asa5505 … cant set up a route ??

Home Forums Networking Cisco Security – PIX/ASA/VPN asa5505 … cant set up a route ??

This topic contains 2 replies, has 3 voices, and was last updated by Avatar toandxpc3 2 years, 10 months ago.

Viewing 3 posts - 1 through 3 (of 3 total)
  • Author
    Posts
  • #166522

    Hi — I wonder if anyone else can help me .. Im at a total loss !!

    In have connected into port 2 an isolated network 10.0.9.x … this is totally seperate to my other network and no routes exist between the two
    I simply want to have an RDP access … I can access the internet and when I try and do an oper port check to the external address ending .251 the cisco sees the hit but doesnt send any traffic
    Port 2 on my cisco simply plugs into a basic hub with 2 computers the other end.

    If I come in on .252 externally this works and goes to the other machine (on different network)

    but not when I come in .251 !!!

    Please could someone take a look at the config and tell me what I am doing wrong .. am I missing a route somewhere ?

    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    switchport access vlan 22
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    switchport access vlan 12
    !
    interface Ethernet0/5
    switchport access vlan 12
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.0.1.254 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address 81.41.242.249 255.255.255.248
    !
    interface Vlan12
    nameif public-wifi
    security-level 100
    ip address 192.168.8.254 255.255.255.0
    !
    interface Vlan22
    nameif linnaeus
    security-level 100
    ip address 10.0.9.100 255.255.255.0
    !
    ftp mode passive
    clock timezone GMT/BST 0
    clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server 10.0.1.2
    domain-name willows.local
    object-group network EPA
    description Email Systems IP Ranges
    network-object EPA3 255.255.255.0
    network-object EPA1 255.255.255.240
    network-object EPA2 255.255.255.192
    network-object EPA9 255.255.248.0
    network-object EPA10 255.255.254.0
    network-object EPA11 255.255.254.0
    network-object EPA12 255.255.254.0
    network-object EPA4 255.255.240.0
    network-object EPA8 255.255.248.0
    network-object EPA5 255.255.240.0
    network-object EPA6 255.255.248.0
    network-object EPA7 255.255.248.0
    object-group service RDP tcp
    description Remote Desktop
    port-object eq 3386
    object-group service VNC tcp
    description VNC Viewer
    port-object eq 3386
    port-object eq 3387
    port-object eq 3388
    port-object eq 3389
    object-group network Fuji
    network-object host FUJI2
    network-object host FUJI
    network-object host FUJI3
    network-object host curtis
    object-group network EPA-LDAP
    description LDAP auth for EPA
    network-object host 176.34.228.109
    network-object host 176.34.228.117
    network-object host 176.34.228.121
    network-object host 176.34.228.76
    network-object host 46.137.116.147
    network-object ldaps-1 255.255.252.0
    network-object LDAPS-2 255.255.248.0
    network-object LDAPS-3 255.255.255.0
    network-object LDAPS-4 255.255.255.0
    network-object MIKETEST 255.255.255.0
    object-group service rdp2 tcp
    group-object RDP
    port-object eq 3385
    port-object eq https
    object-group service r3389 tcp
    port-object eq 3389
    object-group service https_and_6001 tcp
    port-object eq 6001
    port-object eq 6002
    port-object eq 6003
    port-object eq 6004
    port-object eq https
    object-group service fujIrequest tcp
    port-object eq 2837
    port-object eq 2861
    port-object eq 2876
    port-object eq 2898
    port-object eq 3011
    port-object eq 3030
    port-object eq 5900
    port-object eq 3387
    object-group service oayrollpc tcp
    description payrollpc
    port-object eq 3375
    object-group service port1433 tcp
    port-object eq 1433
    object-group service port1433single
    service-object tcp eq 1433
    object-group service DM_INLINE_SERVICE_1
    service-object tcp-udp eq www
    service-object tcp eq https
    access-list outside_access_in remark Allow SMTP access from EPA
    access-list outside_access_in extended permit tcp object-group EPA host 81.71.242.253 eq smtp
    access-list outside_access_in remark Allow LDAPS access from EPA
