How to Configure Static Routing on Cisco ASA Firewall

Written By Harris Andrea

Although the Cisco ASA appliance does not act as a router in the network, it still has a routing table and it is essential to configure static or dynamic routing in order for the appliance to know where to send packets.

When a packet arrives to a network interface on the ASA firewall, the packet undergoes several security controls, such as ACL filtering, NAT, deep-packet inspection etc.

Table of Contents

Routing Support on ASA

After the packet passes all firewall controls, the security appliance needs to send the packet to its destination address. It therefore checks its routing table to determine the outgoing interface where the packet will be sent.

Cisco ASA firewalls support both static and dynamic routing. For dynamic routing, the ASA supports RIPv2, EIGRP and OSPF.

I recommend not to use dynamic routing though and stick with just static routes. The reason is that one of the purposes of a firewall is to hide your internal trusted network addressing and topology. By configuring dynamic routing support, you might be advertising routes to untrusted networks thus exposing your network to threats.

MORE READING: Cisco ASA Firewall Packet Tracer for Network Troubleshooting

Cisco ASA Static Route Configuration

The scenario in the diagram above will help us understand how to configure static routing.

The ASA connects to the internet on the outside and also has a DMZ and Internal zones. The default gateway towards the ISP is 200.1.1.1. The DMZ network is 10.0.0.0/24 and the internal LAN1 network is 192.168.1.0/24.

LAN1 is directly connected to the Inside interface of the firewall. Additionally, there is another internal network, namely LAN2, with network 192.168.2.0/24. LAN2 is not directly connected to the firewall. Rather, there is an internal router with address 192.168.1.1 through which we can reach LAN2.

Therefore, in order for the ASA to reach network LAN2, we need to configure a static route to tell the firewall that network 192.168.2.0/24 can be reached via 192.168.1.1.

So we need to configure two static routes. One Default Static route for Internet access, and one internal static route to reach network LAN2. For directly connected networks (DMZ and LAN1) we don’t need to configure a static route since the firewall already knows about these networks as they are directly connected to its interfaces.

MORE READING: Cisco ASA 5505 Basic Configuration Tutorial Step by Step

Static Route Configuration:

The format of the static route command is:

ASA(config)# route [interface name] [destination address] [netmask] [gateway]

! First configure a default static route towards the default gateway
ASA(config)# route outside 0.0.0.0 0.0.0.0 200.1.1.1

! Then configure an internal static route to reach network LAN2
ASA(config)# route inside 192.168.2.0 255.255.255.0 192.168.1.1

Verification Commands

Let’s now see how to check the routing table in the ASA appliance and verify the static route:

ASA#show route
Codes: C – connected, S – static, I – IGRP, R – RIP, M – mobile, B – BGP
D – EIGRP, EX – EIGRP external, O – OSPF, IA – OSPF inter area
N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2
E1 – OSPF external type 1, E2 – OSPF external type 2, E – EGP
i – IS-IS, L1 – IS-IS level-1, L2 – IS-IS level-2, ia – IS-IS inter area
* – candidate default, U – per-user static route, o – ODR
P – periodic downloaded static route

Gateway of last resort is 200.1.1.1 to network 0.0.0.0

C 192.168.1.0 255.255.255.0 is directly connected, inside
S 192.168.2.0 255.255.255.0 [1/0] via 192.168.1.1, inside
C 200.1.1.0 255.255.255.0 is directly connected, outside
S* 0.0.0.0/0 [1/0] via 200.1.1.1

The routes denoted with “S” are the static routes and the ones denoted with “C” are the directly connected routes.

DOWNLOAD THIS ARTICLE AS PDF FILE

About Harris Andrea

Harris Andrea is an Engineer with more than two decades of professional experience in the fields of TCP/IP Networks, Information Security and I.T. Over the years he has acquired several professional certifications such as CCNA, CCNP, CEH, ECSA etc.

He is a self-published author of two books ("Cisco ASA Firewall Fundamentals" and "Cisco VPN Configuration Guide") which are available at Amazon and on this website as well.

Comments

James E. says

March 18, 2009 at 3:52 pm

Hello,

I came across this article because I am having an issue doing what you have defined in your diagram.

I have a layer 3 switch that has two VLANS on it. I need to be able to configure a static route on the asa so that when workstations or other network devices can access the VLAN.

I am able to enter the route as you have shown and can ping from within the ASA to the vlan. But when a device on the network tries to access it, its still a no go.

It seems that it is no passing packets back out the interface when they come in.
BlogAdmin says

March 19, 2009 at 7:10 am

Hello James, thanks for visiting.

From what I understand, the inside interface of your ASA belongs to one VLAN, and then there is another VLAN on the switch, is that correct? If this is the case, you should create two Layer 3 Interfaces (SVI) on the switch using “Interface Vlan X” command and assign an IP address on the Vlan interfaces. This will configure your Layer 3 switch to work as a router separating the two internal networks. The gateways of the hosts should be the IP addresses of the Layer 3 interface Vlan on the switch. Please let me know if this clarifies your question.
Derek R. says

April 9, 2009 at 3:16 pm

You would also need to setup subinterfaces for each VL
AN in order to route traffic from the ASA to the switch interfaces.
BlogAdmin says

April 10, 2009 at 12:02 am

Hello Derek,
The scenario I’m describing here assumes only one firewall internal zone, which is the “inside” interface. For this particular scenario you don’t need subinterfaces. What you mention would be true if we wanted two or more internal security zones, and thus we would have to configure subinterfaces on the ASA.

Thanks for your comment.
mohamed ushama says

October 4, 2009 at 11:32 pm

Dear Friends,

My Network Diagram being like this I have one Adsl router it has been directly connected to ASA firewall e0 i assigned my public ip in e0 then i assigned local ip address in e1.e1 ip address is 192.168.2.1 subnet mask is 255.255.255.0 this line goes to connect to my server.my server ip address is 192.168.2.5 snm 255.255.255.0.
what is my question is?
if we want to communicate with outside networks we should add the static route in ASA firewall,which ip i want to configure my adsl gateway is 192.168.1.254 or my isp router gateway? i hope i want to add the default route in my ASA firewall about my isp router gateway.If it’s wrong kindly send me the details.

Thanks and Regards
N.Mohamed Ushama
BlogAdmin says

October 5, 2009 at 7:06 pm

It depends if your ADSL router works in routed mode or bridge mode. If your ADSL router is not in bridged mode, then you need to configure a default route on the ASA which will be the internal IP address of your ADSL router. If your ADSL box is configured in bridged mode, then the default gateway on the ASA should be the ISP router gateway address.
Ivan Mckenzie says

November 6, 2009 at 8:25 pm

Hi everone, I have the same config as the diagram. I can ping from ASA to computer on LAN2, but when I try to connect from DMZ(192.168.14.0) to LAN2(172.22.41.0)I get the next message:

“No translation group found for tcp src DMZ:192.168.14.2/59716 dst inside:172.22.41.5/3389” EXPLANATION(a packet does not meet any of the outbound nat command rules)

Thanks to all,
Ivan
BlogAdmin says

November 7, 2009 at 2:06 pm

You will need to configure a static nat between inside to DMZ in order for DMZ to be able to access the host on LAN2. The following shows you how to configure static identity NAT:

static (inside,dmz) 172.22.41.5 172.22.41.5 netmask 255.255.255.255
access-list DMZ-IN extended permit tcp 192.168.14.0 255.255.255.0 host 172.22.41.5 eq 3389
access-group DMZ-IN in interface dmz
Ivan Mckenzie says

November 9, 2009 at 10:59 pm

Thanks a lot BlogAdmin, using your example I did the next modifications and it worked fine.

static (inside,dmz) 172.22.41.0 172.22.41.0 netmask 255.255.255.0
didn’t put an access list because the default one on DMZ interface was enough. With this I let all comunication from DMZ to LAN2 opened.

New Problem:
I can’t get it to work from inside(172.18.0.0/16) to LAN2. I think it’s because when the packet returns from LAN2, as the internal router has an interface on inside the packet reaches the computer who started comunication directy and not through the ASA. In other words the return path is not the same as the starting path.

What dou you think?

Best regards,

Ivan Mckenzie
BlogAdmin says

November 10, 2009 at 7:59 am

Ivan,
Be careful with your DMZ. You said that you let all communication from DMZ to LAN2 open. This is not a good idea. If a host in your DMZ gets compromised from the Internet, then you also expose your internal LAN2 to danger. The attacker from DMZ can easily propagate into your LAN2 network. I suggest you to modify your DMZ access list and allow ONLY the required IP and protocols needed.

Regarding your new problem, this happens because your inside zone hosts (172.18.0.0) have as default gateway the ASA inside IP. By default, the ASA does not allow traffic redirection in order for the initial packet from 172.18.0.0 to reach LAN2. If the ASA was a normal router, then the traffic would go to the ASA and then get redirected to your internal LAN2 router. This does not happen with the ASA by default. You can change this behavior though.
You can try the following on ASA:
ciscoasa(config)# same-security-traffic permit intra-interface
The above will allow redirections to work.
Rocco says

November 16, 2009 at 6:34 pm

Hi All

I have diiferent internal VLAN (port)configure on the same switch (one for the pc-lan, one for Server, …one for DMZ) some with the same security level but different network.
I have open all the traffic between the same security sub-interface on the firewall, but it didn’t work
can You help me?

Thanks
BlogAdmin says

November 16, 2009 at 8:12 pm

By default the ASA does not allow traffic to flow between interfaces with same security level. You need to enable this using the following:

ASA(config)# same-security-traffic permit inter-interface
Rocco says

November 17, 2009 at 1:55 pm

Thanks
I have did it, but I’m not sure of:

1-The switch port must be in trunk mode?
2-For multiple LAN2/24 (11), like Your diagram, there’s a unique route or different to set?
3- i’m tryng to configure Active/Standby statefull failover with 2 ASA, on two different place in my network, I would use sub-interface on two different switch, doYou think it’s possible?

