
Cisco ASA 5505 Multiple Internal Subnets

I have two offices: office A, the main office, which consists of a Cisco ASA 5505, a Cisco MPLS router, and a Layer 2 switch, and office B, which consists of an MPLS router and a Layer 2 switch. The MPLS router and Layer 2 switch are configured and managed by the telephone company. We have four VLANs defined in the switch: VLAN1, VLAN2, VLAN3, and VLAN4. VLAN2 and VLAN4 are VoIP and work fine. VLAN1 and VLAN3 are data and are causing issues. All data must touch the ASA since we do not have Layer 3 switches. I added the following commands to my ASA configuration:

Static (inside,inside) netmask
route inside
route inside
route inside is the MPLS router, not the ASA. When I do this I am able to ping across the data MPLS and all is great, except my internal network VLAN1 goes all to pieces: internal traffic starts getting blocked, nobody can get DHCP leases, etc. Office B can get on the internet but can't access any hosts on the internal network at Office A. If I take out the static (inside,inside) netmask line, then Office A's internal network goes back to working fine as it should, but we no longer have connectivity back to Office B.


Just to clarify, Internet is at Office A, no Internet connection at Office B - all traffic destined for Internet must travel across the MPLS.

What is the purpose of this command?

Static (inside,inside) netmask


Without this command you can't ping across subnets.

I understand, but do you know why you configured it this way?

What is your default gateway on the ASA side? Can you post your ASA config?


interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address <public ip address>
interface Vlan5
 no nameif
 security-level 50
 ip address dhcp
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_1_cryptomap extended permit ip
access-list inside_nat0_outbound extended permit ip
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq www
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ipv6 access-list outside_access_ipv6_in permit ip any any
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
static (inside,outside) tcp interface smtp smtp netmask
static (inside,outside) tcp interface www www netmask  
static (inside,inside) netmask
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group outside_access_ipv6_in in interface outside
route outside 1
route inside 1
route inside 1
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd update dns both interface inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
 pre-shared-key *****
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect esmtp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
: end

What is your default gateway in


The ASA is the default gateway in the 2.0 subnet - ASA ip is

Get rid of this line, you don't need it; the problem is somewhere else:
static (inside,inside) netmask

This command configures NAT exempt

Your config looks fine, you should be able to reach all of your networks, no clue

Bear in mind that the ASA is NOT a router, so you should get a router to properly route between subnets.


If I remove that line I no longer have access to the other subnets. I have tried it with and without that line.

Please do a 'show firewall' and post the results.


Result of the command: "show firewall"

Firewall mode: Router

Can you explain your physical topology? Where is ASA?

Because typically your router should be handling the routing for the vlans. So is the ASA in between the switch and the router?


MPLS Router --> Switch --> ASA ---> Internet

Best I could do from phone

Then through the internet is the MPLS connection to your other office?

It seems to me that for what you are trying to do, your topology should be:

switch--> ASA-->MPLS Router-->Internet

Just FYI, the answer is below:

no static (inside,inside) netmask

static (inside,inside) netmask
static (inside,inside) netmask
static (inside,inside) netmask

Set all hosts on the ASA side default gateway to, which is the MPLS router.