ASA 5505 - Routing question

[VanZenden]

Hi all,

I'm a newbie for Cisco, and I have question how route to traffic betwen two subnets (in my example betwen VLAN1 and 33). I've added two routes:

route inside 172.16.0.0 255.255.255.0 192.168.8.1 1
route sales 192.168.0.0 255.255.255.0 172.16.200.1 1

but it doesn't work. Can anyone assist me?
Thanks in advance...




ciscoasa(config)# show run
: Saved
:
ASA Version 7.2(4)30
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 1K2oIYvXKgScGpA9 encrypted
passwd ywL5eNY/yDiP2dof encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.8.1 255.255.255.0
ospf cost 10
!
interface Vlan2
mac-address 0034.55ed.39ae
nameif outside
security-level 0
ip address dhcp setroute
ospf cost 10
!
interface Vlan33
description Sales
no forward interface Vlan2
nameif sales
security-level 0
ip address 172.16.200.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 33
!
interface Ethernet0/7
!
boot system disk0:/asa724-30-k8.bin
boot system disk0:/
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list inside_access_out extended permit ip any any
access-list outside_access_out extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq 55512
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu avaya 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 55512 192.168.8.10 55512 netmask 255.255.255.255
no threat-detection statistics tcp-intercept
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
route inside 172.16.0.0 255.255.255.0 192.168.8.1 1
route outside 0.0.0.0 0.0.0.0 212.x.x.1 1
route sales 192.168.0.0 255.255.255.0 172.16.200.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
http server enable
http 192.168.8.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.8.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.8.10 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
!
dhcpd address 192.168.8.80-192.168.8.89 inside
dhcpd enable inside
!
username useraccess password 9UIVSWIp7g..yY9. encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:f2d0f03c3fe9d52c48b1dc022c348483
: end
ciscoasa(config)#

 

[North323]

cause your route outside 0.0.0.0 includes those subnets you indicated in 'inside'
route inside 172.16.0.0 255.255.255.0 192.168.8.1 1
route outside 0.0.0.0 0.0.0.0 212.x.x.1 1
route sales 192.168.0.0 255.255.255.0 172.16.200.1 1

172.16.0.0 falls under 0.0.0.0 and your cost of the routes are all (1)


best way to do that is use policy based routing

 

[VanZenden]

can you tell how to do that?

 

[North323]

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a008009481d.shtml

 

[VinceWhirlwind]

North323: What are you on about?

VanZenden: The routes on my ASAs always point to the neighbour, not the local interface - maybe try changing that?

 

[Supergrrover]

Ok, put the crack pipes down...

VLANs are attached to interfaces of the ASA. You do not need the routing statements. The ASA knows about directly attached networks. Remove all of the routes but the

route outside 0.0.0.0 0.0.0.0 212.x.x.1 1

The ASA will allow all traffic from a higher security interface to a lower security interface. The converse is not true. You will need specific access-lists and NAT mappings to allow traffic initiated from the lower security interface to the higher interface.

Delete all of these -
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside

What specific traffic do you want to allow from sales to inside?

Here is what I said but with specific commands -

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fc191.shtml

Hope this helps.
Good luck.








Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[VinceWhirlwind]

Ah - I see - When I glanced at this I saw his ASA has no interfaces in either of the subnets he is trying to route to:
route inside 172.16.0.0 255.255.255.0
route sales 192.168.0.0 255.255.255.0

His local interfaces are:
ip address 192.168.8.1 255.255.255.0
&
ip address 172.16.200.1 255.255.255.0

...but then I realised the two routes are complete nonsense anyway.

VanZenden: Get rid of those two lines, and then do a show ip route. This will show you what those two lines should look like, *if* you had to put them in, which you don't.

 

[North323]

so I'm not smokin crak?

 

[VanZenden]

Thanks guys for replies, I'll try your recommendations ASAP.

 

[Supergrrover]

yeah, the routes are all off. PBR would work but I think it is overkill and over-complicated. The easier solution is to block traffic at the interface with an ACL and/or let the security levels do their thing.

Let us know how it goes.


Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[VanZenden]

I've done everything (I think) you said. Also I have set same security level to both interfaces (VLAN 1 and 33) to enable traffic between them (command: same-security-traffic permit inter-interface).
What I am trying to achive is to have commucation between VLAN 1 (IP-PBX and HTTP server) and VLAN 33 (IP phones H.323).

Still doesn't work ...

From documentation:
By default, interfaces on the same security level cannot communicate with each other. Allowing
communication between same security interfaces lets traffic flow freely between all same security
interfaces without access lists.

Have i done anything wrong?



ASA Version 7.2(4)30
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 1K2oIYvXKgScGpA9 encrypted
passwd ywL5eNY/yDiP2dof encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.8.1 255.255.255.0
ospf cost 10
!
interface Vlan2
mac-address 0034.55ed.39ae
nameif outside
security-level 0
ip address dhcp setroute
ospf cost 10
!
interface Vlan33
description avaya ip phone
no forward interface Vlan2
nameif avaya
security-level 100
ip address 172.16.200.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 33
!
interface Ethernet0/6
switchport access vlan 33
!
interface Ethernet0/7
!
boot system disk0:/asa724-30-k8.bin
boot system disk0:/
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu avaya 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
no threat-detection statistics tcp-intercept
route outside 0.0.0.0 0.0.0.0 213.143.68.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
http server enable
http 192.168.8.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.8.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.8.10 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
!
dhcpd address 192.168.8.80-192.168.8.89 inside
dhcpd option 3 ip 192.168.8.1 interface inside
dhcpd enable inside
!
dhcpd address 172.16.200.10-172.16.200.20 avaya
dhcpd option 3 ip 172.16.200.1 interface avaya
dhcpd option 176 ascii MCIPADD=192.168.8.200,MCPORT=1719,TFTPSRVR=192.168.8.10 interface avaya
dhcpd enable avaya
!

tftp-server inside 192.168.8.10 C:\tftp
username asa9 password 9UIVSWIp7g..yY9. encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:39660fe7694f13591e812ddebda94e36
: end

 

[VanZenden]

Some more information:

I can't ping from PC (192.168.8.10) any address in subnet 172.16.200.0/24.
I can't ping from notebook (172.16.200.10) any address in subnet 192.168.8.0/24

from ASA I can ping hosts on both subnets.


>show route

Gateway of last resort is 213.x.x.1 to network 0.0.0.0

C 192.168.8.0 255.255.255.0 is directly connected, inside
C 172.16.200.0 255.255.255.0 is directly connected, avaya
C 213.143.68.0 255.255.255.0 is directly connected, outside
C 127.0.0.0 255.255.255.0 is directly connected, _internal_loopback
S* 0.0.0.0 0.0.0.0 [1/0] via 213.x.x.1, outside


>show ip

ystem IP Addresses:
Interface Name IP address Subnet mask Method
Vlan1 inside 192.168.8.1 255.255.255.0 CONFIG
Vlan2 outside y.y.y.210 255.255.255.0 DHCP
Vlan33 avaya 172.16.200.1 255.255.255.0 CONFIG
Current IP Addresses:
Interface Name IP address Subnet mask Method
Vlan1 inside 192.168.8.1 255.255.255.0 CONFIG
Vlan2 outside y.y.y.210 255.255.255.0 DHCP
Vlan33 avaya 172.16.200.1 255.255.255.0 CONFIG

 

[unclerico]

if you look through your logs do you see any errors regarding portmap tranlsations failing??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[VanZenden]

I've no idea, how to see any logs ... could you assist me

thanks,

 

[unclerico]

issue this command: show logging asdm

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)