Solved: Connecting two subnets

dataIP · ‎11-13-2012

I have a problem with linking two seperate subnets which contain a individual small business networks.

Setup is each network has an ASA5505 and a 887 to provide internet connectivity. A variety of Cisco small business and one enterprise switch provide the switching. Each network contains its own servers and clients.

As a temporary measure I need to be able to access resources 'cross subnets'. (It is one business that has split in to two business units, so no privacy/security issues). The router will be removed once all relevant data has been migrated between networks.

Networks are 192.168.88.0 and 192.168.0.0, both with netmasks of 255.255.255.0

So, as a simple example a server on the .88 network needs to access information on a server at 192.168.0.128

We have the two segments linked with a Cisco E1000 router (was using a 871, but that seemed to cause more issues). IPs are 88.253 and 0.253 on each side.

I have enabled RIP on the E1000 and both ASA.

Both ASA have same-security-traffic permit intra-interface

From the 88.128 server, I can ping everything on the .88 network plus the far side of the E1000 (at 0.253) and the far side ASA (at 0.254), but not the far side server (at 0.128).

Maybe going back to the 871 may be a good plan, at least I should be able to debug things a bit easier from the command line?

I am sure there is something fundamental I am missing here.

kcnajaf · ‎11-15-2012

Hi,

Please try this configurations. This configuration is based on the assumption that you already has ICMP reachability between two networks as you have mentioned on previous posts. If you dont have ICMP reachability please use the static routes on 871 as mentioned below. Ensure that you have ICMP reachability before applying my configuration

ASA1

---------

interface vlan 1

nameif inside

security-level 100

ip address 192.168.88.254 255.255.255.0

!

same-security-traffic permit intra-interface

!

access-list tcp_bypass extended permit tcp 192.168.88.0 255.255.255.0 any

!

router rip

network 192.168.88.0

version 2

no auto-summary

!

class-map tcp_bypass

description "TCP traffic that bypasses stateful firewall"

match access-list tcp_bypass

!

policy-map tcp_bypass_policy

class tcp_bypass

set connection advanced-options tcp-state-bypass

!

service-policy tcp_bypass_policy interface inside

!

ASA2

--------

interface vlan 1

nameif inside

security-level 100

ip address 192.168.0.254 255.255.255.0

!

router rip

network 192.168.0.0

version 2

no auto-summary

!

same-security-traffic permit intra-interface

!

access-list tcp_bypass extended permit tcp 192.168.0.0 255.255.255.0 any

!

class-map tcp_bypass

description "TCP traffic that bypasses stateful firewall"

match access-list tcp_bypass

!

policy-map tcp_bypass_policy

class tcp_bypass

set connection advanced-options tcp-state-bypass

!

service-policy tcp_bypass_policy interface inside

!

871

---

ip route 192.168.0.0 255.255.255.0 192.168.0.254

ip route 192.168.88.0 255.255.255.0 192.168.88.254

!

IMPORTANT NOTE:

Believe me, I’m not an expert on ASA. To be frank this is the first time I'm playing around with ASA (with my GNS3) like this. I hope the above solution may fix the telnet or http access issue between two networks but not sure whether my proposed configuration will have any other impact on a real production network. So just be cautious about that.

After applying the configuration please confirm back that status and if the solution is working I can write up brief explanation of my solution.

Regards

Najaf

View solution in original post

kcnajaf · ‎11-13-2012

Hi,

It would help all of us if you could get a digram which details how your network (may be sketch only ASA and E1000 part) is physically connected along with ip address.

Regards

Najaf

dataIP · ‎11-13-2012

Hi Najaf,

Diagram now added.

Some things are temporary*, just to facilitate the migration of data.

*Temporary here means for some months... the client has to choose which data they want to move and this will take them some time.

The 4 port switch in the 'LAN side' of the E1000 will be replaced with an SG300-28 as soon as it is freed up in another part of the network. Some of the 'old' client machines will then move over too.

Abzal · ‎11-13-2012

Hi,

As they are connected to the same router there should be no problem with connectivity between them.

Check firewall on the server might something blocking connection.

