Cisco ASA 5512 LAN Config

I have a Cisco 5512 ASA with Firepower Service running on a VPN. It currently has a static IP out to the internet for WAN, and then one port being used on 192.168.2.5 and Firepower on 192.168.2.3 IPs.
Learning how to set this up and playing with configs, but I can only access it when the PC has an IP address on the 192.168.2.X network.
How can I set a config on this to allow me to access it from other IPs like 192.168.1.X etc.?
NJ_CONSULTANT Asked:

Ken Boone, Network Consultant, Commented:
So in the config you would have a command something like this:

http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside

would allow those 2 networks to access the ASA via the browser

ssh 192.168.1.0 255.255.255.0 inside

or

telnet 192.168.1.0 255.255.255.0 inside

would allow ssh or telnet from that network address.  

To add more networks you just duplicate the command with the other network.

If you wanted to allow anyone on the inside you would do this:

ssh 0.0.0.0 0.0.0.0 inside

Hope that helps.
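
An added example, not part of the original answer: a small audit that reads the management-access lines quoted above (`http`/`ssh`/`telnet <network> <mask> <interface>`) and flags the ones a reviewer would want to tighten, namely telnet rules and rules that admit any source address. The function name, the `max_addresses` threshold and the sample text are assumptions made for illustration.

```python
import ipaddress

MGMT_PROTOCOLS = {"http", "ssh", "telnet"}

# Constructed sample: the management-access lines quoted in the answer above.
SAMPLE_CONFIG = """\
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
"""

def audit_mgmt_access(config_text, max_addresses=1024):
    """Return (config line, finding) pairs for management rules worth reviewing."""
    findings = []
    for raw in config_text.splitlines():
        parts = raw.split()
        # Rule form used on this page: <protocol> <network> <mask> <interface>
        if len(parts) != 4 or parts[0] not in MGMT_PROTOCOLS:
            continue
        proto, net, mask, nameif = parts
        try:
            source = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        except ValueError:
            continue  # some other ssh/http setting, not a source-network rule
        line = " ".join(parts)
        if proto == "telnet":
            findings.append((line, "telnet sends credentials in cleartext; use ssh"))
        if source.prefixlen == 0:
            findings.append((line, f"any source address may reach {proto} on {nameif}"))
        elif source.num_addresses > max_addresses:
            findings.append((line, f"broad source range {source} on {nameif}"))
    return findings

if __name__ == "__main__":
    for line, finding in audit_mgmt_access(SAMPLE_CONFIG):
        print(f"{line}\n    -> {finding}")
```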

NJ_CONSULTANT, Author, Commented:
I added those statements, but still can't get to it unless I am jacked into the switch on the 192.168.2.X network
Ken Boone, Network Consultant, Commented:
Ok so the ASA needs to have a route in order to reach the other network that you are coming from.  So for instance let's say you are on 192.168.10.x.

The asa will need a route:

route 192.168.10.0 255.255.255.0 192.168.2.x inside

where .x is the router interface that will get him to the 10.x network.

That syntax might not be right.. I can't remember.. it is either what I have listed above or else it is like this:

route inside 192.168.10.0 255.255.255.0 192.168.2.x

Hope that helps.
NJ_CONSULTANT, Author, Commented:
Ken, I will try this later tonight when I get a moment to sit in front of it.
NJ_CONSULTANT, Author, Commented:
Get an error that the IP is the ASA device itself

ciscoasa(config)# route inside 192.168.3.0 255.255.255.0 192.168.2.5
ERROR: Invalid next hop address 192.168.2.5, it matches our IP address
Ken Boone, Network Consultant, Commented:
You need to use the next hop that the ASA needs to route to in order to reach the route destination

route inside 192.168.3.0 255.255.255.0 192.168.2.x    <-- this needs to be a layer 3 device on the 192.168.2.x network that can route to the 192.168.3.x network.
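
An added example, not part of the original thread: a pre-flight check for a `route <interface> <dest> <mask> <next-hop>` line that catches the mistake shown in the error above (next hop equal to the ASA's own address) and a next hop that is not on the interface's connected subnet. These checks are a reviewer's sanity model, not the ASA's own validation logic; the function name and the router address 192.168.2.254 used in the demo are constructed.

```python
import ipaddress

def check_static_route(route_cmd, interfaces):
    """Return a list of problems with a static route; empty means it looks sane.

    interfaces maps nameif -> "ip/mask" of the ASA's own interface address.
    """
    parts = route_cmd.split()
    if len(parts) < 5 or parts[0] != "route":
        return ["not a static route command"]
    nameif, dest, mask, next_hop = parts[1:5]
    if nameif not in interfaces:
        return [f"unknown interface {nameif}"]
    own = ipaddress.ip_interface(interfaces[nameif])
    try:
        ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        hop = ipaddress.ip_address(next_hop)
    except ValueError:
        # A placeholder such as 192.168.2.x ends up here.
        return ["destination or next hop is not a valid address"]
    problems = []
    if hop == own.ip:
        problems.append("next hop is the ASA's own address")
    elif hop not in own.network:
        problems.append(f"next hop is not on the connected subnet {own.network}")
    elif hop in (own.network.network_address, own.network.broadcast_address):
        problems.append("next hop is the network or broadcast address")
    return problems

if __name__ == "__main__":
    # Inside interface address taken from the error message in the thread.
    asa = {"inside": "192.168.2.5/255.255.255.0"}
    for cmd in (
        "route inside 192.168.3.0 255.255.255.0 192.168.2.5",    # from the thread
        "route inside 192.168.3.0 255.255.255.0 192.168.2.254",  # constructed router IP
    ):
        print(cmd, "->", check_static_route(cmd, asa) or "ok")
```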
William Murray, Network Engineer, Commented:
Did you use the management port for access to the Firepower service?
William Murray, Network Engineer, Commented:
If you used the management interface you will need a route statement like. Or if you have a layer 3 router in your network,
ip route 192.168.2.0 255.255.255.0 via the inside ip on the asa?
NJ_CONSULTANT, Author, Commented:
William, yes, the Firepower module is using the management port
William Murray, Network Engineer, Commented:
So you then need a route:

route management 192.168.1.0 255.255.255.0 192.168.2.1
Ken Boone, Network Consultant, Commented:
Are you having problems accessing the ASA or the firepower module?
NJ_CONSULTANT, Author, Commented:
Never had an issue accessing the firepower module or the VM Software for Firepower, was only for the ASA itself
NJ_CONSULTANT, Author, Commented:
I got access to the ASA per Ken's notes, now I can't get my VPN traffic to route to the internal network
Ken Boone, Network Consultant, Commented:
OK, so if the ASA can reach the internal network, that means this ASA knows how to route traffic to that network. Is this client VPN traffic or LAN-to-LAN VPN traffic?

Do you have a nat statement that basically tells the internal traffic to NOT nat when talking to VPN users?  

Post your config lines that deal with the VPN.
NJ_CONSULTANT, Author, Commented:
The Client is the Cisco AnyConnect, not L2L traffic

I do not know if I have a NAT statement Ken, do you have an example statement I can try?

I can dump my config. It's pretty messy right now from trying things. Currently the ASA connects to the switch and then has an IP passthrough to the ISP router (wireless for now, Cradlepoint)
NJ_CONSULTANT, Author, Commented:
Thank you, that worked