Solved

cisco asa 5505 routing internal subnets - recommend a router for me

Posted on 2010-09-02
3
1,367 Views
Last Modified: 2012-05-10
I've got a customer who had another consultant swap out their Watchguard Firebox for a Cisco ASA 5510. This customer has 2 subnets behind an internal wireless network that also need to be routed. The consultant who set it up could not get the ASA to route packets back to the two subnets behind the wireless, so he ended up switching the default gateway for the whole organization to the wireless router that was handling the site-to-site wifi, and having it route back to the ASA for internet traffic.

This made the wireless unstable, as the device was not designed to handle that much traffic. I got called in to clean up the mess, and so what I did was put dd-wrt on a Linksys BEFSR41. It was a simple test, and I made that device the router, and had it hand off to the ASA, and put the wireless behind it. This fixed the problem, but the little Linksys has introduced a delay to the network.

I know that PIXs could not route internal subnets, and I am assuming this is still the case with an ASA. So what device can I get that is fairly inexpensive and will route to the ASA and the two other subnets behind the wireless?


Thanks!
Justin
Question by:justinb67
3 Comments
 
LVL 79

Accepted Solution

by: lrmoore (earned 500 total points)
ID: 33592078
You can do it on the ASA.

same-security-traffic permit intra-interface
!
! Identity translation so hairpinned traffic is not NATed (ASA 8.2-style syntax)
static (inside,inside) <network A> <network A> netmask 255.255.255.0
static (inside,inside) <network B> <network B> netmask 255.255.255.0
!
! Send the two subnets to the internal router via the inside interface
route inside <network A> 255.255.255.0 <router IP>
route inside <network B> 255.255.255.0 <router IP>
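A complete version of this hairpin configuration, as an added example that is not part of lrmoore's answer or the asker's config. All addresses are constructed: the ASA 5510 inside interface is assumed to be Ethernet0/1 at 10.0.0.1/24, the internal wireless router is 10.0.0.254, and the two subnets behind it are 10.0.1.0/24 and 10.0.2.0/24. The syntax is the pre-8.3 (ASA 8.2) form used in the thread; the nonat exemption at the end is the piece the asker reports having had to add.

```cisco
! Constructed example, ASA 8.2-style syntax; interface name and addresses are assumptions
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! Let a packet leave through the same interface it arrived on (hairpinning)
same-security-traffic permit intra-interface
!
! The two remote subnets sit behind the internal router at 10.0.0.254
route inside 10.0.1.0 255.255.255.0 10.0.0.254 1
route inside 10.0.2.0 255.255.255.0 10.0.0.254 1
!
! Identity statics: hairpinned traffic to those subnets keeps its real addresses
static (inside,inside) 10.0.1.0 10.0.1.0 netmask 255.255.255.0
static (inside,inside) 10.0.2.0 10.0.2.0 netmask 255.255.255.0
!
! NAT exemption for LAN <-> remote subnet traffic in both directions, so an
! existing dynamic rule such as "nat (inside) 1 0.0.0.0 0.0.0.0" never catches it
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list nonat extended permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list nonat extended permit ip 10.0.2.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list nonat
```

To check the result without touching a client, `show route` should list both subnets via 10.0.0.254, and `packet-tracer input inside icmp 10.0.0.50 8 0 10.0.1.50` walks a constructed ping through route lookup, NAT and access-list phases and reports whether it would be allowed. One thing to keep in mind: the internal router sits on the same segment as the LAN hosts, so replies from the remote subnets can reach hosts directly without passing the ASA. After a test TCP connection, `show conn` tells you whether the ASA is seeing both directions; if TCP sessions stall while ping works, that asymmetric return path is the first thing to look at.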
 
LVL 2

Expert Comment

by:cmonteith
ID: 33597671
lrmoore hit it right on the head.  Do that and you can route those subnets back to an internal router.

Now if you don't have an inside router, or simply wish to have those other subnets somewhat segregated from your other LAN traffic, another option would be to spin up additional interfaces on the ASA, one for each subnet. Then allow the ASA to actually be the router for each subnet.

You can even then assign the same security number to those new interfaces as your inside and use the command "same-security-traffic permit inter-interface" to allow the traffic to flow between the interfaces without the need to be granular on what traffic. You'll likely also need to exempt the NAT traffic between interfaces. If you need info on any of that just post and we can tell ya how; otherwise if you're using an internal router for those other subnets just run with it.
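The separate-interface alternative described in this comment, written out as an added example that is not cmonteith's own config. It assumes the two wireless subnets can be cabled to ASA ports Ethernet0/2 and Ethernet0/3 so the ASA itself becomes their gateway, uses the same constructed numbering as above (LAN 10.0.0.0/24 on inside, 10.0.1.0/24 and 10.0.2.0/24 for the two subnets), and keeps the ASA 8.2-style syntax of the thread; the interface names wifi-a and wifi-b are invented.

```cisco
! Constructed example, ASA 8.2-style syntax; ports, names and addresses are assumptions
interface Ethernet0/2
 nameif wifi-a
 security-level 100
 ip address 10.0.1.1 255.255.255.0
!
interface Ethernet0/3
 nameif wifi-b
 security-level 100
 ip address 10.0.2.1 255.255.255.0
!
! inside, wifi-a and wifi-b all sit at security-level 100; allow traffic between
! them without writing a per-pair access-list
same-security-traffic permit inter-interface
!
! NAT exemption on each interface so LAN <-> wifi traffic passes untranslated in
! either direction, even though each interface also carries a dynamic rule for the internet
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
nat (inside) 0 access-list nonat
!
access-list nonat_wifi_a extended permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list nonat_wifi_a extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
nat (wifi-a) 0 access-list nonat_wifi_a
!
access-list nonat_wifi_b extended permit ip 10.0.2.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list nonat_wifi_b extended permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
nat (wifi-b) 0 access-list nonat_wifi_b
!
! Internet access for the new subnets through the existing outside PAT (global id 1)
nat (wifi-a) 1 10.0.1.0 255.255.255.0
nat (wifi-b) 1 10.0.2.0 255.255.255.0
```

With this layout the ASA sees both directions of every flow between the LAN and the wireless subnets, which is the main advantage over hairpinning through an internal router: the stateful inspection works as intended and any later per-subnet access-list applies cleanly. Before committing to it, confirm the unit has enough usable ports and that its license allows the extra routed interfaces, since that varies by model and license level.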
 

Author Closing Comment

by:justinb67
ID: 33598367
That worked fantastic. The static command was actually static (inside)  mask 1

I already had all of those commands in because we have a funky VPN and port forwarding inbound that routes to the remote subnets. But I also had to put in some rules in the nonat ACL to get it working. I just put in from  to  and vice-versa for both subnets.

Thanks for the help!
Justin