bkana (asker)

ASA 5505 connecting 2 separate internal networks

We recently changed locations and acquired a new circuit from our provider. They also connected our remote branch office to our main office through MPLS. Now, as I understand it, the branch office basically connects back to the main office through our provider's network (MPLS). We have a new router at the branch office which has a gateway of 192.168.1.225. The clients in that office have IPs of 192.168.1.96 - 100, using the gateway of 192.168.1.225.

The main office network is 192.168.0.0 (Gateway of 192.168.0.1)

At this end (main office), I also have a new Cisco 2900 provided by the ISP, with port 0/0 for the outside connection (connected to the 0 port on my ASA 5505). The ASA's port 1 obviously running into my network hub. The provider tells me that port 0/1 on the 2900 is or should be used to connect the branch office back to here and has an IP of 192.168.0.225, as that's how the provider provisioned it. So, I plug that into the ASA's Ethernet port 0/2. And I'm assuming they have a route set up either on the 2900 or the router in the branch office so that 192.168.1.225 can reach me here at 192.168.0.0.

There is already a static route set up on the ASA: (192.168.1.0 255.255.255.255 192.168.0.225 1). As soon as I plug in the cable, the IP phones at the branch office work, but they can't access the internet or any resources in the main office. My questions are:

1. Shouldn't I be able to just go straight from the 0/1 port on the Cisco 2900 to my hub? At first I was plugging right into the ASA, but I don't think I need to do that; why go from the branch office through my ASA to access resources and then back out the ASA for internet? If they're already coming from 192.168.1.225, through the MPLS network, then they should go right to my network and then back out the ASA.

or

2. They have to route through the ASA first, in which case, do I need to set up another VLAN for that branch network in conjunction with a static route? I can ping the router and hosts in the branch office through the ASA only!

Below is sanitized config:

Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(2)
!
hostname ciscoasa
domain-name audiology.org
enable password ulzaQiFnKVzDwUmW encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.2.3.4 255.255.255.240
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name audiology.org
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_access_in extended permit tcp host 192.168.0.8 any eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended permit tcp any any eq https
access-list inside_access_in extended permit tcp any any eq www
access-list inside_access_in remark port to protech
access-list inside_access_in extended permit tcp any any eq 15864
access-list inside_access_in remark Tight VNC to calprogrp
access-list inside_access_in extended permit tcp any any eq 5900
access-list inside_access_in remark BlackBerry Server access from AAAEXCH
access-list inside_access_in extended permit tcp host 192.168.0.10 any eq 3101
access-list inside_access_in remark BlackBerry Server Access for WSVR2-2K8R2
access-list inside_access_in extended permit tcp host 192.168.0.9 any eq 3101
access-list inside_access_in extended permit tcp any any eq ftp
access-list inside_access_in remark Congress Web Site for Kate
access-list inside_access_in extended permit tcp any any eq 4433
access-list inside_access_in extended permit tcp 192.168.0.0 255.255.255.0 any eq 1433
access-list inside_access_in extended permit tcp any any eq sqlnet
access-list inside_access_in extended permit tcp any any eq 50000
access-list inside_access_in extended deny ip 192.168.0.0 255.255.255.0 host 92.241.184.190
access-list inside_access_in extended permit tcp any any eq 667
access-list inside_access_in remark Access to MagnetMail
access-list inside_access_in extended permit ip any host 64.27.100.172
access-list inside_access_in extended permit tcp any any eq 3389
access-list inside_access_in extended permit icmp any any echo-reply
access-list inside_access_in extended permit ip any any inactive
access-list Audiology_VPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list outside_access_in extended permit tcp any host 1.2.3.10 eq smtp
access-list outside_access_in extended permit tcp any host 1.2.3.10 eq https
access-list outside_access_in remark Hacking Service
access-list outside_access_in extended deny tcp any 192.168.0.0 255.255.255.0 eq 4245
access-list outside_access_in remark Deny Access to this IP found on the AAAEX10
access-list outside_access_in extended deny ip host 184.191.175.58 192.168.0.0 255.255.255.0
access-list outside_access_in remark Hacking Service
access-list outside_access_in extended deny tcp any 192.168.0.0 255.255.255.0 eq 4242
access-list outside_access_in extended deny ip host 92.241.184.190 192.168.0.0 255.255.255.0
access-list outside_access_in extended deny ip host 92.241.184.164 192.168.0.0 255.255.255.0
access-list outside_access_in remark Deny Facebook
access-list outside_access_in extended deny ip host 69.63.176.12 192.168.0.0 255.255.255.0
access-list outside_access_in remark Deny Facebook 6
access-list outside_access_in extended deny ip host 69.63.176.11 192.168.0.0 255.255.255.0
access-list outside_access_in remark Deny Facebook
access-list outside_access_in extended deny ip host 69.63.178.11 192.168.0.0 255.255.255.0
access-list outside_access_in remark Deny Facebook 2
access-list outside_access_in extended deny ip host 69.63.178.12 192.168.0.0 255.255.255.0
access-list outside_access_in remark Deny Facebook 5
access-list outside_access_in extended deny ip host 69.63.178.14 192.168.0.0 255.255.255.0
access-list outside_access_in remark Deny Facebook 4
access-list outside_access_in extended deny ip host 69.63.178.13 192.168.0.0 255.255.255.0
access-list outside_access_in extended deny ip host 203.93.111.240 192.168.0.0 255.255.255.0
access-list outside_access_in extended deny ip host 112.137.162.147 192.168.0.0 255.255.255.0
access-list outside_access_in remark Deny Facebook 3
access-list outside_access_in extended deny ip host 69.63.179.27 192.168.0.0 255.255.255.0
access-list outside_access_in remark FTP for AAADCSVR4 (JoyAnna)
access-list outside_access_in extended permit tcp any host 1.2.3.9 eq ftp
access-list outside_access_in remark HTTP access to temp AUDNOW13 site
access-list outside_access_in extended permit tcp any host 1.2.3..9 eq www inactive
access-list outside_access_in remark RDP for Bkana
access-list outside_access_in extended permit tcp any host 1.2.3.12 eq 3389
access-list outside_access_in extended permit tcp any host 1.2.3.5 eq 3389
access-list outside_access_in remark Web Portal/AAACRM4M
access-list outside_access_in extended permit tcp any host 1.2.3.4 eq https
access-list outside_access_in remark RDP for Web Portal and Web Site uploads
access-list outside_access_in extended permit tcp any host 1.2.3.4 eq 3389
access-list outside_access_in remark Web Portal/AAACRM4M
access-list outside_access_in extended permit tcp any host 1.2.3.4 eq www
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.25.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.60.0 255.255.255.0
access-list outside_20_cryptomap standard permit 192.168.0.0 255.255.255.0
access-list clientgroup_VPN_splitTunnelACL standard permit host 98.129.60.99
access-list clientgroup_VPN_splitTunnelACL standard permit 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging trap debugging
logging asdm debugging
logging queue 150
mtu inside 1500
mtu outside 1500
ip local pool vpnippool 192.168.50.1-192.168.50.10 mask 255.255.255.0
ip local pool webpool 192.168.60.1-192.168.60.10 mask 255.255.255.0
ip local pool AAAIPPOOL 192.168.0.161-192.168.0.190 mask 255.255.255.0
ip local pool SSLClientPool 192.168.25.1-192.168.25.50 mask 255.255.255.0
ip local pool AAAPOOL 192.168.100.1-192.168.100.50 mask 255.255.255.0
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (outside) 1 1.2.3.10 netmask 255.0.0.0
global (outside) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 192.168.0.217 255.255.255.255
nat (inside) 2 192.168.0.219 255.255.255.255
nat (inside) 2 192.168.0.229 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 192.168.60.0 255.255.255.0
static (inside,outside) tcp 1.2.3.10 smtp 192.168.0.8 smtp netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.10 https 192.168.0.10 https netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.12 3389 192.168.0.221 3389 netmask 255.255.255.255
static (inside,inside) tcp 1.2.3.5 3389 192.168.0.22 3389 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 www 192.168.0.11 www netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 3389 192.168.0.11 3389 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 https 192.168.0.11 https netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.9 ftp 192.168.0.8 ftp netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 216.64.78.1 1
route inside 192.168.1.0 255.255.255.0 192.168.0.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server NTWRKSVRS protocol ldap
aaa-server NTWRKSVRS (inside) host 192.168.0.8
 ldap-base-dn DC=audiology,DC=org
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=tss,CN=Users,DC=audiology,DC=org
 server-type microsoft
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 reval-period 36000
 sq-period 300
aaa authorization command LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
http 192.168.50.0 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-AES-128-SHA
crypto map outside_map 20 set pfs
crypto map outside_map 20 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=ciscoasa.audiology.org
 keypair sslvpnkeypair
 crl configure
crypto ca server
 shutdown
crypto ca certificate chain ASDM_TrustPoint0
 certificate 7564 696f6c6f 67792e6f 72673081 9f300d06 092a8648
    86f70d01 01010500 03818d00 30818902 818100a0 8b90b08f bbfaf555 4b19f899
    6b04b4b1 ec7b07f8 3ba2504d bb5b54bb 3450bfed 80607843 13a6f146 79472b79
    2e08f1f7 ef32fb77 cf33f0b5 55982455 ef74c3b2 c054efff c58d3698 2bb5e44d
    e6f148b2 81aa2fa0 d317175f 2b8364cd 3c8b0290 12f0a01f 06c6af47 7a7d70cc
    975a3567 9b2e7f24 0d88bcb8 daaf1f7d d0e74d02 03010001 300d0609 2a864886
    f70d0101 05050003 8181005d 269ebb82 ad21cb8c fd5ce3ce bbc51073 370cdd5a
    bccf01e3 b993caf4 b2582663 f18248ed 3634e670 c2c4dd72 abeabbe1 406293a8
    48085355 55885f72 cb78a10e 4d6c1267 ad0fc28e e883e002 6ea9af97 6d722868
    537966f4 de71bd98 f07ba491 7929e460 17062837 5570ce10 b2aba39e 0b1c9e83
    6176373b 33b7204c f92bb6
  quit
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
client-update enable
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside vpnclient-wins-override
!
dhcpd address 192.168.0.2-192.168.0.129 inside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server inside 192.168.0.3 /tftp
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc image disk0:/anyconnect-dart-win-2.4.1012-k9.pkg 2
 svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 3
 svc enable
 tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
 dns-server value 192.168.0.240
 vpn-tunnel-protocol l2tp-ipsec svc
 default-domain value audiology
 address-pools value SSLClientPool
group-policy DfltGrpPolicy attributes
 banner value Welcome to the Audiology Domain.
 dns-server value 192.168.0.240
 vpn-simultaneous-logins 10
 vpn-tunnel-protocol IPSec l2tp-ipsec svc
 ipsec-udp enable
 default-domain value audiology
 nac-settings value DfltGrpPolicy-nac-framework-create
 address-pools value AAAPOOL
 webvpn
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
  svc ask none default svc
  customization value DfltCustomization
group-policy Audiology_VPN internal
group-policy Audiology_VPN attributes
 dns-server value 192.168.0.240
 vpn-tunnel-protocol IPSec l2tp-ipsec svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Audiology_VPN_splitTunnelAcl
 default-domain value audiology
 webvpn
  svc ask none default svc
group-policy vpnphone internal
group-policy vpnphone attributes
 dns-server value 192.168.0.240
 vpn-tunnel-protocol IPSec l2tp-ipsec
 default-domain value audiology.org
 address-pools value vpnippool
group-policy clientgroup internal
group-policy clientgroup attributes
 dns-server value 192.168.0.240
 vpn-tunnel-protocol IPSec l2tp-ipsec svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value clientgroup_VPN_splitTunnelACL
 address-pools value webpool
 webvpn
  svc keep-installer installed
  svc ask none default svc
username ssandhu password seufOosICJUVacRN encrypted privilege 5
username ssandhu attributes
 vpn-group-policy Audiology_VPN
username ccarey password hkzviXSwo/dzb7dz encrypted privilege 5
username ccarey attributes
 vpn-group-policy Audiology_VPN
username ssebastian password cRTSAQvSR1uUboYQ encrypted privilege 5
username ssebastian attributes
 vpn-group-policy Audiology_VPN
username ssullivan password Or36GnjdWqlUJJRu encrypted privilege 5
username ssullivan attributes
 vpn-group-policy Audiology_VPN
username deba password XUd41fq/C/TjFgfj encrypted privilege 5
username deba attributes
 vpn-group-policy vpnphone
 vpn-tunnel-protocol IPSec
username edwards password VMXSNPSW0HV4O0cv encrypted privilege 5
username edwards attributes
 vpn-group-policy Audiology_VPN
username rsifuentes password aqJUgnzg.dfA8o9z encrypted privilege 5
username rsifuentes attributes
 vpn-group-policy Audiology_VPN
username pazouqha password DU7z.RNPJKFsln2i encrypted privilege 5
username pazouqha attributes
 vpn-group-policy Audiology_VPN
username aburke password /NPa1tiXBaGOUeG7 encrypted privilege 5
username aburke attributes
 vpn-group-policy Audiology_VPN
username abenham password Ui/TXyR4iz.Nm2Oe encrypted privilege 6
username abenham attributes
 vpn-group-policy Audiology_VPN
username cgallow password cxuXh2CnVa2e5tEm encrypted privilege 5
username cgallow attributes
 vpn-group-policy Audiology_VPN
username lyonkers password 0GBHQTdxHCMx3HFC encrypted privilege 5
username lyonkers attributes
 vpn-group-policy Audiology_VPN
username dabel password wLSkDun.YwKsAUJt encrypted privilege 5
username dabel attributes
 vpn-group-policy Audiology_VPN
username kmurphy password IlNy9p4SMyv7T/Sc encrypted privilege 5
username kmurphy attributes
 vpn-group-policy Audiology_VPN
username tbrazell password 05gnhCY2EWMXLG8A encrypted privilege 5
username tbrazell attributes
 vpn-group-policy Audiology_VPN
username tconte password iRHacxgQVU.WcpEe encrypted privilege 5
username tconte attributes
 vpn-group-policy Audiology_VPN
username sduty password Epb3K3ZfUSo9m04g encrypted privilege 5
username sduty attributes
 vpn-group-policy Audiology_VPN
username kculver password L2v7uYSr3CyfUsWt encrypted privilege 5
username kculver attributes
 vpn-group-policy Audiology_VPN
username meggano password 3/LzBzM.c3NO9PjK encrypted privilege 5
username meggano attributes
 vpn-group-policy Audiology_VPN
username skelley password fLQvCBmxMLbGw02J encrypted privilege 5
username skelley attributes
 vpn-group-policy Audiology_VPN
username bkana password cY7LQDRflLqXm18t encrypted privilege 15
username bkana attributes
 vpn-group-policy Audiology_VPN
username kbrown password 7LuT1QL/7oAYbSs9 encrypted privilege 5
username kbrown attributes
 vpn-group-policy Audiology_VPN
username kbudhathoki password xE1hvb6QKBkElha2 encrypted privilege 5
username kbudhathoki attributes
 vpn-group-policy Audiology_VPN
username sotta password kWf0WtIQWWL/mFWH encrypted privilege 5
username sotta attributes
 vpn-group-policy Audiology_VPN
username amiedema password mGKqpTC.fdKmd5ns encrypted privilege 5
username amiedema attributes
 vpn-group-policy Audiology_VPN
username nbisbee password l3kVh/oSMNR7I5Q2 encrypted privilege 5
username nbisbee attributes
 vpn-group-policy Audiology_VPN
username marco password MPVAtQgiWJ9tqgGc encrypted privilege 5
username marco attributes
 vpn-group-policy clientgroup
username jwilson password yhQDuki0An31.NuN encrypted privilege 5
username jwilson attributes
 vpn-group-policy Audiology_VPN
username msinden password 2ZsWE7kvAK/kGB2m encrypted privilege 5
username msinden attributes
 vpn-group-policy Audiology_VPN
username mbovo password /eF0H3C5G4uTJRmw encrypted privilege 5
username mbovo attributes
 vpn-group-policy Audiology_VPN
username kthomas password uRkdY0JH8UEfiNcr encrypted privilege 5
username kthomas attributes
 vpn-group-policy Audiology_VPN
tunnel-group DefaultRAGroup general-attributes
 default-group-policy Audiology_VPN
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool AAAPOOL
tunnel-group Audiology_VPN type remote-access
tunnel-group Audiology_VPN general-attributes
 address-pool AAAPOOL
 default-group-policy Audiology_VPN
tunnel-group Audiology_VPN ipsec-attributes
 pre-shared-key *****
tunnel-group Audiology_VPN ppp-attributes
 authentication ms-chap-v2
tunnel-group vpnphone type remote-access
tunnel-group vpnphone general-attributes
 address-pool vpnippool
 default-group-policy vpnphone
tunnel-group vpnphone ipsec-attributes
 pre-shared-key *****
tunnel-group vpnphone ppp-attributes
 authentication ms-chap-v2
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
 default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
 group-alias SSLVPNClient enable
tunnel-group webgroup type remote-access
tunnel-group webgroup general-attributes
 address-pool webpool
 default-group-policy clientgroup
tunnel-group webgroup webvpn-attributes
 group-alias webgroup_users enable
tunnel-group webgroup ipsec-attributes
 pre-shared-key *****
tunnel-group-map default-group DefaultL2LGroup
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 1024
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect icmp
  inspect pptp
  inspect ip-options
policy-map asa_global_fw_policy
 class inspection_default
  inspect ftp
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command uauth
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:c76168fa7f31fdfea11dff4130e5f7af
: end
asavener

1. Shouldn't I be able to just go straight from the 0/1 port on the Cisco 2900 to my hub? At first I was plugging right into the ASA, but I don't think I need to do that; why go from the branch office through my ASA to access resources and then back out the ASA for internet? If they're already coming from 192.168.1.225, through the MPLS network, then they should go right to my network and then back out the ASA.
This is what you want.


Just connect the MPLS router (192.168.0.225) to your internal LAN.

Add a route on your internal router (192.168.0.1) and a route on the ASA:

router:

ip route 192.168.1.0 255.255.255.0 192.168.0.225

ASA:

route inside 192.168.1.0 255.255.255.0 192.168.0.225
ASKER

I already have those routes defined.
OK, so what isn't working?
ASKER

Hosts on the branch network (192.168.1.0) cannot access the internet or any resources on the main network (192.168.0.1). The MPLS connection at the branch site is 192.168.1.225, and 192.168.0.225 on my end at 0/1 on the router. If I change my local GW to 192.168.0.225 I can RDP to hosts in the branch office.

I have these setup on my ASA: (what else am I missing?)

route inside 192.168.1.0 255.255.255.0 192.168.0.225 1

nat (inside) 1 192.168.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

and

nat (inside) 0 access-list inside_nat0_outbound

I can ping everything on 192.168.1.0 from the ASA only and not from anything on 192.168.0.0
You need to add the route on the 192.168.0.1 router as well.
ASKER

Correct me if I'm wrong, but I am able to RDP to a host at the branch office (192.168.1.98) and ping back across their local gateway (192.168.1.225), the connection on the MPLS router here at HQ (192.168.0.225) and my ASA 5505's gateway (192.168.0.1).

Wouldn't the route on the MPLS router (192.168.0.1) allow me to do that? So that route should already be in place, correct?

Here is the setup again and my running config.

1. Connection right from the MPLS router 0/1 (192.168.0.225) straight into my hub.
 
ASA 5505 config (relative info):

hostname ciscoasa
domain-name audiology.org
enable password ulzaQiFnKVzDwUmW encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 216.64.78.2 255.255.255.240
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.25.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.60.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_20_cryptomap standard permit 192.168.0.0 255.255.255.0

access-list TCP_bypass extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0  (DON'T THINK I NEED THIS THOUGH)

global (outside) 1 216.64.78.10 netmask 255.0.0.0
global (outside) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 192.168.0.217 255.255.255.255
nat (inside) 2 192.168.0.219 255.255.255.255
nat (inside) 2 192.168.0.229 255.255.255.255
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 192.168.60.0 255.255.255.0

route outside 0.0.0.0 0.0.0.0 X.X.X.X
route inside 192.168.1.0 255.255.255.0 192.168.0.225 1
Hosts on the branch network (192.168.1.0) cannot access the internet or any resources on the main network (192.168.0.1). The MPLS connection at the branch site is 192.168.1.225, and 192.168.0.225 on my end at 0/1 on the router. If I change my local GW to 192.168.0.225 I can RDP to hosts in the branch office.
OK.  Two things to check.

1.  Make sure that the MPLS routers on both ends are not filtering or firewalling any traffic.  Can you post (sanitized) configurations?

2.  Make sure that the branch PCs have a default gateway of 192.168.1.225.


(It is possible that when you make a connection, then they are creating their own cached route called an RCE or route cache entry, and that they do not have the correct default gateway.)
ASKER

Thanks for responding asavener.

1. I do not have access to either router, as they are managed by the ISP (Windstream). However, I have an open trouble ticket to verify the configs at both ends and will add the question concerning filtering or firewalling traffic to my list when they call.

2. They do.

Also, after doing some research concerning my issue, it seems to me that the ASA shouldn't even be part of the equation, do you agree? I have the connection from 0/1 (192.168.0.225) on the MPLS router on my end connected directly into my LAN. With the correct routes in place on both ends, the clients at the branch office should be able to access the internet and any resources at the main site, correct?

I'm not sure I understand your side comment about RCE; how do I check? I have run "route print" on the branch PCs via RDP and nothing seemed out of the ordinary. They used to be connected to an old Adtran, but it had the same IP (192.168.1.225). Now, they connect to a new router that sits on the MPLS.
Yes, I agree that the ASA is not likely to be the culprit.  RCEs should not be an issue, since the RCE would match the address of the default gateway, anyway.

An RCE would show up as a route to a single IP address on your 192.168.0.0/24 network.
ASKER

Well, I have installed an HP 1910 - 48G switch, added a static route on it (192.168.1.0 MASK 255.255.255.0 192.168.0.225) and still, nothing. I can RDP to a host on the 192.168.1.0 network but can't even ping anything on the 192.168.0.0 network unless I specifically set routes on each server/device in the 192.168.0.0 network. I thought for sure that a layer 3 switch would do the trick, as I'm connected directly from the 0/1 port on the MPLS router to my L3 switch. Should a route be setup on the remote branch gateway (192.168.1.225) back to the L3 switch here?
Are the 192.168.0.x devices using the new L3 switch as their default gateways?
ASKER

The 192.168.0.0 devices use the ASA 5505 (192.168.0.1, which is connected to the internet port on the router) as their gateway and everything on that end is good. The issue is that hosts on the 192.168.1.0 network can't access resources on the 192.168.0.0 network, unless I add routes to certain devices on the 192.168.0.0. They (192.168.0.1) also cannot access the internet. I can RDP to a host on the 192.168.1.0 network but can't ping back to devices on the 192.168.0.0 network - only those to which I have set up routes. If the static routes were set up properly on the local and remote gateways, I should be able to ping back, correct?
ASKER CERTIFIED SOLUTION by asavener
bkana (ASKER):
asavener, I totally agree with you that the ASA is not a router. However, in the old network configuration before we moved and MPLS was not in the picture, I only had a simple layer 2 device (hub) to connect everything and the ASA was my only way of getting internet access, as I had the 0/1 inside interface configured as 192.168.0.1, and 0/0 configured with 216.X.X.X which connected to the old cisco IAD 2900 router. I assigned all of my clients an address of 192.168.0.2-255 with a GW of 192.168.0.1. Also, the branch office (192.168.1.0) was connected by a point-to-point T1 using 2 Adtran routers.

Now, the branch office is connected using a different router (192.168.1.225), using MPLS, back to the main office MPLS router at 192.168.0.225.

Also, I am a little confused by your RDP paths. I am at the 192.168.0.0 network using RDP to a host at the 192.168.1.0 network:

RDP from 192.168.0.221 to 192.168.1.98. My GW is 192.168.0.1. This works, unless I'm reading your RDP paths wrong. And, I thought we agreed that the ASA was not in the picture.

Are you saying that the GW address of the hosts on the 192.168.0.0 network being 192.168.0.1 is the issue? So, the ping is going from 192.168.1.98, to its local gateway (192.168.1.225), to the MPLS router on my end (192.168.0.225), to a host of say 192.168.0.240 - and because 192.168.0.240 has 192.168.0.1 as its GW, it's going to the 0/1 of the ASA and stopping. I hope that made sense. If that's the case, would changing the GW of the hosts on 192.168.0.0 to the IP of the new L3 switch allow the ping to come back? I still don't understand how that's going to affect the hosts at 192.168.1.0 not being able to gain access to the internet.
I thought the ASA is 192.168.0.1?  And I thought RDP from 192.168.1.0/24 to 192.168.0.0/24 only works if you have an explicit route, so that the default gateway of 192.168.0.1 is not used.
bkana (ASKER):
The ASA is 192.168.0.1 (internal interface). I haven't tried to RDP from 192.168.1.0 as I don't need to. I can RDP from 192.168.0.0 (192.168.0.221) to 192.168.1.0 (192.168.1.98) if I set my GW to 192.168.0.100 (the L3 switch) or I set a route on my PC if using 192.168.0.1 as the GW. It makes more sense, like you said, to use the switch as the GW and let it do the routing instead of the ASA.

Obviously, if I set all the hosts on 192.168.0.0 to use 192.168.0.100 (L3 switch) as their GW, then when I RDP to 192.168.1.98 and ping back from there, the pings work and I should be able to map drives, access resources here (192.168.0.0) without issue. This should also eliminate the need to set up routes on specific hosts for access.  

But I'm still unclear as to how to get hosts at 192.168.1.0 access to the internet. Even if I set the GW to 192.168.0.100 (L3 switch) on a host at 192.168.1.0 they still can't access the internet. Of course, I know I should keep their GW set to 192.168.1.225, which is their local router.

Maybe it has something to do with the MPLS network that they have to go through first.
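A small route-lookup simulation, added here and not part of the thread, that traces the return path of a ping from 192.168.1.98 to a main-office host under both gateway choices discussed above, and also shows the L3 switch's default-route lookup. The tables are constructed from the addresses in the posts; the main-office host 192.168.0.240 and the ASA holding only its inside subnet plus a default route toward the outside are assumptions.

```python
import ipaddress

# Constructed tables (assumptions): ASA inside 192.168.0.1, HP 1910 L3 switch
# 192.168.0.100, MPLS router 192.168.0.225, branch host 192.168.1.98.
SWITCH = [("192.168.0.0/24", "connected"),
          ("192.168.1.0/24", "192.168.0.225"),   # static route added on the switch
          ("0.0.0.0/0", "192.168.0.1")]          # default route toward the ASA
# Assumption: the ASA knows its inside subnet and a default route out only; it is
# not acting as a router that hairpins traffic back out its inside interface.
ASA = [("192.168.0.0/24", "connected"), ("0.0.0.0/0", "outside")]
MPLS_ROUTER = [("192.168.0.0/24", "connected"), ("192.168.1.0/24", "mpls")]

def host_table(gateway):
    """Routing table of a 192.168.0.x host whose only exit is its default gateway."""
    return [("192.168.0.0/24", "connected"), ("0.0.0.0/0", gateway)]

def lookup(routes, dst):
    """Longest-prefix match over (prefix, next_hop) entries; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

def trace(tables, start, dst, max_hops=8):
    """Follow next hops from `start` until delivered, handed off, dropped or looping."""
    path, cur = [start], start
    for _ in range(max_hops):
        next_hop = lookup(tables[cur], dst)
        if next_hop is None:
            return path + ["DROP(no route)"]
        if next_hop == "connected":
            return path + [dst]
        path.append(next_hop)
        if next_hop not in tables:        # hand-off to a network not modelled here
            return path
        cur = next_hop
    return path + ["LOOP"]

# Scenario A: main-office hosts keep the ASA as gateway, as in the old network.
GW_ASA = {"192.168.0.240": host_table("192.168.0.1"), "192.168.0.1": ASA,
          "192.168.0.100": SWITCH, "192.168.0.225": MPLS_ROUTER}
# Scenario B: main-office hosts use the L3 switch as gateway.
GW_SWITCH = dict(GW_ASA, **{"192.168.0.240": host_table("192.168.0.100")})

if __name__ == "__main__":
    for label, tables in (("GW = ASA", GW_ASA), ("GW = L3 switch", GW_SWITCH)):
        print(label, "reply path:", " -> ".join(trace(tables, "192.168.0.240", "192.168.1.98")))
    print("L3 switch next hop for 8.8.8.8:", lookup(SWITCH, "8.8.8.8"))
```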
OK, now you need a default route on the layer three switch that points to the ASA.
bkana (ASKER):
That default route is already setup:

0.0.0.0    0.0.0.0    192.168.0.1
OK, what about the 192.168.0.225 router?
bkana (ASKER):
Turns out it was an error in the config on one of the ISP's routers, which they have corrected. Everything is working as expected.
bkana (ASKER):
I've requested that this question be closed as follows:

Accepted answer: 0 points for bkana's comment #a38645525

for the following reason:

Since the issue was resolved by the ISP, I am closing this question.
I find this explanation unconvincing, since there was never any discussion of an ISP having any routers at the site.  My understanding is that this was a WAN connection using MPLS.

One would assume that any routers from the ISP would be on the outside interface of the ASA; how could they interfere with internal routing?
bkana (ASKER):
The WAN connection through the MPLS used routers on either end. Those routers are owned and configured by the ISP.

"1. I do not have access to either router, as they are managed by the ISP (Windstream)." was posted on 11/12.

The ISP told me today that they found errors in the configuration and resolved them accordingly.

Most (if not all) of the solutions you provided I already had in place. But if you feel you deserve the points, I'm happy to give them to you.
bkana (ASKER):
After going through the post I realized that a post by asavener on 11/19 led me to make a small configuration change that may have helped my situation. Although, the ISP's correction to their equipment (also) solved my issue, I believe a combination of the 2 changes ultimately got me where I needed to be. Points will be awarded accordingly. Sorry for the delay and miscommunication.