Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6068
Views
4
Helpful
45
Replies

Cannot ping interfaces

Go to solution
Roger Richards
Level 1
Level 1

‎11-19-2013 09:15 AM - edited ‎03-07-2019 04:40 PM

Ok.. Good day, I have an ASA 5510 and a 2921 -

My ASA is used for VPN and Internet

My 2921 is used to connect different subnets

I also have an attached diagram

I have a directly connected interface on 2921-10.10.10.1 to the ASA 10.10.10.2

Also on the 2921 i have a subnet 192.168.2.0 and 10.20.30.0

I have trunk link on my switch 2950 from the 2921... The ASA is aslo connected to the switch

on the ASA

Int0/0 66.xxx.xxx.xxx internet

Int0/1 10.20.60.2 - Gateway for computers

Int0/2 10.10.10.2 - connected to 2921

on the 2921

gig0/1 10.10.10.1 - connected to ASA

gig0/1.20 sub-if 192.168.2.1

gig0/1.30 sub-if 10.20.30.1

I have connected some static routes to get from 10.20.60.0 to 192.168.2.0

I cannot ping 10.10.10.2 from my PC

I cannot ping 10.20.60.2 from my 2921

I would appreciate any ideas for configuration help...  And redesign...

What cannot happen is for us to use the 2921 for vpn and internet..

Thanks,,, see image.

Labels:
Preview file
50 KB
0 Helpful
45 Replies 45

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to admiralrich

‎12-03-2013 11:04 AM

Roger

No problem. Can you post the configs of the 2921 and the ASA and i can then have a look and suggest how to reorganize it so all vlans are routed off the 2921 and the ASA is just for internet.

Note when you post remove any sensitive info from the ASA such as public IPs etc.

Jon

0 Helpful

Go to solution
admiralrich
Level 1
Level 1
In response to Jon Marshall

‎12-03-2013 12:04 PM

THIS IS THE ASA:

ciscoasa-stx# show run

: Saved

:

ASA Version 8.3(1)

!

hostname ciscoasa-stx

domain-name stt.vidol.gov

enable password lb70NCTEuCJ09Sct encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

nameif Vipowernet

security-level 0

ip address 66.xx.xx.xx  255.255.255.248

!

interface Ethernet0/1

nameif Inside

security-level 100

ip address 10.20.60.2 255.255.254.0

!

interface Ethernet0/2

shutdown

nameif Voice

security-level 100

no ip address

!

interface Ethernet0/3

nameif 2921

security-level 100

ip address 10.10.10.2 255.255.254.0

!

interface Management0/0

nameif management

security-level 100

ip address 10.20.80.100 255.255.255.0

!