4-I’m not able to find a rich detailed manual, could You help me?

Regard
Rocco
suren says

January 8, 2010 at 7:48 am

Hi Guys,
I too have pretty much a same scenario, it is like this,
I’ve two vlans(100,101)connected to an cisco 2950 switch and the switch connects to the inside interface(ethernet 0/2) of the asa.

I want to enable inter-vlan routing and want to access internet. I assume that I’ve to configure a trunk between the asa and 2950 switch(inside).

My problem is when I try to configure sub-interfaces on the asa interface(ethernet 0/2) it wont allow me to do so. Further it wont allow me to configure (nameif,security-level and ip address)on the physical interface. Every time I’ve to configure interface vlans and has to map them to the physical interface.

Can anyone assist me with this request.

Regards,
Suren
BlogAdmin says

January 8, 2010 at 11:36 am

Hello Suren,

From your description I have understood that you have a Cisco ASA 5505 model, is that correct? If that is the case, then you CAN NOT create subinterfaces on the physical interface if you have the base license on the ASA. For Cisco ASA 5505, all physical interfaces are Layer2 ports, and you must create a Layer 3 interface Vlan which is mapped to a specific Layer2 Vlan configured on the physical interface.

With the 5505 base license you can create up to 3 Vlans, but two of them can not communicate between each other. If you create for example two inside vlans (inside1, inside2) and one outside vlan, then inside1 and inside2 can only communicate with the outside, but not between each other.
daff42 says

January 8, 2010 at 12:40 pm

I have the same configuration : several internal VLANs with a layer 3 internal switch and ASA for outgoing connexions.
The ASA has only one internal IP in VLAN1 (and is connected to a VLAN1 port on the Layer 3 switch).
The internal switch is the default gateway for machines in other VLANs.
I couldn’t get the ASA to route connexions from VLAN1 to the others, I assume this is because it doesn’t see the return packets (packets form other VLANs to VLAN1 are routed directly through the internal switch).

Anyway, to fix this :
I attributed to the internal switch an IP for each VLAN. And a default route to go to the ASA.
Then I set all my machines to use the internal switch as their default gateway, even for machines in VLAN1.
That way traffic between internal VLANs doesn’t go through the ASA anymore.
BlogAdmin says

January 8, 2010 at 2:15 pm

Hello daff42, thank you for your comment. Yes you are right. The way you have configured the switch, all the Intervlan routing goes through the switch and never reaches the ASA. Ofcourse, internet traffic will have to go through the ASA via the default route that you have on the switch.

Regarding security, all traffic between your internal VLANs has no restrictions. If you want to implement traffic control between your internal Vlans, then you can use access-lists on the Layer3 switch for some basic protection (maybe you want to block some internal users for reaching sensitive servers in your internal network)
lbomani says

June 23, 2010 at 2:36 pm

I have a similiar configuration as daff42 w/ minor differences.

A.) Layer 3 switch with 4 internal vlans all on different subnets. SVI is setup on this device and it serves as the default gateway for machines in each respective vlan. 1 of the vlans will provide http/https services

B.) ASA 5550 firewall used for external connections.

My question is which is the best way to make the ASA “aware” of the internal vlans? I think my options are:

1.) Give the ASA an IP in each internal VLAN (though the L3 switch will still be the gateway). This way the routing table will auto populate with these networks. This requires more cabling and use of ports on the ASA. I only have 8 10/100/1000 ethernet ports.

or

2.) Create a new subnet just between the L3 switch and ASA (say 10.0.0.x) and then create static routes for each internal vlan. Will this make my NAT rules more complicated?
lbomani says

June 23, 2010 at 4:13 pm

I guess what I mean for quest # 2 is, will I have any problems creating network objects in ASDM (gui) for networks that are not directly attached or will I have to do some complicated NAT? As I said before, one of the internal vlans will provide http/https services.
BlogAdmin says

June 23, 2010 at 9:18 pm

Ibomani,

For each option you are mentioning above:

For option 1): You can remove all layer 3 functionality on the switch (i.e remove all SVI interfaces) and configure a SINGLE trunk port from the switch to one interface of the ASA (lets say gigabitethernet0/1). Then, on the ASA interface gig0/1 you can configure 4 subinterfaces (one for each internal vlan) and assign IP address on the ASA subinterfaces (e.g gig0/1.1, gig0/1.2, gig0/1.3 etc). All machines in each vlan will have as default gateway the IP address of the respective ASA subinterface.

For option 2): Leave all layer 3 functionality on the switch (SVI interfaces) and then configure another vlan connecting the switch with one internal interface of the ASA (e.g subnet 10.0.0.x – just as you suggest also). Then you have to configure one default route on the switch: ip route 0.0.0.0 0.0.0.0 10.0.0.1 (assume ASA internal IP is 10.0.0.1). For this option, you will NOT have any problems on the ASA by configuring object groups for networks that are not directly connected on the ASA. e.g if one internal vlan has subnet 10.1.1.x, then you can configure a network object on the ASA for network range 10.1.1.x with no problems. Then you can do NAT on the ASA for that network as normally you would do for a directly attached subnet.

Hope I’m clear.

Regards
lbomani says

June 24, 2010 at 9:28 pm

Thanks,

I will be using option 2 and keep the 3750 switch as a layer 3 device.

Regards,

lbomani
Saianara says

October 20, 2010 at 7:24 pm

Hi,

I’ve got the setup as shown in the picture, but I need to allow hosts from LAN1 to communicate with units on LAN2. Hosts on LAN1 has ASA as default gateway.

Is this an ASA issue or how do I solve this task ?

Regards
Saianara
BlogAdmin says

October 20, 2010 at 7:53 pm

The ASA can not do icmp redirect. This means that traffic from LAN1 when is reaching the interface of ASA, it is then dropped because the ASA does not send the traffic back to LAN2. You must set as default gateway for LAN1 the interface of router (192.168.1.1) and then configure a default route on router pointing to the ASA internal interface. This way you will be able to reach LAN2 from LAN1 and also you will be able to access the internet as well.
Tony says

October 25, 2010 at 8:56 pm

Here’s my issue. I’ve got the exact setup you’ve got there. I’ve got lan 1 192.168.200.0/24 and lan 2 192.168.210.0/24. They are connected with point to point bonded T1’s with routers at both sites to route the traffic between the 2 sites. Both sites have their own internet connection. I’ve got the ASA’s with a 0.0.0.0 route to the internet gateway and a static route for 192.168.210.0 255.255.255.0 192.168.200.2 (router) on Site1’s ASA, and 192.168.200.0 255.255.255.0 192.168.210.2(site 2’s router) on Site2’s ASA. I cannot connect pc’s or VOIP phones across to the other site from either direction. Both sites could connect to the internet.
BlogAdmin says

October 26, 2010 at 7:30 pm

Tony,

Here is what you need to do:

1. Configure a default route on each site’s router pointing to the internal IP of ASA.
2. Configure also static routes on the routers to reach the other site’s LAN network.
3. The default gateway on user’s PCs and IP phones should be the site’s router.

This means that all traffic routing will be handled by the routers and not the ASA.
aaronsiame says

November 20, 2010 at 6:13 pm

hello guys
I have a cisco router, one interface pointing the isp and the other pointing the ISA. the other interface of the ISA is pointing to my switch catalyst 3750. i have vlans(5) configured on the switch, the problem that is that i cannot ping the interface facing the router. but from the ouside interface of the ISA i can ping my LAN but when iam in my LAN i cannot ping the outside interface of the ISA. please assist i just bought this ISA5510.
BlogAdmin says

November 20, 2010 at 9:53 pm

aaronsiame,

sorry but I did not understand your problem exactly. When you say ISA do you mean the Cisco ASA firewall or the ISA server of Microsoft?
Shawn says

December 1, 2010 at 7:05 pm

This blog is great and I’ve almost got my issue solved. I have the same scenerio for a customer and I had added the ip route like you initially discussed. However, I cannot ping the router from the ASA. It’s an ASA5505 going to a linksys router (I know, I know). The routing table in the Linksys is correct and has a static route back to 192.168.1.0/24 for WAN and internet access and I can ping anything on the .1 network from the .2. I see the post saying I need to make the default gateway for the .1 network the IP address of the router. Shouldn’t I be able to ping the router from the ASA from adding the initial route to it?
BlogAdmin says

December 2, 2010 at 1:11 pm

Shawn,

The router in my example scenario above refers to a “Real” router…not a Linksys :)
Anyhow, I believe the WAN interface of your Linksys is blocking icmp traffic, thats why you can not ping it from the ASA. Also, usually SOHO routers (like Linksys) are configured to use NAT by default, so you can not actually go from the WAN to the internal network (i.e you will not be able to access network 192.168.2.0 from the 1.0 network if the linksys is doing NAT).
Brandon says

December 10, 2010 at 11:23 pm

I need a little help also. I have 2 buildings with multiple IP networks (B1 – 192.168.1.x,192.168.10.x,192.168.2.x and B2 – 172.30.10.x, 172.30.1.x). They both have ASA 5505’s. I have a network connection between the two buildings now and need to allow both networks to see and interact with each other. Would I set up something like the DMZ example above or is there an easier/better way for this to work?
Brandon says

December 10, 2010 at 11:34 pm

To further clarify, both will need to access the internet at their own locations, just network traffic needs to travel across the proposed DMZ (or other solution).
BlogAdmin says

