Route between 1811 and ASA 5510

Status
Not open for further replies.

overmodulation

Programmer
Oct 16, 2007
48
US
Hey guys,

I'm still getting used to this Cisco networking stuff in between other various and sundry development projects.

What I have is a Cisco 1811 router - subnet 192.168.1.x. It works dandy.

I also have a Cisco ASA 5510 security appliance. Outside1 interface is connected to a T1. Works dandy. Inside interface is subnet 192.168.3.x. Hosts can get out to the internet like I'd like them to.

However, I set the Outside2 interface to IP address 192.168.1.2. I want to be able to talk to hosts on each subnet from each subnet. For now, I can only ping hosts in the 192.168.1.x network through telnet logged into the ASA. I can't actually communicate with them from the host computer itself. I have set up routes on both devices which I thought would work. Apparently not.

First off, is this a stupid configuration? Second, is it possible to make it work the way I intended? I need both devices for different things as we have multiple WANs which inbound applications rely on. However, I just need computers on both (disparate) networks to communicate with each other.

I don't have any managed switches so I can't use VLANs (that I know of).

I'm still learning this stuff as I'm a web programmer by specialty, so please, any and all info is appreciated.

Thank you.
 

You probably need to deal with NAT to that segment. But it would be best if you post some sanitized configs and I will take a look.

cheers
 
Do you want protected access from one network to the other or do you want it open with just routing and no security between the 2? You might need to change around the topology a bit. Post a scrubbed config of both the router and the ASA. (Delete passwords and mask the middle 2 octets of the public IPs.) What does your topology actually look like now?


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Thanks guys.

Cisco ASA:

Code:
asdm image disk0:/asdm-507.bin
asdm location 72.xxx.xxx.xxx 255.255.255.255 outside1
no asdm history enable
: Saved
:
ASA Version 7.0(7)
!
hostname ciscoasa
domain-name OnHoldMedia0.com
enable password xxxxx
names
dns-guard
!
interface Ethernet0/0
 description T1 line from Verizon
 nameif outside1
 security-level 0
 ip address 72.xxx.xxx.xxx 255.255.255.248
!
interface Ethernet0/1
 nameif outside2
 security-level 0
 ip address 192.168.1.2 255.255.255.0
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 nameif dmz
 security-level 50
 ip address 10.30.30.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.2.1 255.255.255.0
 management-only
!
passwd O.Uruh/R3Etxgveu encrypted
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
dns domain-lookup outside1
dns name-server 4.2.2.1
dns name-server 4.2.2.2
same-security-traffic permit inter-interface
access-list outside extended permit tcp any interface outside1 eq www
access-list outside extended permit tcp any interface outside1 eq nntp
access-list outside extended permit tcp any interface outside1 eq 65531
access-list outside extended permit tcp any interface outside1 eq 65528
access-list outside extended permit tcp any interface outside1 eq 65529
access-list outside extended permit tcp any interface outside1 eq 3389
pager lines 24
logging asdm informational
mtu outside1 1500
mtu outside2 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
no failover
monitor-interface outside1
monitor-interface outside2
monitor-interface inside
monitor-interface dmz
monitor-interface management
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside1) 10 interface
nat (outside2) 0 192.168.1.0 255.255.255.0 outside
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside1) tcp interface www 192.168.3.10 www netmask 255.255.255.255
static (inside,outside1) tcp interface nntp 192.168.3.10 nntp netmask 255.255.255.255
static (inside,outside1) tcp interface 65531 192.168.3.10 65531 netmask 255.255.255.255
static (inside,outside1) tcp interface 65528 192.168.3.10 65528 netmask 255.255.255.255
static (inside,outside1) tcp interface 65529 192.168.3.10 65529 netmask 255.255.255.255
static (inside,outside1) tcp interface 3389 192.168.3.46 3389 netmask 255.255.255.255
access-group outside in interface outside1
route outside1 0.0.0.0 0.0.0.0 72.xxx.xxx.xxx 1
route inside 192.168.1.2 255.255.255.255 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username xxxxx password xxxxx encrypted privilege 15
http server enable
http 192.168.3.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 outside1
telnet 192.168.3.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.3.101-192.168.3.200 inside
dhcpd address 192.168.2.2-192.168.2.254 management
dhcpd dns 192.168.3.11 4.2.2.1
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd domain OnHoldMedia0.com
dhcpd auto_config inside
dhcpd enable inside
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:bae24e88893b03caee829fed9603a826
: end

Cisco 1811 router:

Code:
!This is the running config of the router: 192.168.1.1
!----------------------------------------------------------------------------
!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco1811
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 xxxxx
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -6
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.100
ip dhcp excluded-address 192.168.1.201 192.168.1.254
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.1.0 255.255.255.0
   dns-server 192.168.1.11 
   default-router 192.168.1.1 
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name OnHoldMedia0.com
ip name-server 4.x.x.x
ip name-server 4.x.x.x
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-3410901997
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3410901997
 revocation-check none
 rsakeypair TP-self-signed-3410901997
!
!
crypto pki certificate chain TP-self-signed-3410901997
 certificate self-signed 01
  30820252 308201BB A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 33343130 39303139 3937301E 170D3037 31303139 31343536 
  31395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 34313039 
  30313939 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 
  8100B9E4 4A1370D4 FC0B195C 1E13622C B3AD28AE 3E842AF1 9194E11A D3D0A84F 
  67878EF6 6AEA6929 A755D992 4C004193 4094BD6E F933BF1D CD8F76D8 6F4D4ACE 
  059FA2C9 240BEA01 4C9D1151 E5C97E3E 9371AA68 A551591A 19F59807 30C2EABA 
  8CBDBFB9 9DF6AD90 55A59B61 7A66C5B1 5EB34DAE 48214DD2 EB95D8B7 0CC4139F 
  36FD0203 010001A3 7A307830 0F060355 1D130101 FF040530 030101FF 30250603 
  551D1104 1E301C82 1A636973 636F3138 31312E4F 6E486F6C 644D6564 6961302E 
  636F6D30 1F060355 1D230418 30168014 2967373F BAD6B1C0 1B5FAA2F D16D3E48 
  F1EE7E20 301D0603 551D0E04 16041429 67373FBA D6B1C01B 5FAA2FD1 6D3E48F1 
  EE7E2030 0D06092A 864886F7 0D010104 05000381 81008F81 228EE003 854B0245 
  B5616954 A662E9F6 01B8AFE2 0C95FC65 B45B1409 E85A3031 AD4E87E1 5C0A3759 
  726D574F 57F739D3 6916932F 798FC6D5 A6A07AE9 359F02DB 65B6F972 457DB7DA 
  032BACB1 E4A09AE8 E30D77EF 2E26DAF2 1E60C730 FFBAA32D 267802B3 396D2D39 
  216BA803 234AD5D0 2EF06C14 5BF06AAC FE4CA47D C7E3
  quit
username xxxxx privilege 15 secret 5 xxxxx
!
! 
!
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
 description $ETH-WAN$$FW_OUTSIDE$
 ip address 71.xxx.xxx.xxx 255.255.255.0
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
!
interface FastEthernet1
 description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
 ip address 66.xxx.xxx.xxx 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
!
router rip
 passive-interface Vlan1
 network 192.168.3.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 71.xxx.xxx.1
ip route 192.168.3.0 255.255.255.0 192.168.1.2 2
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source static tcp 192.168.1.3 80 66.xxx.xxx.xxx 80 extendable
ip nat inside source static tcp 192.168.1.3 119 66.xxx.xxx.xxx 119 extendable
ip nat inside source static tcp 192.168.1.3 65531 66.xxx.xxx.xxx 65531 extendable
ip nat inside source static tcp 192.168.1.3 80 71.xxx.xxx.xxx 80 extendable
ip nat inside source static tcp 192.168.1.3 119 71.xxx.xxx.xxx 119 extendable
ip nat inside source static tcp 192.168.1.11 1433 71.xxx.xxx.xxx 1433 extendable
ip nat inside source static tcp 192.168.1.8 3389 71.xxx.xxx.xxx 3389 extendable
ip nat inside source static tcp 192.168.1.3 59871 71.xxx.xxx.xxx 59871 extendable
ip nat inside source static tcp 192.168.1.3 65525 71.xxx.xxx.xxx 65525 extendable
ip nat inside source static tcp 192.168.1.3 65528 71.xxx.xxx.xxx 65528 extendable
ip nat inside source static tcp 192.168.1.3 65529 71.xxx.xxx.xxx 65529 extendable
ip nat inside source static tcp 192.168.1.3 65531 71.xxx.xxx.xxx 65531 extendable
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 permit tcp host 72.xxx.xxx.xxx any eq 1433
access-list 101 deny   tcp any any eq 1433
access-list 101 permit ip any any
no cdp run
!
!
!
!
!
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end
 

I think you're just missing the nonat statement and ACL to allow that traffic. Hope that helps.

cheers


Code:
access-list nonat-inside extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (outside2) 0 access-list nonat-inside
access-list outside2-in extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-group outside2-in in interface outside2
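
A worked check, added here and not part of the thread: the script below parses the relevant lines of the ASA config posted above, flags the three things that keep 192.168.3.x and 192.168.1.x apart on a pre-8.3 ASA, and then runs again over the same excerpt with the fixes applied. It differs from the reply above in one detail: the exemption is entered as `nat (inside) 0 access-list nonat-inside`, because `nat (if) 0 access-list` is keyed on the interface where the real source addresses live, and the 192.168.3.x sources are on inside; a `nat (outside2) 0` rule whose ACL source is 192.168.3.0/24 matches no traffic arriving on outside2. Assumptions: the nat/global pairing and access-group rules it encodes are the documented ASA 7.x behaviour; an exemption whose destination overlaps the egress interface's subnet is treated as covering that flow (the checker does not evaluate ACLs beyond that); the sample config is constructed from the post, with outside1's masked public address left out.

```python
# Added example, not code from this thread: a small static checker for the classic
# (pre-8.3) ASA NAT/ACL model, run over an excerpt of the ASA config posted above and
# over the same excerpt with the fixes applied. Assumed: the nat/global pairing and
# access-group rules below are the documented ASA 7.x behaviour; a 'nat (if) 0
# access-list' entry whose destination overlaps the egress subnet counts as covering
# that flow; outside1's public address is masked in the post and is left out.
import ipaddress
import re

# Constructed from the posted config; 'interface' headers dropped, the checker keys on nameif.
POSTED = """\
nameif outside1
 security-level 0
nameif outside2
 security-level 0
 ip address 192.168.1.2 255.255.255.0
nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0
nat-control
global (outside1) 10 interface
nat (outside2) 0 192.168.1.0 255.255.255.0 outside
nat (inside) 10 0.0.0.0 0.0.0.0
access-group outside in interface outside1
telnet 0.0.0.0 0.0.0.0 outside1
"""

# Same excerpt with the fixes: exempt inside->192.168.1.0/24 from translation (nat 0 sits
# on the interface where the real sources live), admit 192.168.1.0/24 through outside2,
# and drop Telnet from anywhere.
FIXED = POSTED.replace("telnet 0.0.0.0 0.0.0.0 outside1\n", "") + """\
access-list nonat-inside extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat-inside
access-list outside2-in extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-group outside2-in in interface outside2
"""

def parse(text):
    """Pull out the interface, NAT, ACL and management statements the checks need."""
    cfg = {"sec": {}, "net": {}, "nat": [], "global": set(), "acg": set(), "acl": {}, "telnet": []}
    cur = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("nameif "):
            cur = line.split()[1]
        elif line.startswith("security-level ") and cur:
            cfg["sec"][cur] = int(line.split()[1])
        elif line.startswith("ip address ") and cur:
            ip, mask = line.split()[2:4]
            cfg["net"][cur] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        elif m := re.match(r"nat \((\S+)\) (\d+) (.+)", line):
            cfg["nat"].append((m[1], int(m[2]), m[3]))
        elif m := re.match(r"global \((\S+)\) (\d+) ", line):
            cfg["global"].add((m[1], int(m[2])))
        elif m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)", line):
            nets = (ipaddress.ip_network(f"{m[2]}/{m[3]}"), ipaddress.ip_network(f"{m[4]}/{m[5]}"))
            cfg["acl"].setdefault(m[1], []).append(nets)
        elif m := re.match(r"access-group \S+ in interface (\S+)", line):
            cfg["acg"].add(m[1])
        elif m := re.match(r"telnet (\S+) (\S+) (\S+)", line):
            cfg["telnet"].append((m[1], m[2], m[3]))
    return cfg

def exempted(cfg, src, dst):
    """True if a 'nat (src) 0 access-list NAME' entry reaches dst's connected subnet."""
    egress = cfg["net"].get(dst)
    for s, n, rest in cfg["nat"]:
        if s != src or n != 0 or not rest.startswith("access-list "):
            continue
        for _, acl_dst in cfg["acl"].get(rest.split()[1], []):
            if egress is not None and acl_dst.overlaps(egress):
                return True
    return False

def findings(cfg):
    out = []
    # 1. 'nat (src) N' needs a 'global (dst) N' on every other interface, or a nat 0 exemption;
    #    otherwise the ASA logs %ASA-3-305005 "No translation group found" and drops the packet.
    for src, nid, _ in cfg["nat"]:
        if nid == 0:
            continue
        for dst in cfg["sec"]:
            if dst != src and (dst, nid) not in cfg["global"] and not exempted(cfg, src, dst):
                out.append(f"NAT: nat ({src}) {nid} has no global ({dst}) {nid} and no nat 0 "
                           f"exemption; {src}->{dst} flows get no translation and are dropped")
    # 2. Lower- to higher-security sessions are denied without an inbound access-group.
    top = max(cfg["sec"].values())
    for iface, lvl in cfg["sec"].items():
        if lvl < top and iface not in cfg["acg"]:
            out.append(f"ACL: {iface} (security-level {lvl}) has no inbound access-group; "
                       f"sessions from {iface} to higher-security interfaces are denied")
    # 3. Management plane: a telnet line with mask 0.0.0.0 admits any source address.
    for _, mask, iface in cfg["telnet"]:
        if mask == "0.0.0.0":
            out.append(f"MGMT: telnet permitted from any address on {iface}")
    return out

if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("fixed", FIXED)):
        print(label, findings(parse(text)) or "no findings")
```

On the posted excerpt it reports three findings: `nat (inside) 10 0.0.0.0 0.0.0.0` claims every inside source but there is no `global (outside2) 10` and no exemption, so inside-to-192.168.1.x traffic gets no translation and is dropped (ASA-originated pings from the telnet session are not subject to that rule, which is why those work); outside2 has no inbound access-group, so sessions from 192.168.1.x toward inside are denied; and Telnet is open from any address on the Internet-facing outside1. On the fixed excerpt it reports nothing. Nothing on the 1811 needs to change for this: `ip route 192.168.3.0 255.255.255.0 192.168.1.2 2` already points 192.168.3.0/24 at the ASA, and the `router rip` stanza with `network 192.168.3.0` does nothing because no router interface sits in that network. The ASA's `route inside 192.168.1.2 255.255.255.255 192.168.1.1 1` is not needed either; both LANs are directly connected. Existing translations built before the change can keep failing until they are cleared with `clear xlate`.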
 
OK, I put these commands into the ASA and they took... what should I put into the 1811?
 
Yeah, I put them in the ASA. They looked too weird to be IOS commands hahahaha.

What should I put in the 1811? I can ping hosts on the 192.168.1.x from my telnet session but not from the host itself. Nor can I reach hosts on the 192.168.1.x network from the 192.168.3.x network. And vice versa.

 

The router looked like it was routing the ASA inside segment correctly. Try clearing the translations on the ASA.

cheers


clear xlate
 
I am confused, do you have 2 different internet connections connected to the same router? Then you are trying to connect them through the ASA?
 
Looks like he's got ASA like this...

---Internet------ASA(outside1)----------192.168.3.0/24
                  |
                  (outside2) 192.168.1.0/24
                  |
                  C1811----------another inside LAN

This is what I got from the explanation in the first post. If this is true, then the 1841 must have ip nat inside on both connected interfaces, and the second inside LAN must be on a different (third) subnet than the 1841 (192.168.1.0/24).

Burt

 
Here's what I've got:

---INTERNET---(outside1)ASA----192.168.3.0/24(inside)
                        |
                        |(outside2) 192.168.1.2
                        |
---INTERNET---(fa0)C1811----192.168.1.0/24(Vlan1)

Does that make sense?

It's kind of a stupid setup, I'm sure. But I just need 192.168.1.x to talk to 192.168.3.x and vice versa.
 
Please note that outside2 on ASA is not connected to fa0 on 1811. It's connected to a switch connected to Vlan1 on the 1811.

Both devices have connections to the internet.

I'm not concerned with internet access failover at this point (yet) ... I just want the two disparate networks to communicate.
 