    access-list outside_access_in extended permit tcp object-group EPA-LDAP 81.41.242.248 255.255.255.248 eq ldaps
    access-list outside_access_in extended permit tcp object-group EPA-LDAP 81.41.242.248 255.255.255.248 eq ldap inactive
    access-list outside_access_in remark RDP
    access-list outside_access_in extended permit tcp any host 81.41.242.252 object-group r3389
    access-list outside_access_in extended permit tcp any host 81.41.242.251 object-group r3389
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any 81.41.242.248 255.255.255.248
    access-list outside_access_in remark VPN
    access-list outside_access_in extended permit gre any 81.41.242.248 255.255.255.248
    access-list outside_access_in remark Fuji RDP access to Synapse Server
    access-list outside_access_in extended permit ip object-group Fuji 81.71.242.248 255.255.255.248
    access-list outside_access_in remark GE
    access-list outside_access_in extended permit udp host 195.177.212.157 host 81.41.242.252 eq isakmp
    access-list outside_access_in extended permit tcp any 81.41.242.248 255.255.255.248 eq pptp
    access-list outside_access_in extended permit gre any host 81.41.242.253
    access-list outside_access_in extended permit tcp any 81.41.242.248 255.255.255.248 object-group fujIrequest
    access-list outside_access_in extended permit tcp any 81.41.242.248 255.255.255.248 object-group oayrollpc inactive
    access-list outside_access_in extended permit tcp any host 81.41.242.253 object-group port1433 inactive
    access-list outside_access_in extended permit tcp any 81.41.242.248 255.255.255.248 eq 1433
    access-list inside_access_in extended permit gre any any
    access-list inside_access_in extended permit ip any any
    access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 192.168.10.0 255.255.255.0
    access-list inside_nat0_outbound remark VLAN6
    access-list inside_nat0_outbound extended permit ip 10.0.2.0 255.255.255.0 192.168.10.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.0.3.48 255.255.255.240 150.2.0.0 255.255.0.0
    access-list inside_nat0_outbound extended permit ip any 10.0.1.192 255.255.255.192
    access-list outside_2_cryptomap extended permit ip 10.0.3.48 255.255.255.240 150.2.0.0 255.255.0.0
    access-list public-wifi_access_in extended permit ip any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu public-wifi 1500
    mtu linnaeus 1500
    ip local pool VPN 10.0.1.220-10.0.1.230 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any echo-reply outside
    asdm image disk0:/asdm-645.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (public-wifi) 1 0.0.0.0 0.0.0.0
    nat (linnaeus) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp 81.41.242.252 3389 WillowsTS 3389 netmask 255.255.255.255
    static (inside,outside) tcp 81.41.242.251 3389 10.0.9.9 3389 netmask 255.255.255.255
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    access-group public-wifi_access_in in interface public-wifi
    route outside 0.0.0.0 0.0.0.0 81.41.242.254 1
    route inside 10.0.2.0 255.255.255.0 10.0.1.100 1
    route inside 10.0.3.0 255.255.255.0 10.0.1.100 1
    route inside 10.0.4.0 255.255.255.0 10.0.1.100 1
    route inside 10.0.5.0 255.255.255.0 10.0.1.100 1
    route inside 192.168.10.0 255.255.255.0 10.0.1.100 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    nac-policy DfltGrpPolicy-nac-framework-create nac-framework
    reval-period 36000
    sq-period 300
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    http server enable
    http 10.0.1.2 255.255.255.255 inside
    http 10.0.0.0 255.255.255.0 inside
    http 10.0.1.0 255.255.255.0 inside

    Thanks
    Mike

    Avatar
    clover
    Member
    #391271

    Not sure if anyone can help .. but also when I look in the log for the asa the packet comes in and then reads:

    6 Aug 04 2016 09:51:41 82.32.89.30 64148 10.0.9.9 3389 Teardown TCP connection 270840007 for outside:82.32.89.30/64148 to inside:10.0.9.9/3389 duration 0:00:00 bytes 0 No valid adjacency

    Avatar
    toandxpc3
    Member
    #391600

    ASA by default when you create networks you cannot ping and get a result it will reply no route to host , this is because the routing table has not been built . You will need to atleast connect a host to the network and this time your route table will be successful.

Viewing 3 posts - 1 through 3 (of 3 total)

You must be logged in to reply to this topic.