December 11, 2010 at 7:21 pm

The DMZ as shown on the picture above is just for illustrative purposes only. In your case you don’t need a DMZ for your scenario. I assume that you have a dedicated router on each site for connecting the two building together? If yes, then the scenario is exactly as the picture above. All PCs in building A should have as default gateway the router which should have a default route towards the local ASA 5505.
elad says

December 26, 2010 at 10:21 pm

Hi,
I would like to do a static NAT on a server inside my LAN.
I have ASA 5520.
I was able to do NAVT on a server in my DMZ.
do I need to to do routing on my Router in order for the connection to
reach my LAN?
I will appreciate to know how is the easiest way to do the NAT.I would
like to be able to telnet to port 443 with real IP.

thanks alot!
Elad.
BlogAdmin says

December 27, 2010 at 7:09 pm

I assume you need to reach an inside server from the outside via a public IP address. You need to do static nat between inside/outside:

nat(inside,outside) [public IP] [private IP] netmask 255.255.255.255

You do not need any static routing on the outside router since the internal server will be translated into a public IP. You must allow also the proper entries in an access control list applied on the outside interface.
ScottA says

January 15, 2011 at 3:06 am

Hi,

I’m in process of segmenting critical servers from user workstations.
Equipment ASA 5510, and (2) Adtran 3200 routers
existing config:
Company 1 network 192.168.0.0/24
Company 2 network 192.168.1.0/24
Current Route Tabel in Adtran:
DEST. MASK Next Hop
0.0.0.0 0.0.0.0 192.168.0.101 (ASA Int. If)
192.168.0.0 255.255.255.0 0.0.0.0
192.168.1.0 255.255.255.0 200.1.1.2
200.1.1.0 255.255.255.252 0.0.0.0
200.0.0.2 255.255.255.255 0.0.0.0

I need to add segment network 192.168.2.0/24 where the “PCI” servers must be places. This PCI network is the highest security level, however all workstations in both existing networks must be able to communicate with the servers within the PCI network. Currently, the 192.168.2.0 network can ping both networks and has internet access. However, no services such as printing, DHCP, or Applications are working. Any assistance is much appreciated.
BlogAdmin says

January 15, 2011 at 2:15 pm

Scott,

You are asking for a whole network design with PCI from a blog post without giving too much detail. As you understand this is difficult to do. As a general guideline, you will need to put the PCI servers in a separate ASA 5510 DMZ (separate physical interface) and use the proper NAT and access-lists on the ASA to control traffic flow.
Gio says

February 2, 2011 at 11:44 am

My provider gave me a VLAN with number 2XXX.
i created subinterfaces on my 1841 router and with dot1q it works fine. now i want to replace router by ASA5505 with advipk9sekbundle license, but cant create subinterfaces on Ethernet ports. Though i created Vlan2XXX and assigned it to Ethernet 0/X and put it into trunk mode, still it doesnt work. any suggestions?
BlogAdmin says

February 3, 2011 at 7:52 am

Gio,

Use the wan port eth0/0 and connect it to the provider’s switch. Then do the following:

interface Ethernet 0/0
switchport access vlan 2XXX
no shutdown

Now, put an IP address on your WAN Vlan:

asa5505(config)# interface Vlan 2XXX
asa5505(config-if)# nameif outside
asa5505(config-if)# security-level 0
asa5505(config-if)# ip address X.X.X.X 255.255.255.0

Try the above and let us know.
Gio says

February 3, 2011 at 2:42 pm

Thx for help,

I figured out that switchport was not working, so i put it into trunk mode. now it works fine.
By the way: is there any chance that i configure failover or ISP redundancy on single ASA5505? For example ISP#1 on interface Eth0/0 and ISP#2 on Eth0/1. if one fails other must become route to 0.0.0.0 0.0.0.0 <<any chance of that?
BlogAdmin says

February 3, 2011 at 4:24 pm

Gio,

For ISP redundancy connection check out the following link:

https://www.networkstraining.com/cisco-asa-5500-dual-isp-connection/
Ivan Luiz says

February 4, 2011 at 11:31 pm

Hi everyone,

I have two network in the same interface, but the second one is behind a router, so I set a static route on ASA and some access-list permitting all traffic. When I try ping one host on the lan1 from the lan 2 it’s doesn’t work. Can anybody give me a tip?
BlogAdmin says

February 5, 2011 at 9:55 am

Ivan,

be more specific. Can you give us more details?
Ivan Luiz says

February 7, 2011 at 3:58 pm

Hi BlogAdmin, thanks for answer!

I have a topology like yours, put on the top, so i want that communication among those lan (A and B) pass through ASA. The communication between those lan, without pass through ASA already occur. My problem begin when i try to use ASA as a router.

I can ping both networks from the ASA. I insert access-list to permit any traffic from and to both networks, but it don’t work yet.

Regards,

Ivan Luiz
BlogAdmin says

February 9, 2011 at 7:44 am

Ivan,

When you create two lans (security zones) on a Cisco ASA firewall, you need both an access-list and a “translation rule” between them in order to communicate. So, just an access-list is not enough. You need to see which security zone has the highest security level and configure a proper NAT rule between the two Lan networks.
Ivan Luiz says

February 9, 2011 at 7:45 pm

Hi,

Ok. I’ll try it.

Thanks
Ivan Luiz says

February 10, 2011 at 10:25 pm

Hi everybody,

BlogAdmin, now it working!! below i let the resolution:

static (inside,inside) sorce1 sorce1_again netmask 255.255.255.0
static (inside,inside) soerce2 sorce2_again netmask 255.255.255.0

Ex:
static (inside,inside2) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside2,inside) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

Best regards,
AC says

February 15, 2011 at 12:18 am

Networking noob alert incoming…
I have very little experience with networking and few resources to contact but am trying to learn how to set up 2 subnets using static routing. We have a ASA 5505. My network is similar to above (right hand side of ASA) where I have 2 LAN’s on different subnets (192.168.1.32/27 & 192.168.1.64/27) going into the ASA and need to be able communicate between machines. I am currently unable to ping between machines (i.e. 192.168.1.36 -> 192.168.1.70), but can ping all from ASA without issue. I have been trying to set up Static Routing but because I really don’t know what I am doing, I haven’t been able to make it work yet. Thanks in advance for comments/help.
BlogAdmin says

February 15, 2011 at 7:26 pm

AC,

Configure all machines with default gateway being the IP address of router on each segment. Then configure a default route on router pointing to the inside interface of ASA.
Jimmy says

February 20, 2011 at 10:31 am

BlogAdmin:

I have an ASA 5550 and I am trying to get my inside interface to pass traffic past it and onto the outside interface. Below is something similar to what I have set up:

interface GigE0/3
description gateway
nameif inside
security-level 100
ip address 135.24.156.1 255.255.255.0

interface GigE1/3
description connection to internet
media-type sfp
nameif outside
security-level 0
ip address 135.24.127.62 255.255.255.252

route outside 0.0.0.0 0.0.0.0 135.24.127.61

I have tried quite a few things, but at a loss. I am sure the answer is too easy, but my head is too far wrapped around the problem.

Thank you for any assistance you can advise. Thank you.

/r,

Jimmy
BlogAdmin says

February 20, 2011 at 1:13 pm

Jimmy,

If the inside network is assigned public routable IP addresses, then the simplest thing to do is to disable NAT using “no nat-control”. This means that your ASA firewall will be working as a normal router with all firewall security still in place. Any inbound access (i.e from outside internet towards your internal network) will be controlled by an access control list that you will have to apply on the outside interface.

Please let me know what ASA version you are running and if you indeed need NAT control or not
Lam says

February 21, 2011 at 10:15 am

hi everybody,

Blogadmin:

I have the same topology, I’ve got Lan2 is 172.16.2.0/24, webserver is 172.16.2.2 (gateway: 172.16.2.1, on switch layer3).
But I can try to access from internet (ip outside asa: 192.168.1.2/24) to IP 192.168.1.4 port 80 (translate to webserver 172.16.2.2)

interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.1.2 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
!
access-list 101 extended permit tcp any host 192.168.1.4 eq www
access-list 101 extended permit icmp any any
access-list 103 extended permit tcp host 172.16.2.2 any eq www
!
nat (inside) 2 172.16.1.0 255.255.255.0
global (outside) 2 192.168.1.5
!
static (inside,outside) tcp 172.16.2.2 www 192.168.1.4 www netmask 255.255.255.255
!
access-group 101 in interface outside
access-group 103 in interface inside
!
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route inside 172.16.2.0 255.255.255.0 172.16.1.2 1
!
end

Thanks to all,
Lam
Lam says

February 21, 2011 at 10:17 am

Sorry, I cannot try to access from internet (ip outside asa: 192.168.1.2/24) to IP 192.168.1.4 port 80 (translate to webserver 172.16.2.2)
BlogAdmin says

February 21, 2011 at 9:58 pm

Lam,

You are having a very common mistake that many people do. Your static nat is not correct. You must change as following:

static (inside,outside) tcp 192.168.1.4 www 172.16.2.2 www netmask 255.255.255.255
Augusto says

April 5, 2011 at 4:15 am

Friend,
I have a main site ASA 5505 as the default gateway of the network, inside 192.168.0.253/24 and have a router MPLS IP 192.168.0.254 to connect to three branch offices with networks 192.168.2.0/24, 192.168.3.0 / 24 and 192.168.4.0/24
The machines in the array that are appointed to the Default gateway 192.168.0.253 ASA Can not access the machines from Branch.

I can not change the Default Gateway for the router to his speed and 10 Mbps.
How do I allow the ASA, that all machines of the four networks to communicate?
What commands do I use to do NAT?

