Solved

Routing between Vlans

Posted on 2008-09-29
Last Modified: 2008-12-27
Setup:

VLAN1: 192.168.8.0 255.255.252.0
VLAN2: 192.168.100.0 255.255.252.0

On VLAN 1:
  Default Gateway is 192.168.10.2 (Cisco ASA 5510)
    or 192.168.10.1 (Cisco 2611)

On VLAN 2:
   Default Gateway is 192.168.100.1 (Cisco 3560) (VLAN1 IP 192.168.11.10)


I've configured the Cisco 3560 to route 0.0.0.0 traffic to 192.168.10.2.

I've configured the Cisco 2611 to Route 192.168.100.0 traffic to 192.168.11.10 (Cisco 3560)

I've configured the Cisco ASA 5510 to route 192.168.100.0 traffic to 192.168.11.10, however:

On VLAN 1, when using 10.1 (Cisco 2611) as my def. gateway everything works.  However, when using 10.2 (Cisco ASA 5510) as the def. gateway I cannot see the 192.168.100.0 network.

From the CLI of the ASA 5510 I can ping the 100.0 network without issue.  However, I cannot see the 100.0 network from any workstations or servers that use 10.2 as their def. gateway.

On the ASA 5510 I added the command:

route inside 192.168.100.0 255.255.252.0 192.168.11.10 1

Any suggestions?

Andrew
Question by:ARSCO
16 Comments
 
LVL 13

Expert Comment

by:Quori
ID: 22600531
Able to provide running configs, stripped of passwords and any sensitive info, please?
0
 
LVL 32

Expert Comment

by:harbor235
ID: 22603874


The 3560 IP address for vlan 1 is not in the same IP block as the other VLAN 1 IP assignments for the ASA and the 2611.  The other thing is that if you route traffic to the inside interface of the firewall and that traffic is sourced from a network that is different from the inside interface IP range it is not going to like it.
Remember, the inside interface is trusted not some other IP range. Turn off reverse path forwarding if you have it on, turn up logging to see why it does not like it.

from config mode
logging on
logging buffered informational

View the logs, it will tell you why it is blocking

To turn off reverse path forwarding;

no ip verify reverse-path interface inside

harbor235 ;}
0
 

Author Comment

by:ARSCO
ID: 22604817
Ok I turned on logging and when I try to ping I get this message:

Deny inbound icmp src inside 192.168.10.240 dst inside 192.168.100.1 (type 8, code 0)

I'm guessing I need to modify the firewall some how, but I don't know how.

Thanks in advance,

Andrew
0
 
LVL 32

Expert Comment

by:harbor235
ID: 22604837
To turn off reverse path forwarding;

no ip verify reverse-path interface inside

harbor235 ;}
0
 

Author Comment

by:ARSCO
ID: 22604865
Sorry forgot to mention I did that.  Still not working.

Andrew
0
 
LVL 32

Expert Comment

by:harbor235
ID: 22604906

Do you have an access-list configured on the inside interface? POST it please if there is one

harbor235 ;}
0
 
LVL 32

Expert Comment

by:harbor235
ID: 22604926


Also, do you have a route for the 192.168.100.0 network on the ASA? It also may be complaining if there is no route back.

harbor235 ;}
0
 

Author Comment

by:ARSCO
ID: 22605017
Here is the running conf of the ASA 5510.

Andrew
: Saved
:
ASA Version 7.0(7) 
!
hostname CISCO-ASA
domain-name DOMAIN.Local
 
names
dns-guard
!
interface Ethernet0/0
 description Time Warner
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.119 255.0.0.0 
!
interface Ethernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 description DOMAIN.Local
 nameif inside
 security-level 100
 ip address 192.168.10.2 255.255.252.0 
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
 
clock timezone EST -5
clock summer-time EDT recurring
object-group service WEB_ACCESS tcp
 port-object eq www
 port-object eq https
object-group service ASMITH tcp
 port-object eq 22144
 port-object eq 7176
access-list inside_pnat_inbound extended permit ip any any 
access-list out extended permit tcp any host xxx.xxx.xxx.126 eq smtp 
access-list out extended permit tcp any host xxx.xxx.xxx.117 object-group WEB_ACCESS 
access-list out extended permit gre any host xxx.xxx.xxx.118 
access-list out extended permit tcp any host xxx.xxx.xxx.118 eq pptp 
access-list out extended permit tcp any host xxx.xxx.xxx.120 object-group WEB_ACCESS 
access-list out extended permit tcp any host xxx.xxx.xxx.121 object-group WEB_ACCESS 
access-list out extended permit tcp any host xxx.xxx.xxx.122 object-group WEB_ACCESS 
access-list out extended permit icmp any any 
access-list out extended permit gre any host xxx.xxx.xxx.124 
access-list out extended permit tcp any host xxx.xxx.xxx.124 object-group ASMITH 
pager lines 24
logging enable
logging timestamp
logging monitor debugging
logging buffered informational
logging asdm informational
logging from-address it@domain.com
logging recipient-address it@domain.com level errors
mtu outside 1500
mtu inside 1500
mtu management 1500
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 200 interface
nat (inside) 10 access-list inside_pnat_inbound outside
nat (inside) 200 0.0.0.0 0.0.0.0
static (inside,outside) xxx.xxx.xxx.124 192.168.10.240 netmask 255.255.255.255 
static (inside,outside) xxx.xxx.xxx.126 192.168.10.15 netmask 255.255.255.255 
static (inside,outside) xxx.xxx.xxx.117 192.168.10.10 netmask 255.255.255.255 
static (inside,outside) xxx.xxx.xxx.118 192.168.10.20 netmask 255.255.255.255 
static (inside,outside) xxx.xxx.xxx.120 192.168.10.32 netmask 255.255.255.255 
static (inside,outside) xxx.xxx.xxx.121 192.168.10.31 netmask 255.255.255.255 
static (inside,outside) xxx.xxx.xxx.122 192.168.10.33 netmask 255.255.255.255 
access-group out in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.113 1
route inside 192.168.100.0 255.255.252.0 192.168.11.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
!
!
aaa authentication ssh console LOCAL 
http server enable
http 192.168.8.0 255.255.252.0 inside
http 192.168.10.56 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.8.0 255.255.252.0 inside
ssh timeout 60
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
ntp server 192.168.10.24
smtp-server 192.168.10.10
Cryptochecksum:7af7b76f5fe3e8daee67cfd1518d5166
: end
0
 
LVL 32

Expert Comment

by:harbor235
ID: 22605660
ok,

Deny inbound icmp src inside 192.168.10.240 dst inside 192.168.100.1 (type 8, code 0)

So this says that on the inside interface the ASA received an icmp packet sourced from 192.168.10.240
and that the destination was 192.168.100.1. It looks like 192.168.10.240 is misconfigured; shouldn't this guy point to 192.168.11.10 for the 192.168.100.0/22 network? 192.168.10.240 has its default route or that specific route misconfigured. This route for the 192.168.100.0/22 network is pointing to 192.168.11.10; I assume this is correct.

harbor235 ;}
0
 

Author Comment

by:ARSCO
ID: 22606562
10.240 (My Computer) has a def. gateway of 192.168.10.2 (ASA 5510).  Obviously 10.240 does not know where the 192.168.100.0/22 network is; so it sends the request to 10.2; which in theory should forward the request to 192.168.11.10.

However as the error message states the ASA 5510 is denying the request.

The router for the 192.168.100.0/22 network is a 3560 at ip 192.168.11.10 with VLAN routing enabled.

Andrew
0
 
LVL 32

Assisted Solution

by:harbor235
harbor235 earned 500 total points
ID: 22606714

That's not how a firewall works or how a router should work. A router will send an icmp redirect; however, it is still a kludge or misconfiguration. The 192.168.100.0/22 network is reachable via 192.168.11.10, which is on the same network as 192.168.10.2. 192.168.10.240 should route to 192.168.11.10 for the network 192.168.100.0/22; why be less efficient and go up and then back down? It makes no sense. Add a specific route for 192.168.100.0/22 pointing to 192.168.11.10 like this;

route -p add 192.168.100.0 mask 255.255.252.0 192.168.11.10

harbor235 ;}
0
 

Author Comment

by:ARSCO
ID: 22606862
Are you adding this route to an individual workstation?  I know I can do this and have done it to make sure it's not a problem with the 3560 routing.  Works fine.

However this is highly inefficient to do on a domain wide basis, unless I am missing something, like a really easy way to do this domain wide?
0
 
LVL 32

Accepted Solution

by:
harbor235 earned 500 total points
ID: 22607095


I understand; however, you have to remember a firewall does not behave like a router: if a packet is sourced from a network different than the interface it arrived on (exception: the outside interface, which is considered untrusted), the firewall will not like it. It most certainly is not going to send a redirect to the originating host telling it where to go; the firewall is a security device.

So yes, add it to the workstation, or replace the firewall with a router and move the firewall up. Even though you could make it work with a router, I still would never approach it like that. You want traffic flow to be efficient.

Hope all this helps;

harbor235 ;}

0
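As an added example (not code from the thread, the author, or Cisco), the following Python script parses the interface and route lines of the ASA config posted above, resolves the ingress and egress interface for the flow in the logged "Deny inbound icmp src inside ... dst inside ..." message, and flags it as a same-interface (hairpin) flow, which is the condition behind the deny. The outside addresses are constructed placeholders, since the post masked them.

```python
import ipaddress
import re

# Constructed excerpt of the ASA config posted in the thread; outside addresses
# are placeholders because the post masked them (xxx.xxx.xxx.N).
ASA_CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address 203.0.113.119 255.255.255.0
interface Ethernet0/2
 nameif inside
 ip address 192.168.10.2 255.255.252.0
route outside 0.0.0.0 0.0.0.0 203.0.113.113 1
route inside 192.168.100.0 255.255.252.0 192.168.11.10 1
"""
# The syslog line the author saw after turning on logging.
DENY_LOG = ("Deny inbound icmp src inside 192.168.10.240 "
            "dst inside 192.168.100.1 (type 8, code 0)")
DENY_RE = re.compile(r"Deny inbound (\w+) src (\w+) (\S+) dst (\w+) (\S+)")

def parse_config(text):
    """connected: nameif -> interface subnet; routes: (nameif, prefix, next hop)."""
    connected, routes, nameif = {}, [], None
    for tok in (line.split() for line in text.splitlines()):
        if tok[:1] == ["nameif"]:
            nameif = tok[1]
        elif tok[:2] == ["ip", "address"] and nameif:
            connected[nameif] = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
        elif tok[:1] == ["route"]:
            routes.append((tok[1], ipaddress.ip_network(f"{tok[2]}/{tok[3]}"), tok[4]))
    return connected, routes

def egress(connected, routes, dst):
    """Longest-prefix match; next hop is None for a directly connected destination."""
    dst = ipaddress.ip_address(dst)
    cands = [(n, i, None) for i, n in connected.items()] + [(n, i, g) for i, n, g in routes]
    best = max((c for c in cands if dst in c[0]), key=lambda c: c[0].prefixlen)
    return best[1], best[2]

def classify(text, src, dst):
    """'hairpin' when the flow enters and leaves on the same nameif (what this
    ASA 7.0 config denies by default), otherwise 'transit'."""
    connected, routes = parse_config(text)
    in_if = next(i for i, n in connected.items() if ipaddress.ip_address(src) in n)
    return "hairpin" if in_if == egress(connected, routes, dst)[0] else "transit"

def explain_deny(text, log_line):
    """Tie a 'Deny inbound ... src <if> <ip> dst <if> <ip>' line to the routing outcome."""
    proto, src_if, src, dst_if, dst = DENY_RE.search(log_line).groups()
    return {"proto": proto, "logged_ifs": (src_if, dst_if), "flow": classify(text, src, dst)}
```

Running `explain_deny(ASA_CONFIG, DENY_LOG)` reports the flow as a hairpin on the inside interface, matching the accepted answer's point that the workstation should reach 192.168.11.10 directly rather than via the firewall.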
 

Author Comment

by:ARSCO
ID: 22607640
Another option that would work is to make VLAN 1 workstations def. gateway 192.168.11.10.

Thanks for the help.
0
 
LVL 32

Expert Comment

by:harbor235
ID: 22607738

Correct, I assumed that you wanted all other traffic going to the firewall and only 192.168.100.0/22 traffic going in the other direction

harbor235 ;}
0
 

Author Comment

by:ARSCO
ID: 22607766
Well 192.168.11.10 has a default gateway of 192.168.10.2 so, it's just another "step" for the 192.168.8.0/22 network.  Just need to think about placement of the device, because if it goes down, it takes all internet traffic down.

Andrew
0