boot system disk0:/asa831-k8.bin

ftp mode passive

clock timezone AST -4

dns domain-lookup Inside

dns server-group DefaultDNS

name-server 10.20.60.21

name-server 172.20.16.3

domain-name stt.vidol.gov

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network STT

subnet 172.20.16.0 255.255.255.0

description St. Thomas Office

object network A_66.xx.xx.xx.105

host 66.xx.xx.xx.105

object network PublicServer_NAT1

host 10.20.60.39

object service ClockLink

service tcp source eq 5074 destination eq 5074

description Clock Link Management Software

object network A_66.xx.xx.xx.107

host 66.xx.xx.xx.107

object service rdp

service tcp destination eq 3389

description Remote Desktop Protocol

object network VoIP-STT-Network

subnet 192.168.4.0 255.255.255.0

object network VoIP-STX-Network

subnet 192.168.2.0 255.255.255.0

object network STTNET

subnet 172.20.16.0 255.255.255.0

description STT NETWORK

object network STXET

subnet 10.20.60.0 255.255.254.0

description STX NETWORK

object network outside

host 66.xx.xx.xx.106

object network inside

host 10.20.60.2

object network Public-66.xx.xx.xx.108

host 66.xx.xx.xx.108

object service TCP8080

service tcp source eq 8080

object network VC_66.xx.xx.xx.109

host 66.xx.xx.xx.109

object network Clock82

host 10.20.61.82

object network Clock83

host 10.20.61.83

object network Clock81

host 10.20.61.81

object network Clocks

range 10.20.61.81 10.20.61.83

description Clocks

object network Polycom

host 10.20.60.8

object network PRTG

host 10.20.60.35

object network prtg1

host 10.20.60.35

object network Object_Clock81

host 10.20.61.81

object network Object_Clock_6401

host 10.20.61.81

object network Object_Clock_6402

host 10.20.61.82

object network Object_Clock_6403

host 10.20.61.83

object network Voice1

host 192.168.2.1

object-group network DM_INLINE_NETWORK_1

network-object host 172.20.21.4

network-object 172.20.16.0 255.255.255.0

network-object 192.168.4.0 255.255.255.0

object-group network DM_INLINE_NETWORK_2

network-object 10.20.60.0 255.255.254.0

network-object 192.168.2.0 255.255.255.0

object-group network DM_INLINE_NETWORK_3

network-object 10.20.60.0 255.255.254.0

network-object 192.168.2.0 255.255.255.0

object-group network DM_INLINE_NETWORK_4

network-object 10.20.60.0 255.255.254.0

network-object object VoIP-STX-Network

object-group network DM_INLINE_NETWORK_6

network-object object STT

network-object object VoIP-STT-Network

object-group network DM_INLINE_NETWORK_8

network-object host 125.210.221.172

network-object host 220.231.141.29

object-group service POLLY tcp

port-object eq h323

port-object eq sip

port-object eq 1731

port-object range 3230 3235

object-group service DM_INLINE_SERVICE_2

service-object tcp-udp destination eq domain

service-object tcp destination eq www

service-object tcp destination eq https

object-group service web tcp

port-object eq 8081

object-group network DM_INLINE_NETWORK_7

network-object host 10.20.61.81

network-object host 10.20.61.82

network-object host 10.20.61.83

object-group service ExtClkLnk tcp

port-object eq 5402

access-list Vipowernet_access_in extended deny ip object-group DM_INLINE_NETWORK_8 any inactive

access-list Vipowernet_access_in extended permit ip object-group DM_INLINE_NETWORK_3 any

access-list Vipowernet_access_in extended deny tcp any object PRTG eq 8081 inactive

access-list Vipowernet_access_in extended deny tcp any object Polycom eq www inactive

access-list Vipowernet_access_in extended permit tcp host 66.248.189.100 object-group DM_INLINE_NETWORK_7 eq 5402

access-list Vipowernet_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_NETWORK_1

access-list Inside_access_in extended permit ip object STXET object STTNET

access-list Inside_access_in extended permit ip host 10.20.61.1 any

access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_2 host 10.20.60.81 any

access-list Inside_access_in extended deny ip host 10.20.60.81 any

access-list Inside_access_in extended permit ip object-group DM_INLINE_NETWORK_4 any

access-list Inside_access_in extended permit ip any any

access-list Inside_access_in extended deny ip any any

access-list 2921_access_in extended permit ip any any log

access-list outside_1_cryptomap extended permit ip 10.20.60.0 255.255.254.0 172.20.16.0 255.255.255.0

access-list DOF extended permit ip any 172.20.2.0 255.255.255.0

access-list vidolas extended permit ip host 10.20.60.251 host 172.20.16.109

access-list vidolas extended permit ip host 172.20.16.109 host 10.20.60.251

access-list STX-STT extended permit ip object STXET object STTNET

access-list STX-STT extended permit ip object STTNET object STXET

access-list block extended deny ip host 23.15.5.113 any

access-list voice-to-lan extended permit ip 10.20.60.0 255.255.254.0 192.168.2.0 255.255.255.0

pager lines 24

logging enable

logging timestamp

logging trap notifications

logging asdm informational

logging host Inside 10.20.60.35

logging host Inside 172.20.16.87

logging permit-hostdown

mtu Vipowernet 1500

mtu Inside 1500

mtu Voice 1500

mtu 2921 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any Vipowernet

icmp permit any Inside

icmp permit any Voice

asdm image disk0:/asdm-631.bin

no asdm history enable

arp timeout 14400

nat (Inside,any) source static any any destination static DM_INLINE_NETWORK_6 DM_INLINE_NETWORK_6

!

object network obj_any

nat (management,Vipowernet) dynamic interface

object network Polycom

nat (Inside,Vipowernet) static 66.xx.xx.xx.108

object network prtg1

nat (Inside,Vipowernet) static 66.xx.xx.xx.109

object network Object_Clock_6401

nat (Inside,Vipowernet) static interface service tcp 5402 6401

object network Object_Clock_6402

nat (Inside,Vipowernet) static interface service tcp 5402 6402

object network Object_Clock_6403

nat (Inside,Vipowernet) static interface service tcp 5402 6403

!

