07-19-2011 07:04 AM - edited 03-11-2019 02:00 PM
I am attaching a basic diagram of what I am trying to do, but I will try and explain in detail in the post.
I have an AT&T Router that is my gateway to the internet, I have no access to it. I do have the inside ip address of it which is on my private LAN. Just for shiggles we will call it 10.25.240.1 255.255.248.0. That is my gateway address for all of my current devices.
I have this shiny new ASA that I want to throw in there to eliminate a proventia and a sidewinder.
The diagram shows two stacks, these are my virtual server clusters with 3560X switches with the vlans configured, and several more switches all configured with vlan 832, connected to a 2950, which is connected to my internal 2600 router. I have 4 Vlans running on 4 different ip ranges, all controlled by the internal router, with only one vlan, let's say 832, that is trunked to the outside world. That vlan has the 172.16.1.x 255.255.0.0 network attached to it. All is well, and traffic is routing behind the internal router, but I cannot seem to figure out how to get the traffic to pass through the ASA.
Gateway 10.25.240.1
Outside of the ASA 10.25.240.25
Inside of the ASA 172.16.1.25
Eth0/0 on the router 172.16.1.1
Eth0/0.1 on the router 172.16.1.2 (VLAN 832)
Encapsulation is dot1q
This might be just a bunch of babble, if you need more information just let me know what to throw at you.
Crash
07-20-2011 08:42 AM
I did a write erase reload, then factory-default so it is new again. I am about to apply this config. Is it right?
! Outside interface toward the AT&T gateway (10.25.240.1)
int eth0/0
ip address 10.25.240.248 255.255.255.0
nameif outside
no shut
! Inside interface toward the LAN; "nameif inside" sets security-level 100 automatically
int eth0/1
ip address 10.25.241.25 255.255.255.0
nameif inside
no shut
! PAT every inside address to the outside interface address
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
! Default route to the AT&T gateway
route outside 0.0.0.0 0.0.0.0 10.25.240.1 1
! Allow ICMP in on outside (for ping testing) and let the ASA itself answer pings on inside
access-list out_in permit icmp any any
access-group out_in in interface outside
icmp permit any inside
! Buffered debug logging plus packet captures on both interfaces for troubleshooting
logging enable
logging buffered 7
access-list cap permit ip host 10.25.241.2 host 10.25.240.1
access-list cap permit ip host 10.25.240.1 host 10.25.241.2
access-list cap permit ip host 10.25.240.25 host 10.25.240.1
access-list cap permit ip host 10.25.240.1 host 10.25.240.25
cap capin access-list cap interface inside
cap capo access-list cap interface outside
debug icmp trace
07-20-2011 08:54 AM
I applied that config, and it works now. See, the BFH route always works!!
07-20-2011 09:02 AM
Wow ...... I have started believing it too, great work .... let me know if you get stuck anywhere.....
-Varun
07-20-2011 11:21 AM
okie dokie. What I have now is PC <-->(inside)<-->outside<-->Internet
what I need to have is
PC<--->Switch<-->Router<--->ASA<---> Internet
The tools we have to work with, a 3590X Switch and a 2600 Cisco
What I have done: I have configured router on a stick with all 4 of my VLANs that I need, assigned IP addresses on eth0/0.x respectively, set encapsulation to dot1q, and did no shut on all of the sub interfaces (see attached file). Set the switch ports up with trunking and access. When I plug 10.25.241.2 up on the 804 VLAN, all I can ping is my router sub, nothing past. sh ip route shows gateway of last resort not set, with no connected networks. Do I need OSPF on a connected network? Then there is a question of physical layer, does the ASA plug into the switch (my 1st choice) or the router?
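The working ASA config posted earlier and the router-on-a-stick layout asked about in the last post are two halves of one design, so here is an added, constructed example of how the three boxes (2600 router, 3560X switch, ASA) are usually wired up together. It is not any poster's configuration. It keeps the addresses the thread gives (VLAN 832 on 172.16.1.0 255.255.0.0, router at 172.16.1.1, ASA inside at 172.16.1.25, AT&T gateway 10.25.240.1) and uses 8.2-style ASA syntax to match the earlier post; the VLAN 804 subnet (192.168.4.0/24), the switch port numbers and the subinterface numbering are assumptions. Two points it is built around: IOS will not accept the 172.16.1.0 subnet on both eth0/0 and eth0/0.1 at once, so the ASA-facing subnet lives on exactly one interface, and the ASA only sees 172.16.0.0/16 as connected, so it needs static routes back to every other VLAN subnet or return traffic is dropped.

```cisco
! ===== 2600 router: router on a stick (constructed example) =====
! The physical interface carries the 802.1Q trunk and holds no IP of its own.
interface Ethernet0/0
 no ip address
 no shutdown
!
! VLAN 832: the one VLAN that reaches the outside world; the ASA's inside sits here.
interface Ethernet0/0.832
 encapsulation dot1Q 832
 ip address 172.16.1.1 255.255.0.0
!
! VLAN 804 (subnet is an assumed placeholder); repeat for the other two VLANs.
interface Ethernet0/0.804
 encapsulation dot1Q 804
 ip address 192.168.4.1 255.255.255.0
!
! Gateway of last resort: anything not directly connected goes to the ASA inside address.
! A static default route is enough here; OSPF between the router and the ASA is not needed.
ip route 0.0.0.0 0.0.0.0 172.16.1.25

! ===== 3560X switch: trunk toward the router, access port toward the ASA =====
interface GigabitEthernet0/1
 description trunk to 2600 Ethernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 804,832
!
! The ASA inside interface is untagged, so it goes on an access port in VLAN 832.
interface GigabitEthernet0/2
 description ASA inside
 switchport mode access
 switchport access vlan 832

! ===== ASA (8.2-style syntax, as in the thread) =====
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.16.1.25 255.255.0.0
 no shutdown
!
! The ASA is directly connected to 172.16.0.0/16 only. Every other VLAN subnet
! behind the router needs a static route pointing at the router, one per subnet.
route inside 192.168.4.0 255.255.255.0 172.16.1.1 1
!
! NAT must match every inside subnet, not just the connected one; 0.0.0.0 0.0.0.0 does.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! Default route toward the AT&T gateway on the outside.
route outside 0.0.0.0 0.0.0.0 10.25.240.1 1
```

Two checks worth running before declaring it done: "show ip route" on the 2600 should now list the 0.0.0.0/0 route via 172.16.1.25 as gateway of last resort, and "show route" on the ASA should list one inside route per VLAN subnet. One caveat that follows directly from the addresses in the thread: the 255.255.0.0 mask on VLAN 832 claims all of 172.16.0.0/16, so none of the other three VLANs can use a 172.16.x.x range without overlapping it.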