Brian E. (United States of America) asked:
Routing issue with Cisco 1800, 2 subnets and 1 internet connection

Hi all,

I have an issue that I cannot seem to work through. I have a Cisco ASA Firewall and a Cisco 1800 series router and 2 subnets connected (192.168.100.0/24 on int 0/1 and 192.168.101.0/24 on int 0/0).

I have the 2 networks talking between the 2 just fine. I will add that the 192.168.100.x/24 network was already in place and I put up the second one after the fact.

The 192.168.100.x network gets out to the firewall but the 192.168.101.x doesn't at all. If I get on the firewall I can ping and traceroute to any device on the 192.168.100.x network but not the other one. I know it's a routing issue but I'm confused about how I get the other subnet to route out. My route of last resort is:

ip route 0.0.0.0 0.0.0.0 192.168.100.253

Again, that was already in place, but I'm not sure if I can add another one without affecting the first subnet's outbound traffic. I will add that on the router there aren't any NAT rules. Any help you can give me would be greatly appreciated.
Steven Roman:

Hello

Where does the 192.168.101 network terminate? On the router? If so, is its default gateway the Firewall?
If so, does the Firewall have a route to the 192.168.101 network?

If the connection between FW and Router is 192.168.100.x, you may need a route for the FW to access the network and use the router as its next hop gateway, and for the network to get out.

Hope this helps.
Brian E. (asker):

Both terminate on the 1800 router. A little background on what I am doing and why. I've been at this company for about 6 months. This place has no infrastructure at all. No Active Directory, dumb switches, 10+ year old servers, Windows 2000 servers, etc. I am putting up all new switches, servers, AD, NAS, etc., replacing it all with new, updated equipment. So the existing network IP scheme was 192.168.100.x and I'm putting up the 192.168.101.x to replace the old one, and the old one will go away once I get everything implemented. Sounds fun, huh?

Anyway, back to my issue. I am a Checkpoint guy and have never used an ASA before, so in my Checkpoint I would add a static route for traffic to 192.168.101.x to go through the inside interface 192.168.100.x, but there aren't any static routes defined here at all. Eventually I do have an updated model of the ASA to put in its place, but until the other infrastructure is replaced I'm not wanting to replace this at the moment and break all the VPNs. I figure I'll break 1 thing at a time.

So, having said that, anyone that is familiar with the ASA and can guide me on how to accomplish the routes for this would be appreciated. I know the issue is between the firewall and the 1800 because I cannot ping or traceroute any node on the 192.168.101.x network but I can for the 192.168.100.x net.

Sorry for the long-winded response, but I wanted to paint as clear a picture as I could of what I am trying to accomplish here.
Hello,

So the ASA has an ASDM and a CLI interface.
Here is the CLI command to add the route:

route inside 192.168.101.0 255.255.255.0 192.168.100.x

This will add the route on the inside interface. I do not understand why the Firewall has a 0.0.0.0 pointing to 192.168.100.253. If .253 is the Firewall inside IP then this could be the transit network: Gateway --- Firewall.

You can add all 192.168.x.x/24 networks as routes from the Firewall to the 1800 and it will work fine. You just need to understand whose IP is whose.

Or am I mistaken?

What is the inside IP of the Firewall and its route?

Type show IP.
Also type sh route.

What is the IP of the Switch (or inside gateway device)?

Hope this helps

Thanks
OK, thanks for that. If I do all the 192.168.x.x/24 from the firewall, would it be just a "route inside 192.168.0.0 255.255.255.0"?
Hi,

Yes, but it may give you an error that it is directly connected.

Do it with 192.168.101.0/24 first to make sure it works. There may be something else at play here.
OK, please help me understand. In Checkpoint the log would tell you exactly what rule, whether it be a security rule or a NAT rule, it was getting hung up on. When I look at the log here all I am getting is:

6      Aug 04 2016      15:09:50      302020      192.168.101.235      1      8.8.8.8      0      Built outbound ICMP connection for faddr 8.8.8.8/0 gaddr 192.168.101.235/1 laddr 192.168.101.235/1

This isn't telling me anything except that the packets are making it to the firewall, but there has to be a rule it's getting hung up on and I can't tell where. If I do a packet trace with these same IPs it looks like it's working.
It's telling you it got out to the internet but not back towards the 192.168.101.x network.

Simple test:

Add a route for one host:

route inside 192.168.101.x 255.255.255.255 192.168.100.x (this is the next hop, the 1800 interface closest to the ASA)

Thanks
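To see why the 302020 "Built outbound ICMP connection" line above is not enough on its own, here is an added illustration (not from the thread or from Cisco): it parses the addresses out of that log line and runs the client address through a longest-prefix-match lookup against a constructed ASA routing table, once before and once after the suggested `route inside` is added. The outside next hop and the connected/default entries are assumptions modelled on the thread.

```python
import ipaddress
import re

# ASA syslog text quoted from the thread (message id 302020). gaddr == laddr,
# consistent with the asker's note that no NAT is applied to this subnet.
LOG_LINE = ("Built outbound ICMP connection for faddr 8.8.8.8/0 "
            "gaddr 192.168.101.235/1 laddr 192.168.101.235/1")

# Constructed ASA routing table before the fix: the inside/transit network is
# connected, everything else leaves via the default route. The outside next hop
# is a placeholder (TEST-NET-3 address), not a value from the thread.
ROUTES_BEFORE = [
    ("inside",  "192.168.100.0/24", "connected"),
    ("outside", "0.0.0.0/0",        "203.0.113.1"),
]

# Same table after the route the answer suggests:
#   route inside 192.168.101.0 255.255.255.0 192.168.100.254
ROUTES_AFTER = ROUTES_BEFORE + [("inside", "192.168.101.0/24", "192.168.100.254")]


def parse_302020(line):
    """Pull faddr/gaddr/laddr out of a 302020 'Built ... connection' message."""
    m = re.search(r"faddr (\S+)/\d+ gaddr (\S+)/\d+ laddr (\S+)/\d+", line)
    if not m:
        raise ValueError("not a 302020 connection message")
    faddr, gaddr, laddr = m.groups()
    return {"faddr": faddr, "gaddr": gaddr, "laddr": laddr}


def lookup(routes, dst):
    """Longest-prefix match: returns (interface, network, next hop) or None."""
    ip = ipaddress.ip_address(dst)
    best = None
    for iface, prefix, nexthop in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (iface, net, nexthop)
    return best


def reply_interface(routes, line):
    """Interface and next hop the ASA would use to send the reply back to laddr."""
    laddr = parse_302020(line)["laddr"]
    iface, net, nexthop = lookup(routes, laddr)
    return iface, str(net), nexthop


if __name__ == "__main__":
    print("before:", reply_interface(ROUTES_BEFORE, LOG_LINE))  # default route -> outside
    print("after: ", reply_interface(ROUTES_AFTER, LOG_LINE))   # /24 route -> inside
```

Before the route exists, the only match for 192.168.101.235 is the default route, so the reply is sent back out the outside interface and never reaches the 1800; the connection is still "built", which is all the 302020 message records.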
You're a genius :) Thanks, that worked. Now I can just change that last route to 192.168.101.0/24 and point it to 192.168.100.254 and it should work, correct?
I just changed that route and the entire network is working! Again, thank you so much, you saved me a lot of hassle.