  • Status: Solved

routing problem

Hi
I hope you guys can help me find the problem

I can't access a network beyond the ASA. The setup is like this:

ASA 5520 with 3 networks
if1 internet (outside)
if2 192.168.100.1 /24 (inside)
if3 172.16.200.2 /24 (the network I can't access from client network)

if2 on ASA is connected to a PC6248 with several vlans. The PC6248 is handling the routing of vlans.

if3 on ASA is connected to our ISP's Cisco router, which has interface IP 172.16.200.1 /24


As far as I can tell everything works fine, except that from the client VLANs on the PC6248 I cannot ping any 172.16.200.0 address. It is possible to ping the entire 172.16.200.0 network from within the ASA, but not from a client computer.

What could be the problem? I think I got all the routes right. The PC6248 has an ip route to 192.168.100.1 (ASA) and the ASA has an ip route to 172.16.200.1 (ISP router).

Ideas?
3 Solutions
 
pclinuxguru commented:
mind posting a sanitized config or at least the routes, nat, and interface/vlan stuff?
 
Bes4dmin (Author) commented:
ASA5520
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.240.0 
!
interface GigabitEthernet0/1
 nameif LAN
 security-level 90
 ip address 192.168.100.1 255.255.255.0 
!
interface GigabitEthernet0/2
 nameif resource
 security-level 70
 ip address 172.16.200.2 255.255.255.0

route resource 172.16.96.0 255.255.255.0 172.16.200.1 1

static (LAN,resource) 192.168.100.0 192.168.100.0 netmask 255.255.255.0



PC6248
vlan database
vlan 3-6,100
vlan routing 5 1
vlan routing 4 2
vlan routing 3 4
vlan routing 6 6
vlan routing 100 7

ip routing
ip route 0.0.0.0 0.0.0.0 192.168.100.1

interface vlan 3
name "floor3"
routing
ip address 192.168.130.1 255.255.255.0
ip helper-address 192.168.100.50
exit

interface vlan 4
name "floor4"
routing
ip address 192.168.140.1 255.255.255.0
ip helper-address 192.168.100.50
exit

interface vlan 5
name "floor5"
routing
ip address 192.168.150.1 255.255.255.0
ip helper-address 192.168.100.50
exit

interface vlan 6
name "floor6"
routing
ip address 192.168.160.1 255.255.255.0
ip helper-address 192.168.100.50
exit

interface vlan 100
name "serverLAN"
routing
ip address 192.168.100.2 255.255.255.0
exit
!
interface ethernet 1/g1
switchport access vlan 100   #This port is connected to the ASA GigabitEthernet0/1 interface#
exit
!

 
SEWS-E commented:
Hi,

There could be a number of reasons why the ping is failing to reach the subnet 172.16.200.0/24, routing being one of them. It could be an ACL blocking the traffic, or missing/misconfigured NAT statement.

It would be useful to see the entire ASA config to check all parts of the config are in place.

Alternatively, you can run Packet Tracer from the ASDM which will simulate the ping as it passes through the ASA and tell you why it is being dropped.

Regards,

Paul
 
Marius Gunnerud (Senior Systems Engineer) commented:
are you able to ping the 200.0/24 network from the PC6248 switch?

Could you post the complete list of ACLs for both the ASA and the PC6248. And also post the routing table for the PC6248.
 
Bes4dmin (Author) commented:
The PC6248 can't ping the 200.0/24 network. The routing table looks like this:

PC6248#show ip route

S      0.0.0.0/0 [1/0] via 192.168.100.1,   vlan 100
C      192.168.100.0/24 [0/1] directly connected,   vlan 100
C      192.168.130.0/24 [0/1] directly connected,   vlan 3
C      192.168.140.0/24 [0/1] directly connected,   vlan 4
C      192.168.150.0/24 [0/1] directly connected,   vlan 5
C      192.168.160.0/24 [0/1] directly connected,   vlan 6

The PC6248 doesn't have any ACLs. I'm thinking, since the static route is sending everything to the ASA, shouldn't it include the 200.0/24 network as well?
Basically I cannot ping any other interface of the ASA beside the one directly attached to the PC6248.

The ASA has some ACL rules but they are just blocking some clients accessing some resources on the other end of a VPN tunnel.
 
Marius Gunnerud (Senior Systems Engineer) commented:
From the PC6248, are you able to ping the 200.0 network when specifying a source of 192.168.100.2?

ping 172.16.200.X source 192.168.100.2

the reason the other VLANs cannot connect to the 200.0 network is because they need to be trunked to the ASA.
 
Bes4dmin (Author) commented:
nope, I cannot ping anything on the 200.0 network from the 100.0 network.
 
SEWS-E commented:
Does the ASA have routes for the 192.168.x.x subnets?
 
Bes4dmin (Author) commented:
yes and the ASA can ping all networks
 
Marius Gunnerud (Senior Systems Engineer) commented:
The problem is that interface ethernet 1/g1 is a layer 2 interface and the interface on the ASA is a layer 3 interface.  Add an ip address to that interface and see if you can now ping to the 200.0 network.

The other option would be to trunk the link between the ASA and PC6248.
 
Bes4dmin (Author) commented:
The routing table on the ASA looks like this:

CiscoASA# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is xxx.xxx.xxx.xxx to network 0.0.0.0


S    192.168.150.0 255.255.255.0 [1/0] via 192.168.100.2, LAN
S    192.168.130.0 255.255.255.0 [1/0] via 192.168.100.2, LAN
S    192.168.160.0 255.255.255.0 [1/0] via 192.168.100.2, LAN
S    192.168.140.0 255.255.255.0 [1/0] via 192.168.100.2, LAN
C    192.168.100.0 255.255.255.0 is directly connected, LAN
C    192.168.0.0 255.255.255.0 is directly connected, Lab
C    xxx.xxx.xxx.xxx 255.255.255.240 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via xxx.xxx.xxx.xxx, outside

 
Bes4dmin (Author) commented:
The PC6248 is a layer 3 switch and has a vlan interface configured (vlan 100 has 192.168.100.2). As stated earlier port 1/g1 on switch goes to ASA interface (192.168.100.1)
And yeah all ports on switch and ASA are access ports.

How do I change my setup to have a trunk port between the PC6248 and the ASA? Do I need to create the VLANs on the ASA as well? Change routes? This is a production environment, so I don't want to cut testing down to a minimum.

Basically what I want to achieve is that all vlans on the PC6248 have access to a foreign network that is connected to the ASA on another port.
 
Marius Gunnerud (Senior Systems Engineer) commented:
on PC6248

int eth1/g1
switchport mode trunk
switchport trunk encapsulation dot1q

on the ASA
int gig0/1
no ip add

int gig0/1.100
description VLAN 100
nameif LAN
ip add 192.168.100.2 255.255.255.0
security-level 90

create subinterfaces for the other VLANs as well.
 
Marius Gunnerud (Senior Systems Engineer) commented:
ASA works much like routers when it comes to trunking VLANs.  Just keep in mind that they only support 802.1q trunking.
 
Bes4dmin (Author) commented:
Thanks MAG03
Just to check: after changing to a trunk port, do I need to delete the static routes on the ASA that point back to the PC6248 for my client VLANs? Since they would now be trunked, the ASA would see those networks as directly attached, right, so it won't need the static routes. Am I right?
 
Marius Gunnerud (Senior Systems Engineer) commented:
That is correct
 
Bes4dmin (Author) commented:
Ok, two more things: the PC6248 will still have routing VLANs, right? And do you know if there is a significant performance difference between using a trunked port and just using an access port?
 
Bes4dmin (Author) commented:
I didn't get it to work. I reconfigured the 0/1 interface on the ASA like this:

CiscoASA#
interface gigabitethernet 0/1
no ip address
!
interface gigabitethernet 0/1.100
ip address 192.168.100.1 255.255.255.0
vlan 100
nameif vlan100
security-level 90
!
interface gigabitethernet 0/1.6
ip address 192.168.160.1 255.255.255.0
vlan 6
nameif vlan6
security-level 90
!
interface gigabitethernet 0/1.5
ip address 192.168.150.1 255.255.255.0
vlan 5
nameif vlan5
security-level 90
!
interface gigabitethernet 0/1.4
ip address 192.168.140.1 255.255.255.0
vlan 4
nameif vlan4
security-level 90
!
interface gigabitethernet 0/1.3
ip address 192.168.130.1 255.255.255.0
vlan 3
nameif vlan3
security-level 90

no route LAN 192.168.160.0 255.255.255.0 192.168.100.2
no route LAN 192.168.150.0 255.255.255.0 192.168.100.2
no route LAN 192.168.140.0 255.255.255.0 192.168.100.2
no route LAN 192.168.130.0 255.255.255.0 192.168.100.2

Since the sub-interfaces now have 160.1, 150.1 etc., I changed the VLAN interface IPs on the PC6248 to 160.2, 150.2 etc.

On the 1/g1 port of the PC6248 I tried both
switchport mode trunk
and
switchport mode general
switchport general allowed vlan add 7,6,5,4,3 tagged
switchport general acceptable-frame-type tagged-only


With this I lost all connection between the PC6248 and the ASA
Ideas?
 
Bes4dmin (Author) commented:
I really need to get my users access to those networks, guys, so hit me with hints. Here's a network map that shows how it is connected; maybe it gives some ideas. I need to be able to get to the networks
172.16.200.0 /24
172.16.400.0 /24
172.16.600.0 /24
[network map image, not reproduced here]
 
Feroz Ahmed (Senior Network Engineer) commented:
Hi,

Try configuring an access-list on the ASA to access the inside network from the outside network. The commands should be as below:

ASA(config)# access-list 101 permit icmp any any
ASA(config)# access-group 101 in interface outside

By just configuring these commands you should be able to access inside network from outside.
 
Bes4dmin (Author) commented:
Thanks but why would I want to do that?
 
SEWS-E commented:
As I mentioned before, I would use the packet-tracer tool on the ASA to simulate traffic from the client vlans passing through the ASA to the 172.16.x.x subnets, and also the return traffic.

This will tell you if there are any issues with the ASA config that are causing the ASA to drop the traffic. If no issues are reported by the ASA, you know the problem lies elsewhere.
 
Bes4dmin (Author) commented:
OK, when I run packet tracer through ASDM with source 192.168.160.52 to destination 172.16.400.25 I get this deny:

NAT
nat (LAN) 101 0.0.0.0 0.0.0.0
match ip LAN any Resource any
dynamic translation to pool 101 (No matching global)
translate_hits = 19, untranslate_hits = 0
 
Bes4dmin (Author) commented:
Is it required that the Cisco 3825 holding the 400.0 and 600.0 networks has a route to another ASA interface?
 
SEWS-E commented:
Ideally, the Cisco 3825 should have routes to all other networks, or a default route pointing towards the ASA.
 
Bes4dmin (Author) commented:
The Cisco 3825 has a directly connected route to the ASA on the 172.16.200.0 network, but would it help if it also had static routes to our internal networks 192.168.100.0, 192.168.130.0 etc.?
 
SEWS-E commented:
Yes definitely!

A connected route and a default route are two different things. The connected route of 172.16.200.0/24 will not tell the Cisco 3825 what subnets are beyond the next hop (ASA). For the Cisco 3825 to know what subnets are beyond the ASA, it needs to have the relevant routes in its routing table.

So on the Cisco 3825, you would need these routes:

192.168.100.0/24 via 172.16.200.2
192.168.130.0/24 via 172.16.200.2
192.168.140.0/24 via 172.16.200.2

On the ASA you need:

172.16.400.0/24 via 172.16.200.1
172.16.600.0/24 via 172.16.200.1

You also need routes on the ASA to the 192.168.0.0 subnets, but from your diagram, I can't work out what the default gateway for the 192.168.0.0 subnets is. If the default gateway is the ASA, then all the routes should be connected if you've used VLANs, or if the default gateway is the PowerConnect 6248, then you need the relevant static routes on the ASA.
 
Bes4dmin (Author) commented:
Thanks Paul for working with me on this. Yes, that sounds relevant. I will tell my ISP to put those routes on the 3825.

As for the 192.168.0.0 subnet, I didn't put it on the diagram just to simplify things, since it has the same function as the 192.168.100.0 subnet and I can apply whatever solution to this subnet as soon as I get the 100.0 subnet working.
 
Bes4dmin (Author) commented:
That was it. Traffic from all my VLANs was indeed reaching the 400 and 600 networks, but since the router "holding" those networks didn't have a route to the ASA, the traffic never found its way back.
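The root cause above is a return-path problem: the forward lookups all succeed, but the 3825 has no route for 192.168.x.x and sends the replies up its default route, so the ping looks "dropped". The following is an added example, not code from the thread. It simulates longest-prefix-match lookups over the PC6248 and ASA routing tables posted above plus constructed tables for a client host, a server and the ISP's 3825 (only the ASA and PC6248 tables were actually posted), and traces both directions of a ping before and after the fix. 172.16.96.0/24 (from the ASA's "route resource" line) stands in for the ISP-side network, and 203.0.113.1 / 198.51.100.1 stand in for the masked upstream next hops.

```python
"""Added example (not from the thread): simulate forward and return route
lookups to show why a ping went out but never came back."""
import ipaddress
from typing import Dict, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network
# (prefix, next hop). A next hop of None means the prefix is directly connected.
Route = Tuple[IPv4Net, Optional[str]]


def net(cidr: str) -> IPv4Net:
    return ipaddress.ip_network(cidr, strict=False)


# PC6248 and ASA tables as posted. client/server/3825 are assumptions: the 3825 is
# modelled with only its connected networks plus an upstream default, i.e. no route
# back to 192.168.x.x. 203.0.113.1 and 198.51.100.1 are constructed stand-ins.
TABLES: Dict[str, List[Route]] = {
    "client": [(net("192.168.160.0/24"), None), (net("0.0.0.0/0"), "192.168.160.1")],
    "PC6248": [(net("192.168.100.0/24"), None), (net("192.168.130.0/24"), None),
               (net("192.168.140.0/24"), None), (net("192.168.150.0/24"), None),
               (net("192.168.160.0/24"), None), (net("0.0.0.0/0"), "192.168.100.1")],
    "ASA": [(net("192.168.100.0/24"), None), (net("172.16.200.0/24"), None),
            (net("192.168.130.0/24"), "192.168.100.2"), (net("192.168.140.0/24"), "192.168.100.2"),
            (net("192.168.150.0/24"), "192.168.100.2"), (net("192.168.160.0/24"), "192.168.100.2"),
            (net("172.16.96.0/24"), "172.16.200.1"), (net("0.0.0.0/0"), "203.0.113.1")],
    "3825": [(net("172.16.200.0/24"), None), (net("172.16.96.0/24"), None),
             (net("0.0.0.0/0"), "198.51.100.1")],
    "server": [(net("172.16.96.0/24"), None), (net("0.0.0.0/0"), "172.16.96.1")],
}

# Interface address -> device, so a next hop resolves to the box that owns it.
OWNER: Dict[str, str] = {
    "192.168.160.52": "client", "192.168.160.1": "PC6248", "192.168.100.2": "PC6248",
    "192.168.100.1": "ASA", "172.16.200.2": "ASA",
    "172.16.200.1": "3825", "172.16.96.1": "3825", "172.16.96.10": "server",
}


def lookup(table: List[Route], dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match, the way a FIB selects a route."""
    matches = [r for r in table if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def trace(src_dev: str, dst: str, tables=TABLES, owner=OWNER, max_hops=8):
    """Forward one packet hop by hop. Returns (delivered, path, reason)."""
    dst_ip, dev, path = ipaddress.IPv4Address(dst), src_dev, [src_dev]
    for _ in range(max_hops):
        route = lookup(tables[dev], dst_ip)
        if route is None:
            return False, path, f"{dev}: no route to {dst}"
        prefix, nh = route
        if nh is None:                              # connected: deliver on the segment
            target = owner.get(dst)
            if target is None:
                return False, path, f"{dev}: {dst} not found on connected {prefix}"
            if target != dev:
                path.append(target)
            return True, path, f"delivered via {prefix}"
        nxt = owner.get(nh)
        if nxt is None:
            return False, path, f"{dev}: next hop {nh} ({prefix}) leaves the modelled topology"
        dev = nxt
        path.append(dev)
    return False, path, "hop limit exceeded (routing loop?)"


def check(src: str, dst: str, tables=TABLES, owner=OWNER) -> dict:
    """Both directions must succeed; a ping with no return path looks dropped."""
    fwd = trace(owner[src], dst, tables, owner)
    back = trace(owner[dst], src, tables, owner)
    return {"forward": fwd, "return": back, "ok": fwd[0] and back[0]}


def with_return_routes(tables: Dict[str, List[Route]]) -> Dict[str, List[Route]]:
    """The fix from the thread: statics on the 3825 for the inside networks via the ASA."""
    fixed = {dev: list(routes) for dev, routes in tables.items()}
    for cidr in ("192.168.100.0/24", "192.168.130.0/24", "192.168.140.0/24",
                 "192.168.150.0/24", "192.168.160.0/24"):
        fixed["3825"].append((net(cidr), "172.16.200.2"))
    return fixed


if __name__ == "__main__":
    for label, t in (("before", TABLES), ("after", with_return_routes(TABLES))):
        r = check("192.168.160.52", "172.16.96.10", t)
        print(label, "ok" if r["ok"] else "BROKEN")
        print("  forward:", " -> ".join(r["forward"][1]), "|", r["forward"][2])
        print("  return: ", " -> ".join(r["return"][1]), "|", r["return"][2])
```

The forward trace reaches the server (client, PC6248, ASA, 3825, server) in both runs; only the return trace changes, failing at the 3825 before the statics are added and succeeding afterwards. That is exactly the blind spot of a one-directional packet-tracer run: the ASA reports nothing wrong because the ASA was never the device that dropped the packet.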
