Solved

intervlan routing with ASA and data router issue

Posted on 2010-11-29
Last Modified: 2012-05-10
dear experts

appreciate your kind support to assist me in the following as it is currently affecting my production network. our core switch is currently connected to ASA and data router (bcc-plant-rtr)
the data router forwards inside traffic to other remote sites
- the ASA is the default gateway for internal and remote sites

the data router has 2 interfaces assigned and intervlan routing with the core switch
- 10.232.124.0/22 for routing inside network from remote sites
- 10.232.104.0/22 for routing guest network from remote site
we assume that the remote networks are the loopback addresses of the data router (as in my lab): 10.232.0.0/22 (for lan users), 10.232.4.0/22 for remote guest network

on the ASA

ethernet 1 - for inside vpn networks 10.232.100.0/22, 10.232.124.0/22 and 10.232.0.1
ethernet 2 - on a stick for attached networks on core
ethernet 3 - for external sites connecting guest users
ASA config
======
interface Ethernet1
 speed 100
 nameif inside
 security-level 100
 ip address 10.232.132.1 255.255.252.0
!
interface Ethernet2
 speed 100
 duplex full
 nameif visitors
 security-level 100
 no ip address
!
interface Ethernet2.4
 vlan 4
 nameif visior
 security-level 100
 ip address 10.232.128.2 255.255.252.0
!
interface Ethernet3
 nameif remguest
 security-level 100
 ip address 10.232.108.1 255.255.252.0

route inside 10.232.136.0 255.255.252.0 10.232.124.2 1
route inside 10.232.124.0 255.255.252.0 10.232.132.2 1
route inside 10.232.0.0 255.255.252.0 10.232.132.2 1
route inside 10.232.100.0 255.255.252.0 10.232.124.2 1
route inside 10.232.104.0 255.255.252.0 10.232.108.2 1
route inside 10.232.4.0 255.255.252.0 10.232.108.2 1


core switch config
==================

interface FastEthernet0/1
 description to ASA inside interface ethernet1
 no switchport
 ip address 10.232.132.2 255.255.252.0
 
!
interface FastEthernet0/3
 description  to ASA visitor interface ethernet2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
 
!
interface FastEthernet0/5
 description to bcc-plant-rtr
 no switchport
 ip address 10.232.104.2 255.255.252.0 secondary
 ip address 10.232.124.2 255.255.252.0

!
interface FastEthernet0/12
 description to ASA remguest interface ethernet 3
 no switchport
 ip address 10.232.108.2 255.255.252.0


!
interface Vlan1
 ip address 10.232.103.1 255.255.252.0
!
interface Vlan4
 ip address 10.232.128.1 255.255.252.0
 no ip mroute-cache

!
ip classless
ip route 0.0.0.0 0.0.0.0 10.232.132.1
ip route 10.232.0.0 255.255.252.0 10.232.124.1
ip route 10.232.4.0 255.255.252.0 10.232.104.1
ip http server
ip http secure-server

access-list 10 permit 10.232.104.0 0.0.3.255
access-list 10 permit 10.232.4.0 0.0.3.255
route-map internet permit 10
 match ip address 10
 set ip next-hop 10.232.108.1
!
===========================
on bcc-plant-rtr
===========================
interface Loopback0
 ip address 10.232.0.1 255.255.252.0
!
interface Loopback1
 ip address 20.20.20.1 255.255.255.255
!
interface Loopback2
 ip address 10.232.4.1 255.255.252.0
!
interface FastEthernet0/0
 description to core switch
 ip address 10.232.104.1 255.255.252.0 secondary
 ip address 10.232.124.1 255.255.252.0
!
ip route 0.0.0.0 0.0.0.0 10.232.124.2

========================
for some reason the source IP 10.232.104.1 does not ping destination interface ethernet 3 (10.232.108.2). 10.232.104.0/22 should be the ip connecting guests from remote network (like 10.232.4.0/22 lo) to bcc-plant-rtr while bcc-plant-rtr should route these networks to ASA (internet gateway) via ethernet 3 (10.232.108.2)

- source 10.232.104.1 can ping routed interface 10.232.108.1 but cannot ping ASA ethernet 3 (with extended ping)
- source 10.232.4.1 can ping 10.232.104.1 and 10.232.108.2 but cannot ping 10.232.108.2 !
- source 10.232.124.1 can ping ASA ethernet 1 10.232.132.1
==========================================


Router#ping 10.232.108.1 source 10.232.104.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.232.108.1, timeout is 2 seconds:
Packet sent with a source address of 10.232.104.1
.....
Success rate is 0 percent (0/5)
================================
Switch#ping 10.232.108.1 source 10.232.104.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.232.108.1, timeout is 2 seconds:
Packet sent with a source address of 10.232.104.2
.....
Success rate is 0 percent (0/5)
Switch#
===============================
core switch# sh ip route
Gateway of last resort is 10.232.132.1 to network 0.0.0.0

     10.0.0.0/22 is subnetted, 9 subnets
C       10.232.128.0 is directly connected, Vlan4
C       10.232.132.0 is directly connected, FastEthernet0/1
C       10.232.100.0 is directly connected, Vlan1
C       10.232.104.0 is directly connected, FastEthernet0/5
C       10.232.108.0 is directly connected, FastEthernet0/12
C       10.232.116.0 is directly connected, Vlan5
C       10.232.124.0 is directly connected, FastEthernet0/5
S       10.232.0.0 [1/0] via 10.232.124.1
S       10.232.4.0 [1/0] via 10.232.104.1
S*   0.0.0.0/0 [1/0] via 10.232.132.1
==============================
if i make PBR on the routed interface connected to ASA ethernet 3 , nothing happens , and if i do it on the routed interface connected to router , ASA cannot ping 10.232.104.1 or 10.232.4.1

on the ASA side , i can ping 10.232.104.1 and 10.232.4.1 ( bcc-plant-rtr)
========================
ASA(config)# ping 10.232.4.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.232.4.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms


ASA(config)# ping 10.232.104.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.232.104.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms


appreciate your kind support in advance



Question by:oelolemy
Expert Comment
by:pwindell
- the ASA is the default gateway for internal and remote sites

That is the problem part.  Everything must use the LAN Router as the Default Gateway,...or use whatever LAN Router is appropriate depending on the complexity of the LAN.  The only thing that should use the ASA as the Default Gateway is the LAN Router that directly faces the ASA.  This keeps the routing scheme of the LAN symmetrical,...as it should be.

The diagram below illustrates this.  The firewall in the diagram is ISA,...but the principle is the same.

 3 Segment LAN

Author Comment
by:oelolemy
Please refer to my network diagram scenario

the issue is that i am not able to route local guest vlan (4), which should be directly connected on core switch, to the remguest interface on ASA. if i am able to do this then perhaps i should be able to add remote guest networks on site 1 as well to the ACL 10

if i add vlan 4 on the ACL 10 - (access-list 10 permit 10.232.128.0 0.0.3.255) and apply PBR on vlan 4, i am able to ping the routed interface 10.232.108.2 but i am not able to ping the remguest interface on ASA - 10.232.108.2/22 using source 10.232.128.1 (vlan 4)


Router#ping 10.232.108.1 source 10.232.104.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.232.108.1, timeout is 2 seconds:
Packet sent with a source address of 10.232.104.1
.....
Success rate is 0 percent (0/5)
===============================
although on the "debug ip policy" the output shows that the policy is routed
=============================
1d00h: IP: s=10.232.128.1 (local), d=10.232.108.1, len 100, policy match
1d00h: IP: route map bar, item 10, permit
1d00h: IP: s=10.232.128.1 (local), d=10.232.108.1 (FastEthernet0/12), len 100, p
olicy routed <<<<<<<<<<
=======
i can also see traffic passing through the guest interface 3 on asa  for VLAN 4

Switch#sh route-map internet
route-map bar, permit, sequence 10
  Match clauses:
    ip address (access-lists): 10
  Set clauses:
    ip next-hop 10.232.108.1
  Policy routing matches: 543 packets, 55620 bytes <<<<<<<<<<<<<<<<<<<<<<<

any advice?
labs.jpg
Expert Comment
by:pwindell
The ASA has to have all subnets of the entire LAN and the remote site listed as part of its Trusted Network.  The ASA will interpret all of those as one big network.   Then the ASA must have a Static Route (or Routes) added that tell it to use the Core Router as the "gateway" to get to all other parts of the LAN and Remote Sites that are on the opposite side of the Core Router from 10.232.132.x.

The rest is just getting your LAN's Routing Scheme correct (which has nothing to do with the ASA itself).
Expert Comment
by:pwindell
That is exactly what my diagram explains if you look closely at it.
Author Comment
by:oelolemy
i understand the theory, but it looks like i have some issues with the configuration
and i've configured exactly the same. i have no issues routing the inside networks (local and remote) to the default gateway 10.232.132.1 on ASA (inside interface eth1), my only problem comes when i try to route the local directly connected and remote guest network to the ASA eth3 interface via PBR

i've configured the following static routes on ASA and still i'm not able to reach the guest interface

route inside 10.232.128.0 255.255.252.0 10.232.108.2
route inside 10.232.4.0 255.255.252.0 10.232.104.1
route inside 10.232.104.0 255.255.252.0 10.232.108.2

waiting for feedback, i would also like you to provide me with configuration examples




Expert Comment
by:pwindell
I see no reason for the 10.132.108.x segment to be going in a Loop.

It should come off of Fas 0/12 on the Core Router,...OR,...eth3 on the ASA,...but not both.  I personally think you should branch it off the Core Router at fas 0/12 instead of the ASA.

The ASA should be running with only two NICs (Internal, External,...no DMZ)

All of your networks are also overloaded.  The mask should not be lower than /24,...there should never be more than 254 Hosts on a single Ethernet Segment.

The segment between the core Router and the ASA could also be a Two-Host Point-to-Point segment with a /30-bit mask if there are no other Hosts on it.
Author Comment
by:oelolemy
could you show me how to achieve this with configuration? i know that vrf-lite can be used for such a solution but i have no idea how to do this with such a case scenario!
any advice?
Expert Comment
by:pwindell
I don't know what I can show you.  It would look just like the diagram I gave.  The router in the center of my diagram would be the Core Router, the firewall in the diagram would be the ASA.   The segments you have of:

10.232.108.x
10.232.124.x
10.232.103.x

...would just be segments branching off the Core Router

The 10.232.132.x would just be the segment between the Core Router and the Firewall.

You almost have that already,...just remove 10.232.108.x from the third Firewall Interface and let it run solely off the Core Router interface,...or do the flip of that and keep it on the Firewall's 3rd NIC and separate it from the Core Router.  Either way,...but the point is to get rid of the loop.

I look at the over-all design and make my decisions at that level. I can't get into individual config of individual devices,...I'd have to have a room full of manuals for everything that is out there. I don't even know what a "vrf-lite" even is.
Accepted Solution
by:pwindell earned 500 total points
Remember that
The Core Router must have routes telling it to use the Data Router Bcc Plant (10.232.124.1) as the gateway to get to 10.232.0.x and 10.232.4.x

The Firewall must have a route telling it to use the Core Router for all the segments.  You can base the route on 10.232.x.x and cover all of them,...or you'll have to have a separate route for each.

Then the Data Router BCC must use the Core Router as its Default Gateway

Then the Core Router uses the Firewall as the Default Gateway.

Clients at Site1 will probably use their VPN Device as their Default Gateway but there can be unusual circumstances depending on exactly how they use the Internet and whether or not their VPN Device is also their Internet Firewall at the same time.
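As an added consistency check (not from the original post, from Cisco, or from the expert), the script below parses the ASA interface and "route" lines quoted in the question and flags every static route whose named interface does not contain its next hop, which is the one-line test of whether the firewall really hands a segment back to the Core Router on the inside segment. The thread never states which ASA setting was actually wrong, so this only shows where the posted routes and interface subnets disagree with each other.

```python
import ipaddress

# Constructed from the ASA configuration posted in the question (interface
# addresses and "route" lines only); not the poster's tooling or a Cisco tool.
ASA_CONFIG = """\
interface Ethernet1
 nameif inside
 ip address 10.232.132.1 255.255.252.0
interface Ethernet2.4
 nameif visior
 ip address 10.232.128.2 255.255.252.0
interface Ethernet3
 nameif remguest
 ip address 10.232.108.1 255.255.252.0
route inside 10.232.136.0 255.255.252.0 10.232.124.2 1
route inside 10.232.124.0 255.255.252.0 10.232.132.2 1
route inside 10.232.0.0 255.255.252.0 10.232.132.2 1
route inside 10.232.100.0 255.255.252.0 10.232.124.2 1
route inside 10.232.104.0 255.255.252.0 10.232.108.2 1
route inside 10.232.4.0 255.255.252.0 10.232.108.2 1
"""

def parse_asa(text):
    """Return ({nameif: connected network}, [(nameif, destination, gateway)])."""
    ifaces, routes, current = {}, [], None
    for raw in text.splitlines():
        parts = raw.split()          # blank lines give [] and match nothing
        if parts[:1] == ["nameif"]:
            current = parts[1]
        elif parts[:2] == ["ip", "address"] and current:
            ifaces[current] = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}").network
        elif parts[:1] == ["route"]:
            nameif, net, mask, gw = parts[1:5]
            routes.append((nameif, ipaddress.ip_network(f"{net}/{mask}"), ipaddress.ip_address(gw)))
    return ifaces, routes

def off_subnet_routes(ifaces, routes):
    """(destination, gateway, named interface, interface that holds the gateway or None)."""
    findings = []
    for nameif, dest, gw in routes:
        if gw in ifaces.get(nameif, ipaddress.ip_network("0.0.0.0/32")):
            continue                 # next hop is on the interface the route names
        holder = next((n for n, net in ifaces.items() if gw in net), None)
        findings.append((str(dest), str(gw), nameif, holder))
    return findings

if __name__ == "__main__":
    for dest, gw, named, holder in off_subnet_routes(*parse_asa(ASA_CONFIG)):
        print(f"{dest} via {gw}: route names '{named}', gateway sits on {holder or 'no ASA interface'}")
```

On the posted configuration four of the six routes are flagged: two name "inside" but point at 10.232.108.2, which lives on the remguest subnet, and two point at 10.232.124.2, which is on no ASA interface at all.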
Author Closing Comment
by:oelolemy
that did not fix the issue, it was a misconfiguration issue in the ASA. i showed my configs from the very beginning but the answers i have been getting from the expert were all theoretical!
Expert Comment
by:pwindell
What was the misconfiguration?

Theoretical is where all answers begin.  They lead you to the place to find the specific issues.   Posting config files directly in the question often does not help and only makes the post impossible to read and understand. The Config file may also not help when the person trying to help has no full context to interpret the settings in to be able to even know what is correct or not.  Config files are better if given as attachments to the message when asked for.