ASA 5510 - Can't route between two internal networks?

  • ASA 5510 - Can't route between two internal networks?

    Hey guys,

    I need help with a Cisco ASA 5510 I am setting up at the moment and was wondering if anyone could help me out.

    I have two internal networks, 192.168.172.x (voice) and 192.168.173.x (data), and one PPPoE external connection. Between the two internal networks I don't need any security; I just want them to be able to route to each other.

    At the moment both the data and VoIP networks reach the internet with no problems, but I can't make them talk to each other.

    I have ticked the boxes in ASDM "Enable traffic between two or more interfaces which are configured with same security levels" and "Enable traffic between two or more hosts connected to the same interface" (these are the two same-security-traffic lines in the config below).

    When I try to ping the ASA's interface on the other side, or a switch on that network, all I get in the log is "Teardown ICMP connection for faddr...." and no reply.

    If anyone could point me in the right direction it would be greatly appreciated.

    I know it would be better to use a router for this, but in this situation I haven't been given much choice.

    Thanks everyone

    I have pasted the config below:


    Code:
    ! Cisco ASA 5510 running an ASDM 6.2.1 image (so ASA 8.2-era NAT syntax),
    ! with a PPPoE "outside" interface and two internal interfaces at
    ! security-level 100: "inside" (192.168.173.0/24, data) and "voip"
    ! (192.168.172.0/24). The poster wants unrestricted routing between inside
    ! and voip. The "!" lines are review comments (the ASA treats them as
    ! comments); masked values (####, ****) are the poster's own redaction.
    interface Ethernet0/0
     nameif outside
     security-level 0
     pppoe client vpdn group blefts
     ip address ############ 255.255.255.255 pppoe setroute 
    !
    ! inside and voip share security-level 100, so traffic between them is
    ! permitted only because of "same-security-traffic permit inter-interface"
    ! further down - the security levels alone would not allow it.
    interface Ethernet0/1
     nameif inside
     security-level 100
     ip address 192.168.173.1 255.255.255.0 
    !
    interface Ethernet0/2
     nameif voip
     security-level 100
     ip address 192.168.172.1 255.255.255.0 
    !
    interface Ethernet0/3
     shutdown
     no nameif
     security-level 0
     no ip address
    !
    ! Out-of-band management LAN (192.168.1.0/24); management-only means the
    ! ASA will not forward through-traffic on this interface.
    interface Management0/0
     nameif management
     security-level 100
     ip address 192.168.1.1 255.255.255.0 
     management-only
    !
    ftp mode passive
    clock timezone JST 9
    ! NOTE(review): the ASA's own name resolution is bound to the
    ! management-only interface, and no "name-server" entry for DefaultDNS
    ! appears in this paste - verify the box can actually resolve names.
    dns domain-lookup management
    dns server-group DefaultDNS
     domain-name default.domain.invalid
    ! These two lines are the ASDM tick boxes the poster mentions: allow
    ! traffic between interfaces of equal security level, and allow traffic
    ! to enter and leave the same interface (hairpinning).
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    ! DM_INLINE_NETWORK_1 and DM_INLINE_NETWORK_2 are ASDM-generated groups
    ! with identical contents (both LANs); VPN_Users is 192.168.174.0/24,
    ! presumably the remote-access pool "VPN-Pool" (its "ip local pool" line
    ! is not in this paste).
    object-group network DM_INLINE_NETWORK_1
     network-object 192.168.172.0 255.255.255.0
     network-object 192.168.173.0 255.255.255.0
    object-group network VPN_Users
     network-object 192.168.174.0 255.255.255.0
    object-group network DM_INLINE_NETWORK_2
     network-object 192.168.172.0 255.255.255.0
     network-object 192.168.173.0 255.255.255.0
    ! Inbound ACLs on the two LAN interfaces: "permit ip any any" on both, so
    ! the ACLs are not what blocks inside<->voip. Note this also allows any
    ! outbound traffic from either LAN to the Internet. The second
    ! internal-data entry is shadowed by the "any any" above it (ACLs are
    ! first-match) and never fires.
    access-list internal-voip_access_in extended permit ip any any 
    access-list internal-data_access_in extended permit ip any any 
    access-list internal-data_access_in extended permit ip any object-group ############ 
    ! external_access_in is not bound to any interface by an access-group
    ! line below, so these three entries are currently dead configuration.
    access-list external_access_in extended permit ip 192.168.173.0 255.255.255.0 any 
    access-list external_access_in extended permit ip 192.168.172.0 255.255.255.0 any 
    access-list external_access_in extended permit icmp any any 
    ! outside_access_in: what the Internet may send in. The two masked groups
    ! may reach anything, the VPN pool may reach both LANs, and
    ! NOTE(review): "permit icmp any any" lets every ICMP type from any source
    ! through to the LANs - tighten to echo-reply / unreachable /
    ! time-exceeded if inbound ICMP is needed at all.
    access-list outside_access_in extended permit ip object-group ############ any 
    access-list outside_access_in extended permit ip object-group ############ any 
    access-list outside_access_in extended permit ip object-group VPN_Users object-group DM_INLINE_NETWORK_1 
    access-list outside_access_in extended permit icmp any any 
    ! Split-tunnel list: VPN clients get routes for the two LANs only.
    access-list Remote-Access_splitTunnelAcl standard permit 192.168.173.0 255.255.255.0 
    access-list Remote-Access_splitTunnelAcl standard permit 192.168.172.0 255.255.255.0 
    ! NAT exemption (nat 0) ACLs: every entry here only exempts traffic
    ! between a LAN and the VPN pool 192.168.174.0/24. Nothing exempts
    ! inside<->voip traffic - see the NOTE(review) at the nat/global lines.
