Solved

Cisco ASA can route via the management interface only?

Posted on 2010-09-01
Last Modified: 2012-06-27
I am trying to get my ASA to talk to my router, but they will only communicate if I have the ASA connected to the router via the management interface. If I connect the router to g0/0 I get 0 traffic.

LAN <--> ASA <--> Border Router <--> Internet

Why does it work great when I use the management interface, but not g0/0?

Just to note, I have g0/0 off, but it is supposed to have the exact same settings m0/0 has (hope that makes sense).


ASA Config:
ASA Version 8.2(2) 
!
hostname asa01
domain-name xxxxxxxxxx.net
enable password  encrypted
passwd encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 shutdown
 no nameif
 security-level 0
 ip address 192.168.1.1 255.255.255.252 
!
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 172.31.1.1 255.255.255.224 
!
interface GigabitEthernet0/2
 nameif WiFi
 security-level 75
 ip address 172.31.2.1 255.255.255.224 
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif Outside
 security-level 0
 ip address 10.0.0.2 255.255.255.252 
!
ftp mode passive
dns domain-lookup Inside
dns server-group DefaultDNS
 name-server 172.31.1.5
 name-server 172.31.1.10
 domain-name xxxxxxxxxx.net
same-security-traffic permit intra-interface
access-list Inside_access_in extended permit ip any any 
access-list WiFi_access_in extended permit ip any any 
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu WiFi 1500
mtu Inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
access-group WiFi_access_in in interface WiFi
access-group Inside_access_in in interface Inside
!
router eigrp 1
 network 10.0.0.0 255.255.255.252
 network 172.31.1.0 255.255.255.224
 network 172.31.2.0 255.255.255.224
 network 172.31.3.0 255.255.255.252
!
route Outside 0.0.0.0 0.0.0.0 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL 
http server enable
http 172.31.1.0 255.255.255.224 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 172.31.1.0 255.255.255.224 Inside
ssh timeout 30
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username password encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:
: end
asdm history enable



2821 Config:
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname isr01
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local 
!
!
!
!
!
aaa session-id common
!
!
!
!
dot11 syslog
no ip source-route
!
!
ip cef
!
!
no ip bootp server
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip port-map user-xbox port udp 3074
ip port-map user-stb port tcp from 35000 to 35002 
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
!
crypto pki trustpoint TP-self-signed-666243818
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-666243818
 revocation-check none
 rsakeypair TP-self-signed-666243818
!
!
!
!
archive
 log config
  hidekeys
username privilege 15 secret 5
!
redundancy
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
! 
!
!
!
!
!
!
!
interface Null0
 no ip unreachables
!
interface GigabitEthernet0/0
 description $ETH-WAN$
 ip address dhcp client-id GigabitEthernet0/0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
 !
!
interface GigabitEthernet0/1
 description $ETH-LAN$
 ip address 10.0.0.1 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
 !
!
interface FastEthernet0/2/0
 shutdown
 !
!
interface FastEthernet0/2/1
 shutdown
 !
!
interface FastEthernet0/2/2
 shutdown
 !
!
interface FastEthernet0/2/3
 shutdown
 !
!
interface Vlan1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip virtual-reassembly
 !
!
!
router eigrp 1
 network 10.0.0.0 0.0.0.3
 auto-summary
!
no ip classless
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip dns server
ip dns spoofing
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 172.31.1.0 255.255.255.224 172.31.1.1
!
logging trap debugging
access-list 1 permit 172.31.1.0 0.0.0.31
access-list 1 permit 172.31.2.0 0.0.0.31
access-list 1 permit 172.31.3.0 0.0.0.3
access-list 1 permit 10.0.0.0 0.0.0.3
access-list 100 permit ip 172.31.1.0 0.0.0.31 any
access-list 100 deny   ip any any
no cdp run

!
!
!
!
!
!
control-plane
 !
!
!
!
mgcp fax t38 ecm
mgcp behavior g729-variants static-pt
!
!
!
!
!
gatekeeper
 shutdown
!
banner login 
*************************************
*-This network is for test purposes-*
*-Unauthorized access is prohibited-*
*-Please logout now if you are not--*
*--------an authorized user---------*
*************************************


!
line con 0
 login authentication local_authen
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 access-class 100 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
line vty 5 15
 access-class 100 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler allocate 20000 1000
end


0
Question by:djroketboy
17 Comments
 
LVL 15

Expert Comment

by:bkepford
ID: 33580916
Your gig 0/0 is shut down and the nameif is not set to Outside. Do a "no nameif" on your management interface and then you should be able to use the following on your gig0/0 interface. See commands below.

interface Management0/0
no nameif Outside

interface GigabitEthernet0/0
 no shutdown
 nameif Outside
0
 

Author Comment

by:djroketboy
ID: 33581017
Sorry, yeah, I thought I made that clear in my post: the config I posted is "as working" with the management interface. When I turn on g0/0, name it "Outside", all traffic stops; I switch the wire in the back and get 0 connectivity between g0/0 and the router.

Nothing else changes; ACLs stay, routes stay....
0
 
LVL 15

Expert Comment

by:bkepford
ID: 33581047
Oh, and also:

interface Management0/0
 no ip address
interface GigabitEthernet0/0
 ip address 10.0.0.2 255.255.255.252

0
 
LVL 15

Expert Comment

by:bkepford
ID: 33581060
Did you do a "no nameif" on the management interface? You are only allowed one Outside interface.
0
 

Author Comment

by:djroketboy
ID: 33581089
Yes, this is what I do:

conf t
int m0/0
no nameif
no ip address
shut
int g0/0
no ip address
ip address 10.0.0.2 255.255.255.252
nameif Outside
shut
no shut

Then I go and switch the cable in the back of the ASA, so it goes from g0/1 on the router to g0/0 on the ASA.
0
 
LVL 15

Expert Comment

by:bkepford
ID: 33581120
Tell me what you do when you hook up the gig0/0 interface. The changes that I would make are as follows:

interface Management0/0
 no nameif
 no ip address
 security-level 100
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.0.0.2 255.255.255.252
 no shutdown

0
 
LVL 15

Expert Comment

by:bkepford
ID: 33581142
Are you using a crossover cable?
0
 

Author Comment

by:djroketboy
ID: 33581163
No, do I need to make one?

I'm currently disconnected and posting from my phone.

I will post new configuration in a minute.
0
 
LVL 15

Expert Comment

by:bkepford
ID: 33581198
Yes, the management interface is probably set up to attach directly to a PC. The gig interfaces are made to plug into switches. You can either connect the gig port directly to a router via a crossover cable or connect both of them to the same switch (or VLAN).
0
 

Author Comment

by:djroketboy
ID: 33581370
Made a crossover cable, tested it, and still no data flow.

Here is my config with g0/0 active.

[code]

ASA Version 8.2(2)
!
hostname asa01
domain-name xxxxxxxxxx.net
enable password encrypted
passwd encrypted
names
name 172.31.1.10 Syndrome
name 172.31.1.5 Mirage
name 172.31.3.2 Xbox
dns-guard
!
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 10.0.0.2 255.255.255.252
!
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 172.31.1.1 255.255.255.224
!
interface GigabitEthernet0/2
 nameif WiFi
 security-level 75
 ip address 172.31.2.1 255.255.255.224
!
interface GigabitEthernet0/3
 nameif Xbox
 security-level 25
 ip address 172.31.3.1 255.255.255.252
!
interface Management0/0
 shutdown
 no nameif
 security-level 100
 no ip address
!
ftp mode passive
dns domain-lookup Inside
dns server-group DefaultDNS
 name-server Mirage
 name-server Syndrome
 domain-name xxxxxxxxxx.net
same-security-traffic permit intra-interface
object-group service XboxLive-Out_tcp tcp
 port-object eq 3074
 port-object eq domain
 port-object eq www
 port-object eq https
object-group service XboxLive-Out_upd udp
 port-object eq 3074
 port-object eq 88
 port-object eq domain
object-group service XboxLive-In_tcp tcp
 port-object eq 3074
object-group service XboxLive-In_udp udp
 port-object eq 3074
object-group icmp-type XboxLive_icmp
 icmp-object unreachable
 icmp-object source-quench
 icmp-object time-exceeded
access-list Inside_access_in extended permit ip any any
access-list WiFi_access_in extended permit ip any any
access-list Outside_access_in extended permit udp any any object-group XboxLive-In_udp
access-list Outside_access_in extended permit icmp any any object-group XboxLive_icmp
access-list Xbox_access_in extended permit udp any any object-group XboxLive-Out_upd
access-list Xbox_access_in extended permit tcp any any object-group XboxLive-Out_tcp
access-list Xbox_access_in extended permit udp any object-group XboxLive-In_udp any
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu WiFi 1500
mtu Inside 1500
mtu Xbox 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
access-group WiFi_access_in in interface WiFi
access-group Inside_access_in in interface Inside
access-group Xbox_access_in in interface Xbox
!
router eigrp 1
 network 10.0.0.0 255.255.255.252
 network 172.31.1.0 255.255.255.224
 network 172.31.2.0 255.255.255.224
 network 172.31.3.0 255.255.255.252
!
route Outside 0.0.0.0 0.0.0.0 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 172.31.1.0 255.255.255.224 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 172.31.1.0 255.255.255.224 Inside
ssh timeout 30
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username password encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:
: end
asdm history enable
[/code]
0
 

Author Comment

by:djroketboy
ID: 33581897
I just found this while googling: http://www.experts-exchange.com/Hardware/Networking_Hardware/Cables/Q_24493861.html

So a regular cable will work; there has to be something I'm missing?
0
 
LVL 7

Expert Comment

by:rcombis
ID: 33582027
Cable should be fine.

In your initial config I saw that the router and the ASA had different IP subnets on the interfaces you want to connect:

ASA
interface GigabitEthernet0/0
 shutdown
 no nameif
 security-level 0
 ip address 192.168.1.1 255.255.255.252

interface Management0/0
 nameif Outside
 security-level 0
 ip address 10.0.0.2 255.255.255.252

Router

interface GigabitEthernet0/1
 description $ETH-LAN$
 ip address 10.0.0.1 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled


One is on 192.168.x.x and one on 10.x.x.x.

Maybe I misread, but just my 2 cents!


0
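The points the experts have asked the poster to verify so far (only one interface carrying the Outside nameif, that interface not shut down, and the interface holding the default route sitting in the same subnet as its next hop) can be checked mechanically. The script below is an added example written for this thread, not code posted by any participant. It parses an ASA 8.x style running-config and reports those conditions; the "working" sample is the poster's first config, abridged, and the "broken" sample is a constructed variant that combines all three mistakes. nameif values are compared case-insensitively, which matches how the ASA treats them.

```python
"""Added example for this thread (not code from any participant): a sanity check
for the ASA interface/route conditions raised above. It parses an ASA 8.x style
running-config and reports when
  * the same nameif is applied to more than one interface,
  * the interface that a 'route' statement points at is shut down or has no IP, or
  * the route's next hop does not lie in that interface's subnet."""
import ipaddress
import re

# Constructed sample 1: the poster's first ASA config, abridged. Management0/0
# is the working Outside interface; GigabitEthernet0/0 is shut and unnamed.
WORKING_CONFIG = """\
interface GigabitEthernet0/0
 shutdown
 no nameif
 security-level 0
 ip address 192.168.1.1 255.255.255.252
!
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 172.31.1.1 255.255.255.224
!
interface Management0/0
 nameif Outside
 security-level 0
 ip address 10.0.0.2 255.255.255.252
!
route Outside 0.0.0.0 0.0.0.0 10.0.0.1 1
"""

# Constructed sample 2: a deliberately broken variant in which 'Outside' was
# added to GigabitEthernet0/0 without being removed from Management0/0, the
# interface was left shut down, and it kept the 192.168.1.1/30 address.
BROKEN_CONFIG = WORKING_CONFIG.replace(
    "interface GigabitEthernet0/0\n shutdown\n no nameif",
    "interface GigabitEthernet0/0\n shutdown\n nameif Outside")


def parse_interfaces(config):
    """Map physical interface -> {'nameif', 'ip', 'shutdown'} from an ASA config."""
    interfaces = {}
    current = None
    for line in config.splitlines():
        header = re.match(r"^interface (\S+)", line)
        if header:
            current = {"nameif": None, "ip": None, "shutdown": False}
            interfaces[header.group(1)] = current
            continue
        if current is None or not line.startswith(" "):
            current = None  # left the interface stanza ('!' or a global command)
            continue
        cmd = line.strip()
        addr = re.match(r"^ip address (\S+) (\S+)$", cmd)
        if cmd == "shutdown":
            current["shutdown"] = True
        elif cmd.startswith("nameif "):
            current["nameif"] = cmd.split()[1].lower()  # nameif is not case-sensitive
        elif addr:
            current["ip"] = ipaddress.ip_interface(f"{addr.group(1)}/{addr.group(2)}")
    return interfaces


def parse_routes(config):
    """Return (nameif, next_hop) for every static 'route' statement."""
    routes = []
    for line in config.splitlines():
        m = re.match(r"^route (\S+) (\S+) (\S+) (\S+)", line)
        if m:
            routes.append((m.group(1).lower(), ipaddress.ip_address(m.group(4))))
    return routes


def check_config(config):
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    interfaces = parse_interfaces(config)
    owner = {}  # nameif -> first physical interface carrying it
    for ifname, data in interfaces.items():
        name = data["nameif"]
        if name is None:
            continue
        if name in owner:
            findings.append(f"nameif {name} is used on both {owner[name]} and {ifname}")
        else:
            owner[name] = ifname
    for nameif, next_hop in parse_routes(config):
        ifname = owner.get(nameif)
        if ifname is None:
            findings.append(f"route via {nameif} but no interface carries that nameif")
            continue
        data = interfaces[ifname]
        if data["shutdown"]:
            findings.append(f"{ifname} ({nameif}) carries a route but is shut down")
        if data["ip"] is None:
            findings.append(f"{ifname} ({nameif}) has no IP address")
        elif next_hop not in data["ip"].network:
            findings.append(f"next hop {next_hop} is outside {ifname}'s subnet {data['ip'].network}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("working", WORKING_CONFIG), ("broken", BROKEN_CONFIG)):
        print(f"{label}: {check_config(cfg) or ['no findings']}")
```

Run it against a pasted `show running-config` and an empty findings list means the interface side of the problem is not where the fault lies, which is exactly where this thread ended up: the poster's corrected config passes these checks, and the real cause was at layer 2.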
 

Author Comment

by:djroketboy
ID: 33582133
Yeah, ignore the first ASA config; the updated one is what I should have posted the first time. I'm new at asking for help; normally I can just figure it out, but this has me really stumped.

I have even wiped the ASA and started from scratch, but no matter what I've tried, g0/0 will not pass traffic to the router.

I have even tested removing the router, making g0/0 DHCP (from my ISP), turning on NAT, and the ASA passes traffic just fine over g0/0.
0
 
LVL 8

Expert Comment

by:Saineolai
ID: 33582403
Are you seeing any packets inbound and outbound in the interface statistics when you have them connected together?

What MAC addresses are you seeing on each device in the ARP caches?
0
 
LVL 7

Expert Comment

by:rcombis
ID: 33582634
When you plug the cable in, are the interface lights blinking? I am not at the office to look at my ASA to be sure, but I think when you plug in it should indicate that there is a physical connection on both devices.
0
 

Accepted Solution

by:djroketboy (earned 0 total points)
ID: 33583036
I think I have it solved! I have it connected with ASA g0/0 to router g0/1 (the way I want), and now it's working.

Saineolai, you led me in the right direction. I was cloning the MAC address of the ASA on the router (int g0/0) because I have FiOS and they are weird about releasing IPs. I removed the MAC clone on the router and cleared the ARP cache on the ASA. I reconnected ASA g0/0 to router g0/1. Now traffic is flowing over the ASA.
0
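Saineolai's ARP-cache question is the check that found the fault, and it can be automated. The script below is an added example for this thread, not code from any participant: it parses ASA `show arp` and IOS `show ip arp` output and flags a neighbour that resolves to the device's own interface MAC (what a cloned MAC on the peer produces) as well as one MAC answering for several addresses. All ARP output and MAC addresses are constructed samples; the thread does not show the real ones.

```python
"""Added example for this thread (not code from any participant): cross-check the
ARP caches of two directly connected devices for the MAC clash that turned out to
be the cause here. It flags (a) a neighbour that resolves to the MAC of the local
interface itself and (b) one MAC answering for several IP addresses."""
import re
from collections import defaultdict

# Constructed sample in the shape of ASA 'show arp' output (nameif, IP, MAC, age).
ASA_SHOW_ARP = """\
        Outside 10.0.0.1 0011.2233.aabb 2
        Inside 172.31.1.5 0050.56aa.0105 120
        Inside 172.31.1.10 0050.56aa.010a 87
"""
# Constructed: the ASA's own interface MACs, as read from 'show interface'.
ASA_OWN_MACS = {"Outside": "0011.2233.aabb", "Inside": "0011.2233.aabc"}

# Constructed sample in the shape of IOS 'show ip arp'. Age '-' marks the
# router's own address. The router answers for 10.0.0.1 with the ASA's MAC,
# which is the condition a cloned MAC produces.
ROUTER_SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.0.1                -   0011.2233.aabb  ARPA   GigabitEthernet0/1
Internet  10.0.0.2                1   0011.2233.aabb  ARPA   GigabitEthernet0/1
"""
# Constructed: the router's LAN interface carrying the cloned ASA MAC.
ROUTER_OWN_MACS = {"GigabitEthernet0/1": "0011.2233.aabb"}

MAC = r"([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})"
ASA_ARP_RE = re.compile(r"^\s*(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+" + MAC + r"\s+\d+\s*$")
IOS_ARP_RE = re.compile(r"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+" + MAC + r"\s+ARPA\s+(\S+)\s*$")


def parse_asa_arp(text):
    """ASA 'show arp' -> list of (interface, ip, mac)."""
    entries = []
    for line in text.splitlines():
        m = ASA_ARP_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), m.group(3).lower()))
    return entries


def parse_ios_arp(text):
    """IOS 'show ip arp' -> list of (interface, ip, mac); skips the router's own
    addresses (age '-'), which legitimately carry its own MAC."""
    entries = []
    for line in text.splitlines():
        m = IOS_ARP_RE.match(line)
        if m and m.group(2) != "-":
            entries.append((m.group(4), m.group(1), m.group(3).lower()))
    return entries


def find_mac_conflicts(entries, own_macs):
    """entries: (interface, ip, mac) learned from neighbours; own_macs: this
    device's own interface -> MAC. Returns a list of findings."""
    findings = []
    ips_by_mac = defaultdict(set)
    for iface, ip, mac in entries:
        ips_by_mac[mac].add(ip)
        if own_macs.get(iface, "").lower() == mac:
            findings.append(f"{iface}: neighbour {ip} resolves to this device's own MAC {mac}")
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1:
            findings.append(f"MAC {mac} answers for {len(ips)} addresses: {', '.join(sorted(ips))}")
    return findings


if __name__ == "__main__":
    print("ASA:", find_mac_conflicts(parse_asa_arp(ASA_SHOW_ARP), ASA_OWN_MACS))
    print("router:", find_mac_conflicts(parse_ios_arp(ROUTER_SHOW_IP_ARP), ROUTER_OWN_MACS))
```

Feed it the two outputs from each side of the link; a hit on either device points at a duplicated MAC (cloned, or a shared base MAC across router ports) rather than at the cabling or the ASA interface config, which is the distinction the earlier replies in this thread were trying to make.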
 
LVL 15

Expert Comment

by:bkepford
ID: 33587055
That would do it; glad you got it worked out. I am sure that it would confuse the ASA to be forwarding to a MAC address that it thought was directly attached.
0