nat (Inside,Vipowernet) after-auto source dynamic any interface

access-group Vipowernet_access_in in interface Vipowernet

access-group Inside_access_in in interface Inside

access-group 2921_access_in in interface 2921

route Vipowernet 0.0.0.0 0.0.0.0 66.xx.xx.xx.105 1

route 2921 10.20.30.0 255.255.254.0 10.10.10.1 1

route Inside 172.20.2.0 255.255.255.0 172.20.16.11 1

route 2921 192.168.2.0 255.255.255.0 10.10.10.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication telnet console LOCAL

aaa authorization command LOCAL

aaa authorization exec authentication-server

http server enable

http 192.168.1.0 255.255.255.0 management

http 10.20.60.0 255.255.254.0 Inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map Vipowernet_map0 1 match address Vipowernet_cryptomap

crypto map Vipowernet_map0 1 set peer 66.xx.xx.xxx.170

crypto  map Vipowernet_map0 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5  ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5  ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map Vipowernet_map0 interface Vipowernet

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set peer 66.xx.xx.xx.170

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto ca trustpoint ASDM_TrustPoint0

enrollment url http://stxdc3:80/certsrv

crl configure

crypto ca trustpoint ASDM_TrustPoint1

enrollment url http://stxdc3:80/CertSrv

crl configure

crypto ca trustpoint ASDM_TrustPoint2

enrollment url http://stxdc3:80/CertEnroll

crl configure

crypto ca trustpoint ASDM_TrustPoint3

enrollment url http://stxdc3:80/certsrv

crl configure

crypto ca trustpoint ASDM_TrustPoint4

enrollment terminal

crl configure

crypto isakmp enable Vipowernet

crypto isakmp enable Voice

crypto isakmp policy 5

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 15

authentication pre-share

encryption des

hash md5

group 2

lifetime 28800

telnet 172.20.16.0 255.255.255.0 Vipowernet

telnet 10.20.61.1 255.255.255.255 Inside

telnet 10.20.60.0 255.255.254.0 Inside

telnet 0.0.0.0 0.0.0.0 Inside

telnet 172.20.16.0 255.255.255.0 Inside

telnet timeout 30

ssh timeout 5

console timeout 0

management-access Inside

dhcpd auto_config management

!

dhcprelay timeout 60

threat-detection basic-threat

threat-detection statistics host number-of-rate 2

threat-detection statistics port number-of-rate 2

threat-detection statistics protocol number-of-rate 2

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 10.20.60.21 source Inside prefer

ntp server 172.20.16.3 source Inside

webvpn

username Admin password 44WTHkc9M2sg5m4p encrypted privilege 15

username Ruser1 password IrO5kN5XfPlLpQcH encrypted

tunnel-group 66.xx.xx.xx.170 type ipsec-l2l

tunnel-group 66.xx.xx.xx.170 ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect pptp

!

