Solved

Cisco 5510 ASA route 2 subnets through same inside interface

Posted on 2010-11-08
Medium Priority
906 Views
Last Modified: 2012-05-10
Hello fellow experts! I need some advice on a problem I have. My network is running out of IPs and after evaluating the different ways to create more IPs I decided to add a new subnet. We have a Cisco ASA 5510 and some 3com Layer 3 switches. We decided not to use VLANs to achieve routing between the 2 subnets. We added a secondary IP to the 3com switch. We know we have to change the gateway of any device on the original subnet (which is currently the ASA) to the IP of the 3com switch in order to achieve proper internal routing between the subnets. Here are the specifics of the network below.

Cisco ASA:
Inside interface: 192.168.0.1/24

3com 5500G:
IP: 192.168.0.10/24
2nd IP: 192.168.2.10/24

We have tested routing through the 3com by connecting a workstation to it and manually assigning it an IP of 192.168.2.99 with 192.168.2.10 as the gateway and another with 192.168.0.99 with 192.168.0.10 as its gateway. Traffic goes through fine.

The problem I have is on the Cisco side. It still routes the 192.168.0.0/24 subnet fine with access to the internet and our other sites in different countries (site-to-site VPNs). The new 192.168.2.0/24 subnet does not seem to have outside access. Since the 3com switch was able to route traffic to a laptop in the 192.168.0.0/24 network it would also reason that it would route to the ASA (same subnet). Obviously all of these devices are connected to the 3com switch directly. So I must be missing something on the ASA.

I have added a dynamic NAT rule on the inside interface to allow traffic from the 192.168.2.0/24 subnet to be translated to the outside interface, just as there is one already there for the 192.168.0.0/24 subnet. I am currently working on my CCENT/CCNA so I am somewhat of a novice when it comes to this; can another expert point out what I am missing? Also I cannot ping the ASA from the laptop on the 192.168.2.0/24 subnet.

Thanks, Marco.
0
Question by:EvaUnit01
13 Comments
 
LVL 14

Expert Comment

by:SIM50
ID: 34084485
Did you set default route in L3 switch to point to 192.168.0.1 on ASA?
0
 
LVL 3

Author Comment

by:EvaUnit01
ID: 34084612
Yes, there is a default route on there; it was already placed. Here is the full routing table on the switch.

dest ip        mask               next hop       interface
0.0.0.0        0.0.0.0            192.168.0.1    vlan-interface1
127.0.0.1      255.0.0.0          127.0.0.1      inloopback0
127.0.0.1      255.255.255.255    127.0.0.1      inloopback0
192.168.0.0    255.255.255.0      192.168.0.10   vlan-interface1
192.168.0.10   255.255.255.255    127.0.0.1      inloopback0
192.168.2.0    255.255.255.0      192.168.2.10   vlan-interface1
192.168.2.10   255.255.255.255    127.0.0.1      inloopback0

Also if this was not placed the laptop we tested (ip: 192.168.0.99 with a gateway of 192.168.0.10) would not have internet access.
0
 
LVL 14

Expert Comment

by:SIM50
ID: 34084723
On your ASA, do you have a route for 192.168.2.0/24 pointing to the switch?
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 3

Author Comment

by:EvaUnit01
ID: 34085307
I created a NAT exemption rule on the inside interface stating source 192.168.0.0/24 to destination 192.168.2.0/24. I don't have one going the other way around. I checked the routes by going into the CLI: it does not show any routes for the 192.168.2.0 network.
0
 
LVL 3

Author Comment

by:EvaUnit01
ID: 34085356
The command I entered was "show route"; it only shows some static routes (for our client VPN access) and 2 connected routes for the interfaces (Outside and Inside).
0
 
LVL 3

Author Comment

by:EvaUnit01
ID: 34085490
Also do I want a route on the ASA for 192.168.2.0/24 pointing to the switch? I want to make sure that subnet can access the outside interface (internet access) as well.
0
 
LVL 14

Accepted Solution

by:SIM50 (earned 2000 total points)
ID: 34085498
It looks like your firewall doesn't know about your 192.168.2.0 network. It knows about 192.168.1.0 since it is directly connected to it. Can you put in a static route for 192.168.2.0 to send it to 192.168.0.10?

You said you've created dynamic NAT for 192.168.2.0. You don't need another NAT exempt rule since your switch will take care of routing between VLANs.

0
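The accepted solution written out as ASA configuration, added here as a worked example; it is not taken from the asker's or SIM50's posts. It uses the pre-8.3 NAT syntax a 2010-era ASA 5510 would run and the addresses from the question; the inside ACL name `inside_access_in`, the test host 192.168.2.99 and the destination 203.0.113.1 are assumptions, and the ACL lines only apply if an access-list is already bound to the inside interface (adjust them to the existing policy).

```cisco
! Added example (not from the thread). Pre-8.3 ASA syntax; LAN addresses from the question.
!
! 1. Static route. "show route" on the ASA lists only connected and client-VPN
!    routes, so 192.168.2.0/24 is unknown and replies to it follow the default
!    route out "outside". Point it at the 3Com's address on the inside segment.
route inside 192.168.2.0 255.255.255.0 192.168.0.10 1
!
! 2. Dynamic PAT for both inside subnets to the outside interface address.
!    The 192.168.0.0/24 line should already exist; the second line is the new one.
nat (inside) 1 192.168.0.0 255.255.255.0
nat (inside) 1 192.168.2.0 255.255.255.0
global (outside) 1 interface
!
! 3. Only if an ACL is applied inbound on "inside" (name assumed): it has to
!    permit the new subnet too, otherwise the ACL, not routing, drops the traffic.
access-list inside_access_in extended permit ip 192.168.2.0 255.255.255.0 any
access-group inside_access_in in interface inside
!
! Verification (assumed test host and destination). packet-tracer walks the
! packet through route lookup, ACL and NAT and names the phase that drops it.
show route
ping inside 192.168.2.99
packet-tracer input inside tcp 192.168.2.99 40000 203.0.113.1 80
```

One caveat for the period before the gateways are changed: a 192.168.0.0/24 host that still uses the ASA as its gateway sends its 192.168.2.0/24 traffic to the ASA, which would have to hairpin it back out the inside interface; the ASA drops intra-interface traffic by default, and even with `same-security-traffic permit intra-interface` the return path goes straight through the 3Com, so the ASA sees only one direction of each TCP flow and drops it as out-of-state. Moving the hosts' gateway to the 3Com, as the asker plans, is the real fix.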
 
LVL 33

Expert Comment

by:MikeKane
ID: 34085521
Can you post the sanitized config of the ASA?

If the ASA can ping a device on the 192.168.2.0 network, then routes are fine. I'm guessing you may have an access list or outbound NAT setup to allow only the original subnet. Having a peek at the code will quickly identify or rule out that possibility.


0
 
LVL 3

Author Comment

by:EvaUnit01
ID: 34085718
I added the static route and I was able to access the internet. I still cannot access my other sites which are connected via site to site vpn. I will recheck my crypto map setups.
0
 
LVL 14

Expert Comment

by:SIM50
ID: 34085756
For site-to-site VPNs, you need to modify the encryption domain to include the new subnet and access-lists. Also, don't forget to do it on both sides of the site-to-site VPN, local and remote. Otherwise, the VPN will not come up.
0
 
LVL 14

Expert Comment

by:SIM50
ID: 34085773
Forgot to add, you will need to create a NAT exempt for 192.168.2.0 to go to the remote networks.
0
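The VPN changes SIM50 describes in the two comments above, written out as an added example that is not part of the thread. Assumed: the remote site LAN is 10.10.0.0/24, the crypto map is `outside_map` entry 10 with crypto ACL `outside_cryptomap_10`, the NAT exemption ACL is `inside_nat0_outbound`, and the remote firewall is also an ASA (any other vendor must still mirror the same proxy identities).

```cisco
! Added example (not from the thread). ACL names, map name and 10.10.0.0/24 are assumed.
!
! === Local ASA (inside = 192.168.0.0/24 and 192.168.2.0/24) ===
! Crypto ACL = encryption domain. Add the new subnet beside the existing line;
! each line becomes its own IPsec SA pair with its own proxy identities.
access-list outside_cryptomap_10 extended permit ip 192.168.0.0 255.255.255.0 10.10.0.0 255.255.255.0
access-list outside_cryptomap_10 extended permit ip 192.168.2.0 255.255.255.0 10.10.0.0 255.255.255.0
crypto map outside_map 10 match address outside_cryptomap_10
!
! NAT exemption. Pre-8.3 NAT runs before the crypto map is evaluated, so without
! this line 192.168.2.x is PATed to the outside address and never matches the tunnel.
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 10.10.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 10.10.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!
! === Remote ASA (inside = 10.10.0.0/24) === exact mirror image; a proxy-ID
! mismatch fails phase 2 for that subnet pair even though phase 1 is up.
access-list outside_cryptomap_10 extended permit ip 10.10.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_cryptomap_10 extended permit ip 10.10.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.0.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!
! Verification on either side: the 192.168.2.0 local/remote identities must show up.
show crypto ipsec sa | include ident
```

The static route for 192.168.2.0/24 from the accepted solution must already be in place on the local ASA; the tunnel's return traffic is routed before it is decrypted back onto the inside segment.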
 
LVL 3

Author Comment

by:EvaUnit01
ID: 34086026
Yeah, I just figured that out; my crypto maps were fine. I forgot to add the NAT exemption to my remote sites. Once I did, it began to work fine.

Alright, now time to create a plan for changing the gateway on about 15 servers and an additional dozen or so peripherals, not to mention DHCP!

Thank you SIM50, you saved me lots of time! I really need to finish studying and get my CCNA. I was able to logically figure things out with my current knowledge of networking, but if I were a proper CCNA I wouldn't need to ask for help. I could help others! Points will be awarded.
0
 
LVL 3

Author Closing Comment

by:EvaUnit01
ID: 34086140
Thank you!
0
