Dual LAN, Dual WAN, procurve routing

I have an interesting network setup here and, due to cost sharing issues among other things, I cannot change the physical or logical layout of the network, so I need to get this working as shown here.

There are 2 LANs
1) HRI 192.168.45.0 /24
2) DEED 192.168.124.0 /24

There are two WANs (IPs are fake)
1) 1.1.1.1 / 1.1.1.2 (VSAT)
2) 2.1.1.1 (MICROWAVE)

There are two ASA
1) ASA 5510 (ON HRI LAN)
2) ASA 5505 (ON DEED LAN)

The HRI ASA is using the 2.1.1.1 internet connection with a fail over to 1.1.1.2 (this works no problem)

The DEED network must use the 1.1.1.1 public IP for internet, this is configured and working
The HRI network must use the 2.1.1.1 or 1.1.1.2 public IP for internet, again this is configured and working

I have a ProCurve 2910al-24G switch connected to each LAN
VLAN1 192.168.45.254 (can be pinged from HRI LAN)
VLAN2 192.168.124.254 (can be pinged from DEED LAN)

I want to do the routing between the VLANS on the 2910 but I can move it to the two ASAs if needed

I will accept either guidance on what needs to be done or exact configuration commands.

eb
HRI-Network.bmp
Erik Bjers, Principal Systems Administrator, asked:

Erik Bjers, Principal Systems Administrator (Author), commented:
Just wanted to let everyone know I figured out one way to do it by creating a VPN between the outside int on the 5505 and the failover int on the 5510.

I will leave this open for the next week to see if anyone else has any other ideas on the matter that may work better. Otherwise I will ask to accept this as the answer or delete the question.

eb
bbao, IT Consultant, commented:
hi ebjers

i don't quite understand what you illustrated in the diagram, as the descriptive text seems inconsistent with the labels in the diagram, e.g. eth4 and the two public IPs do not exist in the diagram, the 2910's IP for VLAN2 is not valid for VLAN2's IP subnet, etc.

however, i reckon i can know your basic requirement: to enable routing between VLAN1 and VLAN2. am i right?

> I want to do the routing between the VLANS on the 2910
> but I can move it to the two ASAs if needed

"VLANS" refers to the VLANs connecting to the 2910al-24G switch? additionally, the switch may be moved to connect ASA5505 and ASA5510, and you hope the configuration can be kept or reused. am i right?

i assume:

1. the 2910al-24G switch has been configured to support routing between VLAN1 and VLAN2.
2. the default gateway of client computers on VLAN1 is ASA5505, say 192.168.124.1.
3. the default gateway for VLAN2 is ASA5510, say 192.168.45.1.

OK, if the answers are all YES, then basically there are TWO approaches for you.

1. the FIREWALL based solution

add one more static routing item on ASA5505 to send all traffic for VLAN2 to 2910, it looks like this:

192.168.45.0 255.255.255.0 192.168.124.254 metric 1

add one more static routing item on ASA5510 to send all traffic for VLAN1 to 2910, it looks like this:

192.168.124.0 255.255.255.0 192.168.45.254 metric 1

as a result, all hosts on VLAN1 and VLAN2 can PING each other through the ProCurve switch via the two ASAs (of course, the computers' firewall should allow PING). the inter-VLAN traffic does not go through any external network (such as the 1.1.1.0 subnet).

this approach also allows you to transparently move the ProCurve switch to directly connect the two ASAs. the clients won't be aware of this change. in this case, you need to define two more subnets for each ASA connecting to the ProCurve switch. the routing table should be updated as well, but it is still similar to the above.

NOTE: if you don't have any security policy applied on 2910al-24G, and only use it as a L3 routing switch for ONLY two subnets, why don't you connect the two ASAs by a single cross-over cable??

2. the CLIENT based solution

if for some reason you can't change the routing table of the two ASAs, and you have a DHCP server for each VLAN, you may add one more DHCP option on each DHCP server. the DHCP option is for routing, which adds one more gateway to the client's routing table. it should look like these:

for VLAN1:

192.168.45.0 255.255.255.0 192.168.124.254 metric 1

for VLAN2:

192.168.124.0 255.255.255.0 192.168.45.254 metric 1

in this approach, all client computers use DHCP to obtain their IPs and the routing table, so they will know where to send their packets to the other internal VLAN. therefore, they don't need any help from the default (central) gateway.

due to the limitation of this approach, you need to update the DHCP options if you move the 2910 to the middle of the two ASAs.

does it make sense?

hope it helps
bbao
Erik Bjers, Principal Systems Administrator (Author), commented:
bbao,

Thanks for the input, I see where I made the mistakes on my diagram that had you a little confused.
First, I removed the actual public IP addresses to keep them private but I guess I forgot to change the gateway addresses I showed in the text, and Eth4 should have been Eth3. Anyway, I have corrected and reattached the diagram.

Please note that the public IPs shown are not real but at least now everything should be consistent in the diagram.


1. the 2910al-24G switch has been configured to support routing between VLAN1 and VLAN2.
A) The 2910's primary function is on VLAN2, though it has a connection to both VLANs. As of right now, nothing other than creating the VLANs and setting the IPs for the VLANs has been done; no other configuration has been done.

2. the default gateway of client computers on VLAN1 is ASA5505, say 192.168.124.1.
A) Yes

3. the default gateway for VLAN2 is ASA5510, say 192.168.45.1.
A) Yes

In option 1 you ask why I don't just connect the two ASAs with a crossover cable. I am assuming that to do this I would need to have an interface for one of the VLANs on each ASA. The 5505 is not a Sec+ so I cannot do it on this one; I guess I could use the management port on the 5510 and put it on VLAN1 (.124) then configure routing there.

Option 2
I was not aware that I could assign multiple routes in DHCP.  I think if I get the routing configured correctly on the 2910 this will be the best option as it will keep the load off the ASAs and on the switch where it belongs.

eb
bbao, IT Consultant, commented:
> Anyway I have corrected and reattached the diagram.

the newly downloaded diagram is the same as the older version.

> I was not aware that I could assign multiple routes in DHCP.

this can be done by applying DHCP Option 33 which is defined by RFC 2132 (http://www.ietf.org/rfc/rfc2132.txt).

some vendors do support this specification, including Cisco and Microsoft. check the following links for more official information about MS support on RFC 2132.

DHCP options of Windows Server 2003
http://technet.microsoft.com/en-us/library/cc787895(WS.10).aspx

DHCP Tools and Options of Windows Server 2008
http://technet.microsoft.com/en-us/library/dd145324(WS.10).aspx

Configuring IP Routing and DHCP Services for Cisco FWSM
http://www1.cisco.com/en/US/docs/security/fwsm/fwsm41/configuration/guide/ip_f.pdf

> it will keep the load off the ASAs and on the switch where it belongs

yes, that's the performance advantage of Option 2. so you probably no longer need the VPN based solution? :-))

hope it helps,
bbao
Erik Bjers, Principal Systems Administrator (Author), commented:
I will post the diagram again; I may have accidentally uploaded the same one and not the edited version.

The VPN solution was done to get things running right away so I could work. I will change DHCP in the morning and try routing this way.

Eb
Erik Bjers, Principal Systems Administrator (Author), commented:
Here it is again, this time it is the updated diagram.

eb
HRI-Network-2.bmp
Erik Bjers, Principal Systems Administrator (Author), commented:
I got it working, but I used option 249 and not option 33. Option 33 only lets me set gateway addresses for /32 devices (a single computer), but with option 249 I could create a route to the network. This, plus using ROUTE ADD to add persistent routes to my servers that use static IPs, and the routing was set.

After that all I had to do was enable IP routing on the 2910 and all was good, and now my ping response is >1ms and not 15 - 30ms like it was with the VPN solution.

Thanks again for the assistance.

eb
bbao, IT Consultant, commented:
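To show on the wire why option 33 cannot carry the two /24 routes from this thread while option 249 (and its IANA-standardized twin, option 121, RFC 3442) can, here is an added Python encoder/decoder for both DHCP option formats; it is not code from the thread or from any vendor, and the sample routes are constructed from the addresses given above.

```python
import ipaddress

# Constructed sample routes from the thread, as (destination CIDR, next hop): DEED (VLAN2) clients reach HRI via the 2910's VLAN2 address, HRI (VLAN1) clients reach DEED via its VLAN1 address.
DEED_ROUTES = [("192.168.45.0/24", "192.168.124.254")]
HRI_ROUTES = [("192.168.124.0/24", "192.168.45.254")]

OPTION_STATIC_ROUTE = 33             # RFC 2132 section 5.8: host routes only
OPTION_CLASSLESS_STATIC_ROUTE = 121  # RFC 3442, the IANA-assigned code
OPTION_MS_CLASSLESS_ROUTE = 249      # Microsoft's pre-standard code, same wire format

def encode_option33(routes):
    # Option 33 is a list of 8-byte (destination host, router) pairs with no mask field, hence /32 only.
    payload = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest)
        if net.prefixlen != 32:
            raise ValueError(f"option 33 cannot express a network route: {dest}")
        payload += net.network_address.packed + ipaddress.IPv4Address(router).packed
    return bytes([OPTION_STATIC_ROUTE, len(payload)]) + bytes(payload)

def encode_classless_routes(routes, code=OPTION_MS_CLASSLESS_ROUTE):
    # Each entry: prefix length, only the significant destination octets, then the router.
    payload = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest, strict=True)  # rejects host bits set in dest
        sig = (net.prefixlen + 7) // 8
        payload.append(net.prefixlen)
        payload += net.network_address.packed[:sig]
        payload += ipaddress.IPv4Address(router).packed
    if len(payload) > 255:
        raise ValueError("a single DHCP option payload is limited to 255 bytes")
    return bytes([code, len(payload)]) + bytes(payload)

def decode_classless_routes(data):
    # Parse one option TLV back into (code, [(cidr, router)]), refusing malformed input.
    code, length = data[0], data[1]
    body = data[2:2 + length]
    if len(body) != length:
        raise ValueError("option length exceeds available bytes")
    routes, i = [], 0
    while i < len(body):
        plen = body[i]
        sig = (plen + 7) // 8
        dest, router = body[i + 1:i + 1 + sig], body[i + 1 + sig:i + 5 + sig]
        if len(dest) != sig or len(router) != 4:
            raise ValueError("truncated route entry")
        net = ipaddress.IPv4Network((dest.ljust(4, b"\x00"), plen))  # raises on bad prefix
        routes.append((str(net), str(ipaddress.IPv4Address(router))))
        i += 5 + sig
    return code, routes
```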
glad to help. :-)
bbao, IT Consultant, commented:
and thanks for correcting me regarding the DHCP option number.