface.


   
 
ionut_mir Commented:
From the router configuration, it appears that the router doesn't have a route to the 192.168.74.0 network.
Add a route:

Router(config)#ip route 192.168.74.0 255.255.255.0 192.168.73.2

Also, even if I don't see any line stating this, I believe that the firewall will block ICMP packets. So after you configure the route, check this issue on the firewall. You can use the ASDM, it's easier :)
 
devangshroff Commented:
Hi,

The big mistake you made is that you have given an IP address to the management port.
Please do this.

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address

and

route outside 0.0.0.0 0.0.0.0 <ip address of router>
 
ciscoguy69 Commented:
The firewall will by default block ICMP (ping) both to and through. Depending on your need, you can add that to the access list either through ASDM or CLI, based on comfort level. If you need help with that, just let me know.
 
Silly013 (Author) Commented:
@ionut_mir: I did as suggested (seems to work, explanation below)
@devangshroff: I did want to use the management port as the inside interface. I set up route outside as suggested (seems to work, explanation below)
@ciscoguy69: I did as suggested (seems to work, explanation below)
Okay, here's my explanation as to why I did what I did:
I'm an absolute rookie when it comes to this Cisco stuff, I'm learning :) So I followed your suggestions and it seems to work, meaning that I am now able to telnet to the router from a client (after lowering the security level on the outside interface of the ASA to 0). I still can't ping it, I guess because ICMP is blocked, but I'm not sure if I should unblock it. I only want to turn on certain ports to be accessed from and to the internet.
For instance, I want to allow terminal service to a server on the internal network, I would do:
On router: ip nat inside source static tcp "inside IP" 3389 "public IP" 3389
On ASA: permit tcp any any eq 3389
Is it right?
 
ionut_mir Commented:
Yes, that should work.
 
ciscoguy69 Commented:
Yes, that will work, or you could just do a permit for the specific host on port 3389 on the ASA; that way you are not just relying on NAT for security.
 
Silly013 (Author) Commented:
Thank you!
Question has a verified solution.
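
The checks raised in this thread can be scripted against a saved ASA configuration. The following is an added example, not part of the original posts: a small Python audit that flags a management-only inside interface, an outside interface at the same security level as inside, a missing default route, and a `permit tcp any any` rule. The sample config, the ACL name `outside_in`, the ASA inside address and the function names are constructed for illustration.

```python
import re

# Constructed sample: an ASA config showing the problems raised in this thread.
SAMPLE = """\
interface Ethernet0/0
 nameif outside
 security-level 100
 ip address 192.168.73.2 255.255.255.0
!
interface Management0/0
 nameif inside
 security-level 100
 ip address 192.168.74.1 255.255.255.0
 management-only
access-list outside_in extended permit tcp any any eq 3389
"""

def parse_interfaces(cfg):
    """Return {interface: [sub-commands]} from the indented interface blocks."""
    blocks, cur = {}, None
    for line in cfg.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            cur = blocks.setdefault(m.group(1), [])
        elif line.startswith(" ") and cur is not None:
            cur.append(line.strip())
        else:
            cur = None  # any unindented line ends the current block
    return blocks

def audit(cfg):
    """Return a list of findings for the issues discussed in the thread."""
    findings, levels = [], {}
    for name, cmds in parse_interfaces(cfg).items():
        nameif = next((c.split()[1] for c in cmds if c.startswith("nameif ")), None)
        level = next((int(c.split()[1]) for c in cmds if c.startswith("security-level ")), None)
        if nameif:
            levels[nameif] = level
        if nameif == "inside" and "management-only" in cmds:
            findings.append(f"{name}: inside interface is management-only, transit traffic is dropped")
    if "outside" in levels and levels["outside"] == levels.get("inside"):
        findings.append("outside has the same security-level as inside")
    if not re.search(r"^route outside 0(\.0\.0\.0)? 0(\.0\.0\.0)? \S+", cfg, re.M):
        findings.append("no default route on outside")
    for acl in re.findall(r"^access-list \S+ extended permit tcp any any eq \S+", cfg, re.M):
        findings.append(f"broad rule, name the destination host: {acl}")
    return findings

if __name__ == "__main__": print(*audit(SAMPLE), sep="\n")
```

The router side still needs its return route to 192.168.74.0, which this script does not inspect.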