LOG ASA
Access from 192.168.0.8 to HTTP 192.168.3.8
6 Apr 04 2011 11:10:47 106015 192.168.0.8 192.168.3.8 Deny TCP (no connection) from 192.168.0.8/3011 to 192.168.3.8/80 flags RST on interface inside
6 Apr 04 2011 11:10:26 302014 192.168.0.8 192.168.3.8 Teardown TCP connection 4551 for inside:192.168.0.8/3011 to inside:192.168.3.8/80 duration 0:00:24 bytes 0 TCP Reset-O
6 Apr 04 2011 11:10:02 302013 192.168.0.8 192.168.3.8 Built inbound TCP connection 4551 for inside:192.168.0.8/3011 (192.168.0.8/3011) to inside:192.168.3.8/80 (192.168.3.8/80)

7 Apr 04 2011 11:10:02 609001 192.168.3.8 Built local-host inside:192.168.3.8

ASA-BIO# sh run
: Saved
:
ASA Version 7.2(3)
!
hostname ASA
domain-name
enable password x
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.253 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 187.x 255.255.255.248
!
interface Ethernet0/0
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 2
!
passwd x encrypted
ftp mode passive
clock timezone BRST -3
clock summer-time BRDT recurring 2 Sun Oct 0:00 3 Sun Feb 0:00
dns server-group DefaultDNS
domain-name
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service SSH2 tcp
port-object range 2264 2264
access-list outside_access_in remark Libera ICMP
access-list outside_access_in extended permit icmp any any
access-list outside_access_in remark Libera TS
access-list outside_access_in extended permit tcp any interface inside eq 3389
access-list outside_access_in remark Libera SSH
access-list outside_access_in extended permit tcp any any object-group SSH2
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit esp any any log debugging
access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 19
.168.4.0 255.255.255.0
pager lines 24
logging enable
logging asdm debugging
mtu inside 1500
mtu outside 1500
ip audit signature 3040 disable
ip audit signature 3041 disable
ip audit signature 3042 disable
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
static (inside,inside) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (inside,inside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
route inside 192.168.3.0 255.255.255.0 192.168.0.254 1
route inside 192.168.2.0 255.255.255.0 192.168.0.254 1
route inside 192.168.4.0 255.255.255.0 192.168.0.254 1
route outside 0.0.0.0 0.0.0.0 187.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection timewait
sysopt connection tcpmss 0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer x
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.0.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 outside
telnet 192.168.2.0 255.255.255.0 outside
telnet 192.168.3.0 255.255.255.0 outside
telnet 192.168.4.0 255.255.255.0 outside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

!
!
username x password x encrypted privilege 15
tunnel-group x type ipsec-l2l
tunnel-group x ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
prompt hostname context
Cryptochecksum:14b079939d0406ee314da0c47d14b237
: end
ASA-#
BlogAdmin says

April 5, 2011 at 4:05 pm

You must change the default gateway for your internal PCs to be 192.168.0.254 (the router). Then you must configure a default route on the router to point to the ASA:

ip route 0.0.0.0 0.0.0.0 192.168.0.253
Miki says

April 8, 2011 at 12:24 am

Hi,

I have a similar scenario and would appreciate your help.
My DMZ (192.168.10.0/24, VLAN 10) and LAN (192.168.1.0/24, VLAN 1) are connected to ASA through 3COM 4200 switch, where I set ASA DMZ interface IP to 192.168.10.254, and ASA LAN interface to 192.168.1.254.
I manage to ping ASA LAN interface from my workstation, which is in VLAN 1, default gateway 192.168.1.1. The problem is that I cannot ping 192.168.10.254 from the same workstation. IP routing is enabled on the switch.
I hope you could help me to find where I went wrong…
What static routes do I need on ASA?

Thank you.
Augusto says

April 8, 2011 at 3:09 am

Thanks for the reply, but I need another way.
There is no other way to solve this problem?
I can not change the Default gateway of the PC LAN ASA 192.168.0.253 (100 Mbps) to the router 192.168.0.254 (10 Mbps).
If I do that causes a slow network.
I can not do so, I need another solution.
BlogAdmin says

April 11, 2011 at 12:34 pm

Miki,

As I explained on the post, if the networks are directly connected on the ASA, then you don’t need to configure a static route for them since the ASA device already knows about these network. Your mistake is that the default gateway for your workstation is 192.168.1.1 instead of 192.168.1.254.
Josh says

April 23, 2011 at 9:06 am

BlogAdmin
I have a similar config as the diagram: a pair of ASA 5505 with plus license configured as active/passive mode. Two Juniper SA 4500 SSL devices are configured in active/passive mode also. The internal interface of each SA 4500 are connected to the lan 1 (10.1.95.0) of each ASA 5505 and the external interface are connected to the DMZ of each ASA
I can ping from LAN1 (10.1.95.0) to computers on LAN2; and LAN 1 to DMZ with static identity NAT. But I can not connect from computers on Lan2 (10.1.10.0 and 10.1.11.0 to DMZ (172.16.2.0). Did computes in LAN 2 and Lan 1 suppose able to connect to DMZ (security at 50) by default? I have tried disable/enable the “nat-controll “, it would not help. What do I need to add to allow computers on Lan 2 talks to servers on DMZ?
2. I also use this ASA for VPN (IP pool 10.1.225.0), when connected through VPN, I can connect to Lan1 and DMZ with:
Access-list inside_nat0_outbound extended permit imp 10.1.95.0 255.255.255.0 10.1.225.0 255.255.255.0
Access-list DMZ_nat0_outbound extended permit ip 172.16.2.0 255.255.255.0 10.1.225.0 255.255.255.0
But I can not ping or connect to any computers on subnets on lan2. Do I have to add this same access list for each of subnets on lan 2? Or it has other easy way to accomplish this.
I have included both commands below in my config, but it would not help
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

Thanks,
Josh
BlogAdmin says

April 23, 2011 at 10:56 am

Josh,

For your first question, you need to create some sort of NAT (either PAT, or identity NAT) for your LAN2 networks in order to be able to access the DMZ. Just like you created an Identity NAT for LAN1, you can do the same with LAN2 networks (create identity NAT between inside–>DMZ but use the subnets of 10.1.10.0 and 10.1.11.0).

For the second question, yes you add the subnets of lan2 to the same access lists as you did for lan1 and dmz subnets.
Jasper says

May 30, 2011 at 2:28 am

Lots of great stuff in here. I am hoping you can help me as well! I am running across a similar issue but I can’t seem to figure it out the last couple of days and I’m pulling my hair out :)

What I need to do is basically what your diagram at the top shows (no DMZ) and have lan2 reach lan1. I have a cisco asa 5505 with base license. The twist is that lan2 is a group of machines connected via openvpn (not my call, very tight budget, and was a working configuration previously with a basic firewall)

The local network is 192.168.0.0/255.255.255.0

Openvpn is running on address 192.168.0.3. The openvpn server has an IP of 192.168.20.1 and is allocating addresses to VPN clients in the 192.168.20.0/255.255.255.0 address range.

All hosts on the VPN server LAN (192.168.0.1 – 192.168.0.254) need to be visible to the VPN clients.

I have port forwarding working fine and I can connect to the openvpn server running on 192.168.0.3, and get an address of 192.168.20.2. I can ping 192.168.0.3 and 192.168.20.1 (same physical machine) from a VPN client. However I can’t ping any of the other machines on the network.

A static route on the old firewall accomplished the task of allowing the VPN clients to ping all the machines on the local network. On the ASA it’s currently set up as:

internal
IP 192.168.20.0
Netmask 255.255.255.0
Gateway: 192.168.0.3

But this does not seem to have any effect. The error I am getting in the firewall log when I try to ping from 192.168.20.2 to 192.168.0.10 for example is “regular translation creation failed for icmp”

One thing I tried that had some effect was creating a persistent route on 192.168.0.10 to the openvpn server (route -p add 192.168.20.0 mask 255.255.255.0 192.168.0.2). This let me ping the openvpn server’s 192.168.20.1 address but not the vpn client on 192.168.20.2. Since this was a previously working openvpn configuration I’m pretty sure there’s something I need to do on the ASA but I can’t figure it out.
BlogAdmin says

May 30, 2011 at 1:12 pm

Hi Jasper,

Sorry but you confused me. At the beginning you say that openvpn server is 192.168.0.3 and then below that “The openvpn server has an IP of 192.168.20.1”.

Please clarify again the network topology and the problem. I didn’t get it.
Jasper says

May 30, 2011 at 4:13 pm

Hi, thanks for the reply and sorry about the confusion.

The openvpn server on the local network is at address 192.168.0.3.

The openvpn server gives out addresses to VPN clients in the 192.168.20.0/24 range. To the VPN clients, its address is 192.168.20.1.

I guess you could say the openvpn server is like a router that has an external address of 192.168.0.3 and an internal address of 192.168.20.1.

What I want to do is set up routing on the ASA to allow a VPN client that connects and gets an IP of 192.168.20.2 and gets a route of:

IP 192.168.0.0
Netmask 255.255.255.0
Gateway: 192.168.20.1

to reach the machines on the 192.168.0.0/24 network. It would also be great if I could also route traffic destined for the internet through the VPN, but that might be for another time :)

Thank you,
Jasper
BlogAdmin says

May 31, 2011 at 6:37 pm

Jasper,

What is the default gateway IP for the hosts at 192.168.0.0/24 network? Try the following: Configure a host (lets say 192.168.0.10) with default gateway to be the IP of the vpnserver (192.168.0.3). Then try with a vpn client to reach the host 192.168.0.10.
Jasper says

June 1, 2011 at 3:03 am

Not the way I had it configured before (the default gateway for all the machines on the local network was 192.168.0.1)…but amazingly enough, that worked :)
Jasper says

June 1, 2011 at 3:04 am

thank you!
Borko says

June 5, 2011 at 8:45 pm

Dear BlogAdmin,

Is it possible to use an Cisco ASA5505(security plus licence) with L2 TPLink switch(support 802.1Q)for intervlan routing (ASA on stick)and Internet access. I want to configure several VLANs on switch, make trunk port on switch and connect to trunk port of asa5505. For each VLAN I will make VLAN interface on asa which will be default gateway for hosts in VLANs. Also, I plan to connect asa to Internet from one port which will be in separate VLAN and two asa`s port for servers in DMZ(separate VLAN). Have you seen this configuration somewhere, is this possible?

