Layer-3 switch routing problem

Phil Williamson
Level 1

I need some config help with the following.

I realized at the last moment during an office relocation that the ISP is not providing a router to terminate the public block.  I have a Cat3560 which can handle static routes.

ISP info:

Routed block 24.25.26.80/28

WAN link provided by ISP: 24.100.100.65 and .66 with .65 being the ISP - a /30.

My ASA5510 is:

outside: 24.25.26.82 /28

inside: 172.16.1.1 /24

route 0.0.0.0 0.0.0.0 24.25.26.81 outside

I have two routed ports on the Cat3560

Gi0/23 24.100.100.66/30 link to ISP

Gi0/24 24.25.26.81/28 connected to the outside interface of the ASA5510, i.e. its default route

Vlan1 intfc is 172.16.1.254 /24

ip route 0.0.0.0 0.0.0.0 24.100.100.65

All interfaces are in VLAN1 at present until I get this problem resolved.

The default gateway for internal net is 172.16.1.1 - The ASA inside intfc

I can SSH into the ASA from outside and SSH to either Gi0/23 or Gi0/24 at present.

I cannot connect through the ASA from the outside to any inside hosts on the 172.16.1.0 net; the appropriate ACL/static on the ASA is configured to allow it.

What have I missed here, and can I resolve it using the Cat3560 and its L3 routing capability?

11 Replies

Reza Sharifi
Hall of Fame

ISP----------3560----------ASA---------------?-----------Hosts/servers

What do the hosts/servers you are trying to SSH to in network 172.16.1.0/24 connect to?

ISP------3560------ASAoutside-----ASAinside------3560------VLAN1(L2)-------hosts/servers

Note in the above that the ASA's inside interface is connected to this same 3560. I have ip routing enabled.

The problem is that a packet which arrives on an L2 switchport from an internal host has to have a route to the ASA's inside interface. I need an ip route 0.0.0.0 0.0.0.0 172.16.1.1 for this, but I have to have the 0.0.0.0 0.0.0.0 24.100.100.65 to route to the ISP.

I've shut down interface Vlan1, just to eliminate any 172.16.1.x IP on the switch, since I can access the switch on either of the public routed interfaces.

I am remote (not physically on site) and am working with my customer.

I'm not sure I can accomplish what is needed if I have both the inside and outside interfaces of the ASA connected to this same switch.

Phil

Undoubtedly a second internal switch would be the easiest solution. However, you may also want to consider VRF-lite, which is supported on the 3560. You could in effect have 2 VRFs which could each have their own default route, and then use the ASA itself to route between the VRFs, so in effect:

vrf1 would consist of your internal VLAN, i.e. VLAN 1, plus the internal interface of the ASA, and it would have a default route pointing to the inside interface of the ASA.

vrf2 would consist of the external interface of your ASA, your routed port on the 3560 connecting back to the ASA, and the routed connection to the ISP. vrf2 would then have a default route pointing to the ISP next-hop address.

A couple of things to note:

1) I've never done this type of setup, so it would need testing and it may not work. VRF-lite certainly works on 35xx switches because I have done it, but not with an ASA.

2) Having said all the above, it is not good practice to have the same switch on the outside of the firewall and the inside, especially if that switch has ip routing enabled. It is too easy to make a mistake, and the potential for a misconfiguration that allows the firewall to be bypassed is too great. In addition, if the same switch is being used for outside and inside and a DoS, for example, was to affect the switch because it is directly exposed to the internet, this could cripple your internal LAN as well.

I would strongly recommend using a separate switch for the internal network. Actually, it would make more sense to use the existing 3560 for the LAN. You only actually need an L2 switch for the ISP termination.

Jon
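Jon's two-VRF layout, written out as a 3560 configuration. This is an added example, not configuration from the thread or from Cisco; it uses the addresses Phil quoted, while the VRF names OUTSIDE/INSIDE and the route distinguishers are assumptions. VRF-lite on the 3560 needs the IP services image, and `ip vrf forwarding` clears any address already on the interface, so the address is (re)entered after it.

```cisco
! Added example (not from the thread): VRF-lite on the 3560 so the
! outside of the ASA and the inside LAN each get their own routing
! table and their own default route. VRF names and RDs are assumed.
ip routing
!
ip vrf OUTSIDE
 rd 65000:1
!
ip vrf INSIDE
 rd 65000:2
!
! OUTSIDE VRF: the ISP /30 and the /28 link towards the ASA outside
interface GigabitEthernet0/23
 description Link to ISP (next hop 24.100.100.65)
 no switchport
 ip vrf forwarding OUTSIDE
 ip address 24.100.100.66 255.255.255.252
!
interface GigabitEthernet0/24
 description Link to ASA outside (24.25.26.82)
 no switchport
 ip vrf forwarding OUTSIDE
 ip address 24.25.26.81 255.255.255.240
!
! INSIDE VRF: the LAN SVI; hosts still use the ASA inside (172.16.1.1)
! as their gateway, this route only covers switch-originated traffic
interface Vlan1
 ip vrf forwarding INSIDE
 ip address 172.16.1.254 255.255.255.0
!
! One default route per VRF, not one global default route
ip route vrf OUTSIDE 0.0.0.0 0.0.0.0 24.100.100.65
ip route vrf INSIDE 0.0.0.0 0.0.0.0 172.16.1.1
```

Check each table separately with `show ip route vrf OUTSIDE` and `show ip route vrf INSIDE`, and `ping vrf OUTSIDE 24.100.100.65` for the ISP side. The split only holds while every interface is in the VRF it belongs to: a single `ip vrf forwarding` typed on the wrong port, or a port left in the global table, puts a path around the ASA, which is exactly the bypass risk Jon raises in point 2.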

I believe I will have to cable it up like this:

ISP------3560------ASAoutside---ASAinside-----SomeOtherSwitch------hosts/servers

i.e. I make the 3560 a 2-port router and don't connect anything to it except the ISP and the outside interface of the ASA.

I'm waiting for my customer to arrive this morning so we can set this up

Hi,

If you want to connect to the 172.16.0.0 network from outside (Internet), you need NAT on the ASA to do that.

Toshi

Sent from Cisco Technical Support iPhone App

The ASA has all this set up already; it was being used before for this customer with a different ISP feed.

Hi,

Please explain in detail how you are testing the connection to the 172.16.0.0 network, and please post the ASA configuration.

Toshi

No can do; the customer will not allow it.

Hi,

First off, to connect to the 172.16.1.0/24 network: where are you testing from? The Internet? I'll explain this.

1. The customer decided to use the 172.16.1.0 network for clients. They are behind an ASA firewall. The inside interface of the ASA is used.

2. The ASA is used as a firewall. The ASA is assigned a public IP address on its outside interface. The ASA has a default route pointing to the C3560.

3. The C3560 is used to terminate the ISP's medium, which is Ethernet. The C3560 has a default route to the ISP.

4. From the Internet, you can connect to the 3560 and the ASA via their public IP addresses. That's true.

5. From the Internet, we cannot connect to the 172.16.1.0 network (private IP addresses).

6. If we want to connect, we should have static NAT (or specific ports) to connect to them.

    6.1 Just create a static NAT (or specific ports) from 24.25.26.83 to 172.16.1.10.

    6.2 Configure outside-to-inside policies to allow traffic to connect to 24.25.26.83.

    6.3 I'd connect to host 172.16.1.10 from the Internet by using 24.25.26.83.

I'm not sure that I understand your question correctly. If not, please explain it in detail.

HTH,

Toshi
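Toshi's steps 6.1 to 6.3 as an ASA configuration. This is an added example, not configuration from the thread; it assumes ASA software 8.3 or later (object NAT, ACLs written against the real address), reuses Toshi's illustrative pair 24.25.26.83 / 172.16.1.10, and exposes only TCP/22 rather than the whole host, which is an assumption about what the customer wants reachable.

```cisco
! Added example (not from the thread). ASA 8.3+ syntax assumed.
! Public 24.25.26.83 is taken from the routed /28; 172.16.1.10 is the
! inside server. Only SSH is permitted in, as an assumption.
object network SRV-172-16-1-10
 host 172.16.1.10
 nat (inside,outside) static 24.25.26.83
!
! On 8.3+ the ACL names the real (inside) address, not the mapped one
access-list OUTSIDE_IN extended permit tcp any object SRV-172-16-1-10 eq 22
access-group OUTSIDE_IN in interface outside
```

On pre-8.3 code the equivalent is `static (inside,outside) 24.25.26.83 172.16.1.10 netmask 255.255.255.255`, and the ACL then names the public address (`host 24.25.26.83`). Verify with `show nat`, `show xlate`, and a simulated inbound connection such as `packet-tracer input outside tcp 203.0.113.5 12345 24.25.26.83 22` (the source address is a placeholder). Because the 3560 holds 24.25.26.81/28 as a directly connected subnet, it will ARP for .83 and the ASA must answer with proxy ARP, which static NAT does by default; disabling proxy ARP on the outside interface would silently break the translation. None of this helps if the inside host's default gateway is not the ASA, since the return packets never reach the outside interface.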

Hi,

Thanks Jon, I didn't read what he explained. My fault. I think the gateway of all users is on the ASA, so he will be fine; if not, VRF-lite is a good solution.

5 points

Toshi

Sent from Cisco Technical Support iPhone App

Long story short: the customer had an incorrect gateway on all servers.

The Cat3560 config as stated works as required, but not when hosts have their gateway set to a non-existent IP.

I'll look at VRF-lite for some uses in the future.

Sorry for taking up everyone's time.