cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3139
Views
0
Helpful
18
Replies

Connecting routers. ASA and 2921

Roger Richards
Level 1
Level 1

Here is a link to the previous post to explain where we were. https://supportforums.cisco.com/message/4133793#4133793

OK..

I have an ASA 5510 and a 2921.

The ASA is used and vpn/firewall and and internet,

The 2921 is used for inter-vlan routing..

My  primary scenario, take a look at the image . https://supportforums.cisco.com/servlet/JiveServlet/download/4096848-15371310/router_net.gif

My data network  is 10.20.60.0

My Voice network is 192.168.2.0

The problem; with this setup, I cannot get the 192.168.2.0 network to browse the web. And I cannot get to access my VOICE mail server unless I use a 192 address.

The solution:

Roger

so remember the plan was to remove the 2921 interface and use 10.10.10.2 on the inter with 10.20.60.2...

1) shutdown the 2921 interface on the ASA and remove the address from the config.

2) remove the cable from the inside interface of the ASA that i think still connects to a switch.

3) take the cable that is in the 2921 interface on the ASA and connect it to the inside interface of the ASA.

Now the 2921 router physical connection runs from gi0/2 on the router to the inside interface of the ASA.

4) remove the 10.20.60.2 address from the inside interface on the ASA and add the 10.10.10.2 address that was previously on the 2921 ASA interface.

5) these routes on the ASA need changing  -

a) remove these -

no route 2921 10.20.30.0 255.255.254.0 10.10.10.1 1

no route 2921 192.168.2.0 255.255.255.0 10.10.10.1 1

b) add these

route inside 10.20.30.0 255.255.254.0 10.10.10.1 1

route inside 192.168.2.0 255.255.255.0 10.10.10.1 1

6) add this route to the 2921

ip route 0.0.0.0 0.0.0.0 10.10.10.2

That should do it. As i say you will need downtime but once done all internal vlans should route via the 2921 and the ASA should only be used for internet. The ASA NAT statements reference the inside interface so it should just work.

And Still no connection.. If you follow the thread post on top you will get a better Idea..

Basically I want to be able to get the 10.20.60.0 network  and use the asa for vpn and internet while use the 2921 for routing.

1 Accepted Solution

Accepted Solutions

Roger

No problem, really glad you got it working and thanks for letting me know.

Jon

View solution in original post

18 Replies 18

Jon Marshall
Hall of Fame
Hall of Fame

Roger

Can you just clarify something.

In your existing setup you have on the ASA -

1) a connection from the ASA inside interface to the switch

2) a direct connection from the ASA to the 2921

regarding 2) is that literally a cable that goes direct between the two devices. If it is are the interfaces showing up/up on both devices ?

And when you tried to move to the new setup did you use the same cable as in 2) or did you use the cable in 1) to make the new connection ?

Thanks for starting a new thread.

Jon

Jon,

1 and 2 is correct in the existing setup and regarding 2 yes.

In the new setup: The direct connection the was moved to the inside interface on the (ASA) and IP changed to 10.10.10.2.

The cable was removed from ASA to switch.

When changed, computers cannot browse the web.

Roger

Okay, i though it might be an issue with the cable ie. straight thru vs cross over.

When you tried to browse the web did you check that the interfaces on the 2921 and the ASA were both up ?

As long as the routes were adding ie, the default route on the 2921 to the ASA inside interface and routes on the ASA pointing back to the 2921 then it should have worked.

If it is not the cable then the only other things i can think of are -

1) the default gateway on the PCs is not set correctly but then the PC in different vlans would not be able to talk to each other.

In your diagram you say the gateway for the internet is now 10.10.10.2. But that is only on the router ie. the default route. The PCs should have their default gateways set to the respective subinterface IP on the 2921 - is this how you did it ?

2) some misconfiguration on your ASA.

In addition you say you cannot get to the voice server unless you use a 192.168.x.x address. What subnet is the voice server on ?

Did you manage to save the configs when you did the upgrade or are you back to where you were before without the configs ?

Jon

I am back to the orginal config.

Yes interfaces were both up on ASA and 2921...

Yes the 10.10.10.2 is only on the ASA and the PC are using there respectinve gateways.

Let me correct that with the Voice server.  I can get to it sorry for the confusion. All the inter vlan routing works once I change my gw address to 10.20.60.1 . Just cant get to internet and the network on the other side of the VPN.

Roger

Assuming the default route was set on the 2921 it looks like there may be an issue with the ASA config then. Can you remember the exact changes you made on the ASA and can you post the current config of the ASA ?

Jon

Ok

The only changes i made to the ASA..

1.) Change the inside interface to 10.10.10.2

2.) Moved the cable to the inside interface of the ASA

Added the necessary routes in ASA. (basically all the sub-ifs from the 2921)

Can you post config of the ASA so i can check it again ?

Jon

This config is what is currently working right now. Before the changes.

Roger

I still can't see anything wrong. You have a dynamic NAT statement for the inside interface which should still apply and your acls permit ip any any so that should not stop traffic.

I'm assuming you cleared the arp tables on the 2921 and ASA when you did the change ?

The only thing i can suggest is to try again but this time -

Before making the changes  -

1) do a "sh ip arp" on the 2921 and a "sh arp" on the ASA and save them.

make the changes and then

2) make a copy of all the configs as you are testing and then post them

3) do the arp commands in 1) and save them

4) post a "sh ip route" from the 2921 and a "sh route" from the ASA

5) do a traceroute to an internet site from a client and see where it gets to

Jon

Ok... gonna work on this today.... lets see what the outcome will be

WORKED!!! I did the exact same things as before :/ ..

I just made sure I changed the gateway on the DNS servers too. Thats the only thing I believe was different... I can access every thing as normal , but faster...

Jon .. Thanks for all your help//

Roger

No problem, really glad you got it working and thanks for letting me know.

Jon

Got another issue,, I made this changes on the other side of the VPN . same router scenario and setup. But now I cant manage either VPN devices. I will start another thread..

My ASA is 10.10.10.2 2921 is 10.10.10.1

the other side of the VPN was 172.20.16.11 - (used to manage it until after the change)

Now the other side is  10.10.20.2

other side 2921 10.10.20.1 -

I now its a simple but i just can't figure it out.

Roger

It's probably to do with routing.

Can you start new thread with network diagram ?

Jon

Review Cisco Networking for a $25 gift card