Beginner

Router on a Stick Configuration, Plugged into ASA 5505 for Internet Help!

Good Day All,

I have been working on a solution for a few days and have not been able to figure out the resolution. The basic premise is to have 3 inside vlan networks controlled by a 1900 series router. Then have that primary LAN router connect to the inside of my ASA5505 Basic, then go out to my ISP Gateway.

I have tried hundreds of different static route configurations on my router and asa. I have tried equally as many NAT and PAT configurations, but nothing seems to work.

I have even tried using all the commands (specific to my topography of course) on this weblink from cisco:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b1ee95.shtml#ND

Please see the attached topography and the red notes under each network segment.

I will be posting my run-config on here later today.

Thanks,

Nate

************ I have added the device configs **************

12 REPLIES 12
Contributor

Re: Router on a Stick Configuration, Plugged into ASA 5505 for I

The ASA needs a static route for each subnet serviced by the 1900 router, such as 10.3.3.0/24 -> 192.168.88.2

Beginner

Re: Router on a Stick Configuration, Plugged into ASA 5505 for I

Cisco ASA 5505 Base License OS 8.4
--------------------------------------------------------------
object network OBJ_GENERIC_ALL
 subnet 0.0.0.0 0.0.0.0
nat (inside,outside) source dynamic OBJ_GENERIC_ALL interface
route inside 10.3.3.0 255.255.255.0 192.168.88.2 1
route inside 10.41.10.0 255.255.255.0 192.168.88.2 1
route outside 0.0.0.0 0.0.0.0 65.255.80.1

Cisco Router 1900 Base License
------------------------------------------------------
route outside 0.0.0.0 0.0.0.0 192.168.88.2

Participant

Re: Router on a Stick Configuration, Plugged into ASA 5505 for I

Hello Nate.

The link between the 5505 and the router, is it a layer 2 trunk or an access port?

Do you have connectivity from any vlan to the 5505?

Do you have connectivity from the 5505 to the internet?

If the link between the 5505 and the router is an access port then you just need a static route in the router pointing everything unknown to the ASA, then make sure you have for every single inside subnet a static route pointing back to the router.

Regards.

Wilson B.

Beginner

Router on a Stick Configuration, Plugged into ASA 5505 for Inter

>Link between ASA and Router

On the Router the link is Trunk, however on the ASA 5505 the port is Access.

When I tried to change the inside interface to trunk, it said this is not an option with my current license.

>From Any Vlan to the 5505

I can ping the inside interface on the ASA 192.168.88.1 from any vlan in my topography and from the router.

I cannot ping the outside interface on the ASA from the vlans behind the router, but I can from the inside interface network of the ASA.

>5505 to the internet

Yes, when I connect a laptop to an ASA switchport I have internet.

>If the link between the 5505 and the router is an access port then you just need a static route in the router pointing everything unknown to the ASA, then make sure you have for every single inside subnet a static route pointing back to the router.

Will my inside routes on my ASA suffice? Look at the above post and reply. So now what I have to do is change my router's ports to access mode, or just the outside on the router?

Thank you for helping.

Beginner

Router on a Stick Configuration, Plugged into ASA 5505 for Inter

I have added the configs to the Starting Post, please review the rtf files

Participant

Router on a Stick Configuration, Plugged into ASA 5505 for Inter

Could you post the following outputs:

from  the router:

Show ip interface br | ex una

Show run inter fast0/1

Show run interface fast0/0

Show run interface fast0/0.10

Show run interface fast0/0.47

Show ip route

from the ASA.

Show route

Show run route

Show inter ip br

Show run inter gig0/1

I'm looking forward to hearing from you

Wilson B.

Beginner

Re: Router on a Stick Configuration, Plugged into ASA 5505 for I

I have attached the show commands in the original starting post.

Participant

Re: Router on a Stick Configuration, Plugged into ASA 5505 for I

Nate.

Look at the show route in the ASA,

RENOASA# Show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

It doesn't know how to reach the inside vlans (those configured in the router). Even though they are manually configured and appear in the running config, we still don't see them in the routing table. The reason is that the interface vlan is down; also notice from the show interface ip br that vlan 10, whose ip address is 192.168.88.1, is down down. It's a configuration problem.

The requirements for the interface vlan to be up are:

It needs to have a nameif.

It needs to have an ip address.

It needs to be no shutdown.

And at least one of the PHYSICAL interfaces associated to the interface vlan MUST be up. <--I have doubts with this one.

Make sure that the physical interface connected to the router is up and let me know.

Beginner

Router on a Stick Configuration, Plugged into ASA 5505 for Inter

Wilson, Thanks for the assistance so far.

We re-set up the router and ASA. For some reason the ASA doesn't want to save commands. But I think we got them to stick.

In the original post I have attached 2 NEW SHOW RUN CONFIG for ASA and ROUTER. Docs are Version 2

I also did the suggested commands again. Show route gave a better response this time, but still unable to get internet.

Any other ideas.

Beginner

Router on a Stick Configuration, Plugged into ASA 5505 for Inter

I tried something interesting...

I moved the WAN Line down to the router's 0/0 port, totally removing the ASA 5505 from the network.

I configured the router's 0/0 interface to be 65.255.80.227 (MY STATIC IP FROM ISP)

I set a default route to 65.255.80.1 (My ISP GW)

And I tried to ping from 10.3.3.0 Vlan 10 and my ping from my pc said no route to host.

So then I connected my laptop to the router's 0/1 interface and did a ping and still no route to host.

I have a route of ip route 0.0.0.0 0.0.0.0 65.255.80.1

How do I get a VLAN on a subinterface to see the outside interface on the WAN?

Participant

Router on a Stick Configuration, Plugged into ASA 5505 for Inter

Do the following test:

Make sure the laptop has its gateway pointing to the subinterfaces or the router.

Make sure the gateway is reachable from the laptop.

Make sure the internet is reachable from the ip address of the gateway.

Make sure the static route is configured properly and pointing to the internet address.

If all pings work fine but you still can't get to the internet, you either need to enable "ip routing" from global configuration mode on the router, or the ICMP is reaching the internet, but the internet doesn't know how to respond back. An ACL to see hit counts could help you to figure that out.

Wilson B.         

Beginner

Router on a Stick Configuration, Plugged into ASA 5505 for Inter

Wilson,

I finally found the issue with my topography and configuration. The error was with the ASA. I didn't permit any of the internal vlan traffic through the wall, just the inside/24 network. I changed the permits to be (INTERFACE INSIDE) and it allowed the packets out. I am guessing that the 192.168.88.0/24 on the firewall worked every time for that reason. However the 10.3.3.0/24 network failed because it wasn't being NAT-ed on the router, so the packet was still tagged with 10.3.3.0.

**** SO PINGING FAILED FROM VLANS BUT NOT FROM ROUTER OR INSIDE NETWORK ON ASA*****

Second issue was that I left off the DNS Servers in the DHCP Scope on the routers. This resulted in not being able to see google or yahoo for internet verification.

**** WEBSITE VERIFICATION FAILED EVERY TIME *****

I have a working configuration. Now on to the QOS settings to optimize the voice traffic to the WAN. We are trying to use the Cloud Voice over IP from Velocity.

Thanks for the help again.

Nate
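
A check for the failure described in the post above, added here as an example and not taken from any poster's configuration: it reads ASA config text and lists subnets that have a `route inside` entry but are not covered by a permit in the ACL bound inbound to the inside interface. The ACL name `INSIDE_OUT` and its entries are assumptions; the routes are the ones quoted earlier in the thread. It only understands `extended permit ip` entries with a plain network, `host` or `any` source and ignores deny lines.

```python
import ipaddress

# Constructed sample: routes are from the thread, the ACL lines are assumed.
SAMPLE_ASA_CONFIG = """\
access-list INSIDE_OUT extended permit ip 192.168.88.0 255.255.255.0 any
access-group INSIDE_OUT in interface inside
route inside 10.3.3.0 255.255.255.0 192.168.88.2 1
route inside 10.41.10.0 255.255.255.0 192.168.88.2 1
route outside 0.0.0.0 0.0.0.0 65.255.80.1
"""

def parse_source(tokens):
    """Return the source network of a 'permit ip' entry, or None if unsupported."""
    try:
        if tokens[0] == "any":
            return ipaddress.ip_network("0.0.0.0/0")
        if tokens[0] == "host":
            return ipaddress.ip_network(tokens[1] + "/32")
        return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}")
    except (ValueError, IndexError):
        return None  # object-group or other source forms are not handled here

def unpermitted_routed_subnets(config, ifname="inside"):
    """Subnets routed via `ifname` that the inbound ACL on `ifname` does not permit."""
    bound_acl, permits, routed = None, {}, []
    for line in config.splitlines():
        t = line.split()
        if len(t) >= 5 and t[0] == "access-group" and t[2] == "in" and t[4] == ifname:
            bound_acl = t[1]
        elif len(t) >= 6 and t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src = parse_source(t[5:])
            if src is not None:
                permits.setdefault(t[1], []).append(src)
        elif len(t) >= 5 and t[0] == "route" and t[1] == ifname:
            routed.append(ipaddress.ip_network(f"{t[2]}/{t[3]}"))
    if bound_acl is None:
        return []  # no inbound ACL bound, so the default interface policy applies
    allowed = permits.get(bound_acl, [])
    return [str(n) for n in routed if not any(n.subnet_of(a) for a in allowed)]

if __name__ == "__main__":
    for net in unpermitted_routed_subnets(SAMPLE_ASA_CONFIG):
        print(f"routed via inside but not permitted by the inside ACL: {net}")
```

Run against the sample, it reports both VLAN subnets behind the router, which matches the symptom of pings working from 192.168.88.0/24 but not from the VLANs.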
