HSRP routing problem

zhaoxu_hao · ‎01-09-2012

Topology:

Internet—ASA5550—Cisco4503—Cisco2960—PC

| |

Cisco4503—Cisco2960—PC

Probably the same with this.

Dynamic routing to avoid,Here I do not know how ASA to write a static route

ASA is used to connect two Cisco4503 router interface and configure IP, which is a different network segment.

Please enlighten me！thanks.

The rookie from China—郝朝旭

cadet alain · ‎01-10-2012

Hi,

What do you want to know exactly ?

Regards.

Alain

Don't forget to rate helpful posts.

zhaoxu_hao · ‎01-10-2012

Hi, Alain

ASA Connection 4503, ASA interface IP address are:192.168.100.1,192.168.200.1

The first 4503 points to 192.168.100.1 Default Gateway

Another 4503 points to 192.168.200.1 Default Gateway

ASA to 4503 in both the static route how to write?

My English sucks, some expression is not very clear, please understand what

郝

Reza Sharifi · ‎01-10-2012

No, your English doesn't suck.

A couple of questions:

1-Are you using the 2960 and 4503 switches as layer-2 devices?

2-What device is the default gateway for your PCs (4503 or ASA)?

If the ASA is the default gateway for your PCs, you don't need any static route toward the inside of your network. You just need a default router towards the outside

HTH

zhaoxu_hao · ‎01-10-2012

Hi

Here the 2960 is a Layer 2 access devices, 4503 is a Layer 3 core devices

All PC's default gateway point to the HSRP virtual IP address.

Hao

Reza Sharifi · ‎01-10-2012

Ok, so you need a static route on the ASA pointing to the 4503 for the lan subnet and also a default route towards the Internet

Here is the config guide on how to configure static routes:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ip.html#wp1047894

HTH

zhaoxu_hao · ‎01-10-2012

The PC Network segment is 192 168. 0.0 / 24,ASA Connection 4503, 4503 interface IP address are:192.168.100.2,192.168.200.2

Write in the 4503

4503_ative:

interface Vlan10

ip address 192.168.0.3 255.255.255.0

standby 1 ip 192.168.0.1

standby 1 priority 200

standby 1 preempt

ip route 0.0.0.0 0.0.0.0 192.168.100.1

4503_standby:

interface Vlan10

ip address 192.168.0.2 255.255.255.0

standby 1 ip 192.168.0.1

standby 1 preempt

ip route 0.0.0.0 0.0.0.0 192.168.200.1

PC:

ip 192.168.0.10

mask 255.255.255.0

gateway 192.168.0.1

Write in the ASA

route ative 192.168.0.0 255.255.255.0 192.168.100.2

route standby 192.168.0.0 255.255.255.0 192.168.200.2

route outside 0.0.0.0 0.0.0.0 *.*.*.* 1

So write right？

If, 192.168 100. 0 / 24 link down

Data flow will be from 192 168. 200.0 / 24 go?

Hao

mcollaery · ‎01-10-2012

Could you create VLAN 20 on the ASA, put both ASA "inside" interfaces in VLAN20, configure VLAN20 on both 4503s, and then use only 192.168.100.... as the subnet for the link in to your 4503s?

Also, your 2960s are inter-connected, right?

binoj.savariyar · ‎01-11-2012

The Routes on ASA can be created by.

Route .

Please create VLANs In ASA itself.

interface Ethernet4.10

description *** Test***

vlan 10

nameif Test

security-level 80

ip address 192.168.100.x 255.255.255.0

interface Ethernet4.20

description *** Test***

vlan 20

nameif Test

security-level 80

ip address 192.168.200.x 255.255.255.0

Create it and if you want inter vlan communication permit under interface using ACLs and use same security-level traffic permit intra-interface to avoid NAT.

binoj.savariyar · ‎01-11-2012

The Routes on ASA can be created by.

Route .

Please create VLANs In ASA itself.

interface Ethernet4.10

description *** Test***

vlan 10

nameif Test

security-level 80

ip address 192.168.100.x 255.255.255.0

interface Ethernet4.20

description *** Test***

vlan 20

nameif Test

security-level 80

ip address 192.168.200.x 255.255.255.0

Create it and if you want inter vlan communication permit under interface using ACLs and use same security-level traffic permit intra-interface to avoid NAT.