Solved

ASA 5510: Want to route into the same interface to reach another network

Posted on 2014-07-15
Last Modified: 2014-07-18
I have configured an ASA 5510 with many services, most of them are working ok (DMZ, Internet, Routing to branch offices) but I cannot route computers on networks 192.168.0.0/16 to network 193.168.1.0/24. To reach 193.168.1.0/24, traffic needs to pass through 192.168.0.249 (located in the same network as the ASA). Here's the configuration:

ASA Version 8.2(1)
!
hostname ASAFCHFW
domain-name midominio.com
enable password 6Jfo5anznhoG00fM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address xxx.yyy.zzz.123 255.255.255.248
!
interface Ethernet0/1
 nameif Branch_Office
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 10
 ip address 172.16.31.1 255.255.255.0
!
interface Ethernet0/3
 nameif Inside
 security-level 100
 ip address 192.168.0.2 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name farmaciachavez.com.bo
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network POSLINKSER
 network-object host 192.168.41.101
 network-object host 192.168.41.102
 network-object host 192.168.41.103
 network-object host 192.168.41.104
 network-object host 192.168.41.105
 network-object host 192.168.41.106
 network-object host 192.168.27.101
 network-object host 192.168.27.102
 network-object host 192.168.27.103
 network-object host 192.168.27.104
 network-object host 192.168.27.105
 network-object host 192.168.27.106
 network-object host 192.168.42.101
 network-object host 192.168.42.102
 network-object host 192.168.42.103
 network-object host 192.168.42.104
 network-object host 192.168.42.105
 network-object host 192.168.42.106
 network-object host 192.168.23.101
 network-object host 192.168.23.102
 network-object host 192.168.23.103
 network-object host 192.168.23.104
 network-object host 192.168.23.105
 network-object host 192.168.23.106
 network-object host 192.168.39.101
 network-object host 192.168.39.102
 network-object host 192.168.39.103
 network-object host 192.168.39.104
 network-object host 192.168.39.105
 network-object host 192.168.39.106
 network-object host 192.168.40.101
 network-object host 192.168.40.102
 network-object host 192.168.40.103
 network-object host 192.168.40.104
 network-object host 192.168.40.105
 network-object host 192.168.40.106
 network-object host 192.168.0.62
access-list dmz_in extended permit ip host 172.16.31.2 any
access-list dmz_in extended permit tcp host 172.16.31.2 any
access-list dmz_in extended permit udp host 172.16.31.2 any
access-list dmz_in extended permit tcp host 172.16.31.2 any eq 3000
access-list dmz_in extended permit tcp host 172.16.31.2 any eq https
access-list dmz_in extended permit udp host 172.16.31.2 any eq domain
access-list dmz_in extended permit tcp host 172.16.31.2 any eq pop3
access-list dmz_in extended permit tcp host 172.16.31.2 any eq smtp
access-list dmz_in extended permit tcp host 172.16.31.2 any eq www
access-list dmz_in extended permit tcp host 172.16.31.2 any eq 1000
access-list dmz_in extended permit tcp host 172.16.31.2 any eq echo
access-list Inside extended permit ip any any
access-list Inside extended permit icmp any any
access-list Inside extended permit tcp any any
access-list 100 extended permit ip any host xxx.yyy.zzz.122
access-list 100 extended permit tcp any host xxx.yyy.zzz.122
access-list 100 extended permit udp any host xxx.yyy.zzz.122
access-list linkser extended permit ip any 193.168.1.0 255.255.255.0
access-list linkser extended permit ip 193.168.1.0 255.255.255.0 any
access-list linkser extended permit tcp 193.168.1.0 255.255.255.0 any
access-list linkser extended permit tcp any 193.168.1.0 255.255.255.0
access-list linkser extended permit ip 192.168.0.0 255.255.255.0 193.168.1.0 255.255.255.0
access-list netflow-export extended permit ip any any
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination Inside 192.168.0.54 9996
flow-export template timeout-rate 1
flow-export delay flow-create 60
mtu Outside 1500
mtu Branch_Office 1500
mtu DMZ 1500
mtu Inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit host 192.168.0.43 Outside
icmp permit any Outside
icmp permit any DMZ
asdm image disk0:/asdm-647.bin
asdm history enable
arp timeout 14400
global (Outside) 101 interface
global (DMZ) 101 interface
global (Inside) 102 interface
global (Inside) 102 192.168.0.0 netmask 255.255.255.0
nat (Branch_Office) 101 0.0.0.0 0.0.0.0
nat (DMZ) 101 0.0.0.0 0.0.0.0
nat (Inside) 102 access-list linkser
nat (Inside) 101 0.0.0.0 0.0.0.0
static (DMZ,Inside) 172.16.31.0 172.16.31.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (Inside,Branch_Office) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (DMZ,Branch_Office) 172.16.31.0 172.16.31.0 netmask 255.255.255.0
static (Branch_Office,DMZ) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (Branch_Office,Inside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
static (Branch_Office,Inside) 172.16.2.0 172.16.2.0 netmask 255.255.255.0
static (Branch_Office,Inside) 172.16.3.0 172.16.3.0 netmask 255.255.255.0
static (Branch_Office,DMZ) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.44.0 192.168.44.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.21.0 192.168.21.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.35.0 192.168.35.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.37.0 192.168.37.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.43.0 192.168.43.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.45.0 192.168.45.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.28.0 192.168.28.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.33.0 192.168.33.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.30.0 192.168.30.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.25.0 192.168.25.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.27.0 192.168.27.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.26.0 192.168.26.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.34.0 192.168.34.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.23.0 192.168.23.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.39.0 192.168.39.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.29.0 192.168.29.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.22.0 192.168.22.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.32.0 192.168.32.0 netmask 255.255.255.0
static (DMZ,Outside) xxx.yyy.zzz.122 172.16.31.2 netmask 255.255.255.255 dns
static (Inside,Inside) 193.168.1.0 192.168.0.249 netmask 255.255.255.255
access-group 100 in interface Outside
route Outside 0.0.0.0 0.0.0.0 xxx.yyy.zzz.121 20
route Branch_Office 172.16.1.0 255.255.255.0 192.168.2.2 1
route Branch_Office 172.16.2.0 255.255.255.0 192.168.2.2 1
route Branch_Office 172.16.3.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.1.0.0 255.255.192.0 192.168.2.2 1
route Branch_Office 192.168.20.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.21.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.22.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.23.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.25.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.26.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.27.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.28.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.29.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.30.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.32.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.33.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.34.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.35.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.37.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.39.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.43.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.44.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.45.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.100.0 255.255.255.0 192.168.2.2 1
route Inside 193.168.1.0 255.255.255.0 192.168.0.249 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.0.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 Branch_Office
telnet 172.16.31.0 255.255.255.0 DMZ
telnet 192.168.0.0 255.255.255.0 Inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username eguerra password dr6zkC4iOPQHLH5f encrypted privilege 15
!
class-map netflow-export-class
 match access-list netflow-export
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
policy-map netflow-export-policy
 class netflow-export-class
  flow-export event-type all destination 192.168.0.54
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:405977f6d76e3cdbb66b576c8c8cbc64
: end
ASAFCHFW(config)#
Question by: edumatico

3 Comments
Accepted Solution by: Dave Howe (LVL 33, earned 2000 total points), ID: 40199544
What you are talking about appears to be "hairpinning" and for 8.2 that was the command:

same-security-traffic permit intra-interface

(click link for manual page)
Author Comment by: edumatico, ID: 40200198
Yes, it is hairpinning, but I tried this morning to do this and it seems to have no good results. It seems to have a conflict with network 192.168.0.0. I will try this again.
Expert Comment by: Dave Howe (LVL 33), ID: 40201465
Odd. OK, looking through your config, I see a static NAT:
static (Inside,Inside) 193.168.1.0 192.168.0.249 netmask 255.255.255.255
What is the purpose of this? Might be worth removing it and seeing if that helps?
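As an added example (not from the thread or from Cisco), a small Python audit of the two points the comments raise: it reads the relevant lines of an ASA 8.2 config, reports a route whose next hop sits on the interface the traffic arrives on when the intra-interface permit is absent, and reports any self-referencing static that rewrites addresses inside that routed prefix. The excerpt is constructed from the question's config with the intra-interface line deliberately left out so both checks fire; the `ASA_CONFIG` and `INTRA` names and the wording of the findings are assumptions of this example.

```python
import ipaddress
import re

# Constructed excerpt of the ASA 8.2(1) config posted in the question; only the
# lines that matter for the Inside -> 193.168.1.0/24 hairpin path are kept, and
# "same-security-traffic permit intra-interface" is left out on purpose.
ASA_CONFIG = """\
interface Ethernet0/3
 nameif Inside
 security-level 100
 ip address 192.168.0.2 255.255.255.0
static (Inside,Inside) 193.168.1.0 192.168.0.249 netmask 255.255.255.255
route Inside 193.168.1.0 255.255.255.0 192.168.0.249 1
"""
INTRA = "same-security-traffic permit intra-interface"


def parse_interfaces(cfg):
    """Map each nameif to its connected network, read from the interface blocks."""
    nets, name = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            name = None                      # new block: forget the previous nameif
        elif m := re.match(r"\s+nameif (\S+)", line):
            name = m.group(1)
        elif (m := re.match(r"\s+ip address (\S+) (\S+)", line)) and name:
            nets[name] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
    return nets


def audit_hairpin(cfg):
    """Return findings about routes that send traffic back out the interface it came in on."""
    nets, findings = parse_interfaces(cfg), []
    intra_ok = INTRA in cfg.splitlines()
    statics = re.findall(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)", cfg, re.M)
    for intf, net, mask, gw in re.findall(r"^route (\S+) (\S+) (\S+) (\S+)", cfg, re.M):
        dest = ipaddress.ip_network(f"{net}/{mask}")
        if intf not in nets:
            findings.append(f"route {dest}: unknown interface {intf}")
            continue
        if ipaddress.ip_address(gw) not in nets[intf]:
            findings.append(f"route {dest}: gateway {gw} is not on {intf} ({nets[intf]})")
        elif not intra_ok:
            # Hosts on intf reach dest through a gateway on the same interface; the ASA
            # drops that hairpin unless intra-interface traffic is permitted.
            findings.append(f"route {dest} via {intf}: needs '{INTRA}' for hosts on {intf}")
        for s_if, d_if, mapped, real, smask in statics:
            # A self-referencing static whose mapped address lies inside the routed
            # prefix rewrites part of it; the thread asks what that static is for.
            if s_if == d_if == intf and ipaddress.ip_address(mapped) in dest:
                findings.append(f"static ({s_if},{d_if}) maps {mapped}/{smask} to {real} "
                                f"inside routed {dest}: verify its purpose")
    return findings
```

Running `audit_hairpin(ASA_CONFIG)` yields two findings; appending the intra-interface line (as the posted config actually has) leaves only the static, which is the one the expert comment asks about.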