ASA Routes
HELP!
I've just inherited a network and I'm having issues with the ASA. It is an ASA5540 configured with two outside interfaces.
GigabitEthernet0/0 unassigned
GigabitEthernet0/0.3 x.x.x.A
GigabitEthernet0/0.50 x.x.x.B
x.x.x.A is a backup bonded t1 while x.x.x.B is a 200MBps FIOS connection.
My issue is that all outbound internet traffic is using x.x.x.A and not x.x.x.B. Probably a very simple fix, but I'm afraid I'm going to break all kinds of NAT, VPN, etc.
By pasting in some of the configs, I'm hoping someone out there can help point me in the right direction to fix my wounded network.
route outside 0.0.0.0 0.0.0.0 x.x.x.A 1 track 1
route FIOS 0.0.0.0 0.0.0.0 x.x.x.B 250
global (outside) 1 interface
global (FIOS) 1 interface
nat (inside) 0 access-list NoNAT
nat (inside) 2 access-list MAILOUTNAT
nat (inside) 1 0.0.0.0 0.0.0.0
Gateway of last resort is x.x.x.A to network 0.0.0.0
S 192.168.40.0 255.255.255.0 [1/0] via x.x.x.A, outside
S 192.168.40.9 255.255.255.255 [1/0] via x.x.x.A, outside
S 192.168.40.10 255.255.255.255 [1/0] via x.x.x.A, outside
S 172.16.0.0 255.255.0.0 [1/0] via 10.111.252.5, inside
D 172.16.1.0 255.255.255.252
[90/2181376] via 10.111.252.5, 388:46:20, inside
D 172.16.1.2 255.255.255.255
[90/2181376] via 10.111.252.5, 388:46:20, inside
C X.X.X.B 255.255.255.0 is directly connected, FIOS
S* 0.0.0.0 0.0.0.0 [1/0] via X.X.X.A, outside
S 192.168.0.0 255.255.0.0 [1/0] via 10.111.252.1, inside
Hopefully I've provided enough of the config to shine some light on the issue. I really want outbound traffic to go to X.X.X.B instead of X.X.X.A network.
I see a SLA in place too, which I'm assuming is supposed to be used for a failover from X.X.X.B to X.X.X.A, but I don't think it's working, or maybe I don't fully understand how it's configured.
sla monitor 1
type echo protocol ipIcmpEcho 4.2.2.1 interface outside
frequency 10
sla monitor schedule 1 life forever start-time now
Anyways, if anyone out there could help out I'd be very very appreciative.
Thank you!
You should also have a "track" statement in the configuration that ties the ip sla operation to the track object your desired default route is set to use. Something like:
track 1 rtr 1 reachability
Without that, the preferred default route will not get a value for the tracked object and the backup route would kick in.
That aside, right now your statements:
route outside 0.0.0.0 0.0.0.0 x.x.x.A 1 track 1
route FIOS 0.0.0.0 0.0.0.0 x.x.x.B 250
...tell the ASA that as long as you can reach 4.2.2.1 to use the x.x.x.A default route. Only if the ip sla operation fails should you use the higher cost (AD 250) second static default route. If you want to reverse that setup then you would swap the bits following A and B in those statements.
If you're using VPN and NAT then, yes, other things would change. Your VPN users would need to point to the FIOS-connected interface. Outbound dynamic NAT would also need to be set up to use that interface, and any static NATs for incoming traffic would need to be modified/created as well.
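The reversed setup the reply describes, written out as an added example (it is not code from the original post): interface names, gateways and the 4.2.2.1 probe target are taken from the thread, while the unschedule/remove steps reflect standard ASA behaviour rather than anything quoted above.

```cisco
! Added example, not from the original post: FIOS (x.x.x.B) becomes the
! tracked primary and the bonded T1 (x.x.x.A) the floating backup.
! Names, gateways and the 4.2.2.1 probe target are the thread's own.

! 1. An active SLA operation cannot be edited in place: unschedule and
!    remove it, then redefine it so the probe leaves through FIOS.
!    A probe sourced from "outside" only ever reports the T1's health,
!    so tracking it would never fail over the FIOS link.
no sla monitor schedule 1
no sla monitor 1
sla monitor 1
 type echo protocol ipIcmpEcho 4.2.2.1 interface FIOS
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now

! 2. Bind the operation to the track object. Without this line track 1
!    has no state, the tracked route is never installed, and the AD-250
!    route is all the ASA ever uses.
track 1 rtr 1 reachability

! 3. Swap the default routes: FIOS is the tracked AD-1 route, the T1 the
!    AD-250 floating route that is only installed when track 1 is down.
!    Do this from the console: the management session's own path changes
!    part-way through.
no route outside 0.0.0.0 0.0.0.0 x.x.x.A 1 track 1
no route FIOS 0.0.0.0 0.0.0.0 x.x.x.B 250
route FIOS 0.0.0.0 0.0.0.0 x.x.x.B 1 track 1
route outside 0.0.0.0 0.0.0.0 x.x.x.A 250

! 4. Verify before touching NAT or VPN: the track must report
!    "Reachability is Up" and the default route must point at x.x.x.B
!    via FIOS. "global (FIOS) 1 interface" already exists, so dynamic
!    PAT follows the new default route on its own.
show track 1
show route | include 0.0.0.0
```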
Similar Messages
-
Hi there,
I have a problem with routing on an ASA 5505.
Here is a brief explanation of the topology:
DC Upstream IP: 77.246.165.141/30
ASA 5505 Upstream to DC IP: 77.246.165.142/30
Interface outside.
There is a Cisco Switch connected to one of ASA Ethernet ports, forming Public/DMZ VLAN.
ASA 5505 Public VLAN interface ip: 31.24.36.1/26
Cisco 3750 Public VLAN interface ip: 31.24.36.62, default gateway: 31.24.36.1, IP Routing enabled on Switch.
From the Cisco Switch I can access the Internet with source ip: 31.24.36.62.
Now I have asked from DC additional subnet: 31.24.36.192/26 and they have it routed correctly towards the ASA Outside interface ip: 77.246.165.142.
I have created additional Public2 VLAN on the Switch with IP address of: 31.24.36.193/26.
On the ASA 5505 I added the route to this Public2 VLAN:
#route public 31.24.36.192 255.255.255.192 31.24.36.62 1
Now the problem is that from the Switch with Source IP: 31.24.36.193 I can ping the ASA 5505 Public VLAN IP: 31.24.36.1, so the routing between subnets 31.24.36.0/26 and 31.24.36.192/26 is working OK on both the ASA 5505 and the Switch.
But I can't access the Internet from the Switch with Source IP: 31.24.36.193.
Thanks for the replies.
I am running:
Cisco Adaptive Security Appliance Software Version 8.2(2)
As for NAT configuration, there is NAT configured between the Outside Interface IP and the Internal Subnet:
global (outside) 1 interface
nat (inside) 1 192.168.X.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
also there is NAT exemption configured because of the Site-to-Site IPSec VPN that we have:
nat (inside) 0 access-list inside_nat0_outbound1
access-list inside_nat0_outbound1 extended permit ip any 192.168.X.0 255.255.255.0
access-list inside_nat0_outbound1 extended permit ip 192.168.X.0 255.255.255.0 OtherSiteLAN 255.255.255.0
access-list inside_nat0_outbound1 extended permit ip any 192.168.X.240 255.255.255.248
access-list inside_nat0_outbound1 extended permit ip 192.168.X.0 255.255.255.128 OtherSiteLAN 255.255.255.0
I don't have any ACL configured on the Public interface in any direction.
Here is the configuration on the Switch regarding this scenario:
interface FastEthernet2/0/X
description Access Port for Public Subnet(31.24.32.0/26) to ASA
switchport access vlan 500
switchport mode access
interface Vlan500
description Public VLAN 1
ip address 31.24.36.62 255.255.255.192
interface Vlan510
description Public VLAN 2
ip address 31.24.36.193 255.255.255.192
ip route 0.0.0.0 0.0.0.0 31.24.36.1
Here is the output when pinging the ASA Public Interface IP with a source IP address of 31.24.36.193 (VLAN 510):
SWITCH#ping 31.24.36.1 source vlan 510
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 31.24.36.1, timeout is 2 seconds:
Packet sent with a source address of 31.24.36.193
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
And here is when I try to ping some Internet host:
SWITCH#ping 8.8.8.8 source vlan 510
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 31.24.36.193
Success rate is 0 percent (0/5) -
Cisco ASA & Router Site to Site VPN up but not passing traffic
Dear all,
Please help me with the VPN issue in the attached document: the site-to-site VPN is up but I am not able to pass traffic.
Advance Thanks
ahossain
ASA#
ASA Version 8.2(1)
hostname Active
domain-name test.com
interface Ethernet0/0
description LAN/STATE Failover Interface
interface Ethernet0/1
speed 100
nameif outside
security-level 0
ip address 212.71.53.38 255.255.255.224 standby 212.71.53.37
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 192.168.50.1 255.255.255.0 standby 192.168.50.4
interface Ethernet0/3
description INSIDE
speed 100
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
interface Management0/0
shutdown
no nameif
no security-level
no ip address
boot system disk0:/asa821-k8.bin
boot config disk0:/running-config
ftp mode passive
dns server-group DefaultDNS
domain-name test.com
access-list deny-flow-max 1
access-list alert-interval 2
access-list allow extended permit ip any any
access-list VPN extended permit ip any any
access-list OUTSIDE extended permit ip any any
access-list al-outside extended permit ip any host 212.107.106.129
access-list al-outside extended permit ip any any
access-list encrypt_acl extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list outside_access_in extended permit ip any any
access-list inside_access_out extended permit ip any any
access-list DMZ_access_out extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list DMZ_access_in extended permit ip any any
access-list outside_access_in_1 extended permit ip any any
access-list no-nat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu DMZ 1500
mtu inside 1500
failover
failover lan unit primary
failover lan interface failover Ethernet0/0
failover key *****
failover link failover Ethernet0/0
failover interface ip failover 10.10.10.1 255.255.255.252 standby 10.10.10.2
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any DMZ
icmp permit any inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 212.71.53.36 1
route outside 10.2.2.0 255.255.255.0 212.71.53.36 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
service resetoutside
crypto ipsec transform-set mal esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map mal 10 set peer 212.107.106.129
crypto map IPSec_map 10 match address encrypt_acl
crypto map IPSec_map 10 set peer 212.107.106.129
crypto map IPSec_map 10 set transform-set mal
crypto map IPSec_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 outside
==================================================================
Remote-Router#
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key XXXXXX address 212.71.53.38
crypto ipsec security-association lifetime seconds 28800
crypto ipsec transform-set mal esp-3des esp-md5-hmac
crypto map mal 10 ipsec-isakmp
set peer 212.71.53.38
set transform-set mal
match address 120
interface Loopback0
ip address 10.3.3.1 255.255.255.0
ip virtual-reassembly in
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
ip address 172.20.34.54 255.255.255.252
ip nat outside
ip virtual-reassembly in
load-interval 30
duplex auto
speed auto
crypto map mal
interface GigabitEthernet0/1
ip address 212.107.106.129 255.255.255.248
ip nat outside
ip virtual-reassembly in
no ip route-cache
duplex auto
speed auto
crypto map mal
interface GigabitEthernet0/2
description *!* LAN *!*
ip address 10.2.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
ip forward-protocol nd
ip http server
ip http secure-server
ip nat pool OUTPOOL 212.107.106.132 212.107.106.132 netmask 255.255.255.248
ip nat inside source route-map nonat pool OUTPOOL overload
ip route 0.0.0.0 0.0.0.0 172.20.34.53
ip route 10.1.1.0 255.255.255.0 212.107.106.130
ip route 192.168.50.0 255.255.255.0 212.71.53.38
ip access-list extended outside
remark CCP_ACL Category=1
permit ip any any log
ip access-list extended outside1
remark CCP_ACL Category=1
permit ip any any log
access-list 110 permit tcp 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 120 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 130 deny ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 130 deny ip 10.2.2.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 130 permit ip 10.2.2.0 0.0.0.255 any
route-map nonat permit 10
match ip address 130
control-plane -
Best Practice for ASA Route Monitoring Options?
We have one pair of Cisco ASA 5505s located in different locations, and there are two point-to-point links between those two locations, one for the primary link (static route w/ low metric) and the other for backup (static route w/ high metric). The track option is enabled for monitoring the state of the primary route. The detailed parameters for the options are as below:
Frequency: 30 seconds
Data Size: 28 bytes
Threshold: 3000 milliseconds
Tos: 0
Time out: 3000 milliseconds
Number of Packets: 8
------ show run------
sla monitor 1
type echo protocol ipIcmpEcho 10.200.200.2 interface Intersite_Traffic
num-packets 8
timeout 3000
threshold 3000
frequency 30
sla monitor schedule 1 life forever start-time now
------ show run------
I'm not sure if the setting is so sensitive that the secondary static route begins to work right away, even when some small link flaps occur.
What is the best practice to set those parameters up in a production environment? How can we specify reasonable monitoring options to fit our needs?
Thank you for any idea.
Hello,
Of course, too sensitive might cause failover to happen when some packets get lost, but remember the whole purpose of this is to provide as little downtime to your network as possible.
Now if you tune these parameters what happen is that failover will be triggered on a different time basis.
This is taken from a Cisco document (if you tune the SLA process as this states, 3 packets will be sent every 10 seconds, so 3 of them need to fail for the SLA to fail). This Cisco configuration example looks good, but there are network engineers that would rather use a shorter timeline than that.
sla monitor 123
type echo protocol ipIcmpEcho 10.0.0.1 interface outside
num-packets 3
frequency 10
Regards,
Remember to rate all of the helpful posts ( If you need assistance knowing how to rate a post just let me know ) -
ASA /Router -SNMP Trap when IP SLA monitored (ICMP timeout)
Hi,
I am looking for a solution for my below requirement.
Requirement is:
How do I configure an ASA or router to send an SNMP trap when the IP SLA monitored feature is enabled (ICMP request or 900 millisecond delay from the destination IP)?
Thanks in advance..
Hi,
Maybe this thread might help you?
https://supportforums.cisco.com/thread/2039293
I have not personally configured these type of SLA configurations on an ASA other than for testing purposes. We handle Dual ISP setups outside the ASA firewalls.
- Jouni -
ASA/Router Exec Authorization
Hello Everyone,
After a user is authenticated using TACACS+, he/she must be authorized to access the IOS or ASA shell. However, when I just configured authentication (without authorization), the user can still access the level 15 shell after authentication by simply typing the "enable" command if he/she knows the enable password. Then what does Exec authorization really do? Also, when we say Exec Authorization, does it mean user-exec or privilege-exec?
Thx for your help.
AM
Hi there,
The behavior is different depending on whether this command is used in IOS or ASA. For example, let's say that you have configured this command in your router: "aaa authorization exec default group tacacs+". If you SSH/Telnet to this router, then after entering the username/password you will be placed in privilege mode "#" if the retrieved privilege level is higher than 2, so you will be skipping the "enable" prompt.
But the syntax of this command is a little bit different in an ASA, and the behavior also changes. First of all, you cannot skip the "enable" prompt in your ASA because this is a security device and this prompt is mandatory:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
"Note:
The Cisco Security Appliances (ASA/PIX) does not currently allow the user to be placed directly into the enable mode during login. The user must manually enter into the enable mode."
So in an ASA you won't be able to skip the "enable" prompt. What it will do is just retrieve the privilege level or Service-level value assigned to the user; there are multiple values like "Administrative", which is similar to privilege 15, or "NAS prompt", "Outbound", etc.
Each of these values has a different purpose, for further details check below:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mgaccess.html#wp1070306
Hope I could shed some light on this situation. -
ASA Routed or Transparent mode
Hi ,
I am planning to deploy an ASA as an internal firewall, as all the inside and outside zones will have the same IP range. I am confused about its deployment. Can anyone help me decide on deploying it in routed mode or transparent mode?
Transparent.
Just the intro of the following file will answer your question:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml -
ASA Routed/Transparent Mode - Advice
Hi guys,
I'm looking for some advice regarding the deployment of an ASA. I have two networks separated by a routed link (layer 3 switch to layer 3 switch). I would like to deploy an ASA between the two networks for increased security. I'm leaning toward transparent mode so I don't have to have an additional IP subnetwork configured, and because deployment seems a little 'easier'.
I would welcome any feedback.
Thanks.
Hi,
So there are 2 networks which are separated by a routed link between the L3 switches? Have you considered simply moving the LAN and link networks' IP addresses to a routed-mode ASA's interfaces when inserting it between these networks, or is there something on the L3 switch that prevents this?
Naturally you can use the ASA in Transparent Mode also. I have not deployed Transparent ASAs as usually the Routed Mode has been required. Even firewalls installed to internal networks (like between factory automation and office networks) have always been in Routed mode.
Looking at the ASA Configuration Guide the limitations set by the Transparent Mode are not something that would prevent us from using them instead of the current setups. I would imagine that the most important limitation in many setups has usually been the fact that the VPN is not supported in Transparent mode though I guess in your case that would not be a problem.
The ASA Configuration Guide section on Transparent mode (guidelines/limitations) can be found here:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/general/asa-general-cli/intro-fw.html#pgfId-1501525
- Jouni -
ASA 5505:Static Routing and Deny TCP connection because of bad flag
Hi Everybody,
I have a problem. I made a site-to-site VPN with 2 ASA 5505s. The VPN works great. And I created a redundant link in case the VPN fails.
In fact, I use Dual ISP with route tracking. If the VPN fails, the default route changes to an ISDN router situated on the inside interface.
When I simulated a VPN failure, the ASAs' routes switched automatically to the backup ISDN routers. If I ping elements, it works great. But when I try a TCP connection like telnet, the ASAs deny the connections:
%PIX|ASA-6-106015: Deny TCP (no connection) from 172.16.10.57/35066 to 172.16.18.1/23 flags tcp_flags on interface interface_name.
the security appliance discarded a TCP packet that has no associated connection in the security appliance connection table. The security appliance looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set, and there is not an existing connection, the security appliance discards the packet.
thanks!
EDIT: On the schema, the interface of the main ASA is 172.16.18.148...
Check if the xlate timer is set greater than or equal to the conn timer, so as not to have connections waiting on xlates that no longer exist. To minimize the number of attempts, enable "service resetinbound". The PIX will reset the connection and make it go away. Without service resetinbound, the PIX Firewall drops packets that are denied and generates a syslog message stating that the SYN was a denied connection.
-
ASA 5505 interface based routing?
Hi,
I got an ASA 5505 in my lab and got it working fine with one IP and various NAT and other scenarios (I'm currently refreshing my skills after a longer break on the job).
Now, from my ISP I can get up to 5 public IPs. However, those IPs are assigned via DHCP and they are pretty random and not all in the same subnet. For testing, I created an interface outside2 on e0/1 and connected that to one of the ports of the cable gateway. The interface does get an IP and INCOMING packets go to the right place via static PAT, BUT the replies don't arrive at the client. I strongly suspect that the ASA is sending the reply packets through the other public IP on outside (e0/0) which would make sense because that's where the default route points.
Is it possible to configure some kind of interface-based routing, i.e. if a packet comes in via outside2, the corresponding reply goes through outside2 and through the gateway outside2 receives via DHCP?
-Stefan
Hi Stefan,
As I understand the traffic is coming in from outside2 going to a host-A behind the ASA.
Host-A will reply back, but this traffic will exit through the outside 0/0 interface, since that is where you have configured the default gateway.
In order to send the replies to client over outside2, you need to setup specific routes on the ASA through outside2 interface.
Also remember that the ASA doesn't support Policy Based Routing (PBR), because the ASA routes traffic based on destination:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/route_static.html#wp1121567
Harvey.
Please rate if this is the correct answer. -
Need Help for configuring Floating static route in My ASA.
Hi All,
I need your support for doing a floating static route in my ASA.
I tried this last time but I was not able to make it work. But this time I have to finish it.
Please find our network Diagram and configuration of ASA
route outside 0.0.0.0 0.0.0.0 6.6.6.6 1 track 1
route outside 0.0.0.0 0.0.0.0 6.6.6.6 1
route rOutside 0.0.0.0 0.0.0.0 3.3.3.3 10
route inside 10.10.4.0 255.255.255.0 10.10.3.1 1
route inside 10.10.8.0 255.255.255.0 10.10.3.1 1
route inside 10.10.9.0 255.255.255.0 10.10.3.1 1
route inside 10.10.15.0 255.255.255.0 10.10.3.1 1
route rOutside x.x.x.x 255.255.255.255 5.5.5.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.3.77 255.255.255.255 inside
http 10.10.8.157 255.255.255.255 inside
http 10.10.3.59 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
type echo protocol ipIcmpEcho 8.8.8.8 interface outside
num-packets 3
frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set cpa esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map vpn_cpa 1 match address acl_cpavpn
crypto map vpn_cpa 1 set peer a.a.a.a
crypto map vpn_cpa 1 set transform-set abc
crypto map vpn_cpa 1 set security-association lifetime seconds 3600
crypto map vpn_cpa interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
track 1 rtr 123 reachability
telnet 10.10.3.77 255.255.255.255 inside
telnet 10.10.8.157 255.255.255.255 inside
telnet 10.10.3.61 255.255.255.255 inside
telnet timeout 500
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.10.3.14
webvpn
tunnel-group .a.a.a.a ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
smtp-server 10.10.5.11
prompt hostname context
Cryptochecksum:eea6e7b6efe5d1a180439658c3912942
: end
I think half of the configuration is still there in the ASA.
Diagram.
Thanks
Roopesh
You have missed the last command in your configuration, please check it again:
route ISP1 0.0.0.0 0.0.0.0 6.6.6.6 track 1
! the backup route needs a higher metric than the tracked route, or it is never a floating route
route ISP2 0.0.0.0 0.0.0.0 3.3.3.3 254
! the operation number must match the schedule and the track (123 throughout)
sla monitor 123
type echo protocol ipIcmpEcho 8.8.8.8 interface ISP1
num-packets 3
frequency 10
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
You can do NAT in same way, here the logical name of the interface will be different.
Share the result
Please rate any helpful posts. -
Problem of routing between inside and outside on ASA5505
I have a ASA5505 with mostly factory default configuration. Its license allows only two vlan interfaces (vlan 1 and vlan 2). The default config has interface vlan 1 as inside (security level 100), and interface vlan 2 as outside (security level 0 and using DHCP).
I only changed interface vlan 1 to IP 10.10.10.1/24. After I plugged in a few hosts to vlan 1 ports and connect port Ethernet0/0 (default in vlan 2) to a live network, here are a couple of issues I found:
a) One host I plugged in is a PC, and another host is a WAAS WAE device. Both are in vlan 1 ports. I hard coded their IP to 10.10.10.250 and 10.10.10.101, /24 subnet mask, and gateway of 10.10.10.1. I can ping from the PC to WAE but not from WAE to the PC, although the WAE has 10.10.10.250 in its ARP table. They are in the same vlan and same subnet, how could it be? Here are the ping and WAE ARP table.
WAE#ping 10.10.10.250
PING 10.10.10.250 (10.10.10.250) from 10.10.10.101 : 56(84) bytes of data.
--- 10.10.10.250 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
WAE#sh arp
Protocol Address Flags Hardware Addr Type Interface
Internet 10.10.10.250 Adj 00:1E:37:84:C9:CE ARPA GigabitEthernet1/0
Internet 10.10.10.10 Adj 00:14:5E:85:50:01 ARPA GigabitEthernet1/0
Internet 10.10.10.1 Adj 00:1E:F7:7F:6E:7E ARPA GigabitEthernet1/0
b) None of the hosts in vlan 1 in 10.10.10.0/24 can ping interface vlan 2 (address in 172.26.18.0/24 obtained via DHCP). But on ASA routing table, it has both 10.10.10.0/24 and 172.26.18.0/24, and also a default route learned via DHCP. Is ASA able to route between vlan 1 and vlan 2? (inside and outside). Any changes I can try?
Here are ASA routing table and config of vlan 1 and vlan 2 (mostly its default).
ASA# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 172.26.18.1 to network 0.0.0.0
C 172.26.18.0 255.255.255.0 is directly connected, outside
C 127.1.0.0 255.255.0.0 is directly connected, _internal_loopback
C 10.10.10.0 255.255.255.0 is directly connected, inside
d* 0.0.0.0 0.0.0.0 [1/0] via 172.26.18.1, outside
interface Vlan1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Ethernet0/0
switchport access vlan 2
All other ports are in vlan 1 by default.

I should have made the config easier to read. So here is what's on the ASA and the problems I have. The ASA only allows two VLAN interfaces to be configured (default to Int VLAN 1 - nameif inside, and Int VLAN 2 - nameif outside).
port 0: in VLAN 2 (outside). DHCP configured. VLAN 2 pulled IP in 172.26.18.0/24, default gateway 172.26.18.1
port 1-7: in VLAN 1 (inside). VLAN 1 IP is 10.10.10.1. I set all devices IP in VLAN 1 to 10.10.10.0/24, default gateway 10.10.10.1
I have one PC in port 1 and one WAE device in port 2. PC IP set to 10.10.10.250 and WAE set to 10.10.10.101. PC can ping WAE but WAE can't ping PC. Both can ping default gateway.
If I can't ping from the inside interface to the outside interface on the ASA, how can I verify that inside hosts can get to outside addresses and vice versa? I looked at the ASA docs, but didn't find out how to set up routing between inside and outside. They are both connected interfaces; should they route between each other already?
Thanks a lot
Unable to access/lan2lan ping from VPN Fortigate to Cisco ASA 5505
Problem: user A is unable to access user B
User A --- router A (122, fortigate 80c) --- (Site to Site VPN between fortigate & cisco asa) --- router B (93, cisco Asa 5505{in front asa got cisco800[81] before to internet} ) --- User B
After using wizard to configure the cisco ASA site to site VPN, the site-to-site tunnel is up.
Ping is unsuccessful from user A to user B.
Ping is successful from user B to user A, and data is accessible.
After running packet-tracer from user A to user B,
Result :
Flow-lookup
Action : allow
Info: Found no matching flow, creating a new flow
Route-lookup
Action : allow
Info : 192.168.5.203 255.255.255.255 identity
Access-list
Action : drop
Config Implicit Rule
Result - The packet is dropped
Input Interface : inside
Output Interface : NP Identify Ifc
Info: (acl-drop)flow is denied by configured rule
Below is Cisco ASA 5505's show running-config
ASA Version 8.2(1)
hostname Asite
domain-name ssms1.com
enable password ZZZZ encrypted
passwd WWWW encrypted
names
name 82 B-firewall description Singapore office firewall
name 192.168.1.0 B-inside-subnet description Singapore office internal LAN IP
name 192.168.200.0 A-inside-VLAN12 description A-inside-VLAN12 (fortinet)
name 192.168.2.0 fw-inside-subnet description A office internal LAN IP
name 122 A-forti
interface Vlan1
nameif inside
security-level 100
ip address 192.168.5.203 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 93 255.255.255.240
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name ssms1.com
object-group network obj_any
network-object 0.0.0.0 0.0.0.0
access-list inside_nat0_outbound extended permit ip any 80 255.255.255.240
access-list inside_nat0_outbound extended permit ip fw-inside-subnet 255.255.255.0 B-inside-subnet 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 A-inside-VLAN12 255.255.255.0
access-list outside_cryptomap extended permit ip fw-inside-subnet 255.255.255.0 B-inside-subnet 255.255.255.0
access-list Outside_nat-inbound extended permit ip A-inside-VLAN12 255.255.255.0 192.168.5.0 255.255.255.0
access-list Outside_nat-inbound extended permit ip host A-forti 192.168.5.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.5.0 255.255.255.0 A-inside-VLAN12 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http B-inside-subnet 255.255.255.0 inside
http fw-inside-subnet 255.255.255.0 inside
http 0.0.0.0 255.255.255.255 outside
http 0.0.0.0 0.0.0.0 outside
http 192.168.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer A-forti
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_cryptomap
crypto map outside_map 2 set peer B-firewall
crypto map outside_map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption aes-192
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 192.168.5.10-192.168.5.20 inside
dhcpd dns 165 165 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username admin password XXX encrypted privilege 15
tunnel-group 122 type ipsec-l2l
tunnel-group 122 ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
class-map outside-class
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
message-length maximum client auto
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
policy-map outside-policy
description ok
class outside-class
inspect dns
inspect esmtp
inspect ftp
inspect h323 h225
inspect h323 ras
inspect icmp
inspect icmp error
inspect netbios
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
service-policy global_policy global
service-policy outside-policy interface outside
prompt hostname context
Cryptochecksum: XXX
: end
Kindly need your expertise and help to solve the problem. Can anyone help me?
Cisco ASA Site to Site VPN with routers on inside
I have been asked to setup a site to site vpn to connect two remote offices.
We have two ASA 5510's, one on each side.
I can get the two ASAs set up, set up the VPN, and have everything work like it is supposed to, with traffic passing from the local network to the remote network.
However, I have been asked to add two secure routers to the setup: one secure router between the local network and the ASA, and the same on the other end, between the remote network and its ASA.
Essentially, just like this:
LAN---------------------Router-------------------------ASA----------------ISP-----------ASA-------------------------Router---------------------------LAN
192.168.1.x (inside 192.168.1.1) (inside 10.0.1.1) (inside 10.0.2.1) (inside 192.168.2.1) 192.168.2.x
(outside 10.0.1.2) (outside public ip) (outside public ip) (outside 10.0.2.2)
I don't understand how this is supposed to work. I can get each side configured so that the clients on the inside can get out to the internet.
A local client using the inside interface of the router as the gateway, the router then sends by route this traffic to the ASA's inside interface which then forwards the traffic to the default route/gateway of the ASA to the ISP gateway out to the internet.
However, when I think about the VPN I don't understand how it is supposed to work, because the LAN address gets translated to the outside address of the router, which is 10.0.0.2, so that it goes to the ASA inside address 10.0.0.1. If I were to ping an IP address on the other LAN, it shows up as coming from 10.0.0.2, which wouldn't be part of the VPN traffic, since the VPN traffic is the local addresses as it was set up with just the two ASAs. I don't see changing the VPN traffic to the 10.0.0.0 network working, because the clients on the remote network have 192.168.2.x addresses. While the ASA and router translating from 192.168.1.x to 10.0.1.2 to the internet and back will work, I don't see requesting a connection to 192.168.2.x from 192.168.1.x working.
If it matters, one router is a cisco 1841, and the other an hp 7102dl.
I don't really understand why, but they just want to have the routers used in the setup. Whether it is on the inside or outside of the ASA, it doesn't matter.
Can someone help me make sense of this please?

Hi Julio,
To set it up the way you mention would I keep the ip addresses the same or would I need to change them?
Also, in response to everyone, would setting it up using gre tunnel allow for some clients to still just go straight out to the internet as well as to the "other side" remote lan?
I appreciate everyone's input very much.
In response to Jouni, yes there is a big L2 switch behind the ASA's, which under the new setup there would be a router between the L2 switch and the ASA.
This may be an important part I don't understand, but on the router, unless I NAT the inside traffic to the address of the outside interface on the router, no traffic goes through. I just get messages from the router saying it is unable to determine the destination route, seemingly regardless of what static routes I put on the router, but maybe I am just not configuring the static routes correctly.
ASA firewall won't ping remote site
We have a remote office which I can ping while at the main office, but when I am connected to the VPN from the office or from home, I can't ping the remote office.
VPN gives me an IP of 10.21.18.x
The remote site's IP is 172.29.x.x
I have the access-list information for the ASA firewall and router below:
below is the multilayer:
OFFICE-CORE-01#show ip access-lists
Extended IP access list verizon-INTERNET-TRAFFIC
10 deny ip 10.21.0.0 0.0.255.255 10.0.0.0 0.255.255.255
20 deny ip 10.21.0.0 0.0.255.255 172.16.0.0 0.15.255.255
30 deny ip 10.21.0.0 0.0.255.255 192.168.0.0 0.0.255.255
40 permit ip 10.23.20.0 0.0.0.255 any
50 permit ip 10.23.21.0 0.0.0.255 any
60 permit ip 10.23.22.0 0.0.0.255 any
70 permit ip 10.23.23.0 0.0.0.255 any
80 permit ip 10.23.24.0 0.0.0.255 any
90 permit ip 10.23.25.0 0.0.0.255 any
100 permit ip 10.23.26.0 0.0.0.255 any
Extended IP access list PAETEC-INTERNET-TRAFFIC
10 deny ip 10.21.0.0 0.0.255.255 10.0.0.0 0.255.255.255
20 deny ip 10.21.0.0 0.0.255.255 172.16.0.0 0.15.255.255
30 deny ip 10.21.0.0 0.0.255.255 192.168.0.0 0.0.255.255
40 permit ip 10.23.20.0 0.0.0.255 any
50 permit ip 10.23.21.0 0.0.0.255 any
60 permit ip 10.23.22.0 0.0.0.255 any
70 permit ip 10.23.23.0 0.0.0.255 any
80 permit ip 10.23.24.0 0.0.0.255 any
90 permit ip 10.23.25.0 0.0.0.255 any
100 permit ip 10.23.26.0 0.0.0.255 any
Extended IP access list system-cpp-all-routers-on-subnet
10 permit ip any host 224.0.0.2
Extended IP access list system-cpp-all-systems-on-subnet
10 permit ip any host 224.0.0.1
Extended IP access list system-cpp-dhcp-cs
10 permit udp any eq bootpc any eq bootps
Extended IP access list system-cpp-dhcp-sc
10 permit udp any eq bootps any eq bootpc
Extended IP access list system-cpp-dhcp-ss
10 permit udp any eq bootps any eq bootps
Extended IP access list system-cpp-energywise-disc
10 permit udp any eq any eq 0
Extended IP access list system-cpp-hsrpv2
10 permit udp any host 224.0.0.102
Extended IP access list system-cpp-igmp
10 permit igmp any 224.0.0.0 31.255.255.255
Extended IP access list system-cpp-ip-mcast-linklocal
10 permit ip any 224.0.0.0 0.0.0.255
Extended IP access list system-cpp-ospf
10 permit ospf any 224.0.0.0 0.0.0.255
Extended IP access list system-cpp-pim
10 permit pim any 224.0.0.0 0.0.0.255
Extended IP access list system-cpp-ripv2
10 permit ip any host 224.0.0.9
----------------------------------ASA ACCESS-LIST is below the brief version-------
access-list CompanyName-vpn-maint_splitTunnelAcl line 10 standard permit 172.29.0.0 255.255.0.0 (hitcnt=0) 0x52bc4d4c
-----------------------below is the ASA routes-----------------------
Gateway of last resort is 53.138.58.129 to network 0.0.0.0
S 192.168.10.0 255.255.255.0 [1/0] via 10.21.0.1, inside
C 172.17.21.0 255.255.255.0 is directly connected, dmz_tier2
S 172.16.142.0 255.255.254.0 [1/0] via 53.138.58.129, outside
C 172.16.21.0 255.255.255.0 is directly connected, dmz_tier1
C 172.19.21.0 255.255.255.0 is directly connected, dmz_tier4
S 172.23.181.0 255.255.255.0 [1/0] via 10.21.0.1, outside
S 172.25.181.0 255.255.255.0 [1/0] via 53.138.58.129, outside
S 172.25.184.0 255.255.255.0 [1/0] via 53.138.58.129, outside
S 172.24.0.0 255.255.0.0 [1/0] via 10.21.0.1, inside
S 172.26.181.0 255.255.255.0 [1/0] via 53.138.58.129, outside
S 172.26.184.0 255.255.255.0 [1/0] via 53.138.58.129, outside
S 172.29.181.0 255.255.255.0 [1/0] via 10.21.0.1, outside
S 172.29.184.0 255.255.255.0 [1/0] via 53.138.58.129, outside
S 172.28.181.0 255.255.255.0 [1/0] via 53.138.58.129, outside
S 172.28.184.0 255.255.255.0 [1/0] via 53.138.58.129, outside
S 192.168.20.0 255.255.255.0 [1/0] via 10.21.0.1, inside
S 10.11.0.0 255.255.0.0 [1/0] via 10.21.0.1, inside
S 10.13.0.0 255.255.0.0 [1/0] via 10.21.0.1, inside
S 10.10.21.1 255.255.255.255 [1/0] via 10.21.0.1, inside
S 10.10.21.2 255.255.255.255 [1/0] via 10.21.0.1, inside
S 10.22.0.0 255.255.0.0 [1/0] via 53.138.58.129, outside
S 10.23.3.0 255.255.255.0 [1/0] via 10.21.0.1, inside
S 10.23.2.0 255.255.255.0 [1/0] via 10.21.0.1, inside
S 10.21.0.0 255.255.0.0 [1/0] via 10.21.0.1, inside
S 10.10.21.10 255.255.255.255 [1/0] via 10.21.0.1, inside
C 10.21.0.0 255.255.255.0 is directly connected, inside
S 10.22.3.0 255.255.255.0 [1/0] via 53.138.58.129, outside
S 10.10.41.0 255.255.255.0 [1/0] via 53.138.58.129, outside
C 53.138.58.128 255.255.255.128 is directly connected, outside
S 192.168.2.0 255.255.255.0 [1/0] via 10.21.0.1, inside
S* 0.0.0.0 0.0.0.0 [1/0] via 53.138.58.129, outside
S 0.0.0.0 0.0.0.0 [255/0] via 10.21.0.1, inside tunneled
------------------------------------below is the router's routes----------
Gateway of last resort is 10.21.0.11 to network 0.0.0.0
205.232.16.0/32 is subnetted, 1 subnets
S 205.232.16.25 [1/0] via 10.21.0.11
62.0.0.0/32 is subnetted, 1 subnets
S 62.100.0.146 [1/0] via 10.21.0.12
178.78.0.0/32 is subnetted, 1 subnets
S 178.78.147.193 [1/0] via 10.21.0.12
C 192.168.10.0/24 is directly connected, Vlan29
172.16.0.0/16 is variably subnetted, 5 subnets, 3 masks
S 172.16.141.0/24 [1/0] via 10.21.0.11
S 172.16.142.0/23 [1/0] via 10.21.0.11
S 172.16.40.1/32 [1/0] via 10.21.2.12
S 172.16.40.10/32 [1/0] via 10.21.2.12
S 172.16.21.0/24 [1/0] via 10.21.0.11
172.19.0.0/24 is subnetted, 1 subnets
S 172.19.21.0 [1/0] via 10.21.0.11
172.18.0.0/24 is subnetted, 1 subnets
S 172.18.21.0 [1/0] via 10.21.0.12
172.23.0.0/24 is subnetted, 3 subnets
S 172.23.186.0 [1/0] via 10.21.0.6
S 172.23.184.0 [1/0] via 10.21.0.6
S 172.23.181.0 [1/0] via 10.21.0.6
S 172.25.0.0/16 [1/0] via 10.21.0.11
172.24.0.0/24 is subnetted, 3 subnets
C 172.24.181.0 is directly connected, Vlan31
C 172.24.186.0 is directly connected, Vlan32
C 172.24.187.0 is directly connected, Vlan33
S 172.26.0.0/16 [1/0] via 10.21.0.11
172.29.0.0/24 is subnetted, 3 subnets
S 172.29.181.0 [1/0] via 10.21.0.6
S 172.29.184.0 [1/0] via 10.21.0.6
S 172.29.190.0 [1/0] via 10.21.0.6
S 172.28.0.0/16 [1/0] via 10.21.0.11
C 192.168.20.0/24 is directly connected, Vlan30
10.0.0.0/8 is variably subnetted, 35 subnets, 4 masks
S 10.11.0.0/16 [1/0] via 10.21.0.6
C 10.21.28.0/24 is directly connected, Vlan28
C 10.21.26.0/24 is directly connected, Vlan26
C 10.21.25.0/24 is directly connected, Vlan25
S 10.12.0.0/16 [1/0] via 10.21.0.6
C 10.21.24.0/24 is directly connected, Vlan24
S 10.13.0.0/16 [1/0] via 10.21.0.6
C 10.21.23.0/24 is directly connected, Vlan23
C 10.21.22.0/24 is directly connected, Vlan22
C 10.21.21.0/24 is directly connected, Vlan21
C 10.21.20.0/24 is directly connected, Vlan20
C 10.21.19.0/24 is directly connected, Vlan19
S 10.21.18.0/24 [1/0] via 10.21.0.12
S 10.21.17.0/24 [1/0] via 10.21.0.11
C 10.21.16.0/24 is directly connected, Vlan16
C 10.21.15.0/24 is directly connected, Vlan15
C 10.21.14.0/24 is directly connected, Vlan14
C 10.21.13.0/24 is directly connected, Vlan13
C 10.21.12.0/24 is directly connected, Vlan12
C 10.21.11.0/24 is directly connected, Vlan11
C 10.10.21.1/32 is directly connected, Loopback0
S 10.31.0.0/16 [1/0] via 10.21.0.6
D 10.10.21.2/32 [90/130816] via 10.21.252.10, 7w0d, Vlan999
C 10.21.5.0/24 is directly connected, Vlan5
C 10.21.4.0/24 is directly connected, Vlan4
S 10.22.0.0/16 [1/0] via 10.21.0.11
C 10.21.3.0/24 is directly connected, Vlan3
C 10.21.2.0/24 is directly connected, Vlan2
C 10.23.2.0/24 is directly connected, Vlan900
S 10.22.3.0/24 [1/0] via 10.21.0.11
C 10.21.0.0/24 is directly connected, Vlan1000
S 10.41.0.0/16 [1/0] via 10.21.0.11
S 10.10.41.0/24 [1/0] via 10.21.0.11
S 10.51.0.0/16 [1/0] via 10.21.0.6
C 10.21.252.8/30 is directly connected, Vlan999
62.0.0.0/32 is subnetted, 1 subnets
S 62.138.58.129 [1/0] via 10.21.0.11
S 192.168.2.0/24 [1/0] via 10.21.0.12
S* 0.0.0.0/0 [1/0] via 10.21.0.11
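As an added example (not code from the poster), the following Python models the ASA's route lookup over a constructed excerpt of the ASA routing table above, so you can see which next hop a VPN client's packet to 172.29.x.x takes, how the "tunneled" default route changes the answer for VPN-originated traffic, and which static route names an interface its next hop is not actually on. The ASA semantics it assumes are longest prefix match, administrative-distance tie-break, and the tunneled default being used for tunnel traffic that matches no other route.

```python
"""Route lookup over an ASA 'show route' excerpt.

Added example, not from the original post: models longest-prefix lookup,
the ASA 'tunneled' default route, and a sanity check on static next hops.
"""
import ipaddress
import re

# Constructed excerpt of the ASA routes posted above (only the lines that
# matter for the 172.29.x.x question are kept).
ASA_ROUTES = """\
S 172.29.181.0 255.255.255.0 [1/0] via 10.21.0.1, outside
S 172.29.184.0 255.255.255.0 [1/0] via 53.138.58.129, outside
S 10.21.0.0 255.255.0.0 [1/0] via 10.21.0.1, inside
C 10.21.0.0 255.255.255.0 is directly connected, inside
C 53.138.58.128 255.255.255.128 is directly connected, outside
S* 0.0.0.0 0.0.0.0 [1/0] via 53.138.58.129, outside
S 0.0.0.0 0.0.0.0 [255/0] via 10.21.0.1, inside tunneled
"""

ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z*]+)\s+(?P<net>[\d.]+)\s+(?P<mask>[\d.]+)\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>[\d.]+)|is directly connected)"
    r",\s+(?P<iface>\S+)(?P<tunneled>\s+tunneled)?\s*$"
)


def parse_routes(text):
    """Turn 'show route' lines into dicts; lines that are not routes are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        routes.append({
            "net": ipaddress.IPv4Network(f"{m['net']}/{m['mask']}", strict=False),
            "ad": int(m["ad"]) if m["ad"] else 0,  # connected routes have AD 0
            "nh": ipaddress.IPv4Address(m["nh"]) if m["nh"] else None,
            "iface": m["iface"],
            "tunneled": m["tunneled"] is not None,
        })
    return routes


def lookup(routes, dst, from_tunnel=False):
    """Return the route the ASA would pick for dst.

    Longest prefix wins; equal prefixes are tie-broken on administrative
    distance. When only a default route matches and the packet arrived
    through a VPN tunnel, the 'tunneled' default is preferred, which is
    what that keyword means on the ASA.
    """
    dst_ip = ipaddress.IPv4Address(dst)
    specific = [r for r in routes if r["net"].prefixlen > 0 and dst_ip in r["net"]]
    if specific:
        return max(specific, key=lambda r: (r["net"].prefixlen, -r["ad"]))
    defaults = [r for r in routes if r["net"].prefixlen == 0]
    if from_tunnel:
        tunneled = [r for r in defaults if r["tunneled"]]
        if tunneled:
            return tunneled[0]
    plain = [r for r in defaults if not r["tunneled"]]
    return min(plain, key=lambda r: r["ad"]) if plain else None


def inconsistent_next_hops(routes):
    """Static routes whose next hop is not in a connected subnet of the interface they name.

    The ASA has to resolve the next hop on that interface; a hop that lives on
    another interface's subnet cannot be reached there, so the route looks
    valid in the table but does not deliver packets.
    """
    connected = [r for r in routes if r["nh"] is None]
    bad = []
    for r in routes:
        if r["nh"] is None:
            continue
        on_iface = any(r["nh"] in c["net"] and c["iface"] == r["iface"] for c in connected)
        if not on_iface:
            bad.append(r)
    return bad


if __name__ == "__main__":
    table = parse_routes(ASA_ROUTES)
    cases = (("172.29.181.5", True), ("172.29.184.5", True),
             ("172.29.190.5", True), ("172.29.190.5", False))
    for dst, via_vpn in cases:
        r = lookup(table, dst, from_tunnel=via_vpn)
        tag = " (tunneled)" if r["tunneled"] else ""
        print(f"{dst} from_tunnel={via_vpn}: {r['net']} via {r['nh']} on {r['iface']}{tag}")
    for r in inconsistent_next_hops(table):
        print(f"suspect: {r['net']} via {r['nh']} on {r['iface']} - next hop not on that interface")
```

Run as a script it prints the chosen route for each destination and flags the 172.29.181.0 route, whose next hop 10.21.0.1 belongs to the inside subnet but is bound to the outside interface.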