Martin,

Thank you for the response - After reading through the manual you referenced, it seems that the longer I'm in this business the less I actually know.

It's hard to believe that I have been a one person IT department for almost 20 years and don't really seem to know anything.  Our networks are both very small with minimal hierarchy at all.

The two companies share a single "server room" so all of the wiring is located in the same place.

Network 1 (the 10.10 network has it's internet connection coming in via cable to a Cisco ASA 5512x

10.10.10.1 - which is the gateway of the entire 10.10 network.  Most of the 10.10 systems have static ip addresses as do the 4 10.10 Novell Suse Linux OES servers.  Novell clients on the workstations handle the pure ip networking to connect everything, and the traffic flows through a few later 3 switches that currently have everything in a single vlan.

A remote office connects to the 5512x via a point to point vpn from an ASA 5505 in PA (a 10.10.30.xx network)

Network 2 (the Windows 2003 domain with the 192.168.x.x addresses) gets it's internet through an AT&T T-1 line connected to an ASA 5505 which acts as the gateway for the 192.168 network that has about a dozen hard coded ip workstations.  We would just change the IP addresses of these dozen systems, but the windows domain is the more dynamic of the networks.  He has more remote users and a second location that connects to his 5505 through an mpls line.  All of his users need to connect to the domain controller for network mapping and policy,  as opposed to the Novell file services that seem (to me) to be much easier to manage.  He has several virtual servers and runs multiple web sites under his domain.  I kinda figured that forcing him to change his whole ip scheme would be more difficult than just connecting the two separate networks to allow file sharing.  Our intent is to eventually move all of his Windows server data over to the Sles/OES servers on the 10.10 network, and have his people use our internet gateway.

It would be easy enough to have his internal people just add a second network card bound to the 10.10 network and install the Novell client on their systems, but that would still leave his remote users out in left field.  My 10.10 users also would like to share his 192.168 ip printers, if possible.

If we need to re design the whole network to make this work, we will, but the boss is in a "we need this done yesterday" mindset

Thanks

Dennis

Martin,

Thank you, I think I've got it now.  Will be setting it up over the weekend.

I'll let you know if anything goes "south"

Dennis

South is where it seems to be going - turns out that the "other guy's network" doesn't have an ASA 5505, it has a Cisco RUS4000 and the 5505 is just sitting there with nothing connected to it. - Any way I can use the "free" 5505 to connect two internal networks that wouldn't need to "see" the internet through the 5505?  i.e.  put 10.10 network on the "outside" and 192.168 on the "inside"?  or would that open a bigger can of worms?

Or - looking at your diagram - I have 5 unused layer 3 switches, if I were to use two of them as your switch 1 and switch 2 what would I be able to leave the two networks "inside" addresses at their .1 and set the vlan ip addresses at say dot 2 to just provide crossover connectivity?  or have I just screwed up more than I'm trying to fix?

Dennis

Sorry to hear that. You can either use the free ASA for Inter-VLAN routing but there are definitely some gotchas you need to be aware of. Have a look at this post: http://blog.braini.ac/?p=38

Another option would be to do the Inter-VLAN routing on the RVS4000. This is probably the easiest option.

Finally you could enable those L3 switches (Switch 1 and 2 from the diagram) for IP routing and perform Inter-VLAN routing directly on them, using SVI. Here's a short tutorial how to do it: http://www.cisco.com/c/en/us/support/docs/lan-switching/inter-vlan-routing/41860-howto-L3-intervlanrouting.html

In any case the simplest would be to route between the VLANs on the devices that are currently your default gateways in both networks.That would spare you from the pain of having to change the default gateway IP on all the clients or having to add static routes and complicating things further.

Best regards,
Martin

Martin,

Thank You - Am going to try and tackle this over the weekend.  I'll try to let you know the final outcome.

Dennis

Ok, after taking the weekend to clear my head and re think it all, here is what I hope will work.  below is a rough drawing of my setup

          Outside                                                                  Outside
                 |                                                                              |
         ASA 5512x _                                                      _ RUS4000
                              |                                                    |
                    10.10.10.1                                      192.168.3.1
            _________|                                                    |__________
          Layer 2 switch                                                  Layer 2 switch______
           |                    |                                                    |                             |
           |           10.10.10.252                                 192.168.3.252               |
           |               (vlan1)                                             (vlan2)                     |
           |                     |                                                     |                           |
           |       Both vlan 1 and 2 connected in L3 switch with intervlan        |
           |                                       Traffic allowed                                         |
           |                                                                                                       |
           |                                                                                                       |
           |                                                                                                       |
     10.10.10.0/24 network                                                 192,168.3.0/24 network
      system using 10.10.10.1                                       systems using 192.168.3.1
      as gateway                                                                         as gateway

Question 1: - Do I put route statements in both asa and rus stating
"for 192.168.3.0/24 use 10.10.10.252" in the asa and
"for 10.10.10.0/24 use 192.168.3.252" in the rus
or do I actually need to have interfaces for the other network defined on those gateways?

