ASA 5520 8.3 multiple vlan routing

mhobart2
Level 1

I'm back again with another question. The diagram below is the layout I'm working with. The ASA and BorderManager are running side by side for now until I can phase everything over to the ASA, so it makes everything a little complicated right now.

Anyway, I have machines on the 10.0.0.0 and 172.16.160.0 networks connecting to the internet and I have basic static NAT working through the ASA to machines on those two networks. However, those are the only two networks that have physical connections to ports on the ASA. All the routing between VLANs is being done on the 3560 switch. Is there a way to have one physical link to the ASA and still be able to NAT to all the VLANs? I tried enabling the port on the 3560 as an 802.1Q trunk port but I lost connectivity and couldn't get it back until I set it back to static access. Here is the diagram and below is the config. All the NAT and access rules are working except for the static NAT pointing 208.125.74.17 to the internal IP 172.16.128.8. That is on one of the VLANs that doesn't have a physical connection to the ASA. Any help is greatly appreciated!

[Diagram: Network.jpg]

SH RUN

interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 10.12.47.54 255.0.0.0
!
interface GigabitEthernet0/1
nameif Office
security-level 100
ip address 172.16.160.40 255.255.240.0
!
interface GigabitEthernet0/2
shutdown
nameif Outside2
security-level 100
ip address 24.213.128.219 255.255.255.248
!
interface GigabitEthernet0/3
nameif outside
security-level 100
ip address 208.125.74.19 255.255.255.248
!
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
management-only
!
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
object network 10.0.0.0
subnet 10.0.0.0 255.0.0.0
object network RemoteWorkstation
host 172.16.160.15
object network .20test
host 208.125.74.20
object network Discipline
host 10.42.43.95
object network .21Discipline
host 208.125.74.21
object network OffieVLAN
subnet 172.16.160.0 255.255.255.0
object network M86
host 10.12.47.51
object network HeatingSystem
host 172.16.128.8
object network .17Heating
host 208.125.74.17
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network obj_any
access-list outside_in extended permit ip any object HeatingSystem
access-list outside_in extended permit ip any object RemoteWorkstation
access-list outside_in extended permit ip any object Discipline
access-list outside_in extended permit ip any object M86
access-list outside_in extended deny ip any any
access-list inside_access_in extended permit ip host 10.12.37.62 any
access-list inside_access_in extended permit ip host 10.12.41.61 any
access-list inside_access_in extended deny ip any any
access-list Office_access_in remark Paul Mann
access-list Office_access_in extended permit ip host 172.16.160.3 any
access-list Office_access_in remark Kevin Smith
access-list Office_access_in extended permit ip host 172.16.160.109 any
access-list Office_access_in remark Remote Workstation
access-list Office_access_in extended permit ip host 172.16.160.15 any
access-list Office_access_in remark M86
access-list Office_access_in extended permit ip host 172.16.160.113 any
access-list Office_access_in remark Conference RM B Netbook
access-list Office_access_in extended permit ip host 172.16.160.112 any
access-list Office_access_in remark iSCSI in MS A Closet
access-list Office_access_in extended permit ip host 172.16.160.111 any
access-list Office_access_in remark HS Athletic Trainer
access-list Office_access_in extended permit ip host 172.16.160.110 any
access-list Office_access_in remark Leon from BOCES laptop
access-list Office_access_in extended permit ip host 172.16.160.104 any
access-list Office_access_in remark A4 Smartboard Workstation
access-list Office_access_in extended permit ip host 172.16.160.103 any
access-list Office_access_in remark Matt Hobart
access-list Office_access_in extended permit ip host 172.16.160.4 any
access-list Office_access_in remark E4 Smartboard Workstation
access-list Office_access_in extended permit ip host 172.16.160.102 any
access-list Office_access_in remark MAC Keyboarding Lab C2
access-list Office_access_in extended permit ip host 172.16.160.100 any
access-list Office_access_in remark Board Room Laptop
access-list Office_access_in extended permit ip host 172.16.160.99 any
access-list Office_access_in remark Amy Castricone
access-list Office_access_in extended permit ip host 172.16.160.83 any inactive

access-list Office_access_in extended permit ip host 172.16.160.82 any
access-list Office_access_in extended permit ip host 172.16.160.29 any
access-list Office_access_in extended permit ip host 172.16.160.24 any
access-list Office_access_in remark ES Social Worker WAP E7
access-list Office_access_in extended permit ip host 172.16.160.18 any
access-list Office_access_in remark A/V Editing Station
access-list Office_access_in extended permit ip host 172.16.160.11 any
access-list Office_access_in remark Credit Union WAP
access-list Office_access_in extended permit ip host 172.16.160.10 any
access-list Office_access_in remark Mark Vanacore
access-list Office_access_in extended permit ip host 172.16.160.8 any
access-list Office_access_in extended permit ip host 172.16.160.5 any
access-list Office_access_in extended deny ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
mtu Office 1500
mtu Outside2 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
!
object network 10.0.0.0
nat (inside,outside) dynamic interface
object network RemoteWorkstation
nat (Office,any) static .20test
object network Discipline
nat (inside,any) static .21Discipline
object network OffieVLAN
nat (Office,outside) dynamic interface
object network M86
nat (inside,any) static 208.125.74.18
object network HeatingSystem
nat (any,any) static .17Heating
access-group inside_access_in in interface inside
access-group outside_in in interface outside
access-group Office_access_in in interface Office
route outside 0.0.0.0 0.0.0.0 208.125.74.22 1
route Office 172.16.0.0 255.255.0.0 172.16.160.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.16.160.0 255.255.255.0 management
http 172.16.160.0 255.255.255.0 Office
http 10.0.0.0 255.0.0.0 Office
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 10.0.0.0 255.0.0.0 inside
telnet 172.16.160.0 255.255.255.0 management
telnet 172.16.160.0 255.255.255.0 Office
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DD
CEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:6be26dac2adbbb186fbd3d26d42408c2
: end

9 Replies

mhobart2
Level 1

Sorry the diagram is showing completely.  If you click on it, it will show the entire diagram.

Jennifer Halim
Cisco Employee

Based on your diagram as well as the routing configured on the ASA (route Office 172.16.0.0 255.255.0.0 172.16.160.1 1), to reach the 172.16.128.8 host you are currently routing it via the ASA Office interface towards the 3560 switch.

The question I have is, what is the default gateway configured on the switch? Is the default gateway configured to be 10.12.47.54 or 172.16.160.40? The routing needs to be symmetric (i.e. in and out of the ASA via the same interface): if traffic is coming into the outside interface towards the Office interface and the switch, the return packet needs to follow the same route, i.e. via the ASA Office interface and outside interface. If the switch default gateway is configured to be the ASA inside interface (10.12.47.54) then the traffic becomes asymmetric.

Jennifer,

The default gateway on the switch was set to 10.10.1.2.  That is so all our existing clients can still reach the outside through the filtered BorderManager server.  I added a second default gateway to the switch of 172.16.160.40 (as you suggested) and the NAT rules for any of the 172.16.0.0 subnets now work!  So thank you!

However, I still cannot get the 10.0.0.0 network to do any NAT translations through the "Office" interface when I disable or unplug the "inside" interface. I tried adding the static route to the ASA (route Office 10.0.0.0 255.0.0.0 10.12.17.57 1) but it gives me an error saying the route IP address cannot contain "10.0.0.0".

My objective is to eliminate one of the physical connections from the ASA to the 3560 switch.  Just to clarify, NAT translations to the 10.0.0.0 network are working now as long as I have the physical connection enabled on the "inside" interface.  I would just like to free up any ports if possible. 

Thanks again for your help!

Matt

Hi Matt,

May I know whether the proxy server is for web traffic only or for all Internet access traffic? If it is for web traffic only, your web browsers have already been configured to point to it, so there is no need for the default gateway to point to it.

Tim

The reason why you can't add "route Office 10.0.0.0 255.0.0.0" is because your inside interface is in that subnet:

interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 10.12.47.54 255.0.0.0
!

And since it's a directly connected subnet on the ASA, you can configure a static route for it at the same time too.

If you would like to move the physical connection of your ASA inside interface to be a routed interface towards the Office interface, then you would need to remove the ip address on the ASA inside interface first:

interface GigabitEthernet0/0
 shut
 no ip address
Once you remove the IP address from the inside interface, you should be able to add "route Office 10.0.0.0 255.0.0.0" pointing to the next hop.

Hope that helps.

Jennifer,

I have a new issue now. I'm trying to move some of the NAT translations off of BorderManager onto the ASA. I set up a second WAN interface on the ASA with IP 24.213.128.219/29. Initially there were two subnets on BorderManager connecting to one modem from our ISP, each with a range of 5 IP addresses. I removed all IP bindings and translations from BorderManager that were using the subnet 24.213.128.216/29 and moved it to the ASA. However, I set up a new NAT translation on the ASA using 24.213.128.220, as you can see in the SH RUN I have pasted below, and I can't get it to work. The default gateway of the ASA is still set to 208.125.74.22. Is there a way to add a second default route, or is that not my issue here? Any help would be greatly appreciated once again! Also, I have rebooted BorderManager, the ASA, both modems, and even our layer 3 switch doing the routing. Thanks.

interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 10.10.1.1 255.0.0.0
!
interface GigabitEthernet0/1
nameif Office
security-level 100
ip address 172.16.160.40 255.255.240.0
!
interface GigabitEthernet0/2
nameif Outside2
security-level 100
ip address 24.213.128.219 255.255.255.248
!
interface GigabitEthernet0/3
nameif outside
security-level 100
ip address 208.125.74.19 255.255.255.248
!
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
management-only
!
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
object network 10.0.0.0
subnet 10.0.0.0 255.0.0.0
object network RemoteWorkstation
host 172.16.160.15
object network .20test
host 208.125.74.20
object network Discipline
host 10.42.43.95
object network .21Discipline
host 208.125.74.21
object network OffieVLAN
subnet 172.16.0.0 255.255.0.0
object network M86
host 10.12.47.51
object network .17Heating
host 208.125.74.17
object network WeatherStation
host 10.10.20.45
object network Heating
host 172.16.128.8
object network test
host 10.12.37.62
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network obj_any
access-list outside_in extended permit ip any object Discipline
access-list outside_in extended permit ip any object RemoteWorkstation
access-list outside_in extended permit ip any object Heating
access-list outside_in extended permit ip any object M86
access-list outside_in extended deny ip any any
access-list Office_access_in remark Paul Mann
access-list Office_access_in extended permit ip host 172.16.160.3 any
access-list Office_access_in remark Kevin Smith
access-list Office_access_in extended permit ip host 172.16.160.109 any
access-list Office_access_in remark Remote Workstation
access-list Office_access_in extended permit ip host 172.16.160.15 any
access-list Office_access_in remark M86
access-list Office_access_in extended permit ip host 172.16.160.113 any
access-list Office_access_in remark Conference RM B Netbook
access-list Office_access_in extended permit ip host 172.16.160.112 any
access-list Office_access_in remark iSCSI in MS A Closet
access-list Office_access_in extended permit ip host 172.16.160.111 any
access-list Office_access_in remark HS Athletic Trainer
access-list Office_access_in extended permit ip host 172.16.160.110 any
access-list Office_access_in remark Leon from BOCES laptop
access-list Office_access_in extended permit ip host 172.16.160.104 any
access-list Office_access_in remark A4 Smartboard Workstation
access-list Office_access_in extended permit ip host 172.16.160.103 any
access-list Office_access_in remark Matt Hobart
access-list Office_access_in extended permit ip host 172.16.160.4 any
access-list Office_access_in remark E4 Smartboard Workstation
access-list Office_access_in extended permit ip host 172.16.160.102 any
access-list Office_access_in remark MAC Keyboarding Lab C2
access-list Office_access_in extended permit ip host 172.16.160.100 any
access-list Office_access_in remark Board Room Laptop
access-list Office_access_in extended permit ip host 172.16.160.99 any
access-list Office_access_in remark Amy Castricone
access-list Office_access_in extended permit ip host 172.16.160.83 any inactive

access-list Office_access_in extended permit ip host 172.16.160.82 any
access-list Office_access_in extended permit ip host 172.16.160.29 any
access-list Office_access_in extended permit ip host 172.16.160.24 any
access-list Office_access_in remark ES Social Worker WAP E7
access-list Office_access_in extended permit ip host 172.16.160.18 any
access-list Office_access_in remark A/V Editing Station
access-list Office_access_in extended permit ip host 172.16.160.11 any
access-list Office_access_in remark Credit Union WAP
access-list Office_access_in extended permit ip host 172.16.160.10 any
access-list Office_access_in remark Mark Vanacore
access-list Office_access_in extended permit ip host 172.16.160.8 any
access-list Office_access_in remark Greg Staines
access-list Office_access_in extended permit ip host 172.16.160.5 any
access-list Office_access_in extended permit ip host 172.16.128.8 any
access-list Office_access_in extended deny ip any any
access-list Outside2_access_in extended permit ip any object WeatherStation
access-list Outside2_access_in extended permit ip any object test
access-list Outside2_access_in extended deny ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu Office 1500
mtu Outside2 1500
mtu outside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
!
object network 10.0.0.0
nat (inside,outside) dynamic interface
object network RemoteWorkstation
nat (Office,outside) static .20test
object network Discipline
nat (inside,any) static .21Discipline
object network OffieVLAN
nat (Office,outside) dynamic interface
object network M86
nat (inside,outside) static 208.125.74.18
object network WeatherStation
nat (inside,Outside2) static 24.213.128.220
object network Heating
nat (Office,outside) static .17Heating
object network test
nat (inside,Outside2) static 24.213.128.217
access-group Office_access_in in interface Office
access-group Outside2_access_in in interface Outside2
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 208.125.74.22 1
route Office 172.16.0.0 255.255.0.0 172.16.160.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.16.160.0 255.255.255.0 management
http 172.16.160.0 255.255.255.0 Office
http 10.0.0.0 255.0.0.0 Office
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 10.0.0.0 255.0.0.0 inside
telnet 172.16.160.0 255.255.255.0 Office
telnet 0.0.0.0 0.0.0.0 outside
telnet 172.16.160.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DD
CEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily

You are spot on. You can't have two default routes configured on the ASA; it is not a supported configuration. You can only have two default routes if one is active and the other is a backup default route, not both active at the same time.

I only want some static NAT translations to go through the one WAN interface; all other translations and general internet traffic will go through the default route interface. Is that possible? Thanks again.

Matt

The problem is not with the static NAT configuration, the issue is with the default route. You can't have 2 default routes configured on the ASA and both active at the same time.

Unless you know exactly the destination IP addresses for the host that you are configuring the static NAT translation on the new WAN interface for, in which case you can configure static routes to those destinations via the new WAN interface. Otherwise, if you are relying on the default route to route the traffic because it could be any destination, then it is not supported.
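An added example, not part of the thread, that checks static object NAT rules against the ASA's own forwarding decisions: it rebuilds the routing table from the interface addresses and the "route" lines, then for each "nat (real,mapped) static" rule verifies that the real host really is reached through the rule's real interface (the symmetric-routing point above) and that the mapped interface is the one holding the default route (the point about the second WAN interface). The config excerpt is constructed from the second SH RUN in this thread; the checker and its finding texts are assumptions of this example, not ASA output.

```python
import ipaddress
import re

# Constructed excerpt of the second "sh run" in the thread (ACLs etc. omitted).
CONFIG = """
 nameif inside
 ip address 10.10.1.1 255.0.0.0
 nameif Office
 ip address 172.16.160.40 255.255.240.0
 nameif Outside2
 ip address 24.213.128.219 255.255.255.248
 nameif outside
 ip address 208.125.74.19 255.255.255.248
object network WeatherStation
 host 10.10.20.45
 nat (inside,Outside2) static 24.213.128.220
object network Heating
 host 172.16.128.8
 nat (Office,outside) static 208.125.74.17
route outside 0.0.0.0 0.0.0.0 208.125.74.22 1
route Office 172.16.0.0 255.255.0.0 172.16.160.1 1
"""

def parse_config(text):
    # routes: (network, nameif) from interface addresses (connected) and "route" lines
    routes, nats, nameif, obj, host = [], [], None, None, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"nameif (\S+)$", line):
            nameif = m.group(1)
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            routes.append((ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False), nameif))
        elif m := re.match(r"route (\S+) (\S+) (\S+) \S+", line):
            routes.append((ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False), m[1]))
        elif m := re.match(r"object network (\S+)$", line):
            obj = m.group(1)
        elif m := re.match(r"host (\S+)$", line):
            host = m.group(1)
        elif m := re.match(r"nat \(([^,]+),([^)]+)\) static", line):
            nats.append((obj, host, m[1], m[2]))  # (object, real host, real if, mapped if)
    return routes, nats

def egress_interface(routes, addr):
    # Longest-prefix match: the interface the ASA would forward to addr through.
    addr = ipaddress.ip_address(addr)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None

def check_nat_rules(text):
    # Each static NAT object maps to a list of findings; an empty list is clean.
    routes, nats = parse_config(text)
    default_if = next((n for net, n in routes if net.prefixlen == 0), None)
    report = {}
    for name, host, real_if, mapped_if in nats:
        findings, via = [], egress_interface(routes, host)
        if via != real_if:  # the rule names a real interface the host is not behind
            findings.append(f"{host} is reached via {via}, not {real_if} (asymmetric)")
        if mapped_if != default_if:  # replies to arbitrary Internet sources leave elsewhere
            findings.append(f"{mapped_if} holds no default route; replies exit {default_if}")
        report[name] = findings
    return report

if __name__ == "__main__":
    for name, findings in check_nat_rules(CONFIG).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Run as-is it reports Heating as OK and flags WeatherStation because its mapped interface Outside2 carries no default route while the only default route points out "outside".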