Many thanks,
Borko
BlogAdmin says

June 5, 2011 at 9:03 pm

Borko,

I have not seen this exact configuration in a real network but it should work with no problems. For the ASA5505 (security plus license) you can have one physical port configured as trunk port and then you must configure layer3 vlan interfaces on the ASA with IP address, security levels etc.

Example:

interface Vlan10
nameif zone10
security-level 60
ip address 192.168.10.1 255.255.255.0
!
interface Vlan20
nameif zone20
security-level 70
ip address 192.168.20.1 255.255.255.0
!
interface Ethernet0/1
description Trunk to Layer 2 Switch
switchport trunk allowed vlan 10,20
switchport mode trunk

So you get the idea right?
Borko says

June 5, 2011 at 9:38 pm

Dear BlogAdmin,

This is it what I try to accomplish. I am working with higher ASA models and I know their capabilities but I have never work with 5505, i have read conf guide 8.4 and it seems that is possible but i have to be sure because i have to know which hardware to buy.

Thank you for help and example configuration.
Pete says

June 11, 2011 at 11:23 am

Hi,

I have an ASA5505 which I know has some restrictions in the base license. I’m not 100% sure though if my problem is caused by that or something else.

I have setup the DMZ and due to the license restrictions have set it so that it cannot initiate connections to the inside interface.

However, should machines on the inside interface (security 100) be able to connect to machines in the dmz (security 50) or is that restricted by the license?

Basically I want to know if connections from inside -> dmz should work :-)

Thanks in advance!
BlogAdmin says

June 11, 2011 at 1:41 pm

Pete,

Communication from inside to DMZ should be working with no problems if you set up the proper nat and access-lists. So if you have a web server sitting in the dmz, then hosts from your inside network should be able to access the web server even with the base license.

Regards

Harris
Mamang says

June 22, 2011 at 5:37 am

Dear BlogAdmin,

I have existing PCS1 network with ip 172.31.34.0/255.255.255.0 tie-in to DLAN 172.18.120.0/255.255.255.0 with router interface 172.18.120.254 as gateway.
These existing networks work fine. New project coming in and I have and extra PCS2 network with ip 172.31.39.0/255.255.255.0
The PCS2 only have a cisco switch 2960 with ip interface 172.31.39.21/255.255.255.0
I would like to tie in this new network into existing one.

I have Cisco ASA 5510 in between router at the existing network and PCS2.
I have setup interface0/0 outside with ip 172.18.120.201/255.255.255.0 and interface0/1 inside 172.31.39.1/255.255.255.0
Add route outside 0.0.0.0 0.0.0.0 172.18.120.254 1

The result:
all ip outside are able to ping the firewall outside interface (172.18.120.201)
all ip inside are able to ping the firewall inside interface (172.31.39.1)
but can’t go through either ip inside to outside vice-verse.

please advice any configuration to make it work?
BlogAdmin says

June 28, 2011 at 8:01 am

Mamang,

To pass traffic through ASA firewall you need a few things in place:
1) Nat (if needed)
2) Access Lists
3) Proper routing

Have you configured the required NAT and ACLs?
Thomas says

July 8, 2011 at 2:09 pm

i’ve got an ASA5505 where i have ipsec plus addon and got some dmz’s up and running. I have outside, inside#1, inside#2 and DMZ
Inside#1 has seclvl 100, Inside#2 has seclvl 90, DMZ has seclvl 50 and Outside has seclvl 0 ofcourse.

On my DMZ i have a backupserver that get’s backups from some clients on the outside, and i now want to get it to do backups from my Inside#’s too. I can connect to it, but it wont send any files over it. It’s tries to do passive mode and just hangs there..

any ideas ???
BlogAdmin says

July 8, 2011 at 6:38 pm

Thomas,

What protocol are you using for the backup service? Is it just FTP? Do you have the proper NAT translation between the DMZ and Inside zones? Please give me more information so that I can help.
Kye says

July 9, 2011 at 2:45 am

Hi, I have got the same setup as indicated in the illustration above. I could ping Lan2 from Lan1 but failed remote desktop connection to Lan2. Could it be the firewall rules on ASA? Please advise. Thank you.
BlogAdmin says

July 9, 2011 at 2:07 pm

Kye,

What is the default gateway of the hosts on Lan1? Is it the inside address of firewall? For testing, change the default gateway of one of your hosts on Lan1 and make it to be the router interface. Then try to access remote desktop on Lan2. If it works, then the problem is that the firewall can not redirect traffic from Lan1 back to Lan2.
Kye says

July 14, 2011 at 2:26 am

Hi, thank you for your reply.
The default gateway is ASA,it is inside address of the ASA firewall. Yes, I did that and it worked by changing the default gateway to Lan2 router.
When the default gateway is ASA, I could not ping Lan2 but after ‘same-security-traffic permit intra-interface’ is enabled on ASA, I could ping Lan2 but not remote desktop connection.
BlogAdmin says

July 14, 2011 at 6:51 am

Kye,

It will not work for RDP (or for any other TCP/UDP protocol). The ASA can not redirect the RDP traffic back to the Lan2 router.
Kye says

July 18, 2011 at 5:01 pm

Hi, thank you for the reply.
Could advise me how to route the traffic from Lan1 to Lan2 in this case? Thank you in advance.
BlogAdmin says

July 19, 2011 at 7:45 am

only way that I know is to have the router as gateway
Jerry says

July 20, 2011 at 8:11 pm

I would like to understand how an ASA5510 would handle the following:
We have two independent networks (each supported by two 6509 cores one a the gateway for all odd vlans and the other a gateway for all even vlans) which we expect to link via four ASA5510s, two for each network, set up in what we hope will be redundant mode cross-connected through two 3750-12S switches (fiber). There will be two additional ASA5510s cross-connected to these switches (again redundant) that will create a DMZ for another series of servers/workstations. Finally, this DMZ will be linked to a “wild” network via a PIX firewall.

Data must travel between the two independent networks. Additional data will need to travel from either independent network to the servers in the DMZ. We need to control access from “wild” to DMZ and from DMZ to the two networks. The two inside networks will NEVER be allowed to connect to the “wild” and visa versa.

My questions are:
Does this seem like a workable architecture?
Is it overly complicated? We cannot tolerate a single point failure that blocks data flow.
How will the firewalls respond to hardware failures (loss of route) in a dual connected system?
Can they handle the route changes dynamically or do each need the full static route list to handle switchover?

Any recommendations on route/gateway setup would be appreciated.

I can supply a more detailed visio of the network if required.

Thanks,
Jerry
BlogAdmin says

July 21, 2011 at 7:31 am

Jerry,

I don’t have a clear picture in my head of your exact network topology that you want to establish. A diagram will be very helpful
Jerry says

July 21, 2011 at 4:42 pm

Thanks for the reply. I can’t seem to paste a copy of the diagram into this blog space. Any suggestions on how I can get the diagram to you for review?

Thanks,
Jerry
Thomas says

July 28, 2011 at 11:36 am

Sorry for late “reply” on my own question, been on vacation :-)
The backup software uses ie. port 2456 as a “hanshake” and i get the confirmation that it’s connected and all i ok, then the transfer of files itself goes on port “1024-2048”. So the “command port” is 2456″ and “data port range is 1024-2048.

i believe i have the NAT sorted since i can ping, and the “handshake” is working :-)
BlogAdmin says

July 29, 2011 at 7:54 am

Thomas,

It seems that the problem is that the backup traffic does not use fixed port numbers. This is very bad for a stateful firewall, which blocks such traffic. This is like the FTP which starts a handshake connection on port 21 and then data is being sent on port 20. ASA has a special “inspect ftp” command to fix that problem with FTP service. However, in your case the backup protocol you use maybe is not supported in ASA application inspection. What you can do is open up ports on the Access lists from 1024 up to 2048 and also open up port 2456. These are a lot of ports to have open but it maybe the only solution.
BlogAdmin says

July 29, 2011 at 7:55 am

Jerry,

You can send me the diagram to: admin at tech21century.com
Andrew says

July 30, 2011 at 10:20 am

Hi

We have an ASA5520 that has multiple sub interfaces. On the one subinterface I have two devices. The one needs to FTP to the other. It opens the connection, but when the FTP server tries to respond, it is sending it to the ASA instead of straight to the FTP client which the ASA then drops (deny tcp (no connection)). Any ideas as to why this would happen? It’s supposed to just talk directly to the client. The only thing I can think of is that the ASA is giving the wrong ARP response. Giving it’s own IP address instead of the client’s address when getting an ARP query? Does this sound correct?

