Here is a link to the previous post to explain where we were. https://supportforums.cisco.com/message/4133793#4133793
I have an ASA 5510 and a 2921.
The ASA is used as VPN/firewall and internet.
The 2921 is used for inter-VLAN routing.
My primary scenario, take a look at the image: https://supportforums.cisco.com/servlet/JiveServlet/download/4096848-15371310/router_net.gif
My data network is 10.20.60.0
My Voice network is 192.168.2.0
The problem: with this setup, I cannot get the 192.168.2.0 network to browse the web. And I cannot access my voice mail server unless I use a 192 address.
Can you just clarify something.
In your existing setup you have on the ASA -
1) a connection from the ASA inside interface to the switch
2) a direct connection from the ASA to the 2921
Regarding 2), is that literally a cable that goes direct between the two devices? If it is, are the interfaces showing up/up on both devices?
And when you tried to move to the new setup, did you use the same cable as in 2) or did you use the cable in 1) to make the new connection?
Thanks for starting a new thread.
1 and 2 are correct in the existing setup, and regarding 2, yes.
In the new setup: the direct connection was moved to the inside interface on the ASA and the IP changed to 10.10.10.2.
The cable was removed from ASA to switch.
When changed, computers cannot browse the web.
Okay, I thought it might be an issue with the cable, i.e. straight-through vs crossover.
When you tried to browse the web, did you check that the interfaces on the 2921 and the ASA were both up?
As long as the routes were added, i.e. the default route on the 2921 to the ASA inside interface and routes on the ASA pointing back to the 2921, then it should have worked.
If it is not the cable then the only other things I can think of are -
1) the default gateway on the PCs is not set correctly, but then the PCs in different VLANs would not be able to talk to each other.
In your diagram you say the gateway for the internet is now 10.10.10.2. But that is only on the router, i.e. the default route. The PCs should have their default gateways set to the respective subinterface IP on the 2921 - is this how you did it?
2) some misconfiguration on your ASA.
In addition you say you cannot get to the voice server unless you use a 192.168.x.x address. What subnet is the voice server on?
Did you manage to save the configs when you did the upgrade or are you back to where you were before without the configs?
I am back to the original config.
Yes, interfaces were both up on ASA and 2921.
Yes, the 10.10.10.2 is only on the ASA and the PCs are using their respective gateways.
Let me correct that with the voice server. I can get to it, sorry for the confusion. All the inter-VLAN routing works once I change my gw address to 10.20.60.1. Just can't get to internet and the network on the other side of the VPN.
Assuming the default route was set on the 2921 it looks like there may be an issue with the ASA config then. Can you remember the exact changes you made on the ASA and can you post the current config of the ASA ?
The only changes I made to the ASA:
1.) Change the inside interface to 10.10.10.2
2.) Moved the cable to the inside interface of the ASA
Added the necessary routes in ASA. (basically all the sub-ifs from the 2921)
I still can't see anything wrong. You have a dynamic NAT statement for the inside interface which should still apply and your ACLs permit ip any any so that should not stop traffic.
I'm assuming you cleared the ARP tables on the 2921 and ASA when you did the change?
The only thing I can suggest is to try again but this time -
Before making the changes -
1) do a "sh ip arp" on the 2921 and a "sh arp" on the ASA and save them.
make the changes and then
2) make a copy of all the configs as you are testing and then post them
3) do the arp commands in 1) and save them
4) post a "sh ip route" from the 2921 and a "sh route" from the ASA
5) do a traceroute to an internet site from a client and see where it gets to
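The before/after ARP comparison from steps 1) and 3) above, as an added example that is not part of the original thread. The captures, MAC addresses, interface names and the function names `parse_arp` and `diff_arp` are constructed for illustration, and the column layouts are assumed to be the usual IOS `sh ip arp` and ASA `sh arp` output.

```python
import re

# Matches one ARP entry: IP, optional age column (IOS), then MAC or "Incomplete".
ENTRY = re.compile(
    r"\b(\d{1,3}(?:\.\d{1,3}){3})\b[ \t]+(?:\S+[ \t]+)?"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}|incomplete)", re.I)

def parse_arp(text):
    """Return {ip: mac} from saved 'sh ip arp' (IOS) or 'sh arp' (ASA) output."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.search(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def diff_arp(before, after):
    """Compare two captures taken before and after the cabling/IP change."""
    b, a = parse_arp(before), parse_arp(after)
    return {
        # Same IP, different MAC: another device answers now, or an entry is stale.
        "changed": {ip: (b[ip], a[ip]) for ip in sorted(b.keys() & a.keys())
                    if b[ip] != a[ip] and "incomplete" not in (b[ip], a[ip])},
        "gone": sorted(b.keys() - a.keys()),
        "new": sorted(a.keys() - b.keys()),
        # ARP request sent but never answered: check cable, VLAN, interface IP.
        "incomplete": sorted(ip for ip, mac in a.items() if mac == "incomplete"),
    }

# Constructed sample captures from the 2921 (MACs and interface names are made up).
BEFORE = """\
Protocol  Address       Age (min)  Hardware Addr   Type  Interface
Internet  10.20.60.1         -     aaaa.bbbb.0001  ARPA  GigabitEthernet0/0.60
Internet  10.20.60.5        12     aaaa.bbbb.0105  ARPA  GigabitEthernet0/0.60
Internet  192.168.2.10       7     aaaa.bbbb.0210  ARPA  GigabitEthernet0/0.2
"""
AFTER = """\
Protocol  Address       Age (min)  Hardware Addr   Type  Interface
Internet  10.10.10.1         -     aaaa.bbbb.0002  ARPA  GigabitEthernet0/1
Internet  10.10.10.2         0     Incomplete      ARPA
Internet  10.20.60.1         -     aaaa.bbbb.0001  ARPA  GigabitEthernet0/0.60
Internet  10.20.60.5         2     aaaa.bbbb.0999  ARPA  GigabitEthernet0/0.60
"""

if __name__ == "__main__":
    for kind, entries in diff_arp(BEFORE, AFTER).items():
        print(f"{kind}: {entries}")
```

An `incomplete` entry for the next hop (here 10.10.10.2) points at layer 2 or addressing rather than at routing or NAT on the ASA.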
WORKED!!! I did the exact same things as before :/ ..
I just made sure I changed the gateway on the DNS servers too. That's the only thing I believe was different... I can access everything as normal, but faster...
Jon, thanks for all your help.
Got another issue: I made these changes on the other side of the VPN. Same router scenario and setup. But now I can't manage either VPN device. I will start another thread.
My ASA is 10.10.10.2, 2921 is 10.10.10.1
the other side of the VPN was 172.20.16.11 - (used to manage it until after the change)
Now the other side is 10.10.20.2
other side 2921 10.10.20.1 -
I know it's simple but I just can't figure it out.
Apologies for not responding to this thread, I was busy yesterday so I suggested opening a new one so you might get help from others as I didn't have time to look at it.
Not so busy today and your setup is still fairly fresh in my mind, so can you perhaps explain how it used to work, what you did before and what isn't working now, i.e.
what IP are you coming from and what IP are you going to?
is the VPN tunnel not working or is it just you don't have a particular kind of access?
New thread link...
The IPs coming from are 10.20.60.0 to manage the ASA on the other side of the VPN, 10.10.20.2,
and the opposite site coming from 172.20.16.0 to manage the ASA on the other side, 10.10.10.2.
Everything else is working fine. I just can't manage the ASA from the opposing sides.