Need help on routing

Answered Question
Feb 20th, 2007

Hi

I have the setup as below.

3750 (vlan 2,3,4,5) --> ASA --> 1700 router --> VPN to Remote site

vlan2- 10.1.100.1/24 (user)

vlan3- 10.1.101.1/24 (server)

vlan4- 10.1.1.1/24 (WAN segment) - the ASA inside interface is connected to gig1/0/10 on the 3750, which is configured as an access port. Gig1/0/10 is assigned to vlan4

vlan 5 - 10.1.102.1/24 (management)

I am using static routes throughout the whole network.

The 3750 default route is the ASA inside IP.

The ASA default route is the 1700 router.

There is a VPN between the 1700 router and the remote site.

1. Can the port gig1/0/10 connecting the 3750 to the ASA be configured as an access port, or should it be a trunk port?

2. As I am using static routes to the remote networks through the VPN, do all the routes need to be configured on every device in the path, e.g. on the 3750, ASA and 1700 devices?

3. Do the ASA and the router need to have the routes for the internal vlans?

4. Do I have to use "switchport trunk allowed vlan all" command on 3750?

Thank you

Danilo Dy Tue, 02/20/2007 - 07:18

1. Depends; if you need to put security between vlans you can trunk it using 802.1Q and create subinterfaces in the ASA.

2. You need to put it in the 1700 and also in the ACL for the VPN.

3. If you follow step 1, no need since the 1700 DG is the ASA. If not, the ASA needs a static route pointing to the 3750.

Correct Answer
Jon Marshall Tue, 02/20/2007 - 07:21

Hi

1) If you want the ASA to firewall between the vlans, yes, it should be a trunk. If you want all traffic to vlans other than 4 to route via your 3750, then no.

2) No, if your default routes are pointing to the next-hop devices. The 1700 doesn't need a route either, as the VPN crypto access-list will pick up the traffic.

3) The ASA will if you are not running a trunk. The 1700 router will also.

HTH

Jon
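
The two designs Jon and Danilo describe (access port with the 3750 routing between VLANs, versus an 802.1Q trunk with the ASA firewalling between VLANs) side by side, as an added configuration example that is not part of the thread. The ASA syntax assumes a 5510-class ASA running 7.x; the ASA inside address 10.1.1.254, the interface names and the security levels are constructed for the example, since the thread only gives the 3750's VLAN addresses:

```cisco
! ---- Option A: 3750 routes between VLANs, ASA sees only the VLAN 4 segment ----
! 3750 (Layer 3 switch). Assumption (constructed): the 3750 owns 10.1.1.1 on
! VLAN 4 and the ASA inside interface is 10.1.1.254.
ip routing
!
interface GigabitEthernet1/0/10
 description Uplink to ASA inside (single VLAN, untagged)
 switchport mode access
 switchport access vlan 4
 spanning-tree portfast
!
interface Vlan4
 description WAN segment toward ASA
 ip address 10.1.1.1 255.255.255.0
!
! One default route is enough: VLANs 2, 3 and 5 are connected SVIs on the 3750,
! so only "everything else" needs a next hop.
ip route 0.0.0.0 0.0.0.0 10.1.1.254
!
! ASA. It is not directly connected to VLANs 2, 3 and 5, so it needs a return
! route for them; a summary back to the 3750 covers all of 10.1.x.x.
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.254 255.255.255.0
 no shutdown
!
route inside 10.1.0.0 255.255.0.0 10.1.1.1 1

! ---- Option B: ASA firewalls between VLANs (802.1Q trunk + ASA subinterfaces) ----
! 3750: on this platform the encapsulation must be set before "switchport mode
! trunk" is accepted. Listing the VLANs explicitly instead of "allowed vlan all"
! keeps an unrelated VLAN from reaching the firewall by accident.
interface GigabitEthernet1/0/10
 description Trunk to ASA
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 2,3,5
 switchport nonegotiate
!
! In this design the ASA subinterface is the default gateway of each VLAN, so
! the 3750 must not also hold the .1 address on those VLANs (remove the SVIs).
!
! ASA: the physical port carries no address; one subinterface per VLAN.
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface Ethernet0/1.2
 vlan 2
 nameif users
 security-level 50
 ip address 10.1.100.1 255.255.255.0
!
interface Ethernet0/1.3
 vlan 3
 nameif servers
 security-level 70
 ip address 10.1.101.1 255.255.255.0
!
interface Ethernet0/1.5
 vlan 5
 nameif mgmt
 security-level 100
 ip address 10.1.102.1 255.255.255.0
!
! No "route inside" summary is needed now: every VLAN is a connected network on
! the ASA. Traffic from a lower to a higher security level (users -> servers)
! is dropped until an access-list on the lower interface permits it.
```

Option A is what the original poster ends up choosing, since no filtering between the internal VLANs is wanted. Option B buys inter-VLAN filtering at the cost of pushing all inter-VLAN traffic through the ASA, so the firewall's throughput becomes the ceiling for user-to-server traffic.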

sarat1317 Tue, 02/20/2007 - 07:41

Thanks for the quick response.

I am sorry, the default route on the ASA is to a different network, as I have another network configured on the same ASA. I don't think I can configure 2 default routes on the ASA, right?

eg - route outside 0.0.0.0 0.0.0.0 x.x.x.x

route outside1 0.0.0.0 0.0.0.0 y.y.y.y

1. I do not need any security between the vlans as they are all internal. All the internal traffic is routed through the 3750, so this will be an access port as you advised.

2. As I do not have the default route to the 1700 from the ASA, I believe I need the static routes on the 1700 for the remote networks. In any case, if I do not want to do the routing on the 1700, can I do the routing for the remote networks on the 3750 and add the static routes there? If I do this, I think I also need the static routes on the ASA as well.

Can you please provide a sample config on the 1700 router for the VPN crypto ACL?

3. route inside 10.1.0.0 255.255.0.0 10.1.1.1 - on ASA

ip route 10.1.0.0 255.255.255.0 - on 1700 router

Thanks

Jon Marshall Tue, 02/20/2007 - 13:16

Hi

You shouldn't have 2 default routes on the ASA.

2) When you say remote networks, do you mean remote networks via the VPN? In which case the 1700 will not need a route to these remote networks. But the ASA will need routes pointing to the 1700 if the 1700 is not the default gateway for the ASA (still a little unclear about this).

3) Yes you will need these routes so the 1700 and the ASA device know how to get to all your internal networks.

Is the VPN up and running at the moment?

Jon
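
The sample the original poster asked for in the previous post (a 1700 crypto ACL) together with the routes Jon describes here (a specific route on the ASA toward the 1700 instead of a second default route, and a return route on the 1700 for the internal VLANs), as an added example that is not from the thread or from the linked Cisco document. All addresses other than 10.1.0.0/16 are constructed or placeholders: the ASA interface facing the 1700 is named "vpnlink" on 10.1.2.0/24 (ASA .1, 1700 .2), the remote site LAN is 192.168.50.0/24, and peer, key and ISP values are placeholders to be filled in:

```cisco
! ---- ASA: specific route for the remote VPN LAN via the 1700 ----
! Constructed: interface toward the 1700 is "vpnlink" (10.1.2.1), 1700 is 10.1.2.2,
! remote site LAN is 192.168.50.0/24. The existing default route stays as it is;
! only the remote prefix is steered at the 1700.
interface Ethernet0/2
 nameif vpnlink
 security-level 50
 ip address 10.1.2.1 255.255.255.0
 no shutdown
!
route inside  10.1.0.0     255.255.0.0   10.1.1.1 1
route vpnlink 192.168.50.0 255.255.255.0 10.1.2.2 1

! ---- 1700: IOS site-to-site IPsec (IKEv1 / crypto map) ----
! Interface names are constructed; check "show ip interface brief" on the router.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address <REMOTE-PEER-IP-PLACEHOLDER>
!
crypto ipsec transform-set TS-AES-SHA esp-aes esp-sha-hmac
!
! Crypto ACL ("interesting traffic"): source is every internal VLAN behind the
! ASA (10.1.0.0/16, wildcard form), destination is the remote LAN. The remote
! peer's crypto ACL must be the exact mirror image.
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 192.168.50.0 0.0.0.255
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer <REMOTE-PEER-IP-PLACEHOLDER>
 set transform-set TS-AES-SHA
 match address VPN-TRAFFIC
!
interface FastEthernet0
 description Internet-facing (crypto map applied here)
 ip address <OUTSIDE-IP-PLACEHOLDER> <OUTSIDE-MASK-PLACEHOLDER>
 crypto map VPN-MAP
!
interface FastEthernet1
 description Link to ASA vpnlink
 ip address 10.1.2.2 255.255.255.0
!
! No route for 192.168.50.0/24 is needed: the default route sends it out
! FastEthernet0, where the crypto map matches it and encrypts it.
ip route 0.0.0.0 0.0.0.0 <ISP-NEXT-HOP-PLACEHOLDER>
! The return route IS needed: decrypted replies for 10.1.x.x must go back to the
! ASA, not follow the default route to the ISP.
ip route 10.1.0.0 255.255.0.0 10.1.2.1
```

Two checks worth doing once this is in place: the ASA must not translate the 10.1.0.0/16 to 192.168.50.0/24 traffic on its way to the 1700 (if NAT is configured on that interface, exempt this pair with a nat 0 access-list), because a translated source address will never match the crypto ACL; and on the 1700, "show crypto isakmp sa" and "show crypto ipsec sa" show whether phase 1 and phase 2 come up and whether the encaps/decaps counters move when a host in 10.1.100.0/24 pings the remote LAN.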

sarat1317 Thu, 02/22/2007 - 11:16

Hi Jon

Thanks for the reply. I have attached a diagram and some commands. Can you please advise if I have to make any changes to it, or if there is a better way to configure it?

I followed this link. http://cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00800946b8.shtml

From the link above, ACL 103 is only used for incoming traffic from 'Fred', right?

My VPN is not up at the moment.

Thanks for your time

Sarat
