Networks Training


How to Configure Static Routing on Cisco ASA Firewall

Written By Harris Andrea

Although the Cisco ASA appliance does not act as a router in the network, it still has a routing table and it is essential to configure static or dynamic routing in order for the appliance to know where to send packets.

When a packet arrives at a network interface on the ASA firewall, it undergoes several security controls, such as ACL filtering, NAT, deep packet inspection, etc.


Routing Support on ASA

After the packet passes all firewall controls, the security appliance needs to send the packet to its destination address. It therefore checks its routing table to determine the outgoing interface where the packet will be sent.

Cisco ASA firewalls support both static and dynamic routing. For dynamic routing, the ASA supports RIPv2, EIGRP and OSPF.

I recommend not using dynamic routing, though, and sticking with static routes. The reason is that one of the purposes of a firewall is to hide your internal trusted network addressing and topology. By enabling dynamic routing, you might be advertising routes to untrusted networks, thus exposing your network to threats.


Cisco ASA Static Route Configuration

The scenario in the diagram above will help us understand how to configure static routing.

The ASA connects to the internet on the outside and also has DMZ and internal zones. The default gateway towards the ISP is 200.1.1.1. The DMZ network is 10.0.0.0/24 and the internal LAN1 network is 192.168.1.0/24.

LAN1 is directly connected to the Inside interface of the firewall. Additionally, there is another internal network, namely LAN2, with network 192.168.2.0/24. LAN2 is not directly connected to the firewall. Rather, there is an internal router with address 192.168.1.1 through which we can reach LAN2.

Therefore, in order for the ASA to reach network LAN2, we need to configure a static route to tell the firewall that network 192.168.2.0/24 can be reached via 192.168.1.1.

So we need to configure two static routes: one default static route for Internet access, and one internal static route to reach network LAN2. For directly connected networks (DMZ and LAN1) we don’t need to configure a static route, since the firewall already knows about these networks as they are directly connected to its interfaces.

Static Route Configuration:

The format of the static route command is:

ASA(config)# route [interface name] [destination address] [netmask] [gateway]


! First configure a default static route towards the default gateway
ASA(config)# route outside 0.0.0.0 0.0.0.0 200.1.1.1

! Then configure an internal static route to reach network LAN2
ASA(config)# route inside 192.168.2.0 255.255.255.0 192.168.1.1

Verification Commands

Let’s now see how to check the routing table in the ASA appliance and verify the static route:

ASA#show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is 200.1.1.1 to network 0.0.0.0

C 192.168.1.0 255.255.255.0 is directly connected, inside
S 192.168.2.0 255.255.255.0 [1/0] via 192.168.1.1, inside
C 200.1.1.0 255.255.255.0 is directly connected, outside
S* 0.0.0.0/0 [1/0] via 200.1.1.1

The routes denoted with “S” are the static routes and the ones denoted with “C” are the directly connected routes.
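As an added example that is not part of the original article, the following Python parses the show route output above, performs the same longest-prefix lookup the ASA does when it picks an outgoing interface and next hop, and checks that the static routes you intended to configure are actually present with the right gateway. The sample table is constructed from the article's output; the function names are my own.

```python
"""Parse Cisco ASA 'show route' output, look up a destination with
longest-prefix match, and verify the expected static routes are present.
Added example: not from the article; sample output constructed from it."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the article's routing table with most of the legend trimmed.
# Note the older-style "S* 0.0.0.0/0" line carries no interface name.
SHOW_ROUTE = """\
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
* - candidate default, U - per-user static route, o - ODR

Gateway of last resort is 200.1.1.1 to network 0.0.0.0

C 192.168.1.0 255.255.255.0 is directly connected, inside
S 192.168.2.0 255.255.255.0 [1/0] via 192.168.1.1, inside
C 200.1.1.0 255.255.255.0 is directly connected, outside
S* 0.0.0.0/0 [1/0] via 200.1.1.1
"""


@dataclass
class Route:
    code: str                        # 'C' connected, 'S' static, 'S*' candidate default
    network: ipaddress.IPv4Network
    via: Optional[str]               # next-hop gateway; None for connected routes
    interface: Optional[str]         # egress interface; None when not printed


# One route line: code, prefix as "net mask" or "net/len", optional [AD/metric],
# then either "via <gw>" or "is directly connected", then an optional ", <intf>".
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]\*?)\s+"
    r"(?P<net>\d+\.\d+\.\d+\.\d+)(?:\s+(?P<mask>\d+\.\d+\.\d+\.\d+)|/(?P<plen>\d+))"
    r"(?:\s+\[\d+/\d+\])?"
    r"(?:\s+via\s+(?P<via>\d+\.\d+\.\d+\.\d+)|\s+is directly connected)"
    r"(?:,\s+(?P<intf>\S+))?\s*$"
)


def parse_show_route(text: str) -> List[Route]:
    """Return the route entries; legend, blank and 'Gateway of last resort' lines are skipped."""
    routes: List[Route] = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        if m.group("mask"):
            net = ipaddress.IPv4Network((m.group("net"), m.group("mask")))
        else:
            net = ipaddress.IPv4Network(f"{m.group('net')}/{m.group('plen')}")
        routes.append(Route(m.group("code"), net, m.group("via"), m.group("intf")))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing dst wins, so the
    /24 static to LAN2 beats the /0 default for 192.168.2.x, and the connected
    /24 for LAN1 beats both for 192.168.1.x."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r.network]
    return max(candidates, key=lambda r: r.network.prefixlen, default=None)


def check_expected_statics(routes: List[Route], expected: Dict[str, str]) -> List[str]:
    """Compare the live table against the statics you intended to configure.
    expected maps network CIDR -> gateway. Returns a list of problems (empty means OK);
    a default route that points at an unexpected gateway is the case worth catching."""
    problems: List[str] = []
    statics = {str(r.network): r.via for r in routes if r.code.startswith("S")}
    for cidr, gw in expected.items():
        if cidr not in statics:
            problems.append(f"missing static route for {cidr}")
        elif statics[cidr] != gw:
            problems.append(f"{cidr} points at {statics[cidr]}, expected {gw}")
    return problems


if __name__ == "__main__":
    table = parse_show_route(SHOW_ROUTE)
    for dst in ("192.168.2.50", "192.168.1.7", "203.0.113.10"):
        r = lookup(table, dst)
        print(f"{dst:>14} -> {r.code} {r.network} via {r.via or 'connected'} ({r.interface or '?'})")
    print(check_expected_statics(table, {"192.168.2.0/24": "192.168.1.1", "0.0.0.0/0": "200.1.1.1"}))
```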




About Harris Andrea

Harris Andrea is an Engineer with more than two decades of professional experience in the fields of TCP/IP Networks, Information Security and I.T. Over the years he has acquired several professional certifications such as CCNA, CCNP, CEH, ECSA etc.

He is a self-published author of two books ("Cisco ASA Firewall Fundamentals" and "Cisco VPN Configuration Guide") which are available at Amazon and on this website as well.

Comments

  1. James E. says

    March 18, 2009 at 3:52 pm

    Hello,

    I came across this article because I am having an issue doing what you have defined in your diagram.

    I have a layer 3 switch that has two VLANs on it. I need to be able to configure a static route on the ASA so that workstations or other network devices can access the VLAN.

    I am able to enter the route as you have shown and can ping from within the ASA to the VLAN. But when a device on the network tries to access it, it’s still a no go.

    It seems that it is not passing packets back out the interface when they come in.

  2. BlogAdmin says

    March 19, 2009 at 7:10 am

    Hello James, thanks for visiting.

    From what I understand, the inside interface of your ASA belongs to one VLAN, and then there is another VLAN on the switch, is that correct? If this is the case, you should create two Layer 3 Interfaces (SVI) on the switch using “Interface Vlan X” command and assign an IP address on the Vlan interfaces. This will configure your Layer 3 switch to work as a router separating the two internal networks. The gateways of the hosts should be the IP addresses of the Layer 3 interface Vlan on the switch. Please let me know if this clarifies your question.

  3. Derek R. says

    April 9, 2009 at 3:16 pm

    You would also need to setup subinterfaces for each VLAN in order to route traffic from the ASA to the switch interfaces.

  4. BlogAdmin says

    April 10, 2009 at 12:02 am

    Hello Derek,
    The scenario I’m describing here assumes only one firewall internal zone, which is the “inside” interface. For this particular scenario you don’t need subinterfaces. What you mention would be true if we wanted two or more internal security zones, and thus we would have to configure subinterfaces on the ASA.

    Thanks for your comment.

  5. mohamed ushama says

    October 4, 2009 at 11:32 pm

    Dear Friends,

    My network diagram is like this: I have one ADSL router which has been directly connected to ASA firewall e0. I assigned my public IP on e0, then I assigned a local IP address on e1. The e1 IP address is 192.168.2.1, subnet mask 255.255.255.0; this line goes to connect to my server. My server IP address is 192.168.2.5, SNM 255.255.255.0.
    My question is:
    If we want to communicate with outside networks we should add the static route in the ASA firewall. Which IP do I want to configure: my ADSL gateway, 192.168.1.254, or my ISP router gateway? I hope I want to add the default route in my ASA firewall towards my ISP router gateway. If it’s wrong, kindly send me the details.

    Thanks and Regards
    N.Mohamed Ushama

  6. BlogAdmin says

    October 5, 2009 at 7:06 pm

    It depends if your ADSL router works in routed mode or bridge mode. If your ADSL router is not in bridged mode, then you need to configure a default route on the ASA which will be the internal IP address of your ADSL router. If your ADSL box is configured in bridged mode, then the default gateway on the ASA should be the ISP router gateway address.

  7. Ivan Mckenzie says

    November 6, 2009 at 8:25 pm

    Hi everyone, I have the same config as the diagram. I can ping from the ASA to a computer on LAN2, but when I try to connect from DMZ (192.168.14.0) to LAN2 (172.22.41.0) I get the following message:

    “No translation group found for tcp src DMZ:192.168.14.2/59716 dst inside:172.22.41.5/3389” EXPLANATION(a packet does not meet any of the outbound nat command rules)

    Thanks to all,
    Ivan

  8. BlogAdmin says

    November 7, 2009 at 2:06 pm

    You will need to configure a static NAT between inside and DMZ in order for DMZ to be able to access the host on LAN2. The following shows you how to configure static identity NAT:

    static (inside,dmz) 172.22.41.5 172.22.41.5 netmask 255.255.255.255
    access-list DMZ-IN extended permit tcp 192.168.14.0 255.255.255.0 host 172.22.41.5 eq 3389
    access-group DMZ-IN in interface dmz

  9. Ivan Mckenzie says

    November 9, 2009 at 10:59 pm

    Thanks a lot BlogAdmin, using your example I did the following modifications and it worked fine.

    static (inside,dmz) 172.22.41.0 172.22.41.0 netmask 255.255.255.0
    I didn’t put an access list because the default one on the DMZ interface was enough. With this I left all communication from DMZ to LAN2 open.

    New Problem:
    I can’t get it to work from inside (172.18.0.0/16) to LAN2. I think it’s because when the packet returns from LAN2, as the internal router has an interface on inside, the packet reaches the computer that started the communication directly and not through the ASA. In other words the return path is not the same as the starting path.

    What do you think?

    Best regards,

    Ivan Mckenzie

  10. BlogAdmin says

    November 10, 2009 at 7:59 am

    Ivan,
    Be careful with your DMZ. You said that you let all communication from DMZ to LAN2 open. This is not a good idea. If a host in your DMZ gets compromised from the Internet, then you also expose your internal LAN2 to danger. The attacker from DMZ can easily propagate into your LAN2 network. I suggest you to modify your DMZ access list and allow ONLY the required IP and protocols needed.

    Regarding your new problem, this happens because your inside zone hosts (172.18.0.0) have as default gateway the ASA inside IP. By default, the ASA does not allow traffic redirection in order for the initial packet from 172.18.0.0 to reach LAN2. If the ASA was a normal router, then the traffic would go to the ASA and then get redirected to your internal LAN2 router. This does not happen with the ASA by default. You can change this behavior though.
    You can try the following on ASA:
    ciscoasa(config)# same-security-traffic permit intra-interface
    The above will allow redirections to work.

  11. Rocco says

    November 16, 2009 at 6:34 pm

    Hi All

    I have different internal VLANs (ports) configured on the same switch (one for the PC LAN, one for servers, … one for DMZ), some with the same security level but different networks.
    I have opened all the traffic between the same-security sub-interfaces on the firewall, but it didn’t work.
    Can you help me?

    Thanks

  12. BlogAdmin says

    November 16, 2009 at 8:12 pm

    By default the ASA does not allow traffic to flow between interfaces with same security level. You need to enable this using the following:

    ASA(config)# same-security-traffic permit inter-interface

  13. Rocco says

    November 17, 2009 at 1:55 pm

    Thanks
    I have done it, but I’m not sure of:

    1. Must the switch port be in trunk mode?
    2. For multiple LAN2 /24 networks (11), like your diagram, is there a single route to set or different ones?
    3. I’m trying to configure Active/Standby stateful failover with 2 ASAs, in two different places in my network. I would use sub-interfaces on two different switches; do you think it’s possible?

    4. I’m not able to find a rich, detailed manual; could you help me?

    Regards
    Rocco

  14. suren says

    January 8, 2010 at 7:48 am

    Hi Guys,
    I too have pretty much the same scenario; it is like this:
    I’ve two VLANs (100, 101) connected to a Cisco 2950 switch and the switch connects to the inside interface (Ethernet 0/2) of the ASA.

    I want to enable inter-VLAN routing and want to access the internet. I assume that I’ve to configure a trunk between the ASA and the 2950 switch (inside).

    My problem is when I try to configure sub-interfaces on the ASA interface (Ethernet 0/2) it won’t allow me to do so. Further, it won’t allow me to configure (nameif, security-level and ip address) on the physical interface. Every time I’ve to configure interface VLANs and have to map them to the physical interface.

    Can anyone assist me with this request?

    Regards,
    Suren

  15. BlogAdmin says

    January 8, 2010 at 11:36 am

    Hello Suren,

    From your description I have understood that you have a Cisco ASA 5505 model, is that correct? If that is the case, then you CAN NOT create subinterfaces on the physical interface if you have the base license on the ASA. For Cisco ASA 5505, all physical interfaces are Layer 2 ports, and you must create a Layer 3 interface VLAN which is mapped to a specific Layer 2 VLAN configured on the physical interface.

    With the 5505 base license you can create up to 3 VLANs, but two of them cannot communicate with each other. If you create for example two inside VLANs (inside1, inside2) and one outside VLAN, then inside1 and inside2 can only communicate with the outside, but not with each other.

  16. daff42 says

    January 8, 2010 at 12:40 pm

    I have the same configuration: several internal VLANs with a Layer 3 internal switch and ASA for outgoing connections.
    The ASA has only one internal IP in VLAN1 (and is connected to a VLAN1 port on the Layer 3 switch).
    The internal switch is the default gateway for machines in other VLANs.
    I couldn’t get the ASA to route connections from VLAN1 to the others; I assume this is because it doesn’t see the return packets (packets from other VLANs to VLAN1 are routed directly through the internal switch).

    Anyway, to fix this:
    I attributed to the internal switch an IP for each VLAN, and a default route to go to the ASA.
    Then I set all my machines to use the internal switch as their default gateway, even for machines in VLAN1.
    That way traffic between internal VLANs doesn’t go through the ASA anymore.

  17. BlogAdmin says

    January 8, 2010 at 2:15 pm

    Hello daff42, thank you for your comment. Yes, you are right. The way you have configured the switch, all the inter-VLAN routing goes through the switch and never reaches the ASA. Of course, internet traffic will have to go through the ASA via the default route that you have on the switch.

    Regarding security, all traffic between your internal VLANs has no restrictions. If you want to implement traffic control between your internal VLANs, then you can use access-lists on the Layer 3 switch for some basic protection (maybe you want to block some internal users from reaching sensitive servers in your internal network).

  18. lbomani says

    June 23, 2010 at 2:36 pm

    I have a similar configuration as daff42 w/ minor differences.

    A.) Layer 3 switch with 4 internal vlans all on different subnets. SVI is setup on this device and it serves as the default gateway for machines in each respective vlan. 1 of the vlans will provide http/https services

    B.) ASA 5550 firewall used for external connections.

    My question is which is the best way to make the ASA “aware” of the internal vlans? I think my options are:

    1.) Give the ASA an IP in each internal VLAN (though the L3 switch will still be the gateway). This way the routing table will auto populate with these networks. This requires more cabling and use of ports on the ASA. I only have 8 10/100/1000 ethernet ports.

    or

    2.) Create a new subnet just between the L3 switch and ASA (say 10.0.0.x) and then create static routes for each internal vlan. Will this make my NAT rules more complicated?

  19. lbomani says

    June 23, 2010 at 4:13 pm

    I guess what I mean for quest # 2 is, will I have any problems creating network objects in ASDM (gui) for networks that are not directly attached or will I have to do some complicated NAT? As I said before, one of the internal vlans will provide http/https services.

  20. BlogAdmin says

    June 23, 2010 at 9:18 pm

    lbomani,

    For each option you are mentioning above:

    For option 1): You can remove all Layer 3 functionality on the switch (i.e. remove all SVI interfaces) and configure a SINGLE trunk port from the switch to one interface of the ASA (let’s say GigabitEthernet0/1). Then, on the ASA interface gig0/1 you can configure 4 subinterfaces (one for each internal VLAN) and assign IP addresses on the ASA subinterfaces (e.g. gig0/1.1, gig0/1.2, gig0/1.3, etc.). All machines in each VLAN will have as default gateway the IP address of the respective ASA subinterface.

    For option 2): Leave all Layer 3 functionality on the switch (SVI interfaces) and then configure another VLAN connecting the switch with one internal interface of the ASA (e.g. subnet 10.0.0.x, just as you suggest). Then you have to configure one default route on the switch: ip route 0.0.0.0 0.0.0.0 10.0.0.1 (assume the ASA internal IP is 10.0.0.1). For this option, you will NOT have any problems on the ASA by configuring object groups for networks that are not directly connected to the ASA. E.g. if one internal VLAN has subnet 10.1.1.x, then you can configure a network object on the ASA for network range 10.1.1.x with no problems. Then you can do NAT on the ASA for that network as you normally would for a directly attached subnet.

    Hope I’m clear.

    Regards

  21. lbomani says

    June 24, 2010 at 9:28 pm

    Thanks,

    I will be using option 2 and keep the 3750 switch as a layer 3 device.

    Regards,

    lbomani

  22. Saianara says

    October 20, 2010 at 7:24 pm

    Hi,

    I’ve got the setup as shown in the picture, but I need to allow hosts from LAN1 to communicate with units on LAN2. Hosts on LAN1 have the ASA as default gateway.

    Is this an ASA issue, or how do I solve this task?

    Regards
    Saianara

  23. BlogAdmin says

    October 20, 2010 at 7:53 pm

    The ASA can not do ICMP redirect. This means that when traffic from LAN1 reaches the interface of the ASA, it is then dropped because the ASA does not send the traffic back to LAN2. You must set as default gateway for LAN1 the interface of the router (192.168.1.1) and then configure a default route on the router pointing to the ASA internal interface. This way you will be able to reach LAN2 from LAN1 and you will also be able to access the internet.

  24. Tony says

    October 25, 2010 at 8:56 pm

    Here’s my issue. I’ve got the exact setup you’ve got there. I’ve got LAN 1 192.168.200.0/24 and LAN 2 192.168.210.0/24. They are connected with point-to-point bonded T1s with routers at both sites to route the traffic between the 2 sites. Both sites have their own internet connection. I’ve got the ASAs with a 0.0.0.0 route to the internet gateway and a static route for 192.168.210.0 255.255.255.0 192.168.200.2 (router) on Site1’s ASA, and 192.168.200.0 255.255.255.0 192.168.210.2 (site 2’s router) on Site2’s ASA. I cannot connect PCs or VoIP phones across to the other site from either direction. Both sites could connect to the internet.

  25. BlogAdmin says

    October 26, 2010 at 7:30 pm

    Tony,

    Here is what you need to do:

    1. Configure a default route on each site’s router pointing to the internal IP of ASA.
    2. Configure also static routes on the routers to reach the other site’s LAN network.
    3. The default gateway on users’ PCs and IP phones should be the site’s router.

    This means that all traffic routing will be handled by the routers and not the ASA.

  26. aaronsiame says

    November 20, 2010 at 6:13 pm

    Hello guys,
    I have a Cisco router, one interface pointing to the ISP and the other pointing to the ISA. The other interface of the ISA is pointing to my switch, a Catalyst 3750. I have VLANs (5) configured on the switch. The problem is that I cannot ping the interface facing the router. From the outside interface of the ISA I can ping my LAN, but when I am in my LAN I cannot ping the outside interface of the ISA. Please assist, I just bought this ISA5510.

  27. BlogAdmin says

    November 20, 2010 at 9:53 pm

    aaronsiame,

    sorry but I did not understand your problem exactly. When you say ISA do you mean the Cisco ASA firewall or the ISA server of Microsoft?

  28. Shawn says

    December 1, 2010 at 7:05 pm

    This blog is great and I’ve almost got my issue solved. I have the same scenario for a customer and I had added the ip route like you initially discussed. However, I cannot ping the router from the ASA. It’s an ASA5505 going to a Linksys router (I know, I know). The routing table in the Linksys is correct and has a static route back to 192.168.1.0/24 for WAN and internet access, and I can ping anything on the .1 network from the .2. I see the post saying I need to make the default gateway for the .1 network the IP address of the router. Shouldn’t I be able to ping the router from the ASA after adding the initial route to it?

  29. BlogAdmin says

    December 2, 2010 at 1:11 pm

    Shawn,

    The router in my example scenario above refers to a “Real” router…not a Linksys :)
    Anyhow, I believe the WAN interface of your Linksys is blocking ICMP traffic; that’s why you can not ping it from the ASA. Also, usually SOHO routers (like Linksys) are configured to use NAT by default, so you can not actually go from the WAN to the internal network (i.e. you will not be able to access network 192.168.2.0 from the 1.0 network if the Linksys is doing NAT).

  30. Brandon says

    December 10, 2010 at 11:23 pm

    I need a little help also. I have 2 buildings with multiple IP networks (B1 – 192.168.1.x, 192.168.10.x, 192.168.2.x and B2 – 172.30.10.x, 172.30.1.x). They both have ASA 5505s. I have a network connection between the two buildings now and need to allow both networks to see and interact with each other. Would I set up something like the DMZ example above, or is there an easier/better way for this to work?

  31. Brandon says

    December 10, 2010 at 11:34 pm

    To further clarify, both will need to access the internet at their own locations, just network traffic needs to travel across the proposed DMZ (or other solution).

  32. BlogAdmin says

    December 11, 2010 at 7:21 pm

    The DMZ as shown on the picture above is just for illustrative purposes. In your case you don’t need a DMZ for your scenario. I assume that you have a dedicated router on each site for connecting the two buildings together? If yes, then the scenario is exactly as the picture above. All PCs in building A should have as default gateway the router, which should have a default route towards the local ASA 5505.

  33. elad says

    December 26, 2010 at 10:21 pm

    Hi,
    I would like to do a static NAT on a server inside my LAN.
    I have ASA 5520.
    I was able to do NAT on a server in my DMZ.
    Do I need to do routing on my router in order for the connection to reach my LAN?
    I would appreciate knowing the easiest way to do the NAT. I would like to be able to telnet to port 443 with the real IP.

    Thanks a lot!
    Elad.

  34. BlogAdmin says

    December 27, 2010 at 7:09 pm

    I assume you need to reach an inside server from the outside via a public IP address. You need to do static nat between inside/outside:

    nat(inside,outside) [public IP] [private IP] netmask 255.255.255.255

    You do not need any static routing on the outside router, since the internal server will be translated into a public IP. You must also allow the proper entries in an access control list applied on the outside interface.

  35. ScottA says

    January 15, 2011 at 3:06 am

    Hi,

    I’m in process of segmenting critical servers from user workstations.
    Equipment ASA 5510, and (2) Adtran 3200 routers
    existing config:
    Company 1 network 192.168.0.0/24
    Company 2 network 192.168.1.0/24
    Current Route Table in Adtran:
    DEST. MASK Next Hop
    0.0.0.0 0.0.0.0 192.168.0.101 (ASA Int. If)
    192.168.0.0 255.255.255.0 0.0.0.0
    192.168.1.0 255.255.255.0 200.1.1.2
    200.1.1.0 255.255.255.252 0.0.0.0
    200.0.0.2 255.255.255.255 0.0.0.0

    I need to add segment network 192.168.2.0/24 where the “PCI” servers must be placed. This PCI network is the highest security level; however, all workstations in both existing networks must be able to communicate with the servers within the PCI network. Currently, the 192.168.2.0 network can ping both networks and has internet access. However, no services such as printing, DHCP, or applications are working. Any assistance is much appreciated.

  36. BlogAdmin says

    January 15, 2011 at 2:15 pm

    Scott,

    You are asking for a whole network design with PCI from a blog post without giving too much detail. As you understand this is difficult to do. As a general guideline, you will need to put the PCI servers in a separate ASA 5510 DMZ (separate physical interface) and use the proper NAT and access-lists on the ASA to control traffic flow.

  37. Gio says

    February 2, 2011 at 11:44 am

    My provider gave me a VLAN with number 2XXX.
    I created subinterfaces on my 1841 router and with dot1q it works fine. Now I want to replace the router with an ASA5505 with advipk9sekbundle license, but I can’t create subinterfaces on Ethernet ports. Though I created Vlan2XXX and assigned it to Ethernet 0/X and put it into trunk mode, still it doesn’t work. Any suggestions?

  38. BlogAdmin says

    February 3, 2011 at 7:52 am

    Gio,

    Use the WAN port eth0/0 and connect it to the provider’s switch. Then do the following:

    interface Ethernet 0/0
    switchport access vlan 2XXX
    no shutdown

    Now, put an IP address on your WAN Vlan:

    asa5505(config)# interface Vlan 2XXX
    asa5505(config-if)# nameif outside
    asa5505(config-if)# security-level 0
    asa5505(config-if)# ip address X.X.X.X 255.255.255.0

    Try the above and let us know.

  39. Gio says

    February 3, 2011 at 2:42 pm

    Thx for help,

    I figured out that switchport was not working, so I put it into trunk mode. Now it works fine.
    By the way: is there any chance that I configure failover or ISP redundancy on a single ASA5505? For example ISP#1 on interface Eth0/0 and ISP#2 on Eth0/1. If one fails, the other must become the route to 0.0.0.0 0.0.0.0. Any chance of that?

  40. BlogAdmin says

    February 3, 2011 at 4:24 pm

    Gio,

    For ISP redundancy connection check out the following link:

    https://www.networkstraining.com/cisco-asa-5500-dual-isp-connection/

  41. Ivan Luiz says

    February 4, 2011 at 11:31 pm

    Hi everyone,

    I have two networks on the same interface, but the second one is behind a router, so I set a static route on the ASA and some access-lists permitting all traffic. When I try to ping one host on LAN1 from LAN2 it doesn’t work. Can anybody give me a tip?

  42. BlogAdmin says

    February 5, 2011 at 9:55 am

    Ivan,

    Be more specific. Can you give us more details?

  43. Ivan Luiz says

    February 7, 2011 at 3:58 pm

    Hi BlogAdmin, thanks for answer!

    I have a topology like yours, shown at the top, so I want communication between those LANs (A and B) to pass through the ASA. Communication between those LANs, without passing through the ASA, already occurs. My problem begins when I try to use the ASA as a router.

    I can ping both networks from the ASA. I inserted an access-list to permit any traffic from and to both networks, but it doesn’t work yet.

    Regards,

    Ivan Luiz

  44. BlogAdmin says

    February 9, 2011 at 7:44 am

    Ivan,

    When you create two lans (security zones) on a Cisco ASA firewall, you need both an access-list and a “translation rule” between them in order to communicate. So, just an access-list is not enough. You need to see which security zone has the highest security level and configure a proper NAT rule between the two Lan networks.

  45. Ivan Luiz says

    February 9, 2011 at 7:45 pm

    Hi,

    Ok. I’ll try it.

    Thanks

  46. Ivan Luiz says

    February 10, 2011 at 10:25 pm

    Hi everybody,

    BlogAdmin, now it’s working!! Below I leave the resolution:

    static (inside,inside) source1 source1_again netmask 255.255.255.0
    static (inside,inside) source2 source2_again netmask 255.255.255.0

    Ex:
    static (inside,inside2) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
    static (inside2,inside) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

    Best regards,

  47. AC says

    February 15, 2011 at 12:18 am

    Networking noob alert incoming…
    I have very little experience with networking and few resources to contact, but am trying to learn how to set up 2 subnets using static routing. We have an ASA 5505. My network is similar to above (right hand side of ASA) where I have 2 LANs on different subnets (192.168.1.32/27 & 192.168.1.64/27) going into the ASA and need to be able to communicate between machines. I am currently unable to ping between machines (i.e. 192.168.1.36 -> 192.168.1.70), but can ping all from the ASA without issue. I have been trying to set up static routing but because I really don’t know what I am doing, I haven’t been able to make it work yet. Thanks in advance for comments/help.

  48. BlogAdmin says

    February 15, 2011 at 7:26 pm

    AC,

    Configure all machines with default gateway being the IP address of router on each segment. Then configure a default route on router pointing to the inside interface of ASA.

  49. Jimmy says

    February 20, 2011 at 10:31 am

    BlogAdmin:

    I have an ASA 5550 and I am trying to get my inside interface to pass traffic past it and onto the outside interface. Below is something similar to what I have set up:

    interface GigE0/3
    description gateway
    nameif inside
    security-level 100
    ip address 135.24.156.1 255.255.255.0

    interface GigE1/3
    description connection to internet
    media-type sfp
    nameif outside
    security-level 0
    ip address 135.24.127.62 255.255.255.252

    route outside 0.0.0.0 0.0.0.0 135.24.127.61

    I have tried quite a few things, but I’m at a loss. I am sure the answer is too easy, but my head is too far wrapped around the problem.

    Thank you for any assistance you can advise. Thank you.

    /r,

    Jimmy

  50. BlogAdmin says

    February 20, 2011 at 1:13 pm

    Jimmy,

    If the inside network is assigned public routable IP addresses, then the simplest thing to do is to disable NAT using “no nat-control”. This means that your ASA firewall will be working as a normal router with all firewall security still in place. Any inbound access (i.e from outside internet towards your internal network) will be controlled by an access control list that you will have to apply on the outside interface.

    Please let me know what ASA version you are running and if you indeed need NAT control or not.

  51. Lam says

    February 21, 2011 at 10:15 am

    hi everybody,

    Blogadmin:

    I have the same topology: LAN2 is 172.16.2.0/24, the web server is 172.16.2.2 (gateway: 172.16.2.1, on a layer 3 switch).
    But I can try to access from the internet (ASA outside IP: 192.168.1.2/24) IP 192.168.1.4 port 80 (translated to the web server 172.16.2.2).

    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 192.168.1.2 255.255.255.0
    !
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 172.16.1.1 255.255.255.0
    !
    access-list 101 extended permit tcp any host 192.168.1.4 eq www
    access-list 101 extended permit icmp any any
    access-list 103 extended permit tcp host 172.16.2.2 any eq www
    !
    nat (inside) 2 172.16.1.0 255.255.255.0
    global (outside) 2 192.168.1.5
    !
    static (inside,outside) tcp 172.16.2.2 www 192.168.1.4 www netmask 255.255.255.255
    !
    access-group 101 in interface outside
    access-group 103 in interface inside
    !
    route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
    route inside 172.16.2.0 255.255.255.0 172.16.1.2 1
    !
    end

    Thanks to all,
    Lam

  52. Lam says

    February 21, 2011 at 10:17 am

    Sorry, I cannot access from the internet (ASA outside IP: 192.168.1.2/24) IP 192.168.1.4 port 80 (translated to the web server 172.16.2.2).

  53. BlogAdmin says

    February 21, 2011 at 9:58 pm

    Lam,

    You are making a very common mistake that many people make. Your static NAT is not correct. You must change it to the following:

    static (inside,outside) tcp 192.168.1.4 www 172.16.2.2 www netmask 255.255.255.255

  54. Augusto says

    April 5, 2011 at 4:15 am

    Friend,
    I have a main site ASA 5505 as the default gateway of the network, inside 192.168.0.253/24, and have an MPLS router with IP 192.168.0.254 to connect to three branch offices with networks 192.168.2.0/24, 192.168.3.0/24 and 192.168.4.0/24.
    The machines at the main site that point to the default gateway 192.168.0.253 (the ASA) cannot access the machines at the branches.

    I cannot change the default gateway to the router because its speed is only 10 Mbps.
    How do I allow, through the ASA, all machines of the four networks to communicate?
    What commands do I use to do NAT?

    LOG ASA
    Access from 192.168.0.8 to HTTP 192.168.3.8
    6 Apr 04 2011 11:10:47 106015 192.168.0.8 192.168.3.8 Deny TCP (no connection) from 192.168.0.8/3011 to 192.168.3.8/80 flags RST on interface inside
    6 Apr 04 2011 11:10:26 302014 192.168.0.8 192.168.3.8 Teardown TCP connection 4551 for inside:192.168.0.8/3011 to inside:192.168.3.8/80 duration 0:00:24 bytes 0 TCP Reset-O
    6 Apr 04 2011 11:10:02 302013 192.168.0.8 192.168.3.8 Built inbound TCP connection 4551 for inside:192.168.0.8/3011 (192.168.0.8/3011) to inside:192.168.3.8/80 (192.168.3.8/80)

    7 Apr 04 2011 11:10:02 609001 192.168.3.8 Built local-host inside:192.168.3.8

    ASA-BIO# sh run
    : Saved
    :
    ASA Version 7.2(3)
    !
    hostname ASA
    domain-name
    enable password x
    names
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.0.253 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address 187.x 255.255.255.248
    !
    interface Ethernet0/0
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    switchport access vlan 2
    !
    passwd x encrypted
    ftp mode passive
    clock timezone BRST -3
    clock summer-time BRDT recurring 2 Sun Oct 0:00 3 Sun Feb 0:00
    dns server-group DefaultDNS
    domain-name
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group service SSH2 tcp
    port-object range 2264 2264
    access-list outside_access_in remark Libera ICMP
    access-list outside_access_in extended permit icmp any any
    access-list outside_access_in remark Libera TS
    access-list outside_access_in extended permit tcp any interface inside eq 3389
    access-list outside_access_in remark Libera SSH
    access-list outside_access_in extended permit tcp any any object-group SSH2
    access-list outside_access_in extended permit ip any any
    access-list outside_access_in extended permit esp any any log debugging
    access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.4.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm debugging
    mtu inside 1500
    mtu outside 1500
    ip audit signature 3040 disable
    ip audit signature 3041 disable
    ip audit signature 3042 disable
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-523.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    static (inside,inside) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
    static (inside,inside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
    access-group outside_access_in in interface outside
    route inside 192.168.3.0 255.255.255.0 192.168.0.254 1
    route inside 192.168.2.0 255.255.255.0 192.168.0.254 1
    route inside 192.168.4.0 255.255.255.0 192.168.0.254 1
    route outside 0.0.0.0 0.0.0.0 187.x 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    http server enable
    http 192.168.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sysopt connection timewait
    sysopt connection tcpmss 0
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer x
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    crypto isakmp enable inside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet 192.168.0.0 255.255.255.0 inside
    telnet 192.168.1.0 255.255.255.0 outside
    telnet 192.168.2.0 255.255.255.0 outside
    telnet 192.168.3.0 255.255.255.0 outside
    telnet 192.168.4.0 255.255.255.0 outside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    !

    !
    !
    username x password x encrypted privilege 15
    tunnel-group x type ipsec-l2l
    tunnel-group x ipsec-attributes
    pre-shared-key *
    peer-id-validate nocheck
    prompt hostname context
    Cryptochecksum:14b079939d0406ee314da0c47d14b237
    : end
    ASA-#

  55. BlogAdmin says

    April 5, 2011 at 4:05 pm

    You must change the default gateway for your internal PCs to be 192.168.0.254 (the router). Then you must configure a default route on the router to point to the ASA:

    ip route 0.0.0.0 0.0.0.0 192.168.0.253

  56. Miki says

    April 8, 2011 at 12:24 am

    Hi,

    I have a similar scenario and would appreciate your help.
    My DMZ (192.168.10.0/24, VLAN 10) and LAN (192.168.1.0/24, VLAN 1) are connected to ASA through 3COM 4200 switch, where I set ASA DMZ interface IP to 192.168.10.254, and ASA LAN interface to 192.168.1.254.
    I manage to ping ASA LAN interface from my workstation, which is in VLAN 1, default gateway 192.168.1.1. The problem is that I cannot ping 192.168.10.254 from the same workstation. IP routing is enabled on the switch.
    I hope you could help me to find where I went wrong…
    What static routes do I need on ASA?

    Thank you.

  57. Augusto says

    April 8, 2011 at 3:09 am

    Thanks for the reply, but I need another way.
    Is there no other way to solve this problem?
    I cannot change the default gateway of the LAN PCs from the ASA 192.168.0.253 (100 Mbps) to the router 192.168.0.254 (10 Mbps).
    If I do that, it causes a slow network.
    I cannot do so; I need another solution.

  58. BlogAdmin says

    April 11, 2011 at 12:34 pm

    Miki,

    As I explained in the post, if the networks are directly connected on the ASA, then you don’t need to configure a static route for them since the ASA device already knows about these networks. Your mistake is that the default gateway for your workstation is 192.168.1.1 instead of 192.168.1.254.

  59. Josh says

    April 23, 2011 at 9:06 am

    BlogAdmin
    I have a similar config to the diagram: a pair of ASA 5505s with the Plus license configured in active/passive mode. Two Juniper SA 4500 SSL devices are configured in active/passive mode also. The internal interface of each SA 4500 is connected to LAN 1 (10.1.95.0) of each ASA 5505 and the external interface is connected to the DMZ of each ASA.
    I can ping from LAN1 (10.1.95.0) to computers on LAN2, and from LAN 1 to the DMZ with static identity NAT. But I cannot connect from computers on LAN2 (10.1.10.0 and 10.1.11.0) to the DMZ (172.16.2.0). Are computers in LAN 2 and LAN 1 supposed to be able to connect to the DMZ (security level 50) by default? I have tried disabling/enabling “nat-control”; it would not help. What do I need to add to allow computers on LAN 2 to talk to servers on the DMZ?
    2. I also use this ASA for VPN (IP pool 10.1.225.0); when connected through the VPN, I can connect to LAN1 and the DMZ with:
    access-list inside_nat0_outbound extended permit ip 10.1.95.0 255.255.255.0 10.1.225.0 255.255.255.0
    access-list DMZ_nat0_outbound extended permit ip 172.16.2.0 255.255.255.0 10.1.225.0 255.255.255.0
    But I cannot ping or connect to any computers on the subnets on LAN2. Do I have to add this same access list for each of the subnets on LAN 2? Or is there another easy way to accomplish this?
    I have included both commands below in my config, but it would not help:
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface

    Thanks,
    Josh

  60. BlogAdmin says

    April 23, 2011 at 10:56 am

    Josh,

    For your first question, you need to create some sort of NAT (either PAT, or identity NAT) for your LAN2 networks in order to be able to access the DMZ. Just like you created an Identity NAT for LAN1, you can do the same with LAN2 networks (create identity NAT between inside–>DMZ but use the subnets of 10.1.10.0 and 10.1.11.0).

    For the second question, yes you add the subnets of lan2 to the same access lists as you did for lan1 and dmz subnets.

  61. Jasper says

    May 30, 2011 at 2:28 am

    Lots of great stuff in here. I am hoping you can help me as well! I am running across a similar issue but I can’t seem to figure it out the last couple of days and I’m pulling my hair out :)

    What I need to do is basically what your diagram at the top shows (no DMZ) and have lan2 reach lan1. I have a cisco asa 5505 with base license. The twist is that lan2 is a group of machines connected via openvpn (not my call, very tight budget, and was a working configuration previously with a basic firewall)

    The local network is 192.168.0.0/255.255.255.0

    Openvpn is running on address 192.168.0.3. The openvpn server has an IP of 192.168.20.1 and is allocating addresses to VPN clients in the 192.168.20.0/255.255.255.0 address range.

    All hosts on the VPN server LAN (192.168.0.1 – 192.168.0.254) need to be visible to the VPN clients.

    I have port forwarding working fine and I can connect to the openvpn server running on 192.168.0.3, and get an address of 192.168.20.2. I can ping 192.168.0.3 and 192.168.20.1 (same physical machine) from a VPN client. However I can’t ping any of the other machines on the network.

    A static route on the old firewall accomplished the task of allowing the VPN clients to ping all the machines on the local network. On the ASA it’s currently set up as:

    internal
    IP 192.168.20.0
    Netmask 255.255.255.0
    Gateway: 192.168.0.3

    But this does not seem to have any effect. The error I am getting in the firewall log when I try to ping from 192.168.20.2 to 192.168.0.10 for example is “regular translation creation failed for icmp”

    One thing I tried that had some effect was creating a persistent route on 192.168.0.10 to the openvpn server (route -p add 192.168.20.0 mask 255.255.255.0 192.168.0.2). This let me ping the openvpn server’s 192.168.20.1 address but not the vpn client on 192.168.20.2. Since this was a previously working openvpn configuration I’m pretty sure there’s something I need to do on the ASA but I can’t figure it out.

  62. BlogAdmin says

    May 30, 2011 at 1:12 pm

    Hi Jasper,

    Sorry but you confused me. At the beginning you say that openvpn server is 192.168.0.3 and then below that “The openvpn server has an IP of 192.168.20.1”.

    Please clarify again the network topology and the problem. I didn’t get it.

  63. Jasper says

    May 30, 2011 at 4:13 pm

    Hi, thanks for the reply and sorry about the confusion.

    The openvpn server on the local network is at address 192.168.0.3.

    The openvpn server gives out addresses to VPN clients in the 192.168.20.0/24 range. To the VPN clients, its address is 192.168.20.1.

    I guess you could say the openvpn server is like a router that has an external address of 192.168.0.3 and an internal address of 192.168.20.1.

    What I want to do is set up routing on the ASA to allow a VPN client that connects and gets an IP of 192.168.20.2 and gets a route of:

    IP 192.168.0.0
    Netmask 255.255.255.0
    Gateway: 192.168.20.1

    to reach the machines on the 192.168.0.0/24 network. It would also be great if I could also route traffic destined for the internet through the VPN, but that might be for another time :)

    Thank you,
    Jasper

  64. BlogAdmin says

    May 31, 2011 at 6:37 pm

    Jasper,

    What is the default gateway IP for the hosts on the 192.168.0.0/24 network? Try the following: configure a host (let’s say 192.168.0.10) with its default gateway being the IP of the VPN server (192.168.0.3). Then try with a VPN client to reach the host 192.168.0.10.

  65. Jasper says

    June 1, 2011 at 3:03 am

    Not the way I had it configured before (the default gateway for all the machines on the local network was 192.168.0.1)…but amazingly enough, that worked :)

  66. Jasper says

    June 1, 2011 at 3:04 am

    thank you!

  67. Borko says

    June 5, 2011 at 8:45 pm

    Dear BlogAdmin,

    Is it possible to use a Cisco ASA5505 (Security Plus license) with an L2 TP-Link switch (supporting 802.1Q) for inter-VLAN routing (ASA on a stick) and Internet access? I want to configure several VLANs on the switch, make a trunk port on the switch and connect it to a trunk port of the ASA5505. For each VLAN I will make a VLAN interface on the ASA which will be the default gateway for hosts in that VLAN. Also, I plan to connect the ASA to the Internet from one port which will be in a separate VLAN, and two ASA ports for servers in the DMZ (separate VLAN). Have you seen this configuration somewhere? Is this possible?

    Many thanks,
    Borko

  68. BlogAdmin says

    June 5, 2011 at 9:03 pm

    Borko,

    I have not seen this exact configuration in a real network, but it should work with no problems. For the ASA5505 (Security Plus license) you can have one physical port configured as a trunk port, and then you must configure layer 3 VLAN interfaces on the ASA with IP addresses, security levels etc.

    Example:

    interface Vlan10
    nameif zone10
    security-level 60
    ip address 192.168.10.1 255.255.255.0
    !
    interface Vlan20
    nameif zone20
    security-level 70
    ip address 192.168.20.1 255.255.255.0
    !
    interface Ethernet0/1
    description Trunk to Layer 2 Switch
    switchport trunk allowed vlan 10,20
    switchport mode trunk

    So you get the idea right?

  69. Borko says

    June 5, 2011 at 9:38 pm

    Dear BlogAdmin,

    This is exactly what I am trying to accomplish. I am working with higher ASA models and I know their capabilities, but I have never worked with the 5505. I have read the 8.4 configuration guide and it seems that it is possible, but I have to be sure because I have to know which hardware to buy.

    Thank you for help and example configuration.

  70. Pete says

    June 11, 2011 at 11:23 am

    Hi,

    I have an ASA5505 which I know has some restrictions in the base license. I’m not 100% sure though if my problem is caused by that or something else.

    I have set up the DMZ and, due to the license restrictions, have set it so that it cannot initiate connections to the inside interface.

    However, should machines on the inside interface (security 100) be able to connect to machines in the dmz (security 50) or is that restricted by the license?

    Basically I want to know if connections from inside -> dmz should work :-)

    Thanks in advance!

  71. BlogAdmin says

    June 11, 2011 at 1:41 pm

    Pete,

    Communication from inside to DMZ should work with no problems if you set up the proper NAT and access lists. So if you have a web server sitting in the DMZ, then hosts from your inside network should be able to access the web server even with the base license.

    Regards

    Harris

  72. Mamang says

    June 22, 2011 at 5:37 am

    Dear BlogAdmin,

    I have an existing PCS1 network with IP 172.31.34.0/255.255.255.0 tied in to DLAN 172.18.120.0/255.255.255.0 with the router interface 172.18.120.254 as gateway.
    These existing networks work fine. A new project is coming in and I have an extra PCS2 network with IP 172.31.39.0/255.255.255.0.
    PCS2 only has a Cisco 2960 switch with IP interface 172.31.39.21/255.255.255.0.
    I would like to tie this new network in to the existing one.

    I have a Cisco ASA 5510 in between the router at the existing network and PCS2.
    I have set up interface0/0 outside with IP 172.18.120.201/255.255.255.0 and interface0/1 inside 172.31.39.1/255.255.255.0.
    Added route outside 0.0.0.0 0.0.0.0 172.18.120.254 1

    The result:
    all IPs outside are able to ping the firewall outside interface (172.18.120.201)
    all IPs inside are able to ping the firewall inside interface (172.31.39.1)
    but traffic cannot go through from inside to outside or vice versa.

    Please advise on any configuration to make it work.

  73. BlogAdmin says

    June 28, 2011 at 8:01 am

    Mamang,

    To pass traffic through ASA firewall you need a few things in place:
    1) Nat (if needed)
    2) Access Lists
    3) Proper routing

    Have you configured the required NAT and ACLs?

  74. Thomas says

    July 8, 2011 at 2:09 pm

    I’ve got an ASA5505 with the IPsec Plus add-on and have some DMZs up and running. I have outside, inside#1, inside#2 and DMZ.
    Inside#1 has security level 100, Inside#2 has security level 90, DMZ has security level 50 and Outside has security level 0 of course.

    On my DMZ I have a backup server that gets backups from some clients on the outside, and I now want to get it to do backups from my Inside# networks too. I can connect to it, but it won’t send any files over it. It tries to do passive mode and just hangs there..

    any ideas ???

  75. BlogAdmin says

    July 8, 2011 at 6:38 pm

    Thomas,

    What protocol are you using for the backup service? Is it just FTP? Do you have the proper NAT translation between the DMZ and Inside zones? Please give me more information so that I can help.

  76. Kye says

    July 9, 2011 at 2:45 am

    Hi, I have got the same setup as indicated in the illustration above. I can ping Lan2 from Lan1, but a remote desktop connection to Lan2 fails. Could it be the firewall rules on the ASA? Please advise. Thank you.

  77. BlogAdmin says

    July 9, 2011 at 2:07 pm

    Kye,

    What is the default gateway of the hosts on Lan1? Is it the inside address of firewall? For testing, change the default gateway of one of your hosts on Lan1 and make it to be the router interface. Then try to access remote desktop on Lan2. If it works, then the problem is that the firewall can not redirect traffic from Lan1 back to Lan2.

  78. Kye says

    July 14, 2011 at 2:26 am

    Hi, thank you for your reply.
    The default gateway is the ASA; it is the inside address of the ASA firewall. Yes, I did that and it worked by changing the default gateway to the Lan2 router.
    When the default gateway is the ASA, I could not ping Lan2, but after ‘same-security-traffic permit intra-interface’ was enabled on the ASA, I could ping Lan2 but not make a remote desktop connection.

  79. BlogAdmin says

    July 14, 2011 at 6:51 am

    Kye,

    It will not work for RDP (or for any other TCP/UDP protocol). The ASA can not redirect the RDP traffic back to the Lan2 router.

  80. Kye says

    July 18, 2011 at 5:01 pm

    Hi, thank you for the reply.
    Could you advise me how to route the traffic from Lan1 to Lan2 in this case? Thank you in advance.

  81. BlogAdmin says

    July 19, 2011 at 7:45 am

    The only way that I know is to have the router as the gateway.

  82. Jerry says

    July 20, 2011 at 8:11 pm

    I would like to understand how an ASA5510 would handle the following:
    We have two independent networks (each supported by two 6509 cores, one as the gateway for all odd VLANs and the other as the gateway for all even VLANs) which we expect to link via four ASA5510s, two for each network, set up in what we hope will be a redundant mode, cross-connected through two 3750-12S switches (fiber). There will be two additional ASA5510s cross-connected to these switches (again redundant) that will create a DMZ for another series of servers/workstations. Finally, this DMZ will be linked to a “wild” network via a PIX firewall.

    Data must travel between the two independent networks. Additional data will need to travel from either independent network to the servers in the DMZ. We need to control access from “wild” to DMZ and from DMZ to the two networks. The two inside networks will NEVER be allowed to connect to the “wild” and vice versa.

    My questions are:
    Does this seem like a workable architecture?
    Is it overly complicated? We cannot tolerate a single point failure that blocks data flow.
    How will the firewalls respond to hardware failures (loss of route) in a dual connected system?
    Can they handle the route changes dynamically or do each need the full static route list to handle switchover?

    Any recommendations on route/gateway setup would be appreciated.

    I can supply a more detailed visio of the network if required.

    Thanks,
    Jerry

  83. BlogAdmin says

    July 21, 2011 at 7:31 am

    Jerry,

    I don’t have a clear picture in my head of the exact network topology that you want to establish. A diagram would be very helpful.

  84. Jerry says

    July 21, 2011 at 4:42 pm

    Thanks for the reply. I can’t seem to paste a copy of the diagram into this blog space. Any suggestions on how I can get the diagram to you for review?

    Thanks,
    Jerry

  85. Thomas says

    July 28, 2011 at 11:36 am

    Sorry for the late “reply” on my own question, I have been on vacation :-)
    The backup software uses port 2456 as a “handshake” and I get the confirmation that it’s connected and all is ok; then the transfer of the files itself goes on ports 1024-2048. So the “command port” is 2456 and the “data port range” is 1024-2048.

    I believe I have the NAT sorted since I can ping, and the “handshake” is working :-)

  86. BlogAdmin says

    July 29, 2011 at 7:54 am

    Thomas,

    It seems that the problem is that the backup traffic does not use fixed port numbers. This is very bad for a stateful firewall, which blocks such traffic. This is like FTP, which starts a handshake connection on port 21 and then sends data on port 20. The ASA has a special “inspect ftp” command to fix that problem for the FTP service. However, in your case the backup protocol you use may not be supported by ASA application inspection. What you can do is open up ports 1024 to 2048 on the access lists and also open up port 2456. That is a lot of ports to have open, but it may be the only solution.

  87. BlogAdmin says

    July 29, 2011 at 7:55 am

    Jerry,

    You can send me the diagram to: admin at tech21century.com

  88. Andrew says

    July 30, 2011 at 10:20 am

    Hi

    We have an ASA5520 that has multiple sub-interfaces. On one sub-interface I have two devices. One needs to FTP to the other. It opens the connection, but when the FTP server tries to respond, it sends it to the ASA instead of straight to the FTP client, and the ASA then drops it (deny tcp (no connection)). Any ideas as to why this would happen? It’s supposed to just talk directly to the client. The only thing I can think of is that the ASA is giving the wrong ARP response, giving its own IP address instead of the client’s address when getting an ARP query. Does this sound correct?

    Many thanks,

  89. BlogAdmin says

    August 1, 2011 at 8:53 am

    Andrew,

    If the two devices that you mention are sitting on the same VLAN and the same layer 3 subnet, they are not supposed to send any traffic to the ASA when they communicate with each other. The ARP assumption that you mention is not valid unless there is a serious malfunction on the ASA, which I don’t think is happening.

  90. Andrew says

    August 2, 2011 at 10:44 am

    Hi

    I have confirmed it again: the firewall gives its own MAC address as the ARP response for the server on the same VLAN. If I force a static ARP entry on the server, everything works as expected. Unfortunately this entry doesn’t survive a reboot and gives me unexpected results from time to time.

  91. Andrew says

    August 2, 2011 at 2:56 pm

    Ok, I think I have fixed it. Proxy ARP is apparently turned on by default under certain circumstances on some interfaces. It is possible to safely remove this if you do not hit one of the restrictions.

    https://supportforums.cisco.com/message/3136009

    Many thanks for your time.

  92. BooCo says

    August 31, 2011 at 3:31 pm

    Hi, I just wanted to say thanks. I had some router work done by a consultant and I figured I needed to set up a static route on my ASA afterwards, but I wasn’t totally sure. With your explanation and example I was able to get it right on the first try.
    Thanks Again!

  93. Andrey says

    September 13, 2011 at 9:44 am

    Hello. Sorry for my English (I’m from Russia). I have a configuration with 1 VLAN and 2 LANs. The LAN1 network is connected to the ASA 5505 directly by a switch. LAN2 is connected over MPLS with a router which is connected to the same switch. There is no VLAN configuration on the switch. All other devices are connected to the same switch. The MPLS router has its address in the same VLAN1. If necessary I can send a diagram of the network. I have made the configuration like yours (added a static route to LAN2 via the MPLS router) with the default traffic inspection settings. So ICMP is working between hosts in LAN1 and LAN2, but any other traffic doesn’t work.
    I can send the configuration of my ASA and of the MPLS router.
    If I use a Linksys RV082 instead of the ASA 5505 it works fine; if I use the ASA I have a problem with the other traffic.

  94. Andrey says

    September 13, 2011 at 12:29 pm

    Hello again. I have found a solution for my problem. I think this solution will help, for example, Augusto. The solution is described in this article:
    http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.pdf
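
    The log lines Augusto posted above (messages 302013, 302014 and 106015 for the same 192.168.0.8 -> 192.168.3.8 flow) are the signature of the problem behind both his thread and Kye's: the PC's default gateway is the ASA, so the SYN enters and leaves on the inside interface, but the branch server's reply goes straight back through the MPLS router and never crosses the firewall, so the ASA tears the connection down with 0 bytes and denies the rest of the flow with "no connection". The script below is an added example, not code from the original article or from the comments; it parses ASDM-style log lines and reports flows that match that signature. Its log format, the sample lines (copied from Augusto's post plus one constructed healthy flow for contrast) and the verdict it prints are this example's own assumptions; only the three message IDs are real ASA syslog IDs.

```python
"""Find the asymmetric-routing signature in Cisco ASA connection logs.

Added example; not code from the original article or its comments. A TCP
flow is flagged when all three hold: the 302013 'Built' message shows the
same ingress and egress interface, the 302014 'Teardown' reports 0 bytes,
and a 106015 'Deny TCP (no connection)' follows for the same 5-tuple. The
ASDM-style line format, the sample log and the verdict are assumptions of
this example; the message IDs are real ASA syslog IDs.
"""
import re
from collections import defaultdict

# Constructed sample: Augusto's three lines plus one healthy outbound flow.
SAMPLE_LOG = """\
6 Apr 04 2011 11:10:47 106015 192.168.0.8 192.168.3.8 Deny TCP (no connection) from 192.168.0.8/3011 to 192.168.3.8/80 flags RST on interface inside
6 Apr 04 2011 11:10:26 302014 192.168.0.8 192.168.3.8 Teardown TCP connection 4551 for inside:192.168.0.8/3011 to inside:192.168.3.8/80 duration 0:00:24 bytes 0 TCP Reset-O
6 Apr 04 2011 11:10:02 302013 192.168.0.8 192.168.3.8 Built inbound TCP connection 4551 for inside:192.168.0.8/3011 (192.168.0.8/3011) to inside:192.168.3.8/80 (192.168.3.8/80)
7 Apr 04 2011 11:10:02 609001 192.168.3.8 Built local-host inside:192.168.3.8
6 Apr 04 2011 11:12:10 302014 192.168.0.8 203.0.113.10 Teardown TCP connection 4552 for inside:192.168.0.8/3020 to outside:203.0.113.10/80 duration 0:00:05 bytes 18344 TCP FINs
6 Apr 04 2011 11:12:05 302013 192.168.0.8 203.0.113.10 Built outbound TCP connection 4552 for inside:192.168.0.8/3020 (198.51.100.2/3020) to outside:203.0.113.10/80 (203.0.113.10/80)
"""

# ASDM log line: severity, timestamp, message ID, source, destination, text.
LINE_RE = re.compile(
    r"^(?P<sev>\d)\s+(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2})\s+(?P<id>\d{6})\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<msg>.+)$")
# Per-message-ID parsers for the three connection-tracking messages we model.
DETAIL_RE = {
    "302013": re.compile(
        r"Built (?:inbound|outbound) TCP connection (?P<conn>\d+) for "
        r"(?P<in_ifc>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) \([\d./]+\) to "
        r"(?P<out_ifc>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) \([\d./]+\)"),
    "302014": re.compile(
        r"Teardown TCP connection (?P<conn>\d+) for "
        r"(?P<in_ifc>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) to "
        r"(?P<out_ifc>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
        r"duration (?P<duration>[\d:]+) bytes (?P<bytes>\d+)(?: (?P<reason>.+))?"),
    "106015": re.compile(
        r"Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
        r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>.+?) on interface (?P<ifc>\w+)"),
}


def parse_events(lines):
    """Return one dict per 302013/302014/106015 line; other IDs (e.g. the
    609001 'Built local-host' line) are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group("id") not in DETAIL_RE:
            continue
        d = DETAIL_RE[m.group("id")].search(m.group("msg"))
        if d:
            ev = m.groupdict()
            ev.update(d.groupdict())
            events.append(ev)
    return events


def flow_key(ev):
    return (ev["src"], ev["sport"], ev["dst"], ev["dport"])


def find_asymmetric_flows(lines):
    """Return {(src, sport, dst, dport): [evidence]} for flows that meet all
    three conditions of the hairpin / asymmetric-return signature."""
    by_flow = defaultdict(list)
    for ev in parse_events(lines):
        by_flow[flow_key(ev)].append(ev)
    findings = {}
    for flow, evs in by_flow.items():
        by_id = {e["id"]: e for e in evs}
        built, torn = by_id.get("302013"), by_id.get("302014")
        evidence = []
        if built and built["in_ifc"] == built["out_ifc"]:
            evidence.append(f"built {built['in_ifc']}->{built['out_ifc']}: hairpin on one interface")
        if torn and torn["bytes"] == "0":
            evidence.append(f"torn down after {torn['duration']} with 0 bytes ({torn.get('reason') or 'no reason'})")
        if "106015" in by_id:
            evidence.append("later segments denied 'no connection': replies bypassed the ASA")
        if len(evidence) == 3:
            findings[flow] = evidence
    return findings


if __name__ == "__main__":
    for flow, why in find_asymmetric_flows(SAMPLE_LOG.splitlines()).items():
        print("%s:%s -> %s:%s" % flow)
        for item in why:
            print("   ", item)
```

    Run against the sample it reports only the 192.168.0.8:3011 -> 192.168.3.8:80 flow, with all three pieces of evidence, and stays silent on the healthy outbound flow. The two remedies in this thread attack the same root cause from opposite ends: making the router the hosts' default gateway (BlogAdmin's answer to Augusto) keeps LAN1-to-LAN2 traffic off the ASA altogether, while the TCP state bypass feature Andrey links to makes the ASA accept one-sided flows. Bypass also switches off the stateful TCP checks and application inspection for whatever the class map matches, so scope it to the LAN1/LAN2 address pair rather than applying it globally.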

  95. BD says

    September 21, 2011 at 4:11 pm

    Hi Everybody out there.

    Well, I would like to share with you the following:
    I have configured my ASA 5520 V7… and everything is working properly but: from the inside or internal network, I can access the DMZ server running the www and email.
    I have tried all (the little) I know, and I should admit I’m very new to this industry, though I love it.

    Below is the sh run of my ASA.

    Can anyone please try to figure out for me why I can’t access or even ping from inside to the DMZ? As it is, our internal PCs won’t be able to access the www plus mail servers.

    I thank you all in advance.

    BD

  96. BlogAdmin says

    September 21, 2011 at 5:42 pm

    and where is the show run?

  97. BD says

    September 21, 2011 at 11:11 pm

    Hi BlogAdmin

    Im really sorry for that mistake..
    Following my question above, here is the sh run:

    ASA Version 7.0(8)
    !
    hostname ASA2
    domain-name xxxxxx
    enable password xxxxxx
    passwd
    names
    dns-guard
    !
    interface GigabitEthernet0/0
    description “Link-To-GW-Router”
    nameif outside
    security-level 0
    ip address 41.223.156.109 255.255.255.248
    !
    interface GigabitEthernet0/1
    description Link To Local Lan
    nameif inside
    security-level 100
    ip address 10.1.4.1 255.255.252.0
    !
    interface GigabitEthernet0/2
    description “Link-To-DMZ”
    nameif dmz
    security-level 50
    ip address 172.16.16.1 255.255.255.0
    !
    interface GigabitEthernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    shutdown
    no nameif
    no security-level
    no ip address
    !
    ftp mode passive
    access-list INSIDE extended permit ip 10.1.4.0 255.255.252.0 any
    access-list OUT-TO-DMZ extended permit tcp any host 41.223.156.107 eq smtp
    access-list OUT-TO-DMZ extended permit tcp any host 41.223.156.106 eq www
    access-list OUT-TO-DMZ extended permit icmp any any log
    access-list OUT-TO-DMZ extended deny ip any any
    access-list inside extended permit tcp any any eq pop3
    access-list inside extended permit tcp any any eq smtp
    access-list inside extended permit tcp any any eq ssh
    access-list inside extended permit tcp any any eq telnet
    access-list inside extended permit tcp any any eq https
    access-list inside extended permit udp any any eq domain
    access-list inside extended permit tcp any any eq domain
    access-list inside extended permit tcp any any eq www
    access-list inside extended permit ip any any
    access-list inside extended permit icmp any any
    access-list dmz extended permit ip any any
    access-list dmz extended permit icmp any any
    access-list DMZ_IN extended permit icmp any any echo
    access-list 101 extended permit icmp any any echo-reply
    access-list 101 extended permit icmp any any source-quench
    access-list 101 extended permit icmp any any unreachable
    access-list 101 extended permit icmp any any time-exceeded
    access-list cap extended permit ip 172.16.16.0 255.255.255.0 10.1.4.0 255.255.252.0
    access-list cap extended permit ip 10.1.4.0 255.255.252.0 172.16.16.0 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    no failover
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 10.1.4.0 255.255.252.0
    static (inside,dmz) 10.1.0.0 10.1.16.0 netmask 255.255.252.0
    access-group OUT-TO-DMZ in interface outside
    access-group inside in interface inside
    access-group dmz in interface dmz
    route outside 0.0.0.0 0.0.0.0 41.223.156.108 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map global_policy
    class inspection_default
    inspect dns maximum-length 512
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    inspect icmp
    !
    service-policy global_policy global
    Cryptochecksum:30d296dea4f5ffc1dd4560e075d47076
    : end

    Guys, on the other side I should honestly admit that I'm quite new to the Cisco ASA industry, but willing to go on a new adventure with these machines.

    Please, any single, simple (but big) help from you will really be highly and fully appreciated.

    Once again I thank you all in advance, guys.

    BD

  98. BlogAdmin says

    September 22, 2011 at 7:07 am

    BD,

    The problem is on the static NAT between inside and dmz. You must change that to the following:

    static (inside,dmz) 10.1.4.0 10.1.4.0 netmask 255.255.252.0

    Make the change above and let me know how it goes.

  99. BD says

    September 22, 2011 at 10:06 am

    Hi BlogAdmin,
    First of all, please allow me to thank you so much for your time and cooperation.

    Well, I'm on my way to the office and once there I will make the change and let you know.

    However, just to clarify regarding the command you gave me above: should I remove the previous one, I mean the static NAT which is there?

    Thanks, BD

  100. BlogAdmin says

    September 22, 2011 at 11:16 am

    Yes, you must remove the old static command.

  101. BD says

    September 22, 2011 at 4:53 pm

    Hi BlogAdmin,

    I have done exactly as per your advice,
    but still no ping or access from the inside zone to the DMZ.

    Basically, for the DMZ interface, E0/2 connects directly to a (normal) switch, and from this switch is where the 172.16.16.80 www and 172.16.17.25 email servers are.

    On the other side, just to clarify, I have a router before the ASA and below is the 2800 series router's sh run:

    GW-RTR#sh run
    Building configuration…

    Current configuration : 1481 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname GW-RTR
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200 warnings
    enable secret 5 $1$h.LH$3sc8ez.Vb62zHi86u1SYl1
    !
    aaa new-model
    !
    !
    !
    aaa session-id common
    clock timezone PCTime 0
    clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
    ip cef
    !
    !
    !
    !
    ip domain name tchipa.com
    ip name-server 8.8.8.8
    ip name-server 4.2.2.2
    ip name-server 66.110.119.2
    !
    !
    voice-card 0
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    username tchipa privilege 15 password 7 0010100E0D4B0A
    archive
    log config
    hidekeys
    !
    !
    !
    !
    !
    !
    !
    interface FastEthernet0/0
    description "Link-To-Angola-Telecom"
    ip address 66.110.122.126 255.255.255.252
    duplex auto
    speed auto
    !
    interface FastEthernet0/1
    description "Link-To-LocalLAN"$ES_LAN$
    ip address 41.223.156.108 255.255.255.248
    duplex auto
    speed auto
    !
    ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 66.110.122.125
    ip route 41.223.156.104 255.255.255.248 FastEthernet0/1 41.223.156.109
    !
    !
    ip http server
    ip http authentication local
    no ip http secure-server
    ip http timeout-policy idle 600 life 86400 requests 10000
    !
    !
    !
    !
    !
    control-plane
    !
    !
    !
    !
    !
    !
    !
    !
    banner motd ^C
    PLEASE DO NOT LOGIN YOU NOT AUTHORIZED ^C
    !
    line con 0
    password 7 09584D01101516
    logging synchronous
    line aux 0
    password 7 1403110305142B
    line vty 0 4
    privilege level 15
    logging synchronous
    transport input ssh
    !
    scheduler allocate 20000 1000
    end

    Any other idea, Master BlogAdmin, please? If only anyone knew how much I need this working; otherwise from next week my www and SMTP mail servers will be launched, and as anyone can imagine, my internal PCs won't be able to access them.

    Please, any help?

    BD

  102. BlogAdmin says

    September 23, 2011 at 7:12 am

    If you need access only from inside to dmz, you can configure PAT from inside to dmz interface.

    First remove the static NAT, and then do the following:

    global (dmz) 2 interface
    nat (inside) 2 10.1.4.0 255.255.252.0

  103. BD says

    September 23, 2011 at 3:16 pm

    Hi Admin,

    thanks for your reply.

    By the way, you mean I should remove this static:

    static (inside,dmz) 10.1.4.0 10.1.4.0 netmask 255.255.252.0

    and paste this one above:

    global (dmz) 2 interface
    nat (inside) 2 10.1.4.0 255.255.252.0

    right?

    And according to my router there's nothing that could stop or block any access, right?

    Thank you so much

    BD

  104. BD says

    October 6, 2011 at 9:01 pm

    Hi BlogAdmin,

    My apologies for not being able to give you feedback on your last reply to my questions, because I've been out for work at a place with no internet access. My problem was that my internal PCs cannot reach my DMZ.

    In your last reply you said I should remove this static: static (inside,dmz) 10.1.4.0 10.1.4.0 netmask 255.255.252.0, because when I pasted it, it still didn't work.

    So then you said, if my problem is just the communication between inside and DMZ, I should do this:

    First remove the static NAT, and then do the following:
    global (dmz) 2 interface
    nat (inside) 2 10.1.4.0 255.255.252.0

    Well, I did it. I pasted the global (dmz) 2 interface
    and when I pasted this: nat (inside) 2 10.1.4.0 255.255.252.0 it said duplicated entry. Result: my internal PCs still cannot access my server on the DMZ.

    Dear BlogAdmin, I'm really so desperate and sorry for that. So any other help, please?

    By the way, I have pasted my updated ASA sh run so you can have a better idea.

    :
    ASA Version 7.0(8)
    !
    hostname ASA2
    domain-name assembleia.ao
    enable password YVYn8G/3D1COct9U encrypted
    passwd YVYn8G/3D1COct9U encrypted
    names
    dns-guard
    !
    interface GigabitEthernet0/0
    description "Link-To-GW-Router"
    nameif outside
    security-level 0
    ip address 41.223.xx.xx 255.255.255.0
    !
    interface GigabitEthernet0/1
    description Link To Local Lan
    nameif inside
    security-level 100
    ip address 10.1.4.x 255.255.255.0
    !
    interface GigabitEthernet0/2
    description "Link-To-DMZ"
    nameif dmz
    security-level 50
    ip address 172.16.16.1 255.255.255.0
    !
    interface GigabitEthernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    shutdown
    no nameif
    no security-level
    no ip address
    !
    ftp mode passive
    access-list INSIDE extended permit ip 10.1.4.x 255.255.255.0 any
    access-list OUT-TO-DMZ extended permit tcp any host 41.223.xx.xx eq smtp
    access-list OUT-TO-DMZ extended permit tcp any host 41.223.xx.xx eq www
    access-list OUT-TO-DMZ extended permit icmp any any log
    access-list OUT-TO-DMZ extended deny ip any any
    access-list OUT-TO-DMZ extended permit tcp any host 41.223.xx.xx eq www
    access-list inside extended permit tcp any any eq pop3
    access-list inside extended permit tcp any any eq smtp
    access-list inside extended permit tcp any any eq ssh
    access-list inside extended permit tcp any any eq telnet
    access-list inside extended permit tcp any any eq https
    access-list inside extended permit udp any any eq domain
    access-list inside extended permit tcp any any eq domain
    access-list inside extended permit tcp any any eq www
    access-list inside extended permit ip any any
    access-list inside extended permit icmp any any
    access-list dmz extended permit ip any any
    access-list dmz extended permit icmp any any
    access-list DMZ_IN extended permit icmp any any echo
    access-list 101 extended permit icmp any any echo-reply
    access-list 101 extended permit icmp any any source-quench
    access-list 101 extended permit icmp any any unreachable
    access-list 101 extended permit icmp any any time-exceeded
    access-list cap extended permit ip 172.16.16.0 255.255.255.0 10.1.4.0 255.255.255.0
    access-list cap extended permit ip 10.1.4.0 255.255.255.0 172.16.16.0 255.255.255.0
    access-list nonat extended permit ip 10.1.4.0 255.255.255.0 172.16.16.0 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    no failover
    asdm image disk0:/asdm-508.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    global (dmz) 2 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 10.1.4.0 255.255.255.0
    nat (inside) 1 10.1.4.0 255.255.252.0
    static (dmz,outside) tcp 41.223.XX.XX www 172.16.16.80 www netmask 255.255.255.255
    static (dmz,outside) tcp 41.223.XX.XX smtp 172.16.16.25 smtp netmask 255.255.255.255
    access-group OUT-TO-DMZ in interface outside
    access-group inside in interface inside
    access-group dmz in interface dmz
    route outside 0.0.0.0 0.0.0.0 41.223.XX.XX 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    username tchipa password JUU.kVt2Und.Vd23 encrypted privilege 15
    http server enable
    http 10.1.4.0 255.255.255.0 inside
    http 10.1.6.0 255.255.255.0 inside
    http 10.1.7.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh 10.1.4.0 255.255.255.255 inside
    ssh 10.1.5.0 255.255.255.255 inside
    ssh 10.1.6.0 255.255.255.255 inside
    ssh 10.1.7.0 255.255.255.255 inside
    ssh timeout 5
    console timeout 0
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map global_policy
    class inspection_default
    inspect dns maximum-length 512
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    inspect icmp
    !
    service-policy global_policy global
    Cryptochecksum:1442681c2a378d10f026df4cf1005452
    : end

    Please help.

  105. BlogAdmin says

    October 7, 2011 at 8:30 pm

    Do the following:

    no nat (inside) 1 10.1.4.0 255.255.255.0
    no global (dmz) 2 interface
    global (dmz) 1 interface

  106. BD says

    October 10, 2011 at 7:38 pm

    Hi Dear BlogAdmin,

    I have proceeded exactly as you said,
    but unfortunately it still didn't work. Instead, after that I have no internet at all.

    All the inside PCs, or my entire network, have no internet connection. It fails automatically after that.

    How do I remove the above commands, please? I need the internet back, or to bring everything back as before, please.

    And as for my issue: any other clear idea why I'm not accessing my DMZ from the inside network?

    BD

  107. BlogAdmin says

    October 10, 2011 at 8:37 pm

    OK, you have sent me so many configurations that you got me confused.

    Put back the nat statements as below:

    nat (inside) 1 10.1.4.0 255.255.255.0
    global (outside) 1 interface
    global (dmz) 1 interface

    and remove the nat 0 command:

    no nat (inside) 0 access-list nonat

  108. BD says

    October 11, 2011 at 5:32 pm

    OK Dear BlogAdmin,

    I did exactly as in your above statement, and everything is back to normal. I mean the inside network can now access the internet again, and thank you so much for your precious time and cooperation, for being there as a great IT professional, and as well for sharing your vision. I thank you, Sir.

    By the way, the internal network still cannot reach my DMZ.
    Can anyone help according to the ASA 5520 v7 sh run, please?

    BD

  109. BD says

    October 19, 2011 at 11:16 am

    Hi dear BlogAdmin,

    As you may know, I'm still struggling to get my inside network to access or communicate with my DMZ.

    As I got another ASA 5520 for my test, I have configured the other ASA, and according to the configuration below, I have installed the EasyPHP web server on the server with 172.16.16.80, the www on the DMZ. So now, from the inside network I can access that page, but I don't get a successful ping, for instance, to that same server with 172.16.16.80, even though I can access the web server on it through the EasyPHP application.

    The other thing is that I don't have an internet connection on my DMZ, I mean the servers with 172.16.16.80 (the www) and 172.16.16.25 (the email server).

    However, my concern is: does it really mean that my inside network is communicating with the DMZ now?
    How do I enable real ping? Is there any command to enable ping?

    Dear BlogAdmin, according to my config below, can you recheck it for me in case I have missed anything else?

    Why am I not getting a successful ping to the DMZ, but I can open the web server I have installed on the server on the DMZ? Why am I not getting internet on the DMZ? Can you please help?
    What other real test should I make to be sure I'm reaching my DMZ, since right now I don't have the www and SMTP email server running yet?

    Dear BlogAdmin, I should always thank you so much for your time and cooperation, and remember that any single help from you will be highly appreciated.

    Thanks in advance:

    ciscoasa(config)# sh run
    : Saved
    :
    ASA Version 7.0(8)
    !
    hostname ciscoasa
    domain-name parlamento.ao
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    dns-guard
    !
    interface GigabitEthernet0/0
    description Link to Gateway
    nameif outside
    security-level 0
    ip address 41.223.156.109 255.255.255.248
    !
    interface GigabitEthernet0/1
    description Link to Local Lan
    nameif inside
    security-level 100
    ip address 10.1.4.1 255.255.252.0
    !
    interface GigabitEthernet0/2
    description Link to dmz
    nameif dmz
    security-level 50
    ip address 172.16.16.1 255.255.255.0
    !
    interface GigabitEthernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    shutdown
    no nameif
    no security-level
    no ip address
    !
    ftp mode passive
    access-list outside_in extended permit tcp any host 41.223.156.106 eq smtp
    access-list outside_in extended permit tcp any host 41.223.156.107 eq www
    access-list dmz_int extended permit tcp host 172.16.16.25 any eq smtp
    access-list dmz_int extended permit tcp host 172.16.16.80 any eq www
    access-list outside_int extended permit tcp any host 41.223.156.106 eq smtp
    access-list outside_int extended permit icmp any any
    access-list INSIDE extended permit ip 10.1.4.0 255.255.252.0 any
    access-list OUT-TO-DMZ extended permit icmp any any log
    access-list OUT-TO-DMZ extended deny ip any any
    access-list inside extended permit tcp any any eq pop3
    access-list inside extended permit tcp any any eq smtp
    access-list inside extended permit tcp any any eq ssh
    access-list inside extended permit tcp any any eq https
    access-list inside extended permit udp any any eq domain
    access-list inside extended permit tcp any any eq domain
    access-list inside extended permit tcp any any eq www
    access-list inside extended permit ip any any
    access-list inside extended permit icmp any any
    access-list dmz extended permit ip any any
    access-list dmz extended permit icmp any any
    access-list DMZ_IN extended permit icmp any any echo
    access-list 101 extended permit icmp any any echo-reply
    access-list cap extended permit ip 172.16.16.0 255.255.255.0 10.1.4.0 255.255.252.0
    access-list cap extended permit ip 10.1.4.0 255.255.252.0 172.16.16.0 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    no failover
    asdm image disk0:/asdm-508.bin
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    global (dmz) 1 interface
    nat (inside) 1 10.1.4.0 255.255.252.0
    static (inside,dmz) 10.1.4.0 10.1.4.0 netmask 255.255.252.0
    static (dmz,outside) 41.223.156.106 172.16.16.25 netmask 255.255.255.255
    static (dmz,outside) 41.223.156.107 172.16.16.80 netmask 255.255.255.255
    access-group dmz_int in interface dmz
    access-group inside in interface inside

    route outside 0.0.0.0 0.0.0.0 41.223.156.108 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    username tchipa password JUU.kVt2Und.Vd23 encrypted privilege 15
    aaa authentication ssh console LOCAL
    http server enable
    http 10.1.4.100 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh 10.1.4.100 255.255.255.255 inside
    ssh timeout 10
    console timeout 0
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map global_policy
    class inspection_default
    inspect dns maximum-length 512
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    inspect icmp
    !
    service-policy global_policy global
    Cryptochecksum:48ba8cf4e31f2940e44293256d84ce38
    : end

    BD

  110. BlogAdmin says

    October 19, 2011 at 11:54 am

    If you access the web server from inside, it means that the inside communicated with dmz just fine. Pinging is not a reliable way to say if you have communication or not. Accessing real services (such as HTTP) is what proves that you actually have proper communication.

    To allow ping you must allow icmp echo-reply on the dmz_int access-list. Also, to allow internet access from the dmz, you must allow DNS udp 53 on the dmz_int access list as well.

  111. BD says

    October 27, 2011 at 10:51 pm

    Hi Dear BlogAdmin,

    Well, I'm really sorry for my insistence or for being so hard to understand. But one thing is for sure: since I started writing to you, I've been improving my skills as far as the ASA appliance is concerned.

    Well, as I said before and as you know, I was having a problem with my internal users who could not access my DMZ zone. But now, with the above sh run config (still the latest), it seems I can reach my DMZ zone, specifically the server with IP 172.16.16.80 for www, as I have installed the EasyPHP web server on this server, and from the inside PC or network (10.1.4.x) I can access that web server through the browser at 172.16.16.80:8080 and it opens that web server.

    So now the problem is: the server on the DMZ doesn't have internet access. Could you please help me with the right config command (access list) that will allow the server on the DMZ to have internet? Please.

    On the other side, from the outside, or internet, I tried to reach that server on the DMZ through its private or translated IP address, so through the browser I typed 41.223.156.106:8080, or even without the 8080, but I couldn't reach that web page on the server on the DMZ.

    Could you please help me find out why I'm not accessing my server on the DMZ? Please.

    Dear Admin, please forgive me as I'm still too young and just learning about the security appliance. Remember your help could be so vital and could make such a big impact.

    I thank you in advance.

    BD

  112. BlogAdmin says

    October 29, 2011 at 9:17 am

    BD,

    Assuming you have the configuration you have posted above, you will need to allow DNS protocol on the dmz_int access list as below:

    access-list dmz_int extended permit udp host 172.16.16.80 any eq 53

    Also, to access the web server on port 80 from outside, you need to create a static NAT command between dmz and outside ( something that you have done already) and also allow port 80 on the outside acl (which you have done already as well). The problem is that you have not attached the outside_in acl on the outside interface:

    access-group outside_in in interface outside

    After you do the above, you will be able to access the web server via 41.223.156.107 (on port 80 though, NOT on 8080)

    OK??
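
    The fault diagnosed in the reply above (an ACL that exists but was never bound to its interface) is easy to miss by eye in a long sh run. The following Python audit is an added example, not code from the original post and not a Cisco tool: it reads a pre-8.3 style ASA config and reports access-group lines that name an undefined ACL, ACLs that are defined but never referenced by access-group or by nat 0 access-list, and nat/global ids that do not pair up (nat id 0 is NAT exemption and needs no global, so it is excluded). The sample config is constructed, modelled on the ASA 7.0 configs posted in this thread; the regexes assume the default ASA syntax and ignore ACLs used only by capture.

```python
"""Dangling-reference audit for pre-8.3 style Cisco ASA configs (added example)."""
import re
from collections import defaultdict

# Named ACL definition line, e.g. "access-list dmz_int extended permit ..."
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended|standard|remark)\b")
# ACL bound to an interface, e.g. "access-group outside_in in interface outside"
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(?:in|out)\s+interface\s+(\S+)")
# "nat (iface) <id> ..." with the optional "access-list NAME" form of nat 0
NAT_RE = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)(?:\s+access-list\s+(\S+))?")
# "global (iface) <id> ..."
GLOBAL_RE = re.compile(r"^global\s+\((\S+)\)\s+(\d+)")

# Constructed sample in the style of the ASA 7.0 configs posted above.
SAMPLE_CONFIG = """
access-list outside_in extended permit tcp any host 41.223.156.106 eq smtp
access-list outside_in extended permit tcp any host 41.223.156.107 eq www
access-list dmz_int extended permit tcp host 172.16.16.25 any eq smtp
access-list dmz_int extended permit tcp host 172.16.16.80 any eq www
access-list inside extended permit ip any any
access-list nonat extended permit ip 10.1.4.0 255.255.252.0 172.16.16.0 255.255.255.0
global (outside) 1 interface
global (dmz) 2 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.1.4.0 255.255.252.0
access-group dmz_int in interface dmz
access-group inside in interface inside
access-group OUT-TO-DMZ in interface outside
"""


def audit(config_text):
    """Return a dict of findings; every list is sorted so results are stable."""
    defined = set()                 # ACL names that have at least one entry
    bound = {}                      # ACL name -> interface it is applied on
    referenced = set()              # ACL names used by access-group or nat 0
    nat_ids = defaultdict(set)      # nat id -> source interfaces
    global_ids = defaultdict(set)   # nat id -> exit interfaces with a global

    for raw in config_text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            defined.add(m.group(1))
            continue
        m = GROUP_RE.match(line)
        if m:
            bound[m.group(1)] = m.group(2)
            referenced.add(m.group(1))
            continue
        m = NAT_RE.match(line)
        if m:
            iface, nat_id, acl = m.groups()
            nat_ids[nat_id].add(iface)
            if acl:                 # nat 0 access-list NAME counts as a use
                referenced.add(acl)
            continue
        m = GLOBAL_RE.match(line)
        if m:
            global_ids[m.group(2)].add(m.group(1))

    return {
        # access-group names an ACL that has no entries: traffic on that
        # interface is governed by a list that does not exist
        "undefined_bound": sorted(n for n in bound if n not in defined),
        # ACL written but never applied: the rules are not in effect
        "unreferenced_acls": sorted(defined - referenced),
        # nat id with no global anywhere (id 0 is exemption, skipped)
        "nat_without_global": sorted(i for i in nat_ids
                                     if i != "0" and i not in global_ids),
        # global id with no nat statement feeding it
        "global_without_nat": sorted(i for i in global_ids if i not in nat_ids),
    }


if __name__ == "__main__":
    for finding, names in audit(SAMPLE_CONFIG).items():
        print(f"{finding}: {names or 'none'}")
```

    Run against the sample, the audit flags outside_in as defined but never applied, OUT-TO-DMZ as applied but undefined, and global id 2 as having no nat statement, which is exactly the combination this thread spent several posts untangling.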

  113. Ivan says

    August 25, 2014 at 8:06 pm

    BlogAdmin,
    You have stated:
    “For option 2): Leave all layer 3 functionality on the switch (SVI interfaces) and then configure another vlan connecting the switch with one internal interface of the ASA (e.g subnet 10.0.0.x – just as you suggest also). Then you have to configure one default route on the switch: ip route 0.0.0.0 0.0.0.0 10.0.0.1 (assume ASA internal IP is 10.0.0.1). For this option, you will NOT have any problems on the ASA by configuring object groups for networks that are not directly connected on the ASA. e.g if one internal vlan has subnet 10.1.1.x, then you can configure a network object on the ASA for network range 10.1.1.x with no problems. Then you can do NAT on the ASA for that network as normally you would do for a directly attached subnet. ”

    If I have a VLAN192 that has 192.168.0.x /24 what static nat and access list would I have to setup on the ASA to expose a web server? Basically the Vlan192 is managed by the layer3 switch and the ASA does not have an interface directly connected to it. The traffic has to go through the switch. I managed to get the VLAN192 to reach the internet by doing nat on the IPs, but I can’t get an external IP address on the ASA to map to an internal IP address on the VLAN192 and pass traffic through the ASA.

  114. BlogAdmin says

    August 25, 2014 at 8:19 pm

    Ivan,
    To achieve that you need to configure static NAT on ASA between “inside” and “outside” even if vlan192 is not directly connected on the ASA. Since traffic from vlan192 will reach the “inside” interface of ASA, it will be statically NATed to outside interface. This is the only way to expose an inside host to the outside world (if you are using NAT).

  115. Matteo says

    November 2, 2014 at 4:05 pm

    Hi BlogAdmin,
    I have a situation like the one you describe that doesn't work on an ASA 5505.
    I need to connect a branch office through 2 layer 3 switches (one in the head office and one in the branch office).
    The head office layer 3 switch with IP 192.168.100.249 is connected directly to an ASA port.
    After setting a static route: "route inside 10.0.8.0 255.255.255.0 192.168.100.249", where 10.0.8.0 is the branch office network,
    and also setting the ACL "access-list in-acl extended permit ip 192.168.100.0 255.255.255.0 10.0.8.0 255.255.255.0"
    and "access-list in-acl extended permit ip 10.0.8.0 255.255.255.0 192.168.100.0 255.255.255.0",
    I'm not able to reach the head office network. I can ping the ASA and the head office layer 3 switch interface, but the PCs don't answer.
    From the ASA CLI I can ping the branch office network.

    Do you have suggestions?

    Thanks
    Matteo

  116. BlogAdmin says

    November 2, 2014 at 7:56 pm

    Matteo,
    This is a problem I had encountered in the past as well. It is because the default gateway of the PCs in head office is the ASA internal IP. So when you ping a PC in head office from the branch office, the ICMP REPLY packets from the PC goes to ASA internal interface. The ASA does not allow redirection of traffic back out its same interface by default.

    One way to mitigate this is to configure the PCs in head office to have as default gateway the L3 switch (192.168.100.249) and then configure a default route on the L3 switch to point to the ASA inside IP. So the PCs will have internet access and also be able to reach the branch hosts.

  117. Matteo says

    November 3, 2014 at 11:39 pm

    BlogAdmin,
    yes, what you suggest is my plan B,
    but if I understand well, the command same-security-traffic permit intra-interface should allow the traffic in and out on the same interface, or not?

  118. BlogAdmin says

    November 4, 2014 at 7:55 am

    Yes that’s correct, but I haven’t tried it to tell you for sure if it will work. Give it a shot and let me know.

  119. Mike says

    June 17, 2015 at 7:51 am

    Thank you for your time. I have a Cisco 5510 and my goal is to route specific traffic from the internet to specific web servers on the inside interface while employing VLAN tags. The traffic will be coming in on an IPsec tunnel from a non-Cisco device. Thus due to compatibility issues, I want to route the tunnel through the ASA (punch a hole) into a VLAN to get to its ultimate endpoint on a web server where the IPsec tunnel will end. I want the IPsec tunnel to pass through the ASA. The ASA doesn’t seem to play nice with IPsec between a non-Cisco and Cisco product. My thinking is that if I can VLAN tag the incoming traffic, then I can let the VLAN tags get the IPsec tunnel traffic to where it needs to go at its ultimate endpoint where it will be de-encapsulated and read.

    For example, a flow like this:
    Internet traffic from 64.x.x.x in tunnel -> ASA outside interface 72.x.x.x -> ASA inside interface 0/1 vlan 10 with IP 192.168.1.1 255.255.255.0 -> L2 switch (trunked to ASA) -> VMware vSphere vSwitch (trunked to L2 switch) -> virtual machine host at 192.168.1.1 (web server) and then back out to internet.

    And then:
    Internet traffic from 68.x.x.x -> ASA outside interface 72.x.x.x -> ASA inside interface 0/1 vlan 20 with IP 192.168.2.1 255.255.255.0 -> L2 switch (trunked to ASA) -> VMware vSphere vSwitch (trunked to L2 switch) -> virtual machine host at 192.168.2.1 (web server) and then back out to internet.

    and so forth…

    I have done this successfully when employing IPsec tunnels between a remote Cisco ASA across the internet to another Cisco ASA in front of the infrastructure I mentioned above. However, I am not sure where to start when trying to do it with non-Cisco equipment. I only want to allow in the specific tunnels I have set up.

    Thanks in advance for any help you can provide.

  120. BlogAdmin says

    June 17, 2015 at 11:54 am

    Hi Mike,

    In order to achieve the above, you must create a static NAT mapping in order to make the internal web server (192.168.1.1) visible on the internet. You must create a static NAT mapping between a public IP (let’s call it 72.1.1.1) and the private IP of the webserver (192.168.1.1). Then, the other site (non-Cisco device) must communicate with the public IP (72.1.1.1) for its IPSEC end-point peer.

    You must also configure an ACL applied on the outside interface of ASA in order to allow the IPSEC protocols to come in. These protocols are UDP 500, AH, ESP.

    Please let me know if you need more details.

    Harris

  121. Ben Pipilyo says

    June 9, 2016 at 7:04 am

    Hi BlogAdmin,

    I have a similar setup as your diagram above except the IP addresses and the internal router. Instead of the internal router, I have an HP 2920 switch which acts as an L3 switch and does all the inter-VLAN routing. Vlan1 subnet (192.168.100.0/24) is directly connected to the ASA's inside interface 192.168.100.2. So devices on that vlan1 can go out to the internet fine. The second vlan104 subnet (192.168.104.0/24) cannot go out the ASA although I have the routes. Vlan104 can ping as far as the core switch (HP 2920). The 2 VLANs can ping across each other fine.

    Sir, I desperately need assistance from you. THANK YOU!!!

    Here is the ASA config…

    ASA Version 9.1(2)
    !
    hostname ngcbFW2016
    domain-name pngngcb.local
    enable password 3hN7jFemnOzlCoGu encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    names
    !
    interface GigabitEthernet0/0
    description Outside Interface
    nameif outside
    security-level 0
    ip address 10.15.1.13 255.255.255.252
    !
    interface GigabitEthernet0/1
    description Inside Interface
    nameif inside
    security-level 100
    ip address 192.168.100.2 255.255.255.0
    !
    domain-name pngngcb.local
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network inside-outside
    subnet 192.168.100.0 255.255.255.0
    description Inside LAN to Outside
    object network 192.168.100.5
    host 192.168.100.5
    description mail-server
    object network 192.168.100.103
    host 192.168.100.103
    description mail-server
    object network 192.168.100.3
    host 192.168.100.3
    description server
    object network vlan104
    subnet 192.168.104.0 255.255.255.0
    object-group service DM_INLINE_SERVICE_1
    service-object icmp echo
    service-object icmp6 echo
    access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
    access-list inside_access_in remark NGCB Server – Mail & File Server
    access-list inside_access_in extended permit ip object 192.168.100.5 any
    access-list inside_access_in extended permit ip host 192.168.100.102 any
    access-list inside_access_in extended permit ip host 192.168.100.111 any
    access-list inside_access_in extended permit ip host 192.168.104.11 any
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    !
    object network inside-outside
    nat (inside,outside) dynamic interface
    nat (inside,outside) dynamic interface
    object network vlan104
    nat (inside,outside) dynamic interface
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 10.15.1.14 1
    route inside 192.168.104.0 255.255.255.0 192.168.100.9 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 192.168.100.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh timeout 5

    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect ip-options
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    inspect icmp
    !

  122. Harris Andrea says

    June 9, 2016 at 9:16 am

    Ben,

    Some troubleshooting recommendations:

    1) Can you ping ASA inside (192.168.100.2) from vlan104 subnet?
    2) Allow all IP traffic on ACL “inside_access_in” to make sure it's not an ACL blocking issue.

  123. Sur says

    December 20, 2021 at 12:45 pm

    The following statement is used on the Cisco website for static route connectivity. My question is: how can one interface be connected to 3 gateways?

    “You can define up to three equal cost routes to the same destination per interface. Equal-cost multi-path (ECMP) is not supported across multiple interfaces. With ECMP, the traffic is not necessarily divided evenly between the routes; traffic is distributed among the specified gateways based on an algorithm that hashes the source and destination IP addresses.”

  124. Harris Andrea says

    December 20, 2021 at 2:32 pm

    Sur, if the outside interface (for example) is connected to a switch in the same VLAN as the 3 gateways, then you can have a common subnet between this outside interface and the 3 gateways. For example, assume the outside common subnet is 192.168.1.0/28; then the ASA interface can be 192.168.1.1 and the gateways can be .2, .3, .4 in the same subnet.
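
    The topology from the reply above, written out as ASA configuration. This is an added example, not configuration from the article or from any commenter; it assumes the addresses given in the reply (outside subnet 192.168.1.0/28, ASA at .1, gateways at .2, .3 and .4) and an outside interface named GigabitEthernet0/0. The `sla monitor`/`track` part is optional and goes beyond the reply: it removes a route whose gateway stops answering so traffic is hashed only across the remaining gateways.

```text
! Added example (not from the article or the comment thread).
! Assumed addressing, taken from the reply: 192.168.1.0/28, ASA = .1,
! gateways = .2 .3 .4, all on the same VLAN as the outside interface.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.1.1 255.255.255.240
!
! Three static routes to the same destination (0.0.0.0/0) on the SAME
! interface with the same administrative distance (1). The ASA installs
! all three; per flow, it hashes source/destination IP to pick a gateway.
! With different distances they would instead become backup routes.
route outside 0.0.0.0 0.0.0.0 192.168.1.2 1
route outside 0.0.0.0 0.0.0.0 192.168.1.3 1
route outside 0.0.0.0 0.0.0.0 192.168.1.4 1
!
! Optional: tie the route for gateway .2 to an ICMP reachability probe
! (assumed object ids 1). If .2 stops answering, the ASA withdraws that
! route and flows hash only across .3 and .4. Repeat with ids 2 and 3
! for the other two gateways.
sla monitor 1
 type echo protocol ipIcmpEcho 192.168.1.2 interface outside
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route outside 0.0.0.0 0.0.0.0 192.168.1.2 1 track 1
!
! Verification: the routing table should list all three next hops under
! the default route, and each gateway should answer from the ASA itself.
show route
ping 192.168.1.2
ping 192.168.1.3
ping 192.168.1.4
```

    This stays within the article's recommendation of static routing only: nothing about the inside topology is advertised to the three outside gateways.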

  125. Sur says

    December 21, 2021 at 3:31 am

    Thanks Harris for the quick reply.

    What is the design use case for such a topology? Would one gateway not be sufficient, so that all the ASA traffic can be routed with a default route?

    Thanks again for your time

  126. Harris Andrea says

    December 21, 2021 at 6:33 am

    The design use case is usually in big internal networks where you have multiple Layer 3 switches (or routers) acting as default gateways for an internal ASA firewall.

  127. sur says

    December 21, 2021 at 8:00 am

    Thanks a lot Harris.
