My inside interface of the ASA is 10.10.10.1. Some of the servers have the private IP address of 192.168.100.0. Other servers have another private IP address 172.16.20.0. Is it possible to configure so that these servers communicate to each other? For example, I want to be able to ping from Server A with the private IP address of 192.168.100.10 to the Server B with IP address 172.16.20.5. Also, is it possible to configure these servers so that they can get on the internet?
Yes, you can definitely configure the different internal subnets to communicate with each other, and also for those networks to access the internet.
How is each of the internal subnets connected at the moment? Is their default gateway configured as the ASA interface, or do you have an internal router or L3 switch doing the routing?
Thanks for your prompt response, Halijenn. All internal subnets are connected to Cisco 6509. The default gateway of each internal network is configured on the Cisco 3750. The Cisco 3750 does the routing. The default gateway of the ASA is configured on Cisco 3750. Let me know if I still have not answered your questions or need additional information. Thanks.
internal networks ----> Cisco 6509 ---> Cisco 3750
Thanks for the description. It's clear now.
For communication between internal networks as per the current design, it should already be working (i.e. all internal networks should be able to communicate with each other through the inter-VLAN routing on the 3750).
For internet access from all the internal networks, you would need to configure the following on the ASA:
1) Routes for all the internal subnets towards the 3750.
2) NAT statements for all the internal subnets so they get PATed to either a spare public IP address or the outside interface IP address for internet access.
3) If you have an ACL configured on the inside interface, you would also need to allow all the internal subnets access to the Internet.
Hope that helps.
Here is what can be configured on the ASA:
1) Routes for all the internal subnets towards the 3750:
Below, 10.10.10.x should be substituted with the 3750 IP address that is connected to the ASA inside interface of 10.10.10.1:
route inside 192.168.100.0 255.255.255.0 10.10.10.x
route inside 172.16.20.0 255.255.255.0 10.10.10.x
2) NAT statements for all the internal subnets so they get PATed to either a spare public IP address or the outside interface IP address for internet access:
-- If you already have "nat (inside) 1 0 0" and "global (outside) 1 interface", you don't have to configure anything more.
-- If you don't have the above, then you can configure the following accordingly:
nat (inside) 1 192.168.100.0 255.255.255.0
nat (inside) 1 172.16.20.0 255.255.255.0
global (outside) 1 interface
3) If you have an ACL configured on the inside interface, you would also need to allow all the internal subnets access to the Internet:
-- Check "sh run access-group" and see if there is any access-list applied to the inside interface. If there is, configure the ACL to add the new subnets:
Here is a sample config that might help too:
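A way to verify that each internal subnet has all three of the steps above before it is given internet access, as an added example that is not part of the original post and not the sample config it refers to. It parses the pre-8.3 "route / nat / global / access-group" syntax used in the thread with Python's ipaddress module; the running-config excerpt it reads is constructed for illustration, and the 3750 next hop 10.10.10.2 is an assumed value standing in for 10.10.10.x.

```python
"""Coverage check for the three ASA steps in the reply above: a route via the
inside interface, a nat/global pair, and (if an ACL is applied inbound on
inside) a permit for the subnet.  Added example, not Cisco tooling or the
poster's config; the config text below is constructed and 10.10.10.2 is an
assumed next hop for the 3750."""
import ipaddress
import re

ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")
ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) ip (.+)$")

# Constructed running-config excerpt: step 1 and step 3 are done only for
# 192.168.100.0/24, step 2 is done for both subnets.
SAMPLE_RUNNING_CONFIG = """\
interface Vlan10
 nameif inside
 ip address 10.10.10.1 255.255.255.0
route inside 192.168.100.0 255.255.255.0 10.10.10.2
nat (inside) 1 192.168.100.0 255.255.255.0
nat (inside) 1 172.16.20.0 255.255.255.0
global (outside) 1 interface
access-list inside_in extended permit ip 192.168.100.0 255.255.255.0 any
access-list inside_in extended deny ip any any
access-group inside_in in interface inside
"""


def _net(addr, mask):
    """ASA writes networks as 'addr mask'; '0 0' means any address."""
    if addr == "0" and mask == "0":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _src(tokens):
    """Source field of an ACE: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32")
    return _net(tokens[0], tokens[1])


def parse_config(text):
    """Collect routes, nat statements, globals, access-groups and ACEs from a config."""
    cfg = {"routes": [], "nats": [], "globals": set(), "groups": {}, "aces": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ROUTE_RE.match(line):
            cfg["routes"].append((m[1], _net(m[2], m[3]), m[4]))
        elif m := NAT_RE.match(line):
            cfg["nats"].append((m[1], int(m[2]), _net(m[3], m[4])))
        elif m := GLOBAL_RE.match(line):
            cfg["globals"].add((m[1], int(m[2])))
        elif m := GROUP_RE.match(line):
            cfg["groups"][m[2]] = m[1]  # interface -> ACL name applied inbound
        elif m := ACE_RE.match(line):
            cfg["aces"].setdefault(m[1], []).append((m[2], _src(m[3].split())))
    return cfg


def check_subnet(cfg, subnet, inside="inside", outside="outside"):
    """Return which of the three steps the config satisfies for one internal subnet."""
    subnet = ipaddress.ip_network(subnet)
    # 1) a route out the inside interface whose prefix covers the subnet
    has_route = any(iface == inside and subnet.subnet_of(net)
                    for iface, net, _nh in cfg["routes"])
    # 2) a nat on inside covering the subnet, paired with a global of the same id on outside
    has_nat = any(iface == inside and subnet.subnet_of(net)
                  and (outside, nid) in cfg["globals"]
                  for iface, nid, net in cfg["nats"])
    # 3) inside ACL: the first ACE whose source covers the whole subnet decides;
    #    no match is the implicit deny (partial overlaps are ignored here)
    acl_name = cfg["groups"].get(inside)
    if acl_name is None:
        acl_ok = None  # no ACL applied to inside, so nothing to add for step 3
    else:
        acl_ok = False
        for action, src in cfg["aces"].get(acl_name, []):
            if subnet.subnet_of(src):
                acl_ok = action == "permit"
                break
    return {"route": has_route, "nat": has_nat, "acl": acl_ok}


def missing_steps(cfg, subnet):
    """Names of the steps still to configure for the subnet (acl=None counts as done)."""
    return [step for step, ok in check_subnet(cfg, subnet).items() if ok is False]


if __name__ == "__main__":
    parsed = parse_config(SAMPLE_RUNNING_CONFIG)
    for net in ("192.168.100.0/24", "172.16.20.0/24"):
        print(net, check_subnet(parsed, net), "missing:", missing_steps(parsed, net))
```

Feed it the output of "show running-config" from the ASA and the two subnets from the question; a blanket "nat (inside) 1 0 0" with "global (outside) 1 interface" satisfies step 2 for every subnet, matching the reply's note that nothing more is needed in that case, while a subnet that still reports "route" or "acl" as missing needs the corresponding lines from the post above.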