vlanning

Ok, I have the following:

Cisco 1921
Cisco ASA 5505
HP 2910 24port POE (vlan1 on 192.168.3.4) (vlan20 on 192.168.100.1)
Cisco Unmanaged

The ASA has fe0/0 going to the cisco 1921
Fe0/1 is on vlan1 going to the cisco unmanaged (for pcs)
fe0/2 is on vlan20 going to the HP switch on vlan20

We are unable to ping between the networks/vlans.

But when connecting the switches together it seems to be working fine.

What are the consequences of the switches being connected and how should it be configured correctly?

Thanks
CHI-LTDAsked:

peeaCommented:
"But when connecting the switches together it seems to be working fine."

Which ports were used to connect the HP and Cisco switches?
0
CHI-LTDAuthor Commented:
Port 24 of the unmanaged cisco to port 1 (vlan1) of the HP switch...
0
Steven CarnahanNetwork ManagerCommented:
Try adding to the ASA firewall:

static (<vlan1>,<vlan20>) 192.168.3.0 192.168.3.0 255.255.255.0
static (<vlan20>,<vlan1>) 192.168.100.0 192.168.100.0 255.255.255.0

put the name of your 2 vlans in place of the <vlanx>'s above
0
peeaCommented:
"Port 24 of the unmanaged cisco to port 1 (vlan1) of the HP switch..."

This way actually puts the two VLANs into the same broadcasting domain which is not recommended.

"We are unable to ping between the networks/vlans."

From which subnet did you ping the hosts on the two VLANs?
0
CHI-LTDAuthor Commented:
Sorry, forgot to add that the ASA is talking to the 2x vlans ok..
0
CHI-LTDAuthor Commented:
When switches connected I could ping from PC.
When switches connected directly to ASA I couldn't ping the HP switch at all on 3.1 or 100.1?
0
CHI-LTDAuthor Commented:
To confirm.
Vlan01 on the ASA is on 192.168.3.0/32 (255.255.255.0)
vlan20 on ASA is on 192.168.100.0/32 (255.255.255.0)

GW of clients is the ASA on 192.168.3.1
vlan01 interface 192.168.3.1
vlan20 interface 192.168.100.1
0
Steven CarnahanNetwork ManagerCommented:
Sample ASA config:

interface Ethernet0/0
 description LAN
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1
 vlan cisco
 nameif inside
 security-level 100
 ip address 192.168.3.4 255.255.255.0
!
interface Ethernet0/2
 vlan 3
 nameif hp
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
global (outside) 1 interface
nat (cisco) 1 192.168.3.0 255.255.255.0
nat (hp) 1 192.168.100.0 255.255.255.0

static (<vlan1>,<vlan20>) 192.168.3.0 192.168.3.0 255.255.255.0
static (<vlan20>,<vlan1>) 192.168.100.0 192.168.100.0 255.255.255.0

You’ll need a separate static for each subint-to-subint (vlan-to-vlan) connection. For each one, the first sub-int specified is the one whose IP network you need to enter twice in the static statement.
0
Fred MarshallPrincipalCommented:
Rather than get into the details of the specific equipment, perhaps it would make sense to look at a broader perspective:

Here are the "definitions" that I use to help me parse things like this:
- a LAN is a physical thing made up of copper wires, wireless links, unmanaged switches, etc.
Of course, managed switches doing nothing more than a dumb switch are included as are the internal "switches" in routers, etc.
Note that a LAN can carry traffic of multiple subnets.  It's not IP address aware at all.  This means that you can run two subnets on the same copper and through the same switches.
So, you have to be a little careful of calling a subnet a LAN or a LAN a subnet even though they are usually synonymous.
Because of this, physical separation of subnets has to be on separate copper wires and switches.  (This has little to do with routing).
- a VLAN, in its simplest form, is just what the name implies a "virtual LAN".  This means that you get "virtual copper" in the context of switches in particular.  The switch assures that one LAN is separated from another LAN and that switch ports belong to one or another.
Then, VLAN tagging allows consolidation of these LANs and subsequent separation in other switches (if they are VLAN capable).
And, if any interVLAN routing is possible, it may be done in particular switches.
... and this is where things get equipment specific.

Perhaps this is much too simple-minded of a model.  Part of my reason for sharing it is to stimulate this set of responses for you.

I'm not clear on what you mean by "it seems to be working fine".  
What's working fine?  Pinging between VLAN subnets?  That's my guess.
But since I have no idea what sort of routing is involved nor what subnet masks are being used then it's hard to say.
Here's an example:
One might *assume* that by quoting an address 192.168.3.xxx that you mean the subnet is 192.168.3.0/24.  Same thing with 192.168.100.xxx - that you're using 192.168.100.0/24.
If that's the case then there should be no effective communication between those subnets IF they are connected through a dumb switch - without some routing involved.
BUT, if the subnet mask is 255.255.0.0 then they will communicate IF they are physically connected.
The VLANs keep the "virtual physical" separation in the VLAN-capable switches.
The dumb switches won't do that.
So, running both VLANs into a single dumb switch will provide physical connection.
Perhaps that's what you meant by "connecting the switches" since one has but a single VLAN subnet and the other has the other single VLAN subnet AND connecting the switches runs them together in the dumb switch - eliminating the virtual physical separation.
How the subnets communicate then remains the question involving the subnet mask(s) and routing.

I have attached a paper that discusses some of this without VLANs being involved since they are more a convenience than a necessity.
How-Subnets-Work-in-Practice.pdf
0
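The mask-and-wiring argument in the comment above can be worked through in code. This is an added example, not part of any post in this thread: a small Python model of a host's forwarding decision, using the thread's subnets and ASA interface addresses; the two host addresses (.50) and all function names are constructed, and proxy ARP is assumed to be off.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Interface:
    ip: str
    mask: str
    segment: str                    # layer-2 broadcast domain it is plugged into
    gateway: Optional[str] = None   # default gateway (hosts only)

    def on_link(self, addr: str) -> bool:
        net = ipaddress.ip_network(f"{self.ip}/{self.mask}", strict=False)
        return ipaddress.ip_address(addr) in net


def one_way(src, dst, router):
    """How a packet from src reaches dst, or why it does not."""
    if src.on_link(dst.ip):
        # The mask says "same subnet", so src ARPs for dst directly.
        # ARP is a broadcast and never leaves the broadcast domain.
        if src.segment == dst.segment:
            return "direct"
        return "fail: ARP for peer unanswered"
    if src.gateway is None:
        return "fail: no gateway"
    # Otherwise the packet goes to the gateway, which must be on src's segment.
    ingress = [i for i in router if i.ip == src.gateway and i.segment == src.segment]
    if not ingress or not src.on_link(src.gateway):
        return "fail: gateway unreachable"
    # The router needs an interface in dst's subnet, on dst's segment.
    egress = [i for i in router if i.on_link(dst.ip) and i.segment == dst.segment]
    return "routed" if egress else "fail: router has no interface facing dst"


def ping(a, b, router=()):
    """A ping needs the request and the reply to get through."""
    out, back = one_way(a, b, router), one_way(b, a, router)
    ok = not out.startswith("fail") and not back.startswith("fail")
    return ok, out, back


def scenario(mask, merged, with_asa):
    """merged=True models the two switches cabled together (one broadcast domain)."""
    seg1, seg20 = ("lan", "lan") if merged else ("vlan1", "vlan20")
    asa = []
    if with_asa:  # ASA interface addresses as posted in the thread
        asa = [Interface("192.168.3.1", "255.255.255.0", seg1),
               Interface("192.168.100.254", "255.255.255.0", seg20)]
    pc = Interface("192.168.3.50", mask, seg1, "192.168.3.1")            # constructed host
    phone = Interface("192.168.100.50", mask, seg20, "192.168.100.254")  # constructed host
    return ping(pc, phone, asa)


if __name__ == "__main__":
    cases = [("255.255.255.0", False, True), ("255.255.255.0", True, False),
             ("255.255.0.0", True, False), ("255.255.0.0", False, True)]
    for mask, merged, with_asa in cases:
        print(f"mask={mask} merged={merged} asa={with_asa} ->",
              scenario(mask, merged, with_asa))
```

With /24 masks the two subnets only talk when a router has a leg in each broadcast domain; with /16 masks they talk directly, but only once the VLAN separation has been removed.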
CHI-LTDAuthor Commented:
@fmarshall: Working fine - yes, I can ping the interfaces on vlan20 and vlan1.  But I assume connecting the switches together defeats the object of having vlans!?
0
Steven CarnahanNetwork ManagerCommented:
With the Cisco being a "dumb" unmanaged switch it doesn't recognize VLAN's so technically speaking yes hooking them together defeats the object.  

Based on the description of what you have the entire VLAN process is taking place in the ASA between the two interfaces.
0
CHI-LTDAuthor Commented:
Yes, that's the plan, but not working at present.
0
CHI-LTDAuthor Commented:
To confirm.
Vlan01 on the ASA is on 192.168.3.0/24 (255.255.255.0)
vlan20 on ASA is on 192.168.100.0/24 (255.255.255.0)

GW of clients is the ASA on 192.168.3.1
vlan01 interface 192.168.3.1
vlan20 interface 192.168.100.1
0
CHI-LTDAuthor Commented:
Current switch config:

; J9146A Configuration Editor; Created on release #W.15.08.0012
; Ver #02:11.05:16
hostname "2910al_London"
module 1 type j9146a
power-over-ethernet pre-std-detect
ip authorized-managers 172.19.0.0 255.255.0.0 access manager
ip authorized-managers 192.168.2.0 255.255.255.0 access manager
ip authorized-managers 192.168.3.0 255.255.255.0 access manager
ip authorized-managers 172.16.0.0 255.255.0.0 access manager
ip default-gateway 192.168.3.1
no ip icmp redirects
ip route 0.0.0.0 0.0.0.0 192.168.3.1
ip routing
interface 1
   name "to firewall vlan20"
   no power-over-ethernet
   exit
interface 2
   no power-over-ethernet
   exit
snmp-server community "public" unrestricted
snmp-server contact "IT" location "London"
vlan 1
   name "DEFAULT_VLAN"
   no untagged 2-24
   untagged 1
   ip address 192.168.3.4 255.255.255.0
   exit
vlan 20
   name "Voice"
   untagged 2-24
   ip address 192.168.100.1 255.255.255.0
   exit
primary-vlan 20
no autorun
password manager
password operator
0
CHI-LTDAuthor Commented:
My firewall guy has confirmed packet tracer working also.
Cisco.jpg
0
Fred MarshallPrincipalCommented:
That's very helpful info.  Thanks....
So I'm still unclear as to what isn't working then?  Are you trying to achieve communication between the VLANs or not?
If so, then you'd need to add routes in the ASA such as:
192.168.3.0/24 to 192.168.100.1
and
192.168.100.0/24 to 192.168.3.1
Presumably this routing will not forward broadcast traffic - which would be one reason for two subnets.
It might help to know the overall objectives....

[earlier I used the term "dumb switch" when I probably should have said something like "unmanaged" or "simple" .. because a "smart switch" (i.e. not "dumb") will route traffic between ports without collisions and is pretty much the standard implementation for all switches today.]
0
Steven CarnahanNetwork ManagerCommented:
@fmarshall:

"[earlier I used the term "dumb switch" when I probably should have said something like "unmanaged" or "simple" .. because a "smart switch" (i.e. not "dumb") will route traffic between ports without collisions and is pretty much the standard implementation for all switches today.] "


:)

Now at the risk of having this post removed, there is a good article explaining what I have tried to convey at:    http://blog.braini.ac/?p=38 about Inter-VLAN routing on a Cisco ASA.  

We have one unmanaged Dell switch in our otherwise full managed Cisco environment. We use it for our training environment. We have basically the same set up with it and we had to do the VLAN control at the ASA as I (and the article) have described.
0
CHI-LTDAuthor Commented:
sorry it's unmanaged cisco
0
CHI-LTDAuthor Commented:
Ok, added ip route 0.0.0.0 0.0.0.0 192.168.100.1, changed default GW of the switch to 192.168.100.254 which is the fe0/2 interface on the ASA.

Disconnected link between the vlan1 interface on hp and cisco unmanaged.

Now cant ping the vlan01 interface 192.168.3.4 but can ping the vlan20 interface from a client on 192.168.3.4.
So looks like inter vlan routing on the switch isn't working..
0
CHI-LTDAuthor Commented:
Running configuration:

; J9146A Configuration Editor; Created on release #W.15.08.0012
; Ver #02:11.05:16
hostname "2910al_London"
module 1 type j9146a
power-over-ethernet pre-std-detect
ip authorized-managers 172.19.0.0 255.255.0.0 access manager
ip authorized-managers 192.168.2.0 255.255.255.0 access manager
ip authorized-managers 192.168.3.0 255.255.255.0 access manager
ip authorized-managers 172.16.0.0 255.255.0.0 access manager
ip default-gateway 192.168.100.254
no ip icmp redirects
ip route 0.0.0.0 0.0.0.0 192.168.3.1
ip route 0.0.0.0 0.0.0.0 192.168.100.254
ip routing
interface 1
   name "to cisco switch vlan01"
   no power-over-ethernet
   exit
interface 2
   name "to asa on fe0/1 (vlan20)"
   no power-over-ethernet
   exit
snmp-server community "public" unrestricted
snmp-server contact "IT" location "London"
vlan 1
   name "DEFAULT_VLAN"
   no untagged 2-24
   untagged 1
   ip address 192.168.3.4 255.255.255.0
   exit
vlan 20
   name "Voice"
   untagged 2-24
   ip address 192.168.100.1 255.255.255.0
   exit
primary-vlan 20
no autorun
password manager
password operator
0
Fred MarshallPrincipalCommented:
I don't know the ASA config code very well but I don't see any interVLAN routes there....
0
Steven CarnahanNetwork ManagerCommented:
Is that the config for the managed HP switch or the ASA?
0
Sandeep GuptaConsultantCommented:
CHI,

you always keep busy EE experts!!!!

cheers
0
CHI-LTDAuthor Commented:
Its the HP config...
will get the asa config too
0
CHI-LTDAuthor Commented:
interface config of the asa:


interface Vlan1
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 'external ip' 255.255.255.0
!
interface Vlan20
nameif voice
security-level 100
ip address 192.168.100.254 255.255.255.0
0
CHI-LTDAuthor Commented:
and on the switch gui (hp) i am unable to ping the vlan1 interface of 192.168.3.1.
0
CHI-LTDAuthor Commented:
however, i can telnet and ping into the vlan20 interface 192.168.100.1 from a machine on the unmanaged cisco thats on vlan1...  So i assume routing is working to a point?
0
Steven CarnahanNetwork ManagerCommented:
Try this on the ASA:

interface Vlan1
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 'external ip' 255.255.255.0
!
interface Vlan20
nameif voice
security-level 100
ip address 192.168.100.254 255.255.255.0 

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
global (outside) 1 interface
nat (inside) 1 192.168.3.0 255.255.255.0
nat (voice) 1 192.168.100.0 255.255.255.0

static (inside,voice) 192.168.3.0 192.168.3.0 255.255.255.0
static (voice,inside) 192.168.100.0 192.168.100.0 255.255.255.0

0
Fred MarshallPrincipalCommented:
"however, i can telnet and ping into the vlan20 interface 192.168.100.1 from a machine on the unmanaged cisco thats on vlan1...  So i assume routing is working to a point?"
Maybe all this means is that the ASA knows where 192.168.100.1 is located because it's right there on the same machine.  HOWEVER, how is it supposed to know where 192.168.100.0/24 is to be reached otherwise?  I've suggested adding routes to accomplish this if that's what you want to do.
0
Sandeep GuptaConsultantCommented:
I am sharing HP & cisco box config doc..hope this may help.
HP-CISCO-configurations-guide.pdf
0
CHI-LTDAuthor Commented:
My guy has confirmed the following config:

interface Vlan1
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address external 255.255.255.0
!
interface Vlan20
nameif voice
security-level 100
ip address 192.168.100.254 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

is in there already, I have no nat rules set for the internal LAN’s which is correct.

nat (inside) 0 access-list INSIDE-NO_NAT
nat (inside) 1 0.0.0.0 0.0.0.0
nat (voice) 0 access-list INSIDE-NO_NAT
nat (voice) 1 0.0.0.0 0.0.0.0

access-list INSIDE-NO_NAT extended permit ip 192.168.3.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list INSIDE-NO_NAT extended permit ip 192.168.100.0 255.255.255.0 192.168.3.0 255.255.255.0

NAT shouldn’t be necessary as they are internal

and no static rules set as they shouldn’t be necessary, however I can make the suggested changes if you would like to try them.
0
CHI-LTDAuthor Commented:
Changed the setup there to:

Cisco ASA fe0/1 (vlan1) -------> HP Switch Port1/vlan1 ---------> Hp Switch Port2/vlan1 -------> cisco unmanaged switch (untagged) -----------> PCs
Cisco ASA fe0/2 (vlan20) -------> HP Switch Port24/vlan20 ------> HP switch port3/vlan20 -------> phones


So we have tested further and can get DHCP ips on vlan1.  vlan20 doesn't pick up DHCP from the asa.
We also tried setting the port going from port2 on the hp on vlan1 to the unmanaged cisco switch (where the pcs are) and this resulted in the machines on the cisco losing connection to the lan.
currently the port is configured as a simple access port (i think).

Latest switch config:

Running configuration:

; J9146A Configuration Editor; Created on release #W.15.08.0012
; Ver #02:11.05:16
hostname "2910al_London"
module 1 type j9146a
power-over-ethernet pre-std-detect
ip authorized-managers 172.19.0.0 255.255.0.0 access manager
ip authorized-managers 192.168.2.0 255.255.255.0 access manager
ip authorized-managers 192.168.3.0 255.255.255.0 access manager
ip authorized-managers 172.16.0.0 255.255.0.0 access manager
ip default-gateway 192.168.100.254
no ip icmp redirects
ip route 0.0.0.0 0.0.0.0 192.168.100.254
ip routing
interface 1
   name "to ASA fe0/1 vlan1"
   exit
interface 2
   name "to cisco switch port 1"
   no power-over-ethernet
   exit
interface 5
   name "client test pc"
   exit
interface 15
   name "client test pc"
   exit
interface 24
   name "to ASA fe0/2 vlan20"
   exit
snmp-server community "public" unrestricted
snmp-server contact "IT" location "London"
vlan 1
   name "DEFAULT_VLAN"
   no untagged 6-24
   untagged 1-5
   ip address 192.168.3.4 255.255.255.0
   exit
vlan 20
   name "Voice"
   untagged 6-24
   ip address 192.168.100.1 255.255.255.0
   exit
primary-vlan 20
no autorun
password manager
password operator
0
Fred MarshallPrincipalCommented:
Apparently you still have the inter-VLAN access problem.  I still don't see any routes that go between subnets.
0
CHI-LTDAuthor Commented:
can you explain?
0
Fred MarshallPrincipalCommented:
In my comment (Posted on 2013-10-10 at 08:30:22, ID: 39562728) I said:

If so, then you'd need to add routes in the ASA such as:
192.168.3.0/24 to 192.168.100.1
and
192.168.100.0/24 to 192.168.3.1
0
jburgaardCommented:
How are the clients configured : where are the dgw's pointing, ASA or L3-sw? netmasks?
What does work now?
0
CHI-LTDAuthor Commented:
Ok, the latest is:

Clients (PCs) on the cisco unmanaged switch are working as are machines on the vlan1 on the HP switch.
The problem is that clients on the vlan20 (hp switch) are not working.  These are picking up dhcp ips from the asa but appear to be picking up the local ip address of the machine as its gateway.

The HP switch has 2x routes 0.0.0.0 0.0.0.0 192.168.100.254 and to 192.168.3.1 which are the asa interfaces.
0
jburgaardCommented:
Example of clients by DHCP
a) on vlan 20 ?
b) on vlan 1?
0
CHI-LTDAuthor Commented:
you want a screenshot of the machines TCPIP v4 details for each vlan?
0
CHI-LTDAuthor Commented:
0
jburgaardCommented:
fine picture, better than many words.
Is the vlan20 settings obtained from directly to ASA connected client?

'...These are picking up dhcp ips from the asa but appear to be picking up the local ip address of the machine as its gateway' ? in numbers how would that look?

'The problem is that clients on the vlan20 (hp switch) are not working'
ex when testing by pinging from x on y with IP=z, dgw=p to r on s with IP=t, dgw=u I get ...
however when ...
0
Fred MarshallPrincipalCommented:
I would help better if I understood what the IP addresses are.  I don't read (and interpret) ASA config's that well.

Presumably the gateways have to route to the 172.xxx.xxx.xxx DNS servers, is that right?
What devices have those 172...... addresses?

Still, how are the 192.xxx subnets routed together in the ASA????  Either there's something in the ASA config that I don't see or understand or it just isn't there.  Which is it?  No route, no path for pinging.
0
CHI-LTDAuthor Commented:
jburgaard: yes the ip details now coming from the ASA.
it was, but now the GW is correct.

Here is a diagram of how that site is setup.  

The 192.168.100.0 machines (in time phones) will need to get on the web and send/receive traffic over a VPN..
Network-Diagram-London.jpg
0
CHI-LTDAuthor Commented:
and is the HP config correct:?

Running configuration:

; J9146A Configuration Editor; Created on release #W.15.08.0012
; Ver #02:11.05:16
hostname "2910al_London"
module 1 type j9146a
power-over-ethernet pre-std-detect
ip authorized-managers 172.19.0.0 255.255.0.0 access manager
ip authorized-managers 192.168.2.0 255.255.255.0 access manager
ip authorized-managers 192.168.3.0 255.255.255.0 access manager
ip authorized-managers 172.16.0.0 255.255.0.0 access manager
ip default-gateway 192.168.100.254
no ip icmp redirects
ip route 0.0.0.0 0.0.0.0 192.168.3.1
ip route 0.0.0.0 0.0.0.0 192.168.100.254
ip routing
interface 1
   name "to ASA fe0/1 vlan1"
   exit
interface 2
   name "to cisco switch port 1"
   no power-over-ethernet
   exit
interface 5
   name "client test pc (vlan1)"
   exit
interface 15
   name "client test pc (vlan20)"
   exit
interface 24
   name "to ASA fe0/2 vlan20"
   exit
snmp-server community "public" unrestricted
snmp-server contact "IT" location "London"
vlan 1
   name "DEFAULT_VLAN"
   no untagged 6-24
   untagged 1-5
   ip address 192.168.3.4 255.255.255.0
   exit
vlan 20
   name "Voice"
   untagged 6-24
   ip address 192.168.100.1 255.255.255.0
   exit
primary-vlan 20
no autorun
password manager
password operator
0
jburgaardCommented:
When clients have ASA as DGW, it must be up to ASA to provide routing.
I guess the routing on the switch is history related to a setup prior to ID: 39570596 (2013-10-14 at 13:59:37)

But again: what is working and what is failing?
- in details please!
0
CHI-LTDAuthor Commented:
hosts on vlan20 on 192.168.100.0 cant get on the internet nor see machines locally on the LAN.  They can ping though...
0
jburgaardCommented:
'hosts on vlan20 on 192.168.100.0 cant get on the internet'
COULD be a missing route back on Cisco 1921 for network 192.168.100.0

'....nor see machines locally on the LAN.  They can ping though... '
not sure what you mean here..

As mentioned before: IF everything has DGW on ASA, then you do not need switch-routing and route-references to switch in ASA should not be there anymore (for THIS present setup).
0
CHI-LTDAuthor Commented:
Ok, so i will remove the 0.0.0.0 0.0.0.0 192.168.3.1 & 192.168.100.254 routes on the switch?
0
CHI-LTDAuthor Commented:
What i mean, is that clients are picking up DHCP addresses correctly on from the ASA but thats it.  unable to route out...
0
CHI-LTDAuthor Commented:
And do i need trunks between the unmanaged and managed switches?
0
jburgaardCommented:
'Ok, so i will remove the 0.0.0.0 0.0.0.0 192.168.3.1 & 192.168.100.254 routes on the switch?' Yes, and I would also remove the
IP Routing statement

when done: again try intervlan-routing to confirm this did not add to problems.

'And do i need trunks between the unmanaged and managed switches? ' no
0
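The advice in the comment above (remove the switch's default routes and its IP routing statement once every client uses the ASA as gateway) can be checked against a saved config. This is an added example, not code from any participant: a Python parser for the HP running-config format posted in this thread, run over an abridged copy of that config; the function names and finding wording are this example's own, and it assumes plain numeric port names as on the 2910al.

```python
import re

# Abridged from the HP 2910al running configuration posted in this thread.
SAMPLE_CONFIG = """\
ip default-gateway 192.168.100.254
ip route 0.0.0.0 0.0.0.0 192.168.3.1
ip route 0.0.0.0 0.0.0.0 192.168.100.254
ip routing
vlan 1
   name "DEFAULT_VLAN"
   no untagged 6-24
   untagged 1-5
   ip address 192.168.3.4 255.255.255.0
   exit
vlan 20
   name "Voice"
   untagged 6-24
   ip address 192.168.100.1 255.255.255.0
   exit
"""


def expand_ports(spec):
    """'1-5' or '1,3-5' -> set of port numbers."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse(config):
    state = {"ip_routing": False, "default_routes": [], "vlans": {}}
    vlan = None  # VLAN context we are currently inside, if any
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"vlan (\d+)", line):
            vlan = state["vlans"].setdefault(int(m[1]), {"untagged": set(), "ip": None})
        elif line == "exit":
            vlan = None
        elif vlan is not None and (m := re.fullmatch(r"untagged (\S+)", line)):
            vlan["untagged"] |= expand_ports(m[1])   # "no untagged ..." does not match
        elif vlan is not None and (m := re.fullmatch(r"ip address (\S+) (\S+)", line)):
            vlan["ip"] = (m[1], m[2])
        elif line == "ip routing":
            state["ip_routing"] = True
        elif m := re.fullmatch(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line):
            state["default_routes"].append(m[1])
    return state


def port_map(state):
    """port number -> VLAN it is an untagged member of."""
    return {p: vid for vid, d in state["vlans"].items() for p in d["untagged"]}


def audit(state):
    findings = []
    routed = sorted(v for v, d in state["vlans"].items() if d["ip"])
    if state["ip_routing"] and len(routed) > 1:
        findings.append(
            f"ip routing is on with addresses in VLANs {routed}: the switch "
            "forwards between them itself, so that traffic need not cross the ASA")
    hops = state["default_routes"]
    if len(set(hops)) > 1:
        findings.append(f"default routes with different next hops: {hops}")
    return findings


if __name__ == "__main__":
    parsed = parse(SAMPLE_CONFIG)
    for port, vid in sorted(port_map(parsed).items()):
        print(f"port {port:2d} -> vlan {vid}")
    for finding in audit(parsed):
        print("FINDING:", finding)
```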
CHI-LTDAuthor Commented:
and the gateway?
0
Fred MarshallPrincipalCommented:
We still don't know where the 172.xxx.xxx.xxx IP addresses are.
You still have not addressed the inter-VLAN routing in the ASA .. where is it?  Either it's not there or I don't see it in the config.  One or the other.

I believe, other than supporting your VLANs, the switches have nothing to do with anything here.  At least they should not.
0
CHI-LTDAuthor Commented:
Ok the Asa has been confirmed that's it's configured correctly.

So me thinks that the dgw of the clients should be the vlan interface ip instead of the Asa fe port?
0
Steven CarnahanNetwork ManagerCommented:
So this is basically the way I see what you have.

Since the Cisco is unmanaged all traffic flows to all ports from the ASA.

The two Vlans are isolated on the HP switch and therefore the ASA is still the location that has to handle the routing.

Am I missing something?
sample.vsd
0
CHI-LTDAuthor Commented:
thats what i have already uploaded, no different!?
0
CHI-LTDAuthor Commented:
we have removed the HP from the equation by plugging in a machine directly into the ASA fe0/2 (vlan20) and its got the same problems, no internet, no vpn connectivity...
0
Steven CarnahanNetwork ManagerCommented:
I am still confused - the original question was about talking between the two Vlans. Now it sounds like you are not trying to communicate between 192.168.3.x and 192.168.100.x but you want 192.168.100.x to be able to communicate to the 1921 and beyond? (internet/vpn)

Also, I compared what I posted and it is different from what you had. I had both switches connecting directly to the firewall where your diagram shows the Cisco connecting to the HP and it connecting to the firewall.
0
CHI-LTDAuthor Commented:
Oh sorry, its now been changed to reflect yours, eliminating the unmanaged switch.
So connected from the ASA vlan1 to vlan1 on HP switch and vlan2 on ASA to vlan20 on HP switch.

We currently can get DHCP IP from the ASA onto clients on the vlan1 and vlan20.
We also seem to be able to route/ping between the 2x clients.
Unable to route out to the web or over the VPN back to HQ (on vlan20 192.168.100.0)
0
Steven CarnahanNetwork ManagerCommented:
"The gateway is automatically set to the interface address. Because of this, the ASA DHCPD has a limited scope of functionality"

http://www.freeccnaworkbook.com/workbooks/ccna-security/cisco-asa-dhcp-services

Is this different from what you are seeing?

Are you able to see the router (1921) from the devices on Vlan20?
0
CHI-LTDAuthor Commented:
got there in the end.  was a problem with the vpn, thus the dns servers configured on site a couldn't communicate over the vpn to site b..

we still have the network exclamation mark on PC's on vlan1 though...  but they are routing
0