Route forwarding thru ASA 5510

We have an ASA 5510 on our network we use as our gateway to the internet. Now we have added another network with a router between us and it (Cisco 1812). We can access their network when we add a static route on the machine to point the 10.1.1.1 network to our router 10.0.0.2.
I don't want to keep adding static routes on the machine. I want the PIX to handle it.
I added a static route to the PIX and that doesn't seem to work.
Can anyone help me see what I am missing?

ASA Version 8.2(1)
!
hostname ciscoasa
enable password xxxx encrypted
passwd xxxx encrypted
names
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address xx.xx.151.106 255.255.255.252
!
interface Ethernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 nameif Inside
 security-level 100
 ip address 10.0.0.245 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
pager lines 24
logging asdm informational
mtu management 1500
mtu Inside 1500
mtu Outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 1 interface
nat (Inside) 1 10.0.0.0 255.255.255.0
route Outside 0.0.0.0 0.0.0.0 75.76.151.105 1
route Inside 10.1.1.0 255.255.255.0 10.0.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 10.0.0.0 255.255.255.0 Inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username xxxxxx password xxxx encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
: end
Asked by: ParadiseFound
 
Ken Boone (Network Consultant) commented:
So I think it's like this:

ASA Inside Interface 10.0.0.245
    |
    |
10.0.0.x network
    |
    |
1841 router 10.0.0.2 interface
1841 router 10.1.1.x interface
   |
   |
10.1.1.x network

If my drawing is correct then this is what needs to happen:

#1) all users on 10.1.1.x network have default gateway of 10.1.1.x interface on 1841 router
#2) 1841 router has default route pointing to 10.0.0.245 interface of ASA
#3)  ASA needs static route to 10.1.1.x pointing to 10.0.0.x interface of 1841 router
   (looks like you got this)
#4)  if the 10.1.1.x network needs to get to the internet you need to allow them to nat:
nat (inside) 1 10.1.1.0 255.255.255.0

That should do it.
 
Ernie Beek (Expert) commented:
Well, the ASA is a firewall, not a router.
Don't you use DHCP on your network? You could easily let the DHCP server hand out that route.
 
Cheever000 commented:
This is the good old same-security-traffic permit intra-interface command. It lets the traffic turn around at the interface; otherwise it will not be able to re-route the traffic back through the same subnet. This is a standard issue with ASA and hairpin routing; that command should make that work for you.
 
Cheever000 commented:
To add on, here is an article explaining the use of same-security-permit intra-interface commands:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml
Question has a verified solution.
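
An added example, not from the thread or from Cisco: a Python check that reads an ASA 8.2-style config and reports, for each non-default static route, whether the intra-interface command Cheever000 names is present and whether a nat rule covers the routed subnet as in Ken Boone's step #4. The sample config is constructed from lines in the question; the function name, the case-insensitive name matching and the rule that default routes are skipped are assumptions of this example.

```python
import ipaddress

# Constructed sample: interface, NAT and route lines taken from the posted config.
SAMPLE_CONFIG = """\
interface Ethernet0/3
 nameif Inside
 security-level 100
 ip address 10.0.0.245 255.255.255.0
nat (Inside) 1 10.0.0.0 255.255.255.0
route Inside 10.1.1.0 255.255.255.0 10.0.0.2 1
"""

def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def audit_hairpin(config):
    """Report each non-default static route and whether the ASA can U-turn it."""
    connected, nat_nets, routes, nameif, permit_intra = {}, {}, [], None, False
    for line in config.splitlines():
        tok = line.split()
        try:
            if tok[0] == "interface":
                nameif = None  # new interface block, forget the previous name
            elif tok[0] == "nameif":
                nameif = tok[1].lower()  # names compared case-insensitively here
            elif tok[:2] == ["ip", "address"] and nameif:
                connected[nameif] = _net(tok[2], tok[3])
            elif tok[0] == "nat" and tok[2] != "0":
                name = tok[1].strip("()").lower()
                nat_nets.setdefault(name, []).append(_net(tok[3], tok[4]))
            elif tok[0] == "route":
                routes.append((tok[1].lower(), _net(tok[2], tok[3]), ipaddress.ip_address(tok[4])))
            elif tok == ["same-security-traffic", "permit", "intra-interface"]:
                permit_intra = True
        except (ValueError, IndexError):
            continue  # blank lines, redacted addresses (xx.xx...) or forms not handled here
    findings = []
    for iface, dest, hop in routes:
        if dest.prefixlen == 0:
            continue  # assumption: a default route points upstream, not back inside
        findings.append({
            "iface": iface, "dest": str(dest), "next_hop": str(hop),
            "hop_on_connected": iface in connected and hop in connected[iface],
            "intra_interface_permitted": permit_intra,
            "nat_covers_dest": any(dest.subnet_of(n) for n in nat_nets.get(iface, [])),
        })
    return findings
```

On the posted lines, the 10.1.1.0/24 route is reported with both `intra_interface_permitted` and `nat_covers_dest` false.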