We help IT Professionals succeed at work.

Cisco 5510 ASA route 2 subnets through same inside interface

980 Views
Last Modified: 2012-05-10
Hello fellow experts! I need some advice on a problem I have. My network is running out of IPs and after evaluating the different ways to create more IPs I decided to add a new subnet. We have a Cisco ASA 5510 and some 3com Layer 3 switches. We decided not to use Vlans to achieve routing between to the 2 subnets. We added a secondary IP to the 3com switch. We know we have to change the gateway of any device on the original subnet (is now currently the ASA) to the IP of the 3com switch in order to achieve proper internal routing between to the subnets. Here are the specifics of the network below.

Cisco ASA:
Inside interface: 192.168.0.1/24

3com 5500G:
IP: 192.168.0.10/24
2nd IP: 192.168.2.10/24

We have tested routing through the 3com by connecting a workstation to it and manually assigning it an IP of 192.168.2.99 with 192.168.2.10 as the gateway and another with 192.168.0.99 with 192.168.0.10 as its gateway. Traffic goes through fine.

The problem I have is on the Cisco side. It still routes the 192.168.0.0/24 subnet fine with access to the internet and our other sites in different countries(site to site VPNs). The new 192.168.2.0/24 subnet does not seem to have outside access. Since the 3com switch was able to route traffic to a laptop in the 192.168.0.0/24 network it would also reason that it would route to the ASA(same subnet). Obviously all of these devices are connected to the 3com switch directly. So I must be missing something on the ASA.

I have added a dynamic NAT rule on the inside interface to allow traffic from the 192.168.2.0/24 subnet to be translated to the outside interface. Just as there is one already on their for the 192.168.0.0/24 subnet. I am currently working on my ccent/ccna so I am somewhat novice when it comes to this, can another expert point out what I am missing? Also I cannot ping the ASA from the laptop on the 192.168.2.0/24 subnet.

Thanks, Marco.
Comment
Watch Question

Commented:
Did you set default route in L3 switch to point to 192.168.0.1 on ASA?

Author

Commented:
yes there is a default route on there, it was already placed. Here is the full routing table on the switch.

dest ip         mask                            next hop            interface
0.0.0.0.        0.0.0.0.                        192.168.0.1       vlan-interface1
127.0.0.1     255.0.0.0                     127.0.0.1           inloopback0
127.0.0.1     255.255.255.255         127.0.0.1           inloopback0
192.168.0.0   255.255.255.0          192.168.0.10     vlan-interface1
192.168.0.10  255.255.255.255     127.0.0.1           inloopback0
192.168.2.0   255.255.255.0           192.168.2.10     vlan-interface1
192.168.2.10   255.255.255.255     127.0.0.1           inloopback0

Also if this was not placed the laptop we tested (ip: 192.168.0.99 with a gateway of 192.168.0.10) would not have internet access.

Commented:
On your ASA, do you have a route for 192.168.2.0/24 pointing to the switch?

Author

Commented:
I created a nat exemption rule on the inside interface stating, source: 192.168.0.0/24 to destination 192.168.2.0/24. I don't have one going the other way around. I checked the routes by going into the CLI: it does not show any routes for the 192.168.2.0 network.

Author

Commented:
the command I entered was "show route" it only shows some static routes ( for our vlient vpn access) and 2 connected routes for the interfaces (Outside and Inside)

Author

Commented:
Also do I want a route on the ASA for 192.168.2.0/24 pointing to the switch? I want to make sure that subnet can access the outside interface (internet access) as well.
Commented:
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION
Top Expert 2010

Commented:
Can you post the sanitized config of the ASA?    

If the ASA can ping a device on the 192.168.2.0 network, then routes are fine.    I'm guessing you may have an access list or outbound NAT setup to allow only the original subnet.  Having a peek at the code will quickly identify or rule out that possibility.


Author

Commented:
I added the static route and I was able to access the internet. I still cannot access my other sites which are connected via site to site vpn. I will recheck my crypto map setups.

Commented:
For site-to-site VPN's, you need to modify encryption domain to include the new subnet and access-lists. Also, don't forget to do it on both sides of site-to-site VPN, local and remote. Otherwise, VPN will not come up.

Commented:
Forgot to add, you will need to create NAT exampt for 192.168.2.0 to go remote networks.

Author

Commented:
Yeah, I just figured that out, my crypto maps were fine. I forgot to add the NAT exemption to my remote sites. Once I did it began to work fine.

Alright now time to create a plan for changing the gateway on about 15 servers and additional dozen or so peripherals, not to mention DHCP!

Thank you SIM50, you saved me lots of time! I really need to finish studying and get my CCNA. I was able to logically figure things out with my current knowledge of networking, but if I were a proper CCNA I wouldn't need to ask for help. I could help others! points will be awarded.

Author

Commented:
Thank you!
Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.