Solved

Cisco Equipment - What Am I Missing?

Posted on 2009-02-20
Medium Priority
314 Views
Last Modified: 2012-06-27
I have the following Cisco network setup: router -> asa -> switch.  The ASA provides DHCP for the internal network.  My client computer can't see the router, what am I missing?  Please help.  The config files and visio attached for your review.  Thanks.
EE-Post-ASA.txt
EE-Post-Router.txt
EE-Post-Visio.pdf
Question by:Silly013
8 Comments
LVL 5

Assisted Solution

by:ionut_mir
ionut_mir earned 600 total points
ID: 23699501
From the router configuration it appears that the router doesn't have a route to the 192.168.74.0 network.
Add a route:

Router(config)#ip route 192.168.74.0 255.255.255.0 192.168.73.2

Also, even if I don't see any line stating this, I believe that the firewall will block ICMP packets. So after you configure the route, check this issue on the firewall. You can use ASDM; it's easier :)
LVL 5

Assisted Solution

by:devangshroff
devangshroff earned 600 total points
ID: 23699627
Hi,

The big mistake you made is that you have given an IP address to the management port.
Please do this:

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address <inside IP> <mask>

and

route outside 0.0.0.0 0.0.0.0 <IP address of router>
LVL 3

Accepted Solution

by:
ciscoguy69 earned 800 total points
ID: 23700472
You are missing the fact that you have the only inside interface marked as "Management Only". Using this config you will only get to the FW, as a "Management Only" interface only takes traffic intended for the device; it does not pass traffic through. Remove the Management Only from config mode:

interface Management0/0
 no management-only

You are using this as a gateway and as such it will need, at a minimum, a default route to the router. Do this from config mode by adding:

route outside 0.0.0.0 0.0.0.0 192.168.73.1

You will also need to add a return route on the router, from config mode:

ip route 192.168.74.0 255.255.255.0 192.168.73.2

Is there a reason you have the outside interface on the ASA at the same security level as your inside? I would set it to 0 and control ports from access lists. By setting it to 100 you in essence make it the same as your inside interface.
LVL 3

Expert Comment

by:ciscoguy69
ID: 23700490
The firewall will by default block ICMP (ping) both to and through. Depending on your need, you can add that to the access list either through ASDM or the CLI, based on comfort level. If you need help with that, just let me know.
LVL 2

Author Comment

by:Silly013
ID: 23703589
@ionut_mir: I did as suggested (seems to work, explanation below)
@devangshroff: I did want to use the management port as the inside interface.  I set up route outside as suggested (seems to work, explanation below)
@ciscoguy69: I did as suggested (seems to work, explanation below)
Okay, here's my explanation of why I did what I did:
I'm an absolute rookie when it comes to this Cisco stuff; I'm learning :)  So I followed your suggestions and it seems to work, meaning that I am now able to telnet to the router from a client (after lowering the security level on the outside interface of the ASA to 0).  I still can't ping it, I guess because ICMP is blocked, but I'm not sure if I should unblock it.  I only want to turn on certain ports to be accessed from and to the internet.
For instance, I want to allow terminal service to a server on the internal network, I would do:
On router: ip nat inside source static tcp "inside IP" 3389 "public IP" 3389
On ASA: permit tcp any any eq 3389
Is it right?
LVL 5

Expert Comment

by:ionut_mir
ID: 23703956
Yes, that should work.
LVL 3

Expert Comment

by:ciscoguy69
ID: 23705474
Yes, that will work, or you could just do a permit for the specific host on port 3389 on the ASA; that way you are not just relying on NAT for security.
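Added example, not part of the thread or anyone's posted config: a small Python check that reads an ASA running-config and flags the four problems the answers above identify (management-only on the inside interface, no default route toward the router, outside at the same security level as inside, and a port rule that permits to any destination host instead of the single server ciscoguy69 suggests). The two configs are constructed from the thread's description, not the poster's attachments; the router (192.168.73.1), ASA outside (192.168.73.2) and inside network (192.168.74.0/24) addresses come from the thread, while the ASA inside address 192.168.74.1, the terminal-server address 192.168.74.10 and the access-list name outside_in are assumed.

```python
"""Audit a Cisco ASA config for the gateway mistakes discussed in this thread.

Checks:
  1. the 'inside' interface is marked management-only (the ASA will not forward through it)
  2. there is no default route toward the router
  3. 'outside' sits at the same security level as 'inside'
  4. an access-list permits a forwarded port to any destination host instead of one host
"""
import re

# Constructed sample (not the poster's attachment): the state the question describes.
# 192.168.73.1 (router), 192.168.73.2 (ASA outside) and 192.168.74.0/24 (inside) come
# from the thread; the inside address, the server address and the ACL name are assumed.
BROKEN_CFG = """\
interface Management0/0
 nameif inside
 security-level 100
 ip address 192.168.74.1 255.255.255.0
 management-only
!
interface Ethernet0/0
 nameif outside
 security-level 100
 ip address 192.168.73.2 255.255.255.0
!
access-list outside_in extended permit tcp any any eq 3389
access-group outside_in in interface outside
"""

# Constructed sample: after the accepted answer plus a host-specific 3389 rule.
FIXED_CFG = """\
interface Management0/0
 nameif inside
 security-level 100
 ip address 192.168.74.1 255.255.255.0
 no management-only
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.73.2 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 192.168.73.1 1
access-list outside_in extended permit tcp any host 192.168.74.10 eq 3389
access-group outside_in in interface outside
"""

DEFAULT_ROUTE = re.compile(r"^route\s+(\S+)\s+0\.0\.0\.0\s+0\.0\.0\.0\s+(\S+)", re.M)
# permit <proto> <source> any eq <port>: destination is 'any' rather than 'host X'
ANY_DST_PORT = re.compile(
    r"^access-list\s+\S+\s+extended\s+permit\s+(tcp|udp)\s+(.+?)\s+any\s+eq\s+(\S+)\s*$", re.M)


def parse_interfaces(cfg):
    """Return {physical name: {nameif, security_level, management_only}}."""
    ifaces, current = {}, None
    for raw in cfg.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = {"nameif": None, "security_level": None, "management_only": False}
            ifaces[line.split(None, 1)[1]] = current
        elif current is not None and line.startswith(" "):
            tok = line.split()
            if tok[0] == "nameif":
                current["nameif"] = tok[1]
            elif tok[0] == "security-level":
                current["security_level"] = int(tok[1])
            elif tok == ["management-only"]:
                current["management_only"] = True
            elif tok == ["no", "management-only"]:
                current["management_only"] = False
        else:  # '!' or a global command ends the interface block
            current = None
    return ifaces


def audit(cfg):
    """Return a list of human-readable findings; an empty list means none of the four issues."""
    findings = []
    ifaces = parse_interfaces(cfg)
    by_nameif = {v["nameif"]: (k, v) for k, v in ifaces.items() if v["nameif"]}
    inside = by_nameif.get("inside")
    outside = by_nameif.get("outside")
    if inside and inside[1]["management_only"]:
        findings.append(f"{inside[0]} (inside) is management-only; the ASA will not forward traffic through it")
    if not DEFAULT_ROUTE.search(cfg):
        findings.append("no default route ('route <nameif> 0.0.0.0 0.0.0.0 <gateway>'); inside hosts cannot reach the router")
    if (inside and outside
            and inside[1]["security_level"] is not None
            and inside[1]["security_level"] == outside[1]["security_level"]):
        findings.append(f"outside security-level {outside[1]['security_level']} equals inside; set outside to 0 and filter with access lists")
    for m in ANY_DST_PORT.finditer(cfg):
        findings.append(f"access-list permits {m.group(1)}/{m.group(3)} from {m.group(2)} to ANY host; use 'host <server>' instead")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CFG), ("fixed", FIXED_CFG)):
        print(f"{label}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print("  -", f)
```

Run it against a saved `show running-config` to get the same four checks on a real box; the parser only understands the interface, route and access-list lines it needs, so anything else in the config is ignored rather than misread.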
LVL 2

Author Closing Comment

by:Silly013
ID: 31549533
Thank you!