Good Day All,
I have been working on a solution for a few days and have not been able to figure out the resolution. The basic premise is to have 3 inside vlan networks controlled by a 1900 series router. Then have that primary LAN router connect to the inside of my ASA5505 Basic, then go out to my ISP Gateway.
I have tried hundreds of different static route configurations on my router and asa. I have tried equally as many NAT and PAT configurations, but nothing seems to work.
I have even tried using all the commands (specific to my topography of course) on this weblink from cisco:
Please see the attached topography and the red notes under each network segement.
I will be posting my run-config on here later today.
************ I have added the device configs **************
Cisco ASA 5505 Base License OS 8.4
object network OBJ_GENERIC_ALL
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) source dynamic OBJ_GENERIC_ALL interface
route inside 10.3.3.0 255.255.255.0 192.168.88.2 1
route inside 10.41.10.0 255.255.255.0 192.168.88.2 1
route outside 0.0.0.0 0.0.0.0 220.127.116.11
Cisco Router 1900 Base License
route outside 0.0.0.0 0.0.0.0 192.168.88.2
the link between the 5505 and the router is it a layer 2 trunk or an access port?
Do you have connectivity from any vlan to the 5505?
Do you have connectivity from the 5505 to the internet?
If the link between between the 5505 and the router is a access port then you just need a static route in the router pointing everything unknown to the asa, then make sure you have you have for every single inside subnet a static route pointing back to the router.
>Link between ASA and Router
On the Router the link is Trunk, However on ASA 5505 the port is Access.
When I tried to change the inside interface to trunk, it said this is not an option with my current license.
>From Any Vlan to the 5505
I can ping the inside interface on the ASA 192.168.88.1 from any vlan in my topography and from the router.
I cannot ping the outside interface on the ASA from the vlans behind the router, but i can from the inside interface network of the ASA
>5505 to the internet
Yes, I connect a laptop to a ASA switchport I have internet.
>If the link between between the 5505 and the router is a access port then you just need a static route in the router >pointing everything unknown to the asa, then make sure you have you have for every single inside subnet a static route >pointing back to the router.
Will my inside routes on my ASA suffice, look at above post and reply. So now I have to so is change my router's ports to access mode, or just the outside on the router ?
Thanks you for helping.
Could you post the following outputs:
from the router:
Show ip interface br | ex una
Show run inter fast0/1
Show run interface fast0/0
Show run interface fast0/0.10
Show runinterface fast0/0.47
Show ip route
from the ASA.
Show run route
Show inter ip br
Show run inter gig0/1
I'm looking forward to hearing from you
Look at the show route in the ASA,
RENOASA# Show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
It doesn't know how to reach the inside vlans (those configured in the router) even when they are manually configured and appear in the running config we still don't see them in the routing table, the reason why is because the interface vlan is down, also notice from the show interface ip br that vlan 10 which ip address is 192.168.88.1 is down down, it's a configuration problem.
the requirements for the interface vlan to be up are:
It needs to have a nameif.
It needs to have a ip address
it needs to be no shutdown.
and at least one of the PHYSICAL interfaces associated to the interface vlan MUST be up. <--I have doubts with this one.
Make sure that the physical interface connected to the router is up and let me know.
Wilson, Thanks for the assistance so far.
We resetup the router and ASA. For some reason the ASA doesn't want to save commands. But I think we go them to stick.
In the original post I have attached 2 NEW SHOW RUN CONFIG for ASA and ROUTER. Docs are Version 2
I also did the suggested commands again. Show route gave a better response this time, but still unable to get internet.
Any other ideas.
I tried something interesting...
I moved the WAN Line down to the routers0/0 port. Totally removing the ASA 5505 from the network.
I configure the router's 0/0 interface to be 18.104.22.168 (MY STATIC IP FROM ISP)
I set a default route to 22.214.171.124 (My ISP GW)
And I tried to ping from 10.3.3.0 Vlan 10 and my ping from my pc said no route to host.
So then I connected my laptop to the router0/1 interface and did an ping and stll no route to host.
I have a route of ip route 0.0.0.0 0.0.0.0 126.96.36.199
How do I get a VLAN on a subinterface to see the outside interface on the WAN.
Do the following test:
Make sure the laptop has its gateway pointing to the subinterfaces or the router.
Make sure the gateway is reachable from the laptop.
Make sure the internet is reachable from the ip address of the gateway.
Make sure the static route is configured properly and pointing to the internet address.
If all pings works fine, then you need but you stil can't get to the internet, you either need to enable "ip routing" from global configuration mode on the router, or the the ICMP is reaching the internet, but the internet doesn't know how to respond back. an ACL to see hitcounts could help you to figure out that.
I finally found the issue with my topography and configuration. The error was with the ASA. I didn't permit any of the internal vlan traffic through the wall, just the inside/24 network. I changed the permits to be (INTERFACE INSIDE) and it allowed the packets out. I am guessing that the 192.168.88.0/24 on the firewall worked everytime for that reason. However 10.3.3.0/24 network failed because it wasn't being NAT-ed on the router so the packet was still tagged with 10.3.3.0.
**** SO PINGING FAILED FROM VLANS BUT NOT FROM ROUTER OR INSIDE NETWORK ON ASA*****
Second issue, was I left of the DNS Servers in the DHCP Scope on the routers. Resulted in no being able to see google or yahoo for internet verification.
**** WEBSITE VERIFICATION FAILED EVERYTIME *****
I have a working configuration. Now on to the QOS settings to optimize the voice traffic to the WAN. We are trying to use the Cloud Voice over IP from Velocity.
Thanks for the help again.