Solved

Cisco 6500 & ASA 5505 firewall routing

Posted on 2013-11-11
554 Views
Last Modified: 2013-11-23
I have a new setup that I am trying to get working.
I have a 6500 core switch/router with 3 layer 3 VLANs on it.

Vlan 2 172.16.3.0/24
Vlan 3 172.16.4.0/24
Vlan 5 10.40.226.0/24

There is also a layer 2 VLAN to talk to the firewall, VLAN 100.
The firewall internal interface is 172.16.1.1.
What do I need to do to get all the switch VLANs to talk back and forth to the firewall?
What would the routing look like?
Attachment: new.txt
Question by:thombie
26 Comments
 
Expert Comment by TimotiSt:
I don't see any interface on the Cat6500 in the 172.16.1.0/24 subnet, so the default gateway and static route won't really work.
You just want VLANs 2, 3 and 5 to be able to go out to the Internet through the ASA?
- Give VLAN 100 an IP address, like 172.16.1.2/24;
- Set up static routes on the ASA to the subnets through 172.16.1.2 (the Cat6500);
- Set up NAT on the ASA for all subnets.

Tamas

Author Comment by thombie:
I will try it tomorrow when I'm back in the office.

Author Comment by thombie:
I have created 172.16.1.2/24 on VLAN 100 and it is still not working. Any ideas?

Expert Comment by TimotiSt:
Let's figure out what's not working:
From a PC on any of the subnets:
- Try pinging the default gateway (vlan interface on the Cat6500),
- Ping a PC on a different subnet (make sure the pinged PC is not firewalled),
- Ping the inside interface of the ASA (172.16.1.1),
- Ping something on the Internet.

Author Comment by thombie:
I can ping the DG from the PC.
I can't ping the inside interface of the firewall (destination unreachable).
I can't ping the Internet yet, as the link is not up; I am trying to get all the internal stuff working first.

Expert Comment by TimotiSt:
Okay, depending on the config of the ASA, it might not reply to pings even on the inside interface.
Can you ping a PC/something on another subnet?

Author Comment by thombie:
No, I get "destination unreachable".

Author Comment by thombie:
Will NAT affect this?

Expert Comment by TimotiSt:
Checked the Catalyst config again: looks like you're missing the line

ip routing

to actually enable IP routing.
Can you put that in, and ping a PC on another subnet?

Author Comment by thombie:
IP routing is enabled. I can't ping another PC on another subnet, and I can't ping 172.16.1.1.

Expert Comment by TimotiSt:
Can you post the output of "ipconfig /all" from a PC?

Author Comment by thombie:
Physical Address. . . . . . . . . : 00-08-02-D8-48-F9
 Dhcp Enabled. . . . . . . . . . . : Yes
 Autoconfiguration Enabled . . . . : Yes
 IP Address. . . . . . . . . . . . : 172.16.3.3
 Subnet Mask . . . . . . . . . . . : 255.255.255.0
 Default Gateway . . . . . . . . . : 172.16.3.1
 DHCP Server . . . . . . . . . . . : 172.16.3.1
 DNS Servers . . . . . . . . . . . : 8.8.4.4

Author Comment by thombie:
The switch is the DHCP server
 
Expert Comment by TimotiSt:
Based on this, you should be able to ping hosts on the 172.16.4.0/24 network at least (unless they have Windows firewall enabled).
Can you post the current config of the Catalyst?

Author Comment by thombie:
Windows firewall is not enabled.
Attachment: runningconfig.TXT

Author Comment by thombie:
What do you think ?

Expert Comment by TimotiSt:
Looks okay to me...
Let's ask for a bit of help here...

Assisted Solution by Henk van Achterberg:
On the switch please enter:

term len 0
sh run

and paste the output into a file and post it here.

On the ASA please use:

term pag 0
sh run

Sanitize the config and post it here.

Author Comment by thombie:
Attached is a file that has both outputs requested.
Attachment: asa-output.txt

Expert Comment by Henk van Achterberg:
Can you please enable the VLAN interface of the ASA?

interface Vlan100
no shutdown

When you have done that, can you try to:

1. ping the ASA from your switch (ping 172.16.1.1)
2. ping a workstation from the switch
3. ping the ASA from the switch

and post the results?

Author Comment by thombie:
VLAN 100 enabled.
1. Success rate 0 from switch to ASA.
2. I can ping a workstation from the switch.
3. Cannot ping the switch from the ASA.

Would this be NATing on the ASA?

Author Comment by thombie:
My cable layout, 6500 switch:

port 7/47 VLAN 100, cabled to the outside interface of the ASA
port 7/48 VLAN 100, cabled to the ISP equipment
Should I have 7/46 cabled to the internal interface of the ASA?
And do I need a new VLAN for the internal ASA interface?

Accepted Solution by kevinhsieh:
You should NOT have an interface VLAN 100. That is just a layer 2 grouping so your ASA can talk to the Internet. I have not gone through all of your configs, and I am doing this from memory. Please review carefully before making any changes. I am suggesting vlan 101 for the link between the switch and ASA, but you can pick another vlan if you like.

conf t
! remove L3 VLAN 100 interface. L2 VLAN will remain
no int vlan 100
! create L3 VLAN interface
int vlan 101
description uplink to ASA
ip address 172.16.1.254 255.255.255.0
no shut
!
! creates L2 VLAN
vlan 101
!
ip route 0.0.0.0 0.0.0.0 172.16.1.1
!
! configure port 7/46 for uplink to ASA
int f7/46
desc uplink to ASA
switchport access vlan 101
switchport mode access

On the ASA, you will need to route to 172.16.1.254 for your internal subnets.

Expert Comment by mikebernhardt:
You asked very similar questions on your other post, and I gave you suggested routing there. You're only going to confuse yourself if you ask the same questions twice.

Here's what I said:
1. ASA needs a default route to the ISP
2. ASA needs routes to the 6500 for any Layer 3 LANs that exist there.
3. 6500 needs a default route to the ASA.

Expert Comment by lrmoore:
>route inside 0.0.0.0 0.0.0.0 195.40.10.97 1
This should be route "outside" on the ASA.

Connect port 0/1 of the ASA to the 6500 port 7/46 (with IP address 172.16.1.2).
Although, what I typically do is use a routed interface on the 6500 instead of an SVI, i.e.

interface gig 7/46
 no switchport
 ip address 172.16.1.2 255.255.255.0
 no shutdown
 descript ** transit link to ASA Firewall  0/1 **

Connect port 0/0 of the ASA to the ISP router, not to the 6500 / VLAN 100.

No, you cannot ping the outside interface of the ASA from the inside, no matter what.
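The ASA side that the accepted solution, mikebernhardt's three rules and lrmoore's comment describe only in prose (default route out of "outside", static routes for the three LAN subnets toward the 6500, NAT for those subnets), written out below as an added example; it is not taken from the poster's attached configs, which are not on the page. It follows lrmoore's layout: ASA Ethernet0/1 to 6500 port 7/46 as a routed transit link with 172.16.1.1 on the ASA and 172.16.1.2 on the switch, and Ethernet0/0 to the ISP router. The outside address 195.40.10.98/29 and VLAN 2 for the outside interface are assumptions (only the ISP next hop 195.40.10.97 appears on the page), and the NAT is given in pre-8.3 syntax with the 8.3+ form commented, since the ASA version is not stated.

```cisco
! ---- ASA 5505 (added example; values marked "assumed" are not from the thread) ----
! The 5505 has switchports, so every layer 3 interface is a VLAN interface.
interface Ethernet0/0
 description to ISP router
 switchport access vlan 2
!
interface Ethernet0/1
 description transit link to Cat6500 port 7/46
 switchport access vlan 100
!
interface Vlan100
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
 no shutdown
!
! Outside address is assumed; use the one your ISP assigned.
interface Vlan2
 nameif outside
 security-level 0
 ip address 195.40.10.98 255.255.255.248
 no shutdown
!
! The default route must point out of "outside"; the poster's
! "route inside 0.0.0.0 ..." line is the mistake lrmoore called out.
route outside 0.0.0.0 0.0.0.0 195.40.10.97 1
!
! The three LAN subnets live on the 6500, so the ASA reaches them
! through the switch's transit address, not through a directly connected VLAN.
route inside 172.16.3.0 255.255.255.0 172.16.1.2 1
route inside 172.16.4.0 255.255.255.0 172.16.1.2 1
route inside 10.40.226.0 255.255.255.0 172.16.1.2 1
!
! NAT, pre-8.3 syntax: all three LANs are PATed to the outside interface address.
nat (inside) 1 172.16.3.0 255.255.255.0
nat (inside) 1 172.16.4.0 255.255.255.0
nat (inside) 1 10.40.226.0 255.255.255.0
global (outside) 1 interface
!
! ASA 8.3 and later replace the four NAT lines above with one object per subnet:
! object network LAN-VLAN2
!  subnet 172.16.3.0 255.255.255.0
!  nat (inside,outside) dynamic interface
!
! Let echo replies back in so the ping tests used in this thread work end to end.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! ---- Cat6500, the two pieces the ASA side depends on (lrmoore's routed port,
! ---- kevinhsieh's default route) ----
! interface GigabitEthernet7/46
!  no switchport
!  ip address 172.16.1.2 255.255.255.0
!  no shutdown
! ip route 0.0.0.0 0.0.0.0 172.16.1.1
```

To check it, `show route` on the ASA should list the three `inside` routes via 172.16.1.2 and the default via 195.40.10.97 on `outside`, and `packet-tracer input inside icmp 172.16.3.3 8 0 8.8.4.4` walks a packet from the PC in the thread through routing, NAT and the access rules and reports the phase that drops it. Keep the ISP-facing segment on its own VLAN with no SVI on the 6500: the original cabling put the ASA's outside port and the ISP equipment on VLAN 100 alongside a layer 3 interface of the core switch, which places the untrusted segment directly on the core's routing table instead of behind the firewall.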
 

Author Comment by thombie:
Cool, this works. Thanks for your help.