ASA5505 Asymmetrical Routing Issue? (I Think)

Jon Boyer
Level 1

Good Evening All,

I am looking for suggestions for a solution I've run into today. I'm trying to install a new router and firewall into an existing network. The router is an Edgewater VOIP router going to a cable connection with static IPs. The firewall is an ASA5505 (Security Plus). There is a third router in the mix (Cisco 1841) which has a PTP connection going to another site. I'll try to verbally explain the network architecture:

Unfortunately, the existing network was flattened on a /19, which I'm not allowed to change, so:

VLAN 1 = Data Network (they used a large /19)

VLAN 40 = Voice (For VOIP Phones)

Edgewater Port 4 > untag 1, tag 40 > ASA5505 Port 0

Edgewater WAN Port > Cable Modem

Edgewater DHCP Server for VLAN 40

ASA5505 Port 0 > untag 1, tag 40 > Edgewater Router

ASA5505 Port 1 > untag 1, tag 40 > Cisco 2950A FE0/4 (had to manually set native vlan 1 for the 2950 to work)

ASA5505 Port 2 > untag 1, tag 40 > Cisco SG300 Gig1

ASA5505 route voice 0.0.0.0 0.0.0.0 VLAN40_IP_OF_EDGEWATER

ASA5505 route data 0.0.0.0 0.0.0.0 VLAN1_IP_OF_EDGEWATER

ASA5505 DHCPD for VLAN 1 (Small Subnet, the rest is all set to static with a gateway of the Cisco 1841 (existing infrastructure))

Cisco 2950A FE4 > untag 1, tag 40 > ASA5505 Port 1

Cisco 2950A Gig1 > untag 1, tag 40 > Cisco 2950B

Cisco 2950A DG = IP of Cisco 1841

Cisco 2950B Gig1 > untag 1, tag 40 > Cisco 2950A Gig1 (MM Fiber uplinks)

Cisco 2950B FE11 > untag 1, tag 40 > Cisco 1841 FE0/0

Cisco 2950B DG = IP of Cisco 1841

Cisco 1841 FE0/0 0/0.1 dot1q native 0/0.40 dot1q 40 > Cisco 2950B FE11

Cisco 1841 ip route 0.0.0.0 0.0.0.0 Firewall VLAN 1 Interface IP (Changed to ip route VLAN1_NETWORK VLAN1_IP_TO_ASA5505 and ip route VLAN40_NETWORK VLAN40_IP_OF_EDGEWATER)

Cisco also has internal IP routes going through the private point to point connection to another site....

What I'm replacing out of their existing connection is a SonicWall firewall, and adding a few new POE switches for VOIP phones, a VOIP router, and an ASA5505. I can't get them to play nice no matter what I've tried. It seems I'm running into asymmetrical routing issues (the ASA is giving me "Deny TCP (no connection)" on VLAN 1, both static and DHCP-assigned). VLAN 40 DHCP handed out from the Edgewater works fine; I can browse out without any issue...

I'm not sure what the best approach is for this. They need to keep the 1841 for now until a STS VPN connection can be set up from the ASA5505 to their ASA5510 at the other site (months down the road per their budget). All their PCs are statically assigned and using the C1841 as their default gateway.

If you need outputs of any configs I've created so far or have any suggestions on how to fix my issue, I'd love to hear about them. I've tried everything short of re-structuring their whole network or removing my VOIP router, which is handling a lot of the PBX configuration for the VOIP phones.

Thanks!
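The "Deny TCP (no connection)" message quoted above is ASA syslog ID 106015: the firewall received a mid-stream TCP packet for a flow it holds no state for, which is exactly what happens when clients send outbound traffic via another gateway (here the 1841) while the replies come back through the ASA. The following is an added example, not code from the thread, that pulls those events out of ASA syslog and ranks the inside hosts whose return traffic keeps being dropped; the log lines, addresses and interface names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of ASA syslog lines (not taken from the thread).
# 106015 is logged when a TCP packet arrives and the ASA has no session
# for it, i.e. it never saw the SYN for that connection.
SAMPLE_LOG = """\
%ASA-6-106015: Deny TCP (no connection) from 203.0.113.10/443 to 10.10.5.21/51022 flags ACK on interface data
%ASA-6-106015: Deny TCP (no connection) from 203.0.113.10/443 to 10.10.5.21/51022 flags PSH ACK on interface data
%ASA-6-106015: Deny TCP (no connection) from 198.51.100.7/80 to 10.10.7.40/49211 flags ACK on interface data
%ASA-6-302013: Built outbound TCP connection 1234 for voice:10.10.40.15/5060 (10.10.40.15/5060) to outside:203.0.113.5/5060 (203.0.113.5/5060)
%ASA-6-106015: Deny TCP (no connection) from 203.0.113.10/443 to 10.10.5.21/51023 flags RST on interface data
"""

# Matches the documented 106015 format:
# "Deny TCP (no connection) from A/p to B/q flags F on interface X"
DENY_RE = re.compile(
    r"%ASA-\d-106015: Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) on interface (?P<ifc>\S+)"
)


def parse_no_connection(log_text):
    """Return one dict per 106015 event; other syslog IDs are ignored."""
    events = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            event = m.groupdict()
            event["flags"] = event["flags"].split()
            events.append(event)
    return events


def asymmetric_candidates(events, min_hits=2):
    """
    Count mid-stream denies (ACK set, SYN clear) per (interface, inside host).
    A host that repeatedly receives server replies the ASA has no session for
    almost certainly sent its outbound traffic around the firewall, which is
    the asymmetric-routing signature; RST-only denies are left out as noise.
    """
    hits = Counter()
    for e in events:
        if "ACK" in e["flags"] and "SYN" not in e["flags"]:
            hits[(e["ifc"], e["dst"])] += 1
    return {key: n for key, n in hits.items() if n >= min_hits}
```

Feed it the output of `show logging` or a syslog export; hosts listed against the "data" interface are the ones whose default gateway is not the ASA.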

Accepted Solution

Jon Marshall
Hall of Fame

Jon

Apologies, but that is a very confusing description of how it is set up. A diagram would probably have helped.

If the new VoIP router is the DHCP server for vlan 40, where are the clients in relation to that?

You have two routes on the ASA pointing to the VoIP router; what is the reasoning behind that?

Why are you trunking from the ASA to the VoIP router?

Can the VoIP router hand out DHCP addresses for a network it is not directly connected to, or is that why you have extended vlan 40 all the way out to the VoIP router?

Does the VoIP router have to hand out the vlan 40 IPs?

I guess it may be to do with my lack of understanding as to exactly what a VoIP router does (as opposed to a normal router).

So perhaps you could clarify?

Jon



I fixed my issue. Sorry for the confusion and delay. Here's what I did:

I removed the client's 1841s from both sites. I set the IP of the 1841 at the site I was working on as the VLAN 1 IP for the ASA. I created a transit VLAN between the ASA and Edgemarc VOIP router (made it simple, called it VLAN 2 with a /30 PTP internal IP). I set the port between the ASA and VOIP router to access (not trunk) on VLAN 2. I then trunked the ports from the ASA5505 to the C2950 and manually typed (switchport trunk native vlan 1) on the ASA port going to the 2950, as it seems newer devices tag native traffic and the 2950s do not have the ability to do so, which causes inoperability. I then plugged a separate port from the Edgemarc router into the same 2950, tagging VLAN 40 only (access port allowing 40 traffic). I did not allow 40 to hit the ASA, as this is pure voice traffic and the ALGs and QoS settings for 40 are pre-built in the Edgemarc. For the removed PTP link to the sister site, I created a site-to-site VPN in the ASA5505 to the sister site's ASA5510. In the Edgemarc, I set the same VLAN on its side in correspondence with the IP scheme I set up between the two devices. I then set static routes from the Edgemarc to the ASA for all the subnets it currently carries for the data network.

The site is fully operational and working as planned. VLAN 40 (VOIP) traffic is not being inspected by the ASA. It goes straight to the VOIP router, for several reasons and because of limitations in how the Edgemarc works.

Thanks!

Jon
