Cisco 5510 ASA route 2 subnets through same inside interface

Hello fellow experts! I need some advice on a problem I have. My network is running out of IPs and after evaluating the different ways to create more IPs I decided to add a new subnet. We have a Cisco ASA 5510 and some 3com Layer 3 switches. We decided not to use VLANs to achieve routing between the 2 subnets. We added a secondary IP to the 3com switch. We know we have to change the gateway of any device on the original subnet (is now currently the ASA) to the IP of the 3com switch in order to achieve proper internal routing between the subnets. Here are the specifics of the network below.

Cisco ASA:
Inside interface:

3com 5500G:
2nd IP:

We have tested routing through the 3com by connecting a workstation to it and manually assigning it an IP of with as the gateway and another with with as its gateway. Traffic goes through fine.

The problem I have is on the Cisco side. It still routes the subnet fine with access to the internet and our other sites in different countries (site-to-site VPNs). The new subnet does not seem to have outside access. Since the 3com switch was able to route traffic to a laptop in the network it would also reason that it would route to the ASA (same subnet). Obviously all of these devices are connected to the 3com switch directly. So I must be missing something on the ASA.

I have added a dynamic NAT rule on the inside interface to allow traffic from the subnet to be translated to the outside interface, just as there is one already on there for the subnet. I am currently working on my CCENT/CCNA so I am somewhat novice when it comes to this. Can another expert point out what I am missing? Also I cannot ping the ASA from the laptop on the subnet.

Thanks, Marco.

Did you set default route in L3 switch to point to on ASA?
EvaUnit01Author Commented:
Yes, there is a default route on there, it was already placed. Here is the full routing table on the switch.

dest ip         mask                            next hop            interface                     vlan-interface1                      inloopback0           inloopback0     vlan-interface1           inloopback0      vlan-interface1           inloopback0

Also if this was not placed the laptop we tested (ip: with a gateway of would not have internet access.
On your ASA, do you have a route for pointing to the switch?

EvaUnit01Author Commented:
I created a NAT exemption rule on the inside interface stating, source: to destination I don't have one going the other way around. I checked the routes by going into the CLI: it does not show any routes for the network.
EvaUnit01Author Commented:
The command I entered was "show route". It only shows some static routes (for our client VPN access) and 2 connected routes for the interfaces (Outside and Inside).
EvaUnit01Author Commented:
Also do I want a route on the ASA for pointing to the switch? I want to make sure that subnet can access the outside interface (internet access) as well.
It looks like your firewall doesn't know about your network. It knows about since it is directly connected to it. Can you put in a static route for to send it to

You said you've created dynamic NAT for You don't need another NAT exempt rule since your switch will take care of routing between VLANs.

Can you post the sanitized config of the ASA?

If the ASA can ping a device on the network, then routes are fine. I'm guessing you may have an access list or outbound NAT set up to allow only the original subnet. Having a peek at the code will quickly identify or rule out that possibility.

EvaUnit01Author Commented:
I added the static route and I was able to access the internet. I still cannot access my other sites which are connected via site-to-site VPN. I will recheck my crypto map setups.
For site-to-site VPNs, you need to modify the encryption domain to include the new subnet and access-lists. Also, don't forget to do it on both sides of the site-to-site VPN, local and remote. Otherwise, the VPN will not come up.
Forgot to add, you will need to create a NAT exempt for to go to remote networks.
EvaUnit01Author Commented:
Yeah, I just figured that out, my crypto maps were fine. I forgot to add the NAT exemption to my remote sites. Once I did it began to work fine.

Alright, now time to create a plan for changing the gateway on about 15 servers and an additional dozen or so peripherals, not to mention DHCP!

Thank you SIM50, you saved me lots of time! I really need to finish studying and get my CCNA. I was able to logically figure things out with my current knowledge of networking, but if I were a proper CCNA I wouldn't need to ask for help. I could help others! Points will be awarded.
EvaUnit01Author Commented:
Thank you!
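
The fixes the thread arrived at, collected as an added example that is not part of the original posts: a static route back to the new subnet, dynamic NAT for it, and a NAT exemption plus crypto ACL entry for the site-to-site VPN. The thread's real addresses were stripped, so every address and ACL name below is a constructed placeholder, and the pre-8.3 ASA syntax is an assumption about the software version.

```cisco
! Constructed placeholders (assumptions, not values from the thread):
!   original inside subnet   10.1.1.0/24   ASA inside interface 10.1.1.1
!   3Com L3 switch           10.1.1.2      secondary IP 10.1.2.1
!   new subnet               10.1.2.0/24
!   remote VPN site          10.9.0.0/24
! ACL names inside_nat0_outbound / outside_1_cryptomap are hypothetical.
! Syntax is pre-8.3 ASA ("nat 0 access-list" style NAT exemption).

! 1. Return path. The new subnet is not directly connected to the ASA,
!    so without this route replies to 10.1.2.x have nowhere to go and
!    hosts there cannot even ping the inside interface.
route inside 10.1.2.0 255.255.255.0 10.1.1.2 1

! 2. Internet access. Dynamic PAT for the new subnet, matching the
!    rule that already exists for the original subnet (NAT ID 1).
nat (inside) 1 10.1.2.0 255.255.255.0
global (outside) 1 interface

! 3. Site-to-site VPN. Exempt new-subnet traffic to the remote site
!    from NAT; otherwise it is translated by rule 2 and no longer
!    matches the tunnel's interesting-traffic ACL.
access-list inside_nat0_outbound extended permit ip 10.1.2.0 255.255.255.0 10.9.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! 4. Encryption domain. Needed only if the existing crypto ACL does
!    not already cover the new subnet. The remote peer needs the
!    mirror-image entry (10.9.0.0/24 -> 10.1.2.0/24).
access-list outside_1_cryptomap extended permit ip 10.1.2.0 255.255.255.0 10.9.0.0 255.255.255.0

! Checks, run from privileged EXEC rather than config mode:
!   show route
!   show run nat
!   packet-tracer input inside icmp 10.1.2.10 8 0 10.9.0.10
! packet-tracer reports which phase (route lookup, NAT, VPN) drops
! the flow, which separates a missing route from a missing exemption.
```

Keep each exemption and crypto ACL entry scoped to the specific local and remote subnets rather than `any`, so adding the subnet does not widen what bypasses NAT or enters the tunnel.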