Is E1000 default gateway for these subnets 192.168.88.0/192.168.0.0?

Please rate helpful posts.

Best regards,
Abzal

dataIP · ‎11-13-2012

Default gateway for all clients and servers is the ASA at 192.168.x.254

this is as it was before adding the router.

As far as I understand it RIP should make the ASA learna route for the 192.16.88.0 and 192.168.0.0 networks.

Default route at each ASA is the 877 router out to the internet.

kcnajaf · ‎11-13-2012

Hi,

This diagram really helps.

So what you are saying here is

1) From server 192.168.88.128 you can ping 192.168.88.xx, 192.16192.168.0.253 and 192.168.0.254.

2) From server 192.168.88.128 you can not ping 192.168.0.128

So the question is whether 192.168.0.128 is only ip address if you are not able to ping or are there other ip address as well? Is this is single ip address which you are not able to reach then verify following

a)what is default gateway connfigured on 192.168.0.128 (it should be 192.168.0.253)

b) windows firewall is turned off

c) if the server connected port is configured with correct vlan number is on the switch port.

If you are not able to reach any ip address on 192.168.0.x network other than 192.168.0.128 then please provide the configuration on E1000 router.

Regards

Najaf

dataIP · ‎11-13-2012

Hi Najaf,

Thanks for the suggestions... investigating now but I can confirm I have discovered that I can actually ping other machines on the 0.0 network.... but not the server.

ServerA (88.0 network) can ping 192.168.0.1 (a UPS), .10 (a switch), .130 (another server)... but not .128 (serverB), .129 (serverB iLO interface).

Default gateway is as above post.

I believed that turning on RIP, I could use the default gateway of the ASA unmodified, the ASA finding a route for the traffic that was for the other local network.

About to do more tests... (not actually on site at present...doing checks via a remote connection and I really don't want to cut my self off).

kcnajaf · ‎11-13-2012

Hi,

To be frank for Server A to reach Server B the traffic does not have to go to ASA as both servers (A&B) has the default gateway configured with the ip address on E1000. Also you wouldn't need RIP aswell in order to make this communication happen.

Also verify if any other devices on 192.168.0.x network can reach Server B. This will conclude if the issue is with server or switching or routing..

Regards

Najaf

dataIP · ‎11-13-2012

Just tried a test from another server at 192.168.0.130... it CAN ping ServerB at 192.168.0.128 as we would expect.

Noticing something really odd..

From ServerB at 192.168.0.128 I can ping;

192.168.0.1

.2

.5

.6

.10

.16

.18

.128 (itself)

.129 (its iLO interface)

.130 (HP server C)

.131 (iLO)

.132 (HP Server D)

.133 (iLO)

So all of those are responding properly to pings

(Don't worry about the gaps... network isn't using every address)

Going back to the .88 network for a moment;

From ServerA I can ping as above EXCEPT

.16 & .18 (Cisco access points)

.128 & .129 (HP server)

.132

Can't see why some are 'special'

kcnajaf · ‎11-13-2012

Hi,

Hopefully you dont have any ACL on your E1000 router. Also verify arp table (sh arp) on router and see if you are able to see the MAC address of the non pinging device as well.

Regards

Najaf

dataIP · ‎11-13-2012

No ACL on the router.

Problem is that router is so simple it only has a web interface. I can't get console access to it. Unless you know a trick to get in.

That is why I may go over and put the 871 back in circuit. At least I can get more info to debug the problem.

I just thought it was going to be trivial, throw in a simple router and be done.

kcnajaf · ‎11-13-2012

Which brand of router is this? I'm affraid to say that i have not heard of it before :-)

dataIP · ‎11-13-2012

Sorry, should have been clearer... it is a Cisco Linksys unit.

Very simple, just thought it would be easy to throw this in as a tempory solution. As I said before, I may go to site tomorrow and deploy an 871, at least we can get more information via the commandline.

SATISH KATTIKA · ‎11-13-2012

Plz verfiy the Subnetmask on the server.

SATISH KATTIKA · ‎11-13-2012

Is E1000 will support L3 VLAN's What is the configuration on E1000

Is Ip routing enabled on the router.. ?