CISCO ASA 5510 - Two Networks


  • CISCO ASA 5510 - Two Networks

    I have connected two separate networks to a CISCO ASA 5510.
    Network E1 192.168.0.x
    Network E2 172.16.1.x
    I want to create a route between the two networks so both networks can access each other's resources. I tried adding the routes but it gave me the error.

    ASA Version 7.0(7)
    !
    hostname AHRA-FW
    domain-name default.domain.invalid
    enable password LKkVrn52b5rJQVnD encrypted
    names
    name 62.1.xx.x. GW_Router
    name 62.1x.x.x Exchange_Srv
    name 62.1x.xx.x AHRA_FW
    name 62.1x.x.x Exchange_Srv_ES
    dns-guard
    !
    interface Ethernet0/0
    nameif OUTSIDE
    security-level 0
    ip address AHRA_FW 255.255.255.248
    !
    interface Ethernet0/1
    nameif INSIDE
    security-level 100
    ip address 192.168.0.1 255.255.255.0
    !
    interface Ethernet0/2
    nameif INSIDE1
    security-level 100
    ip address 172.16.1.1 255.255.255.0
    !
    interface Management0/0
    shutdown
    no nameif
    no security-level
    no ip address
    management-only
    !
    passwd 2KFQnbNIdI.2KYOU encrypted
    ftp mode passive
    access-list 101 extended permit icmp any any time-exceeded
    access-list 101 extended permit icmp any any echo-reply
    access-list 101 extended permit tcp any host Exchange_Srv eq smtp
    access-list 101 extended permit tcp any host Exchange_Srv eq pop3
    access-list 101 extended permit tcp any host Exchange_Srv eq https
    access-list 101 extended permit tcp any host Exchange_Srv eq www
    access-list 101 extended permit tcp any host Exchange_Srv eq imap4
    access-list 101 extended permit tcp any host Exchange_Srv eq 3389
    access-list 101 extended permit tcp any host Exchange_Srv_ES eq smtp
    access-list 101 extended permit tcp any host Exchange_Srv_ES eq pop3
    access-list 101 extended permit tcp any host Exchange_Srv_ES eq https
    access-list 101 extended permit tcp any host Exchange_Srv_ES eq imap4
    access-list 101 extended permit tcp any host Exchange_Srv_ES eq www
    access-list 101 extended permit tcp any host Exchange_Srv_ES eq 3389
    pager lines 24
    logging enable
    mtu OUTSIDE 1500
    mtu INSIDE 1500
    mtu INSIDE1 1500
    asdm image disk0:/asdm-507.bin
    no asdm history enable
    arp timeout 14400
    nat-control
    global (OUTSIDE) 1 interface
    nat (INSIDE) 1 192.168.0.0 255.255.255.0
    nat (INSIDE1) 1 172.16.1.0 255.255.255.0
    static (INSIDE,OUTSIDE) Exchange_Srv 192.168.0.10 netmask 255.255.255.255
    static (INSIDE1,OUTSIDE) Exchange_Srv_ES 172.16.1.11 netmask 255.255.255.255
    access-group 101 in interface OUTSIDE
    route OUTSIDE 0.0.0.0 0.0.0.0 GW_Router 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    username admin password C8BY0vQHMsIUl3I6 encrypted privilege 15
    username remote password 3servbOCabjWVuF. encrypted privilege 15
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    http server enable
    http 192.168.0.0 255.255.255.0 INSIDE
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    telnet 192.168.0.0 255.255.255.0 INSIDE
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 OUTSIDE
    ssh 192.168.0.0 255.255.255.0 INSIDE
    ssh timeout 5
    console timeout 0
    management-access INSIDE
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map global_policy
    class inspection_default
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    !
    service-policy global_policy global
    Cryptochecksum:6f8621e22fb0b18eec1b0e5847c6b241
    : end
    AHRA-FW(config)# route inside1 192.168.0.0 255.255.255.0 192.168.0.1
    ERROR: Cannot add route, connected route exists
    AHRA-FW(config)# route inside 172.16.1.0 255.255.255.0 172.16.1.1
    ERROR: Cannot add route, connected route exists
    AHRA-FW(config)# quit
    AHRA-FW# exit

  • #2
    Re: CISCO ASA 5510 - Two Networks

    Well, the error message is imho quite clear. Since both networks are directly connected to the ASA, you don't need additional routes.
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"



    • #3
      Re: CISCO ASA 5510 - Two Networks

      In addition to what Dumber said, you have nat-control enabled, so you'll need to configure Identity NAT (stupid name that means NAT Exclusion):

      nat (inside) 0 access-list blahblah

      access-list blahblah extended permit ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.0
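      A quick way to check a posted running-config for the two conditions discussed in this thread (nat-control without a NAT exemption between the inside interfaces, and two interfaces at the same security level, which an ASA also refuses to pass traffic between unless "same-security-traffic permit inter-interface" is set). This is an added example, not code from either poster; the config strings are constructed excerpts of the thread's config, and the ACL name NONAT stands in for "blahblah".

```python
import re

# Constructed excerpt of the running-config posted in the thread, trimmed to the
# lines that decide whether INSIDE and INSIDE1 can reach each other.
ORIGINAL_CFG = """\
interface Ethernet0/1
 nameif INSIDE
 security-level 100
interface Ethernet0/2
 nameif INSIDE1
 security-level 100
nat-control
nat (INSIDE) 1 192.168.0.0 255.255.255.0
nat (INSIDE1) 1 172.16.1.0 255.255.255.0
"""

# Same excerpt plus the NAT exemption suggested in the answer (NONAT is a
# placeholder ACL name) and the same-security-traffic command the ASA needs.
FIXED_CFG = ORIGINAL_CFG + """\
same-security-traffic permit inter-interface
access-list NONAT extended permit ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (INSIDE) 0 access-list NONAT
"""

def parse(cfg):
    """Collect interface security levels, nat-control, same-security and nat 0 ACLs."""
    lines = [l.strip() for l in cfg.splitlines()]
    levels, nameif, nat0 = {}, None, {}
    for line in lines:
        if line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("security-level ") and nameif:
            levels[nameif] = int(line.split()[1])
        m = re.match(r"nat \((\S+)\) 0 access-list (\S+)$", line)
        if m:  # NAT exemption on this interface, keyed by interface name
            nat0[m.group(1)] = m.group(2)
    return {"levels": levels, "nat0": nat0, "nat_control": "nat-control" in lines,
            "same_sec": "same-security-traffic permit inter-interface" in lines}

def audit(cfg, a="INSIDE", b="INSIDE1"):
    """Return the reasons traffic between interfaces a and b would be dropped."""
    c = parse(cfg)
    findings = []
    if c["levels"].get(a) == c["levels"].get(b) and not c["same_sec"]:
        findings.append("equal security levels but no same-security-traffic permit inter-interface")
    if c["nat_control"] and a not in c["nat0"] and b not in c["nat0"]:
        findings.append("nat-control is on but neither interface has a nat 0 access-list exemption")
    return findings
```

      Running audit(ORIGINAL_CFG) reports both problems; audit(FIXED_CFG) returns an empty list.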
