Need help getting a 10.1.6.2 address to talk to 192.168.0.0/24

Alkemyst1971 (Level 1)

I inherited a rather overly complex setup. They used to have an ASA 5505 that just died to provide POE and phone/internet access to just a security desk that the previous team decided was best to exclude from the main 10.1.x.x network. The problem is that security desk has to be on 192.168.0.x since the elevators, cameras, door access, etc all live on it internally.

Call Manager is on 10.1.6.2 with the ASA they set up a nat first for 192 to the 10 network as it passed to the egress router. The ASA died and I am trying to duplicate all this with just the router and switch left. Internet is working fine now, but I cannot reach the call manager and never in my 20+ years did something like this.

The old config from the asa looked like this:

!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address PUBLIC_IP.166 255.255.255.252
!
interface Ethernet0/0
description to router
switchport access vlan 2
!
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list INBOUND extended permit ip any any
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 PUBLIC_IP.165 1

This is what is working for internet on the Router alone without the ASA:

interface GigabitEthernet0/0.168
description Security Desk
encapsulation dot1Q 168
ip address 192.168.0.1 255.255.255.0
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/2.423
description Causeway Sec_desk Handoff
encapsulation dot1Q 423
ip address PUBLIC_IP.162 255.255.255.252
ip nat outside
ip virtual-reassembly in
!
ip nat inside source route-map SECURITY_DESK interface GigabitEthernet0/2.423 overload
route-map SECURITY_DESK permit 10
match ip address 168
ip route 192.168.0.0 255.255.255.0 PUBLIC_IP.161
access-list 168 permit ip 192.168.0.0 0.0.0.255 any

Is it possible to give Call Manager a 192.168.0.x secondary address? Or do I have to do something else entirely different?

7 Replies

balaji.bandi (Hall of Fame)

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.0.0.0
nat (inside) 0 access-list inside_nat0_outbound

You have this command on the ASA; this means there is no NAT between these subnets.

In your network, where is the Call Manager located, or where is 10.0.0.0/8 located?

interface GigabitEthernet0/0 is the interface connected to the switch, and the same subnet is also connected to the switch. You can add another sub-interface with an IP in the range 10.0.0.0/8; that should be able to route between the 192.x.x.x and 10.x.x.x networks.

example :

interface GigabitEthernet0/0.2
description Security Desk
encapsulation dot1Q 2
ip address 10.0.0.X 255.0.0.0
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in

Or, as you mentioned, if the Call Manager can add a 192.168.x.x IP, that can also work from a routing point of view.


BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Interesting that you posted that, as there was a G0/0.2 interface, but with another public IP:

interface GigabitEthernet0/0.2
description Security Desk
encapsulation dot1Q 2
ip vrf forwarding ver-1001
ip address PUBLIC_IP.165 255.255.255.252
ip flow ingress
ip flow egress

It's a screwy setup and now I am stuck having to figure it out.


That means you are not showing us the full configuration.

Post show run and show ip interface brief (removing any passwords).

How is your router connected to the switch?


BB


Hello @Alkemyst1971,

BB is right: nat 0 means no NAT is happening on the old ASA between 192.168.0.0/24 and 10.0.0.0/8.

Adding a NIC in another subnet for the call manager is not possible.

Adding a subif can be a way to achieve this.

So in the new router you need to route between above prefixes.

Hope to help

Giuseppe
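The two replies above both come down to the same thing: the old ASA exempted 192.168.0.0/24 to 10.0.0.0/8 from translation (nat 0) and let it be routed, while the replacement router's route-map currently sends everything from the security desk through PAT on the public interface. Below is an added worked example of the IOS equivalent; it is not configuration from any reply in this thread. It assumes 10.0.0.0/8 is reachable from this router through a next hop written here as the placeholder NEXT_HOP_10NET (the thread does not say where the 10.x network sits) and that the IOS release accepts sequence numbers inside a numbered extended ACL.

```cisco
! Added example, not from the thread. Carries the ASA "nat (inside) 0
! access-list inside_nat0_outbound" exemption over to the router's route-map NAT
! so security-desk traffic bound for 10.0.0.0/8 is routed untranslated.
! Assumption: NEXT_HOP_10NET is a placeholder for the real gateway toward 10.0.0.0/8.
!
! 1. NAT exemption. A deny in the ACL that the route-map matches means "no match",
!    and with a single permit clause in SECURITY_DESK that means "do not translate".
!    The deny must sit ahead of the existing permit, hence sequence 5 before 10.
ip access-list extended 168
 5 deny   ip 192.168.0.0 0.0.0.255 10.0.0.0 0.255.255.255
 10 permit ip 192.168.0.0 0.0.0.255 any
exit
!
! The route-map already references ACL 168 and needs no change:
! route-map SECURITY_DESK permit 10
!  match ip address 168
!
! 2. Forward path: a route toward the Call Manager's network.
ip route 10.0.0.0 255.0.0.0 NEXT_HOP_10NET
!
! 3. Flows already translated keep their cached entry until cleared (exec mode):
! clear ip nat translation *
!
! 4. Checks (exec mode):
! show ip route 10.1.6.2                      -> the static route above is selected
! show ip nat translations | include 10.1.6.2 -> expect no entries
! ping 10.1.6.2 source 192.168.0.1            -> succeeds only once 10.x routes back
```

Two points worth keeping in mind when applying this. IOS only translates a packet that enters an ip nat inside interface and leaves an ip nat outside interface, so if the path toward 10.0.0.0/8 exits an interface that is not marked ip nat outside, no translation would happen even without the deny; the deny still documents the intent and protects you if that interface is later marked outside. The 10.x side also needs a return route for 192.168.0.0/24 pointing at this router, or replies from Call Manager are dropped on the way back. Separately, when lifting settings from the dead ASA, note that its posted configuration contains IPsec pre-shared keys and password hashes verbatim and allowed telnet and ssh from any outside address; none of that belongs on the router, and the keys are worth rotating on the surviving VPN peers.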

 

Alkemyst1971 (Level 1)

ASA config. Interface 0 went to switch port 23 and the phone/PC hung off interface 3.

: Written by enable_15 at 00:24:15.081 UTC Mon Aug 21 2006
!
ASA Version 7.2(4)
!
hostname ASA5505-CSWY
domain-name ugonet2003.local
enable password sOAITdH6fJokmxEg encrypted
passwd sOAITdH6fJokmxEg encrypted
no names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address PUBLIC_IP.166 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name ugonet2003.local
access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.128
access-list UCVPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list INBOUND extended permit ip any any
access-list outside_cryptomap_causeway extended permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.0.0.0
pager lines 24
logging console debugging
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNPOOL 192.168.50.0-192.168.50.100 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.8 smtp netmask 255.255.255.255
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 PUBLIC_IP.165 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 1 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-SHA
crypto map to_tab 20 match address outside_cryptomap_causeway
crypto map to_tab 20 set pfs group1
crypto map to_tab 20 set peer 64.140.99.106 PUBLIC_IP.194
crypto map to_tab 20 set transform-set ESP-DES-MD5
crypto map to_tab interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh SSH_IP 255.255.255.0 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access outside
dhcpd dns 192.168.1.8
dhcpd auto_config outside
dhcpd option 6 ip 192.168.1.1
dhcpd option 150 ip 10.1.5.2
!
dhcpd address 192.168.0.20-192.168.0.51 inside
dhcpd dns 8.8.8.8 interface inside
dhcpd lease 50000 interface inside
dhcpd domain tab interface inside
dhcpd enable inside
!

group-policy test internal
group-policy UCVPN internal
group-policy UCVPN attributes
dns-server value 198.6.1.2
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value UCVPN_splitTunnelAcl
default-domain value tab
username UGOVPN password Wjuez/mq/shCI7wA encrypted privilege 0
username UGOVPN attributes
vpn-group-policy UGOVPN
username admin password .e3aQgH7zrL9wUO/ encrypted
username tab password VkPaU1hpQuAIjRD0 encrypted privilege 15
username UCVPN password vjjwIqBCu8CIorsE encrypted privilege 0
username UCVPN attributes
vpn-group-policy UCVPN
tunnel-group TUNNEL_IP type ipsec-l2l
tunnel-group TUNNEL_IP ipsec-attributes
pre-shared-key tab
tunnel-group test type ipsec-ra
tunnel-group test general-attributes
address-pool VPNPOOL
default-group-policy test
tunnel-group UCVPN type ipsec-ra
tunnel-group UCVPN general-attributes
address-pool VPNPOOL
default-group-policy UCVPN
tunnel-group UCVPN ipsec-attributes
pre-shared-key tab
tunnel-group TUNNEL_IP2 type ipsec-l2l
tunnel-group TUNNEL_IP2 ipsec-attributes
pre-shared-key taubC)12s2!
tunnel-group PUBLIC_IP.194 type ipsec-l2l
tunnel-group PUBLIC_IP.194 ipsec-attributes
pre-shared-key taubC)12s2!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:67501064d5f92f5616062bfdf9defd37
: end

Switch:


causewaysq-flr1-c2960#
causewaysq-flr1-c2960#show run
Building configuration...

Current configuration : 7002 bytes
!
! Last configuration change at 06:55:02 EDT Fri Jun 7 2024 by ver
! NVRAM config last updated at 06:00:19 EDT Fri Jun 7 2024 by ver
!
version 15.2
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname csy-flr1-c2960
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$YX6k$IxCpSpzKesHYyTRfgCKvR0
!
username ver privilege 15 secret 5 $1$Fb1o$Gxy9DFcIUh93fi9u8o/it0
no aaa new-model
clock timezone EST -5 0
clock summer-time EDT recurring
switch 1 provision ws-c2960x-24ps-l
!
!
!
!
ip routing
!
!
ip domain-name csy
!
!
!
!
!
!
mls qos map policed-dscp 0 10 18 24 46 to 8
mls qos map cos-dscp 0 8 16 24 32 46 48 56
mls qos srr-queue output cos-map queue 1 threshold 3 4 5
mls qos srr-queue output cos-map queue 2 threshold 1 2
mls qos srr-queue output cos-map queue 2 threshold 2 3
mls qos srr-queue output cos-map queue 2 threshold 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 0
mls qos srr-queue output cos-map queue 4 threshold 3 1
mls qos srr-queue output dscp-map queue 1 threshold 3 32 33 40 41 42 43 44 45
mls qos srr-queue output dscp-map queue 1 threshold 3 46 47
mls qos srr-queue output dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 2 threshold 1 26 27 28 29 30 31 34 35
mls qos srr-queue output dscp-map queue 2 threshold 1 36 37 38 39
mls qos srr-queue output dscp-map queue 2 threshold 2 24
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue output dscp-map queue 4 threshold 1 8 9 11 13 15
mls qos srr-queue output dscp-map queue 4 threshold 2 10 12 14
mls qos queue-set output 1 threshold 1 100 100 50 200
mls qos queue-set output 1 threshold 2 125 125 100 400
mls qos queue-set output 1 threshold 3 100 100 100 400
mls qos queue-set output 1 threshold 4 60 150 50 200
mls qos queue-set output 1 buffers 15 25 40 20
mls qos
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
spanning-tree vlan 375 priority 24576
auto qos srnd4
!
!
!
!
!
!
class-map match-all AUTOQOS_VOIP_VIDEO_CLASS
match ip dscp af41
class-map match-all AUTOQOS_VOIP_DATA_CLASS
match ip dscp ef
class-map match-all AUTOQOS_DEFAULT_CLASS
match access-group name AUTOQOS-ACL-DEFAULT
class-map match-all AUTOQOS_VOIP_SIGNAL_CLASS
match ip dscp cs3
!
policy-map AUTOQOS-SRND4-CISCOPHONE-POLICY
class AUTOQOS_VOIP_DATA_CLASS
set dscp ef
police 128000 8000 exceed-action policed-dscp-transmit
class AUTOQOS_VOIP_VIDEO_CLASS
set dscp af41
police 10000000 8000 exceed-action policed-dscp-transmit
class AUTOQOS_VOIP_SIGNAL_CLASS
set dscp cs3
police 32000 8000 exceed-action policed-dscp-transmit
class AUTOQOS_DEFAULT_CLASS
set dscp default
police 10000000 8000 exceed-action policed-dscp-transmit
!
!
!
!
!
!
!
!
!
!
!
interface Port-channel1
switchport mode trunk
!
interface Port-channel2
switchport mode trunk
!
interface FastEthernet0
no ip address
no ip route-cache
shutdown
!
interface GigabitEthernet1/0/1
description COMCAST BB
switchport access vlan 444
switchport mode access
load-interval 30
!
interface GigabitEthernet1/0/2
description TO-2951-Gi0/2
switchport trunk allowed vlan 168,423-425,428-430,432-442
switchport mode trunk
load-interval 30
!
interface GigabitEthernet1/0/3
description Security Desk
switchport access vlan 168
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/4
description cradle
switchport access vlan 446
switchport mode access
!
interface GigabitEthernet1/0/5
description comcast-second-handoff
shutdown
!
interface GigabitEthernet1/0/6
description NOT IN USE
shutdown
!
interface GigabitEthernet1/0/7
description NOT IN USE
shutdown
!
interface GigabitEthernet1/0/8
description NOT IN USE
shutdown
!
interface GigabitEthernet1/0/9
description TEST INTERFACE
switchport access vlan 375
switchport mode access
load-interval 30
!
interface GigabitEthernet1/0/10
description NOT IN USE
shutdown
!
interface GigabitEthernet1/0/11
description NOT IN USE
shutdown
!
interface GigabitEthernet1/0/12
description NOT IN USE
shutdown
!
interface GigabitEthernet1/0/13
description NOT IN USE
shutdown
!
interface GigabitEthernet1/0/14
description NOT IN USE
shutdown
!
interface GigabitEthernet1/0/15
description NOT IN USE
shutdown
!
interface GigabitEthernet1/0/16
description NOT IN USE
shutdown
!
interface GigabitEthernet1/0/17
description NOT IN USE
shutdown
!
interface GigabitEthernet1/0/18
description Floor 1 UPS
switchport access vlan 375
switchport mode access
!
interface GigabitEthernet1/0/19
description feed to 3rd floor
shutdown
!
interface GigabitEthernet1/0/20
description feed to 4th floor
switchport mode trunk
shutdown
!
interface GigabitEthernet1/0/21
description Handoff-1stFlr
switchport access vlan 331
switchport mode access
load-interval 30
no cdp enable
!
interface GigabitEthernet1/0/22
description CROWN CASTLE NID
switchport trunk allowed vlan 168,423-425,428-430,432-442
switchport mode trunk
load-interval 30
no cdp enable
!
interface GigabitEthernet1/0/23
description tab asa handoff
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet1/0/24
description edge router handoff
switchport mode trunk
!
interface GigabitEthernet1/0/25
description UPLINK TO 4TH FLR
switchport mode trunk
channel-group 2 mode on
!
interface GigabitEthernet1/0/26
description UPLINK TO 3RD FLOOR
switchport mode trunk
channel-group 1 mode on
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
ip address 172.27.0.97 255.255.255.0
no ip route-cache
no ip mroute-cache
!
interface Vlan168
ip address 192.168.0.2 255.255.255.0
!
ip default-gateway 172.27.0.1
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 172.27.0.1
!
ip access-list extended AUTOQOS-ACL-DEFAULT
permit ip any any
kron occurrence BACKUP_OCCURENCE at 1:01 14 recurring
policy-list CONFIG_BACKUP
!
kron policy-list CONFIG_BACKUP
cli write memory
!
!
!
snmp-server community vpi RO
snmp-server community vernoc RO
snmp-server contact ver
snmp-server chassis-id causewaysq-flr1-c2960
snmp mib flash cache
!
line con 0
login local
line vty 0 4
logging synchronous
login local
length 0
transport input all
line vty 5
logging synchronous
login local
transport input all
line vty 6 15
logging synchronous
login local
transport input ssh
!
ntp server 192.5.41.40
ntp server 216.239.35.0
ntp server 198.6.1.2
!
end

I am more interested in your router config, where you replaced the ASA with a Cisco router (good that you provided the switch configuration).

Where does your 10.0.0.0/8 network reside?

BB


I will have to clean that router of public IP info since it's a BBS/COLO in itself.

Thanks for the help so far.