service-policy global_policy global

privilege cmd level 3 mode exec command perfmon

privilege cmd level 3 mode exec command ping

privilege cmd level 3 mode exec command who

privilege cmd level 3 mode exec command logging

privilege cmd level 3 mode exec command failover

privilege cmd level 3 mode exec command packet-tracer

privilege show level 5 mode exec command import

privilege show level 5 mode exec command running-config

privilege show level 3 mode exec command reload

privilege show level 3 mode exec command mode

privilege show level 3 mode exec command firewall

privilege show level 3 mode exec command asp

privilege show level 3 mode exec command cpu

privilege show level 3 mode exec command interface

privilege show level 3 mode exec command clock

privilege show level 3 mode exec command dns-hosts

privilege show level 3 mode exec command access-list

privilege show level 3 mode exec command logging

privilege show level 3 mode exec command vlan

privilege show level 3 mode exec command ip

privilege show level 3 mode exec command ipv6

privilege show level 3 mode exec command failover

privilege show level 3 mode exec command asdm

privilege show level 3 mode exec command arp

privilege show level 3 mode exec command route

privilege show level 3 mode exec command ospf

privilege show level 3 mode exec command aaa-server

privilege show level 3 mode exec command aaa

privilege show level 3 mode exec command eigrp

privilege show level 3 mode exec command crypto

privilege show level 3 mode exec command vpn-sessiondb

privilege show level 3 mode exec command ssh

privilege show level 3 mode exec command dhcpd

privilege show level 3 mode exec command vpn

privilege show level 3 mode exec command blocks

privilege show level 3 mode exec command wccp

privilege show level 3 mode exec command dynamic-filter

privilege show level 3 mode exec command webvpn

privilege show level 3 mode exec command module

privilege show level 3 mode exec command uauth

privilege show level 3 mode exec command compression

privilege show level 3 mode configure command interface

privilege show level 3 mode configure command clock

privilege show level 3 mode configure command access-list

privilege show level 3 mode configure command logging

privilege show level 3 mode configure command ip

privilege show level 3 mode configure command failover

privilege show level 5 mode configure command asdm

privilege show level 3 mode configure command arp

privilege show level 3 mode configure command route

privilege show level 3 mode configure command aaa-server

privilege show level 3 mode configure command aaa

privilege show level 3 mode configure command crypto

privilege show level 3 mode configure command ssh

privilege show level 3 mode configure command dhcpd

privilege show level 5 mode configure command privilege

privilege clear level 3 mode exec command dns-hosts

privilege clear level 3 mode exec command logging

privilege clear level 3 mode exec command arp

privilege clear level 3 mode exec command aaa-server

privilege clear level 3 mode exec command crypto

privilege clear level 3 mode exec command dynamic-filter

privilege cmd level 3 mode configure command failover

privilege clear level 3 mode configure command logging

privilege clear level 3 mode configure command arp

privilege clear level 3 mode configure command crypto

privilege clear level 3 mode configure command aaa-server

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

hpm topN enable

Cryptochecksum:b414a7744b28428be148e7c9b3083d67

THIS IS THE 2921

Labrstxrt1#show run

Building configuration...

Current configuration : 4023 bytes

!

! Last configuration change at 16:55:18 Caracas Fri Nov 29 2013 by ruser1

version 15.2

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Labrstxrt1

!

boot-start-marker

boot-end-marker

!

!

logging buffered 51200 warnings

enable secret 4 weG1bff8xq6vwYSaAhFlBe/uto9gzwL2MYg8LekeXp6

!

no aaa new-model

clock timezone Caracas -4 0

!

ip cef

!

!

!

!

!

!

ip domain name stt.vidol.gov

no ipv6 cef

!

multilink bundle-name authenticated

!

!

!

crypto pki trustpoint TP-self-signed-2781641347

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-2781641347

revocation-check none

rsakeypair TP-self-signed-2781641347

!

!

crypto pki certificate chain TP-self-signed-2781641347

certificate self-signed 01

3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030

31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

69666963 6174652D 32373831 36343133 3437301E 170D3133 30363135 30303433

35345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 37383136

34313334 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

8100CFAF D23E606C C51528EA 47F8028A 83570542 09EFCB1F 67410747 F0C94084

AF3129F7 2233EACD 98F1F99C 2BCEC5C3 7C19832B D4C913E0 FC0FF02D 9A4F3082

8F97FDAE C02F9D94 AA1152C0 EA825EE5 00571372 0E3C6C8E B3FD9457 E15F1192

563C3B11 1670F621 C683FCC6 A947E4B4 3220EA1E BC011FAC CC84E076 02C9F617

29D10203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603

551D2304 18301680 14FDB25B C1F42448 FF76D440 401C0CEE 9D852B3C DD301D06

03551D0E 04160414 FDB25BC1 F42448FF 76D44040 1C0CEE9D 852B3CDD 300D0609

2A864886 F70D0101 05050003 81810073 05C06429 C2397277 F4943DEB C59B996C

66E43213 1B7350EA FBAC44D1 BEF573BF 746B9B6C AE149735 4BBFC01A 93D385D8

8828787C 68585752 459A247C CD84DE74 F23C35C6 10115568 F2A08FEB 42546A2F

F4203FD7 EE8251FF 17B76913 8CCF5C4F 8062F788 9B087559 93C0305F 91E880A7

4C0F0662 9656D563 801B5A6E C804FA

       quit

license udi pid CISCO2921/K9 sn FTX1724AM2U

license boot module c2900 technology-package securityk9

!

