Solved

ASA 5505 routing

Posted on 2013-01-10
6
369 Views
Last Modified: 2013-02-04
Here is the scenario: I have an ASA 5505 that has port 1 and port 7 configured to "switchport access vlan 2". There is a secondary router that I do not control that is sharing internet with one of my public IPs configured on it; it is plugged into port 7. It's an agreement between my client and the other party. That part is working just fine. But the question arose where the other party would like access to a printer that is connected to my ASA on the local LAN VLAN. I have tried multiple things and cannot get it to route correctly. I am banging my head against my desk to resolve this issue, if it is possible. Please help.
0
Question by:Callabsolute
6 Comments
 
LVL 17

Expert Comment

by:lruiz52
ID: 38763773
Do you have a network diagram? And can you post a sanitized config?
0
 

Author Comment

by:Callabsolute
ID: 38763814
hostname APLaw5505
*.*.*.*
names
name 192.168.10.0 VPNClient
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 2
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.1.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address *.*.*.* 255.255.255.248
!
ftp mode passive
object-group network Publicip170
 network-object host *.*.*.*
object-group network Austin
 network-object 192.168.1.0 255.255.255.0
object-group network Publicip171
 network-object host *.*.*.*
object-group network Publicip172
 network-object host *.*.*.*
object-group network Publicip173
 network-object host *.*.*.*
object-group network Publicip174
 network-object host *.*.*.*
object-group network Corpus
 network-object 10.0.1.0 255.255.255.0
object-group network MacServer
 network-object host 10.0.1.5
access-list NONAT extended permit ip object-group Corpus object-group Austin
access-list NONAT extended permit ip host 10.0.1.5 VPNClient 255.255.255.0
access-list NONAT extended permit ip any VPNClient 255.255.255.192
access-list NONAT extended permit ip 10.0.1.0 255.255.255.0 VPNClient 255.255.255.0
access-list AustinVPN extended permit ip object-group Corpus object-group Austin
access-list inside_access_in extended permit ip 10.0.1.0 255.255.255.0 VPNClient 255.255.255.0
access-list 50 extended permit icmp any any echo-reply
access-list 50 extended permit icmp any any source-quench
access-list 50 extended permit icmp any any unreachable
access-list 50 extended permit icmp any any time-exceeded
access-list 50 extended permit tcp any host *.*.*.*
access-list 50 extended permit udp any host *.*.*.*
access-list 50 extended permit tcp any host *.*.*.*
access-list 50 extended permit udp any host *.*.*.*
access-list inside_access_in_1 extended permit ip any any
access-list aplawremote_splitTunnelAcl standard permit 10.0.1.0 255.255.255.0
access-list appleserver extended permit ip 10.0.1.0 255.255.255.0 VPNClient 255.255.255.0
access-list capture extended permit ip host 192.168.10.2 host 10.0.1.5
access-list capture extended permit ip host 10.0.1.5 host 192.168.10.2
access-list capture1 extended permit ip host *.*.*.* host *.*.*.*
access-list capture1 extended permit ip host *.*.*.* host *.*.*.*
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool REMOTEVPN 192.168.10.1-192.168.10.50
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) *.*.*.* 10.0.1.5 netmask 255.255.255.255
static (inside,outside) *.*.*.* 10.0.1.200 netmask 255.255.255.255
access-group inside_access_in_1 in interface inside
access-group 50 in interface outside
route outside 0.0.0.0 0.0.0.0 *.*.*.* 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http *.*.*.* outside
http *.*.*.* inside
http 10.0.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map CorpusClientVPN 1 set pfs group1
crypto dynamic-map CorpusClientVPN 1 set transform-set ESP-3DES-SHA2
crypto map outside_map 1 match address AustinVPN
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer *.*.*.*
crypto map outside_map 1 set transform-set ESP-3DES-SHA2
crypto map outside_map 65535 ipsec-isakmp dynamic CorpusClientVPN
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet *.*.*.* inside
telnet timeout 5
ssh *.*.*.* inside
ssh *.*.*.* outside
ssh timeout 10
ssh version 2
console timeout 0
management-access inside
dhcpd address 10.0.1.10-10.0.1.25 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
 enable outside
group-policy aplawremote internal
group-policy aplawremote attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value aplawremote_splitTunnelAcl
 user-authentication enable
 address-pools value REMOTEVPN
group-policy aplawremote1 internal
group-policy aplawremote1 attributes
 dns-server value 8.8.8.8 8.8.4.4
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value appleserver
username absolute password 8OmgqfUD6gNGhifA encrypted privilege 15
username absolute attributes
 vpn-group-policy aplawremote1
username admin password RNwSCC27JFXNk4tE encrypted privilege 15
username admin attributes
 vpn-group-policy aplawremote1
username remoteuser password NNOSNueZeXtjdJrQ encrypted
username remoteuser attributes
 vpn-group-policy aplawremote1
 service-type admin
username cisco password 3USUcOPFUiMCO4Jk encrypted
tunnel-group *.*.*.* type ipsec-l2l
tunnel-group *.*.*.* ipsec-attributes
 pre-shared-key *****
tunnel-group aplawremote type remote-access
tunnel-group aplawremote general-attributes
 address-pool REMOTEVPN
 default-group-policy aplawremote
tunnel-group aplawremote ipsec-attributes
 pre-shared-key *****
tunnel-group aplawremote1 type remote-access
tunnel-group aplawremote1 general-attributes
 address-pool REMOTEVPN
 default-group-policy aplawremote1
tunnel-group aplawremote1 ipsec-attributes
 pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:276451b650fdb0a75911a9f8d8410705
: end
0
 
LVL 21

Expert Comment

by:mcsween
ID: 38763824
These should be trunk ports, not access ports. You can set allowed VLANs on the trunk or allow all. You can also set the native VLAN (this must be set the same on both ends, switch and router).
The commands below allow VLAN 2, 10 and 20 through 40:

switchport mode trunk
switchport trunk allowed vlan 2,10,20-40
switchport trunk native vlan 2


0
 
LVL 21

Accepted Solution

by:mcsween (earned 500 total points)
ID: 38763853
After reviewing your config, trunking this port won't help (though it should be done anyway). Client A wants to print to Printer B.

What is Client A's subnet and gateway?
What is Printer B's subnet and gateway?
0
 

Author Comment

by:Callabsolute
ID: 38763884
The SonicWall that is plugged into port 7 is configured with the gateway coming from my ISP; they wanted a public IP on their SonicWall. The printer is configured with 10.0.1.150.
ASA-5505.pdf
0
 
LVL 21

Expert Comment

by:mcsween
ID: 38763967
The only way they will be able to print to that printer is to open port 9100 on the outside interface or create a VPN between the SonicWALL and the Cisco. This is not a routing problem, as their traffic is routed to the internet at the SonicWALL. Your firewall (outside --> inside ACL) is blocking this traffic. You will also need a static mapping.

I'm using:
1.1.1.1 as the public IP of their SonicWALL
2.2.2.2 as the public IP of your ASA
10.10.10.10 as the IP of the printer
Also assuming you are printing using TCP 9100 (Windows IP Port Default).

access-list 50 extended permit tcp host 1.1.1.1 host 2.2.2.2 eq 9100
static (inside,outside) tcp 2.2.2.2 9100 10.10.10.10 9100 netmask 255.255.255.255


0
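As an added example (not part of this thread, and not Cisco's own tooling), here is a small Python checker that reads an ASA config snippet in the pre-8.3 NAT syntax the posted config uses and verifies the two things the answer above says are required before the SonicWALL side can reach the printer: a static port mapping from the ASA's public IP to the printer, and a permit in the ACL applied inbound on the outside interface. The config strings and the addresses 1.1.1.1, 2.2.2.2 and 10.10.10.10 are constructed from the placeholders in that answer. Beyond the thread, it also flags a permit that is wider than the single source host and port, which is what a reviewer of such a change would want to see.

```python
import ipaddress

# Constructed ASA snippets in the pre-8.3 syntax of the posted config, using the
# answer's placeholders: 1.1.1.1 = SonicWALL public IP, 2.2.2.2 = ASA public IP,
# 10.10.10.10 = printer. These are not a real device's configuration.
BASE = """\
access-list 50 extended permit icmp any any echo-reply
access-list 50 extended permit icmp any any unreachable
access-group 50 in interface outside
static (inside,outside) 2.2.2.3 10.0.1.5 netmask 255.255.255.255
"""
# The two additions the accepted answer calls for: a port static plus a permit
# limited to the one source host and the one destination port.
FIXED = BASE + """\
access-list 50 extended permit tcp host 1.1.1.1 host 2.2.2.2 eq 9100
static (inside,outside) tcp 2.2.2.2 9100 10.10.10.10 9100 netmask 255.255.255.255
"""
# Same static, but the permit accepts any source: reachable, and flagged as broad.
WIDE_OPEN = BASE + """\
access-list 50 extended permit tcp any host 2.2.2.2 eq 9100
static (inside,outside) tcp 2.2.2.2 9100 10.10.10.10 9100 netmask 255.255.255.255
"""


def _addr(tok, i):
    """Consume one ACL address spec at tok[i]: any, host X, or network mask."""
    if tok[i] == "any":
        return ("any",), i + 1
    if tok[i] == "host":
        return ("host", tok[i + 1]), i + 2
    return ("net", tok[i], tok[i + 1]), i + 2


def _port(tok, i):
    """Consume an optional 'eq <port>' at tok[i]; None means any port."""
    if i + 1 < len(tok) and tok[i] == "eq":
        return tok[i + 1], i + 2
    return None, i


def parse_acl(config, name):
    """Extended ACEs of ACL `name`, in order: (action, proto, src, sport, dst, dport)."""
    aces = []
    for line in config.splitlines():
        tok = line.split()
        if tok[:3] != ["access-list", name, "extended"]:
            continue
        action, proto = tok[3], tok[4].lower()
        src, i = _addr(tok, 5)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        aces.append((action, proto, src, sport, dst, dport))
    return aces


def _addr_matches(spec, ip):
    if spec[0] == "any":
        return True
    if spec[0] == "host":
        return spec[1] == ip
    net = ipaddress.ip_network(f"{spec[1]}/{spec[2]}", strict=False)
    return ipaddress.ip_address(ip) in net


def acl_decision(aces, proto, src_ip, dst_ip, dport):
    """First-match evaluation, as the ASA does; (action, ACE) or (None, None) = implicit deny."""
    for ace in aces:
        action, p, src, sport, dst, dp = ace
        # A printing client uses an ephemeral source port, so ACEs pinned to a
        # source port (and ACEs for other protocols) cannot match this flow.
        if p not in (proto, "ip") or sport is not None:
            continue
        if _addr_matches(src, src_ip) and _addr_matches(dst, dst_ip) and dp in (None, dport):
            return action, ace
    return None, None


def outside_acl(config):
    """Name of the ACL applied inbound on the outside interface, or None (implicit deny)."""
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["access-group"] and tok[2:] == ["in", "interface", "outside"]:
            return tok[1]
    return None


def port_statics(config):
    """(proto, mapped_ip, mapped_port, real_ip, real_port) for each static port mapping."""
    out = []
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] == ["static", "(inside,outside)"] and len(tok) >= 7 and tok[2] in ("tcp", "udp"):
            out.append((tok[2], tok[3], tok[4], tok[5], tok[6]))
    return out


def printer_reachable(config, src_ip, asa_public, printer_ip, port="9100", proto="tcp"):
    """Return (reachable, findings): both the static and a permit are needed;
    findings also lists a permit broader than the one source host and port."""
    findings = []
    has_static = (proto, asa_public, port, printer_ip, port) in port_statics(config)
    if not has_static:
        findings.append(f"no static {proto} {asa_public} {port} -> {printer_ip} {port}")
    name, decision = outside_acl(config), None
    if name is None:
        findings.append("no ACL applied inbound on outside")
    else:
        decision, ace = acl_decision(parse_acl(config, name), proto, src_ip, asa_public, port)
        if decision != "permit":
            findings.append(f"ACL {name} does not permit {proto} {src_ip} -> {asa_public}:{port}")
        elif ace[2] == ("any",) or ace[5] is None:
            findings.append(f"ACL {name} permit is broader than host {src_ip} to port {port}: {ace}")
    return has_static and decision == "permit", findings


if __name__ == "__main__":
    for label, cfg in (("posted", BASE), ("fixed", FIXED), ("wide open", WIDE_OPEN)):
        print(label, printer_reachable(cfg, "1.1.1.1", "2.2.2.2", "10.10.10.10"))
```

Run against the three snippets, the posted-style config fails on both counts, the fixed one passes cleanly, and the any-source variant passes but carries a finding; checking against a different source address than 1.1.1.1 fails, which is the point of scoping the permit to one host.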
