Solved

data routing / layer 3 switch to asa

Posted on 2011-03-08
Last Modified: 2012-05-11
Hi,

I have two networks in my office which do not touch.  I need to connect them now.

One is a simple MPLS -> ASA (with no outside line)
The other one has a layer 3 switch -> ASA --> router

Can anybody explain, or point me in the right direction on what to do if I connect my layer 3 switch to the ASA via cable?
Question by:vburshteyn
12 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
Could you elaborate a bit?

At the moment you have one or two ASAs?
Are the two networks in one office or is the second network at a remote location (through the mpls)?

Just trying to get the whole picture here.
 
LVL 3

Expert Comment

by:topdavis
This is too vague, can you be more specific in describing your network topology and your problem?
 

Author Comment

by:vburshteyn
Sorry about that.

Network A
DS3 router - ASA 5505 -- Catalyst 4507

Network B

MPLS router - ASA 5500 --- Cisco Catalyst WS-C2950T-48 (this network does not have a data line yet)

At the moment the two networks don't talk. If I had a data line on the MPLS network I would just set up a VPN-VPN line between the two ASAs, but since I don't have that option I was thinking of running a network cable from the Catalyst 4507, since it is a level 3 switch, to the ASA on the MPLS network and route data from network A to network B that way.

Just don't know how to set it up.
 
LVL 13

Expert Comment

by:kdearing
You can run a cable between the 2 switches.
The port on the 4507 will have to be configured for the 2950's subnet.
 

Author Comment

by:vburshteyn
Any chance you can provide more info?

How do I route the data for that subnet from the 4507?
 
LVL 3

Expert Comment

by:topdavis
On the 4507 create a VLAN that is the same as the one on the 2950.

On the ports you will be using to connect the 4507 to the 2950, you need to configure them in trunking mode.

Then you can use the 4507 to do the routing of information between the vlans on the 4507 and the 2950.

If you provide the configurations of the 4507 and the 2950, I am sure I or any of the other contributors can script it out for you.

 

Author Comment

by:vburshteyn
So if the one on the 2950 is set for general VLAN 1, just turn all the ports to, say, VLAN 2, turn one port on the 4507 into VLAN 2 and trunk them together.

Then route data between the 2 VLANs.
 
LVL 3

Expert Comment

by:topdavis
No. You don't necessarily have to change VLANs. The subnets of the VLANs matter, so just moving the ports on the 2950 to VLAN 2 and connecting the switches may not do any good. If you provide the existing configurations it will be much easier to tell exactly what you need to do.
 

Author Comment

by:vburshteyn
OK, so the 2950 has the generic config; there is nothing on it, so it's the default config other than
Switch IP 10.59.1.4 ---> connected to ASA 10.59.1.1


The 4507 is
For this purpose I created VLAN 10 and assigned FA 3/35 to it
I gave VLAN 10 an IP of 10.59.1.2


So what I need to figure out is how do I get the 4507 to see a device 205.132.168.191 255.255.255.255 that I can get from the 2950.

Hope this makes sense!


I pulled out some of the redundant stuff from the config:

version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime
no service password-encryption
service compress-config
service sequence-numbers
!
hostname BW4507
!
boot-start-marker
boot-end-marker
!
no aaa new-model
qos
qos dbl
qos map dscp 24 25 26 27 28 29 30 31 to tx-queue 4
qos map dscp 32 33 34 35 36 37 38 39 to tx-queue 4
qos map cos 3 to dscp 26
qos map cos 5 to dscp 46
ip subnet-zero
!
vtp mode transparent
!
!
!
power redundancy-mode redundant
!
redundancy
 mode sso
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 2
 name VoiceVLAN
!
policy-map autoqos-voip-policy
  class class-default
    dbl
!

!
interface Vlan1
 ip address 172.17.20.2 255.255.255.0
!
interface Vlan2
 ip address 172.17.30.2 255.255.255.0
!
ip route profile
ip route 0.0.0.0 0.0.0.0 172.17.20.1 permanent
ip http server
!
!
interface FastEthernet6/48
 switchport mode access
 switchport voice vlan 2
 switchport port-security
 switchport port-security maximum 2
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 qos trust cos
 qos trust device cisco-phone
 macro description cisco-phone
 auto qos voip cisco-phone
 tx-queue 3
   bandwidth percent 33
   priority high
   shape percent 33
 spanning-tree portfast
 spanning-tree bpduguard enable
 service-policy output autoqos-voip-policy
!
interface GigabitEthernet7/1
!
interface GigabitEthernet7/2
!
interface GigabitEthernet7/3
!
interface GigabitEthernet7/4
!
interface GigabitEthernet7/5
!
interface GigabitEthernet7/6
!
interface GigabitEthernet7/7
!
interface GigabitEthernet7/8
!
interface GigabitEthernet7/9
!
interface GigabitEthernet7/10
!
interface GigabitEthernet7/11
!
interface GigabitEthernet7/12
!
!
interface GigabitEthernet7/36
!
interface GigabitEthernet7/37
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2
 switchport mode trunk
 switchport nonegotiate
 qos trust dscp
 macro description cisco-router
 auto qos voip trust
 tx-queue 3
   bandwidth percent 33
   priority high
   shape percent 33
 spanning-tree portfast
 spanning-tree bpduguard enable
 service-policy output autoqos-voip-policy
!
interface GigabitEthernet7/38
 switchport access vlan 2
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet7/39
 switchport access vlan 2
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet7/40
 switchport access vlan 2
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet7/41
!
interface GigabitEthernet7/42
!
interface GigabitEthernet7/43
!
interface GigabitEthernet7/44
!
interface GigabitEthernet7/45
!
interface GigabitEthernet7/46
!
interface GigabitEthernet7/47
!
interface GigabitEthernet7/48
!
interface Vlan1
 ip address 172.17.20.2 255.255.255.0
!
interface Vlan2
 ip address 172.17.30.2 255.255.255.0
!
ip route profile
ip route 0.0.0.0 0.0.0.0 172.17.20.1 permanent
ip http server
!
!
!
snmp-server community Br0adway1 RO
!
control-plane
!
!
line con 0
 stopbits 1
 length 0
!
end

BW4507#

 
LVL 1

Expert Comment

by:arasmy
Hi vburshteyn,

Could you make it more clear?

Do you have two Internet lines and you want to activate them both over the network with the 4507?
 

Accepted Solution

by:
vburshteyn earned 0 total points
OK, so I handled this by creating a new VLAN on both of the devices and ran a cable between the two. Then I modified the routing tables to handle.
 

Author Closing Comment

by:vburshteyn
None of the provided solutions worked.
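
The approach in the accepted solution (a dedicated VLAN, a cable between the two sides, and adjusted routing), sketched as configuration with the addresses given earlier in the thread. This is an added example, not the poster's actual configuration and not taken from any device in the thread. Assumptions: the /24 mask on VLAN 10, the VLAN name, the ASA interface name `inside`, and that Network A hosts send traffic for Network B to the 4507.

```cisco
! ---------- Catalyst 4507 (BW4507), Network A side ----------
! Dedicated VLAN for the link into Network B (name is illustrative).
vlan 10
 name NETB-LINK
!
! Layer 3 interface in Network B's subnet.
! 10.59.1.2 is from the thread; the 255.255.255.0 mask is an assumption.
interface Vlan10
 ip address 10.59.1.2 255.255.255.0
 no shutdown
!
! Port cabled toward the 2950. A plain access port with DTP
! negotiation disabled keeps the link from forming a trunk.
interface FastEthernet3/35
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
! Without this, the existing default route
! (0.0.0.0/0 via 172.17.20.1) sends traffic for the remote
! device out through Network A's own gateway instead.
ip route 205.132.168.191 255.255.255.255 10.59.1.1
!
! ---------- ASA on Network B (10.59.1.1) ----------
! Return routes so replies to Network A go back through the 4507
! rather than being dropped or sent toward the MPLS router.
! "inside" is an assumed interface name.
route inside 172.17.20.0 255.255.255.0 10.59.1.2
route inside 172.17.30.0 255.255.255.0 10.59.1.2
```

On the 4507, `show ip route 205.132.168.191` should list the /32 static route via 10.59.1.1 once Vlan10 is up. Traffic crossing this link is still subject to the access rules on Network B's ASA.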