Is the trouble I am having relating to the fact that the 2 Subnets are already established and the Cisco wants to be the “server”? 

In your original post you correctly state that for the 2 subnets to communicate that you need a L3 device to forward traffic between them. Through the following discussion I have been assuming that the most logical solution would be to have your ASA5508 perform that function. The ASA is a L3 device that is forwarding traffic and it is already in the path used by the smaller routers. Now I have looked at the configuration of the ASA that you posted and realize that the situation is more complicated than I had realized. It appears that the smaller routers are performing address translation as they forward traffic toward their default gateway (which is the ASA). So the ASA does not know anything about subnets 10.0.1 or 10.0.2. So in the current situation the ASA can not perform the routing between those subnets.

I believe that there are several approaches that you could use, but each of the approaches has difficulty associated with it.

1) you could change the configuration of the smaller routers and have them not do address translation on traffic they are forwarding to their default gateway. This would allow the ASA to have visibility to those subnets and to forward traffic between them. But changing the configuration of the smaller routers may be more complicated than you want to undertake.

2) you could establish a connection directly between the smaller routers (which seems to be what you have in the drawing that you posted). This would allow traffic between the subnets to flow directly between the smaller routers and bypass the ASA and the address translation of the smaller routers. But this would require configuring new interfaces on the smaller routers and require changing the routing logic to forward traffic for the subnets differently than it forwards other traffic and might be more complicated than you want to undertake.

Given the architecture that you started with where the 2 smaller routers each have its own subnet and doing address translation as they forward traffic toward their default gateway, I do not see a solution that does not require significant changes in the smaller routers.

HTH

Rick

I thank you for the information. It does make sense.. Just by going over my Router 1 GUI I can see that it has absolutely no configuration options for what you mention.. Router 2 does as it’s a DDWRT custom Firmware and can do a lot but without both being able to it seems to be a done deal. 

The reality of the situation is that it can not be done and I accept that but my inquisitive mind doesn’t know why.

what is the reason that, let’s say a L3 Switch and remove the complexity of a router, I can’t have 2 interfaces be programmed 1 with an ip from 1 subnet and 1 be programmed with an ip from another subnet and then have nat say this interfaces crosses over to this interface? Isn’t that the nature of nat?

i ask out of ignorance so I hope I come across as curious and not stubborn. I just thought a switch would “switch” from one subnet to another via nat.

Hi,

what is the reason that, let’s say a L3 Switch and remove the complexity of a router, I can’t have 2 interfaces be programmed 1 with an ip from 1 subnet and 1 be programmed with an ip from another subnet and then have nat say this interfaces crosses over to this interface? Isn’t that the nature of nat?

Where you want to perform NAT? On Switch? The NAT is not available on all switches. It is available on a few higher level switches (NX Series)

Regards,

Deepak Kumar 

Perhaps I have missed something or am not understanding something in what you are asking. Where is it that you suggest substituting a L3 switch for a router?

The essential part of the current problem is that you have 2 small routers/home routers. Each of them has a connected subnet. Each of them is the default gateway for the devices connected in that subnet. Each of them is doing address translation as it forwards traffic from its connected devices. And it appears that at least one of them does not support making changes in the packet forwarding logic or the address translation logic.

If you are willing to give up the 2 small routers/home routers then connecting those devices in 2 vlans on a switch would be easy and would make it easy for devices in one subnet to communicate with devices in the other subnet. It could be a layer 3 switch to do the routing. Or it could be a layer 2 switch and let the ASA do the routing.

The reason that the ASA can not do the routing in your current environment is that the source addresses have already been translated by the time the packet gets to the ASA. So the ASA has no visibility of where 10.0.1 or 10.0.2 are and is not able to route between them.

HTH

Rick

[edit] Just to be clear about your statement

"My 5508-X can not be set the way I want with 2 independent Interfaces"

It is not an issue about ASA with 2 independent interfaces. The ASA certainly can be configured with 2 independent interfaces. The issue is that the ASA has no visibility about where the subnets are. If a device sends a request to the NAS, when it gets to the ASA then the ASA has no idea where that destination address is or how to forward to it.

Good Morning

Let me respond to the edit first... I understand what you mean that the ASA can be independent but how does it know?

That is why I thought by doing an IP Route or a NAT from Interface 7 (10.0.1.115) to Interface 8 (10.0.2.115) that they would then have a route between themselves. 

I assumed that assigning each designated Interface an IP from their respective Subnets that those Interfaces would then become part of their Networks then by adding NAT or IP Route that that would be their (ASA) “how does it know”. 

With the first part.. I meant instead of going back into the 5508 could I just have a Switch, like the nexus (or any L3 Switch I can configure) and connect each subnet then configure it like “incoming from 10.0.1.115 will translate to 10.0.2.115 and then follow its path to the 10.0.2.111 NAS. Maybe this isn’t even practical, logical or capable in any circumstance. 

