Not able to access internet using VRF-lite on through ASA 5505

Answered Question
May 5th, 2012

Hi guys

I am trying to “build up” a small home-network and using some of following Cisco equipment’s

  • ASA 5505 v8.4.3 witch base license
  • Cisco Catalyst 3750G with ipservices version 15.0.x
  • and 1 qty of AP1142N

I am not able to get internet access from any VRF’s.

From "MILAN (LAN) VRF, I am able to ping my gw: 10.45.45.1 but I am not able to ping for example: “linknett VRF”.

It seems that i am missing some NAT rules on ASA or ?

If i connect my laptop directly to the ASA, i am able to get internet access!

I am not feeling comfortable with a new ASA 8.4 code yet, so im not so sure which exact code's i am missing on ASA ...

Please look at attached digram including configuration files from ASA and 3750 sw.

Thanks!!

I have this problem too.
0 votes
Correct Answer by Mohamed Sobair about 1 year 11 months ago

OHHH Vuko!!!!!!

I do really apologize , After I got deeper look , I got where your issue. Its really embarassing issue, but beleive me when I was amswering your first post it was very late and was not concentrating well.

Your issue firstly seem to me VRF-RouteLeaking, and then I knew from you you dont need those VRFs to internally communicate except for Internet Traffic.

Now, Your issue is not with the VRF Leaking problem or configuration, the Issue lies on your Firewall, Let me explain further:

VRFs (MILAN, VOICE, & WLAN) have a static default route pointing to 10.20.45.2.  Now, this IP represent the Firewall which is the Gateway (Nexthop) to reach the internet for all VRFs.

Now, Since the (10.20.45.2) has been Leaked from VRF (LINKNETT), So the Communication Established to the Firewall.

However, the Firewall have a route back for all VRFs pointing to (LINKNETT VRF ip: 10.20.45.1) Your Core Switch. and with My recommended config and Setup which has to be done this way, VRF (LINKNETT) has all routes for all VRFs in its routing table.

So when traffic initiated from WLAN VRF , it goes to the Firewall, the Firewall return it back to the Core Switch (VRF LINKNETT), and VRF (LINKNETT) has all routes for all VRFs in its routing table, So it forwards the traffic directly to it.

And this happens vice versa for the returned path.>>> Did you get it yet???

Now, Since we have to have VRF (LINKNETT) has all connected VRFs routes in its routing table which is a MUST, we have no other choice but to deploy (Access Control List) as Close to the Source as possible as you Know.

Since this is the Case, I would suggest you have an ACL Configuration like below added to your Switch configuration, with this ACL , you will prevent All VRFs to communicate with each other Except for Internet:

interface Vlan10

description ** linknett_to_ASA **

ip vrf forwarding LINKNETT

ip address 10.20.45.1 255.255.255.248

!

interface Vlan20

description ** LAN **

ip vrf forwarding MILAN

ip address 10.45.45.1 255.255.255.0

Access-group 100 in ---------------------(Add this statement)

!

interface Vlan30

description ** VOICE **

ip vrf forwarding VOICE

ip address 172.45.45.1 255.255.255.248

access-group 101 in ---------------------- (Add this statement)

!

interface Vlan40

description ** WLAN **

ip vrf forwarding WLAN

ip address 192.168.45.1 255.255.255.240

access-group 102 in  -------------------- (Add this statement)

Add the Following ACLs as Well:

Access-list 100 deny ip 10.45.45.0 0.0.0.255 172.45.45.0 0.0.0.7

access-list 100 deny ip 10.45.45.0 0.0.0.255 192.168.45.0 0.0.0.15

access-list 100 permit ip any any

access-list 101 deny ip 172.45.45.0 0.0.0.7 10.45.45.0 0.0.0.255

access-list 101 deny ip 172.45.45.0 0.0.0.7 192.168.45.0 0.0.0.7

access-list 101 permit ip 172.45.45.0 0.0.0.7 any

access-list 102 deny ip 192.168.45.0 0.0.0.15 10.45.45.0 0.0.0.255

access-list 102 deny ip 192.168.45.0 0.0.0.15 172.45.45.0 0.0.0.7

access-list 102 permit ip any any

After the above Config, you should have Access to internet in all VRFs and NO Inter-VRF communication.

Again, I am reall Sorry and Apologize for not Concentrating on your Second requirement.

Let me know how it goes, Or if you have any doubt.

Thanks,

Mohamed

Correct Answer by Mohamed Sobair about 1 year 11 months ago

Hello,

From either of all VRFs, you wont be able to access the internet, the problem is not your ASA config, the problem is in your 3750 Switch.

you have VRF-lite configured on all vlan interfaces, therfore , you will be having seperate routing table for each VRF which will not allow other VRFs to interface with the 10.20.45.0/29 by default.

