Link to home
Get AccessLog in
Avatar of katredrum
katredrumFlag for United States of America

asked on

Cisco 2800 & ASA 5510 Routing Question

Hello Experts,

I have a Cisco 2800 router currently in production that is doing the routing of all VLANs and is also the gateway of our network. We are preparing for a network upgrade and the company has purchased ASA 5510.

Since the 2800 serves as our T1 Internet Gateway and our bandwidth upgrade will have a RJ-45 drop and that ASA is new to me, I'm trying to co-deploy it until the day we will switch over from T1 to RJ-45. I am re-configuring all VLANs to be routed by the ASA (I'm currently only testing non-production VLANs) but don't know how to send Internet traffic to the 2800 for Internet access.

The goal in the end is to have everything configured on the ASA prior to the switch and just have to change routing the Internet traffic from the 2800 to the new ISP.

Is this possible to do? Has anyone done this? Can anyone recommend any other way to do this?
Avatar of ArneLovius
Flag of United Kingdom of Great Britain and Northern Ireland image

Link to home
This content is only available to members.
To access this content, you must be a member of Experts Exchange.
Get Access
Avatar of katredrum



I hope my scenario is not like the one you had two years ago. My network is divided by departments using VLANs to make the broadcast domain smaller. By doing this, it actually helped speed up user experience. We also have about the same users and devices...approx 60 users, 8 servers, and 8 printers.

Here is my VLAN configuration:
VLAN1 = common resources (Domain Controllers, Internet, Printers, router/switch management, email server)
VLAN2 = VPN Users
VLAN3 = Professionals
VLAN4 = Accounting/Admin
VLAN5 = Telephone

I did this because users in their own respective VLAN would not congest other departments as they typically access their own server placed in their own VLAN. The only time users need inter-VLAN routing is when they access the Internet, authenticating with AD, needing DNS request, DHCP, print and email which are all on VLAN1.

I really like your idea to keep the 2800 as my inter-VLAN router and use the ASA as a firewall but I was planning to take the 2800 and move it to our branch office for site-to-site VPN with the ASA.

So in your opinion, if I plan to use only  the ASA as our router/firewall, should I consolidate my VLANs into 3 instead of 5? I could put the Common Resources (VLAN1), VPN Users (VLAN2) and the Professionals (VLAN3) together because they make most of the workforce and keeping Accounting/Admin (VLAN4) and Telephone (VLAN5) separate giving me 3 VLANs.

This reminds me though that the reason I kept the Exchange Server on its own VLAN (1) was to keep users traffic from VLAN4 separate from VLAN3. My main goal was to ensure the Professionals (VLAN3) had the quickest access to all resources. Taking everyone else off was why I divided them into separate VLANs. Question now is...would it be less intrusive for my Professionals (VLAN3) if...

-Everyone was put into the same VLAN sharing a larger broadcast domain,
-Keeping the VLANs how it is making the ASA route Inter-VLAN traffic,
-Consolidating VLAN1, 2 & 3 making the fastest access but having VLAN4 traffic share resources

I guess it all boils down to what is quicker, Inter-VLAN routing or having to share a larger broadcast domain. Can you give me your opinion on which is the better choice?
If all of your users were running Appletalk on OS9 or earlier, I might split it as you have it,  but as long as you're running on switched 100mb Ethernet instead of using 10base2 or 10baseT on hubs:-) you should have no issues with a single "internal" VLAN

Before doing this, you could attach a computer running wireshark to a network port and monitor the amount of broadcast traffic, my guess is that it would be measured in single digit kbps.

With modern servers, you should be able to consolidate your servers. I've consolidated many small servers into file server clusters with better availability and performance for everyone. Several of these have been for companies with high levels of users working on multi gigabyte artwork files and did this for less than the cost of replacing all of the individual servers when they reached their replacement point, the power consumption and electricity bill can also be a driver for doing this.

The exception might be HR or Finance, but I would only usually split them out if their IT was managed by dedicated HR or Finance IT department, for a company where I presume you manage all of it, I would quite happily put it all on one (clustered) server, or with 2k8 r2, two servers with DFS, one with Intel and one with AMD for even more redundancy.

I would keep the phone system on its own VLAN, but this could be terminated on the ASA as the traffic volume should be relatively small and you can also use it to restrict access to only required hosts.

Instead of using the 2800 at the remote office I would get an ASA5505, the NAT and ACL configuration is much simpler and you keep to a common platform with identical setup etc.

I moved one company that had grown through acquisition from three small offices into one large one, they were 300 people, and with gigabit to the desktop switches I put in a single VLAN and a new file server, two of the companies had already had gigabit and were pleasantly surprised when the new infrastructure was faster...