!

object-group network Clock_6401

host 10.20.61.81

!

object-group network Clock_6402

host 10.20.61.82

!

object-group network Clock_6403

host 10.20.61.83

!

username ruser1 privilege 15 secret 4 AOt2ZJMSG0QC5a/jxOxI9WhUy2Z8zyuyGyQheOp0w2E

username Admin view root secret 4 56jyXs.RSLFQFX5Ebzwqm0eXTwHAtDmINcDLgnOqA16

!

redundancy

!

!

!

!

!

!

!

!

!

!

!

!

!

!

interface Embedded-Service-Engine0/0

no ip address

shutdown

!

interface GigabitEthernet0/0

description Internet$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$

no ip address

shutdown

duplex auto

speed auto

!

interface GigabitEthernet0/1

no ip address

duplex auto

speed auto

media-type rj45

!

interface GigabitEthernet0/1.10

description Data$ETH-LAN$

encapsulation dot1Q 10

ip address 10.20.60.1 255.255.254.0

ip helper-address 10.20.60.21

!

interface GigabitEthernet0/1.20

description VoiceVlan$ETH-LAN$

encapsulation dot1Q 20

ip address 192.168.2.1 255.255.255.0

ip helper-address 10.20.60.21

!

interface GigabitEthernet0/2

description Directly Connected to ASA$ETH-LAN$

ip address 10.10.10.1 255.255.254.0

duplex auto

speed auto

!

ip forward-protocol nd

!

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip route 172.20.16.0 255.255.255.0 10.10.10.2 permanent

ip route 192.168.4.0 255.255.255.0 10.10.10.2 permanent

!

!

!

!

control-plane

!

!

!

line con 0

login local

line aux 0

line 2

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

line vty 0 4

access-class 23 in

privilege level 15

login local

transport input telnet ssh

line vty 5 15

privilege level 15

login local

transport input telnet ssh

!

scheduler allocate 20000 1000

!

Thanks

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎12-03-2013 12:18 PM

Roger

Note that the ASA uses 8.3 code and that uses a completely different NAT than previous versions - are you comfortable with that NAT because i haven't used it before but i should be able to sort it out. Basically i think the easiest thing would be to simply reconnect the 2921 to the inside interface of the ASA but we would need to readdress the inside interface.

Anyway, lets do the router first. If you could answer the following -

1) you only have these routes on the router -

ip route 172.20.16.0 255.255.255.0 10.10.10.2 permanent

ip route 192.168.4.0 255.255.255.0 10.10.10.2 permanent

From your diagram i expected to see a default route so i'm not sure how 192.168.2.x clients get to the internet ?

2) Can you confirm that the only internal networks that need routing are -

10.20.60.0/24

192.168.2.0/24

If the 2) is correct then the only change we need to make on the router is to remove those 2 routes and simply add a default ie.

ip route 0.0.0.0 0.0.0.0 10.10.10.1   <-- which will be the new inside interface of the ASA

but i need both 1) and 2) answering first.

Also important to note you will need an outage to do this work and you have to do it all together so we also need to sort out the ASA.

Jon

0 Helpful

Go to solution
admiralrich
Level 1
Level 1
In response to Jon Marshall

‎12-03-2013 12:33 PM

OK...

1) Those address  are on the other side of the VPN. couldnt get to them from the 2921.

2) And Yes... only  two internal thats needs routing,, maybe more in the future..

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to admiralrich

‎12-03-2013 12:40 PM

Right, well that't the router sorted then. Once we have done all this the 192.168.2.x network will be able to get to the internet.

So it's just a question of sorting out the ASA.  Basically we need to have the inside interface readdressed to 10.10.10.2 and the 2921 interface on the ASA shutdown with no ip address.  I think it's a good idea to use the inside interfce because the NAT statements refer to that interface.

So you would need to reconnect the 2921 to the inside interface of the ASA and readdress.

But like i say i'm not familiar with the ASA NAT config so i need to have a look at it with the docs just to work out if there are any gotchas. How comfortable are you with the ASA config in terms of NAT ?

It's not that complicated it's just i can't give you an immediate answer unless you know it well.

Jon

0 Helpful

Go to solution
admiralrich
Level 1
Level 1
In response to Jon Marshall

‎12-03-2013 12:51 PM

I am somewhat familiar with it. 

Question, if you remove the  2921 interface and reconnect to the inside interface on the asa, what would happen to my Vlan 10 which is on my 10.20.60.0 network?

