Solved

Cisco 6500 & ASA 5505 firewall routing

Posted on 2013-11-11
558 Views
Last Modified: 2013-11-23
I have a new setup that I am trying to get working.
I have a 6500 core switch/router with 3 layer 3 VLANs on it.

Vlan 2 172.16.3.0/24  
Vlan 3 172.16.4.0/24
Vlan 5 10.40.226.0/24

There is also a Layer 2 VLAN, VLAN 100, to talk to the firewall.
The firewall internal interface is 172.16.1.1.
What do I need to do to get all the switch VLANs to talk back and forth to the firewall?
What would the routing look like?
new.txt
0
Question by:thombie
26 Comments
 
LVL 17

Expert Comment

by:TimotiSt
ID: 39639557
I don't see any interface on the Cat6500 in the 172.16.1.0/24 subnet, so the default gateway and static route won't really work.
You just want vlan 2,3,5 to be able to go out to the Internet through the ASA?
- Give VLAN 100 an IP address, like 172.16.1.2/24;
- Set up static routes on the ASA to the subnets through 172.16.1.2 (the Cat6500);
- Set up NAT on the ASA for all subnets.

Tamas
0
 

Author Comment

by:thombie
ID: 39639586
I will try it tomorrow when back in the office
0
 

Author Comment

by:thombie
ID: 39641045
I have created 172.16.1.2/24 on VLAN 100 and it is still not working. Any ideas?
0
 
LVL 17

Expert Comment

by:TimotiSt
ID: 39641061
Let's figure out what's not working:
From a PC on any of the subnets:
- Try pinging the default gateway (vlan interface on the Cat6500),
- Ping a PC on a different subnet (make sure the pinged PC is not firewalled),
- Ping the inside interface of the ASA (172.16.1.1),
- Ping something on the Internet.
0
 

Author Comment

by:thombie
ID: 39641186
I can ping the DG from the PC.
I can't ping the inside int of the firewall (destination unreachable).
Can't ping the internet yet as the link is not up; I am trying to get all the internal stuff working first.
0
 
LVL 17

Expert Comment

by:TimotiSt
ID: 39641197
Okay, depending on the config of the ASA, it might not reply to pings even on the inside interface.
Can you ping a PC/something on another subnet?
0
 

Author Comment

by:thombie
ID: 39641216
No, I get "destination unreachable".
0
 

Author Comment

by:thombie
ID: 39641230
Will NAT affect this?
0
 
LVL 17

Expert Comment

by:TimotiSt
ID: 39641249
Checked the Catalyst config again: looks like you're missing the line:

ip routing

to actually enable IP routing.
Can you put that in, and ping a PC on another subnet?
0
 

Author Comment

by:thombie
ID: 39641256
IP routing is enabled. I can't ping another PC on another subnet, and I can't ping 172.16.1.1.
0
 
LVL 17

Expert Comment

by:TimotiSt
ID: 39641260
Can you post the output of "ipconfig /all" from a PC?
0
 

Author Comment

by:thombie
ID: 39641277
Physical Address. . . . . . . . . : 00-08-02-D8-48-F9
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 172.16.3.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.3.1
DHCP Server . . . . . . . . . . . : 172.16.3.1
DNS Servers . . . . . . . . . . . : 8.8.4.4
0
 

Author Comment

by:thombie
ID: 39641290
The switch is the DHCP server.
0
 
LVL 17

Expert Comment

by:TimotiSt
ID: 39641353
Based on this, you should be able to ping hosts on the 172.16.4.0/24 network at least (unless they have Windows firewall enabled).
Can you post the current config of the Catalyst?
0
 

Author Comment

by:thombie
ID: 39641521
Windows firewall is not enabled.
runningconfig.TXT
0
 

Author Comment

by:thombie
ID: 39643902
What do you think ?
0
 
LVL 17

Expert Comment

by:TimotiSt
ID: 39645916
Looks okay to me...
Let's ask for a bit of help here...
0
 
LVL 12

Assisted Solution

by:Henk van Achterberg
Henk van Achterberg earned 250 total points
ID: 39646020
On the switch please enter:

term len 0
sh run

and paste the output in a file and post it here.

On the ASA please use:

term pag 0
sh run

Sanitize the config and post it here.
0
 

Author Comment

by:thombie
ID: 39647845
Attached is a file that has both outputs requested.
asa-output.txt
0
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39649041
Can you please enable the VLAN interface of the ASA?

interface Vlan100
no shutdown

When you have done that, can you try to:

1. ping the ASA from your switch (ping 172.16.1.1)
2. ping a workstation from the switch
3. ping the ASA from the switch

and post the results?
0
 

Author Comment

by:thombie
ID: 39650507
VLAN 100 enabled.
1. Success rate 0 from switch to ASA.
2. I can ping a workstation from the switch.
3. Cannot ping the switch from the ASA.

Would this be NATing on the ASA?
0
 

Author Comment

by:thombie
ID: 39650901
My cable layout on the 6500 switch:

port 7/47 VLAN 100, cabled to the outside interface of the ASA
port 7/48 VLAN 100, cabled to ISP equipment

Should I have a 7/46 cabled to the internal interface of the ASA?
And do I need a new VLAN for the internal ASA interface?
0
 
LVL 42

Accepted Solution

by:kevinhsieh
kevinhsieh earned 250 total points
ID: 39657173
You should NOT have an interface VLAN 100. That is just a layer 2 grouping so your ASA can talk to the Internet. I have not gone through all of your configs, and I am doing this from memory. Please review carefully before making any changes. I am suggesting vlan 101 for the link between the switch and ASA, but you can pick another vlan if you like.

conf t
! create the L2 VLAN first so the SVI below has something to bind to
vlan 101
!
! remove the L3 VLAN 100 interface; the L2 VLAN 100 (ASA outside <-> ISP) remains
no interface vlan 100
!
! L3 transit interface toward the ASA inside interface (172.16.1.1)
interface vlan 101
 description uplink to ASA
 ip address 172.16.1.254 255.255.255.0
 no shutdown
!
! anything not in a local VLAN goes to the ASA inside interface
ip route 0.0.0.0 0.0.0.0 172.16.1.1
!
! access port 7/46 for the cable to the ASA inside port
! (use the interface type your line card reports: f = FastEthernet, gi = GigabitEthernet)
interface f7/46
 description uplink to ASA
 switchport access vlan 101
 switchport mode access
 no shutdown
end

On the ASA, you will need to route to 172.16.1.254 for your internal subnets.
0
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 39657681
You asked very similar questions on your other post, and I gave you suggested routing there. You're only going to confuse yourself if you ask the same questions twice.

Here's what I said:
1. ASA needs a default route to the ISP
2. ASA needs routes to the 6500 for any Layer 3 LANs that exist there.
3. 6500 needs a default route to the ASA.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 39659257
>route inside 0.0.0.0 0.0.0.0 195.40.10.97 1
This should be "route outside" on the ASA.

Connect port 0/1 of the ASA to 6500 port 7/46 (with IP address 172.16.1.2).
Although what I typically do is use a routed interface on the 6500 instead of an SVI, i.e.

interface GigabitEthernet7/46
 ! make this a routed L3 port: no transit VLAN or SVI is needed
 no switchport
 ip address 172.16.1.2 255.255.255.0
 no shutdown
 description ** transit link to ASA Firewall 0/1 **

Connect port 0/0 of the ASA to the ISP router, not to the 6500 / VLAN 100.

No, you cannot ping the outside interface of the ASA from the inside no matter what.
0
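The ASA side of this design is never shown in the thread: TimotiSt's opening outline (an address on the transit link, static routes on the ASA back to the 6500, NAT for all subnets) and kevinhsieh's and lrmoore's 6500 configs both depend on it. Below is an added example of what the ASA 5505 configuration would look like; it is not the poster's sanitized config and not code from any of the experts. It assumes an ASA 5505 running 8.3 or later (object-group/manual NAT syntax), inside on Vlan1 behind Ethernet0/1 and outside on Vlan2 behind Ethernet0/0, the 6500 routed port at 172.16.1.2 as in lrmoore's post (substitute 172.16.1.254 if you used kevinhsieh's SVI), and an assumed outside address of 195.40.10.98/29; the ISP next hop 195.40.10.97 is the one quoted from the poster's config.

```cisco
! ===== ASA 5505 (8.3+ NAT syntax) -- added example, not the poster's config =====
! Vlan1/Vlan2 assignment and the outside address 195.40.10.98/29 are assumptions.
interface Ethernet0/0
 description to ISP router
 switchport access vlan 2
interface Ethernet0/1
 description transit link to 6500 Gi7/46 (172.16.1.2)
 switchport access vlan 1
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 195.40.10.98 255.255.255.248
!
! As posted (wrong):  route inside 0.0.0.0 0.0.0.0 195.40.10.97 1
! The default route must leave via the interface the ISP is actually on:
route outside 0.0.0.0 0.0.0.0 195.40.10.97 1
!
! Return routes. The ASA only knows 172.16.1.0/24 as connected on inside; without
! these, replies to 172.16.3.x, 172.16.4.x and 10.40.226.x match the default route
! and are sent toward the ISP instead of back to the 6500.
route inside 172.16.3.0 255.255.255.0 172.16.1.2 1
route inside 172.16.4.0 255.255.255.0 172.16.1.2 1
route inside 10.40.226.0 255.255.255.0 172.16.1.2 1
!
! Dynamic PAT for all three internal subnets behind the outside interface address
object-group network INTERNAL-NETS
 network-object 172.16.3.0 255.255.255.0
 network-object 172.16.4.0 255.255.255.0
 network-object 10.40.226.0 255.255.255.0
nat (inside,outside) source dynamic INTERNAL-NETS interface
!
! Stateful ICMP inspection so echo replies from the Internet are let back in
policy-map global_policy
 class inspection_default
  inspect icmp
!
! ===== Verification =====
! On the ASA: confirm the routing table, then walk a PC's ping through NAT and routing
show route
packet-tracer input inside icmp 172.16.3.3 8 0 8.8.8.8
! On the 6500: ping the ASA inside interface sourced from a user VLAN SVI. This only
! succeeds once the "route inside ..." entries above exist, because the echo reply
! has to find its way back to 172.16.3.0/24.
ping 172.16.1.1 source 172.16.3.1
```

The `ping ... source 172.16.3.1` test is the quickest way to tell a missing return route on the ASA from a layer 2 problem on the transit link: a plain `ping 172.16.1.1` from the 6500 is sourced from 172.16.1.2, which the ASA sees as connected, so it succeeds even when the routes for the user VLANs are absent. ICMP to an ASA's own nearest interface is permitted by default, so no `icmp permit` line is needed unless the running config already carries `icmp deny` entries on inside; as lrmoore notes, the far-side (outside) interface address cannot be pinged through the box regardless.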
 

Author Comment

by:thombie
ID: 39668830
Cool, this works. Thanks for your help.
0
