HP v1910 Switch – Troubleshooting VLAN Problems

cisco-asa, hp, vlan

We have added to our existing network an HP v1910 switch with the purpose of adding two VLANs. The computers in these two VLANs will need internet access, to communicate between the two VLANs and also to be able to contact computers that are still in the current network segment.

I have configured the VLANs on the HP switch and added a test computer in each VLAN. The following is what works and doesn't work. I have also included screenshots of relevant information and a diagram of the physical layout.

Devices in VLAN2 (computer A) and VLAN3 (computer B) can communicate with each other and access the internet without problems. I had to add the two static routes (as seen in the diagram) on the ASA 5505 to make this work. The problem is that devices on VLAN2 and VLAN3 cannot connect to devices on the original network outside of the HP v1910 switch (as illustrated by computer C and the DHCP server). My feeling is there is another static route or routes that need to be configured either on the ASA or the HP switch. Advanced network routing is not my expertise but I do understand the basic concepts and can usually manage, but this has had me confused for days. Also, I'm not sure if I have the ports tagged right since I don't have a good understanding of that purpose, so I just left everything as default untagged. Any help would be appreciated as I have scoured the internet for help to no avail. I'll try to attach images below if I can figure out how.

Physical Layout

VLAN Summary

VLAN Interfaces

HP v1910 Active Routes

Cisco ASA Static Routes

Best Answer

The computers (computer C and the DHCP server) will send traffic destined for the 192.168.x.0/24 blocks to the ASA, and apparently the ASA is not hair-pinning that traffic or sending ICMP redirects, which would not be terribly surprising for a firewall (or the computers aren't paying attention to the ICMP redirects).

A few options...

1) Put static routes on the DHCP server and computer C (and any other computers on that network) similar to the ones you put in the ASA.

2) Re-IP computer C and the DHCP server into a VLAN4 (or whatever) on the v1910 so that the v1910 is handling all of the internal routing...all of your endpoints can just use default routes, that point toward the v1910, and you would only have to put static routes on the ASA pointing towards the v1910. If you've got enough ports on the v1910 for your needs, you could ditch the unmanaged switch if you do this. (I like Procurves...if you've got enough ports, this or option 2a would be the way to go IMO)

2a) Re-IP the ASA in a similar way to option 2, meaning computer C and the DHCP server can keep their IP addresses.

3) There may be a way to get the ASA to issue ICMP redirects on the 172.16.3.x network so that the computers on that network can learn about the existence of the v1910. Alternatively, maybe there's a way to get the ASA to hair-pin the traffic...I don't know enough about ASAs to be able to answer that.

4) Move the v1910 to another port on the ASA, instead of daisy-chaining it off the unmanaged switch and route the traffic through the ASA as well. That would mean configuring whatever policy would be needed to get the traffic through the ASA appropriately.
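The asymmetric path described in this answer can be traced with a small routing model. This is an added example, not part of the original answer: every host address, the VLAN subnets and the device names are constructed (the page gives only 172.16.3.x and 192.168.x.0/24), and the ASA is assumed to drop traffic it would have to send back out the interface it arrived on.

```python
import ipaddress

# Constructed addresses: the page names only 172.16.3.x and 192.168.x.0/24.
ASA, V1910, PC_A, PC_C = "172.16.3.1", "172.16.3.2", "192.168.2.10", "172.16.3.50"
OWNER = {ASA: "asa", V1910: "v1910", "192.168.2.1": "v1910"}  # gateway IP -> device

def tables(host_static_routes=False):
    """Routing tables as {prefix: gateway}; 'direct' means on-link."""
    t = {
        "pc_a":  {"192.168.2.0/24": "direct", "0.0.0.0/0": "192.168.2.1"},
        "v1910": {"192.168.2.0/24": "direct", "192.168.3.0/24": "direct",
                  "172.16.3.0/24": "direct", "0.0.0.0/0": ASA},
        "asa":   {"172.16.3.0/24": "direct", "192.168.2.0/24": V1910,
                  "192.168.3.0/24": V1910},
        "pc_c":  {"172.16.3.0/24": "direct", "0.0.0.0/0": ASA},
    }
    if host_static_routes:  # option 1: static routes on the legacy hosts
        t["pc_c"].update({"192.168.2.0/24": V1910, "192.168.3.0/24": V1910})
    return t

def next_hop(table, dst):
    """Longest-prefix match over one routing table."""
    ip = ipaddress.ip_address(dst)
    nets = [ipaddress.ip_network(p) for p in table if ip in ipaddress.ip_network(p)]
    return table[str(max(nets, key=lambda n: n.prefixlen))] if nets else None

def trace(t, start, dst, asa_hairpin=False):
    """Return (hops, delivered). Assumption: the ASA drops a packet it would
    forward back out its arrival interface unless asa_hairpin is True."""
    hops, dev = [start], start
    while True:
        gw = next_hop(t[dev], dst)
        if gw is None:
            return hops, False
        if gw == "direct":
            return hops, True
        if dev == "asa" and len(hops) > 1 and not asa_hairpin:
            return hops + ["DROP"], False
        dev = OWNER[gw]
        hops.append(dev)

if __name__ == "__main__":
    print("A -> C:", trace(tables(), "pc_a", PC_C))          # forward path works
    print("C -> A:", trace(tables(), "pc_c", PC_A))          # reply dies at the ASA
    print("C -> A, option 1:", trace(tables(True), "pc_c", PC_A))
```

The forward direction succeeds because the v1910 is directly connected to 172.16.3.0/24; only the reply from computer C takes the detour through its default gateway.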
