Solved

Create route to alternate gateway in ASA 5510

Posted on 2014-08-20
Last Modified: 2014-11-30
My apologies, I am fairly green when it comes to Cisco.

I have a setup in which I have a Cisco box as my default gateway (with local address 192.168.99.1, let's say) and another router which I intend to use as a VPN appliance at 192.168.99.2. The VPN network is 172.16.0.0, so I need to add a static route to the Cisco which routes traffic to/from 172.16.0.0 to the gateway 192.168.99.2. I added a default route which seems to work; however, the ASA seems to get hung up on an implicit rule (according to the Packet Tracer).

[Screenshot: Cisco inside rules]
If I try to manually add rules to allow traffic in both directions on the inside interface, it automatically overwrites the first implicit rule. How do I add the rules I need?
Question by:medium_grade
6 Comments

Expert Comment

by:lruiz52
ID: 40274906
Please post a sanitized config for both cisco devices.

Expert Comment

by:pony10us
ID: 40274946
Based on the picture you need to re-sequence the ACL.

Example:

Router(config)# ip access-list resequence inside 100 10

should re-sequence starting at 100 and incrementing by 10.

Then you can insert up to 9 lines after the permit line and keep the deny any any as the last line.
Author Comment

by:medium_grade
ID: 40274967
Only the primary gateway (192.168.66.1) is a Cisco.

I can get communication to work if I manually add a static route to systems on the internal network so they know to use the alternate gateway when communicating with the 172.16.0.0 network, so I am fairly sure the issue is with the default gateway.

Cryptochecksum: ????????????????????????????????????????
: Saved
: Written by enable_15 at 13:42:49.775 UTC Wed Aug 20 2014
!
ASA Version 8.2(5)
!
hostname STA-5510
domain-name myorg.ca.org
enable password ???????????????? encrypted
passwd ???????????????? encrypted
names
!
interface Ethernet0/0
 description TPAC Primary ISP
 nameif outside
 security-level 0
 ip address 64.???.???2.150 255.255.255.240
!
interface Ethernet0/1
 description OLD XO Backup ISP
 nameif backup
 security-level 1
 ip address 64.???.???.70 255.255.255.240
!
interface Ethernet0/2
 description Inside
 nameif inside
 security-level 100
 ip address 192.168.99.1 255.255.255.0
!
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 no ip address
 management-only
!
regex Pandora "\.pandora\.com"
ftp mode passive
dns domain-lookup outside
dns domain-lookup backup
dns domain-lookup inside
dns server-group DefaultDNS
 domain-name myorg.ca.org
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 64.???.???2.150 eq https
access-list outside_access_in extended permit tcp any host 64.???.???2.150 eq www
access-list outside_access_in extended permit tcp any host 64.???.???2.150 eq 9675
access-list outside_access_in extended permit tcp any host 64.???.???2.150 eq 9676
access-list outside_access_in extended permit tcp any host 64.???.???2.148 eq https
access-list outside_access_in extended permit tcp any host 64.???.???2.148 eq www
access-list outside_access_in extended permit tcp any host 64.???.???2.148 eq smtp
access-list backup_access_in extended permit icmp any any
access-list backup_access_in extended permit tcp any host 64.???.???.70 eq https
access-list backup_access_in extended permit tcp any host 64.???.???.70 eq www
access-list backup_access_in extended permit tcp any host 64.???.???.70 eq 9675
access-list backup_access_in extended permit tcp any host 64.???.???.70 eq 9676
access-list backup_access_in extended permit tcp any host 64.???.???.72 eq https
access-list backup_access_in extended permit tcp any host 64.???.???.72 eq www
access-list backup_access_in extended permit tcp any host 64.???.???.72 eq smtp
access-list backup_access_in extended permit ip any 172.16.0.0 255.255.255.0
access-list backup_access_in extended permit ip 172.16.0.0 255.255.255.0 any
access-list backup_access_in extended permit ip 192.168.99.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.99.0 255.255.255.0 192.168.2??.0 255.255.255.0
access-list nonat extended permit ip 192.168.2??.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list nonat extended permit ip 192.168.99.0 255.255.255.0 10.???.???.0 255.255.255.0
access-list nonat extended permit ip 192.168.99.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list nonat extended permit ip 172.16.0.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list orgsplit standard permit 192.168.99.0 255.255.255.0
access-list vpn_sta_2_ih extended permit ip 192.168.99.0 255.255.255.0 10.???.???.0 255.255.255.0
access-list stasslsplit standard permit 192.168.99.0 255.255.255.0
access-list stasslsplit standard permit 10.???.???.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 819200
logging console informational
logging monitor informational
logging buffered informational
logging trap informational
logging history informational
logging asdm informational
logging device-id ipaddress outside
flow-export destination inside 192.168.99.75 2002
mtu outside 1500
mtu backup 1500
mtu inside 1500
mtu management 1500
ip local pool orgpool 192.168.2??.1-192.168.2??.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649-103.bin
no asdm history enable
arp timeout 14400
global (outside) 1 64.???.???2.151
global (backup) 1 64.???.???.71
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,backup) 64.???.???.72 192.168.99.54 netmask 255.255.255.255
static (inside,outside) 64.???.???2.148 192.168.99.54 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group backup_access_in in interface backup
route outside 0.0.0.0 0.0.0.0 64.???.???2.145 1
route backup 0.0.0.0 0.0.0.0 64.???.???.65 254
route inside 172.16.0.0 255.255.255.0 192.168.99.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map ORGMAP
  map-name  STA IETF-Radius-Class
  map-value STA CN=VPN,DC=myorg,DC=ca,DC=org stasslgroup_bK
dynamic-access-policy-record DfltAccessPolicy
 action terminate
dynamic-access-policy-record ADAuth
aaa-server ldapgroup protocol ldap
aaa-server ldapgroup (inside) host 192.168.99.8
 ldap-base-dn dc=myorg, dc=ca, dc=org
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password ?????????????????
 ldap-login-dn cn=VPNAdmin, dc=myorg, dc=ca, dc=org
 server-type microsoft
 ldap-attribute-map ORGMAP
http server enable
http 192.168.99.0 255.255.255.0 inside
snmp-server host inside 192.168.99.8 community myorgorg
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 127
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 127 life forever start-time now
service resetoutside
crypto ipsec transform-set orgsplit-set esp-3des esp-sha-hmac
crypto ipsec transform-set orgsplit-set-bk esp-3des esp-sha-hmac
crypto ipsec transform-set org_vpn_set_primary esp-3des esp-sha-hmac
crypto ipsec transform-set org_vpn_set_backup esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 88 set transform-set orgsplit-set
crypto dynamic-map backup_dyn_map 99 set transform-set orgsplit-set-bk
crypto map outside_map 10 match address vpn_sta_2_ih
crypto map outside_map 10 set peer 98.1??.1??.55 99.1??.2??.93
crypto map outside_map 10 set transform-set org_vpn_set_primary
crypto map outside_map 11 match address vpn_sta_2_ih
crypto map outside_map 11 set peer 98.1??.1??.55 99.1??.2??.93
crypto map outside_map 11 set transform-set org_vpn_set_backup
crypto map outside_map 88 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map outside_map interface backup
crypto map backup_map 9 ipsec-isakmp dynamic backup_dyn_map
crypto ca trustpoint localtrust
 enrollment self
 fqdn stavpn.myorg.ca.org
 subject-name CN=myorg.ca.org
 keypair stavpnkey
 crl configure
crypto ca certificate chain localtrust
 certificate ?????????????????????????????????????????????????
  quit
crypto isakmp enable outside
crypto isakmp enable backup
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
track 1 rtr 128 reachability
telnet 192.168.99.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust outside
webvpn
 port 444
 enable outside
 enable backup
 svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy noaccess_pri internal
group-policy noaccess_pri attributes
 vpn-simultaneous-logins 0
group-policy noaccess_bk internal
group-policy noaccess_bk attributes
 vpn-simultaneous-logins 0
group-policy orgsplitpolicy_pri internal
group-policy orgsplitpolicy_pri attributes
 dns-server value 192.168.99.6 192.168.99.8
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value orgsplit
 default-domain value myorg.ca.org
group-policy orgsslpolicy_pri internal
group-policy orgsslpolicy_pri attributes
 dns-server value 192.168.99.6 192.168.99.8
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value stasslsplit
 default-domain value myorg.ca.org
group-policy orgsplitpolicy_bk internal
group-policy orgsplitpolicy_bk attributes
 dns-server value 192.168.99.6 192.168.99.8
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value orgsplit
 default-domain value myorg.ca.org
group-policy orgsslpolicy_bk internal
group-policy orgsslpolicy_bk attributes
 dns-server value 192.168.99.6 192.168.99.8
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value stasslsplit
 default-domain value myorg.ca.org
username test password ????????????? encrypted privilege 15
username vpnuser password ??????????? encrypted
username vpnuser attributes
 service-type remote-access
username neadmin password ????????????? encrypted
tunnel-group orgsplitgroup_pri type remote-access
tunnel-group orgsplitgroup_pri general-attributes
 address-pool orgpool
 authentication-server-group ldapgroup LOCAL
 default-group-policy orgsplitpolicy_pri
tunnel-group orgsplitgroup_pri ipsec-attributes
 pre-shared-key ???????????????????
tunnel-group orgsplitgroup_bk type remote-access
tunnel-group orgsplitgroup_bk general-attributes
 address-pool orgpool
 authentication-server-group ldapgroup LOCAL
 default-group-policy orgsplitpolicy_bk
tunnel-group orgsplitgroup_bk ipsec-attributes
 pre-shared-key ?????????????????
tunnel-group 98.1??.1??.55 type ipsec-l2l
tunnel-group 98.1??.1??.55 ipsec-attributes
 pre-shared-key ????????????????
 isakmp keepalive threshold 20 retry 3
tunnel-group stasslgroup_pri type remote-access
tunnel-group stasslgroup_pri general-attributes
 address-pool orgpool
 authentication-server-group ldapgroup LOCAL
 default-group-policy orgsslpolicy_pri
tunnel-group stasslgroup_bk type remote-access
tunnel-group stasslgroup_bk general-attributes
 address-pool orgpool
 authentication-server-group ldapgroup LOCAL
 default-group-policy orgsslpolicy_bk
!
class-map type regex match-any PandoraBlock
 match regex Pandora
class-map inspection_default
 match default-inspection-traffic
class-map type inspect http match-all AppHeaderClass
 match request header regex Pandora regex Pandora
class-map flow_export_class
 match any
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect http http_inspection_policy
 parameters
  protocol-violation action drop-connection
 match request method connect
  drop-connection log
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
policy-map flow_export_policy
 class flow_export_class
  flow-export event-type all destination 192.168.99.75
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:???????????????????????????????????????
: end
Author Comment

by:medium_grade
ID: 40274972
pony10us,

So just log into the CLI and execute that command?

Accepted Solution

by:pony10us (earned 1500 total points)
ID: 40275055
You need to be in config mode to enter the command to renumber the ACL.

login as: username
Using keyboard-interactive authentication.
Password: password
router>en
Password: enable password
router# config t
Enter configuration commands, one per line.  End with CNTL/Z.
router(config)# ip access-list resequence inside 100 10
.
.
. (don't have a sample of the output from this command)
router(config)# ip access-list extended inside
router(config-ext-nacl)# 105 the new command
router(config-ext-nacl)# exit
router(config)# exit
router# sh access-list
.
.
. (should see all three lines)
router# wr mem                (Only if satisfied that all three lines are there)
router# exit
router> exit

This is as close as I can get typing it all out. Please use caution.
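As an added example (not code from this thread, from Cisco, or from either participant), the following Python model replays the two decisions the firewall makes for a packet in the question's scenario: the first-match ACL with sequence numbers (why an inserted rule must land before the final deny, and how resequencing opens the gaps for it), and the longest-prefix route lookup that sends 172.16.0.0/24 traffic back to 192.168.99.2 on the inside interface. The addresses and ACL entries are constructed from the post; 203.0.113.1 is a placeholder for the redacted ISP next hop. One check a practitioner will want that the thread does not mention: the route lookup shows that inside-to-172.16.0.0/24 traffic enters and leaves on the same interface, and on an ASA such intra-interface (hairpin) traffic is dropped unless it has been explicitly permitted, so a correct ACL alone may not be enough. The model is device-agnostic; the exact CLI syntax for inserting an entry by line number differs between platforms.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    """One ACE: sequence number, action and source/destination prefixes."""
    seq: int
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def parse_rule(seq, text):
    """Parse a simplified ACE such as 'permit ip 192.168.99.0/24 any'."""
    action, proto, src, dst = text.split()
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported ACE: {text!r}")

    def to_net(s):
        return ipaddress.ip_network("0.0.0.0/0" if s == "any" else s)

    return Rule(seq, action, to_net(src), to_net(dst))


class AccessList:
    """First-match ACL with explicit sequence numbers and an implicit final deny."""

    def __init__(self):
        self.rules = []                  # always kept sorted by seq

    def add(self, seq, text):
        # A real device may silently replace the ACE at a reused sequence number
        # (the "overwrites the first implicit rule" symptom in the question);
        # the model refuses instead so the collision is visible.
        if any(r.seq == seq for r in self.rules):
            raise ValueError(f"sequence {seq} already in use")
        self.rules.append(parse_rule(seq, text))
        self.rules.sort(key=lambda r: r.seq)

    def resequence(self, start, step):
        """Renumber in current order, opening gaps for later insertions."""
        for i, r in enumerate(self.rules):
            r.seq = start + i * step

    def evaluate(self, src, dst):
        """Return (action, matching_seq); seq None means the implicit deny hit."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for r in self.rules:
            if s in r.src and d in r.dst:
                return r.action, r.seq
        return "deny", None


class RoutingTable:
    """Longest-prefix-match RIB; ties broken by lowest metric."""

    def __init__(self):
        self.routes = []                 # (prefix, interface, next_hop, metric)

    def add(self, iface, prefix, next_hop, metric=1):
        self.routes.append((ipaddress.ip_network(prefix), iface, next_hop, metric))

    def lookup(self, dst):
        d = ipaddress.ip_address(dst)
        hits = [r for r in self.routes if d in r[0]]
        if not hits:
            return None
        best = max(hits, key=lambda r: (r[0].prefixlen, -r[3]))
        return best[1], best[2]


def check_flow(ingress, src, dst, acl, rib):
    """Combine the inbound ACL verdict with the route lookup for one packet."""
    action, seq = acl.evaluate(src, dst)
    route = rib.lookup(dst)
    egress = route[0] if route else None
    return {
        "acl": action,
        "matched_seq": seq,
        "egress": egress,
        "next_hop": route[1] if route else None,
        # Same ingress and egress interface: the firewall must be configured
        # to allow intra-interface (hairpin) traffic or the packet is dropped.
        "hairpin": egress == ingress,
    }


def demo():
    """Replay the thread's scenario with addresses constructed from the post."""
    inside = AccessList()
    inside.add(1, "permit ip 192.168.99.0/24 any")   # stand-in for the implicit permit
    inside.add(2, "deny ip any any")                 # explicit copy of the implicit deny

    # Return traffic from the VPN network hits the final deny before resequencing.
    before = inside.evaluate("172.16.0.5", "192.168.99.10")

    inside.resequence(100, 10)                       # 1 -> 100, 2 -> 110
    inside.add(105, "permit ip 172.16.0.0/24 192.168.99.0/24")
    after = inside.evaluate("172.16.0.5", "192.168.99.10")

    rib = RoutingTable()
    rib.add("inside", "192.168.99.0/24", None)
    rib.add("inside", "172.16.0.0/24", "192.168.99.2")   # the static route from the config
    rib.add("outside", "0.0.0.0/0", "203.0.113.1")       # placeholder for the redacted ISP hop
    outbound = check_flow("inside", "192.168.99.10", "172.16.0.5", inside, rib)

    return {"before": before, "after": after, "outbound": outbound,
            "seqs": [r.seq for r in inside.rules]}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the block prints the verdict before and after the resequence-and-insert step, the final sequence numbers (100, 105, 110), and the outbound lookup, whose `hairpin` flag is the condition to check on the real device once the ACL looks right.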
Author Closing Comment

by:medium_grade
ID: 40473129
Ha! I did not know that. Now I can edit the rest of the config. Thanks!