lowah
asked on
vlan routing through 3750G connect to ASA inside to DMZ
I am trying to get the two stations, one connected to DMZ, and one connected to L3 switch to communicate.
I am at a loss of configuring that.
firewall.doc
ASKER
I cannot ping to 172.21.0.252. That is where I got stuck in setting up the routing.
Can you show me the routing table on the L3SW switch?
show ip route
Thanks
Darrell
ASKER
show ip route returns only the following:
172.20.0.0/24 is subnetted, 3 subnets
C 172.20.2.0 is directly connected, Vlan203
C 172.20.3.0 is directly connected, Vlan303
C 172.20.4.0 is directly connected, Vlan403
It did not show 172.21.0.0 network.
ASKER
I set up the incoming vlan 203 port on L3 as follows:
switchport access vlan 203
switchport trunk encapsulation dot1q
switchport mode access
from L3 outgoing port to ASA
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 203
switchport mode trunk
I think this is where I am not sure if that is correct.
ASKER
Does the outgoing port from L3 to ASA need to be no switchport so I can assign ip address of 172.21.0.253? Thanks.
Are you trunking on your firewall? I doubt that your link should be a trunk port to your firewall (unless you know for sure that you are trunking).
The 172.21.0.253 IP address should be bound to the vlan interface you created on the L3SW.
Example:
interface Vlan203
description vlan 203 subnet
ip address 172.21.0.253 255.255.255.0
no shut
then on the port that connects to the firewall I would configure it like:
int <port>
desc Connection to Firewall
switchport mode access
switchport access vlan 203
Things will change a bit if you indeed are trunking on the ASA.
It may be helpful for you to post the full config of your L3SW and include an output of "show vlan".
Darrell
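The design Darrell describes above (one SVI per segment, the link to the ASA as a plain access port in its own transit VLAN, no trunk), written out as a complete 3750G configuration. This is an added example, not the configuration anyone posted in this thread. VLAN 901 as the transit VLAN and the .253 addresses on VLANs 303 and 403 are assumptions; the thread only names the 172.20.3.0/24 and 172.20.4.0/24 prefixes.

```cisco
! L3SW (Catalyst 3750G) -- added example, not the configuration posted in this thread.
! Assumptions: VLAN 901 is unused and becomes the switch-to-ASA transit segment;
! the .253 addresses on VLANs 303 and 403 are hypothetical.
ip routing
!
vlan 203
 name STATIONS-203
vlan 303
 name NET-303
vlan 403
 name NET-403
vlan 901
 name ASA-INSIDE-LINK
!
interface Vlan203
 description 172.20.2.0/24 station segment
 ip address 172.20.2.253 255.255.255.0
 no shutdown
!
interface Vlan303
 ip address 172.20.3.253 255.255.255.0
 no shutdown
!
interface Vlan403
 ip address 172.20.4.253 255.255.255.0
 no shutdown
!
interface Vlan901
 description transit segment to ASA INSIDE (172.21.0.252)
 ip address 172.21.0.253 255.255.255.0
 no shutdown
!
! Link to the ASA: an access port in the transit VLAN only. No trunk, so the
! firewall sees exactly one segment and no other VLAN can ride this link.
interface GigabitEthernet0/10
 description to ASA INSIDE
 switchport mode access
 switchport access vlan 901
 spanning-tree portfast
!
interface GigabitEthernet0/1
 description station 172.20.2.51
 switchport mode access
 switchport access vlan 203
 spanning-tree portfast
!
! Anything the switch has no route for (the DMZ, the outside) goes to the ASA.
ip route 0.0.0.0 0.0.0.0 172.21.0.252
```

Note the security consequence of this layout: traffic between VLANs 203, 303 and 403 is routed on the switch itself and never crosses the ASA; only traffic that matches the default route (for example, anything destined for the DMZ) is inspected by the firewall. If those inside segments need to be separated from each other, that has to be done with ACLs on the switch or by a different design, not by the ASA.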
ASKER
I need to do trunking for the other vlan 303, and 403 later.
I already setup on ASA with subinterface for vlan 203.
I am just not sure about the port configuration for L3 that connects to ASA.
I am not at work now, but will later. I will send config when I get there.
Thanks.
ASKER
Here's the config. I am sure I am not configuring correctly.
L3-capture.TXT
ASKER
I think I need to start over. I need to connect from 172.20.2.51 connect to a L2, then L3, through ASA to get to L2 that connects to 172.20.2.68.
ASKER
Darrell,
Is today not a good day to get answers?
Please let me know if that is so.
Thanks.
From the switch are you able to ping the firewall?
For your connection to the firewall you set up a routed interface. I normally do not do that in those types of configs. Why did you not set up a VLAN for the 172.21.0.0/24 segment and just place the connection to the firewall as an access port?
If it were me setting this up, I would have all the segments as VLANs, and the connection to the ASA I would set up as an access port. You mentioned earlier you will eventually trunk to the ASA, but I am not sure at this point that I see the value in doing that.
ASKER
I removed the subinterface from firewall, now I can ping from DMZ L2 switch to firewall.
What you said is I should setup another vlan (vlan 2) and set that as an access port in addition to the existing vlan 203 that I tried to route, is that correct?
Does that mean that I need to setup subinterface on firewall so I can add vlan to each port, vlan 2 to INSIDE?
I also need to remove router RIP for network 172.20.2.0 and 172.21.0.0, is that correct?
Thanks.
ASKER
L2 conf on DMZ side
interface GigabitEthernet0/1
switchport access vlan 2
switchport mode access
interface Vlan2
ip address 172.20.2.81 255.255.255.0
no ip route-cache
ASA
interface Ethernet0/1
nameif DMZ
security-level 50
ip address 172.20.2.254 255.255.255.0
interface Ethernet0/2
nameif INSIDE
security-level 100
ip address 172.21.0.252 255.255.255.0
L3 switch connect to INSIDE of ASA
interface GigabitEthernet0/1
desc from stations 51
switchport access vlan 203
switchport mode access
interface GigabitEthernet0/10
desc to ASA
switchport access vlan 901
switchport mode access
interface Vlan203
ip address 172.20.2.253 255.255.255.0
no ip route-cache
interface Vlan901
ip address 172.21.0.253 255.255.255.0
no ip route-cache
Will that do it?
Thanks.
ASKER
I can now ping from 172.20.2.51 to 172.21.0.252
and ping from 172.20.2.68 to 172.20.2.254
Odd - I posted a follow-up question last night but it is not showing.
Lowah,
What is the next issue we need to tackle? Access to the DMZ?
Darrell
ASKER
Yes, the DMZ is the next issue.
Can you provide me an updated "show ip route"? In the layer 3 config you posted above I saw you had a default route. Is that still present?
ASKER
PCNL3SW902#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
172.21.0.0/24 is subnetted, 1 subnets
C 172.21.0.0 is directly connected, Vlan2
172.20.0.0/24 is subnetted, 3 subnets
C 172.20.2.0 is directly connected, Vlan203
C 172.20.3.0 is directly connected, Vlan303
C 172.20.4.0 is directly connected, Vlan403
Okay, it appears as if your default route is missing. You should put in a route as follows on the L3 switch:
ip route 0.0.0.0 0.0.0.0 172.21.0.252
After you add that route can you provide an updated show ip route
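The default route above gets packets from the switch to the ASA; what the thread does not yet show is the ASA side, which is where "access to the DMZ" is actually decided. The ASA only knows its two connected networks, so it needs static routes back to every segment behind the L3SW via 172.21.0.253, and since the DMZ interface is security-level 50 and INSIDE is 100, INSIDE to DMZ is permitted by default but DMZ to INSIDE is denied until an access-list allows it. One caveat first, taken from the configurations posted in this thread: the ASA's DMZ interface (172.20.2.254/24) and the L3SW's Vlan203 (172.20.2.253/24) carry the same 172.20.2.0/24 prefix, with station .51 on the switch side and station .68 on the DMZ side. Hosts in the same /24 never send to a gateway to reach each other, and the ASA's connected route for 172.20.2.0/24 on DMZ will always win over a static route pointing at the switch, so with those addresses the two stations cannot talk through the firewall no matter what routes or ACLs are added. The example below is therefore an added example, not anything posted in the thread, and it assumes the inside station segment has been renumbered to a hypothetical 172.20.5.0/24 (station .51 becoming 172.20.5.51) and that nat-control is disabled, which is the ASA default, so no NAT statements are needed between these private ranges.

```cisco
! ASA -- added example, not the configuration posted in this thread.
! Assumptions: the inside station segment is renumbered to the hypothetical
! 172.20.5.0/24 (Vlan203 on the L3SW becomes 172.20.5.253/24, station 51 becomes
! 172.20.5.51); nat-control is disabled (the default), so no NAT is required.
interface Ethernet0/1
 nameif DMZ
 security-level 50
 ip address 172.20.2.254 255.255.255.0
 no shutdown
!
interface Ethernet0/2
 nameif INSIDE
 security-level 100
 ip address 172.21.0.252 255.255.255.0
 no shutdown
!
! Return routes. The ASA only knows its connected networks; every segment behind
! the L3SW must point at the switch's transit address, otherwise replies to inside
! hosts have no route (or leave via the outside default route).
route INSIDE 172.20.5.0 255.255.255.0 172.21.0.253
route INSIDE 172.20.3.0 255.255.255.0 172.21.0.253
route INSIDE 172.20.4.0 255.255.255.0 172.21.0.253
!
! INSIDE (100) -> DMZ (50) is allowed by default (higher to lower security).
! DMZ (50) -> INSIDE (100) is denied by default; permit only what the DMZ host
! needs. Hypothetical: tcp/443 from station .68 to station .51, nothing else.
access-list DMZ_IN extended permit tcp host 172.20.2.68 host 172.20.5.51 eq 443
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface DMZ
!
! Ping tests from inside to the DMZ will fail on the echo-reply unless ICMP is
! tracked statefully; enabling the ICMP inspection engine in the default
! global policy takes care of that without opening ICMP from the DMZ inbound.
policy-map global_policy
 class inspection_default
  inspect icmp
```

Two things worth checking once this is in place: "show route" on the ASA should list the three static routes via 172.21.0.253 alongside the connected DMZ and INSIDE networks, and "show access-list DMZ_IN" hit counts will tell you whether a DMZ-to-inside connection is being dropped by the explicit deny (logged) rather than by a missing route. Keep the DMZ-to-inside rule as narrow as the application allows; the point of the DMZ is that a compromised host there has the smallest possible path back into 172.21.0.0/24 and the inside VLANs.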
ASKER
Gateway of last resort is 172.21.0.252 to network 0.0.0.0
172.21.0.0/24 is subnetted, 1 subnets
C 172.21.0.0 is directly connected, Vlan2
172.20.0.0/24 is subnetted, 3 subnets
C 172.20.2.0 is directly connected, Vlan203
C 172.20.3.0 is directly connected, Vlan303
C 172.20.4.0 is directly connected, Vlan403
S* 0.0.0.0/0 [1/0] via 172.21.0.252
ASKER CERTIFIED SOLUTION
This solution is only available to members of Experts Exchange.
Let me know,
Darrell