Question 2: - Should I change the workstations to use the .252 addresses as their gateways?

Or am I still too confused, and need to start over again? (Or find someone local who can do this cisco configurations in their sleep)

Thanks for hanging with me

Dennis

Hello Dennis

Question 1 - yes, the static route on the ASA would direct traffic destined to 192.168.3.0/24 from the ASA to the L3 switch and that one (I assume) will have the 192.168.3.0/24 directly connected on interface vlan2. And in the opposite direction traffic destined to 10.10.10.0/24 would be received on the RVS and forwarded to the L3 switch which then has 10.10.10.0/24 directly connected on interface vlan1. It should work.

Question 2 - I wouldn't change the default gateway on the hosts to avoid issues when routing towards the Internet. I would just enable their current default gateway (ASA/RVS) to reach the network on the other side of the interconnection (via the static route you proposed over the L3 switch and both 192.168.3.0/24 and 10.10.10.0/24 are directly connected on the L3 switch).

Best regards,
Martin

Thank You,  I think I have it, now I just need to wait until the network traffic is slow enough to implement.

In looking at this tho, I do have one final question.

Would it be possible to eliminate the L3 switch entirely by configuring eth0/3 on the 5512x (where 10.1 is the inside interface) for ip 192.168.3.252 and hard wire that to interface eth0/3 on the cisco RVS4000 (with eth0/1 at 192.168.3.1) and configure the RVS eth0/3 at 10.10.10.252 ?

If that would work, then everything could be done with the two gateways and a single network cable - or are there other things that would be needed?

Or would I just connect each eth0/2 port to it's networks switch (the 10.10 to the 10.10.10.0/24 switch and the 192.168.3 to the 192.168.3.0/24 switch) instead of directly to the 0/2 ports?

The more I look at it, the more confused I get - I apologize for all the hassle

Dennis

Hello Dennis

You could also do it like you propose but then you'd have to have a trunk between the two networks (L2 line terminating on the L3 switch) which would carry two VLANs. Because in fact you would be extending the VLANs to remote sites, which I wouldn't recommend. Ideally we should keep a VLAN local to the network and have IP routing between distant networks/VLANs. It should work though as long as you don't run into any issues on the ASA (due security policy and traffic flow between inside and outside interfaces).

Yet another option would be to create a transit VLAN, like the VLAN 200 I proposed originally which would terminate on the ASA on one side and the RVS on the other side. Then it's just a matter of configuring static routes to reach the other side over the transit VLAN.

To keep things simple I would recommend you go with the option you proposed previously with the diagram, in my opinion there's little risk and it should work fine.

Best regards,
Martin

Hello Dennis

Good job, I think this state is normal for such a project. I'd expect some things not to work immediately and it would be suspicious if everything worked from the start :)

It seems the connectivity is there (you said you could ping the web server 10.10.10.9, but not connect via HTTP). So from a routing point of view I think you are OK - no issues on the L3 switch or the static routes. It's possible that the issue is on the ASA that is dropping TCP sessions because the 3-way handshake packets don't arrive on the expected interfaces. In the log message you actually see that it's the reply from the web server 10.10.10.9 (SYN+ACK) that is being dropped. I think you need to configure a TCP state bypass on the ASA: http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_tcpstatebypass.html Have a look also at this article: http://www.matthewjwhite.co.uk/2012/02/13/asymmetric-routing-with-cisco-asa-firewalls/

At the same time you said that you could reach 10.10.10.18 via HTTP so it's a little confusing why this is allowed but not 10.10.10.9. It's probably a good idea to compare the configuration of the two servers, maybe you notice some discrepancies.

Do you have any NAT configured on the ASA?

For the few PCs that you cannot ping from the other network, I recommend that you investigate their IP configuration - if they have the correct default gateway and can reach the other network back (also check if the network masks are correct).

Best regards,
Martin

Will check the server configurations today and will be trying to get this finished up over this weekend (boss wants a good report on Monday)

The 10.10.10.18 server does have some nat rules while the 10.10.10.9 does not

My next task was going to be to clean up the ASA config because we will be getting rid of some of the older servers and need to do nat for some of the newer ones, but if you would like to look at my config and see if there is anything that glares out at you, it would be appreciated. - Config attached

I'm thinking that I need to re define all of my "service" ip addresses as network objects and rework some of the rules anyway

I'm also wondering if I'm still missing something in the ASA to define the vlan

Thanks

Dennis