Many thanks,
BlogAdmin says

August 1, 2011 at 8:53 am

Andrew,

If the two devices that you mention are sitting on the same vlan and same layer3 subnet, they are not supposed to send any traffic to the ASA when they communicate between them. The ARP assumption that you say is not valid unless there is a serious malfunction on the ASA which I don’t think it happens.
Andrew says

August 2, 2011 at 10:44 am

Hi

I have confirmed it again, the firewall gives it’s own mac address as an arp response for the server on the same vlan. If I force a static arp address on the server, everything works as expected. Unofortunately this entry doesn’t survive a reboot and gives me unexpected results from time to time.
Andrew says

August 2, 2011 at 2:56 pm

Ok, I think I have fixed it. Proxyarp is apparantly turned on by default under certain circumstances on some interfaces. It is possible to saftely remove this if you do not hit one of the restrictions.

https://supportforums.cisco.com/message/3136009

Many thanks for your time.
BooCo says

August 31, 2011 at 3:31 pm

Hi, I just wanted to say thanks. I had some router work done by a consultant and I figured I needed to set up a static route on my ASA afterwards, but I wasn’t totally sure. With your explanation and example I was able to get it right on the first try.
Thanks Again!
Andrey says

September 13, 2011 at 9:44 am

Hello. Sorry for my English (I’m from Russia). I have configuration with 1 VLAN and 2 LANs. LAN1 Network is connected to ASA 5505 directly by switch. LAN2 is connected with MPLS with router wich is connected to the same switch. There is no VLAN configurations on the swich. All other devices are connected to the same switch. MPLS router have the address in the same VLAN1. If it nessesary I can send diagram of the network. I have made configuration like you (add static route to LAN2 via MPLS Router) with default setting of inspect traffic. So ICMP is working beetwen host in LAN1 and LAN2, but any other traffic don’t work.
I can send configuration of my ASA and of MPLS Router.
If I use LynkSys RV082 instead ASA 5505 it works fine, if I use ASA I have a problem with another traffic.
Andrey says

September 13, 2011 at 12:29 pm

Hello Again. I have find solution for my problem. I think this solution will help for example to Augusto. Solution describes in this article:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.pdf
BD says

September 21, 2011 at 4:11 pm

Hi Everybody out there.

Well i would like to share with you the following:
I have configured my ASA 5520 V7…and everything is working properly but:: from the Inside or internal network, i can access the dmz server running the www and email.
I have tried all (little)i know, and i shoul admit im very knew to this industry though i love it.

bellow is the sh run of my asa.

Can anyone please try to figure out for me why i cant access or even ping from inside to the dmz? as our internal pcs wont be able to access the www plus mail servers?

I thank you all in advance.

BD
BlogAdmin says

September 21, 2011 at 5:42 pm

and where is the show run?
BD says

September 21, 2011 at 11:11 pm

Hi BlogAdmin

Im really sorry for that mistake..
According to the statement quation above from me BD… here is the sh run:

ASA Version 7.0(8)
!
hostname ASA2
domain-name xxxxxx
enable password xxxxxx
passwd
names
dns-guard
!
interface GigabitEthernet0/0
description “Link-To-GW-Router”
nameif outside
security-level 0
ip address 41.223.156.109 255.255.255.248
!
interface GigabitEthernet0/1
description Link To Local Lan
nameif inside
security-level 100
ip address 10.1.4.1 255.255.252.0
!
interface GigabitEthernet0/2
description “Link-To-DMZ”
nameif dmz
security-level 50
ip address 172.16.16.1 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
access-list INSIDE extended permit ip 10.1.4.0 255.255.252.0 any
access-list OUT-TO-DMZ extended permit tcp any host 41.223.156.107 eq smtp
access-list OUT-TO-DMZ extended permit tcp any host 41.223.156.106 eq www
access-list OUT-TO-DMZ extended permit icmp any any log
access-list OUT-TO-DMZ extended deny ip any any
access-list inside extended permit tcp any any eq pop3
access-list inside extended permit tcp any any eq smtp
access-list inside extended permit tcp any any eq ssh
access-list inside extended permit tcp any any eq telnet
access-list inside extended permit tcp any any eq https
access-list inside extended permit udp any any eq domain
access-list inside extended permit tcp any any eq domain
access-list inside extended permit tcp any any eq www
access-list inside extended permit ip any any
access-list inside extended permit icmp any any
access-list dmz extended permit ip any any
access-list dmz extended permit icmp any any
access-list DMZ_IN extended permit icmp any any echo
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list cap extended permit ip 172.16.16.0 255.255.255.0 10.1.4.0 255.255.25
2.0
access-list cap extended permit ip 10.1.4.0 255.255.252.0 172.16.16.0 255.255.25
5.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no failover
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.1.4.0 255.255.252.0
static (inside,dmz) 10.1.0.0 10.1.16.0 netmask 255.255.252.0
access-group OUT-TO-DMZ in interface outside
access-group inside in interface inside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 41.223.156.108 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
Cryptochecksum:30d296dea4f5ffc1dd4560e075d47076
: end

Guys,on the other side i should honestly admit that im quiet new to the cisco asa industry, but willing to new adventure about these machine.

Please any single, simple (but big) help from you….will really be highly and fully appretiated..

Once again i thank you in advance all you guys.

BD
BlogAdmin says

September 22, 2011 at 7:07 am

BD,

The problem is on the static NAT between inside and dmz. You must change that to the following:

static (inside,dmz) 10.1.4.0 10.1.4.0 netmask 255.255.252.0

Do the change above and Let me know how it goes.
BD says

September 22, 2011 at 10:06 am

HI BlogAdmin….
First of pls do allow me to thank you so much for your time and cooperation….

Well im on my way to the office and once there i will do the change and let you know…

However just to clarify according to the above command you gave me…so should i remove the previous one?i mean the static nat which is there!!

Thanx BD
BlogAdmin says

September 22, 2011 at 11:16 am

Yes, you must remove the old static command
BD says

September 22, 2011 at 4:53 pm

Hi BlogAdmin.

I have done accordingly as per your advice….
But still. no ping or access from the inside zone to the dmz.

Basically for the dmz interface, the E0/2 connects directly to a switch (normal switch) and from this switch is where the 172.16.16.80 www and 172.16.17.25 email servers are.

On the other side… just to clarify….i got a router before Asa and bellow is the router 2800 series sh run

GW-RTR#sh run
Building configuration…

Current configuration : 1481 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname GW-RTR
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$h.LH$3sc8ez.Vb62zHi86u1SYl1
!
aaa new-model
!
!
!
aaa session-id common
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
ip cef
!
!
!
!
ip domain name tchipa.com
ip name-server 8.8.8.8
ip name-server 4.2.2.2
ip name-server 66.110.119.2
!
!
voice-card 0
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username tchipa privilege 15 password 7 0010100E0D4B0A
archive
log config
hidekeys
!
!
!
!
!
!
!
interface FastEthernet0/0
description “Link-To-Angola-Telecom”
ip address 66.110.122.126 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
description “Link-To-LocalLAN”$ES_LAN$
ip address 41.223.156.108 255.255.255.248
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 66.110.122.125
ip route 41.223.156.104 255.255.255.248 FastEthernet0/1 41.223.156.109
!
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
banner motd ^C
PLEASE DO NOT LOGIN YOU NOT AUTHORIZED ^C
!
line con 0
password 7 09584D01101516
logging synchronous
line aux 0
password 7 1403110305142B
line vty 0 4
privilege level 15
logging synchronous
transport input ssh
!
scheduler allocate 20000 1000
end

Any other Idea Master BlogAdmin please. you anyone knew how much i must have this working….other wise from next week my www and smtp mail server will be launched….and as any one can imagine…my internal PCs wont be able to access them…

Please any help??

BD
BlogAdmin says

September 23, 2011 at 7:12 am

If you need access only from inside to dmz, you can configure PAT from inside to dmz interface.

First Remove the static NAT, and then do the following:

global (dmz) 2 interface
nat (inside) 2 10.1.4.0 255.255.252.0
BD says

September 23, 2011 at 3:16 pm

Hi ADMIN

thatnx for your repply

By the way, you mean i should remove this static :

static (inside,dmz) 10.1.4.0 10.1.4.0 netmask 255.255.252.0

and past this one above:

global (dmz) 2 interface
nat (inside) 2 10.1.4.0 255.255.252.0

right?

And according to my router theres nothing that could stop or block any acces right.

Thank you so much

BD
BD says

October 6, 2011 at 9:01 pm

Hi The BlogAdmin

My appology for not being able to give you the feedback of your last reply to my quations coz i´ve been out for work to a place with no internet accesas. my problem was that my internal PCs cannot reach my dmz.

Last reply of you, you said i should remove this static :static (inside,dmz) 10.1.4.0 10.1.4.0 netmask 255.255.252.0 coz when i past it, it still didnt work.

So then you said, if my problem is just the communication between inside to dmz, i should do this:

First Remove the static NAT, and then do the following:
global (dmz) 2 interface
nat (inside) 2 10.1.4.0 255.255.252.0

well i did it, i past the global (dmz) 2 interface
and when i past this; nat (inside) 2 10.1.4.0 255.255.252.0 it said duplicated entry….result my internal PCs still cannot access my server on dmz.

Dear BlogAdmin….im really so disparated and sorry for that. so any other help please?

by the way i have pasted my updated ASA sh run so you can have a better idea.

