asked on Cisco ASA 5512 LAN Config
I have a Cisco 5512 ASA with Firepower Service running on a VPN. It currently has a Static IP out to the internet for WAN, and then one port being used on 192.168.2.5 and Firepower on 192.168.2.3 IP's.
Learning on how to set this up and playing with configs, but I can only access it when on a IP Address on the PC with 192.168.2.X network.
How can I set a config on this to allow me to access it from other IP's like 192.168.1.X etc.
Learning on how to set this up and playing with configs, but I can only access it when on a IP Address on the PC with 192.168.2.X network.
How can I set a config on this to allow me to access it from other IP's like 192.168.1.X etc.
CiscoHardware FirewallsSoftware Firewalls
Last Comment
NJ_CONSULTANT
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
I added those statements, but still can't get to it unless I am jack into the Switch on the 192.168.2.X network
Ok so the ASA needs to have a route in order to reach the other network that you are coming from. So for instance let's say you are on 192.168.10.x.
The asa will need a route:
route 192.168.10.0 255.255.255.0 192.168.2.x inside
where .x is the router interface that will get him to the 10.x network.
That syntax might not be right.. I can't remember.. it is either what I have listed above or else it is like this:
route inside 192.168.10.0 255.255.255.0 192.168.2.x
Hope that helps.
The asa will need a route:
route 192.168.10.0 255.255.255.0 192.168.2.x inside
where .x is the router interface that will get him to the 10.x network.
That syntax might not be right.. I can't remember.. it is either what I have listed above or else it is like this:
route inside 192.168.10.0 255.255.255.0 192.168.2.x
Hope that helps.
ASKER
Ken, I will try this later tonight when I get a moment to sit in front of it.
ASKER
Get an error that the IP is the ASA device itself
ciscoasa(config)# route inside 192.168.3.0 255.255.255.0 192.168.2.5
ERROR: Invalid next hop address 192.168.2.5, it matches our IP address
ciscoasa(config)# route inside 192.168.3.0 255.255.255.0 192.168.2.5
ERROR: Invalid next hop address 192.168.2.5, it matches our IP address
You need to use the next hop that the ASA needs to route to in order to reach the route destination
route inside 192.168.3.0 255.255.255.0 192.168.2.x <-- this needs to be a layer 3 device on the 192.168.2.x network that can route to the 192.168.3.x network.
route inside 192.168.3.0 255.255.255.0 192.168.2.x <-- this needs to be a layer 3 device on the 192.168.2.x network that can route to the 192.168.3.x network.
Did you use the management port for access to the Firepower service?
If you used the management interface you will need a route statement like. Or if you have a layer 3 router in your network,
ip route 192.168.2.0 255.255.255.0 via the inside ip on the asa?
ip route 192.168.2.0 255.255.255.0 via the inside ip on the asa?
ASKER
WIlliam, Yes the Firepower Module is using the Management Port
So you then need a route route management 192.168.1.0 255.255.255.0 192.168.2.1
Are you having problems accessing the ASA or the firepower module?
ASKER
Never had an issue accessing the firepower module or the VM Software for Firepower, was only for the ASA itself
ASKER
I got access to the ASA per Ken's notes, now I can't get my VPN traffic to route to the internal network
ok so if the ASA can reach the internal network, that means this asa knows how to route traffic to that network. Is this client vpn traffic of lan 2 lan vpn traffic?
Do you have a nat statement that basically tells the internal traffic to NOT nat when talking to VPN users?
Post your config lines that deal with the VPN.
Do you have a nat statement that basically tells the internal traffic to NOT nat when talking to VPN users?
Post your config lines that deal with the VPN.
ASKER
The Client is the Cisco AnyConnect, not L2L traffic
I do not know if I have a NAT statement Ken, do you have an example statement I can try?
I can dump my config. its pretty messy right now from trying things. Currently the ASA Connects to the Switch and then has a IP Passthrough to the ISP Router ( Wireless for Now Cradlepoint)
I do not know if I have a NAT statement Ken, do you have an example statement I can try?
I can dump my config. its pretty messy right now from trying things. Currently the ASA Connects to the Switch and then has a IP Passthrough to the ISP Router ( Wireless for Now Cradlepoint)
ASKER
Thank you, that worked