
Unsure on how to configure static routes properly

Paradera72
Level 1

This is a newb question from a routing newb, but I'm not sure how to properly set up specific static routes using a new 1921 CLI.
The client network is 192.168.1.0, the current gateway is 192.168.1.1 (inside interface of ASA).
I now need to put the 1921 between, and also route the 192.168.1.0 network to the 192.168.100.0 data center network.
So in short I need to route traffic between the 192.168.1.0 and 192.168.100.0 networks and both of these networks need to reach the Internet through the ASA.

How do I accomplish this? Sorry for the junior question, I'm still learning.

Peter




Peter

I'm not sure what you mean about the "native" option. You certainly don't need to create a subinterface. Subinterfaces would be used if the connection from the switch was a trunk link (as would the native option). But you don't need a trunk link, i.e. on the switch, for the port connecting to the ASA, the configuration would be -

int gi0/0
 switchport mode access
 switchport access vlan 4

A port in access mode does not send any tagged packets, i.e. they are all untagged. So then all you would need to do is change the IP of the ASA inside interface to an IP from the subnet used for vlan 4.

If this is still not clear can you perhaps post the config you are unsure of?

Jon

Any update on this? I have a similar setup that I set up a while ago and it works well, so it's fresh in my mind.

Paradera72
Level 1

Jon, Brad,

Thanks for your help so far.
Jon, I'd tried access and trunking to the inside of the ASA before with no joy. I've now tried placing a laptop on another port on the same switch as the ASA is plugged into. I statically assigned it 192.168.4.5, and from here I can ping the inside of the ASA. Ports are configured identically, on same vlan. The local vlan interface on the L3 switch is the gateway in all cases.
From the domain network, I can ping the laptop that is on the remote subnet, but not the ASA on that same subnet.
ICMP is enabled on the inside interface.

Peter



Pete,

Do you have a return route defined on the ASA?

I would enable logging on the inside interface, and try pinging the ASA again from your domain network and watch what is logged. I don't think the ASA is blocking ICMP as you said you can get through with the laptop on the same vlan. If you then see traffic going in, but there is no reply, then see if the ASA knows about the domain network on the other side of the router.

Brad

You know what guys? I had no route from the ASA back to the L3 switch. I was looking at the laptop config just a few mins ago, and it had the L3 switch on VLAN 4 as its default gateway.

I created a static route on the ASA inside interface with the L3 switch's VLAN 4 interface of 192.168.4.254 to get it to the domain network of 192.168.1.x, and now the ping test works.

Domain clients with the L3 switch as the default gateway can now get to the Internet, and to the data center network.

Thank you both for all of your help. I understand a little more now.

Peter

You also may want to create an additional static route on the ASA to allow Internet traffic back to the datacenter subnet, unless you already have Internet access there.
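
Added example, not part of the thread or anyone's posted configuration: a longest-prefix-match lookup over a constructed ASA routing table, showing why the laptop on VLAN 4 got replies while the domain network did not, and how the static routes change that. The addresses come from the thread; the interface names, the `ISP-GW` default next hop, the host 192.168.1.10 and the next hop for the data center route are assumptions.

```python
import ipaddress

# Constructed ASA routing tables. Addresses are from the thread; interface
# names and the "ISP-GW" default next hop are assumptions.
ASA_BEFORE = [
    ("192.168.4.0/24", "inside", "connected"),
    ("0.0.0.0/0", "outside", "ISP-GW"),
]
ASA_AFTER = ASA_BEFORE + [
    ("192.168.1.0/24", "inside", "192.168.4.254"),    # the fix from the thread
    ("192.168.100.0/24", "inside", "192.168.4.254"),  # assumed next hop for the data center
]

# Subnets that must be reachable behind the inside interface.
INTERNAL = ["192.168.1.0/24", "192.168.4.0/24", "192.168.100.0/24"]


def lookup(routes, dst):
    """Longest-prefix match; returns (prefix, interface, next_hop) or None."""
    addr = ipaddress.ip_address(str(dst))
    matches = [r for r in routes if addr in ipaddress.ip_network(r[0])]
    return max(matches, key=lambda r: ipaddress.ip_network(r[0]).prefixlen,
               default=None)


def missing_return_routes(routes, internal_subnets, inside_if="inside"):
    """Internal subnets whose replies would not leave via the inside interface."""
    missing = []
    for subnet in internal_subnets:
        net = ipaddress.ip_network(subnet)
        # Spot-check the first and last address of the subnet.
        for host in (net[0], net[-1]):
            route = lookup(routes, host)
            if route is None or route[1] != inside_if:
                missing.append(subnet)
                break
    return missing


if __name__ == "__main__":
    for name, table in (("before", ASA_BEFORE), ("after", ASA_AFTER)):
        print(name, "- subnets without a return route:",
              missing_return_routes(table, INTERNAL))
        print("  reply to 192.168.4.5  ->", lookup(table, "192.168.4.5"))
        print("  reply to 192.168.1.10 ->", lookup(table, "192.168.1.10"))
```

Before the fix, the reply to a 192.168.1.x host matches only the default route and leaves via the outside interface, which is the symptom Peter saw.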