2590 Views, 0 Helpful, 26 Replies

ASA on Multi-Network

woodjl1650 (Level 1)

I have three LANs connected to my ASA; all have internet access, but I am not able to ping or access any of the LANs on the inside network. Can you please advise on where I went wrong?

[Image: Home_Network_with_1_ASA(1).jpg]

ASA Version 8.2(3)

!

hostname ciscoasa

enable password DQucN59Njn0OjpJL encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.5.1 255.255.255.0

rip send version 1 2

rip receive version 1 2

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

ftp mode passive

access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list 100 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list 100 extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list 100 extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list 100 extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list ripACL_FR standard permit 192.168.1.0 255.255.255.0

access-list ripACL_FR standard permit 192.168.2.0 255.255.255.0

access-list ripACL_FR standard permit 192.168.3.0 255.255.255.0

access-list ripACL_FR standard permit 192.168.5.0 255.255.255.0

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

!

route-map HomeRoute permit 1

match ip address 100

match interface inside

!

!

router rip

network 192.168.1.0

network 192.168.2.0

network 192.168.3.0

network 192.168.5.0

redistribute static route-map HomeRoute

default-information originate route-map HomeRoute

version 2

distribute-list ripACL_FR in interface inside

!

route outside 0.0.0.0 0.0.0.0 68.108.10.1 1

route inside 192.168.1.0 255.255.255.0 192.168.5.1 1

route inside 192.168.1.0 255.255.255.0 192.168.2.1 1

route inside 192.168.1.0 255.255.255.0 192.168.3.1 1

route inside 192.168.2.0 255.255.255.0 192.168.5.1 1

route inside 192.168.2.0 255.255.255.0 192.168.1.1 1

route inside 192.168.2.0 255.255.255.0 192.168.3.1 1

route inside 192.168.3.0 255.255.255.0 192.168.5.1 1

route inside 192.168.3.0 255.255.255.0 192.168.1.1 1

route inside 192.168.3.0 255.255.255.0 192.168.2.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.5.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.5.5-192.168.5.36 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:14debb742c0a6f337f9f5005a22c9a14

: end

ciscoasa#

26 Replies

What does each set of (x.x.x.x) R1 (x.x.x.x) mean? Is that the IP address of R1, then the gateway?

R1

IP Address = 192.168.1.1

Default Gateway = 192.168.5.1

WAN IP Address = 192.168.5.3

R2

IP Address = 192.168.2.1

Default Gateway = 192.168.5.1

WAN IP Address = 192.168.5.4

R3

IP Address = 192.168.3.1

Default Gateway = 192.168.5.1

WAN IP Address = 192.168.5.2

Internet IP = 68.108.12.XXX

Hello Jonathan,

What I mean is that you have 4 different networks on the same interface; the only way to set this up is with Layer 3 devices splitting the broadcast domains and the networks.

But to do this, each router will need to have a default route pointing to the ASA.

Do you understand what I mean?

192.168.1.1 ---R1--192.168.2.2----192.168.2.1---R2------192.168.3.2----192.168.3.1--R3--192.168.5.2----192.168.5.1-ASA--

I hope this shows you my point of view,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Can you explain the 192.168.1.1 R1 192.168.2.2 ... and so on? I don't get where those IPs are supposed to go.

Maybe it is that I don't understand the topology....

At this moment, are you able to ping the interface from all the PCs in the different networks?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I can not ping, but all have internet access.

Here is the running config:

ASA Version 8.2(3)

!

hostname ciscoasa

enable password DQucN59Njn0OjpJL encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.5.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

ftp mode passive

same-security-traffic permit intra-interface

access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list 100 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list 100 extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list 100 extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list 100 extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

route inside 192.168.1.0 255.255.255.0 192.168.5.1 1

route inside 192.168.1.0 255.255.255.0 192.168.2.1 1

route inside 192.168.1.0 255.255.255.0 192.168.3.1 1

route inside 192.168.2.0 255.255.255.0 192.168.5.1 1

route inside 192.168.2.0 255.255.255.0 192.168.1.1 1

route inside 192.168.2.0 255.255.255.0 192.168.3.1 1

route inside 192.168.3.0 255.255.255.0 192.168.5.1 1

route inside 192.168.3.0 255.255.255.0 192.168.1.1 1

route inside 192.168.3.0 255.255.255.0 192.168.2.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.5.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.5.5-192.168.5.36 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:8c43eed321b244660819baf3ee4e5368

: end

ciscoasa#

Yeah, my biggest doubt is that you are telling the ASA that if it wants to get into 192.168.1.0 it has 3 different next hops, and the same thing for 192.168.2.0 and 192.168.3.0, but checking the diagram that is not possible.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
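The objection above (three next hops for one destination) and the earlier point that each router must be reachable from the ASA's inside segment can both be checked mechanically. The script below is an added example, not code from the thread or from Cisco: it parses the `interface` and `route` lines of the running config posted above (embedded here as a constructed excerpt, copied as posted) and flags a next hop that is the ASA's own interface address, a next hop that does not sit on the egress interface's subnet, and a destination given several next hops at the same metric. The `ROUTERS` table is the poster's own R1/R2/R3 address list; `candidate_next_hops` uses it only to show which in-subnet addresses could front each LAN, which is an inference from that list, not a fix the thread itself arrives at.

```python
import ipaddress
from collections import defaultdict

# Constructed excerpt of the running config posted in the thread: the two
# VLAN interfaces and the nine 'route inside' statements, as posted.
ASA_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
route inside 192.168.1.0 255.255.255.0 192.168.5.1 1
route inside 192.168.1.0 255.255.255.0 192.168.2.1 1
route inside 192.168.1.0 255.255.255.0 192.168.3.1 1
route inside 192.168.2.0 255.255.255.0 192.168.5.1 1
route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
route inside 192.168.2.0 255.255.255.0 192.168.3.1 1
route inside 192.168.3.0 255.255.255.0 192.168.5.1 1
route inside 192.168.3.0 255.255.255.0 192.168.1.1 1
route inside 192.168.3.0 255.255.255.0 192.168.2.1 1
"""

# Router addressing as listed by the poster: (LAN address, WAN address on the
# ASA's inside segment). Used only to suggest candidate next hops.
ROUTERS = {
    "R1": ("192.168.1.1", "192.168.5.3"),
    "R2": ("192.168.2.1", "192.168.5.4"),
    "R3": ("192.168.3.1", "192.168.5.2"),
}


def parse_interfaces(config):
    """Map nameif -> IPv4Interface for every interface with a static address."""
    ifaces, name = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = None                       # new block; nameif not seen yet
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address ") and name:
            parts = line.split()
            if parts[2] != "dhcp":            # 'ip address dhcp [setroute]' has no static address
                ifaces[name] = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}")
    return ifaces


def parse_routes(config):
    """Return (nameif, destination network, next hop, metric) per 'route' line."""
    routes = []
    for raw in config.splitlines():
        parts = raw.split()
        if len(parts) >= 5 and parts[0] == "route":
            iface, net, mask, nexthop = parts[1:5]
            metric = int(parts[5]) if len(parts) > 5 else 1
            routes.append((iface, ipaddress.ip_network(f"{net}/{mask}"),
                           ipaddress.ip_address(nexthop), metric))
    return routes


def audit_routes(config):
    """Return a list of (kind, destination, detail) findings for the static routes."""
    ifaces, findings = parse_interfaces(config), []
    by_dest = defaultdict(list)
    for iface, dest, nexthop, metric in parse_routes(config):
        by_dest[(iface, dest, metric)].append(nexthop)
        local = ifaces.get(iface)
        if local is None:
            findings.append(("unknown-interface", dest, iface))
        elif nexthop == local.ip:             # ASA told to forward to itself
            findings.append(("self-next-hop", dest,
                             f"next hop {nexthop} is the ASA's own {iface} address"))
        elif nexthop not in local.network:    # not directly reachable out that interface
            findings.append(("off-subnet-next-hop", dest,
                             f"next hop {nexthop} is not in {local.network} on {iface}"))
    for (iface, dest, metric), hops in by_dest.items():
        if len(hops) > 1:                     # only one of these can be the real path
            findings.append(("multiple-next-hops", dest,
                             f"{len(hops)} next hops at metric {metric} via {iface}: "
                             + ", ".join(map(str, hops))))
    return findings


def candidate_next_hops(config, routers):
    """For each routed destination, the router whose LAN address lies inside it and
    whose WAN address is on the egress interface's subnet (inferred, not the thread's fix)."""
    ifaces, out = parse_interfaces(config), {}
    for iface, dest, _nh, _metric in parse_routes(config):
        local = ifaces.get(iface)
        for name, (lan_ip, wan_ip) in routers.items():
            if local and ipaddress.ip_address(lan_ip) in dest \
                    and ipaddress.ip_address(wan_ip) in local.network:
                out[str(dest)] = (name, wan_ip)
    return out


if __name__ == "__main__":
    for kind, dest, detail in audit_routes(ASA_CONFIG):
        print(f"{kind:22} {dest}  {detail}")
    print(candidate_next_hops(ASA_CONFIG, ROUTERS))
```

Run against the posted config it reports twelve findings: three routes whose next hop is 192.168.5.1 (the ASA itself), six whose next hop is a router LAN address that is not on 192.168.5.0/24 and so can never be resolved by ARP on the inside interface, and three destinations that each carry three equal-metric next hops. The same parser can be pointed at any ASA running config to catch these route-table mistakes before they become unexplained reachability gaps.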

So this is a no go?

At least for me now, maybe someone has another opinion, but in my case I would rather use a switch connected directly to the ASA and then split the network into 192.168.1.0, 192.168.2.0 and 192.168.3.0.

I hope this helps you, Jonathan.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

How do you do that? I have a 2900XL switch.....

Thanks for all the help thus far. Like I said a little bit ago, I have a 2900XL and a NetGear FS518 switch. Could you please tell me how to configure it with switches?

Thanks
