oelolemy (Egypt) asked:
intervlan routing with ASA and data router issue

Dear experts,

I appreciate your kind support in assisting me with the following, as it is currently affecting my production network. Our core switch is currently connected to an ASA and a data router (bcc-plant-rtr).

The data router forwards inside traffic and traffic to other remote sites.
- The ASA is the default gateway for internal and remote sites.

The data router has 2 interfaces assigned and intervlan routing with the core switch:
- 10.232.124.0/22 for routing the inside network from remote sites
- 10.232.104.0/22 for routing the guest network from remote sites
We assume that the remote networks are the loopback addresses of the data router (as in my lab): 10.232.0.0/22 (for LAN users), 10.232.4.0/22 for the remote guest network.

On the ASA:

Ethernet 1 - for inside VPN networks 10.232.100.0/22, 10.232.124.0/22 and 10.232.0.1
Ethernet 2 - on a stick for attached networks on the core
Ethernet 3 - for external sites connecting guest users

ASA config
======
interface Ethernet1
 speed 100
 nameif inside
 security-level 100
 ip address 10.232.132.1 255.255.252.0
!
interface Ethernet2
 speed 100
 duplex full
 nameif visitors
 security-level 100
 no ip address
!
interface Ethernet2.4
 vlan 4
 nameif visior
 security-level 100
 ip address 10.232.128.2 255.255.252.0
!
interface Ethernet3
 nameif remguest
 security-level 100
 ip address 10.232.108.1 255.255.252.0

route inside 10.232.136.0 255.255.252.0 10.232.124.2 1
route inside 10.232.124.0 255.255.252.0 10.232.132.2 1
route inside 10.232.0.0 255.255.252.0 10.232.132.2 1
route inside 10.232.100.0 255.255.252.0 10.232.124.2 1
route inside 10.232.104.0 255.255.252.0 10.232.108.2 1
route inside 10.232.4.0 255.255.252.0 10.232.108.2 1


core switch config
==================

interface FastEthernet0/1
 description to ASA inside interface ethernet1
 no switchport
 ip address 10.232.132.2 255.255.252.0
 
!
interface FastEthernet0/3
 description  to ASA visitor interface ethernet2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
 
!
interface FastEthernet0/5
 description to bcc-plant-rtr
 no switchport
 ip address 10.232.104.2 255.255.252.0 secondary
 ip address 10.232.124.2 255.255.252.0

!
interface FastEthernet0/12
 description to ASA remguest interface ethernet 3
 no switchport
 ip address 10.232.108.2 255.255.252.0
 

!
interface Vlan1
 ip address 10.232.103.1 255.255.252.0
!
interface Vlan4
 ip address 10.232.128.1 255.255.252.0
 no ip mroute-cache

!
ip classless
ip route 0.0.0.0 0.0.0.0 10.232.132.1
ip route 10.232.0.0 255.255.252.0 10.232.124.1
ip route 10.232.4.0 255.255.252.0 10.232.104.1
ip http server
ip http secure-server

access-list 10 permit 10.232.104.0 0.0.3.255
access-list 10 permit 10.232.4.0 0.0.3.255
route-map internet permit 10
 match ip address 10
 set ip next-hop 10.232.108.1
!
===========================
on bcc-plant-rtr
===========================
interface Loopback0
 ip address 10.232.0.1 255.255.252.0
!
interface Loopback1
 ip address 20.20.20.1 255.255.255.255
!
interface Loopback2
 ip address 10.232.4.1 255.255.252.0
!
interface FastEthernet0/0
 description to core switch
 ip address 10.232.104.1 255.255.252.0 secondary
 ip address 10.232.124.1 255.255.252.0
!
ip route 0.0.0.0 0.0.0.0 10.232.124.2

========================
For some reason the source IP 10.232.104.1 does not ping the destination interface Ethernet 3 (10.232.108.2). 10.232.104.0/22 should be the IP connecting guests from the remote network (like 10.232.4.0/22 lo) to bcc-plant-rtr, while bcc-plant-rtr should route these networks to the ASA (internet gateway) via Ethernet 3 (10.232.108.2).

- Source 10.232.104.1 can ping the routed interface 10.232.108.1 but cannot ping ASA Ethernet 3 (with extended ping).
- Source 10.232.4.1 can ping 10.232.104.1 and 10.232.108.2 but cannot ping 10.232.108.2!
- Source 10.232.124.1 can ping ASA Ethernet 1, 10.232.132.1.
==========================================


Router#ping 10.232.108.1 source 10.232.104.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.232.108.1, timeout is 2 seconds:
Packet sent with a source address of 10.232.104.1
.....
Success rate is 0 percent (0/5)
================================
Switch#ping 10.232.108.1 source 10.232.104.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.232.108.1, timeout is 2 seconds:
Packet sent with a source address of 10.232.104.2
.....
Success rate is 0 percent (0/5)
Switch#
===============================
core switch# sh ip route
Gateway of last resort is 10.232.132.1 to network 0.0.0.0

     10.0.0.0/22 is subnetted, 9 subnets
C       10.232.128.0 is directly connected, Vlan4
C       10.232.132.0 is directly connected, FastEthernet0/1
C       10.232.100.0 is directly connected, Vlan1
C       10.232.104.0 is directly connected, FastEthernet0/5
C       10.232.108.0 is directly connected, FastEthernet0/12
C       10.232.116.0 is directly connected, Vlan5
C       10.232.124.0 is directly connected, FastEthernet0/5
S       10.232.0.0 [1/0] via 10.232.124.1
S       10.232.4.0 [1/0] via 10.232.104.1
S*   0.0.0.0/0 [1/0] via 10.232.132.1
==============================
If I apply PBR on the routed interface connected to ASA Ethernet 3, nothing happens, and if I apply it on the routed interface connected to the router, the ASA cannot ping 10.232.104.1 or 10.232.4.1.

On the ASA side, I can ping 10.232.104.1 and 10.232.4.1 (bcc-plant-rtr).
========================
ASA(config)# ping 10.232.4.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.232.4.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

ASA(config)# ping 10.232.104.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.232.104.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

I appreciate your kind support in advance.



pwindell (United States) answered:

- the ASA is the default gateway for internal ad remote sites

That is the problem part.  Everything must use the LAN Router as the Default Gateway,...or use whatever LAN Router is appropriate depending on the complexity of the LAN.  The only thing that should use the ASA as the Default Gateway is the LAN Router that directly faces the ASA.  This keeps the routing scheme of the LAN Symmetrical,...as it should be.

The diagram below illustrates this.  The firewall in the diagram is ISA,...but the principle is the same.

[image: network diagram]
oelolemy (ASKER):

Please refer to my network diagram scenario.

The issue is that I am not able to route the local guest VLAN (4), which should be directly connected on the core switch, to the remguest interface on the ASA. If I am able to do this, then perhaps I should be able to add the remote guest networks on site 1 to ACL 10 as well.

If I add VLAN 4 to ACL 10 (access-list 10 permit 10.232.128.0 0.0.3.255) and apply PBR on VLAN 4, I am able to ping the routed interface 10.232.108.2 but I am not able to ping the remguest interface on the ASA, 10.232.108.2/22, using source 10.232.128.1 (VLAN 4).


Router#ping 10.232.108.1 source 10.232.104.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.232.108.1, timeout is 2 seconds:
Packet sent with a source address of 10.232.104.1
.....
Success rate is 0 percent (0/5)
===============================
although in the "debug ip policy" output it shows that the packet is policy routed:
=============================
1d00h: IP: s=10.232.128.1 (local), d=10.232.108.1, len 100, policy match
1d00h: IP: route map bar, item 10, permit
1d00h: IP: s=10.232.128.1 (local), d=10.232.108.1 (FastEthernet0/12), len 100, policy routed <<<<<<<<<<
=======
I can also see traffic passing through the guest interface 3 on the ASA for VLAN 4:

Switch#sh route-map internet
route-map bar, permit, sequence 10
  Match clauses:
    ip address (access-lists): 10
  Set clauses:
    ip next-hop 10.232.108.1
  Policy routing matches: 543 packets, 55620 bytes <<<<<<<<<<<<<<<<<<<<<<<

Any advice?
Attachment: labs.jpg
pwindell:

The ASA has to have all subnets of the entire LAN and the remote site listed as part of its Trusted Network.  The ASA will interpret all of those as one big network.   Then the ASA must have a Static Route (or Routes) added that tell it to use the Core Router as the "gateway" to get to all other parts of the LAN and Remote Sites that are on the opposite side of the Core Router from 10.232.132.x.

The rest is just getting your LAN's Routing Scheme correct (which has nothing to do with the ASA itself).
That is exactly what my diagram explains if you look closely at it.
oelolemy (ASKER):

I understand the theory, but it looks like I have some issues with the configuration, and I've configured exactly the same. I have no issues routing the inside networks (local and remote) to the default gateway 10.232.132.1 on the ASA (inside interface eth1); my only problem comes when I try to route the local directly connected and remote guest networks to the ASA eth3 interface via PBR.

I've configured the following static routes on the ASA and still I'm not able to reach the guest interface:

route inside 10.232.128.0 255.255.252.0 10.232.108.2
route inside 10.232.4.0 255.255.252.0 10.232.104.1
route inside 10.232.104.0 255.255.252.0 10.232.108.2

Waiting for feedback; I would also like you to provide me with configuration examples.
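One check worth running on the ASA route lines in the question and on the three added in this reply, as an added example that is not from this thread or from Cisco: the ASA resolves a static route's gateway by ARP on the interface the route names, so a gateway that lies outside that interface's subnet is worth flagging before looking further. The script, its function names and the embedded config sample (constructed from the question's interface and route lines) are my own.

```python
import ipaddress
import re

# Constructed sample built from the ASA lines posted in the question
# (interfaces without an IP address carry no subnet and are omitted).
ASA_CONFIG = """
interface Ethernet1
 nameif inside
 ip address 10.232.132.1 255.255.252.0
interface Ethernet3
 nameif remguest
 ip address 10.232.108.1 255.255.252.0
route inside 10.232.136.0 255.255.252.0 10.232.124.2 1
route inside 10.232.124.0 255.255.252.0 10.232.132.2 1
route inside 10.232.0.0 255.255.252.0 10.232.132.2 1
route inside 10.232.100.0 255.255.252.0 10.232.124.2 1
route inside 10.232.104.0 255.255.252.0 10.232.108.2 1
route inside 10.232.4.0 255.255.252.0 10.232.108.2 1
"""

def parse_asa(config):
    """Return ({nameif: ip_interface}, [(nameif, destination, gateway)])."""
    ifaces, routes, current = {}, [], None
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"nameif (\S+)$", line):
            current = m.group(1)          # remember which nameif the address belongs to
        elif m := re.match(r"ip address (\S+) (\S+)", line):
            ifaces[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"route (\S+) (\S+) (\S+) (\S+)", line):
            dest = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
            routes.append((m.group(1), dest, ipaddress.ip_address(m.group(4))))
    return ifaces, routes

def unreachable_next_hops(config):
    """(destination, gateway, reason) for every route whose gateway is not in the
    subnet of the interface it names, i.e. cannot be ARPed on that interface."""
    ifaces, routes = parse_asa(config)
    findings = []
    for nameif, dest, gw in routes:
        if nameif not in ifaces:
            findings.append((str(dest), str(gw), f"unknown interface {nameif}"))
        elif gw not in ifaces[nameif].network:
            elsewhere = [n for n, i in ifaces.items() if gw in i.network]
            reason = f"not on {nameif} ({ifaces[nameif].network})"
            if elsewhere:                 # the gateway belongs to another ASA interface
                reason += f"; it is on {elsewhere[0]}"
            findings.append((str(dest), str(gw), reason))
    return findings
```

Running `unreachable_next_hops(ASA_CONFIG)` reports four of the six posted routes; the same function can be pointed at the three routes added in this reply.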




pwindell:

I see no reason for the 10.132.108.x segment to be going in a Loop.

It should come off of Fas 0/12 on the Core Router,...OR,...eth3 on the ASA,...but not both.  I personally think you should branch it off the Core Router at fas 0/12 instead of the ASA.

The ASA should be running with only two Nics  (Internal, External,...no DMZ)

All of your networks are also overloaded.  The mask should not be lower than /24,...there should never be more than 254 Hosts on a single Ethernet Segment.

The segment between the core Router and the ASA could also be a Two-Host Point-to-Point segment with a /30-bit mask if there are no other Hosts on it.

oelolemy (ASKER):

Could you show me how to achieve this with configuration? I know that vrf-lite can be used for such a solution, but I have no idea how to do this in such a case scenario!
Any advice?
pwindell:

I don't know what I can show you.  I would look just like the diagram I gave.  The router in the center of my diagram would be the Core Router, the firewall in the diagram would be that ASA.   The segments you have of:

10.232.108.x
10.232.124.x
10.232.103.x

...would just be segments branching off the Core Router

The 10.232.132.x  would just be the segment between the Core Router and the Firewall.

You almost have that already,...just remove 10.232.108.x from the third Firewall Interface and let it run solely off the Core Router interface,...or do the flip of that and keep it on the Firewall's 3rd Nic and separate it from the Core Router.  Either way,...but the point is to get rid of the loop.

I look at the over-all design and make my decisions at that level. I can't get into individual config of individual devices,...I'd have to have a room full of manuals for everything that is out there. I don't even know what a "vrf-lite" even is.
ASKER CERTIFIED SOLUTION (pwindell)
oelolemy (ASKER):

That did not fix the issue; it was a misconfiguration issue in the ASA. I showed my configs from the very beginning, but the answers I have been getting from the expert were all theoretical!

pwindell:

What was the misconfiguration?

Theoretical is where all answers begin.  They lead you to the place to find the specific issues.   Posting config files directly in the question often does not help and only makes the post impossible to read and understand. The Config file may also not help when the person trying to help has no full context to interpret the settings in, to be able to even know what is correct or not.  Config files are better if given as attachments to the message when asked for.