Solved

Routing back from Cisco ASA

Posted on 2013-10-29
Last Modified: 2013-11-04
I have 11 computers on a layer 3 switch plus a Cisco ASA. They are all on VLAN 1. This works with no issues.

However, recently I moved 1 computer to port 12, which is configured for VLAN 40. It can't access the internet, though. The computer has the IP 192.168.4.10, and it can ping the 192.168.4.1 SVI for VLAN 40 shown below.

VLAN 40 - Configuration
int vlan 40
ip address 192.168.4.1 255.255.255.0

Port 12
switchport access vlan 40

ip routing
ip route 0.0.0.0 0.0.0.0 192.168.0.1

I can't ping 192.168.0.1 from this computer on vlan 40. I was able to ping it from the layer 3 switch console itself.

I believe the issue is that the Cisco ASA doesn't know what to do with the packet. However, I'm at a loss as to what I need to do to make it work. I thought that with ip routing enabled it would route between VLAN 40 and VLAN 1?
Question by:jasonmohan
 
Expert Comment by:rauenpc
You probably need to add a route on the ASA to let it know how to get to the new subnet:

route inside 192.168.4.0 255.255.255.0 192.168.0.x (ip address of the L3 switch vlan 1 interface)
0
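To see why the missing route matters, here is an added worked example (not part of the thread, and not Cisco tooling) that does the ASA's longest-prefix lookup for the reply direction in the poster's first design, where VLAN 40 is routed on the L3 switch and the ASA only knows 192.168.0.0/24. The routing table is transcribed from the ASA "sh run" posted later in the thread (connected networks plus the two default routes); 192.168.0.3, the L3 switch's VLAN 1 SVI, is assumed to be the "192.168.0.x" in rauenpc's route. It shows that the PC's echo request can reach 192.168.0.1 through the switch, but the ASA's best match for 192.168.4.10 is the default route, so the reply leaves on outside rather than inside until the static route is added.

```python
"""
Return-path lookup for the thread's first design (VLAN 40 routed on the
L3 switch, the ASA knowing only 192.168.0.0/24).

Added example, not from the original thread. Routing table transcribed
from the ASA `show run` posted later in the thread; 192.168.0.3 (the L3
switch's VLAN 1 SVI) is assumed to be rauenpc's "192.168.0.x".
"""
import ipaddress

# (prefix, interface, next hop, metric); connected routes have no next hop.
ASA_ROUTES_BEFORE = [
    ("192.168.0.0/24", "inside", None, 0),
    ("23.30.93.0/24", "outside", None, 0),
    ("192.168.2.0/24", "backupisp", None, 0),
    ("0.0.0.0/0", "outside", "23.30.93.94", 128),
    ("0.0.0.0/0", "backupisp", "192.168.2.1", 254),
]

# Same table after rauenpc's `route inside 192.168.4.0 255.255.255.0 192.168.0.3`
# (static routes get administrative distance 1 by default).
ASA_ROUTES_AFTER = ASA_ROUTES_BEFORE + [
    ("192.168.4.0/24", "inside", "192.168.0.3", 1),
]


def lookup(routes, dst):
    """Longest-prefix match, lowest metric as tie-break.

    Returns (network, interface, next_hop, metric) or None if nothing matches.
    """
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, next_hop, metric in routes:
        net = ipaddress.ip_network(prefix)
        if dst not in net:
            continue
        if best is None or (net.prefixlen, -metric) > (best[0].prefixlen, -best[3]):
            best = (net, iface, next_hop, metric)
    return best


def reply_path(routes, client_ip, ingress):
    """Which interface carries the ASA's reply to client_ip, and does it
    match the interface the request arrived on (symmetric routing)?"""
    net, egress, next_hop, _ = lookup(routes, client_ip)
    return {"match": str(net), "egress": egress, "next_hop": next_hop,
            "symmetric": egress == ingress}


if __name__ == "__main__":
    for label, table in (("before", ASA_ROUTES_BEFORE), ("after", ASA_ROUTES_AFTER)):
        print(label, reply_path(table, "192.168.4.10", "inside"))
```

In the poster's final design the new subnet (192.168.3.0/24) is directly connected to an ASA interface, so no static route is needed and the switch's default route points at the ASA's 192.168.3.2 instead. A pure route lookup is only part of the ASA's decision: NAT (with route-lookup), uRPF and the access-group also apply, so packet-tracer on the ASA remains the authoritative check.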
 
Expert Comment by:Ernie Beek
Let's see:

-Is the ASA set up for both VLANs?
-Is the switchport connected to the ASA trunked so it carries both VLANs?

Could you post (sanitized) relevant parts of the switch and ASA config so we can have a closer look?

Author Comment by:jasonmohan
ciscoasa# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
domain-name bridgelanegroup.local
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 13
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 23.30.93.89 255.255.255.0
!
interface Vlan13
 nameif backupisp
 security-level 0
 ip address 192.168.2.10 255.255.255.0
!
boot system disk0:/asa842-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.0.12
 name-server 192.168.0.13
 domain-name bridgelanegroup.local
http server enable
http 192.168.0.0 255.255.255.0 inside
sla monitor 1
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside
sla monitor schedule 1 life forever start-time now
sla monitor 123
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0

ciscoasa#

Author Comment by:jasonmohan
See above. I'm using the vlan13 for a backup ISP connection.

Author Comment by:jasonmohan
Here is my layer 3 switch config

Building configuration...

Current configuration : 2579 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname switchl3
!
boot-start-marker
boot-end-marker
!

!
!
aaa new-model
!
!
!
!
!
aaa session-id common
system mtu routing 1500
ip routing
ip domain-name bridgelanegroup.local
!
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0/1
 description ASA-Uplink
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
switchport access vlan 40
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
 description L2-Uplink
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface Vlan1
 ip address 192.168.0.3 255.255.255.0
!
interface Vlan40
 ip address 192.168.4.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1
ip http server
ip http secure-server
!
!
!
line con 0
line vty 5 15
!
end

Expert Comment by:Akinsd
Issue the show route command on the ASA.

You may need to add the 192.168.4.0 subnet to the ACL for the inside interface inbound also.

Expert Comment by:Craig Beck
If you don't need the VLANs to see each other, it may be a better option to configure an interface on VLAN 40 on the ASA instead of configuring routing between the ASA and the L3 switch.

Accepted Solution by:Ernie Beek (earned 500 total points)
Looks like you have an ASA5505?
You'll need the security plus license to be able to create trunk ports on the ASA, but if you have that you can give that a try.
Have a look at: http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start_5505.html#wp1422895
This shows an example on how to set up a trunk port on a 5505.

Expert Comment by:Craig Beck
Just use a new interface on the ASA if you don't have the Sec+ license...

interface Ethernet0/2
 switchport access vlan 40

Expert Comment by:Ernie Beek
Craig,  remember there are limitations (regarding VLANs) when you don't have a sec+ license.

Author Comment by:jasonmohan
Erniebeek,
I tried what you stated, and now I'm able to ping the ASA, however I can't get out past that point. I tried ping 8.8.8.8 and no response, also checked internet and it doesn't work. I decided to make ethernet 0/3 the ASA uplink from the Layer 3 switch fa0/2. Also I had to changed the vlan to 30, and ip range 192.168.3.X. I got further however I'm not sure why I'm not routing to the internet. I'm attaching the ASA and layer 3 sh runs.

Author Comment by:jasonmohan
Switch L3



switchl3#sh run
Building configuration...

Current configuration : 2663 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname switchl3
!
boot-start-marker
boot-end-marker
!
!
!
!
!
aaa session-id common
system mtu routing 1500
ip routing
ip domain-name bridgelanegroup.local
!
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
 description ASA-Uplink
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface FastEthernet0/25
!
interface FastEthernet0/26
!
interface FastEthernet0/27
!
interface FastEthernet0/28
!
interface FastEthernet0/29
!
interface FastEthernet0/30
!
interface FastEthernet0/31
!
interface FastEthernet0/32
!
interface FastEthernet0/33
 description Backyard Camera
!
interface FastEthernet0/34
 description Front Driveway
!
interface FastEthernet0/35
 description Front Entry
!
interface FastEthernet0/36
 description Backyard Gate
!
interface FastEthernet0/37
!
interface FastEthernet0/38
!
interface FastEthernet0/39
!
interface FastEthernet0/40
!
interface FastEthernet0/41
!
interface FastEthernet0/42
!
interface FastEthernet0/43
!
interface FastEthernet0/44
!
interface FastEthernet0/45
!
interface FastEthernet0/46
!
interface FastEthernet0/47
!
interface FastEthernet0/48
!
interface GigabitEthernet0/1
 description L2-Uplink
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface Vlan1
 ip address 192.168.0.3 255.255.255.0
!
interface Vlan30
 ip address 192.168.3.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.3.2
ip http server
ip http secure-server
!
!
!
line con 0
line vty 5 15
!
end

switchl3#

Author Comment by:jasonmohan
Cisco ASA 5505 security plus

ciscoasa# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
domain-name bridgelanegroup.local
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 13
!
interface Ethernet0/2
!
interface Ethernet0/3
 switchport trunk allowed vlan 30
 switchport mode trunk
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 23.30.93.89 255.255.255.0
!
interface Vlan13
 nameif backupisp
 security-level 0
 ip address 192.168.2.10 255.255.255.0
!
interface Vlan30
 nameif vlan-storage
 security-level 100
 ip address 192.168.3.2 255.255.255.0
!
boot system disk0:/asa842-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.0.12
 name-server 192.168.0.13
 domain-name bridgelanegroup.local
object network obj_any
 subnet 0.0.0.0 0.0.0.0
nat (inside,outside) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static NETWORK_OBJ_192.168.0.192_27 NETWORK_OBJ_192.168.0.192_27 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static NETWORK_OBJ_192.168.0.128_26 NETWORK_OBJ_192.168.0.128_26 no-proxy-arp route-lookup
nat (inside,backupisp) source dynamic any interface
nat (vlan-storage,outside) source static any any no-proxy-arp route-lookup
!
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 23.30.93.94 128 track 1
route backupisp 0.0.0.0 0.0.0.0 192.168.2.1 254
!
track 1 rtr 123 reachability
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ciscoasa#

Expert Comment by:Craig Beck
Agreed, Ernie.  Which is why I said...
"If you don't need the VLANs to see each other"
:-)

Expert Comment by:Akinsd
packet-tracer input inside tcp 192.168.3.2 4444 8.8.8.8 4444 detailed

check results to see where the packet is dropping

Also check the statements in acl outside_access_in
show access-list outside_access_in

Assisted Solution by:jasonmohan
I found out what the issue was. I had to remove a nat statement and add a different one. I'm including that below for anyone who comes across this.

no nat (vlan-storage,outside) source static any any no-proxy-arp route-lookup
object network obj-vlan-storage
 subnet 0.0.0.0 0.0.0.0
 nat (vlan-storage,outside) dynamic interface
show run nat
0
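The fix above swaps an identity twice-NAT rule for dynamic PAT, which is the kind of mistake that is easy to miss in a long "show run". As an added example (not part of the thread, and not Cisco's own tooling), the script below parses the NAT-relevant lines of the poster's second "show run", transcribed inline, and reports for every security-level 100 interface whether its traffic to outside is PATed, passed through untranslated, or has no rule in the parsed lines. The interface names, addresses, rules and the fix are taken from the thread; the object-NAT section the poster omitted from "show run" is not reconstructed, and the parser's handling of indentation is an assumption about ASA output rather than a specification.

```python
"""
NAT audit for the ASA configuration posted in this thread.

Added example, not part of the original thread. The thread's root cause
was `nat (vlan-storage,outside) source static any any ...`: an identity
(no-translation) rule, so 192.168.3.x sources left for the ISP with their
private addresses and nothing could answer. Interface names, addresses
and the fix are from the thread; the object-NAT section the poster
omitted from `show run` is not reconstructed.
"""
import ipaddress
import re

# Transcribed from the poster's `show run` above (NAT-relevant lines only).
ASA_BROKEN = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 23.30.93.89 255.255.255.0
interface Vlan30
 nameif vlan-storage
 security-level 100
 ip address 192.168.3.2 255.255.255.0
nat (inside,outside) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static NETWORK_OBJ_192.168.0.192_27 NETWORK_OBJ_192.168.0.192_27 no-proxy-arp route-lookup
nat (inside,backupisp) source dynamic any interface
nat (vlan-storage,outside) source static any any no-proxy-arp route-lookup
telnet 192.168.0.0 255.255.255.0 inside
"""

# The poster's fix: identity rule removed, object NAT with dynamic PAT added.
ASA_FIXED = ASA_BROKEN.replace(
    "nat (vlan-storage,outside) source static any any no-proxy-arp route-lookup\n",
    "object network obj-vlan-storage\n"
    " subnet 0.0.0.0 0.0.0.0\n"
    " nat (vlan-storage,outside) dynamic interface\n",
)

IFACE_RE = re.compile(r"^interface (\S+)")
NAT_RE = re.compile(r"^\s*nat \((\S+?),(\S+?)\)\s+(.*)$")


def parse(config):
    """Return ({nameif: {sec, net}}, [(real_if, mapped_if, args)], [mgmt lines])."""
    ifaces, nats, mgmt, current = {}, [], [], None
    for line in config.splitlines():
        if not line.startswith(" "):          # top-level command: leave any interface block
            current = None
            if IFACE_RE.match(line):
                current = {"sec": None, "net": None}
                continue
        m = NAT_RE.match(line)                # twice NAT (top level) or object NAT (indented)
        if m:
            nats.append((m.group(1), m.group(2), m.group(3).split()))
            continue
        if current is not None:               # inside an interface block
            key, _, val = line.strip().partition(" ")
            if key == "nameif":
                ifaces[val] = current
            elif key == "security-level":
                current["sec"] = int(val)
            elif key == "ip":                 # "ip address A.B.C.D MASK"
                addr, mask = val.split()[1:3]
                current["net"] = ipaddress.ip_interface(f"{addr}/{mask}").network
        elif line.startswith(("telnet ", "ssh ")):
            mgmt.append(line.split())
    return ifaces, nats, mgmt


def classify(args):
    """Classify one nat rule's arguments: identity, identity-scoped, dynamic or static."""
    if args[0] == "source":                   # twice NAT: source {static|dynamic} REAL MAPPED ...
        kind, real, mapped = args[1], args[2], args[3]
        if kind == "dynamic":
            return "dynamic"
        if real == mapped:                    # no translation at all
            return "identity-scoped" if "destination" in args else "identity"
        return "static"
    return "dynamic" if args[0] == "dynamic" else "static"   # object NAT


def audit(config):
    """Per inside-facing (security-level 100) interface, say how its traffic reaches outside."""
    ifaces, nats, mgmt = parse(config)
    findings = {}
    for name, info in ifaces.items():
        if info["sec"] != 100:
            continue
        kinds = [classify(a) for real_if, mapped_if, a in nats
                 if real_if == name and mapped_if == "outside"]
        if "identity" in kinds:
            findings[name] = (f"identity NAT to outside: {info['net']} sources egress "
                              "untranslated, replies cannot return")
        elif "dynamic" in kinds:
            findings[name] = "ok: dynamic PAT to outside"
        else:
            findings[name] = "no NAT to outside in parsed lines (check object NAT section)"
    for m in mgmt:
        if m[0] == "telnet":
            findings["mgmt"] = f"telnet allowed from {m[1]} {m[2]} on {m[3]}: cleartext management"
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", ASA_BROKEN), ("fixed", ASA_FIXED)):
        print(label, audit(cfg))
```

The identity rules on inside are reported separately because they carry a destination clause, so they only exempt traffic to the two listed subnets and do not stop PAT for everything else. The telnet line is flagged as an aside: it is limited to the inside network here, but it is still a cleartext management path on a firewall.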
 
Expert Comment by:Ernie Beek
I just started typing but saw your comment (2 fast 4 me :)

So, are you getting there?

Expert Comment by:Ernie Beek
@Craig: doh...

Remind me to get a new pair of glasses ;)

Expert Comment by:Craig Beck
Too quick for me too... ;-)

Author Comment by:jasonmohan
Yes, it worked. Thanks, Ernie. I got Cisco TAC involved on the NAT problem, but after that your post and their NAT statement helped fix the problem. Thanks.

Expert Comment by:Ernie Beek
My pleasure,  thx for the points :)

Author Closing Comment by:jasonmohan
Ernie's solution was halfway correct. I needed to create the trunk port; however, that only allowed it to make it to the ASA. A NAT rule needed to be created to get it from the ASA to the internet and back into the VLAN.