• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 410

ASA 5520 routing

We are trying to set up an ASA 5520 to route traffic from our wireless network (192.168.10.0) to our internet. I am pretty new to network administration and not really sure I need to deal with this. I have created a static NAT from 192.168.10.10 to 157.116.123.172 but I still cannot see the 157 network. I also created a route from 10.10 to our firewall, which is also on the 157.116.123 network. Any help would be much appreciated. The guy who worked with the issues of connecting it to our 192.168.37.0 network is now gone. Here is the link to the issue that he posted.

http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_24402768.html
Asked by: MVLIS
1 Solution
 
Istvan Kalmar commented:
Hi,

Please show the config which is running now...
 
MVLIS (Author) commented:
Result of the command: "show running-config"

: Saved
:
ASA Version 8.0(5)
!
hostname ciscoasa
domain-name mvl.kmmfg.com
enable password sy9BBdr/2YBb9r9l encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.36.0 InternalMVL-network
name 192.168.38.168 SeanC
name 157.116.123.100 AS400
name 157.116.123.102 AS400HA
name 157.116.123.185 test
name 192.168.38.183 Mobile01
name 157.116.123.242 CribMaster
name 157.116.123.250 Firewall description Firewall
name 192.168.37.88 RGAScanComputer
!
interface GigabitEthernet0/0
 shutdown
 nameif Embarq
 security-level 100
 ip address 65.40.186.250 255.255.255.128
!
interface GigabitEthernet0/1
 nameif internalMVL
 security-level 75
 ip address 192.168.39.15 255.255.252.0
!
interface GigabitEthernet0/2
 nameif InternalWireless
 security-level 75
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 157.116.123.70 255.255.255.0
 management-only
!
boot system disk0:/asa831-k8.bin
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name mvl.kmmfg.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list internalMVL_nat0_outbound extended permit ip InternalMVL-network 255.255.255.248 any
access-list InternalWireless_nat_outbound extended permit ip any any
access-list InternalWireless_nat_outbound extended permit ip host 192.168.10.10 any
access-list internalMVL_nat_outbound extended permit ip host 192.168.10.0 any
access-list internalMVL_access_in extended permit ip any any
access-list InternalWireless_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu Embarq 1500
mtu internalMVL 1500
mtu InternalWireless 1500
mtu management 1500
ip local pool 192.168.39.40 192.168.39.50
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/ASDM-633.bin
no asdm history enable
arp timeout 14400
global (Embarq) 101 interface
global (internalMVL) 1 157.116.130.172 netmask 255.255.0.0
nat (internalMVL) 0 access-list internalMVL_nat0_outbound outside
nat (internalMVL) 1 access-list internalMVL_nat_outbound
nat (InternalWireless) 1 access-list InternalWireless_nat_outbound
nat (InternalWireless) 1 192.168.10.0 255.255.255.0
nat (management) 101 0.0.0.0 0.0.0.0
static (InternalWireless,internalMVL) 192.168.37.75 192.168.10.11 netmask 255.255.255.255
static (internalMVL,InternalWireless) 192.168.10.15 CribMaster netmask 255.255.255.255
static (internalMVL,InternalWireless) 192.168.10.16 Mobile01 netmask 255.255.255.255
access-group internalMVL_access_in in interface internalMVL
access-group InternalWireless_access_in in interface InternalWireless
route Embarq 0.0.0.0 0.0.0.0 65.40.186.241 1
route InternalWireless 192.168.10.10 255.255.255.255 157.116.123.131 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto isakmp enable internalMVL
crypto isakmp enable InternalWireless
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 Embarq
telnet 0.0.0.0 0.0.0.0 management
telnet 157.116.123.58 255.255.255.255 management
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 management
ssh 157.116.123.58 255.255.255.255 management
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
username admin password 37vnicbs41Qv0fJp encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2e5704c1a17b7787c525fca479b8349a
: end
 
Istvan Kalmar commented:
Hi,

This is a management interface, used only for management access; you need to move this address to another interface!
 
MVLIS (Author) commented:
So I need to put an IP address of the 157 scheme on another interface and then create another rule for it?
 
MVLIS (Author) commented:
It says that this IP address 157.116.123.253/255.255.255.0 cannot overlap with the subnet of the interface management. I tried different subnets but get the same error. Any way around this?
 
Istvan Kalmar commented:
157.116.123.253/24 overlaps 157.116.123.70/24
 
MVLIS (Author) commented:
Can I just uncheck "dedicate this interface to management only" for the 157.116.123.70? And if I do, would that cause any issues?
 
Istvan Kalmar commented:
you need:

no nat (InternalWireless) 1 access-list InternalWireless_nat_outbound
nat (InternalWireless) 0 access-list InternalWireless_nat_outbound
 
MVLIS (Author) commented:
Result of the command: "show running-config"

: Saved
:
ASA Version 8.0(5)
!
hostname ciscoasa
domain-name mvl.kmmfg.com
enable password sy9BBdr/2YBb9r9l encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.36.0 InternalMVL-network
name 192.168.38.168 SeanC
name 157.116.123.100 AS400
name 157.116.123.102 AS400HA
name 157.116.123.185 test
name 192.168.38.183 Mobile01
name 157.116.123.242 CribMaster
name 157.116.123.250 Firewall description Firewall
name 192.168.37.88 RGAScanComputer
!
interface GigabitEthernet0/0
 shutdown
 nameif Embarq
 security-level 100
 ip address 65.40.186.250 255.255.255.128
!
interface GigabitEthernet0/1
 nameif internalMVL
 security-level 75
 ip address 192.168.39.15 255.255.252.0
!
interface GigabitEthernet0/2
 nameif InternalWireless
 security-level 75
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 157.116.123.70 255.255.255.0
 management-only
!
boot system disk0:/asa831-k8.bin
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name mvl.kmmfg.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list internalMVL_nat0_outbound extended permit ip InternalMVL-network 255.255.255.248 any
access-list InternalWireless_nat_outbound extended permit ip any any
access-list InternalWireless_nat_outbound extended permit ip host 192.168.10.10 any
access-list internalMVL_nat_outbound extended permit ip host 192.168.10.0 any
access-list internalMVL_access_in extended permit ip any any
access-list InternalWireless_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu Embarq 1500
mtu internalMVL 1500
mtu InternalWireless 1500
mtu management 1500
ip local pool 192.168.39.40 192.168.39.50
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/ASDM-633.bin
no asdm history enable
arp timeout 14400
global (Embarq) 101 interface
global (internalMVL) 1 157.116.130.172 netmask 255.255.0.0
nat (internalMVL) 0 access-list internalMVL_nat0_outbound outside
nat (internalMVL) 1 access-list internalMVL_nat_outbound
nat (InternalWireless) 0 access-list InternalWireless_nat_outbound
nat (InternalWireless) 1 192.168.10.0 255.255.255.0
nat (management) 101 0.0.0.0 0.0.0.0
static (InternalWireless,internalMVL) 192.168.37.75 192.168.10.11 netmask 255.255.255.255
static (internalMVL,InternalWireless) 192.168.10.15 CribMaster netmask 255.255.255.255
static (internalMVL,InternalWireless) 192.168.10.16 Mobile01 netmask 255.255.255.255
access-group internalMVL_access_in in interface internalMVL
access-group InternalWireless_access_in in interface InternalWireless
route Embarq 0.0.0.0 0.0.0.0 65.40.186.241 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto isakmp enable internalMVL
crypto isakmp enable InternalWireless
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 Embarq
telnet 0.0.0.0 0.0.0.0 management
telnet 157.116.123.58 255.255.255.255 management
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 management
ssh 157.116.123.58 255.255.255.255 management
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
username admin password 37vnicbs41Qv0fJp encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2e5704c1a17b7787c525fca479b8349a
: end
 
MVLIS (Author) commented:
I think I still have the issue of connecting to the 157.116.123 network. But maybe it did work. How would the 192.168.10.10 look on that network with the above change? Because I will have to add them to our internet firewall, which is looking for an address on the 157.116.123.*** network.
 
MVLIS (Author) commented:
4      Oct 17 2011      15:15:04            192.168.10.10      1034      157.116.123.130      53      Through-the-device packet to/from management-only network is denied: udp src InternalWireless:192.168.10.10/1034 dst management:157.116.123.130/53

This is what I see in the log. 157.116.123.131 is our DNS server. So I see that it is trying to get there but is being blocked by the ASA.
 
Istvan Kalmar commented:
You need to move it to another leg....

Is your provider route a private address?
 
MVLIS (Author) commented:
Yes, they do, but we have our own DNS server that routes for us also, so I thought I would try it.

This is what I get when I changed the DNS.
6      Oct 18 2011      07:10:27            192.168.10.10      1034                  Failed to locate egress interface for UDP from InternalWireless:192.168.10.10/1034 to 65.164.201.148/53
 
MVLIS (Author) commented:
Forgot to mention that 65.164.201.148 is an outside address/internet. But it is not one of our outside static addresses that was given to us by our provider. Not sure what it is.
 
MVLIS (Author) commented:
It looks like it's an Embarq address.
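Added example, not code from the thread or from Cisco: a small Python model of the two decisions behind the syslogs posted above (the egress-interface lookup that produced "Failed to locate egress interface", and the management-only check that produced "Through-the-device packet to/from management-only network is denied"), followed by the NAT step that answers the earlier question of what 192.168.10.10 looks like on the far side. It runs against a constructed excerpt of the first running-config posted in the thread and can be re-run with the suggested `nat (InternalWireless) 0 access-list InternalWireless_nat_outbound` exemption appended, to show the difference. The simplifications are assumptions: ACL-form nat is modelled only as nat 0 exempting everything (the thread's ACL is `permit ip any any`), policy NAT and the `nat-control` setting are not modelled, and ASA behaviour is approximated rather than reproduced.

```python
import ipaddress
import re

# Constructed excerpt of the first running-config posted above (the version that still
# carried the 192.168.10.10 host route); ACLs and ACL-based nat lines are left out.
ASA_CONFIG = """\
interface GigabitEthernet0/0
 shutdown
 nameif Embarq
 ip address 65.40.186.250 255.255.255.128
interface GigabitEthernet0/1
 nameif internalMVL
 ip address 192.168.39.15 255.255.252.0
interface GigabitEthernet0/2
 nameif InternalWireless
 ip address 192.168.10.1 255.255.255.0
interface Management0/0
 nameif management
 ip address 157.116.123.70 255.255.255.0
 management-only
global (Embarq) 101 interface
global (internalMVL) 1 157.116.130.172 netmask 255.255.0.0
nat (InternalWireless) 1 192.168.10.0 255.255.255.0
nat (management) 101 0.0.0.0 0.0.0.0
route Embarq 0.0.0.0 0.0.0.0 65.40.186.241 1
route InternalWireless 192.168.10.10 255.255.255.255 157.116.123.131 1
"""


def parse_config(text):
    """Interfaces (by nameif), static routes, nat statements and global pools from ASA 8.x text."""
    cfg = {"ifaces": {}, "routes": [], "nats": [], "globals": {}}
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            cur = None  # any top-level command ends the interface block
        if raw.startswith("interface "):
            cur = {"net": None, "shutdown": False, "management-only": False}
        elif cur is not None:  # interface sub-command
            if line in cur:  # the "shutdown" / "management-only" flags
                cur[line] = True
            elif line.startswith("nameif "):
                cfg["ifaces"][line.split()[1]] = cur
            elif line.startswith("ip address "):
                cur["net"] = ipaddress.ip_interface("{}/{}".format(*line.split()[2:4]))
        elif (m := re.match(r"route (\S+) (\S+) (\S+) (\S+)", line)):
            cfg["routes"].append((m[1], ipaddress.ip_network(f"{m[2]}/{m[3]}"), ipaddress.ip_address(m[4])))
        elif (m := re.match(r"global \((\S+)\) (\d+) (\S+)", line)):
            cfg["globals"][(m[1], int(m[2]))] = m[3]  # the word "interface" or a PAT address
        elif (m := re.match(r"nat \((\S+)\) (\d+) (\S+) (\S+)", line)):
            if m[3] != "access-list":
                cfg["nats"].append((m[1], int(m[2]), ipaddress.ip_network(f"{m[3]}/{m[4]}")))
            elif int(m[2]) == 0:  # assumption: ACL-form nat is modelled only as nat 0 exempting
                cfg["nats"].append((m[1], 0, None))  # everything (the thread's ACL is permit ip any any)
    return cfg


def egress_for(cfg, dst):
    """Longest-prefix match over connected networks and static routes whose interface is up."""
    dst = ipaddress.ip_address(dst)
    cands = [(i["net"].network.prefixlen, name, None) for name, i in cfg["ifaces"].items()
             if not i["shutdown"] and i["net"] is not None and dst in i["net"].network]
    cands += [(net.prefixlen, ifc, gw) for ifc, net, gw in cfg["routes"]
              if dst in net and not cfg["ifaces"][ifc]["shutdown"]]
    if not cands:
        return None  # nothing matched: the 'Failed to locate egress interface' case
    return max(cands, key=lambda c: c[0])[1:]  # (interface, gateway or None)


def classify(cfg, src, dst, ingress):
    """Verdict for a through-the-device packet: egress, management-only check, then NAT."""
    src = ipaddress.ip_address(src)
    hop = egress_for(cfg, dst)
    if hop is None:
        return {"verdict": "no-egress"}
    egress = hop[0]
    if cfg["ifaces"][ingress]["management-only"] or cfg["ifaces"][egress]["management-only"]:
        return {"verdict": "denied-management-only", "egress": egress}  # the 'management-only network is denied' syslog
    xlate = str(src)  # nat-control is not set in the posted config, so unmatched traffic passes untranslated
    for ifc, nat_id, net in sorted(cfg["nats"], key=lambda n: n[1] != 0):  # nat 0 is checked first
        if ifc != ingress:
            continue
        if nat_id == 0 and (net is None or src in net):
            break  # NAT exemption keeps the real source address
        if nat_id and net is not None and src in net:
            g = cfg["globals"].get((egress, nat_id))  # PAT to the egress interface or to the pool address
            xlate = str(cfg["ifaces"][egress]["net"].ip) if g == "interface" else (g or xlate)
            break
    return {"verdict": "forward", "egress": egress, "xlate": xlate}


def route_warnings(cfg):
    """Static routes that can never carry traffic as written."""
    out = []
    for ifc, net, gw in cfg["routes"]:
        i = cfg["ifaces"].get(ifc)
        if i is None or i["shutdown"]:
            out.append(f"route {net} via {gw}: interface {ifc} is shut down or missing")
        elif gw not in i["net"].network:
            out.append(f"route {net} via {gw}: gateway is not on {ifc} ({i['net'].network}), it can never be ARPed")
    return out
```

With the config as posted, `classify()` for 192.168.10.10 gives three different answers: the DNS query to 157.116.123.130 picks the management leg and is denied because that interface is management-only; the query to 65.164.201.148 has no egress at all because the only default route points out the shut-down Embarq interface; and a packet to 192.168.37.88 on the internalMVL side is forwarded with its source rewritten to 157.116.130.172 by `global (internalMVL) 1`, which is the address the internet firewall would have seen. Parsing the same text with the suggested `nat (InternalWireless) 0` exemption appended makes that last packet leave with its real 192.168.10.10 source. `route_warnings()` also flags the host route for 192.168.10.10: its gateway 157.116.123.131 is not on the InternalWireless subnet, so the ASA could never resolve it from that interface.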
 
royit commented:
From my understanding,

interface 0/0 is your internet interface

interface 0/2 is your Wireless interface

All you need is a NAT & global statement:

nat (InternalWireless) 2 <Wireless Subnet>
global (Embarq) 2 interface
 
MVLIS (Author) commented:
Sorry for the misunderstanding, but interface 0/0 cannot be used for security reasons. They want this device to go through our firewall at 157.116.123.250 and then out. I have already added the device to our internet firewall to allow them to get through.