In short, divide up a network when you _need_ to, but try your best not to need to :-)
Thanks for the suggestions! I wanted to go back to my original question. Is there a way I can have users behind the ASA access the Internet via the 2800? How would I do it and what command(s) would I have to put on my ASA?
Link to home
This content is only available to members.
To access this content, you must be a member of Experts Exchange.
Get Access

I don't quite understand.

On the 2800, if I disable NAT how would my users access the Internet? The 2800 still holds the path to the Internet via WIC T1.

I apologize I'm still new to the ASA and don't really know how create a dynamic NAT rule.

INTERNET ---- 2800 ---- ASA ---- VLAN8

I'm trying to to have users in VLAN8 to access the Internet via 2800.

Is your instructions for what I'm trying to do?
your current config

2800 - main vlan
        - other vlan

2800 - main vlan - ASA (running NAT)
         - second vlan


Internet - ASA (running NAT) - main VLAN  - 2800 - second VLAN

the router then acts as an internal only router and doesn't need NAT.

Although the ASA can run routing protocols this is more to to determine what route to send a packet to, but it isn't a router...
current config and ultimately wanting to do...

Internet - 2800 - ASA - VLANs

I need to allow users behind the ASA to access the internet via the 2800's T1
Presumably you are running NAT on the 2800.

Presumably, you have a single public address on the T1 side of the 2800 and a block of addresses that you are using for NAT.

You could remove NAT from the 2800, use one of the addresses for its "internal" interface and use the rest on the ASA. This would mean either moving to a flat LAN, or using the ASA for communicating between VLANS.

When you new connection is activated, you simply add configure it on the ASA and modify the NAT rules and routing on the ASA.
Link to home
This content is only available to members.
To access this content, you must be a member of Experts Exchange.
Get Access

Thank you for doing this. Instead of the public IP addresses between the 2800 and ASA, could I use private IP addresses? Just wondering why it would have to be a public IP address. I will try this as soon as I can.
Avatar of hitsotntd

Yes absolutely, just make sure the routes point to the correct interface.
okay i've tried this and unable to get out from a workstation in VLAN8.

My 2800 interface is configured as
My ASA outside interface is configured as

I've set the default routes on the ASA as:

The workstations can ping the internal interface but cannot go beyond that. Any ideas?
Can the asa ping the 2800 interface?
Can the workstation ping the outside interface of the ASA?
Can the 2800 ping the outside interface of the asa?
Does the 2800 have a route back to the VLAN8? This is prob the issue.

2800 route should say something like, ip route (VLAN 8 network)
Also, you can run the command "show xlate" and this will tell you exactly what the internal vlan8 ip address is being NATed/translated too.
From my workstation, I cannot ping the outside of my ASA (

From the ASA, I can ping the outside interface ( and inside interface ( of the ASA. I can also ping the internal interface ( of the 2800 but not the public interface.

When I run the "show xlate" command it returns "0 in use, 0 most used"

From the 2800, I can ping all interfaces on the 2800 as well as the outside interface of the ASA ( and the inside interface of the ASA (
Seems like traffic is not getting past the ASA's default route as it is not showing up with anything with the "show xlate" command. Any other ideas?
oh and btw, Mightysampson is me too, I messed up on my username and wanted to change it.
Ok, so you said that the 2800 can ping the inside interface of the ASA? If you have the cabling like we think, you should not be able to ping the inside interface from the 2800 unless you have an ACL allowing it.

Does your workstation have a default gateway of
Can your workstation ping the inside ip address of

Would you mind showing me your the output on the ASA from the following commands? You can X.X any info you don't want me to view. I should be able to get this running pretty quick with seeing these outputs.

Show run access-list
show run access-group
show run nat
show run static
show run interface
show route

Also, how bout these output on the 2800?

show ip int bri
show ip route
Workstation does have the default gateway as AND can ping it.

On the ASA
Show run access-list:
access-list global_mpc extended permit tcp any any object-group DM_INLINE_TCP_1
Show run access-group:
Show run nat:
show run static:
show run interface:
interface Ethernet0/0
nameif OUTSIDE
security-level 0
ip address
interface Ethernet0/1
nameif INSIDE
security-level 100
ip address
show route:
route OUTSIDE 1
route INSIDE 1

On the 2800
show ip int bri:
FastEthernet0/0.50 Yes manual up up
Serial0/0 Public IP Yes NVRAM up up

show ip route:
C is directly connected, FastEthernet0/0.50
S [1/0] via
S* [1/0] via public ip
Well I do see some needed commands,

1.  You have no access-group binding your access-list to an interface. The example below is binding the access-list global_mp to the inbound traffic on the outside interface. Do not input this command unless your absolutely sure you want to. Your current access-list is permitting any TCP traffic to which ever machines are in the object group "DM_INLINE_TCP_1". If you want something to access something from the outside you will use the below access-group and the ACL named "global_mp" to make that happen.