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to admiralrich

‎12-03-2013 01:01 PM

vlan 10 is going to be routed off the 2921 so the ASA does not need a connection to that network. So to get to the internet or VPN a 10.20.60.x client would send it's traffic to the 2921 as this is now it's default gateway (or it will be, can't remember whether we changed that or not). The 2921 has a default route pointing to the ASA so it will send the packets on to the ASA.

So if the clients are still using 10.20.60.2 as their default gateway that would need changing to 10.20.60.1 ie. the 2921.

Okay, so you know what needs doing. Bear in mind that you should probably reload the 2921 and ASA ot clear all caches and you may need to reboot the clients or clear their arp caches if they are still using 10.20.60.2 as the default gateway.

Do you want to me look at the ASA configs or are you comfortable with that.

On a more general note are you comfortable with all i've outlined because it is quite a big change ?

Jon

0 Helpful

Go to solution
admiralrich
Level 1
Level 1
In response to Jon Marshall

‎12-03-2013 04:01 PM

I am totally comfortable with the changes and I dont mind if you look at the configs...

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to admiralrich

‎12-03-2013 04:10 PM

Roger

Good to hear. I was only worried about the ASA because i know the old NAT very well but then Cisco had to go and change it and i've not go to use the new NAT yet.

But it should all be fine and it would then be much easier i think to add new subnets etc. in future.

Let me know how it goes and if you want/need a second pair of eyes on the config just post them here and i'll be happy to have a look.

Jon

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to admiralrich

‎12-03-2013 01:11 PM

Roger

Sorry, i forgot to mention we will need to add these routes to the ASA -

route inside 10.20.60.0 255.255.254.0 10.10.10.1

route inside 192.168.2.0 255.255.255.0 10.10.10.1

Jon

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to Jon Marshall

‎12-03-2013 01:42 PM

And obviously remove these routes -

route 2921 10.20.30.0 255.255.254.0 10.10.10.1 1

route Inside 172.20.2.0 255.255.255.0 172.20.16.11 1

route 2921 192.168.2.0 255.255.255.0 10.10.10.1 1

Jon

0 Helpful

Go to solution
Roger Richards
Level 1
Level 1
In response to Jon Marshall

‎12-09-2013 11:37 AM

Hey there, back again. Can I change my local network subnet instead of changing the interface? Just wondering if it would be easier instead of messing with the natting and stuff.

example; instead of using 10.20.60.0 on my local net, ill use 10.20.40.0 on vlan 10...

then and the necesarry routing.

route inside 10.20.40.0/23 10.10.10.1

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to Roger Richards

‎12-09-2013 01:01 PM

Roger

Whatever is easiest basically. But the inside interface on the ASA is not 10.10.10.2 so -

route inside 10.20.40.0/23 10.10.10.1

not sure how that would work.  I thought you were going to simply  move the 2921 connection on the ASA to the inside interface and then readdress that to 10.10.10.2. The NAT refers to "inside" so it just should work. 

I can't see any NAT statements that refer to the actual 10.20.60.2 address of the inside interface so changing it should not make a difference. And you simply shutdown the 2921 interface on the ASA.

The only reason i said it needed checking was just in case i missed something because i'm not that familiar with 8.3 NAT on the ASA.

Jon

0 Helpful

Go to solution
Roger Richards
Level 1
Level 1
In response to Jon Marshall

‎12-11-2013 12:12 PM

Jon, I made a mistake in that last post..Take a look at the changes.. Also dont pay attention to the routes shown. They were not changed from the previous setup...

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to Roger Richards

‎12-11-2013 12:18 PM

Roger

My understanding was that you wanted to use the 2921 to route the internal vlans ? If so there are quite a few points to clarify -

1) The ASA only has 2 routes via it's inside interface. This interface (inside) is now connected to the 2921 is that correct ?

The routes it has are for 10.20.60.0 which is directly connected and 172.16.20.0 which i think you said was just a test route.

So how is it going to get to the 2921 subnets ?

You need to add routes for vlans 10 and 20 pointing to 10.20.60.1.  Also your diagram shows a guest network (vlan 50) so you would need to add a route for that as well.

2) The 2921 only needs a default route pointing to the ASA. Why are all the routes pointing to 10.10.10.2 still there ?

3)  What do you mean when you say in the diagram "But there is no vlan 10 on the router" ?

Edit - okay, you have just updated post so the stuff about the routes does not apply. Can you answer point 3) though.

Jon

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card