Configuration for private IP address

Unanswered Question
Jul 8th, 2010

My inside interface of the ASA is 10.10.10.1.  Some of the servers have the private IP address of 192.168.100.0.  Other servers have another private IP address 172.16.20.0.  Is it possible to configure so that these servers communicate with each other?  For example, I want to be able to ping from Server A with the private IP address of 192.168.100.10 to Server B with IP address 172.16.20.5.  Also, is it possible to configure these servers so that they can get on the internet?


Thanks

Jennifer Halim Thu, 07/08/2010 - 22:57

Yes, you can definitely configure the different internal subnets to communicate with each other, and also for those networks to access the internet.

How is each of the internal subnets connected at the moment? Is their default gateway configured as the ASA interface, or do you have an internal router or L3 switch to do the routing?

laurabolda Fri, 07/09/2010 - 14:48

Thanks for your prompt response, Halijenn.  All internal subnets are connected to Cisco 6509.  The default gateway of each internal network is configured on the Cisco 3750.  The Cisco 3750 does the routing.  The default gateway of the ASA is configured on Cisco 3750.  Let me know if I still have not answered your questions or need additional information.  Thanks.

                                                           internet
                                                              ^
                                                              |
                                                              |
internal networks ----> Cisco 6509 ---> Cisco 3750
                                                              ^
                                                              |
                                                              |
                                                             ASA

Jennifer Halim Sat, 07/10/2010 - 01:05

Thanks for the description. It's clear now.

For communication between internal networks as per the current design, it should already be working (i.e., all internal networks should be able to communicate with each other through the inter-VLAN routing on the 3750).

For internet access from all the internal networks, you would need to configure the following on the ASA:

1) Routes for all the internal subnets towards the 3750.

2) NAT statement for all the internal subnets so it gets PAT to either a spare public IP address or the outside interface IP address for internet access.

3) If you have ACL configured on the inside interface, you would also need to allow all the internal subnets access to the Internet.

Hope that helps.

laurabolda Sat, 07/10/2010 - 17:49

Halijenn,

Thanks for your prompt response and information.  Is it possible to write me the sample configurations?  Thanks.

Jennifer Halim Sat, 07/10/2010 - 18:03

Here is what can be configured on the ASA:

1) Routes for all the internal subnets towards the 3750:

Below, 10.10.10.x should be substituted with the 3750 IP address which is connected to the ASA inside of 10.10.10.1

route inside 192.168.100.0 255.255.255.0 10.10.10.x

route inside 172.16.20.0 255.255.255.0 10.10.10.x

2) NAT statement for all the internal subnets so it gets PAT to either a spare public IP address or the outside interface IP address for internet access:

-- If you already have "nat (inside) 1 0 0" and "global (outside) 1 interface", you don't have to configure anything anymore.

-- If you haven't had the above, then you can configure the following accordingly:

nat (inside) 1 192.168.100.0 255.255.255.0

nat (inside) 1 172.16.20.0 255.255.255.0

global (outside) 1 interface

3) If you have ACL configured on the inside interface, you would also need to allow all the internal subnets access to the Internet:

-- Check "sh run access-group", and see if there is any access-list applied to the inside interface. If there is, configure ACL to add the new subnets:

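! <acl-name> is a placeholder for the ACL name reported by "sh run access-group"
access-list <acl-name> permit ip 192.168.100.0 255.255.255.0 any

access-list <acl-name> permit ip 172.16.20.0 255.255.255.0 any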

Here is a sample config that might help too:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094769.shtml
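
One way to check a saved ASA running-config against the three steps in the answer above (route, NAT/global pair, inside ACL), as an added example that is not part of the thread or any Cisco tooling. It assumes the pre-8.3 `nat`/`global` syntax used in the reply; the sample config, the next hop 10.10.10.2 and the ACL name inside_in are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of a pre-8.3 running-config. The next hop 10.10.10.2 and
# the ACL name inside_in are assumptions, not values from the thread.
SAMPLE_CONFIG = """\
route inside 192.168.100.0 255.255.255.0 10.10.10.2
nat (inside) 1 192.168.100.0 255.255.255.0
global (outside) 1 interface
access-group inside_in in interface inside
access-list inside_in extended permit ip 192.168.100.0 255.255.255.0 any
"""

def _net(addr, mask):
    # "0 0" is the ASA shorthand for 0.0.0.0 0.0.0.0 (any network)
    if mask in ("0", "0.0.0.0"):
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def audit(config, subnets, inside="inside", outside="outside"):
    """Return {subnet: [missing steps]} for the three steps in the answer."""
    routes, nats, pat_ids, permits, acl = [], {}, set(), [], None
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["route", inside] and len(t) >= 5:
            routes.append(_net(t[2], t[3]))
        elif t[:2] == ["nat", f"({inside})"] and len(t) >= 5 and t[3][0].isdigit():
            if t[2] != "0":  # nat id 0 is NAT exemption, not translation
                nats.setdefault(t[2], []).append(_net(t[3], t[4]))
        elif t[:2] == ["global", f"({outside})"] and len(t) >= 4:
            pat_ids.add(t[2])
        elif t[:1] == ["access-group"] and t[2:] == ["in", "interface", inside]:
            acl = t[1]
    if acl:  # only permit entries are collected; deny ordering is not evaluated
        pat = (rf"^access-list {re.escape(acl)} (?:extended )?permit ip "
               r"(?:any|(\d\S*) (\d\S*)) any\s*$")
        for m in re.finditer(pat, config, re.M):
            permits.append(_net(m.group(1) or "0", m.group(2) or "0"))
    report = {}
    for s in map(ipaddress.ip_network, subnets):
        missing = []
        if not any(s.subnet_of(r) for r in routes):
            missing.append("route")
        if not any(i in pat_ids and any(s.subnet_of(n) for n in nets)
                   for i, nets in nats.items()):
            missing.append("nat/global")
        if acl and not any(s.subnet_of(p) for p in permits):
            missing.append("acl")
        report[str(s)] = missing
    return report
```

Calling `audit(SAMPLE_CONFIG, ["192.168.100.0/24", "172.16.20.0/24"])` reports the second subnet as missing all three pieces, which matches the situation where only one of the two server networks has been added to the ASA.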

laurabolda Sat, 07/10/2010 - 20:27

Thanks very much, Halijenn for your prompt response and assistance.  I will let you know the status next week.  Thanks.
