Solved

Cisco 5510 ASA route 2 subnets through same inside interface

Posted on 2010-11-08
13
871 Views
Last Modified: 2012-05-10
Hello fellow experts! I need some advice on a problem I have. My network is running out of IPs and after evaluating the different ways to create more IPs I decided to add a new subnet. We have a Cisco ASA 5510 and some 3com Layer 3 switches. We decided not to use Vlans to achieve routing between to the 2 subnets. We added a secondary IP to the 3com switch. We know we have to change the gateway of any device on the original subnet (is now currently the ASA) to the IP of the 3com switch in order to achieve proper internal routing between to the subnets. Here are the specifics of the network below.

Cisco ASA:
Inside interface: 192.168.0.1/24

3com 5500G:
IP: 192.168.0.10/24
2nd IP: 192.168.2.10/24

We have tested routing through the 3com by connecting a workstation to it and manually assigning it an IP of 192.168.2.99 with 192.168.2.10 as the gateway and another with 192.168.0.99 with 192.168.0.10 as its gateway. Traffic goes through fine.

The problem I have is on the Cisco side. It still routes the 192.168.0.0/24 subnet fine with access to the internet and our other sites in different countries(site to site VPNs). The new 192.168.2.0/24 subnet does not seem to have outside access. Since the 3com switch was able to route traffic to a laptop in the 192.168.0.0/24 network it would also reason that it would route to the ASA(same subnet). Obviously all of these devices are connected to the 3com switch directly. So I must be missing something on the ASA.

I have added a dynamic NAT rule on the inside interface to allow traffic from the 192.168.2.0/24 subnet to be translated to the outside interface. Just as there is one already on their for the 192.168.0.0/24 subnet. I am currently working on my ccent/ccna so I am somewhat novice when it comes to this, can another expert point out what I am missing? Also I cannot ping the ASA from the laptop on the 192.168.2.0/24 subnet.

Thanks, Marco.
0
Comment
Question by:EvaUnit01
  • 7
  • 5
13 Comments
 
LVL 13

Expert Comment

by:SIM50
ID: 34084485
Did you set default route in L3 switch to point to 192.168.0.1 on ASA?
0
 
LVL 3

Author Comment

by:EvaUnit01
ID: 34084612
yes there is a default route on there, it was already placed. Here is the full routing table on the switch.

dest ip         mask                            next hop            interface
0.0.0.0.        0.0.0.0.                        192.168.0.1       vlan-interface1
127.0.0.1     255.0.0.0                     127.0.0.1           inloopback0
127.0.0.1     255.255.255.255         127.0.0.1           inloopback0
192.168.0.0   255.255.255.0          192.168.0.10     vlan-interface1
192.168.0.10  255.255.255.255     127.0.0.1           inloopback0
192.168.2.0   255.255.255.0           192.168.2.10     vlan-interface1
192.168.2.10   255.255.255.255     127.0.0.1           inloopback0

Also if this was not placed the laptop we tested (ip: 192.168.0.99 with a gateway of 192.168.0.10) would not have internet access.
0
 
LVL 13

Expert Comment

by:SIM50
ID: 34084723
On your ASA, do you have a route for 192.168.2.0/24 pointing to the switch?
0
 
LVL 3

Author Comment

by:EvaUnit01
ID: 34085307
I created a nat exemption rule on the inside interface stating, source: 192.168.0.0/24 to destination 192.168.2.0/24. I don't have one going the other way around. I checked the routes by going into the CLI: it does not show any routes for the 192.168.2.0 network.
0
 
LVL 3

Author Comment

by:EvaUnit01
ID: 34085356
the command I entered was "show route" it only shows some static routes ( for our vlient vpn access) and 2 connected routes for the interfaces (Outside and Inside)
0
 
LVL 3

Author Comment

by:EvaUnit01
ID: 34085490
Also do I want a route on the ASA for 192.168.2.0/24 pointing to the switch? I want to make sure that subnet can access the outside interface (internet access) as well.
0
What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

 
LVL 13

Accepted Solution

by:
SIM50 earned 500 total points
ID: 34085498
It looks like your firewall doesn't know about your 192.168.2.0 network. It knows about 192.168.1.0 since it is directly connected to it. Can you put in a static route for 192.168.2.0 to send it to 192.168.0.10?

You said you've created dynamic NAT for 192.168.2.0. You don't need another NAT exampt rule since your switch will take care of routing between vlans.

0
 
LVL 33

Expert Comment

by:MikeKane
ID: 34085521
Can you post the sanitized config of the ASA?    

If the ASA can ping a device on the 192.168.2.0 network, then routes are fine.    I'm guessing you may have an access list or outbound NAT setup to allow only the original subnet.  Having a peek at the code will quickly identify or rule out that possibility.


0
 
LVL 3

Author Comment

by:EvaUnit01
ID: 34085718
I added the static route and I was able to access the internet. I still cannot access my other sites which are connected via site to site vpn. I will recheck my crypto map setups.
0
 
LVL 13

Expert Comment

by:SIM50
ID: 34085756
For site-to-site VPN's, you need to modify encryption domain to include the new subnet and access-lists. Also, don't forget to do it on both sides of site-to-site VPN, local and remote. Otherwise, VPN will not come up.
0
 
LVL 13

Expert Comment

by:SIM50
ID: 34085773
Forgot to add, you will need to create NAT exampt for 192.168.2.0 to go remote networks.
0
 
LVL 3

Author Comment

by:EvaUnit01
ID: 34086026
Yeah, I just figured that out, my crypto maps were fine. I forgot to add the NAT exemption to my remote sites. Once I did it began to work fine.

Alright now time to create a plan for changing the gateway on about 15 servers and additional dozen or so peripherals, not to mention DHCP!

Thank you SIM50, you saved me lots of time! I really need to finish studying and get my CCNA. I was able to logically figure things out with my current knowledge of networking, but if I were a proper CCNA I wouldn't need to ask for help. I could help others! points will be awarded.
0
 
LVL 3

Author Closing Comment

by:EvaUnit01
ID: 34086140
Thank you!
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

I eventually solved a perplexing problem setting up telnet for a new switch.  I installed a new Cisco WS-03560X-24P switch connected to an existing Cisco 4506 running a WS-X4013-10GE Sup II-Plus. After configuring vlans and trunking,  I could no…
Creating an OSPF network that automatically (dynamically) reroutes network traffic over other connections to prevent network downtime.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now