• Status: Solved

Help with Cisco ASA 5505

Hello,

In my LAN I am using two different networks, 192.168.1.0/24 and 10.0.0.0/8.  I purchased an ASA to allow access to the Internet for all my networks.  On the ASA, I am using 192.168.0.0/24 network.  So far, I have been unable to configure the ASA to allow the internal networks to access the Internet.  My current configuration is attached.

Below is my addressing scheme of my network (if that would help):

ISP
XXX.XXX.XXX.XXX
|
|
\|/
ASA
192.168.0.X/24  ---> Both internal and Internet pingable from here
|
|
\|/
2811 Router
192.168.1.X/24  --->  ISP gateway and internal pingable here.
|
|
|----> 192.168.1.0/24 ---> Production network
|
|
|----> 2811 router ---> 10.0.0.0/8 ---> Test lab
ASA-Config-2012-09-01.txt
pzeitham Asked:
 
danieldias Commented:
You don't have a route... configure your Vlan2 interface as per the below

interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
 
pzeitham (Author) Commented:
Thanks for the catch.  I have added that to my config and the problem is still there.
 
danieldias Commented:
Can you post a show route and show xlate?

Also, are you actually using OSPF? If not, I would remove the config.
 
danieldias Commented:
Can you also confirm the ASA is a 5505 and what code you are running on it?

Did you purchase with the base license or a security plus license?

Are you natting the 10.0.0.0/8 traffic on the 2811 to the 192.168.1.0 network?
 
pzeitham (Author) Commented:
Hello,

Here is the requested output.  An updated copy of the config is attached.

I have a base license and the version is below.

Cisco Adaptive Security Appliance Software Version 8.4(3)
Device Manager Version 6.4(7)

Compiled on Fri 06-Jan-12 10:24 by builders
System image file is "disk0:/asa843-k8.bin"
Config file at boot was "startup-config"

No, I am not NATing on the 2811.


show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 98.223.140.1 to network 0.0.0.0

C    98.223.140.0 255.255.252.0 is directly connected, outside
O    10.1.11.0 255.255.255.0 [110/12] via 192.168.0.1, 0:02:55, inside
O    10.1.10.0 255.255.255.0 [110/12] via 192.168.0.1, 0:02:55, inside
O    10.1.1.8 255.255.255.252 [110/141] via 192.168.0.1, 0:02:55, inside
O    10.1.12.0 255.255.255.0 [110/12] via 192.168.0.1, 0:02:55, inside
O    10.1.1.0 255.255.255.252 [110/76] via 192.168.0.1, 0:02:55, inside
O    10.1.1.4 255.255.255.252 [110/76] via 192.168.0.1, 0:02:55, inside
O    10.1.254.1 255.255.255.255 [110/12] via 192.168.0.1, 0:02:55, inside
O    10.1.254.2 255.255.255.255 [110/77] via 192.168.0.1, 0:02:55, inside
C    192.168.0.0 255.255.255.0 is directly connected, inside
O    192.168.1.0 255.255.255.0 [110/11] via 192.168.0.1, 0:02:55, inside
d*   0.0.0.0 0.0.0.0 [1/0] via 98.223.140.1, outside



show xlate
2 in use, 3 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
       e - extended
TCP PAT from inside:192.168.1.7X 443-443 to outside:98.223.14X.XXX 443-443
    flags sr idle 0:03:17 timeout 0:00:00
TCP PAT from inside:192.168.1.7X 25-25 to outside:98.223.14X.XXX 25-25
    flags sr idle 0:03:17 timeout 0:00:00
ASA-Config-2012-09-01-12-52
 
lrmoore Commented:
What is the default route on the 2811 router?
 
lruiz52 Commented:
Please post sanitized config of the 2811 router.
 
pzeitham (Author) Commented:
I have not set one.  The router is using OSPF.

#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     98.0.0.0/22 is subnetted, 1 subnets
O       98.223.140.0 [110/11] via 192.168.0.2, 00:00:20, FastEthernet0/1
     10.0.0.0/8 is variably subnetted, 8 subnets, 3 masks
O       10.1.11.0/24 [110/2] via 192.168.1.5, 00:00:20, FastEthernet0/0
O       10.1.10.0/24 [110/2] via 192.168.1.5, 00:00:20, FastEthernet0/0
O       10.1.1.8/30 [110/131] via 192.168.1.5, 00:00:20, FastEthernet0/0
O       10.1.12.0/24 [110/2] via 192.168.1.5, 00:00:20, FastEthernet0/0
O       10.1.1.0/30 [110/66] via 192.168.1.5, 00:00:21, FastEthernet0/0
O       10.1.1.4/30 [110/66] via 192.168.1.5, 00:00:21, FastEthernet0/0
O       10.1.254.1/32 [110/2] via 192.168.1.5, 00:00:21, FastEthernet0/0
O       10.1.254.2/32 [110/67] via 192.168.1.5, 00:00:21, FastEthernet0/0
C    192.168.0.0/24 is directly connected, FastEthernet0/1
C    192.168.1.0/24 is directly connected, FastEthernet0/0
2811-router-config-2012-09-02
 
danieldias Commented:
On the ASA under the OSPF process add:

default-information originate always
 
pzeitham (Author) Commented:
Thank you very much!!
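
The fault in this thread was found by reading each hop's routing table for a default route: the ASA had one from DHCP, while the 2811 showed "Gateway of last resort is not set" until the ASA originated a default into OSPF. As an added example that is not part of the original thread, the Python below runs that check over excerpts of the posted outputs; the function names and the "after" sample are constructed for illustration.

```python
import re

# "Gateway of last resort is 98.223.140.1 to network 0.0.0.0" (absent or "not set" => no default)
GOLR_RE = re.compile(r"^Gateway of last resort is (\d+(?:\.\d+){3}) to network 0\.0\.0\.0", re.M)
# Route-table entry for 0.0.0.0/0 in ASA ("0.0.0.0 0.0.0.0") or IOS ("0.0.0.0/0") notation.
ENTRY_RE = re.compile(r"^(\S+)\s+0\.0\.0\.0(?:/0|\s+0\.0\.0\.0)\s", re.M)

def default_route(show_route_text):
    """Return {'next_hop', 'code'} for the default route, or None if the device has none."""
    gw = GOLR_RE.search(show_route_text)
    if gw is None:
        return None
    entry = ENTRY_RE.search(show_route_text)
    return {"next_hop": gw.group(1), "code": entry.group(1) if entry else None}

def hops_without_default(hops):
    """hops: ordered (name, show-route text) pairs from LAN edge to ISP; list the black holes."""
    return [name for name, text in hops if default_route(text) is None]

# Excerpts of the outputs posted in the thread.
ASA = """Gateway of last resort is 98.223.140.1 to network 0.0.0.0

C    98.223.140.0 255.255.252.0 is directly connected, outside
O    192.168.1.0 255.255.255.0 [110/11] via 192.168.0.1, 0:02:55, inside
d*   0.0.0.0 0.0.0.0 [1/0] via 98.223.140.1, outside
"""
R2811_BEFORE = """Gateway of last resort is not set

O       10.1.11.0/24 [110/2] via 192.168.1.5, 00:00:20, FastEthernet0/0
C    192.168.0.0/24 is directly connected, FastEthernet0/1
C    192.168.1.0/24 is directly connected, FastEthernet0/0
"""
# Constructed sample (not from the thread): what the 2811 is expected to show once the
# ASA originates a default into OSPF; timer and metric values are illustrative.
R2811_AFTER = """Gateway of last resort is 192.168.0.2 to network 0.0.0.0

C    192.168.0.0/24 is directly connected, FastEthernet0/1
C    192.168.1.0/24 is directly connected, FastEthernet0/0
O*E2 0.0.0.0/0 [110/10] via 192.168.0.2, 00:00:05, FastEthernet0/1
"""

if __name__ == "__main__":
    print(hops_without_default([("2811", R2811_BEFORE), ("ASA", ASA)]))
    print(default_route(R2811_AFTER))
```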