
Connecting routers. ASA and 2921

Roger Richards

Here is a link to the previous post to explain where we were.


I have an ASA 5510 and a 2921.

The ASA is used as VPN/firewall and internet.

The 2921 is used for inter-VLAN routing.

My primary scenario, take a look at the image.

My data network  is

My Voice network is

The problem; with this setup, I cannot get the network to browse the web. And I cannot get to access my VOICE mail server unless I use a 192 address.

The solution:


so remember the plan was to remove the 2921 interface and use on the inter with

1) shutdown the 2921 interface on the ASA and remove the address from the config.

2) remove the cable from the inside interface of the ASA that I think still connects to a switch.

3) take the cable that is in the 2921 interface on the ASA and connect it to the inside interface of the ASA.

Now the 2921 router physical connection runs from gi0/2 on the router to the inside interface of the ASA.

4) remove the address from the inside interface on the ASA and add the address that was previously on the 2921 ASA interface.

5) these routes on the ASA need changing  -

a) remove these -

no route 2921 1

no route 2921 1

b) add these

route inside 1

route inside 1

6) add this route to the 2921

ip route

That should do it. As I say, you will need downtime, but once done all internal VLANs should route via the 2921 and the ASA should only be used for internet. The ASA NAT statements reference the inside interface so it should just work.

And still no connection. If you follow the thread post on top you will get a better idea.

Basically I want to be able to get the network  and use the ASA for VPN and internet while using the 2921 for routing.


Jon Marshall


Can you just clarify something.

In your existing setup you have on the ASA -

1) a connection from the ASA inside interface to the switch

2) a direct connection from the ASA to the 2921

Regarding 2), is that literally a cable that goes direct between the two devices? If it is, are the interfaces showing up/up on both devices?

And when you tried to move to the new setup, did you use the same cable as in 2) or did you use the cable in 1) to make the new connection?

Thanks for starting a new thread.



1 and 2 is correct in the existing setup and regarding 2 yes.

In the new setup: The direct connection was moved to the inside interface on the (ASA) and IP changed to

The cable was removed from ASA to switch.

When changed, computers cannot browse the web.


Okay, I thought it might be an issue with the cable, i.e. straight-through vs crossover.

When you tried to browse the web, did you check that the interfaces on the 2921 and the ASA were both up?

As long as the routes were added, i.e. the default route on the 2921 to the ASA inside interface and routes on the ASA pointing back to the 2921, then it should have worked.

If it is not the cable then the only other things I can think of are -

1) the default gateway on the PCs is not set correctly but then the PC in different vlans would not be able to talk to each other.

In your diagram you say the gateway for the internet is now But that is only on the router ie. the default route. The PCs should have their default gateways set to the respective subinterface IP on the 2921 - is this how you did it ?

2) some misconfiguration on your ASA.

In addition you say you cannot get to the voice server unless you use a 192.168.x.x address. What subnet is the voice server on ?

Did you manage to save the configs when you did the upgrade or are you back to where you were before without the configs ?


I am back to the original config.

Yes, interfaces were both up on ASA and 2921.

Yes the is only on the ASA and the PCs are using their respective gateways.

Let me correct that with the Voice server. I can get to it, sorry for the confusion. All the inter-VLAN routing works once I change my gw address to . Just can't get to internet and the network on the other side of the VPN.


Assuming the default route was set on the 2921 it looks like there may be an issue with the ASA config then. Can you remember the exact changes you made on the ASA and can you post the current config of the ASA ?



The only changes I made to the ASA:

1.) Change the inside interface to

2.) Moved the cable to the inside interface of the ASA

Added the necessary routes in ASA. (basically all the sub-ifs from the 2921)

Can you post config of the ASA so I can check it again?


This config is what is currently working right now. Before the changes.


I still can't see anything wrong. You have a dynamic NAT statement for the inside interface which should still apply and your ACLs permit ip any any so that should not stop traffic.

I'm assuming you cleared the ARP tables on the 2921 and ASA when you did the change?

The only thing I can suggest is to try again but this time -

Before making the changes  -

1) do a "sh ip arp" on the 2921 and a "sh arp" on the ASA and save them.

make the changes and then

2) make a copy of all the configs as you are testing and then post them

3) do the arp commands in 1) and save them

4) post a "sh ip route" from the 2921 and a "sh route" from the ASA

5) do a traceroute to an internet site from a client and see where it gets to
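The before/after ARP comparison suggested in the reply above, as an added example that is not part of the original thread. It assumes the usual column layout of `show arp` on the ASA and `show ip arp` on IOS; the addresses and MACs are constructed samples, and `2921` is the ASA interface name used in the route commands earlier in the thread.

```python
import re

# IOS "show ip arp" row: Internet <ip> <age|-> <mac> ARPA <interface>
IOS_ROW = re.compile(r"^Internet\s+(\S+)\s+\S+\s+([0-9a-f.]{14})\s+ARPA\s+(\S+)", re.I)
# ASA "show arp" row: <nameif> <ip> <mac> <age>
ASA_ROW = re.compile(r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f.]{14})\s+\d+", re.I)

def parse_arp(text):
    """Return {ip: (mac, interface)} from either device's output."""
    table = {}
    for line in map(str.strip, text.splitlines()):
        m = IOS_ROW.match(line)
        if m:
            table[m.group(1)] = (m.group(2).lower(), m.group(3))
        elif (m := ASA_ROW.match(line)):
            table[m.group(2)] = (m.group(3).lower(), m.group(1))
    return table

def diff_arp(before, after):
    """Classify each IP by what happened to it between the two snapshots."""
    b, a = parse_arp(before), parse_arp(after)
    return {
        "gone": sorted(ip for ip in b if ip not in a),
        "new": sorted(ip for ip in a if ip not in b),
        # same IP, different MAC or different interface
        "moved": sorted(ip for ip in b if ip in a and b[ip] != a[ip]),
        # identical entry survived the change
        "kept": sorted(ip for ip in b if a.get(ip) == b[ip]),
    }

# Constructed samples (documentation addresses, made-up MACs).
ASA_BEFORE = """\
inside 192.0.2.10 0011.2233.4410 25
inside 192.0.2.53 0011.2233.4453 40
2921 198.51.100.2 0011.2233.44a2 12
"""
ASA_AFTER = """\
inside 198.51.100.2 0011.2233.44a2 3
inside 192.0.2.53 0011.2233.4453 55
"""
IOS_SAMPLE = """\
Protocol  Address      Age (min)  Hardware Addr   Type  Interface
Internet  192.0.2.1           -   0011.2233.4401  ARPA  GigabitEthernet0/2.10
"""

if __name__ == "__main__":
    for kind, ips in diff_arp(ASA_BEFORE, ASA_AFTER).items():
        print(f"{kind:6} {', '.join(ips) or '-'}")
```

In the constructed "after" snapshot the router has moved from the `2921` interface to `inside`, while one host entry is listed under `kept`; an entry that survives a re-cabling unchanged is the kind the ARP clear asked about in the reply would remove.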


Ok... gonna work on this today. Let's see what the outcome will be.

WORKED!!! I did the exact same things as before :/ ..

I just made sure I changed the gateway on the DNS servers too. That's the only thing I believe was different. I can access everything as normal, but faster.

Jon, thanks for all your help.


No problem, really glad you got it working and thanks for letting me know.


Got another issue. I made these changes on the other side of the VPN, same router scenario and setup. But now I can't manage either VPN device. I will start another thread.

My ASA is 2921 is

the other side of the VPN was - (used to manage it until after the change)

Now the other side is

other side 2921 -

I know it's simple but I just can't figure it out.


It's probably to do with routing.

Can you start a new thread with a network diagram?

