Confused and need some advice

crash5050
Level 1

I am attaching a basic diagram of what I am trying to do, but I will try and explain in detail in the post.

I have an AT&T Router that is my gateway to the internet, I have no access to it.  I do have the inside IP address of it which is on my private LAN.  Just for shiggles we will call it 10.25.240.1 255.255.248.0.  That is my gateway address for all of my current devices.

I have this shiny new ASA that I want to throw in there to eliminate a Proventia and a Sidewinder.

The diagram shows two stacks, these are my virtual server clusters with 3560X switches with the VLANs configured, and several more switches all configured with VLAN 832, connected to a 2950, which is connected to my internal 2600 router.  I have 4 VLANs running on 4 different IP ranges, all controlled by the internal router, with only one VLAN, let's say 832, that is trunked to the outside world.  That VLAN has the 172.16.1.x 255.255.0.0 network attached to it.  All is well, and traffic is routing behind the internal router, but I cannot seem to figure out how to get the traffic to pass thru the ASA.

Gateway 10.25.240.1

Outside of the ASA 10.25.240.25

Inside of the ASA 172.16.1.25

Eth0/0 on the router 172.16.1.1

Eth0/0.1 on the router 172.16.1.2 832

Encapsulation is dot1q

This might be just a bunch of babble, if you need more information just let me know what to throw at you.

Crash

18 Replies

I did a write erase reload, then factory-default so it is new again.  I am about to apply this config.  Is it right?

! outside interface, facing the AT&T gateway (nameif outside gets security-level 0 by default)
int eth0/0
ip address 10.25.240.248 255.255.255.0
nameif outside
no shut

! inside interface, facing the LAN (nameif inside gets security-level 100 by default)
! ASA interfaces are admin-down after a factory reset, so the inside needs no shut as well
int eth0/1
ip address 10.25.241.25 255.255.255.0
nameif inside
no shut

! PAT every inside source behind the outside interface address (pre-8.3 NAT syntax)
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
! default route toward the AT&T gateway
route outside 0.0.0.0 0.0.0.0 10.25.240.1 1
! temporary: allow any ICMP in from outside for ping testing, tighten once traffic flows
access-list out_in permit icmp any any
access-group out_in in interface outside
icmp permit any inside
logging enable
logging buffered 7

! packet captures on both interfaces, limited to the test host and the gateway
access-list cap permit ip host 10.25.241.2 host 10.25.240.1
access-list cap permit ip host 10.25.240.1 host 10.25.241.2
access-list cap permit ip host 10.25.240.25 host 10.25.240.1
access-list cap permit ip host 10.25.240.1 host 10.25.240.25
cap capin access-list cap interface inside
cap capo access-list cap interface outside
debug icmp trace

I applied that config, and it works now.  See, the BFH route always works!!

Wow ...... I have started believing it too, great work .... let me know if you get stuck anywhere.....

-Varun

Thanks,
Varun Rao

Okie dokie.  What I have now is PC <-->(inside)<-->outside<-->Internet

what I need to have is

PC<--->Switch<-->Router<--->ASA<---> Internet

The tools we have to work with, a 3560X Switch and a 2600 Cisco

What I have done, I have configured Router on a stick with all 4 of my VLANs that I need, assigned IP addresses on eth0/0.x respectively.  Set encapsulation to dot1q, and did no shut on all of the sub interfaces (see attached file).  Set the switch ports up with trunking and access.  When I plug 10.25.241.2 up on the 804 VLAN, all I can ping is my router sub, nothing past.  sh ip route shows gateway of last resort not set, with no connected networks.  Do I need OSPF on a connected network?  Then there is a question of physical layer, does the ASA plug into the switch (my 1st choice) or the router?
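As an added example (not from this thread, and not an answer any participant gave), here is one way to wire the PC<-->Switch<-->Router<-->ASA<-->Internet topology so the router's gateway of last resort is the ASA inside address and the ASA has routes back to the VLAN subnets behind the router; without those two pieces, replies from the internet are dropped at the ASA. It assumes the ASA inside port sits on a switch access port in the untagged (native) VLAN of the router trunk, so it shares 10.25.241.0/24 with the router's physical Ethernet0/0, and the 172.17.1.0/24 subnet for VLAN 804 is constructed.

```cisco
! --- Internal 2600 router (IOS), router-on-a-stick toward the switch ---
! Ethernet0/0 untagged = transit link to the ASA; VLAN subnets on sub-interfaces.
interface Ethernet0/0
 description transit to ASA inside
 ip address 10.25.241.1 255.255.255.0
 no shutdown
interface Ethernet0/0.832
 encapsulation dot1Q 832
 ip address 172.16.1.1 255.255.0.0
interface Ethernet0/0.804
 encapsulation dot1Q 804
 ! constructed subnet for VLAN 804
 ip address 172.17.1.1 255.255.255.0
! Gateway of last resort: anything not connected goes to the ASA inside address.
ip route 0.0.0.0 0.0.0.0 10.25.241.25
!
! --- ASA (pre-8.3 NAT syntax, same addressing as the working config above) ---
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.25.240.248 255.255.255.0
 no shutdown
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.25.241.25 255.255.255.0
 no shutdown
! The ASA only sees 10.25.241.0/24 as connected; tell it the VLAN subnets
! live behind the router, otherwise return traffic has no inside route.
route outside 0.0.0.0 0.0.0.0 10.25.240.1 1
route inside 172.16.0.0 255.255.0.0 10.25.241.1 1
route inside 172.17.1.0 255.255.255.0 10.25.241.1 1
! PAT every inside-routed source (including the VLAN subnets) to the outside address.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
! Outside ACL: only the ICMP replies needed for ping/traceroute, nothing else inbound.
access-list out_in permit icmp any any echo-reply
access-list out_in permit icmp any any time-exceeded
access-list out_in permit icmp any any unreachable
access-group out_in in interface outside
```

A PC in VLAN 804 should then take an address from 172.17.1.0/24 (not 10.25.241.x, which is the transit subnet) with 172.17.1.1 as its gateway; `show route` on the ASA should list the two inside routes and `sh ip route` on the router should show the gateway of last resort as 10.25.241.25.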
