11-19-2013 09:15 AM - edited 03-07-2019 04:40 PM
OK. Good day, I have an ASA 5510 and a 2921.
My ASA is used for VPN and internet.
My 2921 is used to connect different subnets.
I have also attached a diagram.
I have a directly connected interface on the 2921 (10.10.10.1) to the ASA (10.10.10.2).
Also on the 2921 I have subnets 192.168.2.0 and 10.20.30.0.
I have a trunk link on my 2950 switch from the 2921. The ASA is also connected to the switch.
On the ASA:
Int0/0 66.xxx.xxx.xxx - internet
Int0/1 10.20.60.2 - gateway for computers
Int0/2 10.10.10.2 - connected to 2921
On the 2921:
gig0/1 10.10.10.1 - connected to ASA
gig0/1.20 sub-if 192.168.2.1
gig0/1.30 sub-if 10.20.30.1
I have added some static routes to get from 10.20.60.0 to 192.168.2.0.
I cannot ping 10.10.10.2 from my PC.
I cannot ping 10.20.60.2 from my 2921.
I would appreciate any ideas for configuration help... and redesign...
What cannot happen is for us to use the 2921 for VPN and internet.
Thanks, see image.
11-19-2013 09:36 AM
Hi Roger,
The config from a routing perspective looks good. Now, since in both cases you are trying to ping the IP configured on the ASA firewall, I wonder if there is a stealth rule that's dropping that traffic. (I am not an expert with ASA though; I would check that first.)
Also, if you have set the rule to allow ICMP between these subnets, can you try:
1> Pinging from your PC to 10.10.10.1
2> Pinging your PC from the 2921
Another suggestion: since this problem is related to the ASA, you could post this in the Security section to get the security experts to help you.
HTH
Regards
Umesh
11-19-2013 11:48 AM
Roger
I cannot ping 10.10.10.2 from my PC
I cannot ping 10.20.60.2 from my 2921
You won't be able to, because on the ASA this is a restriction by design, i.e. you cannot ping another interface across the ASA. You can obviously ping through the ASA, i.e. in one interface and out another (as long as your rulebase allows it), but if the destination IP of the packet is another ASA interface this will be blocked.
So what you are seeing is correct behaviour. Do you have a connectivity problem, or was it just a query you had?
Jon
11-20-2013 09:23 AM
Not connectivity issues, but problems with provisioning some Avaya phones using DHCP on a W2K8 server. I just basically needed to do inter-VLAN routing with the 2921, but we still need the ASA connected as the default gateway. Sooooooooo....... I need lots of help. Maybe on a different forum. But that's how this all started.
11-20-2013 10:00 AM
Roger
Maybe on a different forum
If it's a problem with the phones then maybe the VoIP forums, but if it is the network layout then this is the right forum.
If it is network layout etc., can you perhaps specify exactly what you want to be able to do, and then we may be able to help you.
Jon
11-27-2013 12:50 PM
I got everything working. That "untagpvidonly" is an Avaya command.
My real issue is that I can ping anything on the 192.168.2.0 subnet, but I can't actually log in to any devices. If I can resolve that, it'll be great. Take another look at the attached diagram and tell me what I can do. If I give my PC a gateway address of 10.20.60.1 I can log in to my phone call server; if I give my PC 10.20.60.2, it just hangs there.
11-27-2013 01:01 PM
Roger
What is 10.20.60.1?
Jon
11-27-2013 01:11 PM
Sorry, I forgot to include 10.20.60.1. It's a sub-interface on the 2921, and its dot1q is 10, VLAN 10. I couldn't see how else I could have routed to the 192.168.2.0 network, and both subnets have an ip helper pointing to a DHCP server.
11-27-2013 01:19 PM
Roger
I think the way you have it now is the way to do it, i.e. use the 2921 to route the internal VLANs and only use the ASA when you need to go to the internet or use the VPN. If you wanted to use the ASA to route the VLANs then you would need additional configuration on it, and I can't see the advantage of doing that unless you have security issues?
Does this make sense?
Jon
11-29-2013 10:40 AM
Perfect sense... Thanks again, Jon.
12-03-2013 09:54 AM
Hey Jon,
I've got another issue. How can I use the 2921 for the internet? My ASA has 10.20.60.2 as the gateway for my computers, and my 2921 also has the 10.20.60.1 interface.
I appreciate any information given.
12-03-2013 10:33 AM
Roger
This could get a bit complicated but not necessarily.
Your ASA has two internal connections, one to the switch and one to the 2921. But it only really needs the one connection to the 2921. So all VLANs internally are routed off the 2921, and you only go to the firewall for VPN and internet.
However, that would mean changes to the 2921 and, more importantly, the ASA. The current ASA inside interface is on the 10.20.60.x network, whereas it would move to the 10.10.10.0/31. This would mean a route change on the 2921, but potentially a fair bit more config on the ASA.
Before you did any of that though, on the ASA you have this route:
172.20.2.0 255.255.255.0 172.20.16.11 inside
What is the 172.20.2.x network, and what device is 172.20.16.11?
Jon
12-03-2013 10:38 AM
That's a network on the other side of the VPN. I couldn't get to it from the 2921.
12-03-2013 10:50 AM
Roger
If it is a network on the other side of the VPN, then why does the ASA have a route pointing back into your network, i.e. the route is reachable via the inside interface of the ASA, not the outside?
Not trying to be difficult, but if I am to suggest changes I need to make sure I don't stop things working.
Jon
12-03-2013 10:55 AM
Sorry Jon, my apologeeez... that was an experimental route... it does not serve a purpose. I do and will appreciate it if I can get this task done. It would solve my problems (well, at least the ones here).
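The redesign Jon describes above (the 2921 routes every internal VLAN, the ASA keeps only the transit link to the 2921 and is used just for internet and VPN), written out as configuration. This is an added example and not configuration posted in the thread: the interface names and the 10.10.10.x, 10.20.60.x, 192.168.2.x, 10.20.30.x and 172.20.2.x addresses come from the posts, while the DHCP server address 10.20.60.50, the /30 mask on the transit link (an ASA 5510 cannot run a /31 interface; that support arrived in ASA 9.7) and ASA 8.4+ NAT syntax are assumptions.

```cisco
! ===== 2921: routes the internal VLANs, default route to the ASA =====
interface GigabitEthernet0/1
 description Transit link to ASA inside (Eth0/2)
 ip address 10.10.10.1 255.255.255.252
 no shutdown
!
interface GigabitEthernet0/1.10
 description VLAN 10 - user PCs; this becomes their only gateway
 encapsulation dot1Q 10
 ip address 10.20.60.1 255.255.255.0
 ! assumed address of the W2K8 DHCP server
 ip helper-address 10.20.60.50
!
interface GigabitEthernet0/1.20
 description VLAN 20 - Avaya phones and call server
 encapsulation dot1Q 20
 ip address 192.168.2.1 255.255.255.0
 ip helper-address 10.20.60.50
!
interface GigabitEthernet0/1.30
 description VLAN 30
 encapsulation dot1Q 30
 ip address 10.20.30.1 255.255.255.0
 ip helper-address 10.20.60.50
!
! Anything that is not a local VLAN (internet, the VPN) goes to the ASA.
! The old static routes toward 10.20.60.2 are no longer needed.
ip route 0.0.0.0 0.0.0.0 10.10.10.2

! ===== ASA 5510: inside moves from 10.20.60.2 to the transit link =====
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 10.10.10.2 255.255.255.252
 no shutdown
!
interface Ethernet0/1
 description Old inside 10.20.60.2 - shut once hosts use 10.20.60.1
 shutdown
!
! The internal networks now sit behind the 2921, reachable via 10.10.10.1.
! The existing default route toward the ISP on "outside" stays as it is.
route inside 10.20.60.0 255.255.255.0 10.10.10.1
route inside 192.168.2.0 255.255.255.0 10.10.10.1
route inside 10.20.30.0 255.255.255.0 10.10.10.1
!
object-group network INSIDE_NETS
 network-object 10.20.60.0 255.255.255.0
 network-object 192.168.2.0 255.255.255.0
 network-object 10.20.30.0 255.255.255.0
object network REMOTE_VPN_NET
 subnet 172.20.2.0 255.255.255.0
!
! NAT exemption for the site-to-site VPN: manual NAT is evaluated first,
! so traffic to 172.20.2.0/24 keeps its real source address. The crypto
! ACL of the existing tunnel must also list all three internal networks.
nat (inside,outside) source static INSIDE_NETS INSIDE_NETS destination static REMOTE_VPN_NET REMOTE_VPN_NET no-proxy-arp route-lookup
!
! Dynamic PAT to the outside address for internet access (8.4+ object NAT).
object network NET_10_20_60
 subnet 10.20.60.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network NET_192_168_2
 subnet 192.168.2.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network NET_10_20_30
 subnet 10.20.30.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Let internal hosts ping the inside interface (same-interface pings are
! answered; pings to the outside interface from inside still are not).
icmp permit 10.20.60.0 255.255.255.0 inside
icmp permit 192.168.2.0 255.255.255.0 inside
icmp permit 10.20.30.0 255.255.255.0 inside
!
! Inspect ICMP so echo replies from the internet are allowed back in.
policy-map global_policy
 class inspection_default
  inspect icmp
```

After cutover, the DHCP scopes on the W2K8 server must hand out 10.20.60.1 (and the matching 2921 sub-interface address on the other VLANs) as the router option, otherwise PCs keep sending traffic to the now-shut 10.20.60.2. From a PC, `ping 10.10.10.2` now works because the packet arrives on the inside interface itself, and `packet-tracer input inside icmp 10.20.60.10 8 0 8.8.8.8` on the ASA shows the route, NAT and policy stages for an internet-bound packet. Note that VLAN-to-VLAN traffic no longer crosses the ASA at all; if phones and PCs need to be kept apart, that filtering has to be done with ACLs on the 2921 sub-interfaces, which is the trade-off Jon points to with "unless you have security issues".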