Hello, I am the admin for a small company. We host about 20 servers for development and internal applications, and 4 servers for web hosting and external application hosting for clients. I started here two years ago, and when I started we had one server and hardly any networking equipment at all. I was pretty new to Cisco, and after talking to some reps they talked us into getting an ASA5505 instead of a router. I have enjoyed learning about this device over the past year, but it's not exactly a perfect fit; I think what we really needed was a true router, but I have made it work thus far. Since we have started growing and adding servers so quickly we have moved to a larger office, and now I have the task of splitting the network and organizing everything for further growth. I thought this would be a simple task, but with the ASA I have not been able to get my networks to talk to each other correctly. What I want to do is pretty straightforward, but I have no access to a true router, nor do I have any layer 3 switches/managed switches, just plain ole dumb switches. Right now the ASA is handling all routing and VPN traffic, and without having to spend any money, I would like to split up my networks. I'm not very well versed in this area; I don't understand every aspect of subnetting, but reading about it hasn't really helped me much either.
What I want to do is, without using a VLAN: I have the 10.0.0.0 network, which is working fine, and 10.0.1.0 is VPN and is also working fine, but I want to add 10.0.2.0, and 3, 4 and 5 and so on as I need them. I have been able to add these and get everything to work, but for some reason I cannot access any of these networks from the 10.0.0.0 network, which might not be a big deal until I start moving things around; then it's going to be a headache. I am able to get on the internet with my test machines, and I am able to access servers and other resources on the 10.0.0.0 network from these, except my domain controller; I have not been able to get any machines to join the domain on 10.0.0.0 yet. However, I also cannot RDP to any server on the 10.0.5.0 network from the 10.0.0.0 network. It is resolving names from WINS and things like that, but there are still a few things that I'm missing. I have attached my current config and will be working on this until I get it figured out; please, any help you can give would be appreciated.
Your inside network according to the firewall config is 10.0.0.0/16 or is it supposed to be /24?
All belong in the same subnet.
There is no need for routes and there is no need for static(inside,inside) either.
You will have one big flat layer 2 network.
You mention all the switches are just layer 2 switches if so, which device is 10.0.1.1?
That device is supposed to do the routing.
The topology should look like this.
There is no need for the inside networks to come to the ASA to talk among themselves. The default route on the router should point to the ASA's inside interface IP address for all internet destined traffic.
The ASA isn't a true router, but it's all I've got since I was told it would work for us.
10.0.1.1 is the VPN gateway I assume, VPN users are able to use everything like normal. They connect and are assigned a 10.0.1.0 IP using DHCP.
Everything should be /24; I was messing around with some settings, not sure if I changed that or not. I can try to remove all that stuff from the ASA, but with all the traffic going through there, it seems like I need some kind of rules for it to route to the correct place. And how am I supposed to set up gateway addresses? It shouldn't be this hard.
I see now, I knew there had to be a way. That got me a step closer, I think, but I am still unable to communicate from the 10.0.0.0 network to the 10.0.5.0 network; I'm getting different errors depending on what I try. One is "portmap translation creation failed"; then, when I add NAT rules, I still get a SYN timeout. If I add a dynamic rule I get a NAT error as if nothing exists.
interface vlan 3
 nameif servers
 security-level 100
 ip address 10.0.5.1 255.255.255.0
! The trunk commands apply to a physical switch port, not to the VLAN interface;
! Ethernet0/1 below is a placeholder for whichever port carries the trunk.
interface Ethernet0/1
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,3
 switchport mode trunk
I added this to my config. I have licenses for 8 trunks, 20 VLANs, and unlimited DMZ.
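As an added example (not a config from this thread or from anyone posting in it), here is one way an ASA 5505 can route between the existing 10.0.0.0/24 segment and a new 10.0.5.0/24 segment while keeping the outside PAT intact. It assumes 8.2-style NAT syntax and a license that allows more than three VLANs; the interface names `inside` and `servers`, the port `Ethernet0/2`, the ACL names `NONAT` and `INSIDE_IN`, and the `.1` gateway addresses are placeholders chosen for the example.

```cisco
! Added example, not from the original thread. Placeholders: interface names,
! Ethernet0/2, ACL names NONAT and INSIDE_IN. Assumes ASA 8.2-style NAT.
!
! Existing inside segment
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! New segment; hosts on it use 10.0.5.1 as their default gateway
interface Vlan3
 nameif servers
 security-level 100
 ip address 10.0.5.1 255.255.255.0
!
! Put a switch port into the new VLAN (placeholder port; a trunk works too)
interface Ethernet0/2
 switchport access vlan 3
!
! Both segments are security-level 100; the ASA drops traffic between
! equal-level interfaces unless this is enabled
same-security-traffic permit inter-interface
!
! NAT exemption for the inside<->servers flows. Without it the flow tries to
! use the outside PAT rule and commonly fails with
! "portmap translation creation failed"
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 10.0.5.0 255.255.255.0
access-list NONAT extended permit ip 10.0.5.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (servers) 0 access-list NONAT
!
! Internet PAT stays as before; the new segment is added to the same pool
nat (inside) 1 0.0.0.0 0.0.0.0
nat (servers) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! No static routes are needed: both networks are directly connected.
! Optional segmentation: only RDP from inside to the server segment,
! everything else from inside still goes out to the internet.
access-list INSIDE_IN extended permit tcp 10.0.0.0 255.255.255.0 10.0.5.0 255.255.255.0 eq 3389
access-list INSIDE_IN extended deny ip any 10.0.5.0 255.255.255.0
access-list INSIDE_IN extended permit ip 10.0.0.0 255.255.255.0 any
access-group INSIDE_IN in interface inside
```

The two things that most often break inter-segment traffic on a 5505 are the missing `nameif`/`security-level` on the new VLAN interface and the absence of NAT exemption between the two inside-facing interfaces; the `same-security-traffic` line is the third. Once those are in place, the `INSIDE_IN` ACL is where you decide which protocols may cross between segments, which is the actual benefit of splitting the network rather than leaving it flat.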
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...