03-30-2020 06:12 AM
Good morning everyone, I need some personal thoughts.
Currently, I have a setup I've been working on. I had to redesign my network, after getting a new firewall this is how it goes. My modem, connects to my firewall which is configured to do the routing. One port feeds my switches for the internal network, out of another port of the firewall we have our WiFi then out of another port we have the guest WiFi. The security level for the inside network with switches is set to 100.
For the Guest network and Home WiFi network that are coming from different ports on the firewall, for it being considered "inside" the network what do you think would be considered a good security level for the two segments?
03-30-2020 06:31 AM
Hi,
Assuming your outside has a security-level of 0 and your inside a security level of 100, you have two options:
- use the same security level value for both WiFi networks (this way they can't communicate in between by default) and give it a security-level of whatever you want, between 1 and 99, like both being 60 for example. With these security levels, your WiFi users will be allowed to go out on the Internet only by default; for other access configure an ingress ACL or global ACL.
- use different security levels for your two WiFi zones, like 60 and 70 for example, and put the Guest to 60; with this, Guest will be allowed out on the Internet only, while the other WiFi network will be allowed to access the Internet and the guest WiFi network; likewise these default permissions based on security levels can be overridden by ACLs.
Regards,
Cristian Matei.
03-30-2020 07:02 AM
Thanks for that, it makes sense. I'm going to pick your brain a little bit more, I'm trying to do something a little bit different. I'll lay it out for you because I want to try and make something else work.
So the modem -> Firewall, then the firewall connects to two different ISRs; the reason for two is that I'm running HSRP on them and the second ISR is for redundancy only. Both are hooked up into a switch. Right now, I'm only trying to ping the main ISR, and I can ping the gateway, but when I try to ping the exit port I don't get anything back.
Experimental setup here.
On switch:
Interface G1/0/35
Switchport mode trunk
VLAN 250
192.168.0.2 255.255.255.0
On Router: (HSRP isn't setup yet but will be)
Interface G0/0.1
Encapsulation dot1Q 250
192.168.0.1 255.255.255.0
Interface G0/1
208.165.100.2 255.255.255.252
IP Route 0.0.0.0 0.0.0.0 208.165.100.1
IP Route 192.168.0.0 208.165.100.1
On Firewall:
Interface E0/3
208.165.100.1 255.255.255.252
Route Inside 0.0.0.0 0.0.0.0 208.165.100.2
Then after it goes through the firewall I want it to go to the modem, which is bridged. Let's say the E0/1 interface is 68.36.235.5 255.255.252.0
Network: 68.36.232.0
Gateway: 68.36.232.1
Should I configure the Firewall to hand out DHCP or the ISR, which would be recommended?
Now I'm still trying to learn how to configure the firewall properly, but I cannot ping the router's exit interface and the firewall's interface from VLAN 250 within the switch. What am I doing wrong or missing?
03-30-2020 08:14 AM
Hi,
Are you trying to ping from the switch which is in front of the firewall, across the firewall to the ISRs behind the firewall? You need to allow that traffic through the ASA, but I would not open this "hole" in the firewall, if the design is as I described.
For which users do you want to use DHCP? For the users attached to the ASA (WiFi) or for internal users (behind the ISRs, I believe)?
Regards,
Cristian Matei.
03-30-2020 09:08 AM
I'm trying to ping from the switch to the firewall's interface that's connected to the ISR, and afterwards I'd like to be able to ping past the firewall, but I'm not sure if I have the routing correct and how to allow traffic.
I was thinking of creating multiple DHCP pools: one for the Guest WiFi, one for the Main WiFi, then another for our main Ethernet network. Should I have the router hand out DHCP, which is after the firewall, or should I just have the firewall do it? Every device before the DHCP will just be statically configured, like the interfaces between the firewall and the modem.
03-30-2020 09:29 AM
Hi,
1. As said, I would not allow that traffic through; but if you want to do it (if it's an ASA firewall, you can only ping the interface closest to you from a routing perspective, your ICMP packets cannot cross the ASA and land on it):
access-list OUTSIDE_IN extended permit icmp host switch host ISR
access-group OUTSIDE_IN in interface outside
2. I would go simple, as the ASA DHCP Relay functionality has some restrictions; I would leave the ASA running as DHCP server for your WiFi users, for which it will also be the default gateway, and have the ISR routers run as DHCP server for your internal users.
Regards,
Cristian Matei.
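The two replies above describe how an ASA decides, by default, which zone may initiate traffic to which (higher security level to lower: permitted; lower to higher or equal: denied) and how an inbound ACL such as OUTSIDE_IN replaces that default. The following is an added example, not from the thread or from Cisco: a small Python model of that decision logic so the two proposed WiFi designs (60/60 versus 70/60) and the ICMP ACL can be compared side by side. The interface names, levels and ACL hosts are constructed from the numbers quoted in the thread.

```python
"""Simplified model of Cisco ASA inter-interface default policy (added example).

Rules modelled:
  * higher security level -> lower: permitted by default;
  * lower -> higher: denied unless an inbound ACL on the ingress interface permits it;
  * equal levels: denied unless 'same-security-traffic permit inter-interface' is set;
  * once an ACL is applied inbound, it alone decides, with an implicit deny at the end.
"""
from dataclasses import dataclass, field


@dataclass
class AclEntry:
    proto: str            # "ip" matches anything, "icmp" matches only ICMP
    src: str              # host name or "any" (constructed placeholders)
    dst: str
    action: str = "permit"


@dataclass
class Asa:
    levels: dict                               # interface name -> security level
    acls: dict = field(default_factory=dict)   # ingress interface -> [AclEntry]
    same_security_inter: bool = False          # same-security-traffic permit inter-interface

    def allowed(self, src_if, dst_if, proto="ip", src="any", dst="any"):
        """Is a new flow entering src_if and leaving dst_if permitted?"""
        if src_if in self.acls:                # an applied ACL overrides the level rule
            for e in self.acls[src_if]:
                if (e.proto in (proto, "ip") and e.src in (src, "any")
                        and e.dst in (dst, "any")):
                    return e.action == "permit"
            return False                       # implicit deny
        s, d = self.levels[src_if], self.levels[dst_if]
        if s > d:
            return True
        if s == d:
            return self.same_security_inter
        return False


def matrix(asa):
    """Zone-to-zone table: who may initiate traffic to whom under the current policy."""
    names = list(asa.levels)
    return {a: {b: asa.allowed(a, b) for b in names if b != a} for a in names}


# Option 1 from the thread: both WiFi zones at 60 -> neither can reach the other.
option1 = Asa({"outside": 0, "inside": 100, "home": 60, "guest": 60})
# Option 2: home 70, guest 60 -> home reaches guest, guest cannot reach home.
option2 = Asa({"outside": 0, "inside": 100, "home": 70, "guest": 60})
# The OUTSIDE_IN ACL from the later reply: only ICMP from "switch" to "ISR" crosses inbound.
pinghole = Asa({"outside": 0, "inside": 100},
               acls={"outside": [AclEntry("icmp", "switch", "ISR")]})
```

Calling `matrix(option1)` and `matrix(option2)` shows the only difference between the two designs is the `home -> guest` cell; everything else (Internet access for both, no access toward inside) is identical.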
03-30-2020 09:36 AM
That actually does make a lot of sense and is a lot more simple, thank you for clearing that up.
As far as things with the routing table, do I have that correct so far? Or does it need something additional?
03-30-2020 09:53 AM
Hi,
Post a diagram with the devices, how are they connected, which IP subnets are where, where is the ISP, what is the ISP interconnect?
Regards,
Cristian Matei.