My thought was to configure interfaces with an IP from their subnet and then just translate one to the other. 

It seems the end of your first post before the edit answers this all together that the NAT has already been done by the smaller routers for 10.0.1.x just can’t see 10.0.2.x.

I would absolutely love to remove both smaller routers and create a vlan so all devices are same same subnet but there are 2 devices on the 10.0.2.x that absolutely need to be on that VPN at all times and the VPN I use requires OpenVPN/DDWRT. It’s a privacy VPN. 

My only othet way way to do this, which is not the path i want, is to merge everything onto the VPN router and create an access list of which IP’s I want on the vpn and not.. But I have heard stories of this failing at times and the VPN dropping. 

Hopes this makes sense. 

Hi,

My only othet way way to do this, which is not the path i want, is to merge everything onto the VPN router and create an access list of which IP’s I want on the vpn and not.. But I have heard stories of this failing at times and the VPN dropping. 

No, If both ends configured properly then you will not face this issue.

Regards,

Deepak Kumar

There are a couple of things that I would like to clarify. And then I will try to explain a bit differently what I see as the key issue here.

1) you have mentioned several times using a switch (probably layer 3 but perhaps layer 2). Where would that switch be? What would it connect to?

The arrow between subnets in your drawing seems to suggest that the switch might be there. But how would that work? Would the PCs and servers connect to the switch or to the wireless router? How would the switches interact with the routing being down by the residential wireless routers?

2) you have mentioned connecting interfaces 7 (10.0.1.115) and 8 (10.0.2.115). Am I correct in assuming that these are interfaces on the ASA? If so what are they connecting to? Are you suggesting that they would connect to ports on the residential wireless routers? You could certainly do this, but how would they interact with the routing being done by the residential wireless routers?

So let me try to explain the issue this way. Let us assume that there is a PC with IP address 10.0.1.59 and it wants to communicate with the NAS at 10.0.2.111. The PC will determine that the destination is remote and that it needs to forward the packet to its default gateway, which is the residential wireless router 1. router 1 will determine that the destination (10.0.2.111) is remote and that it does not have a route to that network, so it forwards the packet to its default route, which is the ASA and as it forwards the packet it does address translation on the source address. The packet gets to the ASA which looks at the destination address (10.0.2.115) and determines that it does not know a route to that network so it will attempt to forward that packet out its outside interface and goes out into the Internet where it eventually gets dropped.

The issue that I see is that neither 1) nor 2) have any way to change that routing logic.

HTH

Rick

Hello

Alright, I see where you are getting.

First of all yes this L3 Switch would sit between both residential routers.  Nothing would be plugged into it except 1 going to each residential routers, being only used as a bridge between residential routers. Let’s say, port 1 would be configured as 10.0.1.115 as an extension/device such as a PC from the 10.0.1.1 subnet and then port 2 would be configured as 10.0.2.115 from its 10.0.2.1 subnet. 

I thought maybe it was possible to bridge the 2. 

For example, in this L3 Switch make a NAT entry or the likes saying “anything coming in on port 1 10.0.1.115 from 10.0.1.0 would be redirected to 10.0.2.115 (more specifically 10.0.2.111) and then onto that subnet. And then on the 10.0.1.1 Router create an IP route through the hops.

This may have you smacking your forehead if it’s just laughable an not even a capability of Routers but that was my thought process. I am just explaining my questions of cannot be done and won’t press on if it’s just something that can’t be done.

Good Evening

Thank you for your continued assistance with this.

What I gather is that on said L3 Switch(I was thinking about my SG350) and creating 2 vlans and assigning an IP from each subnet to each vlan and then the vlans to an Interface on the switch. So Interface 1 on switch will be associated to a vlan100 w/ an IP of 10.0.1.115 and with Interface 2 it would be 10.0.2.115 but with vlan200.

Now if 10.0.1.x is the initiating Subnet would I also need an IP Route on the 10.0.2.x? I ask because with the current firmware of DDWRT my ability to add an IP Route does not function. If I absolutely do need to do an IP route for some reversal reason, I will find a modified firmware that does support it.

You mention the next hop... So on my 10.0.1.x would I have an IP Route such 10.0.2.0 255.255.255.0 10.0.2.115? Or would I need to specify 10.0.2.111 255.255.255.0 10.0.2.115? Or does it need to hit the Router IP to communicate with the other IP's so 10.0.2.1 255.255.255.0 10.0.2.115.

With the TPLink it goes : Destination, Subnet Mask, Gateway, Interface (LAN or WAN) which I know for my ASA would be "route 'interface' 'network'  'Subnet' 'Gateway' and 'Metric" (hops?)