Thomas Jacoberger
asked on
Physically Connect Two Cisco ASAs and Route VLANs.
I have two Cisco ASAs.
Both in the same office.
1. Cisco ASA 5508-x
2. Cisco ASA 5506-x
Each ASA has a different ISP connected to the Outside interface.
Each ASA has multiple internal vLans.
I need to physically connect the devices to one another and setup routes between vLans on each device.
I have assigned two of the interfaces the following IP addresses:
5508 Interface 8 - 10.10.111.1/24
5506 Interface 4 - 10.10.111.2/24
I have directly connected the interfaces with an ethernet cable. I can ping across from interface to interface successfully, but the other vLans on either ASA cannot ping each other.
Can I accomplish my goal with this physical setup? If so, what am I missing?
First you need to add a route to the networks on each ASA to each ASA. Then you need to create an access list on each ASA allowing that traffic between the two.
ASKER
Can you give me an example?
ASDM or command line? ASDM is easier but I can show you both.
ASKER
CLI please. Let me know if you need to see both configs.
ASKER CERTIFIED SOLUTION
ASKER
Thanks for your help, but I still cannot ping across. Here is what I have.
ASA1
I haven't done anything on ASA 2 yet.
ASAs are connected directly from interface to interface with an ethernet cable.
interface GigabitEthernet1/2
 nameif kub1
 security-level 100
 ip address 10.7.7.1 255.255.255.0
!
interface GigabitEthernet1/3
 nameif kub2
 security-level 100
 ip address 10.7.8.1 255.255.255.0
!
interface GigabitEthernet1/4
 nameif kub-route2
 security-level 100
 ip address 10.10.111.2 255.255.255.0
!
object network kub1-lan
 subnet 10.7.7.0 255.255.255.0
object network kub2-lan
 subnet 10.7.8.0 255.255.255.0
object-group network kub-lans
 network-object object kub1-lan
 network-object object kub2-lan
!
access-list kub1_access_out extended permit icmp any any
access-list kub1_access_out extended permit ip any any
access-list kub1_access_out extended permit icmp any any echo-reply
access-list kub2_access_out extended permit icmp any any
access-list kub2_access_out extended permit ip any any
access-list kub2_access_out extended permit icmp any any echo-reply
!
nat (kub1,kub-route2) source static kub-lans kub-lans
nat (kub2,kub-route2) source static kub-lans kub-lans
!
access-group kub1_access_out in interface kub1
access-group kub2_access_out in interface kub2
!
route kub-route2 10.10.101.0 255.255.255.0 10.10.111.1 1
route kub-route2 10.10.200.0 255.255.255.0 10.10.111.1 1
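The posted config covers only ASA 1; the other half of the two-step answer given earlier in the thread (a route on each ASA to the networks behind the other, plus an access list) is the mirror configuration on ASA 2, the 5508-X whose interface 8 holds 10.10.111.1. The following is an added example, not configuration from the thread: the link address, the 10.10.111.0/24 link, and the four LAN subnets are taken from the posts above, while the interface names (asa-link, lan101, lan200) and object names are assumptions. It also includes the two checks that the posted ASA 1 config leaves implicit: `same-security-traffic permit inter-interface`, which the ASA requires before it will forward between interfaces that all sit at security-level 100, and identity NAT so the inter-ASA traffic is never caught by the dynamic PAT toward the ISP. The access lists are written tighter than the `permit ip any any` used on ASA 1, scoped to the two sites' LANs.

```cisco
! ASA 2 (5508-X), added example. Interface and object names are assumed;
! addresses and subnets come from the thread.
interface GigabitEthernet1/8
 nameif asa-link
 security-level 100
 ip address 10.10.111.1 255.255.255.0
!
! Required when the inter-ASA link and the LAN interfaces share a security
! level; without it the ASA silently drops traffic between them.
same-security-traffic permit inter-interface
!
! Local subnets behind this ASA (from the routes in the ASA 1 config).
object network lan101-net
 subnet 10.10.101.0 255.255.255.0
object network lan200-net
 subnet 10.10.200.0 255.255.255.0
object-group network local-lans
 network-object object lan101-net
 network-object object lan200-net
!
! Remote subnets behind ASA 1 (kub1 and kub2).
object network kub1-net
 subnet 10.7.7.0 255.255.255.0
object network kub2-net
 subnet 10.7.8.0 255.255.255.0
object-group network remote-lans
 network-object object kub1-net
 network-object object kub2-net
!
! Return routes for BOTH subnets behind ASA 1, via its link address.
! A missing entry here shows up as exactly one remote subnet being unreachable.
route asa-link 10.7.7.0 255.255.255.0 10.10.111.2 1
route asa-link 10.7.8.0 255.255.255.0 10.10.111.2 1
!
! Identity (no-translation) NAT for inter-ASA traffic, one rule per LAN
! interface, so the ISP-facing PAT rule never rewrites these flows.
nat (lan101,asa-link) source static local-lans local-lans destination static remote-lans remote-lans no-proxy-arp route-lookup
nat (lan200,asa-link) source static local-lans local-lans destination static remote-lans remote-lans no-proxy-arp route-lookup
!
! Inbound policy on each LAN interface: only the two sites' LANs may cross
! the link. Add the application ports you actually need alongside ICMP.
access-list lan101_access_in extended permit icmp object-group local-lans object-group remote-lans
access-list lan200_access_in extended permit icmp object-group local-lans object-group remote-lans
access-group lan101_access_in in interface lan101
access-group lan200_access_in in interface lan200
!
! Inbound policy on the link itself, for traffic arriving from ASA 1.
access-list asa-link_access_in extended permit icmp object-group remote-lans object-group local-lans
access-group asa-link_access_in in interface asa-link
!
! Verification, run from enable mode on each ASA. packet-tracer walks a
! simulated packet through route lookup, ACL and NAT and names the phase
! that drops it, which is faster than guessing from a failed ping.
! show route
! show nat detail
! packet-tracer input lan200 icmp 10.10.200.10 8 0 10.7.8.10 detailed
```

The same `packet-tracer` check on ASA 1 (`packet-tracer input kub2 icmp 10.7.8.10 8 0 10.10.101.10 detailed`) pins down which side is dropping a flow that works in one direction only. If `inspect icmp` is enabled under the global policy (`policy-map global_policy`, `class inspection_default`, `inspect icmp`), the ASA tracks echo requests statefully and the explicit `echo-reply` entries in the ASA 1 access lists are no longer needed; without it, every interface the reply enters needs an ACL entry that admits it.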
Did you configure the other side's ASA as well?
ASKER
Haha, just did that and we are good. Thank you for pointing me in the right direction.
You're absolutely welcome sir!
ASKER
Ok, so it's almost working.
I can ping 10.10.200.0/24 from 10.7.7.0/24 and vice versa, but I can't ping
10.10.101.0/24 from either network 10.7.7.0/24 or 10.7.8.0/24
I also can't ping the 10.7.8.0/24 from 10.10.200.0/24 or 10.10.101.0/24
Any ideas?
ASKER
Never mind. I got it.
Thanks again.