  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 567
  • Last Modified:

Cisco 6500 & ASA 5505 firewall routing

I have a new setup that I am trying to get working.
I have a 6500 core switch/router with 3 layer 3 VLANs on it.

Vlan 2 172.16.3.0/24
Vlan 3 172.16.4.0/24
Vlan 5 10.40.226.0/24

There is also a layer 2 VLAN to talk to the firewall, VLAN 100.
The firewall internal interface is 172.16.1.1.
What do I need to do to get all the switch VLANs to talk back and forth to the firewall?
What would the routing look like?
new.txt
Asked by: thombie
2 Solutions
 
TimotiStCommented:
I don't see any interface on the Cat6500 in the 172.16.1.0/24 subnet, so the default gateway and static route won't really work.
You just want vlan 2,3,5 to be able to go out to the Internet through the ASA?
-Give vlan100 an IP address, like 172.16.1.2/24;
-Set up static routes on the ASA to the subnets through 172.16.1.2 (the Cat6500);
-Set up NAT on the ASA for all subnets.

Tamas
 
thombieAuthor Commented:
I will try it tomorrow when I am back in the office.
 
thombieAuthor Commented:
I have created 172.16.1.2/24 on VLAN 100 and it is still not working. Any ideas?
 
TimotiStCommented:
Let's figure out what's not working:
From a PC on any of the subnets:
- Try pinging the default gateway (vlan interface on the Cat6500),
- Ping a PC on a different subnet (make sure the pinged PC is not firewalled),
- Ping the inside interface of the ASA (172.16.1.1),
- Ping something on the Internet.
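The ping ladder above, turned into the commands a practitioner would actually type on the 6500 and the ASA. This is an added example, not part of the thread; it assumes the 6500 holds 172.16.1.2 on its link toward the ASA (as suggested in the first answer), that the VLAN SVIs use the .1 address of each subnet (only 172.16.3.1 is confirmed on the page), and that the ASA runs a release with packet-tracer (7.2 or later).

```cisco
! ---- Catalyst 6500 (IOS) ----
! 1. Is routing on, and does the table hold the three VLAN subnets, the
!    transit subnet 172.16.1.0/24 and a default toward 172.16.1.1?
show ip route
show ip interface brief
!
! 2. A plain ping to the ASA is sourced from 172.16.1.2 and tests only the
!    transit link itself.
ping 172.16.1.1
!
! 3. A ping sourced from a VLAN SVI tests the ASA's RETURN route: the echo
!    leaves with source 172.16.3.1 (assumed SVI address), so the ASA can only
!    answer if it has "route inside 172.16.3.0 255.255.255.0 172.16.1.2".
!    Success in step 2 but "Success rate is 0 percent" here means the ASA is
!    missing that route (or is sending the reply out its default route).
ping 172.16.1.1 source 172.16.3.1
ping 172.16.1.1 source 172.16.4.1
ping 172.16.1.1 source 10.40.226.1
!
! ---- ASA 5505 ----
! 4. The inside VLAN interface must be up; a "shutdown" interface, as later
!    found in this thread, shows "administratively down" here.
show interface ip brief
!
! 5. The routing table must show a default via the OUTSIDE interface and a
!    route back to each of the three VLAN subnets via 172.16.1.2. If the
!    172.16.3.0/24 route is missing, this ping follows the default route out
!    the outside interface and fails, even though the transit link is fine.
show route
ping 172.16.3.3
!
! 6. Simulate a VLAN 2 host reaching the Internet (8.8.4.4 is the DNS server
!    in the ipconfig output below). packet-tracer walks the route lookup, NAT
!    and access-list phases and names the phase that drops the packet, which
!    is far more useful than the host's bare "destination unreachable".
packet-tracer input inside icmp 172.16.3.3 8 0 8.8.4.4 detailed
show nat
show xlate
```

Steps 2 and 3 together separate "the link is down" from "the firewall has no route back": the transit subnet is directly connected on both sides, so only the sourced pings exercise the static routes that the rest of the thread ends up fixing.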
 
thombieAuthor Commented:
I can ping the DG from a PC.
I can't ping the inside int of the firewall (destination unreachable).
Can't ping the internet yet as the link is not up; I am trying to get all the internal stuff working first.
 
TimotiStCommented:
Okay, depending on the config of the ASA, it might not reply to pings even on the inside interface.
Can you ping a PC/something on another subnet?
 
thombieAuthor Commented:
No, I get "destination unreachable".
 
thombieAuthor Commented:
Will NAT affect this?
 
TimotiStCommented:
Checked the Catalyst config again: looks like you're missing the line

ip routing

to actually enable IP routing.
Can you put that in, and ping a PC on another subnet?
 
thombieAuthor Commented:
IP routing is enabled. I can't ping another PC on another subnet, and I can't ping 172.16.1.1.
 
TimotiStCommented:
Can you post the output of "ipconfig /all" from a PC?
 
thombieAuthor Commented:
Physical Address. . . . . . . . . : 00-08-02-D8-48-F9
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 172.16.3.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.3.1
DHCP Server . . . . . . . . . . . : 172.16.3.1
DNS Servers . . . . . . . . . . . : 8.8.4.4
 
thombieAuthor Commented:
The switch is the DHCP server
 
TimotiStCommented:
Based on this, you should be able to ping hosts on the 172.16.4.0/24 network at least (unless they have Windows firewall enabled).
Can you post the current config of the Catalyst?
 
thombieAuthor Commented:
Windows Firewall is not enabled.
runningconfig.TXT
 
thombieAuthor Commented:
What do you think ?
 
TimotiStCommented:
Looks okay to me...
Let's ask for a bit of help here...
 
Henk van AchterbergCommented:
On the switch, please enter:

term len 0
sh run

and paste the output into a file and post it here.

On the ASA, please use:

term pag 0
sh run

Sanitize the config and post it here.
 
thombieAuthor Commented:
Attached is a file that has both outputs requested.
asa-output.txt
 
Henk van AchterbergCommented:
Can you please enable the VLAN interface of the ASA?

interface Vlan100
no shutdown

When you have done that, can you try to:

1. ping the ASA from your switch (ping 172.16.1.1)
2. ping a workstation from the switch
3. ping the ASA from the switch

and post the results?
 
thombieAuthor Commented:
VLAN 100 enabled.
1. Success rate 0 from switch to ASA.
2. I can ping a workstation from the switch.
3. Cannot ping the switch from the ASA.

Would this be NATing on the ASA?
 
thombieAuthor Commented:
My cable layout
6500 switch

port 7/47 VLAN 100 cabled to the outside interface of the ASA
port 7/48 VLAN 100 cabled to ISP equipment
Should I have a 7/46 cabled to the internal interface of the ASA?
And do I need a new VLAN for the internal ASA interface?
 
kevinhsiehCommented:
You should NOT have an interface VLAN 100. That is just a layer 2 grouping so your ASA can talk to the Internet. I have not gone through all of your configs, and I am doing this from memory. Please review carefully before making any changes. I am suggesting vlan 101 for the link between the switch and ASA, but you can pick another vlan if you like.

conf t
! remove L3 VLAN 100 interface. L2 VLAN will remain
no int vlan 100
! create L3 VLAN interface
int vlan 101
description uplink to ASA
ip address 172.16.1.254 255.255.255.0
no shut
!
! creates L2 VLAN
vlan 101
!
ip route 0.0.0.0 0.0.0.0 172.16.1.1
!
! configure port 7/46 for uplink to ASA
int f7/46
desc uplink to ASA
switchport access vlan 101
switchport mode access

on the ASA, you will need to route to 172.16.1.254 for your internal subnets.
 
mikebernhardtCommented:
You asked very similar questions on your other post, and I gave you suggested routing there. You're only going to confuse yourself if you ask the same questions twice.

Here's what I said:
1. ASA needs a default route to the ISP
2. ASA needs routes to the 6500 for any Layer 3 LANs that exist there.
3. 6500 needs a default route to the ASA.
 
lrmooreCommented:
>route inside 0.0.0.0 0.0.0.0 195.40.10.97 1
This should be route "outside" on the ASA

Connect Port 0/1 of the ASA to the 6500 port 7/46 (with IP address 172.16.1.2)
Although, what I typically do is use a routed interface on the 6500, instead of SVI - i.e.

interface gig 7/46
 no switchport
 ip address 172.16.1.2 255.255.255.0
 no shutdown
 descript ** transit link to ASA Firewall  0/1 **


Connect port 0/0 of the ASA to the ISP router, not to the 6500 / vlan 100

No, you cannot ping the outside interface of the asa from the inside no matter what.
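The accepted fixes from this thread, pulled together into one pair of config fragments. This is an added example and not the configs posted by the asker or the experts: a routed transit port on the 6500 toward the ASA inside interface, the ASA's default route moved to the outside interface toward the ISP next hop quoted above, explicit return routes on the ASA for the three routed VLANs (the missing piece behind the "destination unreachable" symptoms), and dynamic PAT to the outside address. ASA 8.3-or-later NAT syntax is assumed (pre-8.3 would use nat/global statements instead of object NAT); the outside address and mask, the ASA switchport-to-VLAN mapping and the object names are placeholders, not values from the thread. Taking the ASA inside link off VLAN 100 also matters for security: in the original layout VLAN 100 carried the ISP uplink on port 7/48, so an SVI on it would have put a routed interface of the core switch on the same L2 segment as the ISP equipment, outside the firewall.

```cisco
! ================= Catalyst 6500 (IOS) =================
ip routing
!
! Routed transit port to the ASA inside interface. With this in place VLAN 100
! is no longer needed for the ASA; the ISP router cables straight to ASA
! Ethernet0/0, so no routed interface of the 6500 shares a segment with it.
interface GigabitEthernet7/46
 description ** transit link to ASA Firewall Ethernet0/1 **
 no switchport
 ip address 172.16.1.2 255.255.255.0
 no shutdown
!
! VLANs 2, 3 and 5 are connected routes on the 6500; only a default is needed.
ip route 0.0.0.0 0.0.0.0 172.16.1.1
!
! ================= ASA 5505 (8.3+ syntax assumed) =================
! Placeholder switchport mapping: Ethernet0/1 -> inside VLAN, Ethernet0/0 -> outside VLAN.
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
 switchport access vlan 1
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
 no shutdown
!
interface Vlan2
 nameif outside
 security-level 0
 ip address <outside-ip> <outside-mask>
 no shutdown
!
! Default route belongs on OUTSIDE toward the ISP next hop. The thread's
! "route inside 0.0.0.0 0.0.0.0 195.40.10.97" pointed Internet-bound traffic
! back at the 6500.
route outside 0.0.0.0 0.0.0.0 195.40.10.97 1
!
! Return routes for the 6500's routed VLANs via the transit address. Without
! them the ASA sends replies to these subnets out the default route, so inside
! hosts get nothing back even when 172.16.1.2 itself pings fine.
route inside 172.16.3.0 255.255.255.0 172.16.1.2 1
route inside 172.16.4.0 255.255.255.0 172.16.1.2 1
route inside 10.40.226.0 255.255.255.0 172.16.1.2 1
!
! Dynamic PAT of each routed VLAN to the outside interface address. Object NAT
! takes a single network object, so one object per subnet (placeholder names).
object network VLAN2-NET
 subnet 172.16.3.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network VLAN3-NET
 subnet 172.16.4.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network VLAN5-NET
 subnet 10.40.226.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Let ICMP echo replies from the Internet return to inside hosts through
! stateful inspection rather than an inbound permit on the outside interface.
policy-map global_policy
 class inspection_default
  inspect icmp
```

Inside-to-outside traffic is permitted by the security levels alone, and nothing unsolicited from the outside reaches the transit subnet or the VLANs; the only inbound state the firewall keeps is what the PAT and ICMP inspection create for connections that started inside.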
 
thombieAuthor Commented:
Cool, this works. Thanks for your help.
