ASA 5510 Inside Routing

Imran Ahmad
Level 2

Hello Guys,

I have 3-VLANs on my cisco switch: 

VLAN1- 192.168.2.2

VLAN2- 192.168.10.2

VLAN3- 192.168.11.2

I have connected my switch to the ASA5510 inside interface, which is in VLAN1. My ASA inside interface IP is 192.168.2.1. So now I want to know how to route traffic destined to VLAN2 & 3 on the ASA?

Previously I had a PIX firewall, and I had these normal inside routes configured:

route inside 192.168.10.0 255.255.255.0 192.168.2.1 1

route inside 192.168.11.0 255.255.255.0 192.168.2.1 1

But on the ASA 5510 I cannot do it like this; when I try, it gives an error message saying that you cannot route to 192.168.2.1, the inside interface.

Please share your ideas.

8 Replies

Jennifer Halim
Cisco Employee

It should be as follows:

route inside 192.168.10.0 255.255.255.0 192.168.2.2 1

route inside 192.168.11.0 255.255.255.0 192.168.2.2 1

You should route to your switch IP address, as you can't route to the ASA interface itself.
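As an added illustration of the rule in this answer (not code from the thread or from Cisco), here is a small Python lint that parses ASA interface and static route lines and flags a route whose next hop is the ASA's own interface address, or whose next hop does not lie on that interface's subnet. The sample configuration is constructed from the addresses posted in the thread, and the function names are my own.

```python
"""Lint ASA static routes against interface addressing (added example)."""
import ipaddress
import re

# Constructed sample modelled on the thread: inside interface 192.168.2.1/24,
# one route pointing at the ASA's own inside IP (the rejected form) and one
# pointing at the switch IP 192.168.2.2 (the corrected form).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 202.86.17.246 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 202.86.17.245 1
route inside 192.168.10.0 255.255.255.0 192.168.2.1 1
route inside 192.168.11.0 255.255.255.0 192.168.2.2 1
"""

ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\d+))?")


def parse_interfaces(config):
    """Map each nameif to its configured IPv4 interface (address plus mask)."""
    ifaces = {}
    nameif = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None  # new block: forget the previous nameif
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            parts = line.split()
            if len(parts) >= 4:
                try:
                    ifaces[nameif] = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}")
                except ValueError:
                    pass  # e.g. "ip address dhcp": no static address to check
    return ifaces


def parse_routes(config):
    """Return (nameif, destination network, next hop, metric) for each route line."""
    routes = []
    for raw in config.splitlines():
        match = ROUTE_RE.match(raw.strip())
        if match:
            nameif, net, mask, gw, metric = match.groups()
            routes.append((nameif,
                           ipaddress.ip_network(f"{net}/{mask}", strict=False),
                           ipaddress.ip_address(gw),
                           int(metric or 1)))
    return routes


def lint_routes(config):
    """Return (destination, verdict) per route; 'ok' when the next hop is a valid neighbour."""
    ifaces = parse_interfaces(config)
    findings = []
    for nameif, dest, gw, _metric in parse_routes(config):
        iface = ifaces.get(nameif)
        if iface is None:
            verdict = f"unknown interface {nameif}"
        elif gw == iface.ip:
            # This is the case the ASA rejects: the next hop must be another
            # device on the segment (here, the switch), not the ASA itself.
            verdict = f"next hop is the ASA's own {nameif} address"
        elif gw not in iface.network:
            verdict = f"next hop {gw} not on {nameif} subnet {iface.network}"
        else:
            verdict = "ok"
        findings.append((str(dest), verdict))
    return findings


if __name__ == "__main__":
    for dest, verdict in lint_routes(SAMPLE_CONFIG):
        print(f"{dest:20} {verdict}")
```

Running the block prints one line per route; the 192.168.10.0/24 route is flagged because its next hop is the inside interface's own address, while the route via 192.168.2.2 passes.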

I did this, but for some reason it has slowed down my whole VLAN1 (192.168.2.0) network. The network speed got slow, and when I wanted to access any server from within VLAN-1, sometimes I was able to access it and sometimes I could not, even though there was a ping reply; I could not access shared folders or remote sessions. I'm not 100% sure that the slow speed was due to the routing, but I could not find any other reason except the routing, because when I connected my old PIX firewall back to the network, my VLAN-1 network speed was back to normal.

Hi Bro

The advice provided by Jennifer Halim is correct. I would have advised the same thing too. Could you paste your latest show running-config here, so that everyone here can advise you further?

P/S: Paste the Cisco PIX config as well, so that we can see the config difference.

Warm regards,
Ramraj Sivagnanam Sivajanam

Hi Imran,

Proceed as Jennifer suggested. Once you replace the PIX with the ASA, try 'clear arp' on the switch or reboot the switch. That should fix the slowness issue (as long as the rest of the config and the physical infrastructure is good).

hth

MS

Dear all, below is my ASA5510 configuration output. Please see what is wrong. I restarted everything: the switch, the ASA, clear arp... but no result. When I connect the ASA to my network, it automatically slows down VLAN-1 only. Other VLANs can access VLAN-1 normally, but a host from VLAN-1 cannot access another host inside VLAN-1. After many retries, they can access. Please see what is wrong.

interface Ethernet0/0
nameif outside
security-level 0
ip address 202.86.17.246 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/1.4
vlan 4
nameif WIRELESS
security-level 94
ip address 192.168.101.1 255.255.255.0
!
interface Ethernet0/1.6
vlan 6
nameif GUEST
security-level 90
ip address 192.168.110.1 255.255.255.224
!

same-security-traffic permit intra-interface

object network NAT0
subnet 192.168.0.0 255.255.128.0
object network NAT0.1
subnet 192.168.2.0 255.255.255.0
object network NAT0.2
subnet 192.168.100.0 255.255.255.0

object network inside_any
subnet 0.0.0.0 0.0.0.0
object network guest_any
subnet 0.0.0.0 0.0.0.0
object network WIRELESS_any
subnet 0.0.0.0 0.0.0.0


mtu outside 1500
mtu inside 1500
mtu WIRELESS 1500
mtu GUEST 1500
mtu MPAISA-DMZ 1500


nat (inside,any) source static NAT0.1 NAT0.1 destination static NAT0 NAT0
nat (inside,any) source static NAT0.2 NAT0.2 destination static NAT0 NAT0

!
object network inside_any
nat (inside,outside) dynamic interface
object network guest_any
nat (GUEST,outside) dynamic interface
object network WIRELESS_any
nat (WIRELESS,outside) dynamic interface


route outside 0.0.0.0 0.0.0.0 202.86.17.245 1
route inside 192.168.100.0 255.255.255.0 192.168.2.250 1
route inside 192.168.101.192 255.255.255.240 192.168.2.250 1
route inside 192.168.102.0 255.255.255.224 192.168.2.250 1

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect pptp
  inspect http
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:675eee6acc783964e9f064bc9158d5a0
: end

HQASA#

Please don't get confused. In my previous post I was using old IPs with my VLANs, but in the last one, where I attached my ASA config, I have changed the VLAN IP addresses.

Hi Imran,

Still, I see that your interface configuration and other configuration seem improper.

object network NAT0

subnet 192.168.0.0 255.255.128.0

object network NAT0.1

subnet 192.168.2.0 255.255.255.0

object network NAT0.2

subnet 192.168.100.0 255.255.255.0

nat (inside,any) source static NAT0.1 NAT0.1 destination static NAT0 NAT0

nat (inside,any) source static NAT0.2 NAT0.2 destination static NAT0 NAT0

Can you please explain what you are trying to do with the above statements?

Please do rate for the helpful posts.

By

Karthik

Hi Bro

Could you issue the command show threat-detection shun, and see if you have any IP address 192.168.2.XXX being listed?

Perhaps, this could be a host issue, not VLAN-1.

Warm regards,
Ramraj Sivagnanam Sivajanam