hwgtech
New Cisco ASA 5505 Config - Routing or Port issue?
Ok, this may seem like a dumb question but for some reason I can't figure it out.
We have a client who has a new MPLS network - 3 sites (More Details below). The primary site which is also the site that all the others use to access the internet needs a new ASA 5505 setup. For the life of me, I can't get the routing / config right.
Site A - 192.168.100.0. Router address is 192.168.100.1. MPLS Router (to access the other sites) is 192.168.100.254
Site B - 192.168.2.0 Router address (for internet / mpls) is 192.168.2.254
Site C - 192.168.3.0 Router address (for internet / mpls) is 192.168.3.254
From what I understand - the MPLS provider DOES have a static route setup for the .2 and .3 subnet which defaults traffic to go to 100.1. Don't know what that means but that's what they told me.
I've included the current config - The two routes I've added were required for the sites A and B to access the internet.
RBALOU-CONFIG.txt
ASKER
Ok thanks - what is not working is I can't get from 100 to 2 and 100 to 3. I can get to the internet from 2 and 3, but not to 100.
Try changing your routes to this.
route inside 192.168.2.0 255.255.255.0 192.168.2.254 1
route inside 192.168.3.0 255.255.255.0 192.168.3.254 1
Don't forget to remove the old ones:
route inside 192.168.2.0 255.255.255.0 192.168.100.254 1
route inside 192.168.3.0 255.255.255.0 192.168.100.254 1
ASKER
I'll give it a shot. Do I need to do anything in terms of access rules / firewall config to allow these sites to communicate?
Not that I can see.
On a side note. Most people x out their real Outside IPs in configs. If you're concerned about it you may want to contact a moderator and see if they can remove the attachment.
While I was at it I had a look at the config.
route inside 192.168.2.0 255.255.255.0 192.168.100.254
route inside 192.168.3.0 255.255.255.0 192.168.100.254
Is correct (you're telling the firewall how to get to those networks).
For now, I would disable the inside access list till we get it working: no access-group inside_access_in in interface inside
I can't get from 100 to 2 and 100 to 3. I can get to the internet from 2 and 3, but not to 100
That definitely is a routing issue. The default gateway for the three networks is the ASA which doesn't route back. So the clients on the three subnets need to be told how to get to the other networks (not through the default gateway).
For site A that would be:
route add 192.168.2.0 mask 255.255.255.0 192.168.100.254
route add 192.168.3.0 mask 255.255.255.0 192.168.100.254
Site B:
route add 192.168.3.0 mask 255.255.255.0 192.168.2.254
route add 192.168.100.0 mask 255.255.255.0 192.168.2.254
Site C:
route add 192.168.2.0 mask 255.255.255.0 192.168.3.254
route add 192.168.100.0 mask 255.255.255.0 192.168.3.254
Using Windows commands here :)
In DHCP you would use option 121 (classless static routes) to add that. The thing is that this isn't working in the ASA dhcp server: https://supportforums.cisco.com/thread/2051427 and I don't know if you have any DHCP at the other sites.
So you'll need to add the routes manually on the workstations or use another DHCP server (have any Windows servers on your network?)
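The DHCP option 121 mentioned above has a specific wire format (RFC 3442: one octet of prefix length, only the significant octets of the destination, then the four-octet router address). As an added example, not part of this thread, here is a small Python encoder/decoder for that format, fed with the site A routes from the post (the default route via 192.168.100.1 is included on purpose: a client that honours option 121 is told by the RFC to ignore the plain router option, so leaving the default out would cut off internet access). The addresses are the ones in the thread; the option code 249 is Microsoft's pre-RFC code that carries the same payload.

```python
import ipaddress
from typing import List, Tuple

# Routes a site A host needs, taken from the thread (constructed list).
SITE_A_ROUTES: List[Tuple[str, str]] = [
    ("0.0.0.0/0", "192.168.100.1"),         # default gateway: the ASA
    ("192.168.2.0/24", "192.168.100.254"),  # site B via the MPLS router
    ("192.168.3.0/24", "192.168.100.254"),  # site C via the MPLS router
]

DHCP_OPT_CLASSLESS_STATIC_ROUTE = 121      # RFC 3442
DHCP_OPT_MS_CLASSLESS_STATIC_ROUTE = 249   # Microsoft code, same payload


def encode_classless_routes(routes: List[Tuple[str, str]]) -> bytes:
    """Encode (destination/prefix, gateway) pairs as an RFC 3442 payload.

    Each route is: prefix length (1 octet), the ceil(prefix/8) significant
    octets of the destination, then the 4-octet router address.
    """
    out = bytearray()
    for dest, gw in routes:
        net = ipaddress.IPv4Network(dest, strict=True)
        sig = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:sig]
        out += ipaddress.IPv4Address(gw).packed
    return bytes(out)


def decode_classless_routes(payload: bytes) -> List[Tuple[str, str]]:
    """Inverse of encode_classless_routes; rejects truncated payloads."""
    routes = []
    i = 0
    while i < len(payload):
        plen = payload[i]
        i += 1
        if plen > 32:
            raise ValueError(f"bad prefix length {plen}")
        sig = (plen + 7) // 8
        if i + sig + 4 > len(payload):
            raise ValueError("truncated option 121 payload")
        dest = bytes(payload[i:i + sig]) + b"\x00" * (4 - sig)
        i += sig
        gw = bytes(payload[i:i + 4])
        i += 4
        routes.append((f"{ipaddress.IPv4Address(dest)}/{plen}",
                       str(ipaddress.IPv4Address(gw))))
    return routes


def build_option(code: int, payload: bytes) -> bytes:
    """Wrap a payload as a DHCP option TLV (code, length, data)."""
    if len(payload) > 255:
        raise ValueError("option payload too long for a single option")
    return bytes([code, len(payload)]) + payload


if __name__ == "__main__":
    payload = encode_classless_routes(SITE_A_ROUTES)
    print("option 121 payload:", payload.hex())
    print("decoded:", decode_classless_routes(payload))
    print("full TLV:", build_option(DHCP_OPT_CLASSLESS_STATIC_ROUTE, payload).hex())
```

Feeding the encoder's hex into a DHCP server's raw-option field is a way to double-check what a Windows DHCP "classless static routes" scope option is actually sending, and the decoder is handy for reading option 121 out of a packet capture.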
ASKER
DHCP for 2 and 3 is being provided by the MPLS host (Windstream) on the locations routers.
Just to clarify, you are saying to make the route changes that pclinuxguru said AND make the changes on the 100 network to DHCP? We are currently using DHCP on the ASA but can easily turn it on on one of the internal servers.
No, the routes that are currently in your ASA are correct (otherwise site B and C wouldn't have internet access).
So you just need to tell the machines on your networks how to get to the other sites using a gateway other than the default (the route adds I posted if you'd do it manually). I would think it should be enough to add the routes at site A (since the MPLS provider manages the others). To test you could add the two routes manually on a machine to see if you can then access the other sites.
ASKER
Ok, I moved DHCP to the Windows server, added the classless routes and .100 is able to access 2 and 3, but 3/2 are not able to access anything on 100. I can ping 100.254 from 2 and 3 and 100.1 from 2 and 3 but nothing else inside (printers, server, etc.)
ASKER
Since I was able to route traffic from 100 to 2 and 3 using DHCP, how will devices that have static IPs (Phone Systems, servers) access those remote networks?
I'll definitely have Windstream update the local sites, just want to make sure I'm covering all my bases. Thanks for the help!
My pleasure :)
On devices with static IPs you'll have to add that route manually (like said before) if possible. Servers shouldn't be a problem, not sure about the phone system (don't know what it is ;)
ASKER
Ok, so I think my only option after spending the last 2 weeks on the phone with Windstream is to allow the FW to be a router as well. They have the remote sites 2 / 3 setup with a default route of 100.1. They can change it, but I don't know where else we would put it, besides sending it to the server, but then if the server is down, internet will be down across the board. Any thoughts on options or if I do need to setup the ASA as a router how to do that?
Just means that 192.168.2&3.0 is routing from the MPLS to the router at Site A.
What exactly is not working?