Unsure on how to configure static routes properly

Paradera72
Level 1

This is a newb question from a routing newb, but I'm not sure how to properly set up specific static routes using a new 1921 CLI.
The client network is 192.168.1.0, the current gateway is 192.168.1.1 (inside interface of ASA).
I now need to put the 1921 between, and also route the 192.168.1.0 network to the 192.168.100.0 data center network.
So in short I need to route traffic between the 192.168.1.0 and 192.168.100.0 networks and both of these networks need to reach the Internet through the ASA.

How do I accomplish this? Sorry for the junior question, I'm still learning

Peter

2 Accepted Solutions

Pete

It is a good idea to have a dedicated vlan for connecting the L3 switch to the ASA and it sounds like that is what you are trying to do.

Unfortunately what you would need to do is readdress your inside interface on the ASA to the new vlan 4 IP subnet. This may not be an issue because NAT/access lists refer to the interface name and not the IP address, although you would need to go through the ASA config to make sure.

If you only use vlan 4 to connect the L3 switch to the ASA then you simply assign the L3 switchport into vlan 4 and the ASA simply receives untagged packets, i.e. the connection between the switch and ASA is not a trunk link so the native vlan does not come into it.

Does this make sense ?

Jon


Pete,

Do you have a return route defined on the ASA?

I would enable logging on the inside interface, and try pinging the ASA again from your domain network and watch what is logged. I don't think the ASA is blocking ICMP as you said you can get through with the laptop on the same vlan. If you then see traffic going in, but there is no reply, then see if the ASA knows about the domain network on the other side of the router.

Brad


20 Replies

Brad Hodgins
Level 1

What is the connection to the 192.168.100.0 network?

Jon Marshall
Hall of Fame

Pete

It's not clear how the network is laid out so it's difficult to provide an answer.

Can you provide a quick diagram showing how things are connected up and where the DC connection is, in relation to the new router.

Because you are putting the 1921 between the 192.168.1.x subnet and the ASA is it safe to assume you are going to readdress the inside interface of the ASA ?

Jon

Thanks for your reply, sorry I wasn't so clear in my first post. The 1941 is not yet implemented, but this is how we'd like to place it. The link to the Data Center is a transparent LAN service.

Why not use a sub-interface on the ASA to route to the data centre VLAN?

For example on the third port create the 3.12 subinterface with the ip of 192.168.100.254, then route the internal network through there.

Pete

Couple of questions / points -

1) The interface on the 1921 that connects to the DC - is that going to have a 192.168.100.x address ie. is the 1921 going to route for the DC servers as well ?

2) Are you adding another interface to the 1921 as it only comes with two inbuilt interfaces ?

3) You can't have the same vlan/IP subnet on two interfaces of the router (unless you bridge and there is no need here). So if 192.168.1.x is for the clients then you need to use a different subnet to connect the ASA to the router. They cannot be the same subnet. This means either -

a) using a different subnet for the clients

or

b) readdressing the ASA inside interface

As Brad says, an alternative is to use a subinterface on the ASA and not use the router at all, but unless you have strict security requirements I generally don't like using ASAs as routers.

Can you please answer the above and then we can provide the routing details you need.

Jon

Brad: We don't want to overload the ASA with routing.

Jon:

1. - Yes, the 1921 would route for the DC servers as well.

2. - Is there a way we can do it without purchasing more hardware or expansion cards? Can't we do subinterfaces like Brad suggested only on the 1921?

3. readdressing the ASA inside interface would be the least disruptive for us.

Peter

Peter

You can use subinterfaces on one of the 1921 inbuilt interfaces, yes, but you then need to be aware you are sharing the bandwidth of the interface with multiple vlans. So you need to decide which two vlans/IP subnets you want on one interface.

If you are happy to readdress the ASA inside interface then choose an unused subnet for the 1921 to ASA link and configure the new addressing on both the 1921 interface (or subinterface) and the ASA. Your routing would then be -

1921

====

ip route 0.0.0.0 0.0.0.0  

ASA

====

route inside 192.168.1.0 255.255.255.0 <1921 interface/subinterface IP>   <-- this is the new IP you have configured for the 1921 to ASA connection

route inside 192.168.100.0 255.255.255.0 <1921 interface/subinterface IP>

I'm assuming you already have a default route for the ASA pointing upstream to the ISP.

One last point. Depending on the amount of traffic between the client vlan and the DC + the general internet traffic you may find that a future upgrade would be a L3 switch in place of the router, as L3 switches have much greater throughput than an equivalent cost router but at the expense of not having such a rich feature set, e.g. most switches don't support NAT, have a limited QoS toolset compared with routers etc.

It all depends on whether you need the additional features of the router and whether your router can handle the traffic load. Just something worth bearing in mind.

Jon
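Jon's routing sketch above and Brad's "do you have a return route defined on the ASA?" question in the accepted solutions are two halves of the same check: the 1921 needs a default route toward the ASA, and the ASA needs routes back to the two internal subnets via the 1921, or replies to internal hosts follow the ASA's default route toward the ISP. The following is an added example, not code from this thread or from Cisco. It models each device's static routes as a table, performs longest-prefix-match forwarding hop by hop, and traces a packet out to the Internet and back with and without the ASA's `route inside` entries. The 1921-to-ASA link subnet 192.168.4.0/24 (1921 at .254, ASA inside at .1) and the ISP and Internet addresses 203.0.113.1 and 198.51.100.7 are assumptions chosen for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address
RouteTable = Dict[Net, Optional[Addr]]   # prefix -> next hop (None = directly connected)


def net(s: str) -> Net:
    return ipaddress.ip_network(s)


def addr(s: str) -> Addr:
    return ipaddress.ip_address(s)


# Subnets from the thread plus assumed addressing for the 1921-to-ASA link.
CLIENT_NET = net("192.168.1.0/24")
DC_NET = net("192.168.100.0/24")
TRANSIT_NET = net("192.168.4.0/24")     # assumption: new 1921-to-ASA link subnet
DEFAULT = net("0.0.0.0/0")

R1921_IP = addr("192.168.4.254")        # assumption: 1921 address on the link
ASA_INSIDE_IP = addr("192.168.4.1")     # assumption: readdressed ASA inside IP
ISP_GW = addr("203.0.113.1")            # constructed upstream next hop (TEST-NET-3)

# 1921: three connected networks and "ip route 0.0.0.0 0.0.0.0 192.168.4.1".
R1921_ROUTES: RouteTable = {
    CLIENT_NET: None,
    DC_NET: None,
    TRANSIT_NET: None,
    DEFAULT: ASA_INSIDE_IP,
}

# ASA as Peter would have it after readdressing: only the connected link and
# the pre-existing default route toward the ISP.  No return routes yet.
ASA_ROUTES_MISSING_RETURN: RouteTable = {
    TRANSIT_NET: None,
    DEFAULT: ISP_GW,
}

# ASA with Jon's two "route inside" lines pointing back at the 1921.
ASA_ROUTES: RouteTable = {
    **ASA_ROUTES_MISSING_RETURN,
    CLIENT_NET: R1921_IP,    # route inside 192.168.1.0 255.255.255.0 192.168.4.254
    DC_NET: R1921_IP,        # route inside 192.168.100.0 255.255.255.0 192.168.4.254
}

# Which device owns each next-hop address; any other next hop is beyond the ASA.
OWNER: Dict[Addr, str] = {R1921_IP: "1921", ASA_INSIDE_IP: "ASA"}


def lookup(table: RouteTable, dst: Addr) -> Optional[Tuple[Net, Optional[Addr]]]:
    """Longest-prefix match: the most specific static route wins over 0.0.0.0/0."""
    matches = [(prefix, nh) for prefix, nh in table.items() if dst in prefix]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)


def trace(start: str, dst: Addr, tables: Dict[str, RouteTable]) -> Tuple[List[str], str]:
    """Forward a packet device by device until it is delivered, leaves via the ISP, or fails."""
    hops = [start]
    dev = start
    for _ in range(8):                      # loop guard for mis-pointed routes
        route = lookup(tables[dev], dst)
        if route is None:
            return hops, "no route on " + dev
        _, nh = route
        if nh is None:                      # destination is directly connected here
            return hops, "delivered on " + dev
        nxt = OWNER.get(nh)
        if nxt is None:                     # next hop is not an internal device
            hops.append("ISP")
            return hops, "forwarded upstream to " + str(nh)
        hops.append(nxt)
        dev = nxt
    return hops, "routing loop"


def check_return_path(asa_table: RouteTable,
                      client: Addr = addr("192.168.1.10"),
                      internet_host: Addr = addr("198.51.100.7")) -> dict:
    """Trace client -> Internet through the 1921 and ASA, then the reply from the ASA back."""
    tables = {"1921": R1921_ROUTES, "ASA": asa_table}
    forward = trace("1921", internet_host, tables)
    back = trace("ASA", client, tables)
    return {"forward": forward, "return": back, "ok": back[1].startswith("delivered")}


if __name__ == "__main__":
    for label, table in (("with return routes", ASA_ROUTES),
                         ("missing return routes", ASA_ROUTES_MISSING_RETURN)):
        print(label, check_return_path(table))
    print("client -> DC", trace("1921", addr("192.168.100.20"),
                                {"1921": R1921_ROUTES, "ASA": ASA_ROUTES}))
```

The outbound trace is identical in both cases, which is why the symptom looks like "the ASA is blocking" rather than a routing problem: the miss only shows up on the reply, where the ASA's default route sends 192.168.1.x traffic to the ISP. Client-to-DC traffic never touches the ASA, since both subnets are connected to the 1921.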

Paradera72
Level 1

Jon, Brad,

Thanks for your replies.

I've been away from work unexpectedly for a while, but I am back to working on this now.
We actually have a layer 3 switch, and I am having a tough time with the routing configuration still.
I have enabled routing,
Vlan 1 IP is 192.168.1.254
Vlan 4 IP is 192.168.4.254
Vlan 100 IP is 192.168.100.254

I've created a static route 0.0.0.0 0.0.0.0 192.168.4.1

I can ping both above Vlan IPs from the PCs on the network. Now I want to change the inside interface of the ASA from 192.168.1.1 to 192.168.4.1, but the inside interface where all the rules are applied is the physical interface, using the native Vlan 1, not a sub-interface.
The native Vlan for the network is the default 1. If I create a sub-interface on the ASA of 1.4 for Vlan 4, I guess it would work, but there has to be an easier way. I don't want to mess around with the ASA very much.
The switch port connected to the inside interface of the ASA is trunking NN, vlans 1 and 4.

Peter

Pete

Where do you want to route between vlans ie. is it on the ASA or do you want to route between vlans on the L3 switch and just use the firewall for internet access ?

If you want to route on the L3 switch then there is no need for a trunk to the ASA. If you want to route on the ASA then you probably will need to create subinterfaces on the ASA.

So before we try and help with any configuration we need to know where you want to route the vlans within your network ?

Jon

Paradera72
Level 1

Jon,

All vlan routing would take place behind the inside interface Gig0/1. So even if I assign Gig0/1's switchport on the switch as access, and have no subinterfaces on the ASA's port, wouldn't the ASA be expecting traffic on the connected switch's native vlan 1?

Or can I change the switchport's native vlan to 4 and have it untag all traffic from vlan 4 and send it to the ASA?

Thanks again,

Peter

Peter

All vlan routing would take place behind the inside interface Gig0/1

You say you want to route between 192.168.1.0/24 and 192.168.100.0/24. Can you clarify where you want this routing to take place ie. on the L3 switch or the ASA ?

If it is the ASA then you either need -

1) an interface per vlan

or

2) if you don't have a spare interface you need to use subinterfaces

the native vlan doesn't come into this ie. you have two separate subnets and you want to route between them so you need two layer 3 interfaces (or subinterfaces) on the ASA.

Alternatively you could route between the vlans on the L3 switch and then only use a single interface on the ASA. In this setup traffic going to the ASA is only for internet ie. it is not used for inter vlan routing. It would mean less complication on the ASA but you would not be firewalling between the DC and the local LAN.

Is it a requirement to firewall between vlans ?

Jon

Paradera72
Level 1

Jon,

No firewall would be needed between the internal vlan networks. I want to do all routing via the L3 switch, only using the inside interface of the ASA for Internet traffic.
My problem is that our main production network is the native Vlan 1 as is the inside interface of the ASA. I have created a vlan for use in between the switch stack and the ASA. Is there a way of making this work without having to change my production vlan 1 (major upset) or rebuilding my ASA on a subinterface?
I have all the vlan routing defined on the L3 switch, and everything is working except the Internet. Currently users use the 192.168.1.1 inside interface as their gateway. I was hoping to change the IP and default vlan of the inside interface, but it looks like it only uses the native vlan untagged only with subinterfaces defined?

Peter

Paradera72
Level 1

Yes, it makes sense except for changing the vlan for the inside interface of the ASA. The only option I seem to have is "native".
It seems that I would have to create a subinterface 1.4 for vlan 4, and then change my NAT and rules to this new one?

Peter