07-21-2009 02:04 AM - edited 03-06-2019 06:52 AM
I have a Cisco 3560 switch and I configured VLANs on it.
My switch is attached to a Cisco ASA 5510.
On the ASA there are 3 interfaces: DMZ, Inside and Outside.
I configured a default route on the switch towards the Cisco ASA.
The Internet is attached to a Cisco router which is connected right next to the ASA.
I want to use another Internet connection on the Cisco switch.
To do so, I attached my DSL Internet to a free port and added another default route towards the DSL modem.
this route is towards ASA
ip route 0.0.0.0 0.0.0.0 192.168.20.2
this route is towards DSL Modem
ip route 0.0.0.0 0.0.0.0 192.168.95.1
As soon as I add the second default route, I get disconnected from my internal network and get a very poor response from the DSL modem.
Please advise
07-21-2009 02:09 AM
Hello Junaid,
you should add specific static routes for your internal network pointing to ASA or other next-hop towards internal network
like
ip route 10.0.0.0 255.0.0.0 192.168.20.2
Hope to help
Giuseppe
07-21-2009 02:29 AM
Giuseppe thanks for your urgent reply,
I tried to add static routes for my internal network and a default route for the Internet, but it shows me an error message (inconsistent address and mask).
My Switch port attached with ASA 192.168.20.2
ASA port attached with switch 192.168.20.1
DMZ interface on ASA 192.168.1.18
servers are on DMZ
servers ip address range (192.168.1.4-15)
Outside interface on ASA connected with cisco 2811 router 192.168.74.2
Cisco 2811 router connected with ASA 192.168.74.1
Vlans are configured on switch 2-10
vlan 2 ip address 192.168.2.1
vlan 3 ip address 192.168.3.1
and so on
when I add a static route on switch
ip route 192.168.1.18 255.255.255.0 192.168.20.1
it shows me an error message (inconsistent address and mask)
Please advise
Regards,
Junaid
07-21-2009 05:43 AM
The mask is inconsistent- are you trying to add a route for a single host, or the subnet?
try ip route 192.168.1.0 255.255.255.0 192.168.20.1
The switch was confused because in your route statement you've mentioned two different things: you point the route at a particular host (192.168.1.18) with a subnet mask indicating a /24 (255.255.255.0).
You want to either point everything starting with 192.168.1.x towards this route (use a 255.255.255.0 mask) or just the single address 192.168.1.18 (255.255.255.255) towards this next hop.
I'd revisit your dual-attached internet strategy and describe what it is you're trying to accomplish. You're going to load balance connections through the ASA and the DSL connection to the internet, and the ASA isn't going to be happy about it.
Some traffic will start by establishing a connection to the DSL router, and get a NATed address- then the next packet in this conversation might go out the ASA. Two things are going to happen:
The ASA is going to think, "I don't have this connection in my table. Drop the packet."
Even if the ASA did let the packet out, your 2811 would then NAT the packet and send it out to the destination, but now the receiving web page isn't going to realize that this packet (with a different NAT address) is in any way related to your other session, and stuff is going to break and get really miserable.
If you have a valid need for the DSL router, you need to figure out what it is, and set up some sort of policy route for it.
If the goal is a 'backup connection', then I'd move it outside the ASA, and set up policy routing on the ASA to pick one, then the other.
If the goal is something else... you've got your work cut out for you. :)
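An added example, not part of the original thread: a Python check over the `ip route` statements quoted above that flags the two problems discussed, a prefix with host bits set under its mask (the "inconsistent address and mask" error) and a destination that has more than one next hop, which lets flows split between the stateful ASA path and the DSL path. The function names and the sample block are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: the static routes quoted in the thread.
SAMPLE_CONFIG = """\
ip route 0.0.0.0 0.0.0.0 192.168.20.2
ip route 0.0.0.0 0.0.0.0 192.168.95.1
ip route 192.168.1.18 255.255.255.0 192.168.20.1
ip route 10.0.0.0 255.0.0.0 192.168.20.2
"""

def parse_routes(config):
    """Yield (prefix, mask, next_hop) from 'ip route <prefix> <mask> <next-hop>' lines."""
    for line in config.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[:2] == ["ip", "route"]:
            yield parts[2], parts[3], parts[4]

def check_mask(prefix, mask):
    """Return None if prefix and mask agree, else the two valid alternatives."""
    try:
        ipaddress.ip_network(f"{prefix}/{mask}", strict=True)
        return None
    except ValueError:  # host bits are set beyond the mask
        subnet = ipaddress.ip_network(f"{prefix}/{mask}", strict=False)
        return (f"{subnet.network_address} {subnet.netmask}",  # route the subnet
                f"{prefix} 255.255.255.255")                   # or the single host

def audit(config):
    """Return (mask_errors, multi_hop) for a block of static routes."""
    mask_errors, hops = {}, defaultdict(set)
    for prefix, mask, next_hop in parse_routes(config):
        fix = check_mask(prefix, mask)
        if fix:
            mask_errors[f"{prefix} {mask}"] = fix
        else:
            hops[f"{prefix} {mask}"].add(next_hop)
    # Same destination via several next hops: packets of one flow may take
    # different paths, so a stateful firewall sees mid-stream packets only.
    multi_hop = {dest: sorted(h) for dest, h in hops.items() if len(h) > 1}
    return mask_errors, multi_hop

if __name__ == "__main__":
    errors, multi = audit(SAMPLE_CONFIG)
    for route, (subnet, host) in errors.items():
        print(f"inconsistent address and mask: {route} -> '{subnet}' or '{host}'")
    for dest, next_hops in multi.items():
        print(f"{dest} has several next hops {next_hops}: flows may split")
```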