
Connecting Three Networks....

woodjl1650
Level 1

Seems like I spend more and more time in here (Cisco Forums)....

I was talking to a guy today that was trying to help me link my three networks together, so each is separate but able to talk to each other. Right now I have them all connected via my ASA, but not able to ping or talk to any of them. He mentioned that I could connect them all via a switch and then they should work.

I am new to this world, and having a hard time trying to figure out how to accomplish this.

Right now my network is as follows:

Home_Network_with_1_ASA(2).jpg

Like I stated before, I want to keep each network separate, but want to be able to access each device no matter what network I am on.

Please HELP!!!

I have extra equipment if needed (old but they work)... Cisco 3660, Cisco 2600, Cisco 2900XL, Netgear FS518

Thanks in advance...


cadet alain
VIP Alumni

Hi Jonathan,

Do you really think that starting multiple threads about the same subject will help to resolve your problem?

I think that this will have the adverse effect because multiple solutions will all get spread across these threads and I think some people may end up tired of seeing you start a new subject as they are already trying to help you for the same problem. Post the routes on the routers.

Anyway if you want to use the network as it is using the ASA instead of the 3660 to connect to the cloud it is gonna be more work to configure but it will be more secure indeed.

What model of ASA have you got? How many interfaces? What licence? Is the Belkin a wireless AP?

Post the config of the ASA and the routes on the routers.

Alain.

Don't forget to rate helpful posts.

ASA 5505 - Basic License, 8 ports on the ASA. The Belkin is a gigabit wireless router, no APs.

Here is the current running config of the ASA...

R1

IP Address = 192.168.1.1

Default Gateway = 192.168.5.1

WAN IP Address = 192.168.5.3

R2

IP Address = 192.168.2.1

Default Gateway = 192.168.5.1

WAN IP Address = 192.168.5.4

R3

IP Address = 192.168.3.1

Default Gateway = 192.168.5.1

WAN IP Address = 192.168.5.2

Internet IP = 68.108.12.XXX

ASA Version 8.2(3)

!

hostname ciscoasa

enable password DQucN59Njn0OjpJL encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.5.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

ftp mode passive

same-security-traffic permit intra-interface

access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list 100 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list 100 extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list 100 extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list 100 extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0

pager lines 24

logging enable

logging list IP level informational

logging asdm informational

mtu outside 1500

mtu inside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

route inside 192.168.1.0 255.255.255.0 192.168.5.1 1

route inside 192.168.1.0 255.255.255.0 192.168.2.1 1

route inside 192.168.1.0 255.255.255.0 192.168.3.1 1

route inside 192.168.2.0 255.255.255.0 192.168.5.1 1

route inside 192.168.2.0 255.255.255.0 192.168.1.1 1

route inside 192.168.2.0 255.255.255.0 192.168.3.1 1

route inside 192.168.3.0 255.255.255.0 192.168.5.1 1

route inside 192.168.3.0 255.255.255.0 192.168.1.1 1

route inside 192.168.3.0 255.255.255.0 192.168.2.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.5.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.5.5-192.168.5.36 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:66f2eef4d48f50be6c3100c5d6349e7c

: end

ciscoasa(config)#

(sorry for the multiple threads, just trying to find answers and desperate to get this all working) 

Thanks for your help.

Hi,

"The Belkin is a gigabit wireless router, no APs." If it is wireless then it is an AP.

1) get rid of DHCP server on ASA for routers

no dhcpd address 192.168.5.5-192.168.5.36 inside

no dhcpd enable inside

because I'm not sure your routers are DHCP clients and it is best practice to configure static IP on router. DHCP should be for hosts, so you'll configure the pools on each router for the hosts on its segments.

2) concerning static routes on ASA: do this

no route inside 192.168.1.0 255.255.255.0 192.168.5.1 1

no route inside 192.168.1.0 255.255.255.0 192.168.2.1 1

route inside 192.168.1.0 255.255.255.0 192.168.5.3 1

no route inside 192.168.1.0 255.255.255.0 192.168.3.1 1

no route inside 192.168.2.0 255.255.255.0 192.168.5.1 1

route inside 192.168.2.0 255.255.255.0 192.168.5.4 1

no route inside 192.168.2.0 255.255.255.0 192.168.1.1 1

no route inside 192.168.2.0 255.255.255.0 192.168.3.1 1

no route inside 192.168.3.0 255.255.255.0 192.168.5.1 1

route inside 192.168.3.0 255.255.255.0 192.168.5.2 1

no route inside 192.168.3.0 255.255.255.0 192.168.1.1 1

no route inside 192.168.3.0 255.255.255.0 192.168.2.1 1

I've bolded the correct routes.

3) if you want to ping from inside to outside you'll have to permit ICMP replies on outside interface inbound with an ACL or inspect icmp, which I find more secure.

policy-map global_policy

class inspection_default

inspect icmp

4) if you configure same interface traffic then no need for these ACLs which you didn't apply on any interface anyway

no access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

no access-list 100 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

no access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

no access-list 100 extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0

no access-list 100 extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0

no access-list 100 extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0

Now for your routers:

on R1 put a default route pointing to 192.168.5.1 and do the same on the other 2 routers.

configure your DHCP scopes

Let us know if pings are working now.

Regards.

Alain.


Don't forget to rate helpful posts.

I loaded that config, but now I lost the internet connection to the routers... Also on the Cisco M10 Router, I tried to set the default route but was unable:

Destination IP - 192.168.5.1

Subnet - 255.255.255.0

Gateway - ???  I tried the 192.168.5.1, but it said it couldn't be the same as the IP Address

DHCP is enabled on each router, as before and in the diagram.

ASA show ip

System IP Addresses:

Interface                Name                   IP address      Subnet mask     Method

Vlan1                    inside                 192.168.5.1     255.255.255.0   CONFIG

Vlan2                    outside                68.108.12.252   255.255.255.0   DHCP

Current IP Addresses:

Interface                Name                   IP address      Subnet mask     Method

Vlan1                    inside                 192.168.5.1     255.255.255.0   CONFIG

Vlan2                    outside                68.108.12.252   255.255.255.0   DHCP

ASA running config

ASA Version 8.2(3)

!

hostname ciscoasa

enable password DQucN59Njn0OjpJL encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.5.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

ftp mode passive

same-security-traffic permit intra-interface

pager lines 24

logging enable

logging list IP level informational

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

route inside 192.168.1.0 255.255.255.0 192.168.5.3 1

route inside 192.168.2.0 255.255.255.0 192.168.5.4 1

route inside 192.168.3.0 255.255.255.0 192.168.5.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.5.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.5.5-192.168.5.36 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect icmp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:057b2b766126b5aedae8bc23152ba705

From the ISP:


Subnet Mask: 255.255.255.0
Wan IP: 68.108.9.226
Default Gateway: 68.108.9.1
DNS Address: 68.105.28.12
Condition: Connected

WAN IP different than what the ASA says because I have to use a backup router to get back on the internet, so new IP since it is dynamic.

Hi,

Destination IP - 192.168.5.1

Subnet - 255.255.255.0

Gateway - ???  I tried the 192.168.5.1, but it said it couldn't be the same as the IP Address

the destination IP for a default route is 0.0.0.0 and mask is 0.0.0.0

You left DHCP scope on the ASA !

What does the show route on the ASA say? Can you ping the routers' IPs in the 5.0 network from the ASA?

Can you ping the subnets 1.0-2.0-3.0 from the ASA ? and vice-versa?

Regards.

Alain.

Don't forget to rate helpful posts.

Oooppss....I thought I took DHCPD out...it's gone now....

Here is the show route:

ciscoasa# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

       * - candidate default, U - per-user static route, o - ODR

       P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.5.0 255.255.255.0 is directly connected, inside

S    192.168.1.0 255.255.255.0 [1/0] via 192.168.5.3, inside

S    192.168.2.0 255.255.255.0 [1/0] via 192.168.5.4, inside

S    192.168.3.0 255.255.255.0 [1/0] via 192.168.5.2, inside

ciscoasa#

And not able to ping between the three....

For this:

"Now for your routers:

on R1 put a default route pointing to 192.168.5.1 and do the same on the other 2 routers.

configure your DHCP scopes"

I need to go into the router setup and do this, correct? That is what I tried to do and got this:

"Destination IP - 192.168.5.1

Subnet - 255.255.255.0

Gateway - ???  I tried the 192.168.5.1, but it said it couldn't be the same as the IP Addre"

Hi,

as I said above a default route is address = 0.0.0.0 and mask = 0.0.0.0

do this on each router and also don't forget hosts must have their default gateway as IP address of router in their subnet.

You have no default route from your ISP so you won't get to the internet for sure.

add this on the ASA: route outside 0.0.0.0  0.0.0.0   68.108.9.1

Regards.

Alain.

Don't forget to rate helpful posts.

Here is what's on one of my routers, no internet access....

Router 3

Router IP - 192.168.3.1

WAN PORT - Static IP

Internet IP  Address:     192.168.5.2

Subnet Mask:            255.255.255.0

Default Gateway:     192.168.5.1

DNS 1:                     8.8.8.8

DNS 2 (Optional):     8.8.4.4

DNS 3 (Optional):    

The routing table - I haven't changed anything here....

Destination LAN IP    Subnet Mask      Gateway        Interface
192.168.5.0           255.255.255.0    192.168.5.5    Internet (WAN)
192.168.3.0           255.255.255.0    192.168.3.1    LAN & Wireless
0.0.0.0               0.0.0.0          192.168.5.1    Internet (WAN)

Hi,

the default route is ok:

0.0.0.0   0.0.0.0  192.168.5.1

But as our IP is 192.168.5.5 so on the ASA the route must be like this:

route inside 192.168.3.0 255.255.255.0 192.168.5.5

Verify your routers IP in the 5.0 network and change the routes accordingly on the ASA and don't forget the default to the ISP gateway as you didn't receive it via DHCP as it seems.

Regards.

Alain.

Don't forget to rate helpful posts.

Finally got the internet, had a bad route. From the ASA I am not able to ping the router nor can I see any other network devices on the 192.168.2.0 or the .3.0 network.

Here is the running config:

ASA Version 8.2(3)

!

hostname ciscoasa

enable password DQucN59Njn0OjpJL encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.5.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

interface Vlan3

no nameif

no security-level

no ip address

!

ftp mode passive

same-security-traffic permit intra-interface

pager lines 24

logging enable

logging list IP level informational

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 255.255.255.0 0.0.0.0 1

route inside 192.168.1.0 255.255.255.0 192.168.5.3 1

route inside 192.168.2.0 255.255.255.0 192.168.5.4 1

route inside 192.168.3.0 255.255.255.0 192.168.5.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.5.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect icmp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:54d46a5e9207aac89651df334cde9b1d

: end

Hi,

route outside 0.0.0.0 255.255.255.0 0.0.0.0 1  not good  should be route outside 0.0.0.0 0.0.0.0

route inside 192.168.1.0 255.255.255.0 192.168.5.3 1

route inside 192.168.2.0 255.255.255.0 192.168.5.4 1

route inside 192.168.3.0 255.255.255.0 192.168.5.2 1

Verify those IP addresses are correct ones on each router

then verify your default routes on the router all point to the ASA 192.168.5.1 ip address

verify your hosts have default gateway as ip address of router in same subnet( for 3.0 it should be 3.1 and so on)

then ping router addresses in 5.0 from ASA, if it works then ping 1.1,2.1,3.1 from ASA, if it works ping from hosts to ASA 5.1

If none works then post results and then do traceroute and post results

Regards.

Alain.

Don't forget to rate helpful posts.
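An added example, not part of the thread or any poster's code: a small Python check for the static-route mistakes corrected in the replies above (a next hop set to the ASA's own address or to an address off the inside subnet, and a default route with the wrong mask). The names `lint_routes` and `INTERFACES` are assumptions made for the illustration; the route lines are copied from the configs posted in the thread.

```python
import ipaddress

# Interface address as shown in the thread's "show ip" output. The outside
# address is DHCP-assigned, so only the inside interface is modelled here.
INTERFACES = {"inside": ipaddress.ip_interface("192.168.5.1/255.255.255.0")}

# Route statements copied from the configs posted in the thread.
SAMPLE = """\
route outside 0.0.0.0 255.255.255.0 0.0.0.0 1
route inside 192.168.1.0 255.255.255.0 192.168.5.1 1
route inside 192.168.1.0 255.255.255.0 192.168.2.1 1
route inside 192.168.2.0 255.255.255.0 192.168.5.4 1
route inside 192.168.3.0 255.255.255.0 192.168.5.2 1
"""


def lint_routes(config_text, interfaces):
    """Return (line_number, problem) tuples for 'route' statements."""
    findings, seen = [], {}
    for num, line in enumerate(config_text.splitlines(), start=1):
        parts = line.split()
        if len(parts) < 5 or parts[0] != "route":
            continue
        ifname, dest, mask, gw_text = parts[1:5]
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}")
            gw = ipaddress.ip_address(gw_text)
        except ValueError as exc:
            findings.append((num, f"unparseable address: {exc}"))
            continue
        # A default route is 0.0.0.0 with mask 0.0.0.0, nothing narrower.
        if net.network_address.is_unspecified and net.prefixlen != 0:
            findings.append((num, "default route must use mask 0.0.0.0"))
        if gw.is_unspecified:
            findings.append((num, "next hop 0.0.0.0 is not a gateway"))
        iface = interfaces.get(ifname)
        if iface is not None and not gw.is_unspecified:
            if gw == iface.ip:
                findings.append((num, "next hop is the firewall's own address"))
            elif gw not in iface.network:
                findings.append(
                    (num, f"next hop not on {ifname} subnet {iface.network}"))
        # Several next hops for one prefix deserve a second look.
        if net in seen and seen[net] != gw:
            findings.append((num, f"prefix already routed via {seen[net]}"))
        seen.setdefault(net, gw)
    return findings


if __name__ == "__main__":
    for num, problem in lint_routes(SAMPLE, INTERFACES):
        print(f"line {num}: {problem}")
```
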

I've gone through every menu on the Belkin Router and I can't seem to find the routing table to make sure that the router is routing to the ASA. The only way I can get internet to the Belkin is making a static WAN port with the address 192.168.5.3 default gateway of 192.168.5.1. I believe this is where my problem is.....But even from the ASA I still can not ping the routers..... Any Idea?

Hi,

yes doing it this way on the router should be ok for default route.

So on ASA you ping 192.168.5.3 and the pings timeout?

post sh route and sh arp on ASA after the ping fails then do this command:

packet-tracer input inside icmp 192.168.5.1 192.168.5.3  detailed

post result

Alain.

Don't forget to rate helpful posts.