  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3048

Cisco ASA can route via the management interface only?

I am trying to get my ASA to talk to my router, but they will only communicate if I have the ASA connected to the router via the management interface. If I connect the router to g0/0, I get 0 traffic.

LAN <--> ASA <--> Border Router <--> Internet

Why does it work great when I use the management interface, but not g0/0?

Just to note, I have g0/0 off, but it is supposed to have the exact same settings m0/0 has (hope that makes sense).


ASA Config:
ASA Version 8.2(2) 
!
hostname asa01
domain-name xxxxxxxxxx.net
enable password  encrypted
passwd encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 shutdown
 no nameif
 security-level 0
 ip address 192.168.1.1 255.255.255.252 
!
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 172.31.1.1 255.255.255.224 
!
interface GigabitEthernet0/2
 nameif WiFi
 security-level 75
 ip address 172.31.2.1 255.255.255.224 
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif Outside
 security-level 0
 ip address 10.0.0.2 255.255.255.252 
!
ftp mode passive
dns domain-lookup Inside
dns server-group DefaultDNS
 name-server 172.31.1.5
 name-server 172.31.1.10
 domain-name xxxxxxxxxx.net
same-security-traffic permit intra-interface
access-list Inside_access_in extended permit ip any any 
access-list WiFi_access_in extended permit ip any any 
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu WiFi 1500
mtu Inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
access-group WiFi_access_in in interface WiFi
access-group Inside_access_in in interface Inside
!
router eigrp 1
 network 10.0.0.0 255.255.255.252
 network 172.31.1.0 255.255.255.224
 network 172.31.2.0 255.255.255.224
 network 172.31.3.0 255.255.255.252
!
route Outside 0.0.0.0 0.0.0.0 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL 
http server enable
http 172.31.1.0 255.255.255.224 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 172.31.1.0 255.255.255.224 Inside
ssh timeout 30
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username password encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:
: end
asdm history enable



2821 Config:
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname isr01
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local 
!
!
!
!
!
aaa session-id common
!
!
!
!
dot11 syslog
no ip source-route
!
!
ip cef
!
!
no ip bootp server
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip port-map user-xbox port udp 3074
ip port-map user-stb port tcp from 35000 to 35002 
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
!
crypto pki trustpoint TP-self-signed-666243818
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-666243818
 revocation-check none
 rsakeypair TP-self-signed-666243818
!
!
!
!
archive
 log config
  hidekeys
username privilege 15 secret 5
!
redundancy
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
! 
!
!
!
!
!
!
!
interface Null0
 no ip unreachables
!
interface GigabitEthernet0/0
 description $ETH-WAN$
 ip address dhcp client-id GigabitEthernet0/0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
 !
!
interface GigabitEthernet0/1
 description $ETH-LAN$
 ip address 10.0.0.1 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
 !
!
interface FastEthernet0/2/0
 shutdown
 !
!
interface FastEthernet0/2/1
 shutdown
 !
!
interface FastEthernet0/2/2
 shutdown
 !
!
interface FastEthernet0/2/3
 shutdown
 !
!
interface Vlan1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip virtual-reassembly
 !
!
!
router eigrp 1
 network 10.0.0.0 0.0.0.3
 auto-summary
!
no ip classless
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip dns server
ip dns spoofing
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 172.31.1.0 255.255.255.224 172.31.1.1
!
logging trap debugging
access-list 1 permit 172.31.1.0 0.0.0.31
access-list 1 permit 172.31.2.0 0.0.0.31
access-list 1 permit 172.31.3.0 0.0.0.3
access-list 1 permit 10.0.0.0 0.0.0.3
access-list 100 permit ip 172.31.1.0 0.0.0.31 any
access-list 100 deny   ip any any
no cdp run

!
!
!
!
!
!
control-plane
 !
!
!
!
mgcp fax t38 ecm
mgcp behavior g729-variants static-pt
!
!
!
!
!
gatekeeper
 shutdown
!
banner login 
*************************************
*-This network is for test purposes-*
*-Unauthorized access is prohibited-*
*-Please logout now if you are not--*
*--------an authorized user---------*
*************************************


!
line con 0
 login authentication local_authen
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 access-class 100 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
line vty 5 15
 access-class 100 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler allocate 20000 1000
end


Asked by: djroketboy

1 Solution
bkepford commented:
Your Gig 0/0 is shut down and the nameif is not set to Outside. Do a "no nameif" on your management interface, and then you should be able to use the following on your Gig0/0 interface. See commands below.

interface Management0/0
no nameif

interface GigabitEthernet0/0
 no shutdown
 nameif Outside
 
djroketboy (Author) commented:
Sorry, yeah, I thought I made that clear in my post: the config I posted is "as working" with the management interface. When I turn on g0/0, name it "Outside", and switch the wire in the back, all traffic stops. I get 0 connectivity between g0/0 and the router.

Nothing else changes; ACLs stay, routes stay....
 
bkepford commented:
Oh, and also:

interface Management0/0
 no ip address
interface GigabitEthernet0/0
 ip address 10.0.0.2 255.255.255.252

 
bkepford commented:
Did you do a "no nameif" on the management interface? You are only allowed one Outside interface.
 
djroketboy (Author) commented:
Yes, this is what I do:

conf t
int m0/0
no nameif
no ip address
shut
int g0/0
no ip address
ip address 10.0.0.2 255.255.255.252
nameif Outside
shut
no shut

Then I go and switch the cable in the back of the ASA, to go from g0/1 on the router to g0/0 on the ASA.
 
bkepford commented:
Tell me what you do when you hook up the Gig0/0 interface. The changes that I would make are as follows:

interface Management0/0
 no nameif
 no ip address
 security-level 100
!
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 10.0.0.2 255.255.255.252
 no shutdown

 
bkepford commented:
Are you using a crossover cable?
 
djroketboy (Author) commented:
No, do I need to make one?

I'm currently disconnected and posting from my phone.

I will post new configuration in a minute.
 
bkepford commented:
Yes, the management interface is probably set up to attach directly to a PC. The Gig interfaces are made to plug into switches. You can either connect the Gig port directly to a router via a crossover cable or connect both of them to the same switch (or VLAN).
 
djroketboy (Author) commented:
Made a crossover cable, tested it, and still no data flow.

Here is my config with g0/0 active.

[code]

ASA Version 8.2(2)
!
hostname asa01
domain-name xxxxxxxxxx.net
enable password encrypted
passwd encrypted
names
name 172.31.1.10 Syndrome
name 172.31.1.5 Mirage
name 172.31.3.2 Xbox
dns-guard
!
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 10.0.0.2 255.255.255.252
!
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 172.31.1.1 255.255.255.224
!
interface GigabitEthernet0/2
 nameif WiFi
 security-level 75
 ip address 172.31.2.1 255.255.255.224
!
interface GigabitEthernet0/3
 nameif Xbox
 security-level 25
 ip address 172.31.3.1 255.255.255.252
!
interface Management0/0
 shutdown
 no nameif
 security-level 100
 no ip address
!
ftp mode passive
dns domain-lookup Inside
dns server-group DefaultDNS
 name-server Mirage
 name-server Syndrome
 domain-name xxxxxxxxxx.net
same-security-traffic permit intra-interface
object-group service XboxLive-Out_tcp tcp
 port-object eq 3074
 port-object eq domain
 port-object eq www
 port-object eq https
object-group service XboxLive-Out_upd udp
 port-object eq 3074
 port-object eq 88
 port-object eq domain
object-group service XboxLive-In_tcp tcp
 port-object eq 3074
object-group service XboxLive-In_udp udp
 port-object eq 3074
object-group icmp-type XboxLive_icmp
 icmp-object unreachable
 icmp-object source-quench
 icmp-object time-exceeded
access-list Inside_access_in extended permit ip any any
access-list WiFi_access_in extended permit ip any any
access-list Outside_access_in extended permit udp any any object-group XboxLive-In_udp
access-list Outside_access_in extended permit icmp any any object-group XboxLive_icmp
access-list Xbox_access_in extended permit udp any any object-group XboxLive-Out_upd
access-list Xbox_access_in extended permit tcp any any object-group XboxLive-Out_tcp
access-list Xbox_access_in extended permit udp any object-group XboxLive-In_udp any
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu WiFi 1500
mtu Inside 1500
mtu Xbox 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
access-group WiFi_access_in in interface WiFi
access-group Inside_access_in in interface Inside
access-group Xbox_access_in in interface Xbox
!
router eigrp 1
 network 10.0.0.0 255.255.255.252
 network 172.31.1.0 255.255.255.224
 network 172.31.2.0 255.255.255.224
 network 172.31.3.0 255.255.255.252
!
route Outside 0.0.0.0 0.0.0.0 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 172.31.1.0 255.255.255.224 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 172.31.1.0 255.255.255.224 Inside
ssh timeout 30
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username password encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:
: end
asdm history enable
[/code]
 
djroketboy (Author) commented:
I just found this while googling: http://www.experts-exchange.com/Hardware/Networking_Hardware/Cables/Q_24493861.html

So a regular cable will work; there has to be something I'm missing?
 
rcombis commented:
Cable should be fine.

In your initial config I saw that the router and the ASA were on different IP subnets on the interfaces you want to connect.

ASA
interface GigabitEthernet0/0
 shutdown
 no nameif
 security-level 0
 ip address 192.168.1.1 255.255.255.252

interface Management0/0
 nameif Outside
 security-level 0
 ip address 10.0.0.2 255.255.255.252

Router

interface GigabitEthernet0/1
 description $ETH-LAN$
 ip address 10.0.0.1 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled


One is on 192.168.x.x and one on 10.x.x.x.

Maybe I misread, but just my 2 cents!


 
djroketboy (Author) commented:
Yeah, ignore the first ASA config; the updated one is what I should have posted the first time. I'm new at asking for help; normally I can just figure it out, but this has me really stumped.

I have even wiped the ASA and started from scratch, but no matter what I've tried, g0/0 will not pass traffic to the router.

I have even tested removing the router, making g0/0 DHCP (from my isp), turning on NAT, and the ASA passes traffic just fine over g0/0.
 
Saineolai commented:
Are you seeing any packets inbound and outbound on the interface statistics when you have them connected together?

What mac addresses are you seeing on each device in the arp caches?
 
rcombis commented:
When you plug the cable in, are the interface lights blinking? I am not at the office to look at my ASA to be sure, but I think when you plug in it should indicate that there is a physical connection on both devices.
 
djroketboy (Author) commented:
I think I have it solved! I have it connected with ASA g0/0 to Router g0/1 (the way I want); now it's working.

Saineolai, you led me in the right direction. I was cloning the MAC address of the ASA on the router (int g0/0) because I have FiOS and they are weird about releasing IPs. I removed the MAC clone on the router and cleared the ARP cache on the ASA. I reconnected ASA g0/0 to Router g0/1. Now traffic is flowing over the ASA.
 
bkepford commented:
That would do it; glad you got it worked out. I am sure that it would confuse the ASA to be forwarding to a MAC address that it thought was directly attached.
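Editor's note: Saineolai's question about the ARP caches is what exposed the cloned MAC, and that comparison is easy to automate. The script below is an added example, not code from anyone in the thread. It parses the output of `show interface` and `show arp` on the ASA and of `show interfaces` and `show ip arp` on the 2821, then reports any MAC address configured on more than one port across both devices and any ARP entry that resolves a neighbor to a MAC the device itself owns, which is what a cloned MAC looks like from the router's side. The hostnames asa01 and isr01 come from the posted configs; every MAC address and every line of "show" output is constructed for the example, and the "fixed" variant assumes the clone was set with the IOS `mac-address` interface command and removed with `no mac-address`, which the thread describes but does not show.

```python
"""Added example: cross-check MAC addresses between a Cisco ASA and an IOS
router from their 'show' output. All sample output below is constructed."""
import re
from collections import defaultdict

MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"

# ASA 8.x 'show interface' / 'show arp' line shapes
ASA_IF_RE = re.compile(r'^Interface (\S+) "[^"]*"')
ASA_MAC_RE = re.compile(r"MAC address " + MAC, re.I)
ASA_ARP_RE = re.compile(r"^\s*(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+" + MAC + r"\s+\S+\s*$", re.I)
# IOS 15 'show interfaces' / 'show ip arp' line shapes
IOS_IF_RE = re.compile(r"^(\S+) is (?:up|down|administratively down)")
IOS_MAC_RE = re.compile(r"address is " + MAC + r" \(bia", re.I)
IOS_ARP_RE = re.compile(r"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+" + MAC + r"\s+ARPA\s+(\S+)", re.I)


def parse_interfaces(text, if_re, mac_re):
    """Map each physical interface to the MAC it is currently using."""
    macs, current = {}, None
    for line in text.splitlines():
        m = if_re.match(line)
        if m:
            current = m.group(1)
            continue
        m = mac_re.search(line)
        if m and current:
            macs[current] = m.group(1).lower()
    return macs


def parse_asa_arp(text):
    """ASA rows are '<nameif> <ip> <mac> <age>'; returns (iface, ip, mac)."""
    rows = (ASA_ARP_RE.match(line) for line in text.splitlines())
    return [(m.group(1), m.group(2), m.group(3).lower()) for m in rows if m]


def parse_ios_arp(text):
    """IOS rows with age '-' are the router's own addresses (own MAC, skipped)."""
    out = []
    for line in text.splitlines():
        m = IOS_ARP_RE.match(line)
        if m and m.group(2) != "-":
            out.append((m.group(4), m.group(1), m.group(3).lower()))
    return out


def analyze(devices):
    """devices: {name: (iface->mac, [(iface, ip, mac), ...])}. Reports
    'duplicate-mac' (one MAC on several ports) and 'neighbor-is-self'
    (a device resolves a neighbor IP to a MAC it owns itself)."""
    owners = defaultdict(list)
    for dev, (macs, _) in devices.items():
        for iface, mac in macs.items():
            owners[mac].append((dev, iface))
    findings = [("duplicate-mac", mac, tuple(sorted(who)))
                for mac, who in sorted(owners.items()) if len(who) > 1]
    for dev, (macs, arp) in devices.items():
        own = {mac: iface for iface, mac in macs.items()}
        for iface, ip, mac in arp:
            if mac in own:
                findings.append(("neighbor-is-self", dev, iface, ip, mac, own[mac]))
    return findings


# Constructed output with made-up MACs. 0000.0c11.2233 is the ASA's
# GigabitEthernet0/0 address, which the router's WAN port has been set to clone.
ASA_SHOW_INTERFACE = """\
Interface GigabitEthernet0/0 "Outside", is up, line protocol is up
        MAC address 0000.0c11.2233, MTU 1500
Interface GigabitEthernet0/1 "Inside", is up, line protocol is up
        MAC address 0000.0c11.2234, MTU 1500
"""
ASA_SHOW_ARP = """\
        Outside 10.0.0.1 0000.0c44.5566 5
        Inside 172.31.1.5 0050.5600.0001 21
"""
IOS_SHOW_INTERFACES = """\
GigabitEthernet0/0 is up, line protocol is up
  Hardware is MV96340 Ethernet, address is 0000.0c11.2233 (bia 0000.0c44.5565)
GigabitEthernet0/1 is up, line protocol is up
  Hardware is MV96340 Ethernet, address is 0000.0c44.5566 (bia 0000.0c44.5566)
"""
IOS_SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.0.1                -   0000.0c44.5566  ARPA   GigabitEthernet0/1
Internet  10.0.0.2                0   0000.0c11.2233  ARPA   GigabitEthernet0/1
"""
# Assumed fix: 'no mac-address' on the router's GigabitEthernet0/0, after which
# the port falls back to its burned-in (bia) address.
IOS_SHOW_INTERFACES_FIXED = IOS_SHOW_INTERFACES.replace(
    "address is 0000.0c11.2233 (bia", "address is 0000.0c44.5565 (bia")


def run_check(ios_interfaces=IOS_SHOW_INTERFACES):
    """Run the comparison for the two devices in the thread, asa01 and isr01."""
    devices = {
        "asa01": (parse_interfaces(ASA_SHOW_INTERFACE, ASA_IF_RE, ASA_MAC_RE),
                  parse_asa_arp(ASA_SHOW_ARP)),
        "isr01": (parse_interfaces(ios_interfaces, IOS_IF_RE, IOS_MAC_RE),
                  parse_ios_arp(IOS_SHOW_IP_ARP)),
    }
    return analyze(devices)
```

With the constructed output, `run_check()` returns two findings (the duplicate MAC on asa01 Gi0/0 and isr01 Gi0/0, and isr01's ARP entry for 10.0.0.2 pointing at its own Gi0/0 MAC) and `run_check(IOS_SHOW_INTERFACES_FIXED)` returns an empty list; in practice you paste real output into the four strings. Skipping the age "-" rows matters: IOS lists its own interface addresses in `show ip arp` with its own MAC, and without that exclusion every router would be reported as its own neighbor. One unrelated caveat from the working config posted above: it defines `Outside_access_in` (the Xbox Live inbound rules) but never binds it with `access-group Outside_access_in in interface Outside`, so inbound traffic on the lowest-security interface remains blocked by the ASA's implicit deny, and the 2821 only has overload PAT with no static port mapping for UDP 3074, so nothing from the Internet reaches the Xbox either way.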