Since you need to setup your default route pointing to 10.20.45.2/29 in all other VRFs, then you need VRF MILAN , VOICE & WLAN to have the 10.20.45.2 in its vrf routing table, Also you need vrf LINKNETT to have all networks in VRF Voice, MILAN & WLAN in its routing table.

In order to perform the above, you will have to configure BGP routing protocol, the ONLY protocol allows VRFs to be carried and leaked together.

So, add the following configuration in your 3750 Switch:

router bgp 1

address-family ipv4 vrf LINKNETT

redistribute connected

address-family ipv4 vrf VOICE

redistribute connected

address-family vrf MILAN

redistribute connected

address-family vrf WLAN

redistribute connected

ip vrf LINKNETT

rd 10:1

route-target export 1:1

route-target import 1:2

route-target import 1:3

route-target import 1:4

ip vrf  MILAN

rd 45:1

route-target export 1:2

route-target import 1:1

ip vrf VOICE

rd 172:1

route-target export 1:3

route-target import 1:1

ip vrf WLAN

rd 192:1

route-target export 1:4

route-target import 1:1

After doing it, you should be good to go and have internet Access at all VRFs.

Thanks,

Mohamed

  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 5 (2 ratings)
Correct Answer
Mohamed Sobair Sat, 05/05/2012 - 13:56

Hello,

From either of all VRFs, you wont be able to access the internet, the problem is not your ASA config, the problem is in your 3750 Switch.

you have VRF-lite configured on all vlan interfaces, therfore , you will be having seperate routing table for each VRF which will not allow other VRFs to interface with the 10.20.45.0/29 by default.

Since you need to setup your default route pointing to 10.20.45.2/29 in all other VRFs, then you need VRF MILAN , VOICE & WLAN to have the 10.20.45.2 in its vrf routing table, Also you need vrf LINKNETT to have all networks in VRF Voice, MILAN & WLAN in its routing table.

In order to perform the above, you will have to configure BGP routing protocol, the ONLY protocol allows VRFs to be carried and leaked together.

So, add the following configuration in your 3750 Switch:

router bgp 1

address-family ipv4 vrf LINKNETT

redistribute connected

address-family ipv4 vrf VOICE

redistribute connected

address-family vrf MILAN

redistribute connected

address-family vrf WLAN

redistribute connected

ip vrf LINKNETT

rd 10:1

route-target export 1:1

route-target import 1:2

route-target import 1:3

route-target import 1:4

ip vrf  MILAN

rd 45:1

route-target export 1:2

route-target import 1:1

ip vrf VOICE

rd 172:1

route-target export 1:3

route-target import 1:1

ip vrf WLAN

rd 192:1

route-target export 1:4

route-target import 1:1

After doing it, you should be good to go and have internet Access at all VRFs.

Thanks,

Mohamed

vucko-sanel Sun, 05/06/2012 - 04:52

Thanks Mohamed! That was the trick!

I have now other quetsion:

I don't want to allow access from one specific vrf to other one...

I understand that i have to use route-target import command's ... but with configuration above, I am now able to access MILAN VRF from WLAN VRF which I acctualy don't wont ..

Mohamed Sobair Sun, 05/06/2012 - 14:13

Hello,

I missed that, you eventually needs not all VRFs to communicate with each other but rather ONLY to communicate with LINKNETT VRF.

Yes, now, add the below config to LINKNETT VRF:

ip vrf LINKNETT

rd 10:1

route-target export 1:1

route-target import 1:2

route-target import 1:3

route-target import 1:4

export-map INTERNET    (Add this statement)

route-map INTERNET permit 10

match ip address 10

access-list 10 permit 10.20.45.0 0.0.0.7

This should ONLY allow Internet Access to all VRFs while block Inter-VRF Communication.

Regards,

Mohamed

vucko-sanel Sun, 05/06/2012 - 14:23

After adding those commands below, i am still able to acess VRF MILAN (10.45.45.0/24) from VRF WLAN (192.168.45.0/28)

ip vrf LINKNETT

rd 10:1

export map INTERNET

route-target export 1:1

route-target import 1:2

route-target import 1:3

route-target import 1:4

!

access-list 10 permit 10.20.45.0 0.0.0.7

!

route-map INTERNET permit 10

match ip address 10

Core-01#sh route-map INTERNET

route-map INTERNET, permit, sequence 10

  Match clauses:

    ip address (access-lists): 10

  Set clauses:

  Policy routing matches: 0 packets, 0 bytes

Core-01#

Core-01#sh access-lists     

Standard IP access list 10

    10 permit 10.20.45.0, wildcard bits 0.0.0.7 (1 match)

Extended IP access list test

    10 permit ip any any

Core-01#

Attached switch configuration

Mohamed Sobair Sun, 05/06/2012 - 14:51

This Shouldnt be...

Can you clear the IP routing table for those VRFs manually and try again. Clear VRF WLAN and MILAN routing and check.

Regards,

Mohamed

vucko-sanel Sun, 05/06/2012 - 14:55

tallready done that ...

Core-01#clear ip route vrf WLAN *

Core-01#clear ip route vrf MILAN *

Core-01#clear ip route vrf LINKNETT *

but i still have acces to MILAN VRF for WLAN VRF ..

Core-01#sh ip route vrf MILAN

Routing Table: MILAN

Gateway of last resort is 10.20.45.2 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.20.45.2

      10.0.0.0/8 is variably subnetted, 3 subnets, 3 masks

B        10.20.45.0/29 is directly connected, 00:03:57, Vlan10

C        10.45.45.0/24 is directly connected, Vlan20

L        10.45.45.1/32 is directly connected, Vlan20

Core-01#sh ip route vrf WLAN

Routing Table: WLAN

Gateway of last resort is 10.20.45.2 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.20.45.2

      10.0.0.0/29 is subnetted, 1 subnets

B        10.20.45.0 is directly connected, 00:03:45, Vlan10

      192.168.45.0/24 is variably subnetted, 2 subnets, 2 masks

C        192.168.45.0/28 is directly connected, Vlan40

L        192.168.45.1/32 is directly connected, Vlan40

Core-01#sh ip route vrf LINKNETT

Routing Table: LINKNETT

Gateway of last resort is 10.20.45.2 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.20.45.2

      10.0.0.0/8 is variably subnetted, 3 subnets, 3 masks

C        10.20.45.0/29 is directly connected, Vlan10

L        10.20.45.1/32 is directly connected, Vlan10

B        10.45.45.0/24 is directly connected, 00:03:52, Vlan20

      172.45.0.0/29 is subnetted, 1 subnets

B        172.45.45.0 is directly connected, 00:03:52, Vlan30

      192.168.45.0/28 is subnetted, 1 subnets

B        192.168.45.0 is directly connected, 00:03:52, Vlan40

Core-01#

but it seems that ping results from switch are correct ...

Core-01#ping vrf WLAN 192.168.45.10 source vlan 20

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.45.10, timeout is 2 seconds:

Packet sent with a source address of 10.45.45.1

.....

Success rate is 0 percent (0/5)

Core-01#

Core-01#ping vrf MILAN 10.45.45.20 source vlan 40

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.45.45.20, timeout is 2 seconds:

Packet sent with a source address of 192.168.45.1

.....

Success rate is 0 percent (0/5)

Core-01#

Mohamed Sobair Sun, 05/06/2012 - 15:11

Hmmm!!!!!

Can you add the below config and let me know:

ip vrf MILAN

rd 45:1

route-target export 1:2

route-target import 1:1

import map INTERNET (Add this statement)

ip vrf WLAN

rd 192:1

route-target export 1:4

route-target import 1:1

import map INTERNET  (Add this statement)

Let me know how it goes... I remeber the (import map) command have influence on what routes should be imported into the VRF regardless of its route-target..

Please check..

Regards,

Mohamed

Mohamed Sobair Sun, 05/06/2012 - 15:59

OK, I have reviewed the main VRF LINKNETT config, please configure it as follows:

ip vrf LINKNETT

rd 10:1

route-target export 1:1  (Remove this statement)

route-target import 1:2

route-target import 1:3

route-target import 1:4

export-map INTERNET (Add this statement)

route-map INTERNET permit 10

match ip address 10

set extcommunity rt 1:1    (Add this statement)

access-list 10 permit 10.20.45.0 0.0.0.7

Also remove all (import map) commands under both VRFs. Let me know

Clear All routing table and check your connectivity.

Regards,

Mohamed

vucko-sanel Sun, 05/06/2012 - 16:09

sorry to tell you that "issue" is still there ..

.. and yes, i clear all routering tables as well

maybe  i should try to reload switch and ASA .. ?

attached a new updated configuration ..

I just reloded both devices (ASA and switch) and im still able to communicate between VRFs

ping results still looks fine ..

Core-01#ping vrf WLAN 192.168.45.10 source vlan 20

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.45.10, timeout is 2 seconds:

Packet sent with a source address of 10.45.45.1

.....

Success rate is 0 percent (0/5)

Core-01#

Core-01#ping vrf MILAN 10.45.45.20 source vlan 40

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.45.45.20, timeout is 2 seconds:

Packet sent with a source address of 192.168.45.1

.....

Success rate is 0 percent (0/5)

Core-01#

Mohamed Sobair Tue, 05/08/2012 - 00:51

Hi,

This is how it should work!! and I am surprised if your other VRFs recieves other routes than the 10.20.45.0/29.

With the above config, VRF WLAN & MILAN Should ONLY recieve 10.20.45.0/29 from VRF LINKNETT.

Please double check your VRF routing table,

Regards,

Mohamed

vucko-sanel Tue, 05/08/2012 - 07:44

like u could have seen from diagram, i am using 3 VRFs (MILAN, WLAN and VOICE) and 4th VRF is just small linknet subnet between ASA og 3k.

My VRF routing table reciving just routes from "LINKNETT" VRF

Core-01#sh ip route vrf MILAN  

Routing Table: MILAN

Gateway of last resort is 10.20.45.2 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.20.45.2

      10.0.0.0/8 is variably subnetted, 3 subnets, 3 masks

B        10.20.45.0/29 is directly connected, 17:00:51, Vlan10

C        10.45.45.0/24 is directly connected, Vlan20

L        10.45.45.1/32 is directly connected, Vlan20

Core-01#

Core-01#sh ip route vrf WLAN

Routing Table: WLAN

Gateway of last resort is 10.20.45.2 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.20.45.2

      10.0.0.0/29 is subnetted, 1 subnets

B        10.20.45.0 is directly connected, 17:00:58, Vlan10

      192.168.45.0/24 is variably subnetted, 2 subnets, 2 masks

C        192.168.45.0/28 is directly connected, Vlan40

L        192.168.45.1/32 is directly connected, Vlan40

Core-01#

Core-01#sh ip route vrf VOICE

Routing Table: VOICE

Gateway of last resort is 10.20.45.2 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.20.45.2

      10.0.0.0/29 is subnetted, 1 subnets

B        10.20.45.0 is directly connected, 17:01:06, Vlan10

      172.45.0.0/16 is variably subnetted, 2 subnets, 2 masks

C        172.45.45.0/29 is directly connected, Vlan30

L        172.45.45.1/32 is directly connected, Vlan30

Core-01#

so i canæt understand why i am stil able to log on server which is placed in MILAN VRF (10.45.45.0/24) from WLAN VRF (192.168.45.0/28)

Please find attached updated digram and configuration files!

Correct Answer
Mohamed Sobair Tue, 05/08/2012 - 10:08

OHHH Vuko!!!!!!

I do really apologize , After I got deeper look , I got where your issue. Its really embarassing issue, but beleive me when I was amswering your first post it was very late and was not concentrating well.

Your issue firstly seem to me VRF-RouteLeaking, and then I knew from you you dont need those VRFs to internally communicate except for Internet Traffic.

Now, Your issue is not with the VRF Leaking problem or configuration, the Issue lies on your Firewall, Let me explain further:

VRFs (MILAN, VOICE, & WLAN) have a static default route pointing to 10.20.45.2.  Now, this IP represent the Firewall which is the Gateway (Nexthop) to reach the internet for all VRFs.

Now, Since the (10.20.45.2) has been Leaked from VRF (LINKNETT), So the Communication Established to the Firewall.

However, the Firewall have a route back for all VRFs pointing to (LINKNETT VRF ip: 10.20.45.1) Your Core Switch. and with My recommended config and Setup which has to be done this way, VRF (LINKNETT) has all routes for all VRFs in its routing table.

So when traffic initiated from WLAN VRF , it goes to the Firewall, the Firewall return it back to the Core Switch (VRF LINKNETT), and VRF (LINKNETT) has all routes for all VRFs in its routing table, So it forwards the traffic directly to it.

And this happens vice versa for the returned path.>>> Did you get it yet???

Now, Since we have to have VRF (LINKNETT) has all connected VRFs routes in its routing table which is a MUST, we have no other choice but to deploy (Access Control List) as Close to the Source as possible as you Know.

