Cisco ASA 5512 LAN Config

NJ_CONSULTANT
NJ_CONSULTANT used Ask the Experts™
on
I have a Cisco 5512 ASA with Firepower Service running on a VPN.   It currently has a Static IP out to the internet for WAN, and then one port being used on 192.168.2.5 and Firepower on 192.168.2.3 IP's.    
Learning on how to set this up and playing with configs, but I can only access it when on a IP Address on the PC with 192.168.2.X network.  
How can I set a config on this to allow me to access it from other IP's like 192.168.1.X etc.
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Network Consultant
Commented:
So in the config you would have a command something like this:

http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside

would allow those 2 networks to access the ASA via the browser

ssh 192.168.1.0 255.255.255.0 inside

or

telnet 192.168.1.0 255.255.255.0 inside

would allow ssh or telnet from that network address.  

To add more networks you just duplicate the command with the other network.

If you wanted to allow anyone on the inside you would do this:

ssh 0.0.0.0 0.0.0.0 inside

Hope that helps.

Author

Commented:
I added those statements, but still can't get to it unless I am jack into the Switch on the 192.168.2.X network
Ken BooneNetwork Consultant

Commented:
Ok so the ASA needs to have a route in order to reach the other network that you are coming from.  So for instance let's say you are on 192.168.10.x.

The asa will need a route:

route 192.168.10.0 255.255.255.0 192.168.2.x inside

where .x is the router interface that will get him to the 10.x network.

That syntax might not be right.. I can't remember.. it is either what I have listed above or else it is like this:

route inside 192.168.10.0 255.255.255.0 192.168.2.x

Hope that helps.
Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

Author

Commented:
Ken, I will try this later tonight when I get a moment to sit in front of it.

Author

Commented:
Get an error that the IP is the ASA device itself

ciscoasa(config)# route inside 192.168.3.0 255.255.255.0 192.168.2.5
ERROR: Invalid next hop address 192.168.2.5, it matches our IP address
Ken BooneNetwork Consultant

Commented:
You need to use the next hop that the ASA needs to route to in order to reach the route destination

route inside 192.168.3.0 255.255.255.0 192.168.2.x    <-- this needs to be a layer 3 device on the 192.168.2.x network that can route to the 192.168.3.x network.
William MurrayNetwork Engineer

Commented:
Did you use the management port for access to the Firepower service?
William MurrayNetwork Engineer

Commented:
If you used the management interface you will need a route statement like. Or if you have a layer 3 router in your network,
ip route 192.168.2.0 255.255.255.0 via the inside ip on the asa?

Author

Commented:
WIlliam,  Yes the Firepower Module is using the Management Port
William MurrayNetwork Engineer

Commented:
So you then need a route route management 192.168.1.0 255.255.255.0 192.168.2.1
Ken BooneNetwork Consultant

Commented:
Are you having problems accessing the ASA or the firepower module?

Author

Commented:
Never had an issue accessing the firepower module or the VM Software for Firepower, was only for the ASA itself

Author

Commented:
I got access to the ASA per Ken's notes, now I can't get my VPN traffic to route to the internal network
Ken BooneNetwork Consultant

Commented:
ok so if the ASA can reach the internal network, that means this asa knows how to route traffic to that network.  Is this client vpn traffic of lan 2 lan vpn traffic?  

Do you have a nat statement that basically tells the internal traffic to NOT nat when talking to VPN users?  

Post your config lines that deal with the VPN.

Author

Commented:
The Client is the Cisco AnyConnect, not L2L traffic

I do not know if I have a NAT statement Ken, do you have an example statement I can try?

I can dump my config. its pretty messy right now from trying things.   Currently the ASA Connects to the Switch and then has a IP Passthrough to the ISP Router ( Wireless for Now Cradlepoint)

Author

Commented:
Thank you, that worked

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial