Can't get routing to work.

Answered Question
Sep 15th, 2010

So I have a 3560GPOE that connects to an ASA 5510 that then connects to an internet router.


If I connect directly into the ASA all works fine. So I know from there on everything is OK.


But if I connect to the 3560 all the traffic dies there. I can't even ping the external IP of the 3560, which is 10.245.253.2.


Please help, here is the config:


Building configuration...

Current configuration : 6637 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname ............
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$7Rt3$XmTMVTMDXajmJjMi7EtEQ.
enable password 7 03555F52570B771F4D0D1C5512165C0D017873217E6267201101125452035B0F01555E5B4E135D0A06570657575C5F55560A0207100352020F5509251D4F584956
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
ip routing
ip domain-name .............
!
!
!
!
crypto pki trustpoint TP-self-signed-1453801472
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1453801472
revocation-check none
rsakeypair TP-self-signed-1453801472
!
!
crypto pki certificate chain TP-self-signed-1453801472
certificate self-signed 01
  quit
!
!
!
!
!
spanning-tree mode pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
interface GigabitEthernet0/1
switchport access vlan 2
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
switchport access vlan 2
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/3
switchport access vlan 2
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/4
switchport access vlan 2
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/5
switchport access vlan 2
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/6
switchport access vlan 2
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/7
switchport access vlan 2
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/8
switchport access vlan 2
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/9
switchport access vlan 2
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/10
switchport access vlan 2
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/11
switchport access vlan 2
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/12
switchport access vlan 2
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/13
switchport access vlan 2
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/14
switchport access vlan 2
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/15
switchport access vlan 2
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/16
switchport access vlan 2
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/17
description ......................
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/18
description ..................
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/19
description ..................
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/20
description ....................
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/21
description ....................
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/22
description ....................
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/23
description .................
no switchport
ip address 10.245.253.2 255.255.255.0
spanning-tree portfast
!
interface GigabitEthernet0/24
description ..................
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2
switchport mode trunk
spanning-tree portfast
!
interface GigabitEthernet0/25
!
interface GigabitEthernet0/26
!
interface GigabitEthernet0/27
!
interface GigabitEthernet0/28
!
interface Vlan1
description MANAGEMENT
ip address 10.245.1.1 255.255.255.0
!
interface Vlan2
description LAN_1
ip address 10.245.2.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.245.253.1
ip http server
ip http secure-server
!
!
!
!
control-plane
!
!
line con 0
password 7 091C16504152464A085A53287C21706634774701145500530A5B0306570248450A095306060C565A5A5F060A555D1600055D5A0757241F1A5C485044130E0D572B
login
line vty 0 4
password 7 13044E47535D547A2D202B606221415614575452010807515807194F5F0C5103570C015C5855540D04501700070F0F040B791D1B59410445405C09567228747B65
login
line vty 5 15
password 7 13044E47535D547A2D202B606221415614575452010807515807194F5F0C5103570C015C5855540D04501700070F0F040B791D1B59410445405C09567228747B65
login
!
end

ColinChambers Wed, 09/15/2010 - 09:34

Could be a daft one but have you turned routing on?


'ip routing'


Regards,


Colin


Nagaraja Thanthry Wed, 09/15/2010 - 09:43
User Badges:
  • Cisco Employee,



Hello,

From your configuration on the switch, I see that your VLAN IP is 10.245.1.1 or 10.245.2.1. You are pointing your default gateway to 10.245.253.1. There is no interface in 10.245.253.x subnet on the switch. Can you ensure that the VLAN where the ASA is connected has an IP in the range of 10.245.253.x?

If it is VLAN 1, then

interface VLAN 1

ip address 10.245.253.x 255.255.255.0

exit

That should fix the issue.

Regards,

NT

mundusrector Wed, 09/15/2010 - 09:46

Port 23 is configured with the IP. It needs to be specified as a VLAN as well? I can just make a 3rd VLAN for this?


This brings me to two questions.


A. Do I configure VLAN3 interface with 10.245.253.2 and just specify port 23 as VLAN 3?


or


B. Do I configure the VLAN interface with that IP and port 23 with that IP?

Correct Answer
Nagaraja Thanthry Wed, 09/15/2010 - 09:52
User Badges:
  • Cisco Employee,

Hello,


Sorry, I did not notice the interface configuration. Based on the interface configuration and based on the configuration you have posted in another thread (for 5510), it looks like the 5510 does not have routes to your internal subnets. Please try the following on the 5510:


route inside 10.245.0.0 255.255.0.0 10.245.253.2


Hope this helps.


Regards,


NT
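
The return-path problem this answer describes, as an added example that is not part of the original thread: a longest-prefix-match lookup over the switch routes from the posted config and an assumed ASA table. The ASA config is not on this page, so its inside address (10.245.253.1, taken from the switch's default route) and its outside next hop (192.0.2.1, a placeholder) are assumptions.

```python
import ipaddress


def route(prefix, mask, iface, next_hop=None):
    """Build one routing-table entry; next_hop=None means directly connected."""
    return (ipaddress.ip_network(f"{prefix}/{mask}"), iface, next_hop)


def lookup(table, dst):
    """Longest-prefix match: return the most specific entry covering dst."""
    addr = ipaddress.ip_address(dst)
    matches = [entry for entry in table if addr in entry[0]]
    if not matches:
        return None
    return max(matches, key=lambda entry: entry[0].prefixlen)


# 3560 table, taken from the posted config (SVIs, routed port, default route).
SWITCH = [
    route("10.245.1.0", "255.255.255.0", "Vlan1"),
    route("10.245.2.0", "255.255.255.0", "Vlan2"),
    route("10.245.253.0", "255.255.255.0", "Gi0/23"),
    route("0.0.0.0", "0.0.0.0", "Gi0/23", "10.245.253.1"),
]

# ASA 5510 table. ASSUMED: only the connected inside subnet plus a default
# route out the outside interface (192.0.2.1 is a placeholder next hop).
ASA_BEFORE = [
    route("10.245.253.0", "255.255.255.0", "inside"),
    route("0.0.0.0", "0.0.0.0", "outside", "192.0.2.1"),
]

# Same table after: route inside 10.245.0.0 255.255.0.0 10.245.253.2
ASA_AFTER = ASA_BEFORE + [
    route("10.245.0.0", "255.255.0.0", "inside", "10.245.253.2"),
]


def reply_path(asa_table, host):
    """Interface and next hop the ASA uses to send a reply back to host."""
    _, iface, next_hop = lookup(asa_table, host)
    return iface, next_hop


if __name__ == "__main__":
    host = "10.245.2.10"  # constructed sample host in VLAN 2
    print("switch forwards 8.8.8.8 via", lookup(SWITCH, "8.8.8.8")[2])
    print("ASA reply before:", reply_path(ASA_BEFORE, host))
    print("ASA reply after: ", reply_path(ASA_AFTER, host))
```
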

mundusrector Wed, 09/15/2010 - 09:58

I'll try that but even if the ASA wasn't there I still couldn't ping the Outside interface on the 3560. Leads me to believe this is isolated to the 3560? I'm probably wrong.

Nagaraja Thanthry Wed, 09/15/2010 - 13:00
User Badges:
  • Cisco Employee,

Hello,


Does the interface state stay up when you connect the ASA and the switch? If the interface state is down, then can you move the L3 configuration to another VLAN interface and make that port an access port in the new VLAN?


Regards,


NT

glen.grant Wed, 09/15/2010 - 16:08
User Badges:
  • Purple, 4500 points or more

The interface has to be in an up/up status in order for it to respond to ping. A firewall is normally set up to block ping, so you probably won't be able to ping the FW itself. Nothing else really jumps out, seems like it should work.
