Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 886
  • Last Modified:

New Cisco ASA 5505 Config - Routing or Port issue?

Ok, this may seem like a dumb question but for some reason I can't figure it out.

We have a client who has a new MPLS network - 3 sites (More Details below). The primary site which is also the site that all the others use to access the internet needs a new ASA 5505 setup. For the life of me, I can't get the routing / config right.

Site A - 192.168.100.0. Router address is 192.168.100.1. MPLS Router (to access the other sites) is 192.168.100.254
Site B - 192.168.2.0 Router address (for internet / mpls) is 192.168.2.254
Site C - 192.168.3.0 Router address (for internet / mpls) is 192.168.3.254

From what I understand - the MPLS provider DOES have a static route setup for the .2 and .3 subnet which defaults traffic to go to 100.1. Don't know what that means but that's what they told me.

I've included the current config - The two routes I've added were required for the sites A and B to access the internet.
RBALOU-CONFIG.txt
0
hwgtech
Asked:
hwgtech
  • 6
  • 4
  • 3
1 Solution
 
pclinuxguruCommented:
"he MPLS provider DOES have a static route setup for the .2 and .3 subnet which defaults traffic to go to 100.1"

Just means that 192.168.2&3.0 is routing from the MPLS to the router at Site A.

What exactly is not working?
0
 
hwgtechAuthor Commented:
Ok thanks - what is not working is I can't get from 100 to 2 and 100 to 3. I can get to the internet from 2 and 3, but not to 100.
0
 
pclinuxguruCommented:
Try changing your routes to this.

route inside 192.168.2.0 255.255.255.0 192.168.2.254 1
route inside 192.168.3.0 255.255.255.0 192.168.3.254 1

Don't forget to remove the old ones:
route inside 192.168.2.0 255.255.255.0 192.168.100.254 1
route inside 192.168.3.0 255.255.255.0 192.168.100.254 1
0
New Tabletop Appliances Blow Competitors Away!

WatchGuard’s new T15, T35 and T55 tabletop UTMs provide the highest-performing security inspection in their class, allowing users at small offices, home offices and distributed enterprises to experience blazing-fast Internet speeds without sacrificing enterprise-grade security.

 
hwgtechAuthor Commented:
I'll give it a shot. Do I need to do anything in terms of access rules / firewall config to allow these sites to communicate?
0
 
pclinuxguruCommented:
Not that I can see.

On a side note. Most people x out their real Outside  IP's in configs. If you concerned about it you may want to contact a moderator and see if they can remove the attachment.
0
 
Ernie BeekCommented:
While I was at it I had a look at the config.

route inside 192.168.2.0 255.255.255.0 192.168.100.254
route inside 192.168.3.0 255.255.255.0 192.168.100.254


Is correct (you're telling the firewall how to get to those networks).

For now, I would disable the inside access list till we get it working: no access-group inside_access_in in interface inside

I can't get from 100 to 2 and 100 to 3. I can get to the internet from 2 and 3, but not to 100
That definitely is a routing issue. The default gateway for the three networks is the ASA which doesn't route back. So the clients on the three subnets need to be told how to get to the other networks (not through the default gateway).
For site A that would be:
route add 192.168.2.0 mask 255.255.255.0 192.168.100.254
route add 192.168.3.0 mask 255.255.255.0 192.168.100.254


Site B:
route add 192.168.3.0 mask 255.255.255.0 192.168.2.254
route add 192.168.100.0 mask 255.255.255.0 192.168.2.254


Site C:
route add 192.168.2.0 mask 255.255.255.0 192.168.3.254
route add 192.168.100.0 mask 255.255.255.0 192.168.3.254


Using windows commands here:)

In DHCP you would use option 121 (classless static routes) to add that. The thing is that this isn't working in the ASA dhcp server: https://supportforums.cisco.com/thread/2051427 and I don't know if you have any DHCP at the other sites.
So you'll need to add the routes manually on the workstations or use an other DHCP server (have any windows servers on your network?)
0
 
hwgtechAuthor Commented:
DHCP for 2 and 3 is being provided by the MPLS host (Windstream) on the locations routers.

Just to clarify, you are saying to make the route changes that pclinuxguru said AND make the changes on the 100 network to DHCP? We are currently using DHCP on the ASA but can easily turn it on on one of the internal servers.
0
 
Ernie BeekCommented:
No, the routes that are currently in your ASA are correct (otherwise site B and C wouldn't have internet access).
So you just need to tell the machines on your networks how to get to the other sites using a gateway other than the default (the route adds I posted if you'd do it manually). I would think it should be enough to add the routes at site A (since the MPLS provider manages the others). To test you could add the two routes manually on a machine to see if you can then access the other sites.
0
 
hwgtechAuthor Commented:
Ok, I moved DHCP to the Windows server, added the classless routes and .100 is able to access 2 and 3 but 3 /2 are not able to access anything on 100. I can ping 100.254 from 2 and 3 and 100.1 from 2 and 3 but nothing else inside (printers, server, etc.)
0
 
Ernie BeekCommented:
Ok, so this looks like it has to do with the routing on the MPLS routers. In my opinion there are two options:
1)Ask your MPLS provider to adjust the routing so 2 and 3 can also access 100 (should be easiest way).
2)Configure the ASA to route back the traffic from 2 and 3 to 100. This is not preferred though, you use the ASA as a router (which it isn't) and it might give you some issues (though it doesn't have to).
0
 
hwgtechAuthor Commented:
Since I was able to route traffic from 100 to 2 and 3 using DHCP, how will devices that have static IPs (Phone Systems, servers) access those remote networks?

I'll definitely have Windstream update the local sites, just want to make sure I'm covering all my basis. Thanks for the help!
0
 
Ernie BeekCommented:
My pleasure :)

On devices with static ip's you'll have to add that route manually (like said before) if possible. Servers shouldn't be a problem, not sure about the phone system (don't know what it is ;)
0
 
hwgtechAuthor Commented:
Ok, so I think my only option after spending the last 2 weeks on the phone with Windstream is to allow the FW to be a router as well. They have the remote sites 2 / 3 setup with a default route of 100.1. They can change it, but I don't know where else we would put it, besides sending it to the server, but then if the server is down, internet will be down across the board. Any thoughts on options or if I do need to setup the ASA as a router how to do that?
0

Featured Post

Choose an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

  • 6
  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now