Routing back from Cisco ASA

I have 11 computers on a layer 3 switch plus a Cisco ASA. They are all on VLAN 1. This works with no issues.

However, I recently moved one computer to port 12, which is configured for VLAN 40. It can't access the internet though. The computer has the IP 192.168.4.10, and it can ping the 192.168.4.1 SVI for VLAN 40 shown below.

VLAN 40 - Configuration
int vlan 40
ip address 192.168.4.1 255.255.255.0

Port 12
switchport access vlan 40

ip routing
ip route 0.0.0.0 0.0.0.0 192.168.0.1

I can't ping 192.168.0.1 from this computer on VLAN 40. I was able to ping it from the layer 3 switch console itself.

I believe the issue is that the Cisco ASA doesn't know what to do with the packet. However, I'm at a loss as to what I need to do to make it work. I thought that with ip routing enabled it would route between VLAN 40 and VLAN 1?

jasonmohan asked:
Ernie Beek (Expert) commented:
Looks like you have an ASA5505?
You'll need the security plus license to be able to create trunk ports on the ASA, but if you have that you can give that a try.
Have a look at: http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start_5505.html#wp1422895 
This shows an example on how to set up a trunk port on a 5505.
0
 
rauenpc commented:
You probably need to add a route on the ASA to let it know how to get to the new subnet

route inside 192.168.4.0 255.255.255.0 192.168.0.x (ip address of the L3 switch vlan 1 interface)
0
 
Ernie Beek (Expert) commented:
Let's see:

- Is the ASA set up for both VLANs?
- Is the switchport connected to the ASA trunked so it carries both VLANs?

Could you post (sanitized) relevant parts of the switch and ASA config so we can have a closer look?
0
jasonmohan (Author) commented:
ciscoasa# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
domain-name bridgelanegroup.local
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 13
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 23.30.93.89 255.255.255.0
!
interface Vlan13
 nameif backupisp
 security-level 0
 ip address 192.168.2.10 255.255.255.0
!
boot system disk0:/asa842-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.0.12
 name-server 192.168.0.13
 domain-name bridgelanegroup.local
http server enable
http 192.168.0.0 255.255.255.0 inside
sla monitor 1
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside
sla monitor schedule 1 life forever start-time now
sla monitor 123
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0

ciscoasa#
0
 
jasonmohan (Author) commented:
See above. I'm using the vlan13 for a backup ISP connection.
0
 
jasonmohan (Author) commented:
Here is my layer 3 switch config

Building configuration...

Current configuration : 2579 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname switchl3
!
boot-start-marker
boot-end-marker
!

!
!
aaa new-model
!
!
!
!
!
aaa session-id common
system mtu routing 1500
ip routing
ip domain-name bridgelanegroup.local
!
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0/1
 description ASA-Uplink
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
switchport access vlan 40
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
 description L2-Uplink
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface Vlan1
 ip address 192.168.0.3 255.255.255.0
!
interface Vlan40
 ip address 192.168.4.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1
ip http server
ip http secure-server
!
!
!
line con 0
line vty 5 15
!
end
0
 
Akinsd (Network Administrator) commented:
Issue the "show route" command on the ASA.

You may also need to add the 192.168.4.0 subnet to the ACL applied inbound on the inside interface.
0
 
Craig Beck commented:
If you don't need the VLANs to see each other, it may be a better option to configure an interface on VLAN 40 on the ASA instead of configuring routing between the ASA and the L3 switch.
0
 
Craig Beck commented:
Just use a new interface on the ASA if you don't have the Sec+ license...

interface Ethernet0/2
 switchport access vlan 40
0
 
Ernie Beek (Expert) commented:
Craig, remember there are limitations (regarding VLANs) when you don't have a Sec+ license.
0
 
jasonmohan (Author) commented:
Erniebeek,
I tried what you stated, and now I'm able to ping the ASA; however, I can't get out past that point. I tried pinging 8.8.8.8 and got no response, and I also checked internet access and it doesn't work. I decided to make Ethernet 0/3 the ASA uplink from the layer 3 switch fa0/2. I also had to change the VLAN to 30 and the IP range to 192.168.3.X. I got further, but I'm not sure why I'm not routing to the internet. I'm attaching the ASA and layer 3 sh runs.
0
 
jasonmohan (Author) commented:
Switch L3

switchl3#sh run
Building configuration...

Current configuration : 2663 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname switchl3
!
boot-start-marker
boot-end-marker
!
!
!
!
!
aaa session-id common
system mtu routing 1500
ip routing
ip domain-name bridgelanegroup.local
!
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
 description ASA-Uplink
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface FastEthernet0/25
!
interface FastEthernet0/26
!
interface FastEthernet0/27
!
interface FastEthernet0/28
!
interface FastEthernet0/29
!
interface FastEthernet0/30
!
interface FastEthernet0/31
!
interface FastEthernet0/32
!
interface FastEthernet0/33
 description Backyard Camera
!
interface FastEthernet0/34
 description Front Driveway
!
interface FastEthernet0/35
 description Front Entry
!
interface FastEthernet0/36
 description Backyard Gate
!
interface FastEthernet0/37
!
interface FastEthernet0/38
!
interface FastEthernet0/39
!
interface FastEthernet0/40
!
interface FastEthernet0/41
!
interface FastEthernet0/42
!
interface FastEthernet0/43
!
interface FastEthernet0/44
!
interface FastEthernet0/45
!
interface FastEthernet0/46
!
interface FastEthernet0/47
!
interface FastEthernet0/48
!
interface GigabitEthernet0/1
 description L2-Uplink
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface Vlan1
 ip address 192.168.0.3 255.255.255.0
!
interface Vlan30
 ip address 192.168.3.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.3.2
ip http server
ip http secure-server
!
!
!
line con 0
line vty 5 15
!
end

switchl3#
0
 
jasonmohan (Author) commented:
Cisco ASA 5505 security plus

ciscoasa# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
domain-name bridgelanegroup.local
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 13
!
interface Ethernet0/2
!
interface Ethernet0/3
 switchport trunk allowed vlan 30
 switchport mode trunk
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 23.30.93.89 255.255.255.0
!
interface Vlan13
 nameif backupisp
 security-level 0
 ip address 192.168.2.10 255.255.255.0
!
interface Vlan30
 nameif vlan-storage
 security-level 100
 ip address 192.168.3.2 255.255.255.0
!
boot system disk0:/asa842-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.0.12
 name-server 192.168.0.13
 domain-name bridgelanegroup.local
object network obj_any
 subnet 0.0.0.0 0.0.0.0
nat (inside,outside) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static NETWORK_OBJ_192.168.0.192_27 NETWORK_OBJ_192.168.0.192_27 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static NETWORK_OBJ_192.168.0.128_26 NETWORK_OBJ_192.168.0.128_26 no-proxy-arp route-lookup
nat (inside,backupisp) source dynamic any interface
nat (vlan-storage,outside) source static any any no-proxy-arp route-lookup
!
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 23.30.93.94 128 track 1
route backupisp 0.0.0.0 0.0.0.0 192.168.2.1 254
!
track 1 rtr 123 reachability
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ciscoasa#
0
 
Craig Beck commented:
Agreed, Ernie. Which is why I said...
"If you don't need the VLANs to see each other"
:-)
0
 
Akinsd (Network Administrator) commented:
packet-tracer input inside tcp 192.168.3.2 4444 8.8.8.8 4444 detailed

check results to see where the packet is dropping

Also check the statements in acl outside_access_in
show access-list outside_access_in
0
 
jasonmohan (Author) commented:
I found out what the issue was. I had to remove a nat statement and add a different one. I'm including that below for anyone who comes across this.

no nat (vlan-storage,outside) source static any any no-proxy-arp route-lookup
object network obj-vlan-storage
subnet 0 0
nat (vlan-storage,outside) dynamic interface
show run nat
0
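An added check (my own example, not code from the thread or from Cisco) that applies the two things this thread turned on: rauenpc's point that the ASA must have a route back to the new subnet, and the accepted answer's replacement of the identity NAT with interface PAT. It works on a constructed excerpt modelled on the ASA config posted above; the host addresses 192.168.4.10 and 192.168.3.10 and the helper names are assumptions.

```python
import ipaddress
import re
# Constructed excerpt modelled on the ASA config posted in the thread, not the device's own output.
ASA_BEFORE = """\
interface Vlan1
 nameif inside
 ip address 192.168.0.1 255.255.255.0
interface Vlan30
 nameif vlan-storage
 ip address 192.168.3.2 255.255.255.0
nat (vlan-storage,outside) source static any any no-proxy-arp route-lookup
route outside 0.0.0.0 0.0.0.0 23.30.93.94 128 track 1
"""
ASA_AFTER = ASA_BEFORE.replace(  # the accepted fix: identity NAT swapped for object NAT (PAT)
    "nat (vlan-storage,outside) source static any any no-proxy-arp route-lookup",
    "object network obj-vlan-storage\n subnet 0 0\n nat (vlan-storage,outside) dynamic interface")

def parse_asa(text):
    """Collect nameif -> connected network, static routes and NAT rules from 'show run' text."""
    ifaces, routes, nats, nameif = {}, [], [], None
    for raw in text.splitlines():
        s = raw.strip()
        m = re.match(r"nat \((\S+),(\S+)\) (.*)", s)
        if s.startswith("interface "):
            nameif = None                      # new block; wait for its nameif
        elif s.startswith("nameif "):
            nameif = s.split()[1]
        elif s.startswith("ip address ") and nameif:
            ifaces[nameif] = ipaddress.ip_network("/".join(s.split()[2:4]), strict=False)
        elif s.startswith("route "):
            p = s.split()
            routes.append((p[1], ipaddress.ip_network(f"{p[2]}/{p[3]}", strict=False)))
        elif m:
            nats.append((m.group(1), m.group(2), m.group(3)))
    return ifaces, routes, nats

def trace(cfg, src, arrived_on, egress="outside"):
    """Apply the two checks packet-tracer would have shown: reverse route, then NAT."""
    ifaces, routes, nats = cfg
    addr = ipaddress.ip_address(src)
    hits = [(n.prefixlen, i) for i, n in list(ifaces.items()) + routes if addr in n]
    owner = max(hits)[1] if hits else None     # longest-prefix match for the source
    if owner != arrived_on:                    # replies would be routed elsewhere, or nowhere
        return f"no-return-route: {src} resolves to {owner}, expected {arrived_on}"
    for a, b, body in nats:
        if (a, b) == (arrived_on, egress) and "dynamic" in body:
            return "pat"                       # translated to the egress interface address
        if (a, b) == (arrived_on, egress) and "static any any" in body:
            return "identity-nat: private source leaves untranslated"
    return "no-nat: private source leaves untranslated"
```

Run `trace(parse_asa(ASA_BEFORE), "192.168.4.10", "inside")` to see the original symptom (the ASA resolves the VLAN 40 source to a different interface than it arrived on), and compare `ASA_BEFORE` with `ASA_AFTER` for 192.168.3.10 on vlan-storage to see why the NAT change was needed.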
 
Ernie Beek (Expert) commented:
I just started typing but saw your comment (2 fast 4 me :)

So, are you getting there?
0
 
Ernie Beek (Expert) commented:
@Craig: doh...

Remind me to get a new pair of glasses ;)
0
 
Craig Beck commented:
Too quick for me too... ;-)
0
 
jasonmohan (Author) commented:
Yes, it worked, thanks Ernie. I got Cisco TAC involved on the NAT problem, but after that your post and their NAT statement helped fix the problem. Thanks.
0
 
Ernie Beek (Expert) commented:
My pleasure,  thx for the points :)
0
 
jasonmohan (Author) commented:
Ernie's solution was halfway correct. I needed to create the trunk port; however, that only allowed the traffic to make it to the ASA. A NAT rule then needed to be created to get it from the ASA to the internet and back into the VLAN.
0
Question has a verified solution.