Solved

Network between two ASA 5550

Posted on 2011-10-15
Last Modified: 2012-05-12
Hello

Please, I have two ASA 5550, one in each building. The internet bandwidth is low, so I cannot connect the two ASAs over the internet. I connected the two ASA 5550 by a wireless connection, so now in each ASA I have three ports in use:

1- Outside, for internet (it works now)

Building one ASA outside IP address is
IP  X.X.240.98
Mask 255.255.255.240
GW X.X.240.97

Building two ASA outside IP address is
IP  X.X.240.146
Mask 255.255.255.240
GW X.X.240.145

2- Inside, for the inside network (it works now)

Building one ASA inside IP address is
IP address 192.168.0.1    (network 192.168.0.0)
Mask 255.255.255.0

Building two ASA inside IP address is
IP address 172.16.0.1    (network 172.16.0.0)
Mask 255.255.255.0

3- Loop (used to connect between the ASAs)

Building one ASA Loop IP address is
IP address 200.200.200.1
Mask 255.255.255.0

Building two ASA Loop IP address is
IP address 200.200.200.2
Mask 255.255.255.0

Please, my problem now is how I can make network 192.168.0.0 connect to network 172.16.0.0.

I mean I need to make a connection between the two networks.
Please, what do I need to do (what configuration do I need in each ASA to do that)?

Regards

Two-ASA.jpg

Question by:nasemabdullaa

31 Comments
LVL 10

Accepted Solution

by:
ienaxxx earned 668 total points
ID: 36975029
I think you should simply make two static routes and adjust the ACLs.

Something like: routing towards the second building's network, pointing to the second building's ASA, when configuring the first.
Then make proper ACLs in the second building's ASA to allow the first building's network to access the inside.

Then do the opposite to allow the 2nd building's net to access the first.

HTH.

Author Comment

by:nasemabdullaa
ID: 36975043
Hello

Thank you for your reply.
Please, can you explain more (do I need to add the static route on the inside interface or on the loop interface)?

Also, what ACL do I need to add?

Regards
LVL 37

Expert Comment

by:ArneLovius
ID: 36976047
If the wireless connection is a public connection, then I would build a VPN between the two ASA devices and set up suitable NAT 0 rules for the traffic.

If the connection is private, then I would use routers rather than the ASAs.


Author Comment

by:nasemabdullaa
ID: 36976066
Hello
Please, I have ASA 5550 and I need to do that with the ASA.

Please, can you advise me on VPN for the ASA? (I need to know what IPs to use in the VPN; I have three networks:
192.168.0.0, 172.16.0.0 and between the ASAs 200.200.200.0.)


Regards
LVL 37

Expert Comment

by:ArneLovius
ID: 36976218
You have not said if the wireless connection is public or private.

Are the ASAs 5505 or 5550?
LVL 5

Expert Comment

by:mlchelp
ID: 36976294
Just run the site-to-site VPN wizard in ASDM on both sides; it's very easy and straightforward. On one side make the peer address 200.200.200.1 and on the other 200.200.200.2, then pick the inside subnets 192.168.0.0 and 172.16.0.0. Make sure the encryption settings match and the pre-shared key is the same on both sides. This will take care of everything; no need for routes etc.
LVL 37

Expert Comment

by:ArneLovius
ID: 36976349
@mlchelp

You will also need a NAT 0 statement on each side.
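Added example (my own code, not from the thread or from Cisco): a small Python checker that reads the routing-relevant parts of two ASA 7.x configs and verifies what the accepted answer asks for (a static route to the other building via the LOOP peer, and an ACL on the LOOP interface permitting the remote inside network) plus the NAT 0 exemption mentioned just above. The two configs it runs on are constructed to mirror the thread's addressing; the "broken" site A reuses its NAT-exemption ACL as the inbound LOOP ACL, whose entries are written local-to-remote and therefore never match traffic arriving from the peer.

```python
from ipaddress import ip_address, ip_interface, ip_network
# Constructed configs mirroring the thread's addressing (site A: inside 172.16.0.0/24, LOOP
# 200.200.200.1; site B: inside 192.168.0.0/24, LOOP 200.200.200.2). Not the author's dumps.
ASA_A_BROKEN = """\
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.16.0.1 255.255.255.0
interface Ethernet0/2
 nameif LOOP
 security-level 0
 ip address 200.200.200.1 255.255.255.0
access-list site_to_site_nat extended permit ip 172.16.0.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list site_to_site_nat
access-group site_to_site_nat in interface LOOP
route LOOP 192.168.0.0 255.255.255.0 200.200.200.2 1
"""
# Same site, but with a dedicated inbound ACL on LOOP written in the remote -> local direction.
ASA_A_FIXED = ASA_A_BROKEN.replace(
    "access-group site_to_site_nat in interface LOOP",
    "access-list LOOP_access_in extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0\n"
    "access-group LOOP_access_in in interface LOOP")
ASA_B = """\
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
interface GigabitEthernet0/2
 nameif LOOP
 security-level 0
 ip address 200.200.200.2 255.255.255.0
access-list LOOP_access_in extended permit ip 172.16.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list site_to_site_nat extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0
nat (inside) 0 access-list site_to_site_nat
access-group LOOP_access_in in interface LOOP
route LOOP 172.16.0.0 255.255.255.0 200.200.200.1 1
"""

def _addr(tok, i):
    """Parse one ACL address spec (any | host A | A MASK) at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ip_network(tok[i + 1]), i + 2
    return ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2

def parse_asa(text):
    """Pull interfaces, static routes, ACL entries, access-groups and nat 0 ACLs from an ASA 7.x config."""
    cfg = {"ifaces": {}, "routes": [], "acls": {}, "access_groups": {}, "nat0": set()}
    cur = None
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "interface":
            cur = {}
        elif line.startswith(" ") and cur is not None:  # sub-command of an interface block
            if tok[0] == "nameif":
                cfg["ifaces"][tok[1]] = cur
            elif tok[:2] == ["ip", "address"]:
                cur["addr"] = ip_interface(f"{tok[2]}/{tok[3]}")
        else:
            cur = None
            if tok[0] == "route" and len(tok) >= 5:
                cfg["routes"].append((tok[1], ip_network(f"{tok[2]}/{tok[3]}"), ip_address(tok[4])))
            elif tok[0] == "access-list" and tok[2:4] == ["extended", "permit"]:
                src, i = _addr(tok, 5)
                cfg["acls"].setdefault(tok[1], []).append((tok[4], src, _addr(tok, i)[0]))
            elif tok[0] == "access-group" and tok[2:4] == ["in", "interface"]:
                cfg["access_groups"][tok[4]] = tok[1]
            elif tok[0] == "nat" and tok[2:4] == ["0", "access-list"]:
                cfg["nat0"].add(tok[4])
    return cfg

def check_site(cfg, name, remote, peer_ip, link_if="LOOP"):
    """Findings for one ASA; an empty list means route, inbound ACL and NAT exemption are all present."""
    inside = cfg["ifaces"]["inside"]["addr"].network
    out = []
    # 1. Static route for the remote inside network out the link interface via the peer's address.
    if not any(i == link_if and n == remote and g == peer_ip for i, n, g in cfg["routes"]):
        out.append(f"{name}: missing 'route {link_if} {remote} via {peer_ip}'")
    # 2. LOOP is security-level 0, so the peer's traffic needs an inbound ACL permitting remote -> local inside.
    acl = cfg["acls"].get(cfg["access_groups"].get(link_if), [])
    if not any(p == "ip" and remote.subnet_of(s) and inside.subnet_of(d) for p, s, d in acl):
        rev = any(p == "ip" and inside.subnet_of(s) and remote.subnet_of(d) for p, s, d in acl)
        out.append(f"{name}: inbound ACL on {link_if} does not permit {remote} -> {inside}"
                   + (" (entries are reversed: written local -> remote)" if rev else ""))
    # 3. NAT exemption so inside -> remote-inside traffic leaves untranslated.
    if not any(inside.subnet_of(s) and remote.subnet_of(d)
               for a in cfg["nat0"] for _, s, d in cfg["acls"].get(a, [])):
        out.append(f"{name}: no 'nat (inside) 0' exemption for {inside} -> {remote}")
    return out

def check_pair(cfg_a, cfg_b, link_if="LOOP"):
    """Check both directions of a two-ASA link and return the combined findings."""
    def net(c): return c["ifaces"]["inside"]["addr"].network
    def link(c): return c["ifaces"][link_if]["addr"].ip
    return (check_site(cfg_a, "ASA-A", net(cfg_b), link(cfg_b), link_if)
            + check_site(cfg_b, "ASA-B", net(cfg_a), link(cfg_a), link_if))
```

Running `check_pair(parse_asa(ASA_A_BROKEN), parse_asa(ASA_B))` reports only the reversed inbound ACL on site A; with `ASA_A_FIXED` it returns an empty list.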
LVL 5

Expert Comment

by:mlchelp
ID: 36976362
The wizard adds it for you.

Author Comment

by:nasemabdullaa
ID: 36977650
Hello

Thank you for all the replies.
>>>are the ASA 5505 or 5550
Please, the ASA is a 5550.

>>>
you have not said if the wireless connection is public or private
Please, all users from network one need to get into network two and the opposite. Also I have static NAT in each ASA because I have a connection from outside to the SQL server.

>>>you will also need a NAT 0 statement on each side.
Please, can you explain more?

Please, any advice?

Regards
LVL 37

Expert Comment

by:ArneLovius
ID: 36980994
If you posted a suitably sanitised copy of the existing config for each device, it would be useful.

Author Comment

by:nasemabdullaa
ID: 36985199
ASA Version 7.2(3)                  
! 
hostname ciscoasa                 
domain-name default.domain.invalid                                  
enable password X.y0JGA9o6phmjQ6 encrypted                                          
names     
! 
interface Ethernet0/0                     
 nameif outside               
 security-level 0                 
 ip address 82.205.240.98 255.255.255.240                                         
! 
interface Ethernet0/1                     
 nameif inside              
 security-level 100                   
 ip address 172.16.0.1 255.255.255.0                                    
! 
interface Ethernet0/2                     
 nameif LOOP            
 security-level 0                 
 ip address 200.200.200.1 255.255.255.0                                       
! 
interface Ethernet0/3                     
 shutdown         
 no nameif          
 no security-level                  
 no ip address              
! 
interface Management0/0                       
 nameif management                  
 security-level 100                   
 ip address 192.168.1.1 255.255.255.0                                     
 management-only                
! 
passwd X.y0JGA9o6phmjQ6 encrypted                                 
ftp mode passive                
dns server-group DefaultDNS                           
 domain-name default.domain.invalid                                   
same-security-traffic permit inter-interface                                            
same-security-traffic permit intra-interface                                            
access-list outside_in extended permit tcp any host 82.205.240.102 eq 1433                                                                          
access-list LOOP_access_in extended permit ip any any                                                     
access-list LOOP_1_cryptomap extended permit ip 172.16.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24              
logging enable              
logging asdm informational                          
mtu outside 1500                
mtu inside 1500               
mtu management 1500                   
mtu LOOP 1500             
icmp unreachable rate-limit 1 burst-size 1                                          
asdm image disk0:/asdm-523.bin                              
no asdm history enable                      
arp timeout 14400                 
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound                                               
nat (inside) 1 0.0.0.0 0.0.0.0                              
static (inside,outside) 82.205.240.102 172.16.0.4 netmask 255.255.255.255                                                                         
access-group outside_in in interface outside                                            
access-group LOOP_access_in in interface LOOP                                             
route outside 0.0.0.0 0.0.0.0 82.205.240.97 1                                             
timeout xlate 3:00:00                     
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02                                                                 
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00                                                                              
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute                              
http server enable                  
http 172.16.0.0 255.255.255.0 inside                                    
http 192.168.1.0 255.255.255.0 management                                         
no snmp-server location                       
no snmp-server contact                      
snmp-server enable traps snmp authentication linkup linkdown coldstart                                                                      
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac                                                           
crypto map LOOP_map 1 match address LOOP_1_cryptomap                                                    
crypto map LOOP_map 1 set pfs                             
crypto map LOOP_map 1 set peer 200.200.200.2                                            
crypto map LOOP_map 1 set transform-set ESP-DES-SHA                                                   
crypto map LOOP_map interface LOOP
crypto isakmp enable LOOP                         
crypto isakmp policy 10                       
 authentication pre-share                         
 encryption des               
 hash sha         
 group 2        
 lifetime 86400               
telnet 172.16.0.0 255.255.255.0 inside                                      
telnet timeout 5                
ssh timeout 5             
console timeout 0                 
dhcpd dns 172.16.0.3 82.205.224.9                                 
! 
dhcpd address 172.16.0.20-172.16.0.120 inside                                             
dhcpd enable inside                   
! 
dhcpd address 192.168.1.2-192.168.1.254 management                                                  
dhcpd enable management                       
! 
! 
class-map inspection_default                            
 match default-inspection-traffic                                 
! 
! 
policy-map type inspect dns preset_dns_map                                          
 parameters           
  message-length maximum 512                            
policy-map global_policy                        
 class inspection_default                         
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
username nasem password M2PQQZooHuN7Zwvm encrypted
tunnel-group 200.200.200.2 type ipsec-l2l
tunnel-group 200.200.200.2 ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:595f65ff592ffd221c22bef0c4aa8f9c
: end


User Access Verification

Password:
Password:
ciscoasa> en
Password: ************
ciscoasa# show run
: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password X.y0JGA9o6phmjQ6 encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 82.205.240.146 255.255.255.224
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif LOOP
 security-level 0
 ip address 200.200.200.2 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_in extended permit tcp any host 82.205.240.148 eq 1433
access-list LOOP_access_in extended permit ip any any
access-list LOOP_20_cryptomap extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu LOOP 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 82.205.240.148 192.168.0.201 netmask 255.255.255.255
access-group outside_in in interface outside
access-group LOOP_access_in in interface LOOP
route outside 0.0.0.0 0.0.0.0 82.205.240.145 1
route inside 172.16.0.0 255.255.255.0 192.168.0.211 1
route inside 172.16.10.0 255.255.255.0 192.168.0.211 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username nasem password M2PQQZooHuN7Zwvm encrypted privilege 15
http server enable
http 192.168.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map LOOP_map 20 match address LOOP_20_cryptomap
crypto map LOOP_map 20 set pfs
crypto map LOOP_map 20 set peer 200.200.200.1
crypto map LOOP_map 20 set transform-set ESP-DES-SHA
crypto map LOOP_map interface LOOP
crypto isakmp enable LOOP
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
tunnel-group 200.200.200.1 type ipsec-l2l
tunnel-group 200.200.200.1 ipsec-attributes
 pre-shared-key *
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 192.168.0.3 82.205.224.9
!
dhcpd address 192.168.0.20-192.168.0.120 inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:ffd989d943227b2c69c586ff5434895b
: end
ciscoasa#



Dear EE

Please find attached the configuration on both sides.

The VPN is not working, and the VPN LED on the ASA is not working; it still shows no light for VPN.

Please, any help?

Regards

Author Comment

by:nasemabdullaa
ID: 36990465
Dear EE

Please, any help?


Regards
LVL 5

Expert Comment

by:mlchelp
ID: 36990561
nasemabdullaa

Is this a private wireless connection? You still have not answered that question. If it is private, then dump the VPN and just add a static route on each end.
On the 200.2 router do this:
no route inside 172.16.0.0 255.255.255.0 192.168.0.211 1
route loop 172.16.0.0 255.255.255.0 200.200.200.1 1
On the 200.1 router do this:
route loop 192.168.1.0 255.255.255.0 200.200.200.2 1
LVL 5

Expert Comment

by:mlchelp
ID: 36990577
Oops, got it backwards. Do this:

On the 200.2 router do this:
no route inside 172.16.0.0 255.255.255.0 192.168.0.211 1
route loop 192.168.1.0 255.255.255.0 200.200.200.1 1
On the 200.1 router do this:
route loop 172.16.0.0 255.255.255.0 200.200.200.2 1

Author Comment

by:nasemabdullaa
ID: 36990591
Hello

Thank you so much for your reply.

Please, I want to connect the two networks together (I have a SQL connection from site A to site B), and the connection uses internal IP addresses.

I mean all computers from site A need to connect to site B using IP address 192.168.0.201.
Please, I do not know if this is what you mean by private.

Please, can you explain what you mean?

Regards
Nasem

Author Comment

by:nasemabdullaa
ID: 36990594
Hello

>>>private wireless connection
Please, I need the two networks to be able to see each other.

Please, can you explain what you mean by private wireless connection?

Regards
LVL 5

Expert Comment

by:mlchelp
ID: 36990596
Private means: is the loop wireless connection used by you only, or is it used by the public?
LVL 5

Expert Comment

by:mlchelp
ID: 36990601
Explain the loop connection: are you using two wireless bridges?
LVL 5

Expert Comment

by:mlchelp
ID: 36990604
Is it used by your company only?

Author Comment

by:nasemabdullaa
ID: 36990609
Hello

Please, it is just to connect between the two buildings, just for my company; no one else from outside buildings A and B will connect to this wireless (just the A and B buildings).

Please, now all I need to do is remove the VPN and add the routes above? If I add them, will it work?

Regards

Author Comment

by:nasemabdullaa
ID: 36990622
Hello
>>>explain the loop conection are you using two wireless bridges

Please, I use two MikroTik wireless devices.

Regards
LVL 5

Assisted Solution

by:mlchelp
mlchelp earned 664 total points
ID: 36990625
Yes. Make sure you remove these as well on 202:

access-list LOOP_access_in extended permit ip any any
access-list LOOP_20_cryptomap extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0

On 201:

access-list LOOP_access_in extended permit ip any any
access-list LOOP_1_cryptomap extended permit ip 172.16.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.255.0 192.168.0.0 255.255.255.0

Author Comment

by:nasemabdullaa
ID: 36990637
Hello

Please, I will reset the ASA to factory default and make the new configuration (to remove the VPN). Then I will add the route.

Regards
Nasem
LVL 5

Expert Comment

by:mlchelp
ID: 36990701
Post the config again when you're done. Remember to hide the public IPs.

Author Comment

by:nasemabdullaa
ID: 36990787
Hello

>>>on the 200.2 router do this
route loop 192.168.1.0 255.255.255.0 200.200.200.1 1
>>>on the 200.1 router do this
route loop 172.16.0.0 255.255.255.0 200.200.200.2 1

Please, when I try to add the above route I get:
Cannot add route, connected route exists

Below is sh route:
C    200.200.200.0 255.255.255.0 is directly connected, LOOP
C    172.16.0.0 255.255.255.0 is directly connected, inside
C    82.205.240.96 255.255.255.240 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 82.205.240.97, outside


Please, any help?

Author Comment

by:nasemabdullaa
ID: 36991034
ciscoasa# sh run
: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
enable password X.y0JGA9o6phmjQ6 encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 82.205.240.146 255.255.255.224
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif LOOP
 security-level 0
 ip address 200.200.200.2 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd X.y0JGA9o6phmjQ6 encrypted
ftp mode passive
access-list outside_in extended permit tcp any host 82.205.240.148 eq 1433
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
mtu LOOP 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 82.205.240.148 192.168.0.201 netmask 255.255.255.255
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 82.205.240.145 1
route LOOP 172.16.0.0 255.255.255.0 200.200.200.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username admin password iVNFW4yy7AEuRtxE encrypted privilege 15
http server enable
http 192.168.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 192.168.0.3 82.205.224.9
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
dhcpd address 192.168.0.20-192.168.0.150 inside
dhcpd enable inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a8426070394933a0ae74b57a1e4b125c
: end
ciscoasa# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 82.205.240.145 to network 0.0.0.0

C    200.200.200.0 255.255.255.0 is directly connected, LOOP
S    172.16.0.0 255.255.255.0 [1/0] via 200.200.200.1, LOOP
C    82.205.240.128 255.255.255.224 is directly connected, outside
C    192.168.0.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 82.205.240.145, outside
ciscoasa#


User Access Verification

Password:
Type help or '?' for a list of available commands.
ciscoasa> en
Password: ************
ciscoasa# sh run
: Saved
:
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password X.y0JGA9o6phmjQ6 encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 82.205.240.98 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.16.0.1 255.255.255.0
!
interface Ethernet0/2
 nameif LOOP
 security-level 0
 ip address 200.200.200.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd X.y0JGA9o6phmjQ6 encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
mtu LOOP 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
route outside 0.0.0.0 0.0.0.0 82.205.240.97 1
route LOOP 192.168.0.0 255.255.255.0 200.200.200.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 172.16.0.0 255.255.255.0 inside
telnet 172.16.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 172.16.0.3 82.205.224.9
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
dhcpd address 172.16.0.20-172.16.0.150 inside
dhcpd enable inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
username admin password iVNFW4yy7AEuRtxE encrypted privilege 15
prompt hostname context
Cryptochecksum:fb670a2282bcb4a41316ae27ab867b89
: end
ciscoasa# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 82.205.240.97 to network 0.0.0.0

C    200.200.200.0 255.255.255.0 is directly connected, LOOP
C    172.16.0.0 255.255.255.0 is directly connected, inside
C    82.205.240.96 255.255.255.240 is directly connected, outside
S    192.168.0.0 255.255.255.0 [1/0] via 200.200.200.2, LOOP
S*   0.0.0.0 0.0.0.0 [1/0] via 82.205.240.97, outside
ciscoasa#



Please, I added the route but it's not working. Please, any help? I did all the suggestions but it is still not working.

I attached the sh run and sh route for both sides.

Please, any help?

Author Comment

by:nasemabdullaa
ID: 36991351
Hello EE

Please, any help?

Regards
LVL 5

Expert Comment

by:mlchelp
ID: 36994299
Provide a regular show run for 200.2. You have the route right, but it looks like the config on 200.2 is wrong.

Author Comment

by:nasemabdullaa
ID: 36997668
Hello

Thank you for your reply.
Please, below is sh run for both ASAs.

Any help?

Regards

ASA1 200.1
 
User Access Verification                        

Password:         
Type help or '?' for a list of available commands.                                                  
ciscoasa> en            
Password:         
Invalid password                
Password: ************                      
ciscoasa# sh run                
: Saved       
: 
ASA Version 7.2(3)                  
! 
hostname ciscoasa                 
domain-name default.domain.invalid                                  
enable password X.y0JGA9o6phmjQ6 encrypted                                          
names     
! 
interface Ethernet0/0                     
 nameif outside               
 security-level 0                 
 ip address 82.205.240.98 255.255.255.240                                         
! 
interface Ethernet0/1                     
 nameif inside              
 security-level 100                   
 ip address 172.16.0.1 255.255.255.0                                    
! 
interface Ethernet0/2                     
 nameif LOOP            
 security-level 0                 
 ip address 200.200.200.1 255.255.255.0                                       
! 
interface Ethernet0/3                     
 shutdown         
 no nameif          
 no security-level                  
 no ip address              
! 
interface Management0/0                       
 nameif management                  
 security-level 100                   
 ip address 192.168.1.1 255.255.255.0                                     
 management-only                
! 
passwd X.y0JGA9o6phmjQ6 encrypted                                 
ftp mode passive                
dns server-group DefaultDNS                           
 domain-name default.domain.invalid                                   
access-list site_to_site_nat extended permit ip 172.16.0.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24              
logging asdm informational
mtu management 1500                   
mtu outside 1500                
mtu inside 1500               
mtu LOOP 1500             
icmp unreachable rate-limit 1 burst-size 1                                          
asdm image disk0:/asdm-523.bin                              
no asdm history enable                      
arp timeout 14400                 
global (outside) 1 interface                            
nat (inside) 0 access-list site_to_site_nat                                           
nat (inside) 1 0.0.0.0 0.0.0.0                              
access-group site_to_site_nat in interface LOOP                                               
route outside 0.0.0.0 0.0.0.0 82.205.240.97 1                                             
route LOOP 192.168.0.0 255.255.255.0 200.200.200.2 1                                                    
timeout xlate 3:00:00                     
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02                                                               
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00                                                                              
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00                                                                               
timeout uauth 0:05:00 absolute                              
http server enable                  
http 172.16.0.0 255.255.255.0 inside                                    
http 192.168.1.0 255.255.255.0 management                                         
no snmp-server location                       
no snmp-server contact                      
snmp-server enable traps snmp authentication linkup linkdown coldstart                                                                      
telnet 172.16.0.0 255.255.255.0 inside                                      
telnet timeout 5                
ssh timeout 5             
console timeout 0                 
dhcpd dns 172.16.0.3 82.205.224.9
! 
dhcpd address 192.168.1.2-192.168.1.254 management                                                  
dhcpd enable management                       
! 
dhcpd address 172.16.0.20-172.16.0.150 inside                                             
dhcpd enable inside                   
! 
! 
class-map inspection_default                            
 match default-inspection-traffic                                 
! 
! 
policy-map type inspect dns preset_dns_map                                          
 parameters           
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
username admin password iVNFW4yy7AEuRtxE encrypted privilege 15
prompt hostname context
Cryptochecksum:30ebeb4657696f76b04e0cf200f6ea6d
: end
ciscoasa#




ASA2 200.2

 
ciscoasa(config)# exit
ciscoasa# sh run
: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password X.y0JGA9o6phmjQ6 encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 82.205.240.146 255.255.255.224
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif LOOP
 security-level 0
 ip address 200.200.200.2 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd X.y0JGA9o6phmjQ6 encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_in extended permit tcp any host 82.205.240.148 eq 1433
access-list site_to_site_nat extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
mtu LOOP 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list site_to_site_nat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 82.205.240.148 192.168.0.201 netmask 255.255.255.255
access-group outside_in in interface outside
access-group site_to_site_nat in interface LOOP
route outside 0.0.0.0 0.0.0.0 82.205.240.145 1
route LOOP 172.16.0.0 255.255.255.0 200.200.200.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username admin password iVNFW4yy7AEuRtxE encrypted privilege 15
http server enable
http 192.168.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 192.168.0.3 82.205.224.9
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
dhcpd address 192.168.0.20-192.168.0.150 inside
dhcpd enable inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a0a8a8237e47dfe3d3d83adccd052964
: end
ciscoasa#


0
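Both configurations above bind the NAT-exemption ACL `site_to_site_nat` inbound on the LOOP interface. That ACL is written from the inside interface's point of view (source = local LAN, destination = remote LAN), but a packet entering LOOP from the other building carries the opposite addresses, so a new connection from the far side never matches it and hits the implicit deny. The following is an added example, not code from the question or from the ASA: a small Python check that parses the posted `access-list` / `access-group` lines and evaluates the bound ACL the way the ASA does for a new connection arriving on an interface. The `LOOP_in` ACL name, the corrected lines and the sample host addresses are my own assumptions; ASA1 mirrors ASA2 with the two networks swapped.

```python
import ipaddress

# Lines quoted from the ASA2 configuration posted in the question.
# The NAT-exemption ACL is written from the inside interface's point of view
# (source = local inside, destination = remote inside) and is then re-used as
# the inbound interface ACL on LOOP.
ASA2_CONFIG = """
access-list site_to_site_nat extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0
nat (inside) 0 access-list site_to_site_nat
access-group site_to_site_nat in interface LOOP
"""

# Hypothetical corrected lines (constructed, not on the page): keep the exemption
# ACL for nat 0 and add a separate ACL that describes the traffic that actually
# enters LOOP, i.e. sourced from the remote LAN. ASA1 needs the mirror image.
ASA2_FIXED = """
access-list site_to_site_nat extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list LOOP_in extended permit ip 172.16.0.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list site_to_site_nat
access-group LOOP_in in interface LOOP
"""


def parse(config):
    """Return (acls, bindings).

    acls     : ACL name -> ordered list of (action, protocol, src_net, dst_net)
    bindings : interface name -> ACL name applied with 'in'
    Only the 'extended permit|deny ip <net> <mask> <net> <mask>' form used on
    this page is understood; other lines (nat, route, ...) are ignored.
    """
    acls, bindings = {}, {}
    for raw in config.strip().splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2] == "extended":
            name, action, proto = t[1], t[3], t[4]
            src = ipaddress.ip_network(f"{t[5]}/{t[6]}")   # dotted mask is accepted
            dst = ipaddress.ip_network(f"{t[7]}/{t[8]}")
            acls.setdefault(name, []).append((action, proto, src, dst))
        elif t[0] == "access-group" and t[2:4] == ["in", "interface"]:
            bindings[t[4]] = t[1]
    return acls, bindings


def interface_permits(config, interface, src_ip, dst_ip):
    """Emulate the ASA's first-match evaluation of the inbound interface ACL for a
    NEW connection entering `interface` (replies to established connections are
    passed by the stateful inspection and never reach this check).

    No ACL bound  -> True here (the security-level default is not modelled).
    ACL bound     -> first matching entry decides; no match -> implicit deny.
    """
    acls, bindings = parse(config)
    name = bindings.get(interface)
    if name is None:
        return True
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, proto, src_net, dst_net in acls.get(name, []):
        if proto == "ip" and s in src_net and d in dst_net:
            return action == "permit"
    return False


def audit_loop(config, local_lan, remote_lan):
    """Check LOOP for the direction that matters: a host on the remote LAN
    opening a connection to a host on the local LAN. Returns the verdict and the
    misleading 'would-permit' result for the reversed addresses."""
    remote_host = str(next(ipaddress.ip_network(remote_lan).hosts()))
    local_host = str(next(ipaddress.ip_network(local_lan).hosts()))
    return {
        "remote_to_local_allowed": interface_permits(config, "LOOP", remote_host, local_host),
        "local_to_remote_matches": interface_permits(config, "LOOP", local_host, remote_host),
    }


if __name__ == "__main__":
    print("posted config :", audit_loop(ASA2_CONFIG, "192.168.0.0/24", "172.16.0.0/24"))
    print("fixed config  :", audit_loop(ASA2_FIXED, "192.168.0.0/24", "172.16.0.0/24"))
```

On the posted config the audit reports `remote_to_local_allowed: False` while `local_to_remote_matches: True`, which is exactly why the ACL looks right when read next to the `nat 0` line but blocks every connection the other building tries to open. On the box itself the equivalent check is `packet-tracer input LOOP tcp <remote host> 1024 <local host> 80`, which shows the ACL phase dropping the packet.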
 

Author Comment

by:nasemabdullaa
ID: 36997675
Hello EE

Please any help

Regards
0
 
LVL 5

Assisted Solution

by:Feroz Ahmed
Feroz Ahmed earned 668 total points
ID: 37116812
Hi,

The configuration should be as below to communicate between 2 inside interfaces :

ASA(Config -t)#
ASA(Config -t)#access-list 101 permit icmp any any echo-reply  (For Communication from Inside to OutSide Network)
ASA(Config -t)#access-group 101 in interface outside
ASA(Config -t)#access-group 101 in interface ASA inside        (Once you configure this you should be able to ping from the 192.168.0.0 network to the 172.16.0.0 network.)
0
