jasonmohan
Routing back from Cisco ASA

I have 11 computers on a layer 3 switch plus a Cisco ASA. They are all on VLAN 1. This works with no issues.

However, I recently moved 1 computer to port 12, which is configured for VLAN 40. It can't access the internet though. The computer has the IP 192.168.4.10, and it can ping the 192.168.4.1 SVI for VLAN 40 shown below.

VLAN 40 - Configuration
int vlan 40
ip address 192.168.4.1 255.255.255.0

Port 12
switchport access vlan 40

ip routing
ip route 0.0.0.0 0.0.0.0 192.168.0.1

I can't ping 192.168.0.1 from this computer on vlan 40. I was able to ping it from the layer 3 switch console itself.

I believe the issue is that the Cisco ASA doesn't know what to do with the packet. However, I'm at a loss as to what I need to do to make it work. I thought that with ip routing enabled it would route between VLAN 40 and VLAN 1?
rauenpc

You probably need to add a route on the ASA to let it know how to get to the new subnet

route inside 192.168.4.0 255.255.255.0 192.168.0.x (ip address of the L3 switch vlan 1 interface)
Let's see:

-Is the ASA set up for both VLANs?
-Is the switchport connected to the ASA trunked so it carries both VLANs?

Could you post (sanitized) relevant parts of the switch and ASA config so we can have a closer look?
jasonmohan

ASKER

ciscoasa# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
domain-name bridgelanegroup.local
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 13
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 23.30.93.89 255.255.255.0
!
interface Vlan13
 nameif backupisp
 security-level 0
 ip address 192.168.2.10 255.255.255.0
!
boot system disk0:/asa842-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.0.12
 name-server 192.168.0.13
 domain-name bridgelanegroup.local
http server enable
http 192.168.0.0 255.255.255.0 inside
sla monitor 1
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside
sla monitor schedule 1 life forever start-time now
sla monitor 123
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0

ciscoasa#
See above. I'm using VLAN 13 for a backup ISP connection.
Here is my layer 3 switch config

Building configuration...

Current configuration : 2579 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname switchl3
!
boot-start-marker
boot-end-marker
!

!
!
aaa new-model
!
!
!
!
!
aaa session-id common
system mtu routing 1500
ip routing
ip domain-name bridgelanegroup.local
!
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0/1
 description ASA-Uplink
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
switchport access vlan 40
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
 description L2-Uplink
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface Vlan1
 ip address 192.168.0.3 255.255.255.0
!
interface Vlan40
 ip address 192.168.4.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1
ip http server
ip http secure-server
!
!
!
line con 0
line vty 5 15
!
end
Issue the show route command on the ASA.

You may need to add the .4 subnet to the inbound ACL on the inside interface as well.
If you don't need the VLANs to see each other, it may be a better option to configure an interface on VLAN 40 on the ASA instead of configuring routing between the ASA and the L3 switch.
ASKER CERTIFIED SOLUTION
Ernie Beek
Just use a new interface on the ASA if you don't have the Sec+ license...

interface Ethernet0/2
 switchport access vlan 40
Craig, remember there are limitations (regarding VLANs) when you don't have a Sec+ license.
Erniebeek,
I tried what you stated, and now I'm able to ping the ASA; however, I can't get out past that point. I tried pinging 8.8.8.8 and got no response, and I also checked the internet and it doesn't work. I decided to make Ethernet 0/3 the ASA uplink from the layer 3 switch's fa0/2. Also, I had to change the VLAN to 30 and the IP range to 192.168.3.X. I got further, however I'm not sure why I'm not routing to the internet. I'm attaching the ASA and layer 3 sh runs.
Switch L3

switchl3#sh run
Building configuration...

Current configuration : 2663 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname switchl3
!
boot-start-marker
boot-end-marker
!
!
!
!
!
aaa session-id common
system mtu routing 1500
ip routing
ip domain-name bridgelanegroup.local
!
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
 description ASA-Uplink
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface FastEthernet0/25
!
interface FastEthernet0/26
!
interface FastEthernet0/27
!
interface FastEthernet0/28
!
interface FastEthernet0/29
!
interface FastEthernet0/30
!
interface FastEthernet0/31
!
interface FastEthernet0/32
!
interface FastEthernet0/33
 description Backyard Camera
!
interface FastEthernet0/34
 description Front Driveway
!
interface FastEthernet0/35
 description Front Entry
!
interface FastEthernet0/36
 description Backyard Gate
!
interface FastEthernet0/37
!
interface FastEthernet0/38
!
interface FastEthernet0/39
!
interface FastEthernet0/40
!
interface FastEthernet0/41
!
interface FastEthernet0/42
!
interface FastEthernet0/43
!
interface FastEthernet0/44
!
interface FastEthernet0/45
!
interface FastEthernet0/46
!
interface FastEthernet0/47
!
interface FastEthernet0/48
!
interface GigabitEthernet0/1
 description L2-Uplink
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface Vlan1
 ip address 192.168.0.3 255.255.255.0
!
interface Vlan30
 ip address 192.168.3.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.3.2
ip http server
ip http secure-server
!
!
!
line con 0
line vty 5 15
!
end

switchl3#
Cisco ASA 5505 security plus

ciscoasa# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
domain-name bridgelanegroup.local
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 13
!
interface Ethernet0/2
!
interface Ethernet0/3
 switchport trunk allowed vlan 30
 switchport mode trunk
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 23.30.93.89 255.255.255.0
!
interface Vlan13
 nameif backupisp
 security-level 0
 ip address 192.168.2.10 255.255.255.0
!
interface Vlan30
 nameif vlan-storage
 security-level 100
 ip address 192.168.3.2 255.255.255.0
!
boot system disk0:/asa842-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.0.12
 name-server 192.168.0.13
 domain-name bridgelanegroup.local
object network obj_any
 subnet 0.0.0.0 0.0.0.0
nat (inside,outside) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static NETWORK_OBJ_192.168.0.192_27 NETWORK_OBJ_192.168.0.192_27 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static NETWORK_OBJ_192.168.0.128_26 NETWORK_OBJ_192.168.0.128_26 no-proxy-arp route-lookup
nat (inside,backupisp) source dynamic any interface
nat (vlan-storage,outside) source static any any no-proxy-arp route-lookup
!
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 23.30.93.94 128 track 1
route backupisp 0.0.0.0 0.0.0.0 192.168.2.1 254
!
track 1 rtr 123 reachability
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ciscoasa#
Agreed, Ernie.  Which is why I said...
"If you don't need the VLANs to see eachother"
:-)
packet-tracer input inside tcp 192.168.3.2 4444 8.8.8.8 4444 detailed

check results to see where the packet is dropping

Also check the statements in acl outside_access_in
show access-list outside_access_in
SOLUTION
I just started typing but saw your comment (2 fast 4 me :)

So, are you getting there?
@Craig: doh...

Remind me to get a new pair of glasses ;)
Too quick for me too... ;-)
Yes, it worked, thanks Ernie. I got Cisco TAC involved on the NAT problem, but after that your post and their NAT statement helped fix the problem. Thanks.
My pleasure, thx for the points :)
Ernie's solution was halfway correct. I needed to create the trunk port; however, that only allowed the traffic to make it to the ASA, and a NAT rule needed to be created to get it from the ASA to the internet and back into the VLAN.
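The two things that broke in this thread (rauenpc's point that the ASA had no return route to the new subnet, and the asker's closing point that the new ASA interface also needed a NAT rule toward the outside) are both cheap to catch by reading the two configs side by side. The script below is an added example, not code from the thread or from Cisco: it parses the line shapes that appear in the posted configs (interface / nameif / ip address, route, object network / subnet, and twice-NAT "nat (a,b) source ..." lines) and, for every SVI subnet on the L3 switch, reports whether the ASA can route back to it and whether that ingress interface has a NAT rule to outside that covers it. The sample configs embedded in it are constructed in the shape of the thread's configs (with documentation addresses for the outside side) and are not the posted configs verbatim; the parser is deliberately limited to those line shapes and makes no attempt to cover the full ASA NAT grammar.

```python
import re
from ipaddress import IPv4Network

# Constructed sample configs modelled on the thread (assumption: same line shapes as the posted configs).
SWITCH_CFG = """\
interface Vlan1
 ip address 192.168.0.3 255.255.255.0
!
interface Vlan30
 ip address 192.168.3.1 255.255.255.0
!
interface Vlan40
 ip address 192.168.4.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.0.1
"""

ASA_CFG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface Vlan30
 nameif vlan-storage
 security-level 100
 ip address 192.168.3.2 255.255.255.0
!
object network obj_any
 subnet 0.0.0.0 0.0.0.0
nat (inside,outside) source dynamic obj_any interface
route outside 0.0.0.0 0.0.0.0 203.0.113.1
"""


def parse_interfaces(cfg):
    """Map each 'interface X' block to its nameif (ASA only) and connected IPv4Network."""
    result, name = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            name = line.split(None, 1)[1]
            result[name] = {"nameif": None, "net": None}
        elif name and line.startswith(" "):
            tok = line.split()
            if tok[0] == "nameif":
                result[name]["nameif"] = tok[1]
            elif tok[:2] == ["ip", "address"] and len(tok) >= 4:
                result[name]["net"] = IPv4Network(f"{tok[2]}/{tok[3]}", strict=False)
        elif line.startswith("!"):
            name = None  # end of the interface block
    return result


def parse_asa_routes(cfg):
    """Static routes as (egress nameif, IPv4Network, next hop); trailing metric/track is ignored."""
    return [(m.group(1), IPv4Network(f"{m.group(2)}/{m.group(3)}", strict=False), m.group(4))
            for m in re.finditer(r"^route (\S+) (\S+) (\S+) (\S+)", cfg, re.M)]


def parse_asa_objects(cfg):
    """'object network NAME' followed by ' subnet A M' -> {NAME: IPv4Network}."""
    objs, cur = {}, None
    for line in cfg.splitlines():
        m = re.match(r"object network (\S+)", line)
        if m:
            cur = m.group(1)
        elif cur and line.startswith(" subnet "):
            _, addr, mask = line.split()
            objs[cur] = IPv4Network(f"{addr}/{mask}", strict=False)
        elif not line.startswith(" "):
            cur = None
    return objs


def parse_asa_nat(cfg, objs):
    """Twice-NAT lines as (ingress nameif, egress nameif, real source IPv4Network)."""
    nats = []
    for m in re.finditer(r"^nat \((\S+),(\S+)\) source (?:dynamic|static) (\S+)", cfg, re.M):
        src = m.group(3)
        net = IPv4Network("0.0.0.0/0") if src == "any" else objs.get(src)
        if net is not None:  # unresolved object names are skipped rather than guessed
            nats.append((m.group(1), m.group(2), net))
    return nats


def audit(switch_cfg, asa_cfg, outside="outside"):
    """For each L3-switch SVI subnet: 'ok', 'no return route on ASA', or a missing-NAT finding."""
    asa_ifs = parse_interfaces(asa_cfg)
    routes = parse_asa_routes(asa_cfg)
    nats = parse_asa_nat(asa_cfg, parse_asa_objects(asa_cfg))
    findings = {}
    for info in parse_interfaces(switch_cfg).values():
        subnet = info["net"]
        if subnet is None:
            continue
        # Return path: a directly connected ASA interface, else a non-default static route.
        ingress = next((i["nameif"] for i in asa_ifs.values()
                        if i["net"] is not None and subnet.subnet_of(i["net"])), None)
        if ingress is None:
            ingress = next((nameif for nameif, net, _ in routes
                            if net.prefixlen > 0 and subnet.subnet_of(net)), None)
        if ingress is None:
            findings[str(subnet)] = "no return route on ASA"
            continue
        # Translation: a NAT rule from that ingress interface to outside whose source covers the subnet.
        has_nat = any(a == ingress and b == outside and subnet.subnet_of(net) for a, b, net in nats)
        findings[str(subnet)] = "ok" if has_nat else f"no NAT ({ingress},{outside}) covering subnet"
    return findings


if __name__ == "__main__":
    for subnet, verdict in audit(SWITCH_CFG, ASA_CFG).items():
        print(f"{subnet:18} {verdict}")
```

Run against the constructed configs, VLAN 1 passes, VLAN 40 (reachable only through the switch, with no ASA route back) reproduces the thread's first failure, and VLAN 30 (connected directly to a new ASA interface but without a NAT rule) reproduces the second. Replacing the embedded strings with real "show run" output is enough to rerun the check after each change.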