Link to home
Start Free TrialLog in
Avatar of NJ_CONSULTANT
NJ_CONSULTANTFlag for United States of America

asked on

Cisco ASA 5512 LAN Config

I have a Cisco 5512 ASA with Firepower Service running on a VPN.   It currently has a Static IP out to the internet for WAN, and then one port being used on 192.168.2.5 and Firepower on 192.168.2.3 IP's.    
Learning on how to set this up and playing with configs, but I can only access it when on a IP Address on the PC with 192.168.2.X network.  
How can I set a config on this to allow me to access it from other IP's like 192.168.1.X etc.
ASKER CERTIFIED SOLUTION
Avatar of Ken Boone
Ken Boone
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of NJ_CONSULTANT

ASKER

I added those statements, but still can't get to it unless I am jack into the Switch on the 192.168.2.X network
Ok so the ASA needs to have a route in order to reach the other network that you are coming from.  So for instance let's say you are on 192.168.10.x.

The asa will need a route:

route 192.168.10.0 255.255.255.0 192.168.2.x inside

where .x is the router interface that will get him to the 10.x network.

That syntax might not be right.. I can't remember.. it is either what I have listed above or else it is like this:

route inside 192.168.10.0 255.255.255.0 192.168.2.x

Hope that helps.
Ken, I will try this later tonight when I get a moment to sit in front of it.
Get an error that the IP is the ASA device itself

ciscoasa(config)# route inside 192.168.3.0 255.255.255.0 192.168.2.5
ERROR: Invalid next hop address 192.168.2.5, it matches our IP address
You need to use the next hop that the ASA needs to route to in order to reach the route destination

route inside 192.168.3.0 255.255.255.0 192.168.2.x    <-- this needs to be a layer 3 device on the 192.168.2.x network that can route to the 192.168.3.x network.
Did you use the management port for access to the Firepower service?
If you used the management interface you will need a route statement like. Or if you have a layer 3 router in your network,
ip route 192.168.2.0 255.255.255.0 via the inside ip on the asa?
WIlliam,  Yes the Firepower Module is using the Management Port
So you then need a route route management 192.168.1.0 255.255.255.0 192.168.2.1
Are you having problems accessing the ASA or the firepower module?
Never had an issue accessing the firepower module or the VM Software for Firepower, was only for the ASA itself
I got access to the ASA per Ken's notes, now I can't get my VPN traffic to route to the internal network
ok so if the ASA can reach the internal network, that means this asa knows how to route traffic to that network.  Is this client vpn traffic of lan 2 lan vpn traffic?  

Do you have a nat statement that basically tells the internal traffic to NOT nat when talking to VPN users?  

Post your config lines that deal with the VPN.
The Client is the Cisco AnyConnect, not L2L traffic

I do not know if I have a NAT statement Ken, do you have an example statement I can try?

I can dump my config. its pretty messy right now from trying things.   Currently the ASA Connects to the Switch and then has a IP Passthrough to the ISP Router ( Wireless for Now Cradlepoint)
Thank you, that worked