Since this is the Case, I would suggest you have an ACL Configuration like below added to your Switch configuration, with this ACL , you will prevent All VRFs to communicate with each other Except for Internet:

interface Vlan10

description ** linknett_to_ASA **

ip vrf forwarding LINKNETT

ip address 10.20.45.1 255.255.255.248

!

interface Vlan20

description ** LAN **

ip vrf forwarding MILAN

ip address 10.45.45.1 255.255.255.0

Access-group 100 in ---------------------(Add this statement)

!

interface Vlan30

description ** VOICE **

ip vrf forwarding VOICE

ip address 172.45.45.1 255.255.255.248

access-group 101 in ---------------------- (Add this statement)

!

interface Vlan40

description ** WLAN **

ip vrf forwarding WLAN

ip address 192.168.45.1 255.255.255.240

access-group 102 in  -------------------- (Add this statement)

Add the Following ACLs as Well:

Access-list 100 deny ip 10.45.45.0 0.0.0.255 172.45.45.0 0.0.0.7

access-list 100 deny ip 10.45.45.0 0.0.0.255 192.168.45.0 0.0.0.15

access-list 100 permit ip any any

access-list 101 deny ip 172.45.45.0 0.0.0.7 10.45.45.0 0.0.0.255

access-list 101 deny ip 172.45.45.0 0.0.0.7 192.168.45.0 0.0.0.7

access-list 101 permit ip 172.45.45.0 0.0.0.7 any

access-list 102 deny ip 192.168.45.0 0.0.0.15 10.45.45.0 0.0.0.255

access-list 102 deny ip 192.168.45.0 0.0.0.15 172.45.45.0 0.0.0.7

access-list 102 permit ip any any

After the above Config, you should have Access to internet in all VRFs and NO Inter-VRF communication.

Again, I am reall Sorry and Apologize for not Concentrating on your Second requirement.

Let me know how it goes, Or if you have any doubt.

Thanks,

Mohamed

vucko-sanel Tue, 05/08/2012 - 10:42

Your post above, absolutely seems to me now to be more like a solution in this scenario - let my try to implement this during day and come back to you with results!

so for me looks like that i can remove/add some of bellow statements from configuration:

ip vrf LINKNETT

rd 10:1

export map INTERNET (remove this statement)

route-target export 1:1 (add this statement)

route-target import 1:2

route-target import 1:3

route-target import 1:4

!

access-list 10 permit 10.20.45.0 0.0.0.7 (remove this statement)

!

route-map INTERNET permit 10 (remove this statement)

match ip address 10

set extcommunity rt 1:1

Let me know if this is correct ?

I have now other question which I think, is most similar to suggested solution …

isn’t more recommended let firewall do this job and implement access-list on the firewall ?

vucko-sanel Tue, 05/08/2012 - 12:59

that did the trick - thank u very much on your patient and help!

configuration are bellow:

ip access-list extended milan-in

deny   ip 10.45.45.0 0.0.0.255 172.45.45.0 0.0.0.7

deny   ip 10.45.45.0 0.0.0.255 192.168.45.0 0.0.0.15

permit ip any any

!

ip access-list extended voice-in

deny ip 172.45.45.0 0.0.0.7 10.45.45.0 0.0.0.255

deny ip 172.45.45.0 0.0.0.7 192.168.45.0 0.0.0.7

permit ip 172.45.45.0 0.0.0.7 any

!

ip access-list extended wlan-in

deny ip 192.168.45.0 0.0.0.15 10.45.45.0 0.0.0.255

deny ip 192.168.45.0 0.0.0.15 172.45.45.0 0.0.0.7

permit ip any any

!

description ** LAN **

ip vrf forwarding MILAN

ip address 10.45.45.1 255.255.255.0

ip access-group milan-in in

!

interface Vlan30

description ** VOICE **

ip vrf forwarding VOICE

ip address 172.45.45.1 255.255.255.248

ip access-group voice-in in

!

interface Vlan40

description ** WLAN **

ip vrf forwarding WLAN

ip address 192.168.45.1 255.255.255.240

ip access-group wlan-in in

but i would realy like to let firewall do this job - are you agree ?

Mohamed Sobair Tue, 05/08/2012 - 15:02

You are Welcome!!

No, I dont recommend doing it on the firewall, if you remember from your studies, if you need to block a destination using Extended ACL, it should be blocked as Close to the Source as possible.

Why is that So? This is because , if you block it at the firewall, you then allow unnecessary process of routing and traffic up to the firewall and then gets dropped, this is not a good idea, Agree! So it would be beter be immediately dropped at the Gateway of the Host in the Switch before even the Switch takes any further process.

I am glad your issue is resolved.

Thanks,

Mohamed

Actions

Login or Register to take actions

This Discussion

Posted May 5, 2012 at 11:20 AM
Stats:
Replies:17 Avg. Rating:5
Views:2035 Votes:0
Shares:0
Categories: ASA
+

Related Content

Discussions Leaderboard