04-22-2010 11:06 AM - edited 03-06-2019 10:45 AM
I have a 3750 stack as my aggregation point (10.10.10.3). Outbound traffic goes to ASA5510 (10.10.10.1) as do all my client gateways. I recently received a 1910 (10.10.10.10) to use as VPN router from an ISP vendor. I simply want to route traffic destined for 208.28.64.0 255.255.255.0 to the 1910 to go thru a VPN tunnel to the vendor. I used CNA to enable IP routing, and set a static map of 208.28.64.0 255.255.255.0 -> 10.10.10.10, but I can't get traffic to flow. If I use Windows routing commands, traffic goes fine. What am I missing? Do I need to point all my gateways to the 3750? Shouldn't the traffic that passes thru the 3750 to the ASA get sent to the 1910?
Sure, I could send out a GPO to do the routing, but isn't that what all this equipment is supposed to handle?
04-22-2010 11:25 AM
How do you have the 1910 connected?
04-22-2010 11:27 AM
One of the 48 switches on the 3750
04-22-2010 11:27 AM
Hello Aaron,
Is the new 1910 router IP address 10.10.10.10 in the same subnet as 10.10.10.3, or is it behind the ASA?
Also, you need to configure the return path: the C1910 has to be configured to send traffic for internal IP subnets instead of ASA.
So you will need on the C1910 the correct static routes with next-hop 10.10.10.3.
To work well, 10.10.10.10 and 10.10.10.3 have to be in the same subnet broadcast domain, so the switch port connecting to the C1910 LAN interface has to be on the same interface.
The IP address 10.10.10.3 has to be given to an SVI = Switched Virtual Interface.
example:
L2 broadcast domain is 10 = vlan-id
you need to configure
interface Vlan 10
 ip address 10.10.10.3 255.255.255.0
 no shut
!
int gi1/0/x
 switchport
 desc to C1910
 switchport mode access
 switchport access vlan 10
!
int gi1/0/y
 switchport
 desc to ASA
 switchport mode access
 switchport access vlan 10
!
! default route towards the ASA
ip route 0.0.0.0 0.0.0.0 10.10.10.1
! one or more specific routes as needed towards remote destinations if using a tunnel on C1910
ip route
Another important point: if the C1910 implements a VPN tunnel, you need to create static routes not for the tunnel remote endpoint but for the remote internal networks, which typically are private IP addresses (RFC 1918 like 10/8, 172.16-31.0.0/16, 192.168.x.0/24).
Hope to help
Giuseppe
04-22-2010 02:16 PM
I had to point my client gateway to the 3750, then configure the default route on 3750 to go to the ASA.
04-22-2010 03:02 PM
If your PC is on the 10.10.10.x network, then you can have one of these scenarios or any new scenario.
Scenario 1
Scenario 2
Scenario 3
Scenario 4
Hope this will help you to some extent, and share your scenario.
04-22-2010 04:03 PM
I basically went with scenario 1, except that the 3750 sends 208 data to the 1910. Scenario 2 didn't work as I couldn't get the ASA to do the routing back to the inside network, even with that allow same security intra-interface option enabled. Scenario 3 didn't work because it's a very specialized route path only for one application that I want going thru the 1910 tunnel.
04-23-2010 05:32 AM
Gr8! Can you please share the step-by-step problem and your own view on the problem?
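The forwarding behaviour discussed in this thread, as an added example that is not part of any poster's message: a hop-by-hop longest-prefix-match walk showing that the 3750's static route is only consulted when the client's gateway is the 3750. The ASA and 1910 tables and the "internet" and "vpn-tunnel" exit labels are assumptions, and 198.51.100.7 is a constructed sample destination.

```python
import ipaddress

# Per-device routing tables as (prefix, next hop). The 3750 table matches the
# routes named in the thread; the ASA and 1910 entries are assumed, and
# "internet" / "vpn-tunnel" are hypothetical labels for leaving the LAN.
TABLES = {
    "10.10.10.3": [("208.28.64.0/24", "10.10.10.10"),   # 3750: vendor net -> 1910
                   ("0.0.0.0/0", "10.10.10.1")],        # 3750: default -> ASA
    "10.10.10.1": [("0.0.0.0/0", "internet")],          # ASA: default outside
    "10.10.10.10": [("208.28.64.0/24", "vpn-tunnel")],  # 1910: vendor net -> tunnel
}


def lookup(table, dst):
    """Return the next hop of the most specific matching route, or None."""
    matches = [(ipaddress.ip_network(prefix), next_hop)
               for prefix, next_hop in table
               if dst in ipaddress.ip_network(prefix)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def path(client_gateway, destination):
    """Follow a packet from the client's configured gateway until it leaves the LAN."""
    dst = ipaddress.ip_address(destination)
    hops, hop = [], client_gateway
    while hop in TABLES and len(hops) < 8:   # hop limit guards against routing loops
        hops.append(hop)
        hop = lookup(TABLES[hop], dst)
    hops.append(hop or "dropped")
    return hops


if __name__ == "__main__":
    for gw in ("10.10.10.1", "10.10.10.3"):
        for dst in ("208.28.64.20", "198.51.100.7"):
            print(f"gateway {gw:<11} dst {dst:<13} -> {' -> '.join(path(gw, dst))}")
```

With the client gateway left on the ASA, the packet for 208.28.64.0/24 never reaches the 3750, so its static route has no effect.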