07-22-2012 08:52 AM - edited 03-11-2019 04:33 PM
Hello guys,
I have 3 VLANs on my Cisco switch:
VLAN 1 - 192.168.2.2
VLAN 2 - 192.168.10.2
VLAN 3 - 192.168.11.2
I have connected my switch to the ASA 5510 inside interface, which is in VLAN 1. My ASA inside interface IP is 192.168.2.1. So now I want to know how to route traffic destined to VLAN 2 and 3 on the ASA?
Previously I had a PIX firewall and I had these normal inside routes configured:
route inside 192.168.10.0 255.255.255.0 192.168.2.1 1
route inside 192.168.11.0 255.255.255.0 192.168.2.1 1
But on the ASA 5510 I cannot do it like this; when I try, it gives an error message saying that you cannot route to 192.168.2.1, the inside interface.
Please share your ideas.
07-22-2012 08:54 AM
It should be as follows:
route inside 192.168.10.0 255.255.255.0 192.168.2.2 1
route inside 192.168.11.0 255.255.255.0 192.168.2.2 1
You should route it to your switch IP address, as you can't route it to the ASA interface itself.
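The routing described in the reply above, laid out end to end as an added example (editor's illustration, not configuration posted by anyone in this thread). It assumes the addressing from the first post: ASA inside 192.168.2.1/24, the switch SVI 192.168.2.2 in VLAN 1, and the switch as the only router for 192.168.10.0/24 and 192.168.11.0/24. The SVI names, the host address 192.168.10.50 and the external address 198.51.100.10 used in the checks are assumed for illustration.

```cisco
! --- Layer-3 switch (IOS) --- the switch routes between its own VLANs
ip routing
interface Vlan1
 ip address 192.168.2.2 255.255.255.0
interface Vlan2
 ip address 192.168.10.2 255.255.255.0
interface Vlan3
 ip address 192.168.11.2 255.255.255.0
! anything the switch has no route for goes to the ASA inside interface;
! without this the ASA's routes below have no working reverse path
ip route 0.0.0.0 0.0.0.0 192.168.2.1

! --- ASA 5510 --- the next hop is the switch SVI, never the ASA's own interface address
route inside 192.168.10.0 255.255.255.0 192.168.2.2 1
route inside 192.168.11.0 255.255.255.0 192.168.2.2 1

! --- checks ---
! switch: reach the ASA from a VLAN 2 address; a reply proves the ASA has a route
! back to 192.168.10.0/24 via the SVI
ping 192.168.2.1 source 192.168.10.2
! ASA: both VLAN routes must appear as static ('S') entries via 192.168.2.2
show route
! ASA: simulate a VLAN 2 host going to the Internet; the trace must end with
! "Action: allow" and the egress interface must be outside
packet-tracer input inside tcp 192.168.10.50 1025 198.51.100.10 80
```

Note that with this design traffic between VLAN 1 and VLAN 2/3 is switched locally and never reaches the ASA, so it is neither filtered nor inspected; if those VLANs must be separated by the firewall, they have to terminate on ASA subinterfaces instead of on switch SVIs.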
07-22-2012 09:09 AM
I did this, but for some reason it slowed down my whole VLAN 1 (192.168.2.0) network. The network speed got slow, and when I wanted to access any server from within VLAN 1, sometimes I was able to access it and sometimes I could not, even though there was a ping reply; I could not access shared folders or remote sessions. I'm not 100% sure that the slow speed was due to the routing, but I could not find any other reason except the routing, because as soon as I connected my old PIX firewall back to the network, my VLAN 1 network speed was back to normal.
07-22-2012 10:28 AM
Hi Bro,
The advice provided by Jennifer Halim is correct. I would have advised the same thing too. Could you paste your latest show running-config here, so that everyone can advise you further?
P.S.: Paste the Cisco PIX config as well, so that we can see the config difference.
07-22-2012 12:44 PM
Hi Imran,
Proceed as Jennifer suggested. Once you replace the PIX with the ASA, try 'clear arp' on the switch or reboot the switch. That should fix the slowness issue (as long as the rest of the config and physical infrastructure is good).
hth
MS
07-26-2012 01:57 AM
Dear all, below is my ASA 5510 configuration output. Please see what is wrong. I restarted everything (the switch, the ASA, cleared ARP) but no result. When I connect the ASA to my network, it automatically slows down VLAN 1 only. Other VLANs can access VLAN 1 normally, but a host in VLAN 1 cannot access another host inside VLAN 1; after many retries they can access it. Please see what is wrong.
interface Ethernet0/0
nameif outside
security-level 0
ip address 202.86.17.246 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/1.4
vlan 4
nameif WIRELESS
security-level 94
ip address 192.168.101.1 255.255.255.0
!
interface Ethernet0/1.6
vlan 6
nameif GUEST
security-level 90
ip address 192.168.110.1 255.255.255.224
!
same-security-traffic permit intra-interface
object network NAT0
subnet 192.168.0.0 255.255.128.0
object network NAT0.1
subnet 192.168.2.0 255.255.255.0
object network NAT0.2
subnet 192.168.100.0 255.255.255.0
object network inside_any
subnet 0.0.0.0 0.0.0.0
object network guest_any
subnet 0.0.0.0 0.0.0.0
object network WIRELESS_any
subnet 0.0.0.0 0.0.0.0
mtu outside 1500
mtu inside 1500
mtu WIRELESS 1500
mtu GUEST 1500
mtu MPAISA-DMZ 1500
nat (inside,any) source static NAT0.1 NAT0.1 destination static NAT0 NAT0
nat (inside,any) source static NAT0.2 NAT0.2 destination static NAT0 NAT0
!
object network inside_any
nat (inside,outside) dynamic interface
object network guest_any
nat (GUEST,outside) dynamic interface
object network WIRELESS_any
nat (WIRELESS,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 202.86.17.245 1
route inside 192.168.100.0 255.255.255.0 192.168.2.250 1
route inside 192.168.101.192 255.255.255.240 192.168.2.250 1
route inside 192.168.102.0 255.255.255.224 192.168.2.250 1
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
inspect http
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:675eee6acc783964e9f064bc9158d5a0
: end
HQASA#
07-26-2012 02:43 AM
Please don't get confused. In my previous post I was using the old IPs for my VLANs, but in the last one, where I attached my ASA config, I have changed the VLAN IP addresses.
07-26-2012 07:16 AM
Hi Imran,
Still, your interface configuration and other configuration seem improper.
object network NAT0
subnet 192.168.0.0 255.255.128.0
object network NAT0.1
subnet 192.168.2.0 255.255.255.0
object network NAT0.2
subnet 192.168.100.0 255.255.255.0
nat (inside,any) source static NAT0.1 NAT0.1 destination static NAT0 NAT0
nat (inside,any) source static NAT0.2 NAT0.2 destination static NAT0 NAT0
Can you please explain what you are trying to do with the above statements?
Please do rate for the helpful posts.
By
Karthik
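A check for the two twice-NAT lines Karthik asks about, added here as an editor's example rather than any participant's advice. On the ASA, a static twice-NAT rule whose mapped interface is any makes the firewall answer ARP for the mapped addresses on every interface, including inside. Here NAT0.1 (192.168.2.0/24) is the inside subnet itself, so the ASA can answer the ARP requests that VLAN 1 hosts send for each other and win the race against the real host, which would produce exactly the intermittent intra-VLAN behaviour described in the thread. The thread does not confirm that this is the cause; the commands below test it. The assumed intent of the rules is to exempt traffic between the ASA's own interfaces from NAT; the host addresses 192.168.2.10 and 192.168.2.20 are assumed for illustration, and the no-proxy-arp and route-lookup keywords assume ASA 8.4(2) or later.

```cisco
! --- Test: is the ASA answering ARP for VLAN 1 hosts? ---
! 1. Note the MAC address of the inside interface
show interface Ethernet0/1
! 2. On a VLAN 1 host, flush the ARP cache, ping a VLAN 1 neighbour, then look at
!    the neighbour's ARP entry (Windows: arp -d * / ping 192.168.2.20 / arp -a;
!    Linux: ip neigh flush all / ping 192.168.2.20 / ip neigh). If the neighbour
!    shows up with the MAC from step 1, the ASA is proxy-ARPing on inside.
! 3. Show which NAT rule the ASA applies to host-to-host traffic inside VLAN 1;
!    the existing (inside,any) rule will be listed in the NAT phase of the trace
packet-tracer input inside tcp 192.168.2.10 1025 192.168.2.20 445

! --- Fix: replace the 'any' rules with per-interface rules that never proxy ARP ---
no nat (inside,any) source static NAT0.1 NAT0.1 destination static NAT0 NAT0
no nat (inside,any) source static NAT0.2 NAT0.2 destination static NAT0 NAT0
nat (inside,WIRELESS) source static NAT0.1 NAT0.1 destination static NAT0 NAT0 no-proxy-arp route-lookup
nat (inside,GUEST) source static NAT0.1 NAT0.1 destination static NAT0 NAT0 no-proxy-arp route-lookup
nat (inside,WIRELESS) source static NAT0.2 NAT0.2 destination static NAT0 NAT0 no-proxy-arp route-lookup
nat (inside,GUEST) source static NAT0.2 NAT0.2 destination static NAT0 NAT0 no-proxy-arp route-lookup
! verify: no remaining rule should list 'any' as the mapped interface
show nat detail
! then repeat step 2 on the VLAN 1 host: the neighbour must now resolve to its own MAC
```

route-lookup matters here because NAT0 (192.168.0.0/17) also covers networks the ASA reaches through inside via 192.168.2.250; without it, a rule whose mapped interface is WIRELESS or GUEST would force traffic to those networks out of the wrong interface. If the only goal of the rules was to keep inter-interface traffic un-NATted, note that the object NAT rule nat (inside,outside) dynamic interface in the posted config only applies to traffic leaving towards outside, so removing the two twice-NAT rules outright is the simplest test.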
07-26-2012 07:06 PM
Hi Bro
Could you issue the command show threat-detection shun and see if you have any IP address 192.168.2.XXX listed?
Perhaps this could be a host issue, not VLAN 1.