
Multi-subnet routing

daverutz58
Level 1

I am running out of IP addresses on our internal LAN (10.165.11.0/24). I cannot simply change the net mask to /23 since we are already using 10.165.10.0/24 in the DMZ. So, to be able to get the extra IPs needed, I've created a superscope on the Windows 2012 R2 DHCP server (10.165.11.13). The extra scope is 10.165.21.0/24...

Scope 1

  • Range: 10.165.11.70 - 10.165.11.239
  • Router: 10.165.11.1
  • DNS: 10.165.11.13

Scope 2

  • Range: 10.165.21.60 - 10.165.21.250
  • Router: 10.165.21.1
  • DNS: 10.165.21.13

All devices are connected to the same VLAN and belong to the same domain. There is no need to have separate VLANs.


We are using (for now) a Cisco ASA-5510 as our router/firewall. All network traffic up until now has been going through the e0/1 interface (10.165.11.1 - security 100). I have created an extra interface e0/1.2 (10.165.21.1 - security 100).


I have also assigned a 2nd IP to the same LAN connection in the DHCP server (10.165.21.13) and set an extra gateway (10.165.21.1).


Clients can get an IP in the .21 range but they can’t ping any of the .11 resources. Nor can they surf the net. They can ping all other .21 addresses except for 10.165.21.1.

Clients in the .11 subnet can’t ping anything in the .21 subnet.


We are using Dell N3048 switches and VLAN1 is configured with 10.165.11.2. I have set a secondary address (10.165.21.2) for that VLAN. The port that the ASA is connected to is an Access port. Need it be a Trunk port instead?


The ASA syslog is showing the following error when I try to ping a .21 address from a .11 computer:

10.165.21.2   portmap translation creation failed for icmp src inside1:10.165.11.175 dst inside2:10.165.21.2 (type 8, code 0)


I’m not a Cisco guru but I’m pretty sure that routing is the issue. I have attached the config for the ASA and Dell switches.

Any assistance would be very welcome! Thanks

Dave

Accepted Solution

Hello

Wouldn't the simplest solution be to use the spare port on the ASA for this new IP range and attach it to an access port on the switch in the same VLAN as the primary subnet?

res

Paul


4 Replies

Hello,

the easiest way would be to create a second VLAN on the Dell, then configure the uplink to the ASA as a trunk, and set up a second subinterface:


interface Ethernet0/1.1
 vlan 2
 nameif inside1
 security-level 100
 ip address 10.165.11.1 255.255.255.0
!
interface Ethernet0/1.2
 vlan 1
 nameif inside2
 security-level 100
 ip address 10.165.21.1 255.255.255.0


If this is not possible, you can configure a secondary IP address for your main interface. It takes a bit of creativity, but is fairly easy to achieve. Check the link below for the procedure:


http://www.ducea.com/2008/05/31/adding-a-secondary-ip-address-on-a-cisco-asa-ethernet-interface/

Thanks Georg...
I will keep this solution in mind should I need that extra ASA port for something else!

Dave


Thanks for the suggestion!

I had thought about using the extra port on the ASA but was thinking about keeping it available should there be any kind of addition to the network.

Nonetheless, I configured it for the .21 network and got rid of the 0/1.2 subinterface. Since I had ACLs on the inside1 interface, I had to add the following entries:

access-list inside1_to_inside2 extended permit ip inside-network1 255.255.255.0 inside-network2 255.255.255.0 
access-list inside_nat0_outbound_1 extended permit ip inside-network1 255.255.255.0 inside-network2 255.255.255.0 
access-list inside2_to_inside1 extended permit ip inside-network2 255.255.255.0 inside-network1 255.255.255.0
access-list inside2_nat0_outbound extended permit ip inside-network2 255.255.255.0 inside-network1 255.255.255.0
nat (inside2) 0 access-list inside2_nat0_outbound
nat (inside2) 1 0.0.0.0 0.0.0.0 dns

Clients get a .21 DHCP address and they can surf the web. They can ping the .11 subnet (except 10.165.11.1) and the .11 clients can ping the .21 addresses (except 10.165.21.1).

One thing that a .21 client can't do is access shares on the 11.13 file server...


Thanks,

Dave


Update #1: I have opened ports UDP 137 & 138, tcp 139, tcp/udp 445 & 53 in both directions but still no go as far as access to shared folders located on the 11.13 server.


Update #2: I created a share (everyone - read access) on a .11 computer as well as one on a .21 computer. Each computer can successfully access the share on the other computer using their respective IP addresses.


After I remove the permissions for everyone, leaving just my domain account with r/w permissions, I can still access the shared folders' contents (logged into all computers and servers with the same domain account).


After removing the ports previously opened on the ASA, I can still access the shared folders.


I created a share on the file server (11.13) and shared it with everyone. From the .21 computer, I cannot access the folder contents using its .11 address (ping is successful). I can access the content with the server's 21.13 address.


From the .21 computer, I can access the shared folders hosted on other domain servers (11.6 or 11.7). Actually, I can access all shares, even administrative ones, on all .11 computers/servers. The only thing different with the 11.13 server is that I also gave it a 21.13 LAN address and a 21.1 gateway.


After removing those IPs, leaving the server with just its original 11.13 and 11.1 addresses, all shares are now accessible!
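As an added example that is not part of the thread, the following Python script models the "nat 0 access-list" exemption that Dave's fix relies on: it parses the access-list and nat lines from his reply, reads the source/destination interfaces out of the "portmap translation creation failed" syslog line from the original post, and reports whether the inside1 to inside2 flow is NAT-exempt before and after the fix. The two "name" entries and the pre-fix state (no exemption on inside1) are assumptions; the ACL and nat lines are copied from the thread.

```python
import ipaddress
import re
# Constructed config: the two "name" lines are assumed (the thread only shows
# the object names); the access-list and nat lines copy Dave's reply.
FIXED_CONFIG = """
name 10.165.11.0 inside-network1
name 10.165.21.0 inside-network2
access-list inside_nat0_outbound_1 extended permit ip inside-network1 255.255.255.0 inside-network2 255.255.255.0
access-list inside2_nat0_outbound extended permit ip inside-network2 255.255.255.0 inside-network1 255.255.255.0
nat (inside1) 0 access-list inside_nat0_outbound_1
nat (inside2) 0 access-list inside2_nat0_outbound
"""
# Assumed pre-fix state: NAT on inside1 but no exemption toward inside2.
BROKEN_CONFIG = "\n".join(l for l in FIXED_CONFIG.splitlines() if "(inside1) 0" not in l)

# Syslog line quoted in the original post.
SYSLOG = ("portmap translation creation failed for icmp src inside1:10.165.11.175 "
          "dst inside2:10.165.21.2 (type 8, code 0)")

def parse_config(text):
    """Collect name objects, 'permit ip' ACEs per ACL, and nat 0 ACL bindings."""
    names, acls, nat0 = {}, {}, {}
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "name":
            names[w[2]] = w[1]
        elif w[0] == "access-list" and w[2:5] == ["extended", "permit", "ip"]:
            src = ipaddress.ip_network(f"{names.get(w[5], w[5])}/{w[6]}")
            dst = ipaddress.ip_network(f"{names.get(w[7], w[7])}/{w[8]}")
            acls.setdefault(w[1], []).append((src, dst))
        elif w[0] == "nat" and w[2] == "0":
            nat0[w[1].strip("()")] = w[4]   # interface -> exemption ACL name
    return acls, nat0

def nat_exempt(config, src_iface, src_ip, dst_ip):
    """True if a flow entering src_iface matches that interface's nat 0 ACL."""
    acls, nat0 = parse_config(config)
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in sn and d in dn for sn, dn in acls.get(nat0.get(src_iface), []))

def explain(config, syslog_line):
    """Parse src/dst from the ASA message and report whether nat 0 covers it."""
    m = re.search(r"src (\w+):([\d.]+) dst (\w+):([\d.]+)", syslog_line)
    src_if, src_ip, dst_if, dst_ip = m.groups()
    exempt = nat_exempt(config, src_if, src_ip, dst_ip)
    verdict = "nat 0 exempt" if exempt else f"no exemption, translation needed toward {dst_if}"
    return exempt, f"{src_if}:{src_ip} -> {dst_if}:{dst_ip}: {verdict}"
```

Calling explain(BROKEN_CONFIG, SYSLOG) reports the missing exemption for the logged flow, while explain(FIXED_CONFIG, SYSLOG) shows the same flow matched by inside_nat0_outbound_1, which is why the ping worked once the nat 0 entries were in place.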