J3ckyl asked:

Help with routing between networks

In my foray into the Cisco realm, I recently configured an ASA with access to the internet via static public IP (see blue shaded area of attached topology).  The green shaded area of the topology represents a different subnet connected to the ASA.  I configured the ASA to perform NAT for both of the following networks:
172.10.0.0
10.0.25.0
I verified that both of the above could reach the internet.

What I am having difficulty with is configuring both the router and the ASA to allow communication with each other from the 172.10.0.0 network to the 10.0.25.0 network.  I've been reading through CCNA materials and have tried to follow lab examples, but can't seem to get it working.  I enabled EIGRP on both and verified that routes are being advertised.  I know I am missing something.

My goal is to understand the commands required under the different platforms (ASA 9.0 and IOS 15) and learn the most efficient way of establishing communication between the two subnets.  Also, I need to fill my knowledge gaps.

Please see the attached topology, ASA configuration, and router configuration.  Thank you all in advance for taking a look!
ASA-Running-Config.txt
Router-Running-Config.txt
Lab-Topology.docx
rauenpc:

same-security-traffic permit intra-interface

By default an ASA will not allow hairpin routing, so you'll need to enable it.
J3ckyl (asker):

Thanks rauenpc.  I entered that command into the ASA CLI, but nothing changed.  From hosts on the 172.10.0.0 network, I can ping the 10.0.25.1 interface, but not hosts on the 10.0.25.0 network. I still cannot ping hosts on the 172.10.0.0 network from the 10.0.25.0 network.  I appreciate the input. Any other areas I should look at?  I am completely new to ASA and I am wondering if I have to configure ACLs to specifically allow the two networks to communicate.
ASKER CERTIFIED SOLUTION
rauenpc:

This solution is only available to members.
J3ckyl (asker):

Thanks, I'll mark that as a solution.  While that definitely is a solid solution and makes for a cleaner network, for the sake of learning, what would I need to correct the current situation?
You would need to either:

- set all the 10.x devices to use the router as a default gateway, or
- add static routes on all devices in the 10.x network to use the router when going to the 172.x network, or
- configure state bypass on the ASA for that particular traffic. State bypass essentially ignores the state of traffic and just lets it route with no care as to half-open connections, or any other possible attack.

A neat thing that you can do if you're using a Windows DHCP server is to set option 249. Option 249 is the Classless IP static route option, and it pushes down a set of static routes to any machine that requests it. Windows machines do request that option by default. The option allows you to specify a subnet and a gateway to use for this. In your case, you would only need this in the 10.x subnet. Although this works, I wouldn't really suggest this in a production network except as a band-aid while working through a better solution such as redesigning the layout to mitigate the need for such static routes. I don't know if any non-Windows devices accept option 249, so any Linux/Unix machines or printers would still have an issue.
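Worked example of the option 249 encoding mentioned above. This is added example code, not part of the thread and not any vendor's implementation. Microsoft's option 249 carries the same wire format as the standard classless static route option 121 from RFC 3442: one record per route, each record being a one-byte prefix length, then only the significant octets of the destination (ceil(prefix length / 8) of them, so a default route has none), then the four-byte gateway. The addresses used for the sample routes (router at 10.0.25.1 on the 10.x side, ASA inside interface at 10.0.25.254) and the /16 mask on 172.10.0.0 are assumptions, since the thread does not state them.

```python
"""RFC 3442 classless static route option (DHCP option 121 / Microsoft 249).

Added example, not code from the thread. Encodes a route list into the
option payload, decodes it back, and refuses malformed input instead of
installing a partial route.
"""
import ipaddress
from typing import List, Tuple

OPTION_CLASSLESS_STATIC_ROUTE = 121      # RFC 3442 code
OPTION_MS_CLASSLESS_STATIC_ROUTE = 249   # Microsoft code, same wire format
MAX_OPTION_PAYLOAD = 255                 # DHCP option length is a single byte

Route = Tuple[str, str]  # (destination in CIDR notation, gateway address)

# Constructed for the thread's topology. The router's 10.x address, the ASA
# inside address and the /16 on 172.10.0.0 are assumptions, not from the post.
ROUTER_10X_ADDR = "10.0.25.1"      # assumed router interface on the 10.x subnet
ASA_INSIDE_ADDR = "10.0.25.254"    # assumed ASA inside interface
EXAMPLE_ROUTES: List[Route] = [
    ("172.10.0.0/16", ROUTER_10X_ADDR),  # reach 172.x via the router directly
    ("0.0.0.0/0", ASA_INSIDE_ADDR),      # keep the ASA as the default gateway
]


def encode_routes(routes: List[Route]) -> bytes:
    """Serialise routes into an RFC 3442 payload (without the code/length bytes)."""
    payload = bytearray()
    for dest, gateway in routes:
        # strict=True rejects entries with host bits set, e.g. 10.0.25.7/24
        net = ipaddress.IPv4Network(dest, strict=True)
        width = net.prefixlen
        significant = (width + 7) // 8          # octets actually transmitted
        payload.append(width)
        payload += net.network_address.packed[:significant]
        payload += ipaddress.IPv4Address(gateway).packed
    if len(payload) > MAX_OPTION_PAYLOAD:
        raise ValueError(
            f"payload is {len(payload)} bytes; a single DHCP option carries "
            f"at most {MAX_OPTION_PAYLOAD}")
    return bytes(payload)


def decode_routes(payload: bytes) -> List[Route]:
    """Parse an RFC 3442 payload back into (cidr, gateway) pairs.

    Rejects prefix lengths above 32 and truncated records.
    """
    payload = bytes(payload)
    routes: List[Route] = []
    i = 0
    while i < len(payload):
        width = payload[i]
        i += 1
        if width > 32:
            raise ValueError(f"invalid prefix length {width} at offset {i - 1}")
        significant = (width + 7) // 8
        if i + significant + 4 > len(payload):
            raise ValueError(f"truncated route record at offset {i - 1}")
        dest = payload[i:i + significant] + b"\x00" * (4 - significant)
        i += significant
        gateway = ipaddress.IPv4Address(payload[i:i + 4])
        i += 4
        # strict=False masks host bits a sloppy sender left in the transmitted
        # octets rather than failing on them
        net = ipaddress.IPv4Network((dest, width), strict=False)
        routes.append((str(net), str(gateway)))
    return routes


def build_option(code: int, routes: List[Route]) -> bytes:
    """Full option TLV (code, length, payload) as it appears in a DHCP packet."""
    payload = encode_routes(routes)
    return bytes([code, len(payload)]) + payload


def parse_option(blob: bytes) -> Tuple[int, List[Route]]:
    """Inverse of build_option; checks the length byte against the data."""
    blob = bytes(blob)
    if len(blob) < 2 or len(blob) != 2 + blob[1]:
        raise ValueError("option length byte does not match the data")
    return blob[0], decode_routes(blob[2:])


if __name__ == "__main__":
    opt = build_option(OPTION_MS_CLASSLESS_STATIC_ROUTE, EXAMPLE_ROUTES)
    print("option 249 TLV:", opt.hex())
    print("decoded:", parse_option(opt))
```

Two things worth checking before pushing this out. RFC 3442 requires a client that receives option 121 to ignore the Router option (3) entirely, which is why the sample list carries an explicit 0.0.0.0/0 pointing at the ASA; whether a given client applies the same rule to option 249 should be verified, and including the default route costs nothing either way. And because the whole list is delivered as one option, the payload must stay under 256 bytes, which the encoder enforces rather than letting a long route list be silently cut.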