Cisco 2800 & ASA 5510 Routing Question

Asked by katredrum (United States of America)

Hello Experts,

I have a Cisco 2800 router currently in production that is doing the routing of all VLANs and is also the gateway of our network. We are preparing for a network upgrade and the company has purchased an ASA 5510.

Since the 2800 serves as our T1 Internet gateway, our bandwidth upgrade will have an RJ-45 drop, and the ASA is new to me, I'm trying to co-deploy it until the day we switch over from T1 to RJ-45. I am re-configuring all VLANs to be routed by the ASA (I'm currently only testing non-production VLANs) but don't know how to send Internet traffic to the 2800 for Internet access.

The goal in the end is to have everything configured on the ASA prior to the switch and just have to change routing the Internet traffic from the 2800 to the new ISP.

Is this possible to do? Has anyone done this? Can anyone recommend any other way to do this?
ASKER CERTIFIED SOLUTION
ArneLovius (United Kingdom)
This solution is only available to members.
katredrum (ASKER):

Arne,

I hope my scenario is not like the one you had two years ago. My network is divided by departments using VLANs to make the broadcast domain smaller. By doing this, it actually helped speed up user experience. We also have about the same users and devices...approx 60 users, 8 servers, and 8 printers.

Here is my VLAN configuration:
VLAN1 = common resources (Domain Controllers, Internet, Printers, router/switch management, email server)
VLAN2 = VPN Users
VLAN3 = Professionals
VLAN4 = Accounting/Admin
VLAN5 = Telephone

I did this because users in their own respective VLAN would not congest other departments as they typically access their own server placed in their own VLAN. The only time users need inter-VLAN routing is when they access the Internet, authenticating with AD, needing DNS request, DHCP, print and email which are all on VLAN1.

I really like your idea to keep the 2800 as my inter-VLAN router and use the ASA as a firewall but I was planning to take the 2800 and move it to our branch office for site-to-site VPN with the ASA.

So in your opinion, if I plan to use only the ASA as our router/firewall, should I consolidate my VLANs into 3 instead of 5? I could put the Common Resources (VLAN1), VPN Users (VLAN2) and the Professionals (VLAN3) together because they make up most of the workforce, and keep Accounting/Admin (VLAN4) and Telephone (VLAN5) separate, giving me 3 VLANs.

This reminds me though that the reason I kept the Exchange Server on its own VLAN (1) was to keep users traffic from VLAN4 separate from VLAN3. My main goal was to ensure the Professionals (VLAN3) had the quickest access to all resources. Taking everyone else off was why I divided them into separate VLANs. Question now is...would it be less intrusive for my Professionals (VLAN3) if...

-Everyone was put into the same VLAN sharing a larger broadcast domain,
-Keeping the VLANs how it is making the ASA route Inter-VLAN traffic,
-Consolidating VLAN1, 2 & 3 making the fastest access but having VLAN4 traffic share resources

I guess it all boils down to what is quicker, Inter-VLAN routing or having to share a larger broadcast domain. Can you give me your opinion on which is the better choice?
If all of your users were running AppleTalk on OS 9 or earlier, I might split it as you have it, but as long as you're running on switched 100 Mb Ethernet instead of using 10base2 or 10baseT on hubs :-) you should have no issues with a single "internal" VLAN.

Before doing this, you could attach a computer running wireshark to a network port and monitor the amount of broadcast traffic, my guess is that it would be measured in single digit kbps.

With modern servers, you should be able to consolidate your servers. I've consolidated many small servers into file server clusters with better availability and performance for everyone. Several of these have been for companies with high levels of users working on multi-gigabyte artwork files, and I did this for less than the cost of replacing all of the individual servers when they reached their replacement point. The power consumption and electricity bill can also be a driver for doing this.

The exception might be HR or Finance, but I would usually only split them out if their IT was managed by a dedicated HR or Finance IT department. For a company where I presume you manage all of it, I would quite happily put it all on one (clustered) server, or, with 2k8 R2, two servers with DFS, one Intel and one AMD for even more redundancy.

I would keep the phone system on its own VLAN, but this could be terminated on the ASA as the traffic volume should be relatively small and you can also use it to restrict access to only required hosts.

Instead of using the 2800 at the remote office I would get an ASA5505, the NAT and ACL configuration is much simpler and you keep to a common platform with identical setup etc.

I moved one company that had grown through acquisition from three small offices into one large one. They were 300 people, and with gigabit-to-the-desktop switches I put in a single VLAN and a new file server; two of the companies had already had gigabit and were pleasantly surprised when the new infrastructure was faster...

In short, divide up a network when you _need_ to, but try your best not to need to :-)
Thanks for the suggestions! I wanted to go back to my original question. Is there a way I can have users behind the ASA access the Internet via the 2800? How would I do it and what command(s) would I have to put on my ASA?
SOLUTION (members-only)
Arne,

I don't quite understand.

On the 2800, if I disable NAT how would my users access the Internet? The 2800 still holds the path to the Internet via WIC T1.

I apologize, I'm still new to the ASA and don't really know how to create a dynamic NAT rule.

INTERNET ---- 2800 ---- ASA ---- VLAN8

I'm trying to have users in VLAN8 access the Internet via the 2800.

Are your instructions for what I'm trying to do?
Your current config:

2800 - main VLAN
     - other VLAN

to

2800 - main VLAN - ASA (running NAT)
     - second VLAN

or

Internet - ASA (running NAT) - main VLAN - 2800 - second VLAN

The router then acts as an internal-only router and doesn't need NAT.

Although the ASA can run routing protocols, this is more to determine what route to send a packet to, but it isn't a router...
current config and ultimately wanting to do...

Internet - 2800 - ASA - VLANs

I need to allow users behind the ASA to access the internet via the 2800's T1
Presumably you are running NAT on the 2800.

Presumably, you have a single public address on the T1 side of the 2800 and a block of addresses that you are using for NAT.

You could remove NAT from the 2800, use one of the addresses for its "internal" interface and use the rest on the ASA. This would mean either moving to a flat LAN, or using the ASA for communicating between VLANs.

When your new connection is activated, you simply configure it on the ASA and modify the NAT rules and routing on the ASA.
SOLUTION (members-only)
hitsotntd,

Thank you for doing this. Instead of the public IP addresses between the 2800 and ASA, could I use private IP addresses? Just wondering why it would have to be a public IP address. I will try this as soon as I can.
hitsotntd:

Yes absolutely, just make sure the routes point to the correct interface.
Okay, I've tried this and am unable to get out from a workstation in VLAN8.

My 2800 interface is configured as 10.50.1.2/24
My ASA outside interface is configured as 10.50.1.1/24

I've set the default routes on the ASA as:
route OUTSIDE 0.0.0.0 0.0.0.0 10.50.1.2

The workstations can ping the internal interface but cannot go beyond that. Any ideas?
Can the ASA ping the 2800 interface?
Can the workstation ping the outside interface of the ASA?
Can the 2800 ping the outside interface of the ASA?
Does the 2800 have a route back to VLAN8? This is probably the issue.

The 2800 route should say something like: ip route (VLAN 8 network) 255.255.255.0 10.50.1.1
Also, you can run the command "show xlate" and this will tell you exactly what the internal VLAN8 IP address is being NATed/translated to.
From my workstation, I cannot ping the outside of my ASA (10.50.1.1).

From the ASA, I can ping the outside interface (10.50.1.1) and inside interface (192.168.0.1) of the ASA. I can also ping the internal interface (10.50.1.2) of the 2800 but not the public interface.

When I run the "show xlate" command it returns "0 in use, 0 most used"

From the 2800, I can ping all interfaces on the 2800 as well as the outside interface of the ASA (10.50.1.1) and the inside interface of the ASA (192.168.0.1).
Seems like traffic is not getting past the ASA's default route as it is not showing up with anything with the "show xlate" command. Any other ideas?
oh and btw, Mightysampson is me too, I messed up on my username and wanted to change it.
Ok, so you said that the 2800 can ping the inside interface of the ASA? If you have the cabling like we think, you should not be able to ping the inside interface from the 2800 unless you have an ACL allowing it.

Does your workstation have a default gateway of 192.168.0.1?
Can your workstation ping the inside ip address of 192.168.0.1?

Would you mind showing me the output on the ASA from the following commands? You can X.X any info you don't want me to view. I should be able to get this running pretty quickly after seeing these outputs.

Show run access-list
show run access-group
show run nat
show run static
show run interface
show route

Also, how about these outputs on the 2800?

show ip int bri
show ip route
Workstation does have the default gateway as 192.168.0.1 AND can ping it.

On the ASA
Show run access-list:
access-list global_mpc extended permit tcp any any object-group DM_INLINE_TCP_1
Show run access-group:
null
Show run nat:
null
show run static:
null
show run interface:
interface Ethernet0/0
nameif OUTSIDE
security-level 0
ip address 10.50.1.1 255.255.255.0
!
interface Ethernet0/1
nameif INSIDE
security-level 100
ip address 192.168.0.1 255.255.255.0
!
show route:
route OUTSIDE 0.0.0.0 255.255.255.255 10.50.1.2 1
route INSIDE 192.168.1.0 255.255.255.0 192.168.1.1 1

On the 2800
show ip int bri:
FastEthernet0/0.50 10.50.1.2 Yes manual up up
Serial0/0 Public IP Yes NVRAM up up

show ip route:
C 10.50.1.0 is directly connected, FastEthernet0/0.50
S 192.168.0.0/24 [1/0] via 10.50.1.1
S* 0.0.0.0/0 [1/0] via public ip
Well I do see some needed commands,

1. You have no access-group binding your access-list to an interface. The example below binds the access-list global_mpc to the inbound traffic on the outside interface. Do not input this command unless you're absolutely sure you want to. Your current access-list is permitting any TCP traffic to whichever machines are in the object group "DM_INLINE_TCP_1". If you want something from the outside to access something inside, you will use the access-group below and the ACL named "global_mpc" to make that happen.

1a. access-group global_mpc in interface outside

2. There is no NAT configured. Below are the commands to enter.

2a. nat (inside) 1 192.168.0.0 255.255.255.0
      global (outside) 1 {public ip range}

3. Testing

3a. Try pinging 8.8.8.8 from the 2800.
3b. Try pinging 8.8.8.8 from workstation
3c. enter "show xlate" in ASA to see the NATed internal to the external.

Other than those, everything looks good to me. You have all the routing correct. All interfaces are configured correctly. I am sure all you needed was the NATing configured.

Still not sure why you would be able to ping the inside address from the 2800.

Samp
Okay not sure if I need option 1.

I did the 2a command. Question on 2a. global public IP. Is this the IP address of my 2800's WAN interface?

3. Testing results:
3a. OK
3b. No reply
3c. Global 192.168.0.3 Local 192.168.0.3

Workstation still cannot ping 8.8.8.8.

Thanks for all the help. I'm still trying without any success.
No problem at all. We will get this up and running. We are almost there.

Global public IP address is going to be the same range as the serial 0/0 on the 2800.
FYI, it doesn't have to be a range, it can be just 1 public address. Here is an example for a one IP address and a range.

{Many to ONE NAT}
nat (inside) 1 192.168.0.0 255.255.255.0
global (outside) 1 69.85.58.68 255.255.255.255

{Many to Many NAT}
nat (inside) 1 192.168.0.0 255.255.255.0
global (outside) 1 69.85.58.0 255.255.255.0
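As an added example (not posted by any participant above), here is one way to make the private-address co-deployment work end to end: the ASA PATs VLAN8 behind its own outside address, so the 2800 only ever sees 10.50.1.1 and can NAT it like any other inside host. This is the approach hitsotntd confirms is fine with private addresses between the two boxes, and it avoids needing a public pool on the ASA or a route for 192.168.0.0/24 on the 2800. The syntax is the ASA 8.2-style nat/global used in this thread. The following are assumptions: VLAN 50 as the transit VLAN, the ACL name NAT_INSIDE, and the 2800's existing NAT statement referencing Serial0/0 with overload.

```cisco
! ---- ASA 5510 (8.2-style NAT syntax, as used above) ----
interface Ethernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 10.50.1.1 255.255.255.0
!
interface Ethernet0/1
 nameif INSIDE
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
! Default route: network 0.0.0.0 with mask 0.0.0.0 (a 255.255.255.255 mask
! would be a host route for the address 0.0.0.0, not a default route).
route OUTSIDE 0.0.0.0 0.0.0.0 10.50.1.2 1
!
! PAT every INSIDE host behind the OUTSIDE interface address (10.50.1.1).
! The 2800 then sees a single private source and needs no knowledge of
! 192.168.0.0/24, and nothing on the ASA has to change when the outside
! address changes later.
nat (INSIDE) 1 192.168.0.0 255.255.255.0
global (OUTSIDE) 1 interface
!
! Let pings from INSIDE hosts get their echo-reply back through the ASA.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! ---- Cisco 2800 (IOS) ----
! Transit subinterface towards the ASA. VLAN 50 is an assumed ID.
interface FastEthernet0/0.50
 encapsulation dot1Q 50
 ip address 10.50.1.2 255.255.255.0
 ip nat inside
!
! The existing WAN interface keeps its NAT outside role.
interface Serial0/0
 ip nat outside
!
! Include the ASA transit subnet in the router's overload NAT.
! NAT_INSIDE is an assumed name: on the real router, add the permit line
! to whichever ACL the existing "ip nat inside source list ... overload"
! statement already references instead of creating a second statement.
ip access-list standard NAT_INSIDE
 permit 10.50.1.0 0.0.0.255
ip nat inside source list NAT_INSIDE interface Serial0/0 overload
```

Two things to check after applying this. "show xlate" on the ASA should now show VLAN8 hosts translated to 10.50.1.1 rather than the identity entries (Global 192.168.0.3 Local 192.168.0.3) seen earlier in the thread; identity entries mean no nat/global pair matched. On the 2800, the return traffic still has to get past access-list 111 on Serial0/0, which only happens through the dynamic entries CBAC_OUT creates, so CBAC_OUT must inspect the protocols the VLAN8 hosts use (tcp, udp and, for the ping test, icmp); otherwise the replies are dropped by the final "deny ip any any" in ACL 111.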
Okay I configured the global (outside) with the correct public IP and still no luck.

Am I supposed to be able to ping 8.8.8.8 from the ASA? I am not able to. Also, on the 2800 I have the "ip nat outside" command on the S0/0 interface. Wondering if this is preventing traffic coming back into the network. I also have an access-list that is currently configured to allow traffic back in. Would I need to add the 192.168.0.0 network to be allowed back in from the Internet?
SOLUTION (members-only)
Here is what my Serial0/0 is configured as...it's complex because I have production still behind the current router and I'm trying to add the ASA behind it concurrently. Please let me know if I cannot do this and if I have to take everyone off the 2800 and put it behind the ASA in order for this to work. Here is my WAN interface config:

interface Serial0/0
 description WAN Interface
 ip address PUBLICIP 255.255.255.252
 ip access-group 111 in
 ip access-group BLOCK_CS out
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip inspect CBAC_OUT out
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 crypto map SDM_CMAP_1
In the above config, I did take out the command ip nat outside but only do this when I test the workstation trying to ping 8.8.8.8.
Let me lab this up. I will get back to you on what will need to be done soon. I will then provide you with configs to be entered.

When you test, what are you getting with the "show xlate" command?

Is your public address on S0/0 the only external address you have?

Also, can you provide me with the access-list you have on the s0/0 interface?
On the ASA, show xlate:
2 in use, 2 most used
Global 192.168.0.2 Local 192.168.0.2
Global 192.168.0.3 Local 192.168.0.3

Actually I have a secondary public IP address but didn't think it would affect. Here it is anyway:
ip address PUBLICIP 255.255.255.248 secondary (I believe the ISP have created a static route on their end)

Access-list 111 is:

Extended IP access list 111
    10 permit tcp host X.X.X.X host PUBLICIP eq smtp
    20 permit tcp any host PUBLICIP eq www
    30 permit tcp any host PUBLICIP eq 443
    60 permit udp any host PUBLICIP eq domain
    70 permit ahp any host PUBLICIP
    80 permit esp any host PUBLICIP
    90 permit udp any host PUBLICIP eq isakmp
    100 permit udp any host PUBLICIP eq non500-isakmp
    110 permit icmp any host PUBLICIP echo-reply
    120 permit icmp any host PUBLICIP time-exceeded
    130 permit icmp any host PUBLICIP unreachable
    140 deny ip 10.0.0.0 0.255.255.255 any log-input
    150 deny ip 172.16.0.0 0.15.255.255 any log-input
    160 deny ip 192.168.0.0 0.0.255.255 any log-input
    170 deny ip 127.0.0.0 0.255.255.255 any log-input
    180 deny ip host 255.255.255.255 any log-input
    190 deny ip host 0.0.0.0 any log-input
    200 deny ip any any log-input
I completed the lab and you are not going to be able to have your topology the way it currently is.

You would need to turn off the inspection on your 2800 for the traffic to flow as expected.

You will probably want to set up a separate topology for testing your new ASA. You can do this by setting up the ASA's outside interface with an IP address in your external range. Then you could put a switch between your ISP device and the 2800 (this will require downtime). With the switch in place, you could have both the ASA and the 2800 connected to the switch and communicating with the ISP, and test freely on the ASA.

The end result is, the ASA will replace the 2800 as the firewall/inspection device and the 2800 will be your edge/peering device.

Samp
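As an added example (not posted by any participant above), here is what the ASA's edge-facing configuration looks like once it sits directly on an Ethernet handoff from the ISP, as in the parallel-topology test above and at the final cutover. The point is that only the outside address, the default route and the inbound policy change; the nat/global pair stays as it was, and the ASA takes over the edge hardening the 2800 was doing with uRPF, CBAC and access-list 111. The public addresses (198.51.100.0/29, gateway 198.51.100.1) are assumed placeholders from the documentation range, the mail server address 192.168.0.10 is hypothetical, and X.X.X.X stands for the single SMTP sender already masked in ACL 111.

```cisco
! ---- ASA 5510 once it is on the ISP's Ethernet handoff ----
interface Ethernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 198.51.100.2 255.255.255.248
!
! Default route now points at the ISP gateway instead of the 2800.
route OUTSIDE 0.0.0.0 0.0.0.0 198.51.100.1 1
!
! Unchanged from the co-deployment: PAT behind whatever address OUTSIDE has.
nat (INSIDE) 1 192.168.0.0 255.255.255.0
global (OUTSIDE) 1 interface
!
! Anti-spoofing, the ASA equivalent of "ip verify unicast reverse-path"
! on the 2800's Serial0/0.
ip verify reverse-path interface OUTSIDE
!
! Return traffic for sessions started from INSIDE is handled by the
! stateful inspection, so the inbound ACL only needs the published
! services. This carries over ACL 111 line 10 (SMTP from one sender);
! 192.168.0.10 is a hypothetical mail server address.
static (INSIDE,OUTSIDE) tcp interface smtp 192.168.0.10 smtp netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp host X.X.X.X interface OUTSIDE eq smtp
! Everything else unsolicited from the Internet is dropped and logged,
! which replaces the RFC1918/bogon denies and the final deny in ACL 111.
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface OUTSIDE
!
! ICMP replies to pings from INSIDE hosts come back through inspection,
! so no inbound echo-reply/time-exceeded/unreachable permits are needed.
policy-map global_policy
 class inspection_default
  inspect icmp
```

The remaining lines of ACL 111 (www, 443, DNS, and the AH/ESP/ISAKMP permits for the site-to-site VPN under SDM_CMAP_1) would each need their own static translation and permit in OUTSIDE_IN, or, for the VPN, an equivalent crypto configuration on the ASA; they are left out here because the thread does not show the servers behind them.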
Any progress?
Yup, ArneLovius stated the correct answer from the very beginning. He should get the points.
Thanks for all your assistance. I will end up changing the config on the 2800 when we change ISPs. I cannot do it now but will use the info from this thread to get it working. Thanks again!