Solved

Routing between Vlans

Posted on 2008-09-29
Last Modified: 2008-12-27
Setup:

VLAN1: 192.168.8.0 255.255.252.0
VLAN2: 192.168.100.0 255.255.252.0

On VLAN 1:
  Default Gateway is 192.168.10.2 (Cisco ASA 5510)
    or 192.168.10.1 (Cisco 2611)

On VLAN 2:
   Default Gateway is 192.168.100.1 (Cisco 3560) (VLAN1 IP 192.168.11.10)


I've configured the Cisco 3560 to route 0.0.0.0 traffic to 192.168.10.2.

I've configured the Cisco 2611 to route 192.168.100.0 traffic to 192.168.11.10 (Cisco 3560).

I've configured the Cisco ASA 5510 to route 192.168.100.0 traffic to 192.168.11.10, however:

On VLAN 1, when using 10.1 (Cisco 2611) as my def. gateway everything works. However, when using 10.2 (Cisco ASA 5510) as the def. gateway I cannot see the 192.168.100.0 network.

From the CLI of the ASA 5510 I can ping the 100.0 network without issue. However, I cannot see the 100.0 network from any workstations or servers that use 10.2 as their def. gateway.

On the ASA 5510 I added the command:

route inside 192.168.100.0 255.255.252.0 192.168.11.10 1

Any suggestions?

Andrew
Question by:ARSCO
16 Comments
 
LVL 13

Expert Comment

by:Quori
ID: 22600531
Able to provide running configs, stripped of passwords and any sensitive info, please?
0
 
LVL 32

Expert Comment

by:harbor235
ID: 22603874


The 3560 IP address for VLAN 1 is not in the same IP block as the other VLAN 1 IP assignments for the ASA and the 2611. The other thing is that if you route traffic to the inside interface of the firewall and that traffic is sourced from a network that is different from the inside interface IP range, it is not going to like it.
Remember, the inside interface is trusted, not some other IP range. Turn off reverse path forwarding if you have it on, and turn up logging to see why it does not like it.

from config mode
logging on
logging buffered informational

View the logs; they will tell you why it is blocking.

To turn off reverse path forwarding:

no ip verify reverse-path interface inside

harbor235 ;}
0
 

Author Comment

by:ARSCO
ID: 22604817
OK, I turned on logging, and when I try to ping I get this message:

Deny inbound icmp src inside 192.168.10.240 dst inside 192.168.100.1 (type 8, code 0)

I'm guessing I need to modify the firewall somehow, but I don't know how.

Thanks in advance,

Andrew
0
 
LVL 32

Expert Comment

by:harbor235
ID: 22604837
To turn off reverse path forwarding:

no ip verify reverse-path interface inside

harbor235 ;}
0
 

Author Comment

by:ARSCO
ID: 22604865
Sorry, forgot to mention I did that. Still not working.

Andrew
0
 
LVL 32

Expert Comment

by:harbor235
ID: 22604906

Do you have an access-list configured on the inside interface? POST it please if there is one.

harbor235 ;}
0
 
LVL 32

Expert Comment

by:harbor235
ID: 22604926


Also, do you have a route for the 192.168.100.0 network on the ASA? It also may be complaining if there is no route back.

harbor235 ;}
0
 

Author Comment

by:ARSCO
ID: 22605017
Here is the running conf of the ASA 5510.

Andrew
: Saved
:
ASA Version 7.0(7)
!
hostname CISCO-ASA
domain-name DOMAIN.Local
names
dns-guard
!
interface Ethernet0/0
 description Time Warner
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.119 255.0.0.0
!
interface Ethernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 description DOMAIN.Local
 nameif inside
 security-level 100
 ip address 192.168.10.2 255.255.252.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
clock timezone EST -5
clock summer-time EDT recurring
object-group service WEB_ACCESS tcp
 port-object eq www
 port-object eq https
object-group service ASMITH tcp
 port-object eq 22144
 port-object eq 7176
access-list inside_pnat_inbound extended permit ip any any
access-list out extended permit tcp any host xxx.xxx.xxx.126 eq smtp
access-list out extended permit tcp any host xxx.xxx.xxx.117 object-group WEB_ACCESS
access-list out extended permit gre any host xxx.xxx.xxx.118
access-list out extended permit tcp any host xxx.xxx.xxx.118 eq pptp
access-list out extended permit tcp any host xxx.xxx.xxx.120 object-group WEB_ACCESS
access-list out extended permit tcp any host xxx.xxx.xxx.121 object-group WEB_ACCESS
access-list out extended permit tcp any host xxx.xxx.xxx.122 object-group WEB_ACCESS
access-list out extended permit icmp any any
access-list out extended permit gre any host xxx.xxx.xxx.124
access-list out extended permit tcp any host xxx.xxx.xxx.124 object-group ASMITH
pager lines 24
logging enable
logging timestamp
logging monitor debugging
logging buffered informational
logging asdm informational
logging from-address it@domain.com
logging recipient-address it@domain.com level errors
mtu outside 1500
mtu inside 1500
mtu management 1500
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 200 interface
nat (inside) 10 access-list inside_pnat_inbound outside
nat (inside) 200 0.0.0.0 0.0.0.0
static (inside,outside) xxx.xxx.xxx.124 192.168.10.240 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.126 192.168.10.15 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.117 192.168.10.10 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.118 192.168.10.20 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.120 192.168.10.32 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.121 192.168.10.31 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.122 192.168.10.33 netmask 255.255.255.255
access-group out in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.113 1
route inside 192.168.100.0 255.255.252.0 192.168.11.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
!
!
aaa authentication ssh console LOCAL
http server enable
http 192.168.8.0 255.255.252.0 inside
http 192.168.10.56 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.8.0 255.255.252.0 inside
ssh timeout 60
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
ntp server 192.168.10.24
smtp-server 192.168.10.10
Cryptochecksum:7af7b76f5fe3e8daee67cfd1518d5166
: end


0

 
LVL 32

Expert Comment

by:harbor235
ID: 22605660
OK,

Deny inbound icmp src inside 192.168.10.240 dst inside 192.168.100.1 (type 8, code 0)

So this says that on the inside interface the ASA received an ICMP packet sourced from 192.168.10.240
and that the destination was 192.168.100.1. Looks like 192.168.10.240 is misconfigured; shouldn't this guy point to 192.168.11.10 for the 192.168.100.0/22 network? 192.168.10.240 has its default route or that specific route misconfigured. This route for the 192.168.100.0/22 network is pointing to 192.168.11.10; I assume this is correct.

harbor235 ;}
0
 

Author Comment

by:ARSCO
ID: 22606562
10.240 (my computer) has a def. gateway of 192.168.10.2 (ASA 5510). Obviously 10.240 does not know where the 192.168.100.0/22 network is, so it sends the request to 10.2, which in theory should forward the request to 192.168.11.10.

However as the error message states the ASA 5510 is denying the request.

The router for the 192.168.100.0/22 network is a 3560 at ip 192.168.11.10 with VLAN routing enabled.

Andrew
0
 
LVL 32

Assisted Solution

by:harbor235
harbor235 earned 500 total points
ID: 22606714

That's not how a firewall works or how a router should work. A router will send an ICMP redirect; however, it is still a kludge or misconfiguration. The 192.168.100.0/22 network is reachable via 192.168.11.10, which is on the same network as 192.168.10.2. 192.168.10.240 should route to 192.168.11.10 for the network 192.168.100.0/22; why be less efficient and go up and then back down? Makes no sense. Add a specific route for 192.168.100.0/22 pointing to 192.168.11.10 like this:

route -p add 192.168.100.0 mask 255.255.252.0 192.168.11.10

harbor235 ;}
0
 

Author Comment

by:ARSCO
ID: 22606862
Are you adding this route to an individual workstation? I know I can do this, and have done it to make sure it's not a problem with the 3560 routing. Works fine.

However, this is highly inefficient to do on a domain-wide basis, unless I am missing something, like a really easy way to do this domain-wide?
0
 
LVL 32

Accepted Solution

by:
harbor235 earned 500 total points
ID: 22607095


I understand; however, you have to remember a firewall does not behave like a router. If a packet is sourced from a network different from the interface it arrived on (exception: the outside interface, which is considered untrusted), the firewall will not like it; it most certainly is not going to send a redirect to the originating host telling it where to go. The firewall is a security device.

So yes, add it to the workstation, or replace the firewall with a router and move the firewall up. Even though you could make it work with a router, I still would never approach it like that. You want traffic flow to be efficient.

Hope all this helps.

harbor235 ;}

0
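As an added example (not code from the thread or from Cisco), the Python below models the ASA's forwarding table from the posted running config, parses the quoted "Deny inbound" log line, and classifies it: when the destination's egress interface is the same interface the packet arrived on, the flow is a hairpin on the inside interface, which is the behaviour harbor235 describes, and the block derives the host-side route the thread recommends. The outside next hop is elided on the page, so a documentation-range placeholder (203.0.113.1) stands in for it.

```python
import ipaddress
import re
# Constructed model of the ASA's forwarding table, from the running config
# posted in the thread. The outside next hop is elided on the page, so
# 203.0.113.1 (a documentation address) stands in for it as a placeholder.
CONNECTED = {
    "outside": ipaddress.ip_network("203.0.113.0/24"),  # placeholder subnet
    "inside": ipaddress.ip_network("192.168.8.0/22"),   # 192.168.10.2/22
    "management": ipaddress.ip_network("192.168.1.0/24"),
}
STATIC_ROUTES = [  # (prefix, egress interface, next hop)
    (ipaddress.ip_network("192.168.100.0/22"), "inside", "192.168.11.10"),
    (ipaddress.ip_network("0.0.0.0/0"), "outside", "203.0.113.1"),  # placeholder
]
# Matches the ASA deny message quoted in the thread.
DENY_RE = re.compile(r"Deny inbound (?P<proto>\w+) src (?P<sif>\w+) (?P<src>[\d.]+) "
                     r"dst (?P<dif>\w+) (?P<dst>[\d.]+)")

def parse_deny(line):
    """Return the fields of a 'Deny inbound ...' line, or None if it is not one."""
    m = DENY_RE.search(line)
    return m.groupdict() if m else None

def egress(dst):
    """Longest-prefix match: (prefix, egress interface, next hop or None)."""
    addr = ipaddress.ip_address(dst)
    candidates = [(n, i, None) for i, n in CONNECTED.items()] + STATIC_ROUTES
    return max((c for c in candidates if addr in c[0]), key=lambda c: c[0].prefixlen)

def diagnose(line):
    """Classify a deny as 'hairpin' (egress == arrival interface) or 'transit'."""
    d = parse_deny(line)
    if d is None:
        return None
    prefix, out_if, nh = egress(d["dst"])
    kind = "hairpin" if out_if == d["sif"] else "transit"
    return {"kind": kind, "prefix": str(prefix), "out_if": out_if, "next_hop": nh}

def host_route_fix(line):
    """For a hairpin, the thread's fix: a persistent Windows route on the host
    pointing straight at the next hop the ASA would otherwise have used."""
    r = diagnose(line)
    if r is None or r["kind"] != "hairpin":
        return None
    net = ipaddress.ip_network(r["prefix"])
    return f"route -p add {net.network_address} mask {net.netmask} {r['next_hop']}"

# Log line quoted in the thread, used as the sample input.
SAMPLE = "Deny inbound icmp src inside 192.168.10.240 dst inside 192.168.100.1 (type 8, code 0)"
```

Calling `host_route_fix(SAMPLE)` reproduces the `route -p add` command given in the accepted answer; a deny whose destination leaves via outside is reported as transit instead.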
 

Author Comment

by:ARSCO
ID: 22607640
Another option that would work is to make the VLAN 1 workstations' def. gateway 192.168.11.10.

Thanks for the help.
0
 
LVL 32

Expert Comment

by:harbor235
ID: 22607738

Correct. I assumed that you wanted all other traffic going to the firewall and only 192.168.100.0/22 traffic going in the other direction.

harbor235 ;}
0
 

Author Comment

by:ARSCO
ID: 22607766
Well, 192.168.11.10 has a default gateway of 192.168.10.2, so it's just another "step" for the 192.168.8.0/22 network. Just need to think about placement of the device, because if it goes down, it takes all internet traffic down.

Andrew
0
