• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1375
  • Last Modified:

cisco asa 5505 routing internal subnets - recommend a router for me

I've got a customer who had another consultant swap out their Watchguard Firebox for a Cisco ASA 5510.  This customer has 2 subnets behind an internal wireless network that also need to be routed. The consultant who set it up could not get the ASA to route packets back to the two subnets behind the wireless, so he ended up switching the default gateway for the whole organization to the wireless router that was handline the site-to-site wifi, and having it route back to the asa for internet traffic.

This made the wireless unstable, as the device was not designed to handle that much traffic.  I got called in to cleanup the mess, and so what I did was put dd-wrt on a linksys befsr41.  It was a simple test, and I made that device the router, and had it hand off to the ASA, and put the wireless behind it.  This fixed the problem, but the little linksys has introduced a delay to the network.

I know that PIXs could not route internal subnets, and I am assuming this is still the case with an ASA.  So what device can I get that is fairly inexpensive and will route to the asa and the two other subnets behind the wireless?


Thanks!
Justin
0
justinb67
Asked:
justinb67
1 Solution
 
lrmooreCommented:
You can do it on the ASA.

same-security-traffic permit intra interface
nat (inside,inside) <network A> <network A> mask 255.255.255.0
nat (inside,inside) <network B> <network B> mask 255.255.255.0

route inside <network A> 255.255.255.0 <router IP>
route inside <network B> 255.255.255.0 <router IP>
0
 
cmonteithCommented:
lrmoore hit it right on the head.  Do that and you can route those subnets back to an internal router.

Now if you don't have an inside router, or simply wish to have those other subnets somewhat segregated from your other LAN traffic another option would be to spind up additional interfaces on the ASA, one for each subnet.  Then allow the ASA to actually be the router for each subnet.

You can even then assing the same security number to those new interfaces as your inside and use the command: "same-security-traffic permit inter-interface" to allow the traffic to flow between the interfaces without the need to be granular on what traffic.  You'll likely also need to exempt the NAT traffic between interfaces....if you need info on any of that just post and we can tell ya how...otherwise if you're using an internal router for those other subnets just run with it
0
 
justinb67Author Commented:
that worked fantastic.  The static command was actually staitc (inside)  mask 1

I already had all of those commands in because we have a funky VPN and port forwarding inbound that routes to the remote subnets.  But I also had to put in some rules in the nonat ACL to get it working.  i just put in from  to  and vice-versa for both subnets.

Thanks for the help!
Justin
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now