cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2283
Views
0
Helpful
9
Replies

Drop 'N Go subnet within pre-existing network - Help with routing please

janderson.IRS
Level 1
Level 1

Hello All,

I would consider myself entry level at best when it comes to the Cisco ASA 5505, and I appreciate any help or direction that anyone would be able to provide regarding this issue I am having. I am sure there is something out there for this but I have not yet been able to figure this out with what I have found.

 

So we currently have our infrastructure setup like this: modem(69.14.72.6/255.255.255.248)->ASA(192.168.1.1)->Switch->Hosts and Servers(192.168.0.X\24).

What I am trying to do is drop in a small router somewhere within this network with its own subnet and be able to communicate back and forth to it from the 192.168.0.X network, so it will look something like this: modem->ASA->Switch->Hosts and Servers(192.168.0.X\24) && Hosts and Servers(192.168.1.X\24).

 

I would like to allow this traffic flow hopefully while only having 2 interfaces configured on the ASA (Outside 0/0, and Inside 0/1-0/5) and without modifying the configuration on the Switch. A few key phrases that come to mind from my search thus far are "Hair Pinning" and "same-security-traffic permit intra-interface". Also I am aware of port-forwarding, and as I understand it this would not be practical as I would have to configure a rule for every device connected to the 192.168.1.X\24 network.

I hope someone will be able to help me with this issue, I have been at this for 3 weeks now.

 

Thanks again everyone!

EDIT: Here are is a diagram to help explain what I am trying to do. The area shown in red is what I am trying to add to the rest of which I already have.

 

1 Accepted Solution

Accepted Solutions

Hi James,

 

To route between 2 networks you'll need to either use a Layer 3 switch or a "Router on a stick"

Installing a layer 3 switch would cause the least interruption to your existing network. 

You would then have ASA 'inside' interface -->Layer3 Distribution Switch-->2 or more Access Switches

View solution in original post

9 Replies 9

Ian Walker
Level 1
Level 1

Hi,

I've made this in packet tracer (I had to use a router instead of ASA - but same principle applies.)

This is the classic "Router on a stick" topology.

Note: You'll need to create a trunk between the switch and R1 now that there are 2 VLANs.

## I've used 192.168.0.2 as the gateway address for the 192.168.0.x network, but you could in fact set up the router R1 with 192.168.0.1 as the subinterface, get everything configured, and then install the router and change the current internal address of the ASA (192.168.0.1) as per my example, at the very last minute. ##

The ASA will need a route added for traffic back to the 192.168.0.x and 192.168.1.x networks.

The 192.168.1.x network -- gateway will be 192.168.1.1

The 192.168.0.x network -- gateway will be 192.168.0.2

*There's no need for any of the subjects you mentioned:

 "Hair Pinning" and "same-security-traffic permit intra-interface" or port-forwarding.

HTH

Ian

 

 

 

 

Hello Ian and thank you for your reply.

Let me see if I understand what you are suggesting...

So, from your diagram I see the two networks connected via two separate VLANS at the switch. Is this correct? So you are suggesting that we have the switch do the routing between the 2 internal subnets?

Thanks again,

James

Hi James,

 

No, the router will route between the 2 VLANs.

I've assumed you want to introduce a router rather than replace the current switch with a layer 3 switch which would be the more elegant solution.

Did you want to use a router because you have one spare?

A new layer 3 switch could simply replace your current switch, create 2 VLANS on it, and route between the 2 VLANs, much neater.

We are capable of setting up a VLAN for this additional network on the switch, however I am trying to see if there is anyway around this.(something simpler) I suppose what I am looking for is the easiest way to route traffic between those 2 networks. Maybe a simpler diagram will help.

So lets say I have my Cisco ASA 5505(192.168.0.254) connected to the internet through my modem on VLAN 0 on int0/0.

and VLAN 1 is on int0/1-int0/7 and this is my internal interface.

On int0/1 I have a client connected with a manual IP address assigned (say 192.168.0.10).

On int0/2 I have a (SOHO)router(192.168.0.100>WAN, 192.168.1.1<LAN) connected to the internet through the CISCO, via the SOHO router WAN port. This router is serving up DHCP and there is a client on its network(192.168.1.20).

How would I setup routing between the two clients/clients on each network?

I hope this helps better describe what I am after.

 

Thanks for your help Ian.

 

Are you able to get rid of the SOHO router?

Connecting both networks to the ASA (via switches where required).

You could then set the ASA to be DHCP server for each network.

 With 2 "Inside" network interfaces, level 100, you would then be looking at

"same-security-traffic permit inter-interface"

HTH

Ian.

 

I would like to ignore VLAN as an option. I say this because I believe our 5505 is currently only licensed to support 2 VLAN's (Outside, Inside) and I believe a DMZ type VLAN(limited VLAN).

Is it possible to do this as is, with just the outside and inside interfaces configured on the 5505 and with the SOHO router as mentioned in the minimal scenario above?

FYI, I was able to get it working using the DMZ as a VLAN to the SOHO router. However this is not ideal as I would need to run cable out to where I would like to drop the SOHO router back to the VLAN interface on the router.

I am wondering if it is possible to just drop the router onto a cable that is run back to the same interface as the other network. The term 'inter-VLAN' routing comes to mind...

Sincerely thanks,

James

Hi James,

 

To route between 2 networks you'll need to either use a Layer 3 switch or a "Router on a stick"

Installing a layer 3 switch would cause the least interruption to your existing network. 

You would then have ASA 'inside' interface -->Layer3 Distribution Switch-->2 or more Access Switches

Hello Ian,

Thanks for at the very least letting me know that what I am trying to do is not possible. Theres nothing worse than searching for a solution that does not exist.

Also, thanks for identifying other alternative solutions for my scenario.

I sincerely appreciate the time you have spent with me on this issue. I wish you and yours the best.

James

Thanks for your kind comments!

Let me know what solution you implement!

Best regards,

 

Ian.