TrustGroup-UAE
asked on
Cisco ASA Inter-Vlan Routing
Hi All,
Hope Everyone is Well?
Hope somebody could help as I'm banging my head with this one:-
I have several Sub Interfaces for VLANs set up on my Firewall. I have these connected to a Switch, which in turn has the Switch Port set in Trunk Mode,
Switch Config Here:-
interface FastEthernet0/1
description ** Firewall Uplink - FA0/1 **
switchport trunk native vlan 101
switchport trunk allowed vlan 101-104,110
switchport mode trunk
If I connect my Laptop up and set an IP of 10.1.1.100 I can't even ping the Firewall (10.1.1.1). Same on the other Subnets. I can't ping any default Gateways, or ping Gateways between VLANs.
Strangely enough, though, the Firewall can ping the switch on 10.1.1.21.
From all Subnets there is no internet access either, but I assume this is something to do with the above not working.
My ASA Config is attached.
Many Thanks for Any Help.
Cheers
Si
Config.txt
How many VLANs is your ASA licensed to have? Execute a 'show version' in order to reveal this.
ASKER
Hi NetDSG,
Please find below from Sh Ver. Showing me 50 Vlans.
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 50 perpetual
Inside Hosts : Unlimited perpetual
Failover : Disabled perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 0 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
Cheers
Si
Hi,
You need to config nat and nonat
ASKER
Thanks ikalmar,
Any Tips, Pointers for example Config or this?
Cheers
Si
Let's see what the ASA thinks is going on by enabling some logging. Try:
conf t
logging enable
logging buffered 7
logging buffer-size 100000
logging timestamp
exit
Then attempt the functionality you are looking for, followed by a show log. Hopefully you'll see a syslog entry that corresponds with your attempt by using the 'show log' command.
ASKER
Hi,
I can't see anything in there that's obvious:-
Mar 08 2014 10:02:36: %ASA-6-302021: Teardown ICMP connection for faddr 10.1.2.101/1 gaddr 10.1.2.1/0 laddr 10.1.2.1/0
Mar 08 2014 10:02:36: %ASA-7-609002: Teardown local-host inside_voip:10.1.2.101 duration 0:00:00
Mar 08 2014 10:02:36: %ASA-7-609002: Teardown local-host identity:10.1.2.1 duration 0:00:00
Mar 08 2014 10:02:37: %ASA-7-609001: Built local-host inside_voip:10.1.2.101
Mar 08 2014 10:02:37: %ASA-7-609001: Built local-host identity:10.1.2.1
Mar 08 2014 10:02:37: %ASA-6-302020: Built inbound ICMP connection for faddr 10.1.2.101/1 gaddr 10.1.2.1/0 laddr 10.1.2.1/0
Mar 08 2014 10:02:37: %ASA-6-302021: Teardown ICMP connection for faddr 10.1.2.101/1 gaddr 10.1.2.1/0 laddr 10.1.2.1/0
Mar 08 2014 10:02:37: %ASA-7-609002: Teardown local-host inside_voip:10.1.2.101 duration 0:00:00
Mar 08 2014 10:02:37: %ASA-7-609002: Teardown local-host identity:10.1.2.1 duration 0:00:00
Mar 08 2014 10:02:41: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:42: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:42: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:43: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:43: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:43: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:44: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:44: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:45: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:45: %ASA-6-302014: Teardown TCP connection 340 for management:192.168.1.2/49862 to identity:192.168.1.1/443 duration 0:03:01 bytes 536 TCP Reset-O
Mar 08 2014 10:02:45: %ASA-6-302014: Teardown TCP connection 342 for management:192.168.1.2/49864 to identity:192.168.1.1/443 duration 0:03:01 bytes 406 TCP Reset-O
Mar 08 2014 10:02:45: %ASA-6-302014: Teardown TCP connection 343 for management:192.168.1.2/49865 to identity:192.168.1.1/443 duration 0:03:01 bytes 521 TCP Reset-O
Mar 08 2014 10:02:45: %ASA-6-302014: Teardown TCP connection 344 for management:192.168.1.2/49866 to identity:192.168.1.1/443 duration 0:03:01 bytes 531 TCP Reset-O
Mar 08 2014 10:02:51: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:52: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:52: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:53: %ASA-6-302016: Teardown UDP connection 316 for management:192.168.1.2/68 to identity:255.255.255.255/67 duration 0:03:21 bytes 600
Mar 08 2014 10:02:53: %ASA-7-609002: Teardown local-host identity:255.255.255.255 duration 0:03:21
Mar 08 2014 10:03:00: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:03:01: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:03:01: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:03:05: %ASA-7-710005: UDP request discarded from 10.1.2.101/138 to inside_voip:10.1.2.255/138
Mar 08 2014 10:03:06: %ASA-6-302016: Teardown UDP connection 317 for management:192.168.1.2/68 to identity:192.168.1.1/67 duration 0:03:34 bytes 1168
Mar 08 2014 10:03:08: %ASA-5-111005: console end configuration: OK
Mar 08 2014 10:03:09: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:03:10: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:03:10: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
I have also modified my config here and there as I have been playing around. With my Laptop on the switch and the switch port set to the VLAN I can now on each VLAN ping the default gateway.
I still cannot ping gateways between VLANs nor get any outside connectivity.
I have attached my New Config.
Many thanks again
Si
Config.txt
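An added example, not part of the thread: a small Python triage for 'show log' output like the one posted above. It separates events addressed to the ASA itself (the `identity` interface) from connections between two named interfaces, which is what inter-VLAN traffic would produce; the sample lines are constructed in the format of the posted log, and `triage` is a hypothetical helper name.

```python
import re
from collections import Counter

# Constructed sample in the format of the 'show log' output posted above.
SAMPLE = """\
Mar 08 2014 10:02:37: %ASA-7-609001: Built local-host inside_voip:10.1.2.101
Mar 08 2014 10:02:37: %ASA-7-609001: Built local-host identity:10.1.2.1
Mar 08 2014 10:02:37: %ASA-6-302020: Built inbound ICMP connection for faddr 10.1.2.101/1 gaddr 10.1.2.1/0 laddr 10.1.2.1/0
Mar 08 2014 10:02:41: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:45: %ASA-6-302014: Teardown TCP connection 340 for management:192.168.1.2/49862 to identity:192.168.1.1/443 duration 0:03:01 bytes 536 TCP Reset-O
""".splitlines()

LINE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<msg>.*)$")
IDENTITY = re.compile(r"identity:(\d+(?:\.\d+){3})")
ICMP = re.compile(r"ICMP connection for faddr \S+ gaddr \S+ laddr ([\d.]+)/")
CONN = re.compile(r"(?:TCP|UDP) connection \d+ for (\w+):\S+(?: \(\S+\))? to (\w+):\S+")

def triage(lines):
    """Count message IDs and split events into to-the-box vs through-the-box."""
    parsed = [m for m in map(LINE.search, lines) if m]
    # Addresses logged under the 'identity' interface belong to the ASA itself.
    own = {ip for m in parsed for ip in IDENTITY.findall(m["msg"])}
    counts = Counter(m["id"] for m in parsed)
    to_box = through_box = 0
    for m in parsed:
        msg = m["msg"]
        icmp, conn = ICMP.search(msg), CONN.search(msg)
        if m["id"] == "710005":
            box = True                      # UDP packet handled (and dropped) by the ASA, not transit
        elif icmp:
            box = icmp.group(1) in own      # ping answered by an ASA interface address
        elif conn:
            box = "identity" in conn.groups()
        else:
            continue                        # local-host bookkeeping, config events, etc.
        to_box += box
        through_box += not box
    return {"counts": dict(counts), "own": own,
            "to_box": to_box, "through_box": through_box}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On lines like these `through_box` stays at 0: the buffer shows only pings, management sessions and broadcasts addressed to the firewall, and no connection between two VLAN interfaces.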
ASKER CERTIFIED SOLUTION
This solution is only available to members.
ASKER
Hi,
After adding in the above still there was no routing. I have since spoken to TAC who asked me to upgrade the ASA IOS.
After doing this and adding the above all now works!
Many thanks for your Help!
Cheers
Si
Hi Si,
What version of the IOS did you need to upgrade to?
Cheers,
Samashcam