:
ASA Version 7.0(8)
!
hostname ASA2
domain-name assembleia.ao
enable password YVYn8G/3D1COct9U encrypted
passwd YVYn8G/3D1COct9U encrypted
names
dns-guard
!
interface GigabitEthernet0/0
description “Link-To-GW-Router”
nameif outside
security-level 0
ip address 41.223.xx.xx 255.255.255.0
!
interface GigabitEthernet0/1
description Link To Local Lan
nameif inside
security-level 100
ip address 10.1.4.x 255.255.255.0
!
interface GigabitEthernet0/2
description “Link-To-DMZ”
nameif dmz
security-level 50
ip address 172.16.16.1 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
access-list INSIDE extended permit ip 10.1.4.x 255.255.255.0 any
access-list OUT-TO-DMZ extended permit tcp any host 41.223.xx.xx eq smtp
access-list OUT-TO-DMZ extended permit tcp any host 41.223.xx.xx eq www
access-list OUT-TO-DMZ extended permit icmp any any log
access-list OUT-TO-DMZ extended deny ip any any
access-list OUT-TO-DMZ extended permit tcp any host 41.223.xx.xx eq www
access-list inside extended permit tcp any any eq pop3
access-list inside extended permit tcp any any eq smtp
access-list inside extended permit tcp any any eq ssh
access-list inside extended permit tcp any any eq telnet
access-list inside extended permit tcp any any eq https
access-list inside extended permit udp any any eq domain
access-list inside extended permit tcp any any eq domain
access-list inside extended permit tcp any any eq www
access-list inside extended permit ip any any
access-list inside extended permit icmp any any
access-list dmz extended permit ip any any
access-list dmz extended permit icmp any any
access-list DMZ_IN extended permit icmp any any echo
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list cap extended permit ip 172.16.16.0 255.255.255.0 10.1.4.0 255.255.25
5.0
access-list cap extended permit ip 10.1.4.0 255.255.255.0 172.16.16.0 255.255.25
5.0
access-list nonat extended permit ip 10.1.4.0 255.255.255.0 172.16.16.0 255.255.
255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no failover
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 2 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.1.4.0 255.255.255.0
nat (inside) 1 10.1.4.0 255.255.252.0
static (dmz,outside) tcp 41.223.XX.XX www 172.16.16.80 www netmask 255.255.255
.255
static (dmz,outside) tcp 41.223.XX.XX smtp 172.16.16.25 smtp netmask 255.255.2
55.255
access-group OUT-TO-DMZ in interface outside
access-group inside in interface inside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 41.223.XX.XX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username tchipa password JUU.kVt2Und.Vd23 encrypted privilege 15
http server enable
http 10.1.4.0 255.255.255.0 inside
http 10.1.6.0 255.255.255.0 inside
http 10.1.7.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 10.1.4.0 255.255.255.255 inside
ssh 10.1.5.0 255.255.255.255 inside
ssh 10.1.6.0 255.255.255.255 inside
ssh 10.1.7.0 255.255.255.255 inside
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
Cryptochecksum:1442681c2a378d10f026df4cf1005452
: end

Pls help.
BlogAdmin says

October 7, 2011 at 8:30 pm

Do the following:

no nat (inside) 1 10.1.4.0 255.255.255.0
no global (dmz) 2 interface
global (dmz) 1 interface
BD says

October 10, 2011 at 7:38 pm

Hi Dear BlogAdmin.

I have procceede accordingly exactly as you said….
but unfortunatly it still didnt work…..insteady, after that i have no internet at all…

All the Inside PC or my entire network has no internet connection…it fails automatically after that…

How do i remove the above commands pls… i need the internet back or to bring back everything as before pls.

And as for my issue…any other clear idea why im not accessing my dmz from the inside network??

BD
BlogAdmin says

October 10, 2011 at 8:37 pm

OK, you have sent me so many configurations that you got me confused.

Put back the nat statements as below:

nat (inside) 1 10.1.4.0 255.255.255.0
global (outside) 1 interface
global (dmz) 1 interface

and remove the nat 0 command:

no nat (inside) 0 access-list nonat
BD says

October 11, 2011 at 5:32 pm

OK Dear BlogAdmin

I did accordingly to your above statement, and everything is back to normal, i mean the inside network now can access internet back, and thank you so much for your precious time and cooperation for being there as great IT professional, and as well for sharing your vision….i thank you Sir.

So by the way, the internal network still cannot reach my dmz.
Anyone can help according to the ASA 5520 v7 sh run please?

BD
BD says

October 19, 2011 at 11:16 am

Hi dear BlogAdmin

As you may know im stil struggling in getting my inside network to access or communicate to my dmz .

As i got another ASA5520 for my test, so i have configured the other asa, and according to this configuration bellow, i have installed a the EASYphp web server on the Server with 172.16.16.80 the wwww on the dmz. so now, from the inside network i can access that page, but i got dont get successfull ping like for instence at the same server with 172.16.16.80 even though i can access the web server on it through the easy php applic.

The other thing is that i dont have internet connection on my dmz, i mean the servers with 172.16.16.80 the www and 172.16.16.25 emal server

However, my concern is……does it really means that my inside network is communicating with the dmx now?
How do i enable reall ping?? is there any command to enable ping?

Dear BlogAdmin, according to my config bellow, can you recheck it for me if i have missed anything else.

Why im not getting succeessfull ping to dmz?but it can open the web server i have installed on server on the dmz? why im not getting internet on the dmz? can you pls help?
What other real test i should make to make sure im reaching my dmz? since right now i dont have yet the www and smtp email server running?

Dear BlogAdmin, i should always thank you so much for your time and cooperation, and remember that ant single help from you will be highly appretiated.

Thanx in advanced:

ciscoasa(config)# sh run
: Saved
:
ASA Version 7.0(8)
!
hostname ciscoasa
domain-name parlamento.ao
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface GigabitEthernet0/0
description Link to Gateway
nameif outside
security-level 0
ip address 41.223.156.109 255.255.255.248
!
interface GigabitEthernet0/1
description Link to Local Lan
nameif inside
security-level 100
ip address 10.1.4.1 255.255.252.0
!
interface GigabitEthernet0/2
description Link to dmz
nameif dmz
security-level 50
ip address 172.16.16.1 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
access-list outside_in extended permit tcp any host 41.223.156.106 eq smtp
access-list outside_in extended permit tcp any host 41.223.156.107 eq www
access-list dmz_int extended permit tcp host 172.16.16.25 any eq smtp
access-list dmz_int extended permit tcp host 172.16.16.80 any eq www
access-list outside_int extended permit tcp any host 41.223.156.106 eq smtp
access-list outside_int extended permit icmp any any
access-list INSIDE extended permit ip 10.1.4.0 255.255.252.0 any
access-list OUT-TO-DMZ extended permit icmp any any log
access-list OUT-TO-DMZ extended deny ip any any
access-list inside extended permit tcp any any eq pop3
access-list inside extended permit tcp any any eq smtp
access-list inside extended permit tcp any any eq ssh
access-list inside extended permit tcp any any eq https
access-list inside extended permit udp any any eq domain
access-list inside extended permit tcp any any eq domain
access-list inside extended permit tcp any any eq www
access-list inside extended permit ip any any
access-list inside extended permit icmp any any
access-list dmz extended permit ip any any
access-list dmz extended permit icmp any any
access-list DMZ_IN extended permit icmp any any echo
access-list 101 extended permit icmp any any echo-reply
access-list cap extended permit ip 172.16.16.0 255.255.255.0 10.1.4.0 255.255.252.0
access-list cap extended permit ip 10.1.4.0 255.255.252.0 172.16.16.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no failover
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 10.1.4.0 255.255.252.0
static (inside,dmz) 10.1.4.0 10.1.4.0 netmask 255.255.252.0
static (dmz,outside) 41.223.156.106 172.16.16.25 netmask 255.255.255.255
static (dmz,outside) 41.223.156.107 172.16.16.80 netmask 255.255.255.255
access-group dmz_int in interface dmz
access-group inside in interface inside

route outside 0.0.0.0 0.0.0.0 41.223.156.108 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username tchipa password JUU.kVt2Und.Vd23 encrypted privilege 15
aaa authentication ssh console LOCAL
http server enable
http 10.1.4.100 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 10.1.4.100 255.255.255.255 inside
ssh timeout 10
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
Cryptochecksum:48ba8cf4e31f2940e44293256d84ce38
: end

BD
BlogAdmin says

October 19, 2011 at 11:54 am

If you access the web server from inside, it means that the inside communicated with dmz just fine. Pinging is not a reliable way to say if you have communication or not. Accessing real services (such as HTTP) is what proves that you actually have proper communication.

To allow ping you must allow icmp echo-reply on the dmz_int access-list. Also, to allow internet access from the dmz, you must allow DNS udp 53 on the dmz_int access list as well.
BD says

October 27, 2011 at 10:51 pm

Hi Dear BlogAdmin.

Well im really sorry for my insistence or for being so hard to understand you. but one thing is for sure, since i started writting you, i´ve been improving my skill as far as asa appliance is concern.

Well as i said before and as you know i was having a problem with my internal users who couldnot access my dmz zone…but now with the above sh run config (still the latest) it seem i can reach my dmz zone specifically to the server with ip 172.16.16.80 for www, as i have installed in this server a EASY PHP WEBSERVER..and from the inside pc or network (10.1.4.x) i can access that webserver through the browser 172.16.16.80:8080 and it open that web server.

So now the problem is: the server on dmz doent have internet access…could you please help me with the right config command (access list) hat will allow server on dmz to have internet?pls

On the Other side…..from the outside, or internet i tried to reach that server on dmz through its private or translated ip address, so through the browser i type (41.223.156.106:8080)or even without the 8080…but i couldnt reach that webpage on the server on dmz.

Could you pls help me finding out why im not accessing my server on dmz??pls

Dear Admin….pls forive as im still to young and just learning about the security appliance…..remember your help could be so vital and could make such a big impact.

I thank you in advanced.

