Cisco ASA, Cisco 4948, Cisco 2900g routing and NAT issues

Posted on 2014-01-27
172 Views
Last Modified: 2016-10-14
Attachment: fw0-10-68-0-5.txt

Hi Experts,

I am having routing and NAT issues with my Cisco ASA 5505 (fw0), Cisco 2900g (sw1) and Cisco 4948 (sw1-dr).
 
The issue started ever since I introduced 4948 switch to the network.

I created a new VLAN, inside-dr. Please find the network setup below:

Outside (192.168.0.x/24) VLAN 20 >>>> Cisco 2900g (10.68.0.220 >> inside - VLAN 4) >>> EtherChannel >> connected to Cisco 4948 inside-dr VLAN 2 (10.65.10.220)

SAN (10.0.0.x/24) is connected to VLAN 10 (SAN), connected to the 4948, and an interface is created on the firewall with security level 50.


1. Before I added the 4948 switch, 10.68.0.x was running on VLAN 1. I had to disable VLAN 1 for VTP to be able to work between the two switches.

2. I am unable to browse the internet from a PC that is connected behind sw0.

3. I am unable to ping the SAN gateway 10.0.0.1 from sw1-dr.

4. I am unable to ping the 10.68.0.x range from sw1-dr.

Please find the configs attached. I am not sure where things are going wrong?

Any help would be appreciated.

Thank you

M
Attachments: sw0-10-68-0-220.txt, sw1-dr---10-65-10-x.txt

Question by: mshaikh22

28 Comments
LVL 26

Expert Comment

by:Soulja
ID: 39813267
The 2900 config you attached is your ASA config. Can you attach the correct config?

Is your ASA in transparent mode? I do not see any routes configured on it.

Your 4948 is in layer 2 mode. Is this how you want it set? I see you created routes on it, but they are invalid if ip routing isn't enabled. Regardless, all of the routes point to the same next hop, which is the same as your ip default-gateway.

Author Comment

by:mshaikh22
ID: 39813301
sorry Just uploaded the right config
sw0-10-68-0-220.txt
LVL 26

Expert Comment

by:Soulja
ID: 39813442
From your 4948, post the output of:

sh int trunk
sh etherchannel summary
sh spanning-tree vlan 2

Author Comment

by:mshaikh22
ID: 39813507
Thank you for your help soulja

Please find the outputs below


sw1dr.mscorp.com#sh int trunk

Port        Mode             Encapsulation  Status        Native vlan
Po1         on               802.1q         trunking      1

Port        Vlans allowed on trunk
Po1         1-4094

Port        Vlans allowed and active in management domain
Po1         1-2,4,10,20,30,50

Port        Vlans in spanning tree forwarding state and not pruned
Po1         1-2,4,10,20,30,50


sw1dr.mscorp.com#sh etherchannel summary
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port


Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)         LACP      Gi1/45(P)   Gi1/47(P)


sw1dr.mscorp.com#sh spanning-tree vlan 2

VLAN0002
  Spanning tree enabled protocol ieee
  Root ID    Priority    32770
             Address     001e.f7de.5f80
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32770  (priority 32768 sys-id-ext 2)
             Address     001e.f7de.5f80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Gi1/4            Desg FWD 19        128.4    P2p
Gi1/5            Desg FWD 4         128.5    P2p
Gi1/7            Desg FWD 19        128.7    P2p
Gi1/44           Desg FWD 19        128.44   P2p
Po1              Desg FWD 3         128.641  P2p

Author Comment

by:mshaikh22
ID: 39813594
I have enabled ip routing on the 4948.
I am still unable to ping 10.68.0.5 or 10.0.0.1 (both interfaces on the Cisco ASA).

I can ping 10.68.0.220.

I can ping 10.65.10.1 (interface on the Cisco ASA).

Author Comment

by:mshaikh22
ID: 39813597
I can browse the internet. When I changed the inside interface VLAN from 1 to 4, it deleted all of my NAT statements.

I did manage to get some NAT statements back, but I am not able to access the internet now.

Author Comment

by:mshaikh22
ID: 39813630
Sorry Soulja, what I meant is that I cannot browse the internet from 10.68.0.15 ever since I changed the inside interface from VLAN 1 to 4. It deleted all of my NAT statements.

I did manage to get some NAT statements back, but I am unable to access the internet now.

Author Comment

by:mshaikh22
ID: 39813652
The firewall is in routed mode. I haven't enabled transparent mode.

Author Comment

by:mshaikh22
ID: 39814144
Hi,

I am still having issues accessing the internet, accessing the inside, san and outside interfaces from the inside interface.

Can you please help ?

Author Comment

by:mshaikh22
ID: 39814997
Hi Experts,

I would really appreciate it if someone could tell me where things are going wrong.

Thank you,

M
LVL 17

Expert Comment

by:MAG03
ID: 39816343
It is a little unclear what is working and not working right now. Could you please indicate what works and doesn't work, and indicate to and from IPs. Also, if possible, could you post a Visio drawing of your network's physical connections?

At first glance you are missing some ACL rules permitting traffic from the inside interface to the internet; currently only ICMP is permitted.
To be able to ping the SAN interface you might need to add the command permit icmp <IP> <mask> SAN

Try adding that and test.

A couple of things you can do to troubleshoot: run packet-tracer and see if the packet is allowed through the ASA, and check the log on the ASA to see if there are any deny entries for the specified traffic.

Also check to see if you can reach anything else on the SAN network.

packet-tracer input inside-dr tcp 10.68.10.10 12345 10.0.0.1 80

Author Comment

by:mshaikh22
ID: 39816453
Thank you MAG for your help. I will draw a Visio diagram and add it tomorrow.

Here's the output of packet-tracer:

fw0# packet-tracer input inside-dr tcp 10.65.10.10 12345 10.0.0.1 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.0.0.1        255.255.255.255 identity

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside-dr
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


1) I am unable to access the internet (outside - 8.8.8.8) from the inside interface (10.68.0.15)

fw0# packet-tracer input inside tcp 10.68.0.15 12345 8.8.8.8 53

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule



2) I am able to access the internet from the inside-dr interface after adding the following NAT rules, but I am unable to access the internet from the inside interface. I am not sure which access-list I need to enter.

fw0# show run nat
!
object network mgmt-server_inside
 nat (inside,outside) static interface service tcp 3389 3389
object network vcenter_inside
 nat (inside,outside) static interface service tcp 5480 5480
object network inside_anysubnet
 nat (inside,SAN) dynamic interface
object network excas01_inside
 nat (inside,outside) static interface service tcp smtp smtp
!
nat (inside,outside) after-auto source dynamic Generic_All_Network interface
nat (inside-dr,outside) after-auto source dynamic Generic_All_Network interface


fw0# show run object network
object network mgmt-server_inside
 host 10.68.0.15
object network sw0_inside
 host 10.65.10.220
object network vcenter_inside
 host 10.68.0.30
object network san_subnet
 subnet 10.0.0.0 255.255.255.0
object network inside_anysubnet
 subnet 10.68.0.0 255.255.255.0
object network excas01_inside
 host 10.68.0.61
object network inside-dr
object network f5-mgmt_inside
 host 10.68.0.245
object network filer1_inside
 host 10.68.0.230
object network fsw_inside
 host 10.68.0.240
object network filer2_inside
 host 10.65.10.230
object network sw0-dr_inside
object network sw1-dr_inside-dr
 host 10.65.10.220
object network Generic_All_Network
 subnet 0.0.0.0 0.0.0.0

fw0# show run access-list
access-list inside_in extended permit icmp any any
access-list outside_in extended permit tcp any host 10.68.0.220 eq telnet
access-list outside_in extended permit icmp any any
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended permit tcp any host 10.68.0.15 eq 3389
access-list outside_in extended permit tcp any host 10.68.0.61 eq smtp
access-list outside_in extended deny ip any any log
access-list san_in extended permit icmp any any echo-reply
access-list inside-dr_in extended permit icmp any any echo-reply

When I am trying to browse the internet from 10.68.0.15 (inside)

Any help will be greatly appreciated.

Thank you

M

Author Comment

by:mshaikh22
ID: 39816473
I am not sure why it is blocking the inside interface from accessing the outside (internet), since the same NAT rule is applied for inside-dr and that's working fine.

Author Comment

by:mshaikh22
ID: 39816492
I cannot access the inside-dr from the inside interface


fw0# packet-tracer input inside tcp 10.68.0.15 12345 10.65.10.1 22

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.65.10.1      255.255.255.255 identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule



I cannot access inside from the inside-dr interface

fw0# packet-tracer input inside-dr tcp 10.65.10.15 12345 10.68.0.5 22

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.68.0.5       255.255.255.255 identity

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside-dr
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


I cannot access the san interface from the inside-dr



fw0# packet-tracer input inside-dr tcp 10.65.10.15 12345 10.0.0.1 22

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.0.0.1        255.255.255.255 identity

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside-dr
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


I cannot access the san interface from the inside


fw0# packet-tracer input inside tcp 10.68.0.15 12345 10.0.0.1 22

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.0.0.1        255.255.255.255 identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


Would really appreciate your help with this.
LVL 17

Expert Comment

by:MAG03
ID: 39817576
What license do you have for the ASA? You need to have a Security Plus license to be able to send traffic between 3 or more VLANs.

As for your inside network not being able to reach the internet, it is because of the access list configured for that interface:

access-list inside_in extended permit icmp any any
access-group inside_in in interface inside

Add the following to it and test.
access-list inside_in extended permit ip 10.68.0.0 255.255.255.0 any

The reason your inside-dr is able to reach the internet is because there is no ACL assigned to the interface, therefore the security levels of the interfaces play their part. inside-dr has a security level of 100 and outside has a security level of 0. Traffic is permitted from a higher to a lower security level, and that is why traffic is allowed to pass.

Author Comment

by:mshaikh22
ID: 39817647
Thanks a lot for the detailed explanation, MAG03.

The asa firewall does have a security plus license.

I will try putting that acl this evening and will let you know.

Author Comment

by:mshaikh22
ID: 39817860
Please find the Visio diagram attached: Lab-Diagram.jpg

Author Comment

by:mshaikh22
ID: 39818913
I am able to browse the internet from inside and inside-dr.

I just need two things:

inside and inside-dr to be able to talk to each other.

I have the following line but the interfaces are still not talking:
same-security-traffic permit inter-interface


Thank you

M
LVL 17

Expert Comment

by:MAG03
ID: 39818975
How are you testing connectivity? With ping? Are these Windows machines?

If these are Windows machines, could you turn off the Windows firewall and then test with ping.

If that is not the case, could you please post an updated ASA running config file which includes any changes that have been made.

Author Comment

by:mshaikh22
ID: 39818999
No firewall is configured.

I have configured one interface on the management server, 10.65.10.15.

I am disabling the other inside interface, 10.68.0.15,

and I am trying to ping the inside gateway 10.68.0.5.

Author Comment

by:mshaikh22
ID: 39819016
I just need help getting the inside and inside-dr interfaces talking.

Then all should be good after that.
LVL 17

Expert Comment

by:MAG03
ID: 39819050
"no firewall is configured"
Does that mean you have disabled the Windows firewall? All Windows machines have the Windows firewall enabled by default, and they all block ICMP packets by default.

"I am disabling the other inside interface 10.68.0.15"
I don't follow where this interface comes into play. You cannot have two interfaces on the ASA that have the same IP.

"and I am trying to ping the gateway inside 10.68.0.5"
If you are pinging the interface itself, you might need to add these commands to get it to work:

icmp permit any inside
icmp permit any inside-dr

If you want to be more restrictive, replace any with the IP subnets you would like to be able to ping the inside and inside-dr networks.

Also, please post an updated configuration file of your ASA if this does not work.
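The three ASA rules MAG03 relies on in this thread (an applied access-group ends in an implicit deny, an interface with no access-group falls back to security-level comparison, and ICMP aimed at the ASA's own interface address is judged by the icmp permit/deny rules rather than the through-the-box ACL) can be modelled in a short script. The Python below is an added example written for this page, not code from the thread or from Cisco; it reproduces the packet-tracer verdicts posted above using the fw0 interfaces, subnets and inside_in ACL from the posted config. Assumptions: the outside interface address 192.168.0.5 is made up (only its security level 0 matters), inside is taken to be security level 100 like inside-dr, NAT and inspection are ignored, and to-the-box traffic other than ICMP is treated as dropped because the ssh/http/telnet management permits are not modelled. The far-side rule (the ASA answers ICMP only on the interface the packet arrived on, unless management-access is configured) is standard ASA behaviour and is what the last question in the thread runs into.

```python
"""Toy model of Cisco ASA forwarding decisions (added example, not from the thread).
Rules modelled: an applied access-group ends in an implicit deny; an interface
with no access-group falls back to security-level comparison (equal levels need
same-security-traffic permit inter-interface); ICMP sent to an ASA interface
address is judged by the icmp permit/deny rules, on the owning interface only."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

ANY = ip_network("0.0.0.0/0")


@dataclass
class AclEntry:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every protocol, else "tcp" / "udp" / "icmp"
    src: IPv4Network
    dst: IPv4Network


@dataclass
class Interface:
    name: str
    security_level: int
    address: IPv4Address
    network: IPv4Network
    acl_in: Optional[List[AclEntry]] = None                      # None: no access-group applied
    icmp_rules: Optional[List[Tuple[str, IPv4Network]]] = None   # ("permit"|"deny", net)


@dataclass
class Asa:
    interfaces: Dict[str, Interface]
    same_security_inter_interface: bool = False
    default_route_ifc: str = "outside"

    def owner_of(self, addr: IPv4Address) -> Optional[Interface]:
        """Interface whose own address is addr, i.e. to-the-box traffic."""
        return next((i for i in self.interfaces.values() if i.address == addr), None)

    def egress_for(self, dst: IPv4Address) -> Interface:
        """Connected routes first, then the default route."""
        for ifc in self.interfaces.values():
            if dst in ifc.network:
                return ifc
        return self.interfaces[self.default_route_ifc]

    @staticmethod
    def acl_action(acl: List[AclEntry], proto: str, src: IPv4Address, dst: IPv4Address) -> str:
        for e in acl:
            if e.proto in ("ip", proto) and src in e.src and dst in e.dst:
                return e.action
        return "deny"  # every applied access-list ends in an implicit deny

    def to_the_box(self, ingress: Interface, owner: Interface, proto: str, src: IPv4Address) -> str:
        if proto != "icmp":
            return "drop: to-the-box traffic other than ICMP needs a management permit (not modelled)"
        if owner is not ingress:
            return (f"drop: ICMP to the {owner.name} address must arrive on {owner.name}; "
                    "the ASA does not answer for a far-side interface by default")
        if owner.icmp_rules is None:
            return "allow"  # no icmp rules at all: ICMP to the interface is accepted
        for action, net in owner.icmp_rules:
            if src in net:
                return "allow" if action == "permit" else "drop: matched an icmp deny rule"
        return "drop: implicit deny at the end of the icmp rules"

    def decide(self, ingress_name: str, proto: str, src: str, dst: str) -> str:
        """Return 'allow' or 'drop: <reason>' for one packet, like packet-tracer does."""
        ingress = self.interfaces[ingress_name]
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        owner = self.owner_of(dst_ip)
        if owner is not None:
            return self.to_the_box(ingress, owner, proto, src_ip)
        egress = self.egress_for(dst_ip)
        if egress is ingress:
            return "drop: hairpin needs same-security-traffic permit intra-interface (not modelled)"
        if ingress.acl_in is not None:
            if self.acl_action(ingress.acl_in, proto, src_ip, dst_ip) != "permit":
                return "drop: acl-drop, flow is denied by configured rule"
        elif ingress.security_level < egress.security_level:
            return "drop: lower-to-higher security level with no access-group to permit it"
        if ingress.security_level == egress.security_level and not self.same_security_inter_interface:
            return "drop: same security level without same-security-traffic permit inter-interface"
        return "allow"


def build_fw0(inside_acl_fixed: bool = False, same_security: bool = False) -> Asa:
    """fw0 as posted: inside_in permits only ICMP, inside-dr has no access-group.
    inside_acl_fixed adds MAG03's 'permit ip 10.68.0.0 255.255.255.0 any'."""
    inside_in = [AclEntry("permit", "icmp", ANY, ANY)]
    if inside_acl_fixed:
        inside_in.append(AclEntry("permit", "ip", ip_network("10.68.0.0/24"), ANY))
    return Asa(
        interfaces={  # the outside address is an assumption; only its security level matters
            "outside": Interface("outside", 0, ip_address("192.168.0.5"), ip_network("192.168.0.0/24")),
            "inside": Interface("inside", 100, ip_address("10.68.0.5"), ip_network("10.68.0.0/24"), inside_in),
            "inside-dr": Interface("inside-dr", 100, ip_address("10.65.10.1"), ip_network("10.65.10.0/24")),
            "SAN": Interface("SAN", 50, ip_address("10.0.0.1"), ip_network("10.0.0.0/24")),
        },
        same_security_inter_interface=same_security,
    )
```

With `build_fw0()` the inside-to-8.8.8.8 TCP flow returns the same acl-drop that packet-tracer reported, while the inside-dr flow is allowed because the 100-to-0 security-level rule applies when no access-group is bound. `build_fw0(inside_acl_fixed=True)` lets inside reach the internet but still drops inside-to-inside-dr until `same_security=True` is set, and the inside-dr ping to 10.68.0.5 stays dropped in every configuration because the packet does not arrive on the interface that owns that address.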

Author Comment

by:mshaikh22
ID: 39819119
I have a Windows 2008 management server connected to the two interfaces:
10.68.0.15 inside and 10.65.10.15 inside-dr

Every time I want to test inside, I am disabling inside-dr and have the gateway configured on one.

Testing using 10.65.0.15

I am unable to ping the inside gateway 10.68.0.5.
I guess I won't be able to.

But I can ping the sw1 switch which is sitting on the inside interface.

Testing using 10.68.0.15

I am unable to ping the inside-dr gateway 10.65.10.1.
I guess I won't be able to.

But I can ping the sw1-dr switch which is sitting on the inside interface.


So it seems to be working. I am sorry for the confusion.

Both interfaces are talking to each other. I just tested it out a bit more.

Could you please tell me the reason why a server on an inside-dr IP will not be able to communicate with the inside gateway 10.68.0.5 or vice versa.

Thank you very much for your help.

M
LVL 17

Accepted Solution

by:
MAG03 earned 500 total points
ID: 39820299
"Testing using 10.65.0.15"
Is this a typo? Shouldn't this be 10.65.10.15?

"Could you please tell me the reason why a server on an inside-dr IP will not be able to communicate with the inside gateway 10.68.0.5 or vice versa."

Well, it sounds like when you are testing from 10.65.10.15 you disable the inside interface of 10.65.0.1? If that is the case, and 10.65.10.1 is the default gateway for 10.65.0.15, then there will be no connectivity with 10.68.0.0/24, as the 10.65.10.0/24 network has no way of reaching that subnet.

By default the ASA should respond to ICMP packets. Have you tried adding the commands I mentioned in an earlier post?

icmp permit any inside
icmp permit any inside-dr

Author Comment

by:mshaikh22
ID: 39825935
Thanks a lot, MAG03 for all of your help. Really appreciate it.

Have a good weekend.

M

Author Comment

by:mshaikh22
ID: 39827543
I've requested that this question be closed as follows:

Accepted answer: 96 points for MAG03's comment #a39820299
Assisted answer: 20 points for Soulja's comment #a39813267
Assisted answer: 20 points for Soulja's comment #a39813442
Assisted answer: 0 points for mshaikh22's comment #a39813507
Assisted answer: 0 points for mshaikh22's comment #a39813630
Assisted answer: 76 points for MAG03's comment #a39816343
Assisted answer: 0 points for mshaikh22's comment #a39816453
Assisted answer: 0 points for mshaikh22's comment #a39816492
Assisted answer: 96 points for MAG03's comment #a39817576
Assisted answer: 0 points for mshaikh22's comment #a39817647
Assisted answer: 0 points for mshaikh22's comment #a39817860
Assisted answer: 0 points for mshaikh22's comment #a39818913
Assisted answer: 96 points for MAG03's comment #a39818975
Assisted answer: 0 points for mshaikh22's comment #a39818999
Assisted answer: 0 points for mshaikh22's comment #a39819016
Assisted answer: 96 points for MAG03's comment #a39819050
Assisted answer: 0 points for mshaikh22's comment #a39819119
Assisted answer: 0 points for mshaikh22's comment #a39825935

for the following reason:

Issue has been resolved with MAG03's help.

Thank you.