ARSCO asked:

Routing between VLANs

Setup:

VLAN1: 192.168.8.0 255.255.252.0
VLAN2: 192.168.100.0 255.255.252.0

On VLAN 1:
  Default Gateway is 192.168.10.2 (Cisco ASA 5510)
    or 192.168.10.1 (Cisco 2611)

On VLAN 2:
   Default Gateway is 192.168.100.1(Cisco 3560) (VLAN1 IP 192.168.11.10)


I've configured the Cisco 3560 to route 0.0.0.0 traffic to 192.168.10.2.

I've configured the Cisco 2611 to route 192.168.100.0 traffic to 192.168.11.10 (Cisco 3560).

I've configured the Cisco ASA 5510 to route 192.168.100.0 traffic to 192.168.11.10, however:

On VLAN 1, when using 10.1 (Cisco 2611) as my def. gateway everything works.  However, when using 10.2 (Cisco ASA 5510) as the def. gateway I cannot see the 192.168.100.0 network.

From the CLI of the ASA 5510 I can ping the 100.0 network without issue.  However, I cannot see the 100.0 network from any workstation or server that uses 10.2 as its def. gateway.

On the ASA 5510 I added the command:

route inside 192.168.100.0 255.255.252.0 192.168.11.10 1

Any suggestions?

Andrew
Quori:

Able to provide running configs, stripped of passwords and any sensitive info, please?
harbor235:

The 3560 IP address for VLAN 1 is not in the same IP block as the other VLAN 1 IP assignments for the ASA and the 2611.  The other thing is that if you route traffic to the inside interface of the firewall and that traffic is sourced from a network that is different from the inside interface IP range, it is not going to like it.
Remember, the inside interface is trusted, not some other IP range. Turn off reverse path forwarding if you have it on, and turn up logging to see why it does not like it.

From config mode:
logging on
logging buffered informational

View the logs; they will tell you why it is blocking.

To turn off reverse path forwarding:

no ip verify reverse-path interface inside

harbor235 ;}
ARSCO (ASKER):

Ok I turned on logging and when I try to ping I get this message:

Deny inbound icmp src inside 192.168.10.240 dst inside 192.168.100.1 (type 8, code 0)

I'm guessing I need to modify the firewall somehow, but I don't know how.

Thanks in advance,

Andrew
To turn off reverse path forwarding;

no ip verify reverse-path interface inside

harbor235 ;}
ARSCO (ASKER):

Sorry forgot to mention I did that.  Still not working.

Andrew

Do you have an access-list configured on the inside interface? Post it please if there is one.

harbor235 ;}


Also, do you have a route for the 192.168.100.0 network on the ASA? It also may be complaining if there is no route back.

harbor235 ;}
ARSCO (ASKER):

Here is the running conf of the ASA 5510.

Andrew
: Saved
:
ASA Version 7.0(7) 
!
hostname CISCO-ASA
domain-name DOMAIN.Local
 
names
dns-guard
!
interface Ethernet0/0
 description Time Warner
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.119 255.0.0.0 
!
interface Ethernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 description DOMAIN.Local
 nameif inside
 security-level 100
 ip address 192.168.10.2 255.255.252.0 
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
 
clock timezone EST -5
clock summer-time EDT recurring
object-group service WEB_ACCESS tcp
 port-object eq www
 port-object eq https
object-group service ASMITH tcp
 port-object eq 22144
 port-object eq 7176
access-list inside_pnat_inbound extended permit ip any any 
access-list out extended permit tcp any host xxx.xxx.xxx.126 eq smtp 
access-list out extended permit tcp any host xxx.xxx.xxx.117 object-group WEB_ACCESS 
access-list out extended permit gre any host xxx.xxx.xxx.118 
access-list out extended permit tcp any host xxx.xxx.xxx.118 eq pptp 
access-list out extended permit tcp any host xxx.xxx.xxx.120 object-group WEB_ACCESS 
access-list out extended permit tcp any host xxx.xxx.xxx.121 object-group WEB_ACCESS 
access-list out extended permit tcp any host xxx.xxx.xxx.122 object-group WEB_ACCESS 
access-list out extended permit icmp any any 
access-list out extended permit gre any host xxx.xxx.xxx.124 
access-list out extended permit tcp any host xxx.xxx.xxx.124 object-group ASMITH 
pager lines 24
logging enable
logging timestamp
logging monitor debugging
logging buffered informational
logging asdm informational
logging from-address it@domain.com
logging recipient-address it@domain.com level errors
mtu outside 1500
mtu inside 1500
mtu management 1500
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 200 interface
nat (inside) 10 access-list inside_pnat_inbound outside
nat (inside) 200 0.0.0.0 0.0.0.0
static (inside,outside) xxx.xxx.xxx.124 192.168.10.240 netmask 255.255.255.255 
static (inside,outside) xxx.xxx.xxx.126 192.168.10.15 netmask 255.255.255.255 
static (inside,outside) xxx.xxx.xxx.117 192.168.10.10 netmask 255.255.255.255 
static (inside,outside) xxx.xxx.xxx.118 192.168.10.20 netmask 255.255.255.255 
static (inside,outside) xxx.xxx.xxx.120 192.168.10.32 netmask 255.255.255.255 
static (inside,outside) xxx.xxx.xxx.121 192.168.10.31 netmask 255.255.255.255 
static (inside,outside) xxx.xxx.xxx.122 192.168.10.33 netmask 255.255.255.255 
access-group out in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.113 1
route inside 192.168.100.0 255.255.252.0 192.168.11.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
!
!
aaa authentication ssh console LOCAL 
http server enable
http 192.168.8.0 255.255.252.0 inside
http 192.168.10.56 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.8.0 255.255.252.0 inside
ssh timeout 60
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
ntp server 192.168.10.24
smtp-server 192.168.10.10
Cryptochecksum:7af7b76f5fe3e8daee67cfd1518d5166
: end


OK,

Deny inbound icmp src inside 192.168.10.240 dst inside 192.168.100.1 (type 8, code 0)

So this says that on the inside interface the ASA received an ICMP packet sourced from 192.168.10.240
and that the destination was 192.168.100.1. It looks like 192.168.10.240 is misconfigured; shouldn't this guy point to 192.168.11.10 for the 192.168.100.0/22 network? 192.168.10.240 has its default route or that specific route misconfigured. This route for the 192.168.100.0/22 network is pointing to 192.168.11.10, which I assume is correct.

harbor235 ;}
ARSCO (ASKER):

10.240 (My Computer) has a def. gateway of 192.168.10.2 (ASA 5510).  Obviously 10.240 does not know where the 192.168.100.0/22 network is; so it sends the request to 10.2; which in theory should forward the request to 192.168.11.10.

However as the error message states the ASA 5510 is denying the request.

The router for the 192.168.100.0/22 network is a 3560 at ip 192.168.11.10 with VLAN routing enabled.

Andrew
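The exchange above comes down to one forwarding decision on the ASA: a packet arrives on `inside` from 192.168.10.240, the route for 192.168.100.0/22 points at 192.168.11.10, and 192.168.11.10 itself sits inside the `inside` subnet 192.168.8.0/22, so the ASA would have to send the packet back out the interface it came in on. The following is an added example, not code from the thread or from Cisco: it parses the "Deny inbound" log line the asker posted, models the ASA's interfaces and static routes from the posted running config (the masked `xxx.xxx.xxx.*` outside addresses are replaced by constructed 203.0.113.x placeholders), does a longest-prefix lookup, and flags the same-interface (hairpin) condition. The statement that an ASA does not forward traffic back out its ingress interface unless intra-interface traffic is permitted is general ASA behaviour, not something the thread states.

```python
"""Added example (not from the thread): model the ASA's forwarding decision
for the topology in the thread and explain the 'Deny inbound icmp src inside
... dst inside ...' log line.  Interface addresses and static routes are taken
from the posted running config; outside addresses are constructed placeholders
standing in for the masked xxx.xxx.xxx.* values."""
import ipaddress
import re

# Interfaces from the posted config.  203.0.113.119/8 is a placeholder for
# the masked 'xxx.xxx.xxx.119 255.0.0.0' outside address.
INTERFACES = {
    "outside": ipaddress.ip_interface("203.0.113.119/8"),
    "inside": ipaddress.ip_interface("192.168.10.2/22"),
    "management": ipaddress.ip_interface("192.168.1.1/24"),
}

# Static routes from the posted config as (prefix, next hop, egress interface).
# 203.0.113.113 is a placeholder for the masked xxx.xxx.xxx.113 default gateway.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "203.0.113.113", "outside"),
    (ipaddress.ip_network("192.168.100.0/22"), "192.168.11.10", "inside"),
]

# The log line the asker posted, embedded here as sample input.
LINE = ("Deny inbound icmp src inside 192.168.10.240 "
        "dst inside 192.168.100.1 (type 8, code 0)")

LOG_RE = re.compile(
    r"Deny inbound (?P<proto>\w+) src (?P<src_if>\w+) (?P<src>[\d.]+) "
    r"dst (?P<dst_if>\w+) (?P<dst>[\d.]+)"
)


def parse_deny(line):
    """Extract protocol, interfaces and addresses from an ASA 'Deny inbound' message."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def interface_for(addr):
    """Return the interface whose connected subnet contains addr, or None."""
    ip = ipaddress.ip_address(addr)
    for name, iface in INTERFACES.items():
        if ip in iface.network:
            return name
    return None


def lookup(dst):
    """Longest-prefix match over connected subnets and static routes.

    Returns (prefix length, next hop or None if directly connected, interface)."""
    ip = ipaddress.ip_address(dst)
    best = None
    for name, iface in INTERFACES.items():
        if ip in iface.network:
            cand = (iface.network.prefixlen, None, name)
            if best is None or cand[0] > best[0]:
                best = cand
    for net, nh, name in ROUTES:
        if ip in net:
            cand = (net.prefixlen, nh, name)
            if best is None or cand[0] > best[0]:
                best = cand
    return best


def explain(line):
    """Describe the forwarding decision behind a logged 'Deny inbound' packet."""
    fields = parse_deny(line)
    if fields is None:
        return None
    _, next_hop, egress = lookup(fields["dst"])
    return {
        "ingress": fields["src_if"],
        "egress": egress,
        "next_hop": next_hop,
        # Egress == ingress: the ASA would have to hairpin the packet back out
        # the interface it arrived on, which it refuses to do by default.
        "hairpin": egress == fields["src_if"],
        # The next hop is a host on the ingress subnet, so the sending host
        # could have reached it directly without involving the firewall.
        "next_hop_on_ingress_subnet": (
            next_hop is not None and interface_for(next_hop) == fields["src_if"]
        ),
    }


if __name__ == "__main__":
    for key, value in explain(LINE).items():
        print(f"{key}: {value}")
```

`explain(LINE)` reports ingress and egress both as `inside`, next hop 192.168.11.10, and `hairpin` true: the route is fine, but it sends the packet back out `inside`. `interface_for("192.168.11.10")` also returns `inside`, i.e. the 3560's VLAN 1 address lies within 192.168.8.0/22, so hosts on VLAN 1 can reach it directly, which is why a per-host route for 192.168.100.0/22 via 192.168.11.10 (or using 192.168.11.10 as the default gateway) works without the ASA ever seeing that traffic.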
SOLUTION (harbor235)
ARSCO (ASKER):

Are you adding this route to an individual workstation?  I know I can do this and have done it to make sure it's not a problem with the 3560 routing.  Works fine.

However this is highly inefficient to do on a domain wide basis, unless I am missing something, like a really easy way to do this domain wide?
ASKER CERTIFIED SOLUTION
ARSCO (ASKER):

Another option that would work is to make VLAN 1 workstations def. gateway 192.168.11.10.

Thanks for the help.

Correct. I assumed that you wanted all other traffic going to the firewall and only 192.168.100.0/22 traffic going in the other direction.

harbor235 ;}
ARSCO (ASKER):

Well, 192.168.11.10 has a default gateway of 192.168.10.2, so it's just another "step" for the 192.168.8.0/22 network.  I just need to think about placement of the device, because if it goes down, it takes all internet traffic down.

Andrew