1a. access-group global_mp in interface outside

2. There is no NAT configured. Below are the commands to enter.

2a. nat (inside) 1
      global (outside) 1 {public ip range}

3. Testing

3a. Try pinging from the 2800.
3b. Try pinging from workstation
3c. enter "show xlate" in ASA to see the NATed internal to the external.

Other then those everything looks good to me. You have all the routing correct. All interfaces are configured correctly. I am sure all you needed was the NATing configured.

Still not sure why you would be able to ping the inside address from the 2800.

Okay not sure if I need option 1.

I did the 2a command. Question on 2a. global public IP. Is this the IP address of my 2800's WAN interface?

3. Testing results:
3a. OK
3b. No reply
3c. Global Local

Workstation still cannot ping

Thanks for all the help. I'm still trying without any success.
No problem at all. We will get this up and running. We are almost there.

Global public IP address is going to be the same range as the serial 0/0 on the 2800.
FYI, it doesn't have to be a range, it can be just 1 public address. Here is an example for a one IP address and a range.

{Many to ONE NAT}
nat (inside) 1
global (outside) 1

{Many to Many NAT}
nat (inside) 1
global (outside) 1
Okay I configured the global (outside) with the correct public IP and still no luck.

Am I supposed to be able to ping from the ASA because I am not able to. Also on the 2800 I have "IP NAT Outside" command on the S0/0 interface. Wondering if this is preventing traffic coming back into the network. I also have an access-list that is currently configured to allow traffic back in. Would I need to add the network to be allowed back in from the internet?
Link to home
This content is only available to members.
To access this content, you must be a member of Experts Exchange.
Get Access
Here is what my Serial0/0 is configured's complex because I have production still behind the current router and I'm trying to add the ASA behind it concurrently. Please let me know if I cannot do this and if I have to take everyone off the 2800 and put it behind the ASA in order for this to work. Here is my WAN interface config:

interface Serial0/0
 description WAN Interface
 ip address PUBLICIP
 ip access-group 111 in
 ip access-group BLOCK_CS out
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip inspect CBAC_OUT out
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 crypto map SDM_CMAP_1
In the above config, I did take out the command ip nat outside but only do this when I test the workstation trying to ping
Let me lab this up. I will get back to you on what will need to be done soon. I will then provide you with configs to be entered.

When you test, what are you getting with the "show xlate" command?

Is your public address on S0/0 the only external address you have?

Also, can you provide me with the access-list you have on the s0/0 interface?
On the ASA, show xlate:
2 in use, 2 most used
Global Local
Global Local

Actually I have a secondary public IP address but didn't think it would affect. Here it is anyway:
ip address PUBLICIP secondary (I believe the ISP have created a static route on their end)

Access-list 111 is:

Extended IP access list 111
    10 permit tcp host X.X.X.X host PUBLICIP eq smtp
    20 permit tcp any host PUBLICIP eq www
    30 permit tcp any host PUBLICIP eq 443
    60 permit udp any host PUBLICIP eq domain
    70 permit ahp any host PUBLICIP
    80 permit esp any host PUBLICIP
    90 permit udp any host PUBLICIP eq isakmp
    100 permit udp any host PUBLICIP eq non500-isakmp
    110 permit icmp any host PUBLICIP echo-reply
    120 permit icmp any host PUBLICIP time-exceeded
    130 permit icmp any host PUBLICIP unreachable
    140 deny ip any log-input
    150 deny ip any log-input
    160 deny ip any log-input
    170 deny ip any log-input
    180 deny ip host any log-input
    190 deny ip host any log-input
    200 deny ip any any log-input
I completed the lab and you are not going to be able to have your topology the way it currently is.

You would need to turn off the inspection on your 2800 for the traffic to flow as expected.

You will probably want to setup a separate topology for testing your new ASA. You can do this by setting up the ASA's outside interface with an ip address in your external range. Then you could put a switch between your ISP device and the 2800. (this will require down time) With the switch in place, you could have both the ASA and the 2800 connected to the switch and communicating to the ISP and test freely on the ASA.

The end result is, the ASA will replace the 2800 as the firewall/inspection device and the 2800 will be your edge/peering device.

Any progress?
Yup, ArneLovius stated the correct answer from the very beginning. He should get the points.
Thanks for all your assistance. I will end up changing the config on the 2800 when we change ISPs. I cannot do it now but will use the info from this thread to get it working. Thanks again!