
New Member

Unsure on how to configure static routes properly

This is a newb question from a routing newb, but I'm not sure how to properly set up specific static routes using a new 1921 CLI.
The client network is 192.168.1.0, the current gateway is 192.168.1.1 (inside interface of ASA).
I now need to put the 1921 between, and also route the 192.168.1.0 network to the 192.168.100.0 data center network.
So in short I need to route traffic between the 192.168.1.0 and 192.168.100.0 networks and both of these networks need to reach the Internet through the ASA.

How do I accomplish this? Sorry for the junior question, I'm still learning

Peter


Sent from Cisco Technical Support Android App


20 REPLIES
New Member

Unsure on how to configure static routes properly

What is the connection to the 192.168.100.0 network?

Hall of Fame Super Blue

Unsure on how to configure static routes properly

Pete

It's not clear how the network is laid out so it's difficult to provide an answer.

Can you provide a quick diagram showing how things are connected up and where the DC connection is, in relation to the new router.

Because you are putting the 1921 between the 192.168.1.x subnet and the ASA is it safe to assume you are going to readdress the inside interface of the ASA ?

Jon

New Member

Unsure on how to configure static routes properly

Thanks for your reply, sorry I wasn't so clear in my first post. The 1941 is not yet implemented, but this is how we'd like to place it. The link to the Data Center is a transparent LAN service.

New Member

Unsure on how to configure static routes properly

Why not use a sub interface on the ASA to route to the data centre VLAN?

For example on the third port create the 3.12 subinterface with the ip of 192.168.100.254, then route the internal network through there.

Hall of Fame Super Blue

Unsure on how to configure static routes properly

Pete

Couple of questions / points -

1) The interface on the 1921 that connects to the DC - is that going to have a 192.168.100.x address i.e. is the 1921 going to route for the DC servers as well ?

2) Are you adding another interface to the 1921 as it only comes with two inbuilt interfaces ?

3) You can't have the same vlan/IP subnet on two interfaces of the router (unless you bridge and there is no need here). So if 192.168.1.x is for the clients then you need to use a different subnet to connect the ASA to the router. They cannot be the same subnet. This means either -

a) using a different subnet for the clients

or

b) readdressing the ASA inside interface

As Brad says, an alternative is to use a subinterface on the ASA and not use the router at all but unless you have strict security requirements I generally don't like using ASAs as routers.

Can you please answer the above and then we can provide the routing details you need.

Jon

New Member

Unsure on how to configure static routes properly

Brad: We don't want to overload the ASA with routing.

Jon:

1. - Yes, the 1921 would route for the DC servers as well.

2. - Is there a way we can do it without purchasing more hardware or expansion cards? Can't we do subinterfaces like Brad suggested only on the 1921?

3. readdressing the ASA inside interface would be the least disruptive for us.

Peter

Hall of Fame Super Blue

Unsure on how to configure static routes properly

Peter

You can use subinterfaces on one of the 1921 inbuilt interfaces yes but you then need to be aware you are sharing the bandwidth of the interface with multiple vlans. So you need to decide which two vlans/IP subnets you want on one interface.

If you are happy to readdress the ASA inside interface then choose an unused subnet for the 1921 to ASA link and configure the new addressing on both the 1921 interface (or subinterface) and the ASA. Your routing would then be -

1921

====

ip route 0.0.0.0 0.0.0.0  

ASA

====

route inside 192.168.1.0 255.255.255.0 <1921 interface/subinterface IP>   <-- this is the new IP you have configured for the 1921 to ASA connection

route inside 192.168.100.0 255.255.255.0 <1921 interface/subinterface IP>

I'm assuming you already have a default route for the ASA pointing upstream to the ISP.

One last point. Depending on the amount of traffic between the client vlan and the DC + the general internet traffic you may find that a future upgrade would be a L3 switch in place of the router as L3 switches have much greater throughput than an equivalent cost router but at the expense of not having such a rich feature set e.g. most switches don't support NAT, have a limited QoS toolset compared with routers etc.

It all depends on whether you need the additional features of the router and whether your router can handle the traffic load. Just something worth bearing in mind.

Jon

New Member

Re:Unsure on how to configure static routes properly

Jon, Brad,

Thanks for your replies.

I've been away from work unexpectedly for a while, but I am back to working on this now.
We actually have a layer 3 switch, and I am having a tough time with the routing configuration still.
I have enabled routing,
Vlan 1 IP is 192.168.1.254
Vlan 4 IP is 192.168.4.254
Vlan 100 IP is 192.168.100.254

I've created a static route 0.0.0.0 0.0.0.0 192.168.4.1

I can ping both above Vlan IPs from the PCs on the network. Now I want to change the inside interface of the ASA from 192.168.1.1 to 192.168.4.1, but the inside interface where all the rules are applied is the physical interface, using the native Vlan 1, not a sub-interface.
The native Vlan for the network is the default 1. If I create a sub-interface on the ASA of 1.4 for Vlan 4, I guess it would work, but there has to be an easier way. I don't want to mess around with the ASA very much.
The switch port connected to the inside interface of the ASA is trunking NN, vlans 1 and 4.

Peter



Sent from Cisco Technical Support Android App

Hall of Fame Super Blue

Re:Unsure on how to configure static routes properly

Pete

Where do you want to route between vlans i.e. is it on the ASA or do you want to route between vlans on the L3 switch and just use the firewall for internet access ?

If you want to route on the L3 switch then there is no need for a trunk to the ASA. If you want to route on the ASA then you probably will need to create subinterfaces on the ASA.

So before we try and help with any configuration we need to know where you want to route the vlans within your network ?

Jon

New Member

Re:Unsure on how to configure static routes properly

Jon,

All vlan routing would take place behind the inside interface Gig0/1. So even if I assign Gig0/1's switchport on the switch as access, and have no subinterfaces on the ASA's port, wouldn't the ASA be expecting traffic on the connected switch's native vlan 1?

Or can I change the switchport's native vlan to 4 and have it untag all traffic from vlan 4 and send it to the ASA?

Thanks again,

Peter



Sent from Cisco Technical Support Android App

Hall of Fame Super Blue

Re: Unsure on how to configure static routes properly

Peter

All vlan routing would take place behind the inside interface Gig0/1

You say you want to route between 192.168.1.0/24 and 192.168.100.0/24. Can you clarify where you want this routing to take place i.e. on the L3 switch or the ASA ?

If it is the ASA then you either need -

1) an interface per vlan

or

2) if you don't have a spare interface you need to use subinterfaces

The native vlan doesn't come into this i.e. you have two separate subnets and you want to route between them so you need two layer 3 interfaces (or subinterfaces) on the ASA.

Alternatively you could route between the vlans on the L3 switch and then only use a single interface on the ASA. In this setup traffic going to the ASA is only for internet i.e. it is not used for inter vlan routing. It would mean less complication on the ASA but you would not be firewalling between the DC and the local LAN.

Is it a requirement to firewall between vlans ?

Jon

New Member

Re:Unsure on how to configure static routes properly

Jon,

No firewall would be needed between the internal vlan networks. I want to do all routing via the L3 switch, only using the inside interface of the ASA for Internet traffic.
My problem is that our main production network is the native Vlan 1 as is the inside interface of the ASA. I have created a vlan for use in between the switch stack and the ASA. Is there a way of making this work without having to change my production vlan 1 (major upset) or rebuilding my ASA on a subinterface?
I have all the vlan routing defined on the L3 switch, and everything is working except the Internet. Currently users use the 192.168.1.1 inside interface as their gateway. I was hoping to change the IP and default vlan of the inside interface, but it looks like it only uses the native vlan untagged, with other vlans only via subinterfaces?

Peter


Sent from Cisco Technical Support Android App

Hall of Fame Super Blue

Re:Unsure on how to configure static routes properly

Pete

It is a good idea to have a dedicated vlan for connecting the L3 switch to the ASA and it sounds like that is what you are trying to do.

Unfortunately what you would need to do is readdress your inside interface on the ASA to the new vlan 4 IP subnet. This may not be an issue because NAT/access lists refer to the interface name and not the IP address although you would need to go through the ASA config to make sure.

If you only use vlan 4 to connect the L3 switch to the ASA then you simply assign the L3 switchport into vlan 4 and the ASA simply receives untagged packets i.e. the connection between the switch and ASA is not a trunk link so the native vlan does not come into it.

Does this make sense ?

Jon

New Member

Re:Unsure on how to configure static routes properly

Yes it makes sense except for changing the vlan for the inside interface of the ASA. The only option I seem to have is "native".
It seems that I would have to create a subinterface 1.4 for vlan 4, and then change my NAT and rules to this new one?

Peter


Sent from Cisco Technical Support Android App

Hall of Fame Super Blue

Unsure on how to configure static routes properly

Peter

I'm not sure what you mean about the "native" option. You certainly don't need to create a subinterface. Subinterfaces would be used if the connection from the switch was a trunk link (as would the native option). But you don't need a trunk link i.e. on the switch the port connecting to the ASA the configuration would be -

int gi0/0
switchport mode access
switchport access vlan 4

A port in access mode does not send any tagged packets i.e. they are all untagged. So then all you would need to do is change the IP of the ASA inside interface to an IP from the subnet used for vlan 4.

If this is still not clear can you perhaps post the config you are unsure of ?

Jon

New Member

Unsure on how to configure static routes properly

Any update on this? I have a similar setup that I set up a while ago and it works well, so it's fresh in my mind.

New Member

Re:Unsure on how to configure static routes properly

Jon, Brad,

Thanks for your help so far.
Jon, I'd tried access and trunking to the inside of the ASA before with no joy. I've now tried placing a laptop on another port on the same switch as the ASA is plugged into. I statically assigned it 192.168.4.5, and from here I can ping the inside of the ASA. Ports are configured identically, on same vlan. The local vlan interface on the L3 switch is the gateway in all cases.
From the domain network, I can ping the laptop that is on the remote subnet, but not the ASA on that same subnet.
ICMP is enabled on the inside interface.

Peter


Sent from Cisco Technical Support Android App

New Member

Unsure on how to configure static routes properly

Pete,

Do you have a return route defined on the ASA?

I would enable logging on the inside interface, and try pinging the ASA again from your domain network and watch what is logged. I don't think the ASA is blocking ICMP as you said you can get through with the laptop on the same vlan. If you then see traffic going in, but there is no reply, then see if the ASA knows about the domain network on the other side of the router.

Brad

New Member

Unsure on how to configure static routes properly

You know what guys? I had no route from the ASA back to the L3 switch. I was looking at the laptop config just a few mins ago, and it had the L3 switch on VLAN 4 as its default gateway.

I created a static route on the ASA inside interface via the L3 switch's VLAN 4 interface of 192.168.4.254 to get it to the 192.168.1.x domain network, and now the ping test works.

Domain clients with the L3 switch as the default gateway can now get to the Internet, and to the data center network.

Thank you both for all of your help. I understand a little more now.

Peter
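
The fix Peter describes (the ASA had no route back to 192.168.1.x, so replies followed its default route toward the ISP) and the routes Jon listed earlier (192.168.1.0 and 192.168.100.0 via the switch's VLAN 4 address) can be checked with a small longest-prefix-match model of the two routing tables. This is an added example written for this thread, not config or code from Cisco or from any poster; the subnets and the 192.168.4.254 / 192.168.4.1 addresses are the ones given in the thread, while the ISP next hop 203.0.113.1 is a constructed placeholder.

```python
"""Longest-prefix-match walk-through of the thread's topology (added example).

Models the L3 switch and the ASA as route tables and shows why an ICMP reply
to a 192.168.1.x client leaves the ASA on the wrong interface until a return
route via the switch's VLAN 4 SVI (192.168.4.254) is added.
"""
import ipaddress

# Each route: (prefix, next hop or "connected", egress interface)
# L3 switch: three SVIs plus the default route Peter configured.
SWITCH = [
    ("192.168.1.0/24", "connected", "Vlan1"),
    ("192.168.4.0/24", "connected", "Vlan4"),
    ("192.168.100.0/24", "connected", "Vlan100"),
    ("0.0.0.0/0", "192.168.4.1", "Vlan4"),       # ASA inside after readdressing
]

# ASA before the fix: only the readdressed inside subnet and a default route.
# 203.0.113.1 is a constructed placeholder for the ISP next hop.
ASA_BEFORE = [
    ("192.168.4.0/24", "connected", "inside"),
    ("0.0.0.0/0", "203.0.113.1", "outside"),
]

# ASA after adding the two return routes Jon listed, pointing at the switch.
ASA_AFTER = ASA_BEFORE + [
    ("192.168.1.0/24", "192.168.4.254", "inside"),
    ("192.168.100.0/24", "192.168.4.254", "inside"),
]


def lookup(table, dst):
    """Return (network, next_hop, iface) for the most specific matching route.

    Longest prefix wins, exactly as a router's FIB behaves; the 0.0.0.0/0
    default only matches when nothing more specific does.
    """
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best


def round_trip(asa_table, client, dst):
    """Trace a client -> dst packet through switch and ASA, then the ASA's reply.

    'symmetric' is True only when the ASA sends the reply back through the
    inside interface; otherwise the reply heads for the ISP and the client
    never sees it, which is the ping failure Peter observed.
    """
    fwd_switch = lookup(SWITCH, dst)
    fwd_asa = lookup(asa_table, dst)
    reply_asa = lookup(asa_table, client)
    return {
        "switch_out": fwd_switch[2],
        "asa_out": fwd_asa[2],
        "asa_reply_out": reply_asa[2],
        "asa_reply_next_hop": reply_asa[1],
        "symmetric": reply_asa[2] == "inside",
    }


if __name__ == "__main__":
    for label, table in (("before", ASA_BEFORE), ("after", ASA_AFTER)):
        print(label, round_trip(table, "192.168.1.50", "8.8.8.8"))
```

The `before` run shows the reply leaving on `outside`; the `after` run shows it returning via `inside` with next hop 192.168.4.254, which is the route Peter ended up adding. The same lookup applied to the 192.168.100.0/24 DC subnet explains Brad's final remark: without the second route, DC hosts get the identical asymmetric result.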

New Member

Unsure on how to configure static routes properly

You also may want to create an additional static route on the ASA to allow Internet traffic back to the datacenter subnet, unless you already have Internet access there.
