Solved

ASA5520 trunking problem

Posted on 2010-09-23
Last Modified: 2012-06-27
We're moving to a different firewall set and I'm trying to set up a connection from an inside host to a remote server.
The inside host can ping but is getting a "remote host not responding" error when using a browser from inside the network.
When I connect a laptop directly into a switchport in the correct vlan outside the firewall I can connect to the http page of the remote server.
I've done packet traces and spanned the connections from the router and confirmed that ACK packets are being sent back from the remote server to the correct NAT'd address on the FW, but ASDM and logs show that the ACKs are not reaching the FW.
I think the problem is to do with the trunking between the ASA and the switch uplinks but from reading all the blurb it looks ok to me.
I do need the trunking to work as additional sub-ints will be coming on line soon, can anyone help?
I've included a diagram, the FW config and some diags from both the switch and the ASA.
I've had some experience with PIX and ASA but this is the first time I've used trunking and sub-ints on the ASA - what have I done wrong?
Attachments: EE-Diag.vsd, Gateway-FW-Config.txt
4 Comments
Expert Comment

by:lrmoore
Where is the VLan 903 L3 interface? On the router?
Is the 3rd switch in the middle trunked to the router?
Can you post the config from the switch port that connects to the ASA's ?

Probably need to see the config of the router xx.xx.98.177 also.

So, when you connect to either one of the 2 switches in a vlan 903 port (access port?), with an IP address xx.xx.98.yy, default gateway of xx.xx.98.177, you can then browse xx.xx.10.24 ?
Expert Comment

by:lrmoore
>route Gateway xx.xx.0.0 255.255.0.0 xx.xx.98.177 1

Also, make sure that this mask is correct to match the server
Try it with a default route:
 route Gateway 0.0.0.0 0.0.0.0 xx.xx.98.177
Author Comment

by:NPA_ICT
VLAN 903 is just a layer 2 entity. The only L3 VLAN on the switch set is for mgmt (172.18.0.0/24) and is trunked into ASA5520 (port G0/2).
You're correct in that I can browse to the server from access ports on VLAN 903 on any of the switches, using xx.xx.98.yy.
The 3rd switch isn't trunked to the router; the switchport to the router is just in the same L2 VLAN, namely 903 (see config below). The router only deals with requests to and from the xx.xx.98.176/29 subnet.
I can't get the config of the 98.177 device I'm afraid, it's not ours - though I have been told from the providers that as long as requests come from and to the xx.xx.98.177/29 subnet it should be fine.
I must stress at this point that the solution has been in place for some years, we're just moving our architecture to ASA.

Tried the default route option on the ASA. No joy I'm afraid, ping still working though.
Here is the relevant portion of the switch the FW connects into (G0/22)

interface GigabitEthernet0/22
 description Outside Gateway FW Int g0/0
 switchport trunk allowed vlan 903
 switchport mode trunk

interface Vlan903
 description Gateway VLAN 903
 no ip address
 ip directed-broadcast
 no ip route-cache

Here is the sh int output from G0/22:
GigabitEthernet0/22 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 18ef.6369.6c16 (bia 18ef.6369.6c16)
  Description: Outside Gateway FW Int g0/0
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not set
  Full-duplex, 1000Mb/s, link type is auto, media type is 10/100/1000BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     1031 packets input, 105673 bytes, 0 no buffer
     Received 60 broadcasts (6 multicasts)
     18 runts, 0 giants, 0 throttles
     18 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 6 multicast, 0 pause input
     0 input packets with dribble condition detected
     709082 packets output, 86140620 bytes, 0 underruns
     0 output errors, 0 collisions, 3 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

For your understanding, here is the output from the router uplink interface (g0/2)

interface GigabitEthernet0/2
 description Gateway ROuter uplink
 switchport access vlan 903
 speed 10
 duplex full
I really appreciate your help so far. Many Thanks.
Accepted Solution

by:NPA_ICT
Problem was logged with Cisco and they advised that it was because of the feature set.
ASA software 8.2 has a feature that prevents asymmetric routing through the ASA - this is the problem we were having.
For those wanting to, read all about it here:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.pdf

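Added example, not from the thread or from the linked Cisco guide: a narrowly scoped TCP state bypass policy of the kind that guide describes, which lets a flow whose return path does not pass the ASA survive the stateful TCP check. It assumes the outside nameif is "Gateway" (from the route command above), an inside nameif of "inside", and placeholder addresses INSIDE_HOST and REMOTE_SERVER for the obfuscated xx.xx.98.yy and xx.xx.10.24. Bypass switches off TCP sequence and state tracking (and some inspections) for matched connections, so match only the host/server pair that needs it and prefer fixing the asymmetric path where that is possible.

```cisco
! Match only the host/server pair affected by the asymmetric return path.
! INSIDE_HOST and REMOTE_SERVER are placeholders, not addresses from the thread.
access-list tcp_bypass extended permit tcp host INSIDE_HOST host REMOTE_SERVER eq 80
access-list tcp_bypass extended permit tcp host INSIDE_HOST host REMOTE_SERVER eq 443
!
class-map tcp_bypass_class
 match access-list tcp_bypass
!
! Connections matched by this class skip TCP state/sequence checking.
! Everything else keeps full stateful inspection.
policy-map tcp_bypass_policy
 class tcp_bypass_class
  set connection advanced-options tcp-state-bypass
!
! Applied on the interface where the SYN enters (the inside nameif is assumed).
service-policy tcp_bypass_policy interface inside
!
! Verification: "show service-policy interface inside" should show the class
! with increasing packet counts, and "show conn" should list the flow.
```

Check the hit counts on the bypass class before widening the access-list; if the counters stay at zero, the SYN is not arriving on the interface the policy is bound to and the match addresses or interface are wrong.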