Cisco 5510 ASA route 2 subnets through same inside interface
Hello fellow experts! I need some advice on a problem I have. My network is running out of IPs and after evaluating the different ways to create more IPs I decided to add a new subnet. We have a Cisco ASA 5510 and some 3com Layer 3 switches. We decided not to use Vlans to achieve routing between to the 2 subnets. We added a secondary IP to the 3com switch. We know we have to change the gateway of any device on the original subnet (is now currently the ASA) to the IP of the 3com switch in order to achieve proper internal routing between to the subnets. Here are the specifics of the network below.
Cisco ASA:
Inside interface: 192.168.0.1/24
3com 5500G:
IP: 192.168.0.10/24
2nd IP: 192.168.2.10/24
We have tested routing through the 3com by connecting a workstation to it and manually assigning it an IP of 192.168.2.99 with 192.168.2.10 as the gateway and another with 192.168.0.99 with 192.168.0.10 as its gateway. Traffic goes through fine.
The problem I have is on the Cisco side. It still routes the 192.168.0.0/24 subnet fine with access to the internet and our other sites in different countries(site to site VPNs). The new 192.168.2.0/24 subnet does not seem to have outside access. Since the 3com switch was able to route traffic to a laptop in the 192.168.0.0/24 network it would also reason that it would route to the ASA(same subnet). Obviously all of these devices are connected to the 3com switch directly. So I must be missing something on the ASA.
I have added a dynamic NAT rule on the inside interface to allow traffic from the 192.168.2.0/24 subnet to be translated to the outside interface. Just as there is one already on their for the 192.168.0.0/24 subnet. I am currently working on my ccent/ccna so I am somewhat novice when it comes to this, can another expert point out what I am missing? Also I cannot ping the ASA from the laptop on the 192.168.2.0/24 subnet.
Thanks, Marco.
Cisco ASA:
Inside interface: 192.168.0.1/24
3com 5500G:
IP: 192.168.0.10/24
2nd IP: 192.168.2.10/24
We have tested routing through the 3com by connecting a workstation to it and manually assigning it an IP of 192.168.2.99 with 192.168.2.10 as the gateway and another with 192.168.0.99 with 192.168.0.10 as its gateway. Traffic goes through fine.
The problem I have is on the Cisco side. It still routes the 192.168.0.0/24 subnet fine with access to the internet and our other sites in different countries(site to site VPNs). The new 192.168.2.0/24 subnet does not seem to have outside access. Since the 3com switch was able to route traffic to a laptop in the 192.168.0.0/24 network it would also reason that it would route to the ASA(same subnet). Obviously all of these devices are connected to the 3com switch directly. So I must be missing something on the ASA.
I have added a dynamic NAT rule on the inside interface to allow traffic from the 192.168.2.0/24 subnet to be translated to the outside interface. Just as there is one already on their for the 192.168.0.0/24 subnet. I am currently working on my ccent/ccna so I am somewhat novice when it comes to this, can another expert point out what I am missing? Also I cannot ping the ASA from the laptop on the 192.168.2.0/24 subnet.
Thanks, Marco.
SIM50
Did you set default route in L3 switch to point to 192.168.0.1 on ASA?
ASKER
yes there is a default route on there, it was already placed. Here is the full routing table on the switch.
dest ip mask next hop interface
0.0.0.0. 0.0.0.0. 192.168.0.1 vlan-interface1
127.0.0.1 255.0.0.0 127.0.0.1 inloopback0
127.0.0.1 255.255.255.255 127.0.0.1 inloopback0
192.168.0.0 255.255.255.0 192.168.0.10 vlan-interface1
192.168.0.10 255.255.255.255 127.0.0.1 inloopback0
192.168.2.0 255.255.255.0 192.168.2.10 vlan-interface1
192.168.2.10 255.255.255.255 127.0.0.1 inloopback0
Also if this was not placed the laptop we tested (ip: 192.168.0.99 with a gateway of 192.168.0.10) would not have internet access.
dest ip mask next hop interface
0.0.0.0. 0.0.0.0. 192.168.0.1 vlan-interface1
127.0.0.1 255.0.0.0 127.0.0.1 inloopback0
127.0.0.1 255.255.255.255 127.0.0.1 inloopback0
192.168.0.0 255.255.255.0 192.168.0.10 vlan-interface1
192.168.0.10 255.255.255.255 127.0.0.1 inloopback0
192.168.2.0 255.255.255.0 192.168.2.10 vlan-interface1
192.168.2.10 255.255.255.255 127.0.0.1 inloopback0
Also if this was not placed the laptop we tested (ip: 192.168.0.99 with a gateway of 192.168.0.10) would not have internet access.
On your ASA, do you have a route for 192.168.2.0/24 pointing to the switch?
ASKER
I created a nat exemption rule on the inside interface stating, source: 192.168.0.0/24 to destination 192.168.2.0/24. I don't have one going the other way around. I checked the routes by going into the CLI: it does not show any routes for the 192.168.2.0 network.
ASKER
the command I entered was "show route" it only shows some static routes ( for our vlient vpn access) and 2 connected routes for the interfaces (Outside and Inside)
ASKER
Also do I want a route on the ASA for 192.168.2.0/24 pointing to the switch? I want to make sure that subnet can access the outside interface (internet access) as well.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Can you post the sanitized config of the ASA?
If the ASA can ping a device on the 192.168.2.0 network, then routes are fine. I'm guessing you may have an access list or outbound NAT setup to allow only the original subnet. Having a peek at the code will quickly identify or rule out that possibility.
If the ASA can ping a device on the 192.168.2.0 network, then routes are fine. I'm guessing you may have an access list or outbound NAT setup to allow only the original subnet. Having a peek at the code will quickly identify or rule out that possibility.
ASKER
I added the static route and I was able to access the internet. I still cannot access my other sites which are connected via site to site vpn. I will recheck my crypto map setups.
For site-to-site VPN's, you need to modify encryption domain to include the new subnet and access-lists. Also, don't forget to do it on both sides of site-to-site VPN, local and remote. Otherwise, VPN will not come up.
Forgot to add, you will need to create NAT exampt for 192.168.2.0 to go remote networks.
ASKER
Yeah, I just figured that out, my crypto maps were fine. I forgot to add the NAT exemption to my remote sites. Once I did it began to work fine.
Alright now time to create a plan for changing the gateway on about 15 servers and additional dozen or so peripherals, not to mention DHCP!
Thank you SIM50, you saved me lots of time! I really need to finish studying and get my CCNA. I was able to logically figure things out with my current knowledge of networking, but if I were a proper CCNA I wouldn't need to ask for help. I could help others! points will be awarded.
Alright now time to create a plan for changing the gateway on about 15 servers and additional dozen or so peripherals, not to mention DHCP!
Thank you SIM50, you saved me lots of time! I really need to finish studying and get my CCNA. I was able to logically figure things out with my current knowledge of networking, but if I were a proper CCNA I wouldn't need to ask for help. I could help others! points will be awarded.
ASKER
Thank you!