Solved

ASA5520 trunking problem

Posted on 2010-09-23
Last Modified: 2012-06-27
We're moving to a different firewall set and I'm trying to set up a connection from an inside host to a remote server.
The inside host can ping, but gets a "remote host not responding" error when using a browser from inside the network.
When I connect a laptop directly into a switchport in the correct vlan outside the firewall I can connect to the http page of the remote server.
I've done packet traces and spanned the connections from the router and confirmed that ACK packets are being sent back from the remote server to the correct NAT'd address on the FW, but ASDM and logs show that the ACKs are not reaching the FW.
I think the problem is to do with the trunking between the ASA and the switch uplinks but from reading all the blurb it looks ok to me.
I do need the trunking to work as additional sub-ints will be coming on line soon, can anyone help?
I've included a diagram, the FW config and some diags from both the switch and the ASA.
I've had some experience with PIX and ASA but this is the first time I've used trunking and sub-ints on the ASA - what have I done wrong?
Attachments: EE-Diag.vsd, Gateway-FW-Config.txt
Question by:NPA_ICT
4 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 33749829
Where is the VLan 903 L3 interface? On the router?
Is the 3rd switch in the middle trunked to the router?
Can you post the config from the switch port that connects to the ASA's ?

Probably need to see the config of the router xx.xx.98.177 also.

So, when you connect to either one of the 2 switches in a vlan 903 port (access port?), with an IP address xx.xx.98.yy, default gateway of xx.xx.98.177, you can then browse xx.xx.10.24 ?
 
LVL 79

Expert Comment

by:lrmoore
ID: 33749837
>route Gateway xx.xx.0.0 255.255.0.0 xx.xx.98.177 1

Also, make sure that this mask is correct to match the server
Try it with a default route:
 route Gateway 0.0.0.0 0.0.0.0 xx.xx.98.177
 

Author Comment

by:NPA_ICT
ID: 33751758
VLAN 903 is just a layer 2 entity. The only L3 VLAN on the switch set is for mgmt (172.18.0.0/24) and is trunked into the ASA5520 (port G0/2).
You're correct in that I can browse to the server from access ports on VLAN 903 on any of the switches, using xx.xx.98.yy.
The 3rd switch isn't trunked to the router; the switchport to the router is just in the same L2 VLAN, namely 903 (see config below). The router only deals with requests to and from the xx.xx.98.176/29 subnet.
I can't get the config of the 98.177 device I'm afraid, it's not ours - though I have been told from the providers that as long as requests come from and to the xx.xx.98.177/29 subnet it should be fine.
I must stress at this point that the solution has been in place for some years, we're just moving our architecture to ASA.

Tried the default route option on the ASA. No joy I'm afraid, ping still working though.
Here is the relevant portion of the switch the FW connects into (G0/22)

interface GigabitEthernet0/22
 description Outside Gateway FW Int g0/0
 switchport trunk allowed vlan 903
 switchport mode trunk

interface Vlan903
 description Gateway VLAN 903
 no ip address
 ip directed-broadcast
 no ip route-cache

Here is the sh int output from G0/22:
GigabitEthernet0/22 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 18ef.6369.6c16 (bia 18ef.6369.6c16)
  Description: Outside Gateway FW Int g0/0
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not set
  Full-duplex, 1000Mb/s, link type is auto, media type is 10/100/1000BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     1031 packets input, 105673 bytes, 0 no buffer
     Received 60 broadcasts (6 multicasts)
     18 runts, 0 giants, 0 throttles
     18 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 6 multicast, 0 pause input
     0 input packets with dribble condition detected
     709082 packets output, 86140620 bytes, 0 underruns
     0 output errors, 0 collisions, 3 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

For your understanding, here is the output from the router uplink interface (g0/2)

interface GigabitEthernet0/2
 description Gateway ROuter uplink
 switchport access vlan 903
 speed 10
 duplex full
I really appreciate your help so far. Many Thanks.
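For readers setting this up for the first time, here is the ASA side of a trunk that matches the switch port G0/22 posted above. This is an added example, not the asker's attached Gateway-FW-Config.txt (which is not reproduced on this page). The switch port is a trunk with only VLAN 903 allowed and no native VLAN configured, so VLAN 903 frames leave the switch 802.1Q-tagged (the default native VLAN 1 is not in the allowed list); the ASA therefore needs a subinterface tagged with VLAN 903 and a physical interface that carries no IP address of its own. The interface name "Gateway" is taken from the route line quoted earlier in the thread; the addresses are placeholders standing in for the masked xx.xx.98.176/29 block, and the default route is the form lrmoore suggested.

```cisco
! Added example (not the asker's config): ASA side of the trunk to switch port G0/22.
! 203.0.113.176/29 is a placeholder for the masked xx.xx.98.176/29 block.
!
! Physical interface: trunk carrier only, no nameif and no IP address.
interface GigabitEthernet0/0
 description Trunk to switch G0/22
 no nameif
 no security-level
 no ip address
 no shutdown
!
! Subinterface tagged with VLAN 903. The switch tags 903 because it is not the
! trunk's native VLAN, so the "vlan 903" statement here must match exactly.
interface GigabitEthernet0/0.903
 description Gateway VLAN 903
 vlan 903
 nameif Gateway
 security-level 0
 ip address 203.0.113.178 255.255.255.248
!
! Placeholder for the provider router at the masked xx.xx.98.177.
route Gateway 0.0.0.0 0.0.0.0 203.0.113.177 1
```

To confirm both ends agree, compare `show interfaces GigabitEthernet0/22 trunk` on the switch (VLAN 903 should be listed as allowed and active, with native VLAN 1) against `show interface GigabitEthernet0/0.903` on the ASA, and clear and re-check the counters on both sides; the 18 runts / input errors in the posted `show interface` output are worth watching to make sure they are not still incrementing.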
 

Accepted Solution

by:
NPA_ICT earned 0 total points
ID: 33936830
Problem was logged with Cisco and they advised that it was because of the feature set.
ASA software 8.2 has a feature that prevents asymmetric routing through the ASA - this is the problem we were having.
For those wanting to, read all about it here:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.pdf 

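The feature in the linked 8.2 guide is TCP state bypass. By default the ASA keeps TCP state and drops packets belonging to a connection it has no entry for, which is what happens when the forward and return paths do not both cross the same ASA. Below is an added example (not the asker's config and not text from the Cisco document) of enabling bypass for one server only. The inside network 192.168.1.0/24, the interface name "inside" and 203.0.113.24 (standing in for the masked xx.xx.10.24) are all placeholders. The match ACL is deliberately narrow: bypassed flows get no TCP normalisation, no sequence number randomisation and no stateful TCP inspection, so this should never be applied to all traffic.

```cisco
! Added example (not the asker's config): TCP state bypass scoped to one server.
! 192.168.1.0/24 and 203.0.113.24 are placeholders; "inside" is an assumed nameif.
access-list TCP_BYPASS extended permit tcp 192.168.1.0 255.255.255.0 host 203.0.113.24 eq www
!
class-map TCP_BYPASS
 match access-list TCP_BYPASS
!
policy-map TCP_BYPASS_POLICY
 class TCP_BYPASS
  set connection advanced-options tcp-state-bypass
!
! Apply on the interface where the client side of the asymmetric flows enters.
! Only one policy-map can be bound per interface: if one already exists on
! "inside", add the TCP_BYPASS class to that policy-map instead of a new one.
service-policy TCP_BYPASS_POLICY interface inside
```

Check that the class is actually matching with `show service-policy interface inside` (packet counts under the class) and with `show conn`, where bypassed connections carry the `b` flag. If the counts stay at zero while the browser still fails, the ACL does not describe the failing flow and the asymmetric path is elsewhere.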