BD
BlogAdmin says

October 29, 2011 at 9:17 am

BD,

Assuming you have the configuration you have posted above, you will need to allow DNS protocol on the dmz_int access list as below:

access-list dmz_int extended permit udp host 172.16.16.80 any eq 53

Also, to access the web server on port 80 from outside, you need to create a static NAT command between dmz and outside ( something that you have done already) and also allow port 80 on the outside acl (which you have done already as well). The problem is that you have not attached the outside_in acl on the outside interface:

access-group outside_in in interface outside

After you do the above, you will be able to access the web server via 41.223.156.107 (on port 80 though, NOT on 8080)

OK??
Ivan says

August 25, 2014 at 8:06 pm

BlogAdmin,
You have stated:
“For option 2): Leave all layer 3 functionality on the switch (SVI interfaces) and then configure another vlan connecting the switch with one internal interface of the ASA (e.g subnet 10.0.0.x – just as you suggest also). Then you have to configure one default route on the switch: ip route 0.0.0.0 0.0.0.0 10.0.0.1 (assume ASA internal IP is 10.0.0.1). For this option, you will NOT have any problems on the ASA by configuring object groups for networks that are not directly connected on the ASA. e.g if one internal vlan has subnet 10.1.1.x, then you can configure a network object on the ASA for network range 10.1.1.x with no problems. Then you can do NAT on the ASA for that network as normally you would do for a directly attached subnet. ”

If I have a VLAN192 that has 192.168.0.x /24 what static nat and access list would I have to setup on the ASA to expose a web server? Basically the Vlan192 is managed by the layer3 switch and the ASA does not have an interface directly connected to it. The traffic has to go through the switch. I managed to get the VLAN192 to reach the internet by doing nat on the IPs, but I can’t get an external IP address on the ASA to map to an internal IP address on the VLAN192 and pass traffic through the ASA.
BlogAdmin says

August 25, 2014 at 8:19 pm

Ivan,
To achieve that you need to configure static NAT on ASA between “inside” and “outside” even if vlan192 is not directly connected on the ASA. Since traffic from vlan192 will reach the “inside” interface of ASA, it will be statically NATed to outside interface. This is the only way to expose an inside host to the outside world (if you are using NAT).
Matteo says

November 2, 2014 at 4:05 pm

Hi BlogAdmin,
I have a situation like you describe that don’t work on asa-5505
I need to connect e branch office through 2 switch layer 3 (one in the head office and one in branch office).
the head office switch layer 3 with ip 192.168.100.249 is connected directly to ASA port
after set a static route: “route inside 10.0.8.0 255.255.255.0 192.168.100.249” where 10.0.8.0 is the branch office network
and also set acl “access-list in-acl extended permit ip 192.168.100.0 255.255.255.0 10.0.8.0 255.255.255.0”
and “access-list in-acl extended permit ip 10.0.8.0 255.255.255.0 192.168.100.0 255.255.255.0”
I’m not be able to reach the head office network, I can ping ASA and head office switch layer 3 interface but the PC don’t answer.
from ASA CLI I can ping branch office network.

do you have suggestions?

thanks
Matteo
BlogAdmin says

November 2, 2014 at 7:56 pm

Matteo,
This is a problem I had encountered in the past as well. It is because the default gateway of the PCs in head office is the ASA internal IP. So when you ping a PC in head office from the branch office, the ICMP REPLY packets from the PC goes to ASA internal interface. The ASA does not allow redirection of traffic back out its same interface by default.

One way to mitigate this is to configure the PCs in head office to have as default gateway the L3 switch (192.168.100.249) and then configure a default route on the L3 switch to point to the ASA inside IP. So the PCs will have both internet access and also able to reach the branch hosts as well.
Matteo says

November 3, 2014 at 11:39 pm

BlogAdmin,
yes, what you suggest is my plan B
but if I understand well the command: same-security-traffic permit intra-interface shoud be allow the traffic in and out on the same interface? or not?
BlogAdmin says

November 4, 2014 at 7:55 am

Yes that’s correct, but I haven’t tried it to tell you for sure if it will work. Give it a shot and let me know.
Mike says

June 17, 2015 at 7:51 am

Thank you for your time. I have a Cisco 5510 and my goal is to route specific traffic from the internet to specific web servers on the inside interface while employing VLAN tags. The traffic will be coming in on an IPsec tunnel from a non-Cisco device. Thus due to compatibility issues, I want to route the tunnel through the ASA (punch a hole) into a VLAN to get to its ultimate endpoint on a web server where the IPsec tunnel will end. I want the IPsec tunnel to pass through the ASA. The ASA doesn’t seem to play nice with IPsec between a non-Cisco and Cisco product. My thinking is that if I can VLAN tag the incoming traffic, then I can let the VLAN tags get the IPsec tunnel traffic to where it needs to go at its ultimate endpoint where it will be de-encapsulated and read.

For example, a flow like this:
Internet traffic from 64.x.x.x in tunnel -> ASA outside interface 72.x.x.x -> ASA inside interface 0/1 vlan 10 with IP 192.168.1.1 255.255.255.0 -> L2 switch (trunked to ASA) -> VMware vSphere vSwitch (trunked to L2 switch) -> virtual machine host at 192.168.1.1 (web server) and then back out to internet.

And then:
Internet traffic from 68.x.x.x -> ASA outside interface 72.x.x.x -> ASA inside interface 0/1 vlan 20 with IP 192.168.2.1 255.255.255.0 -> L2 switch (trunked to ASA) -> VMware vSphere vSwitch (trunked to L2 switch) -> virtual machine host at 192.168.2.1 (web server) and then back out to internet.

and so forth…

I have done this successfully when employing IPsec tunnels between a remote Cisco ASA across the internet to another Cisco ASA in front of the infrastructure I mentioned above. However, I am not sure where to start when trying to do it with non-Cisco equipment. I only want to allow in the specific tunnels I have set up.

Thanks in advance for any help you can provide.
BlogAdmin says

June 17, 2015 at 11:54 am

Hi Mike,

In order to achieve the above, you must create a static NAT mapping in order to make the internal web server (192.168.1.1) visible on the internet. You must create a static NAT mapping between a public IP (let’s call it 72.1.1.1) and the private IP of the webserver (192.168.1.1). Then, the other site (non-Cisco device) must communicate with the public IP (72.1.1.1) for its IPSEC end-point peer.

You must also configure an ACL applied on the outside interface of ASA in order to allow the IPSEC protocols to come in. These protocols are UDP 500, AH, ESP.

Please let me know if you need more details.

Harris
Ben Pipilyo says

June 9, 2016 at 7:04 am

Hi BlogAdmin,

I have a similar setup as your diagram above except the IP addresses and the Internal router. Instead of the internal router, i have a hp 2920 switch which acts as a L3 switch and does all the inter-vlan routing. Vlan1 subnet (192.168.100.0/24) is directly connected to the ASA’s inside interface 192.168.100.2. So devices on that vlan1 can go out to the internet fine. The second vlan104 subnet (192.168.104.0/24) cannot go out the ASA although I have the routes. Vlan104 can ping as far as the core switch (hp 2920). The 2x vlans can ping across each other fine.

Sir, I desperately need assistance from you. THANK YOU!!!

Here is the ASA config…

ASA Version 9.1(2)
!
hostname ngcbFW2016
domain-name pngngcb.local
enable password 3hN7jFemnOzlCoGu encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet0/0
description Outside Interface
nameif outside
security-level 0
ip address 10.15.1.13 255.255.255.252
!
interface GigabitEthernet0/1
description Inside Interface
nameif inside
security-level 100
ip address 192.168.100.2 255.255.255.0
!
domain-name pngngcb.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network inside-outside
subnet 192.168.100.0 255.255.255.0
description Inside LAN to Outside
object network 192.168.100.5
host 192.168.100.5
description mail-server
object network 192.168.100.103
host 192.168.100.103
description mail-server
object network 192.168.100.3
host 192.168.100.3
description server
object network vlan104
subnet 192.168.104.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
service-object icmp echo
service-object icmp6 echo
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list inside_access_in remark NGCB Server – Mail & File Server
access-list inside_access_in extended permit ip object 192.168.100.5 any
access-list inside_access_in extended permit ip host 192.168.100.102 any
access-list inside_access_in extended permit ip host 192.168.100.111 any
access-list inside_access_in extended permit ip host 192.168.104.11 any
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network inside-outside
nat (inside,outside) dynamic interface
nat (inside,outside) dynamic interface
object network vlan104
nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 10.15.1.14 1
route inside 192.168.104.0 255.255.255.0 192.168.100.9 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
Harris Andrea says

June 9, 2016 at 9:16 am

Ben,

Some troubleshooting recommendations:

1) Can you ping ASA inside (192.168.100.2) from vlan104 subnet?
2) allow all IP traffic on ACL “inside_access_in” to make sure its not an ACL blocking issue.
Sur says

December 20, 2021 at 12:45 pm

The following statement is used on Cisco website for static route connectivity. My question is how one interface can be connected to 3 gateways ?

“You can define up to three equal cost routes to the same destination per interface. Equal-cost multi-path (ECMP) is not supported across multiple interfaces. With ECMP, the traffic is not necessarily divided evenly between the routes; traffic is distributed among the specified gateways based on an algorithm that hashes the source and destination IP addresses.”
Harris Andrea says

December 20, 2021 at 2:32 pm

Sur, if the outside interface (for example) is connected to a switch in the same VLAN as the 3 gateways, then you can have a common subnet between this outside interface and the 3 gateways. For example, assume the outside common subnet is 192.168.1.0/28 then the ASA interface can be 192.168.1.1 and the gateways can be .2, .3, .4 in the same subnet.
Sur says

December 21, 2021 at 3:31 am

Thanks Harris for quick reply .

What is the design Use case for such a Topology ? Will One gateway not Sufficient for all the ASA traffic can be routed with default route ?

Thanks again for your time
Harris Andrea says

December 21, 2021 at 6:33 am

The design use case is usually in big internal networks where you have multiple Layer 3 switches (or routers) acting as default gateways for an internal ASA firewall.
sur says

December 21, 2021 at 8:00 am

thanks a lot Harris .

This site uses Akismet to reduce spam. Learn how your comment data is processed.

How to Configure Static Routing on Cisco ASA Firewall

Routing Support on ASA

Cisco ASA Static Route Configuration

Verification Commands

DOWNLOAD THIS ARTICLE AS PDF FILE

Related Posts

Download Free Cisco Commands Cheat Sheets

About Harris Andrea

Comments

Leave a Reply

About Networks Training

Amazon Disclosure

Search

BLOGROLL