    access-list inside_nat0_outbound extended permit ip 192.168.173.0 255.255.255.0 192.168.174.0 255.255.255.0 
    access-list outside_nat0_outbound extended permit ip 192.168.174.0 255.255.255.0 object-group DM_INLINE_NETWORK_2 
    access-list voip_nat0_outbound extended permit ip 192.168.172.0 255.255.255.0 192.168.174.0 255.255.255.0 
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu voip 1500
    mtu management 1500
    icmp unreachable rate-limit 1 burst-size 1
    ! "icmp permit any <if>" governs ICMP addressed to the ASA's own interface
    ! addresses, not through-traffic. NOTE(review): on outside this lets any
    ! Internet host ping/probe the firewall itself - restrict to known
    ! sources or to reply types. Also, the ASA does not normally answer a ping
    ! sent to the address of an interface other than the one the packet
    ! arrives on (e.g. a data host pinging 192.168.172.1), so test
    ! inside<->voip with host-to-host pings rather than by pinging the far
    ! interface.
    icmp permit any outside
    icmp permit any inside
    icmp permit any voip
    icmp permit any management
    asdm image disk0:/asdm-621.bin
    no asdm history enable
    arp timeout 14400
    ! NAT. The only "global" is on outside, while the catch-all
    ! "nat (inside) 101 0.0.0.0 0.0.0.0" and "nat (voip) 101 0.0.0.0 0.0.0.0"
    ! match every source on their interfaces. NOTE(review): a flow from inside
    ! to voip therefore matches nat id 101 but finds no global on the voip
    ! interface to translate to (and likewise voip -> inside), which is the
    ! most likely reason the two LANs cannot reach each other even though the
    ! ACLs and the same-security command allow it. Confirm with
    !   packet-tracer input inside icmp 192.168.173.10 8 0 192.168.172.10
    ! and fix by exempting LAN-to-LAN traffic from NAT, e.g.
    !   access-list inside_nat0_outbound extended permit ip 192.168.173.0 255.255.255.0 192.168.172.0 255.255.255.0
    !   access-list voip_nat0_outbound extended permit ip 192.168.172.0 255.255.255.0 192.168.173.0 255.255.255.0
    ! (the existing "nat (inside) 0" / "nat (voip) 0" lines already apply
    ! those ACLs). "static (inside,voip) 192.168.173.0 192.168.173.0 ..." plus
    ! the reverse is the other common way to do the same thing.
    global (outside) 101 interface
    nat (outside) 0 access-list outside_nat0_outbound
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 101 0.0.0.0 0.0.0.0
    nat (voip) 0 access-list voip_nat0_outbound
    nat (voip) 101 0.0.0.0 0.0.0.0
    access-group outside_access_in in interface outside
    access-group internal-data_access_in in interface inside
    access-group internal-voip_access_in in interface voip
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    ! NOTE(review): this enables HTTPS/ASDM management; the
    ! "http <network> <mask> <interface>" lines that restrict who may connect
    ! are not in this paste - verify they exist and are limited to
    ! inside/management, never outside.
    http server enable
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    ! The poster elided the crypto map / transform-set section here; the
    ! five indented lines that follow appear to be the tail of an ISAKMP
    ! policy whose "crypto isakmp policy N" header was elided with it.
    ###
    lots of crypto stuff
    ###
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    ! NOTE(review): policy 10 negotiates single DES with DH group 2 and the
    ! policy above 3DES/group 2 - both weak by current standards. Prefer AES
    ! with a larger DH group and remove the DES policy so clients cannot
    ! fall back to it.
    crypto isakmp policy 10
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    ! Only the idle timeouts are visible; whether telnet/ssh are actually
    ! enabled (the "telnet"/"ssh <net> <mask> <if>" lines) cannot be told
    ! from this paste.
    telnet timeout 5
    ssh timeout 5
    console timeout 5
    ! Lets VPN clients manage the ASA via its inside address.
    management-access inside
    ! PPPoE dial-out credentials for the outside interface (CHAP).
    vpdn group blefts request dialout pppoe
    vpdn group blefts localname ############
    vpdn group blefts ppp authentication chap
    vpdn username ############ password ********* 
    ! NOTE(review): DHCP service is enabled only on management below, yet the
    ! "dns" and "option 3" (default router 192.168.173.1) settings are
    ! attached to the outside interface - looks like leftover config; verify
    ! it is intended.
    dhcpd dns ############ interface outside
    dhcpd option 3 ip 192.168.173.1 interface outside
    !
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    !
    threat-detection basic-threat
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    ! IPsec remote-access group: split tunnelling limited to the two LANs
    ! (other client traffic leaves the client directly, not via the ASA).
    group-policy Remote-Access internal
    group-policy Remote-Access attributes
     vpn-tunnel-protocol IPSec 
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value Remote-Access_splitTunnelAcl
     service-type remote-access
    tunnel-group Remote-Access type remote-access
    tunnel-group Remote-Access general-attributes
     address-pool VPN-Pool
     default-group-policy Remote-Access
    tunnel-group Remote-Access ipsec-attributes
     pre-shared-key *
    !
    ! Default global inspection set; sip, skinny and h323 are the ones that
    ! matter for the voip LAN.
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map 
      inspect ftp 
      inspect h323 h225 
      inspect h323 ras 
      inspect rsh 
      inspect rtsp 
      inspect esmtp 
      inspect sqlnet 
      inspect skinny  
      inspect sunrpc 
      inspect xdmcp 
      inspect sip  
      inspect netbios 
      inspect tftp 
    !
    
    ! These two asdm lines repeat the ones earlier in the config - presumably
    ! a copy/paste artifact of the post rather than a second occurrence.
    asdm image disk0:/asdm-621.bin
    no asdm history enable
    Last edited by powpow45; 24th August 2009, 09:34. Reason: bad spelling