Solved

ASA 5505 routing

Posted on 2013-01-10
6
Medium Priority
385 Views
Last Modified: 2013-02-04
Here is the scenario: I have an ASA 5505 that has port 1 and port 7 configured with "switchport access vlan 2". There is a secondary router that I do not control that is sharing internet with one of my public IPs configured on it; it is plugged into port 7. It's an agreement between my client and the other party. That part is working just fine. But the question arose where the other party would like access to a printer that is connected to my ASA on the local LAN VLAN. I have tried multiple things and cannot get it to route correctly. I am banging my head against my desk to resolve this issue, if it is possible. Please help.
0
Question by:Robert Ener
6 Comments
 
LVL 17

Expert Comment

by:lruiz52
ID: 38763773
Do you have a network diagram? And can you post a sanitized config?
0
 

Author Comment

by:Robert Ener
ID: 38763814
hostname APLaw5505
*.*.*.*
names
name 192.168.10.0 VPNClient
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 2
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.1.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address *.*.*.* 255.255.255.248
!
ftp mode passive
object-group network Publicip170
 network-object host *.*.*.*
object-group network Austin
 network-object 192.168.1.0 255.255.255.0
object-group network Publicip171
 network-object host *.*.*.*
object-group network Publicip172
 network-object host *.*.*.*
object-group network Publicip173
 network-object host *.*.*.*
object-group network Publicip174
 network-object host *.*.*.*
object-group network Corpus
 network-object 10.0.1.0 255.255.255.0
object-group network MacServer
 network-object host 10.0.1.5
access-list NONAT extended permit ip object-group Corpus object-group Austin
access-list NONAT extended permit ip host 10.0.1.5 VPNClient 255.255.255.0
access-list NONAT extended permit ip any VPNClient 255.255.255.192
access-list NONAT extended permit ip 10.0.1.0 255.255.255.0 VPNClient 255.255.255.0
access-list AustinVPN extended permit ip object-group Corpus object-group Austin
access-list inside_access_in extended permit ip 10.0.1.0 255.255.255.0 VPNClient 255.255.255.0
access-list 50 extended permit icmp any any echo-reply
access-list 50 extended permit icmp any any source-quench
access-list 50 extended permit icmp any any unreachable
access-list 50 extended permit icmp any any time-exceeded
access-list 50 extended permit tcp any host *.*.*.*
access-list 50 extended permit udp any host *.*.*.*
access-list 50 extended permit tcp any host *.*.*.*
access-list 50 extended permit udp any host *.*.*.*
access-list inside_access_in_1 extended permit ip any any
access-list aplawremote_splitTunnelAcl standard permit 10.0.1.0 255.255.255.0
access-list appleserver extended permit ip 10.0.1.0 255.255.255.0 VPNClient 255.255.255.0
access-list capture extended permit ip host 192.168.10.2 host 10.0.1.5
access-list capture extended permit ip host 10.0.1.5 host 192.168.10.2
access-list capture1 extended permit ip host *.*.*.* host *.*.*.*
access-list capture1 extended permit ip host *.*.*.* host *.*.*.*
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool REMOTEVPN 192.168.10.1-192.168.10.50
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) *.*.*.* 10.0.1.5 netmask 255.255.255.255
static (inside,outside) *.*.*.* 10.0.1.200 netmask 255.255.255.255
access-group inside_access_in_1 in interface inside
access-group 50 in interface outside
route outside 0.0.0.0 0.0.0.0 *.*.*.* 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http *.*.*.* outside
http *.*.*.* inside
http 10.0.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map CorpusClientVPN 1 set pfs group1
crypto dynamic-map CorpusClientVPN 1 set transform-set ESP-3DES-SHA2
crypto map outside_map 1 match address AustinVPN
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer *.*.*.*
crypto map outside_map 1 set transform-set ESP-3DES-SHA2
crypto map outside_map 65535 ipsec-isakmp dynamic CorpusClientVPN
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet *.*.*.* inside
telnet timeout 5
ssh *.*.*.* inside
ssh *.*.*.* outside
ssh timeout 10
ssh version 2
console timeout 0
management-access inside
dhcpd address 10.0.1.10-10.0.1.25 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
 enable outside
group-policy aplawremote internal
group-policy aplawremote attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value aplawremote_splitTunnelAcl
 user-authentication enable
 address-pools value REMOTEVPN
group-policy aplawremote1 internal
group-policy aplawremote1 attributes
 dns-server value 8.8.8.8 8.8.4.4
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value appleserver
username absolute password 8OmgqfUD6gNGhifA encrypted privilege 15
username absolute attributes
 vpn-group-policy aplawremote1
username admin password RNwSCC27JFXNk4tE encrypted privilege 15
username admin attributes
 vpn-group-policy aplawremote1
username remoteuser password NNOSNueZeXtjdJrQ encrypted
username remoteuser attributes
 vpn-group-policy aplawremote1
 service-type admin
username cisco password 3USUcOPFUiMCO4Jk encrypted
tunnel-group *.*.*.* type ipsec-l2l
tunnel-group *.*.*.* ipsec-attributes
 pre-shared-key *****
tunnel-group aplawremote type remote-access
tunnel-group aplawremote general-attributes
 address-pool REMOTEVPN
 default-group-policy aplawremote
tunnel-group aplawremote ipsec-attributes
 pre-shared-key *****
tunnel-group aplawremote1 type remote-access
tunnel-group aplawremote1 general-attributes
 address-pool REMOTEVPN
 default-group-policy aplawremote1
tunnel-group aplawremote1 ipsec-attributes
 pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:276451b650fdb0a75911a9f8d8410705
: end
0
 
LVL 22

Expert Comment

by:mcsween
ID: 38763824
These should be trunk ports, not access ports. You can set the allowed VLANs on the trunk or allow all. You can also set the native VLAN (this must be set the same on both ends, switch and router).
The commands below allow VLANs 2, 10 and 20 through 40:

switchport mode trunk
switchport trunk allowed vlan 2,10,20-40
switchport trunk native vlan 2


0

 
LVL 22

Accepted Solution

by:
mcsween earned 2000 total points
ID: 38763853
After reviewing your config, trunking this port won't help (though it should be done anyway). Client A wants to print to Printer B.

What is Client A's subnet and gateway?
What is Printer B's subnet and gateway?
0
 

Author Comment

by:Robert Ener
ID: 38763884
The SonicWall that is plugged into port 7 is configured with the gateway coming from my ISP; they wanted a public IP on their SonicWall. The printer is configured with 10.0.1.150.
ASA-5505.pdf
0
 
LVL 22

Expert Comment

by:mcsween
ID: 38763967
The only way they will be able to print to that printer is to open port 9100 on the outside interface or create a VPN between the SonicWALL and the Cisco.  This is not a routing problem as their traffic is routed to the internet at the SonicWALL.  Your firewall (outside --> inside ACL) is blocking this traffic.  You will also need a static mapping.

I'm using
1.1.1.1 as the public IP of their SonicWALL
2.2.2.2 as the public IP of your ASA
10.10.10.10 as the IP of the printer.
Also assuming you are printing using TCP 9100 (Windows IP Port Default)

! ACL on outside: only the destination carries "eq 9100"; the print job's source port is ephemeral
access-list 50 extended permit tcp host 1.1.1.1 host 2.2.2.2 eq 9100
! static: mapped (public) IP/port first, then the real inside host (write "interface" in place of 2.2.2.2 if it is the outside interface's own address)
static (inside,outside) tcp 2.2.2.2 9100 10.10.10.10 9100 netmask 255.255.255.255


0
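To make the reasoning in the last comment checkable, here is an added example (not code from this thread or from Cisco): a small Python model of the two things an ASA running pre-8.3 software does with a packet that arrives on the outside interface, namely the inbound ACL bound with "access-group ... in interface outside" (evaluated against the public, pre-NAT destination, first match wins, implicit deny at the end) and a "static (inside,outside) tcp" port mapping that un-translates the public address and port to the inside host. The config excerpt is constructed in the shape of the posted config, using the placeholders from the answer (1.1.1.1 = their SonicWALL, 2.2.2.2 = the ASA's outside address, 10.10.10.10 = the printer); object-groups, named hosts and ICMP types are out of scope and such lines are skipped.

```python
"""Inbound-flow checker for a pre-8.3 style ASA config (added example, not code
from this thread or from Cisco). Placeholders from the answer: 1.1.1.1 = remote
SonicWALL, 2.2.2.2 = ASA outside, 10.10.10.10 = printer. Object-groups, named
hosts and ICMP types are unsupported; those config lines are skipped."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip", "tcp", "udp", "icmp"
    src: ipaddress.IPv4Network
    src_port: Optional[int]
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]


@dataclass
class Static:                       # static (inside,outside) tcp MAPPED MPORT REAL RPORT
    proto: str
    mapped_ip: str
    mapped_port: int
    real_ip: str
    real_port: int


def _addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, Optional[int], int]:
    """Consume 'any' | 'host A.B.C.D' | 'NET MASK' plus an optional 'eq PORT'."""
    if t[i] == "any":
        net, i = ANY, i + 1
    elif t[i] == "host":
        net, i = ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    else:
        net, i = ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2
    port = None
    if i < len(t) and t[i] == "eq":
        port, i = int(t[i + 1]), i + 2
    return net, port, i


def parse_config(text: str):
    """Return (ACLs by name, static port mappings, inbound ACL bound per interface)."""
    acls: Dict[str, List[Ace]] = {}
    statics: List[Static] = []
    bound: Dict[str, str] = {}
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] == "!":
            continue
        try:
            if t[0] == "access-list" and t[2] == "extended":
                src, sport, i = _addr(t, 5)
                dst, dport, _ = _addr(t, i)
                acls.setdefault(t[1], []).append(Ace(t[3], t[4], src, sport, dst, dport))
            elif t[0] == "static" and t[2] in ("tcp", "udp"):
                statics.append(Static(t[2], t[3], int(t[4]), t[5], int(t[6])))
            elif t[0] == "access-group" and t[2] == "in":
                bound[t[4]] = t[1]          # access-group NAME in interface IFC
        except (ValueError, IndexError):
            continue                        # object-group / named-host lines: skipped
    return acls, statics, bound


def check_inbound(config: str, src_ip: str, dst_ip: str, dst_port: int,
                  proto: str = "tcp", src_port: Optional[int] = None) -> dict:
    """Evaluate one packet arriving on 'outside' towards a public address/port."""
    acls, statics, bound = parse_config(config)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    permitted, matched = False, None
    for ace in acls.get(bound.get("outside", ""), []):
        if ace.proto not in ("ip", proto) or src not in ace.src or dst not in ace.dst:
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        # an ACE that pins the source port never matches a client using an ephemeral port
        if ace.src_port is not None and ace.src_port != src_port:
            continue
        permitted, matched = ace.action == "permit", ace
        break                               # first match wins; no match = implicit deny
    xlate = next((s for s in statics if s.proto == proto
                  and s.mapped_ip == dst_ip and s.mapped_port == dst_port), None)
    translated = (xlate.real_ip, xlate.real_port) if xlate else None
    return {"permitted": permitted, "matched": matched, "translated_to": translated,
            "reaches_inside": permitted and translated is not None}


# Constructed excerpt in the shape of the posted config: outside ACL "50", no 9100 entry.
BEFORE = """\
access-list 50 extended permit icmp any any echo-reply
access-list 50 extended permit icmp any any unreachable
access-list 50 extended permit tcp any host 2.2.2.3
access-group 50 in interface outside
"""

# The ACL entry and static port mapping the answer calls for, appended at the end of the list.
AFTER = BEFORE + """\
access-list 50 extended permit tcp host 1.1.1.1 host 2.2.2.2 eq 9100
static (inside,outside) tcp 2.2.2.2 9100 10.10.10.10 9100 netmask 255.255.255.255
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        r = check_inbound(cfg, "1.1.1.1", "2.2.2.2", 9100)
        print(f"{label}: permitted={r['permitted']} xlate={r['translated_to']} "
              f"reaches_printer={r['reaches_inside']}")
```

Run against BEFORE the flow is dropped by the implicit deny and has no translation; against AFTER it is permitted and un-translated to 10.10.10.10:9100, while the same port from any other source address is still denied, which is the value of pinning the ACE to the SonicWALL's address rather than opening 9100 to the world.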
