Cannot ping interfaces

Answered Question
Nov 19th, 2013

Ok.. Good day, I have an ASA 5510 and a 2921 -


My ASA is used for VPN and Internet

My 2921 is used to connect different subnets


I also have an attached diagram


I have a directly connected interface on 2921-10.10.10.1 to the ASA 10.10.10.2

Also on the 2921 i have a subnet 192.168.2.0 and 10.20.30.0


I have a trunk link on my switch 2950 from the 2921... The ASA is also connected to the switch


on the ASA

Int0/0 66.xxx.xxx.xxx internet

Int0/1 10.20.60.2 - Gateway for computers

Int0/2 10.10.10.2 - connected to 2921


on the 2921

gig0/1 10.10.10.1 - connected to ASA

gig0/1.20 sub-if 192.168.2.1

gig0/1.30 sub-if 10.20.30.1



I have connected some static routes to get from 10.20.60.0 to 192.168.2.0

I cannot ping 10.10.10.2 from my PC

I cannot ping 10.20.60.2 from my 2921


I would appreciate any ideas for configuration help... and redesign...

What cannot happen is for us to use the 2921 for vpn and internet..


Thanks,,, see image.

Umesh Shetty Tue, 11/19/2013 - 09:36

Hi Roger,


The config from a routing perspective looks good. Now, since in both cases you are trying to ping the IP configured on the ASA firewall, I wonder if there is a stealth rule that's dropping that traffic (I am not an expert with the ASA though; I would check that first).


Also if you have set the rule to allow ICMP between these subnets can you try 


1> Pinging from your PC to 10.10.10.1

2> From 2921 to ping your PC


Another suggestion would be, since this problem is related to the ASA, you could post this in the Security section to get the security experts to help you.


HTH



Regards

Umesh

Jon Marshall Tue, 11/19/2013 - 11:48

Roger


I cannot ping 10.10.10.2 from my PC

I cannot ping 10.20.60.2 from my 2921

You won't be able to because on the ASA this is a restriction by design ie you cannot ping another interface across the ASA.  You can obviously ping through the ASA ie. in one interface and out another (as long as your rulebase allows it) but if the destination IP of the packet is another ASA interface this will be blocked.


So what you are seeing is correct behaviour. Do you have a connectivity problem or was it just a query you had ?


Jon

Roger Richards Wed, 11/20/2013 - 09:23

Not connectivity issues but problems with provisioning some Avaya phones using DHCP on a W2K8 server. Just basically needed to do intervlan routing with the 2921 but we still need the ASA connected as default gateway. Sooooooooo....... I need lots of help. Maybe on a different forum. But that's how this all started.

Jon Marshall Wed, 11/20/2013 - 10:00

Roger


Maybe on a different forum

If it's a problem with the phones then maybe the VOIP forums but if it is the network layout then this is the right forum.


If it is network layout etc. can you perhaps specify exactly what you want to be able to do and then we may be able to help you.


Jon

Roger Richards Wed, 11/27/2013 - 12:50

I got everything working. That "untagpvidonly" is an Avaya command.

My real issue is I can ping anything on the 192.168.2.0 subnet but I can't actually log in to any devices. If I can resolve that, it'll be great. Take another look at the attached diagram and tell me what I can do. If I put my PC with a gateway address of 10.20.60.1 I can log into my phone call server; if I put my PC with 10.20.60.2, it just hangs there.

Jon Marshall Wed, 11/27/2013 - 13:01

Roger


What is 10.20.60.1 ?


Jon

Roger Richards Wed, 11/27/2013 - 13:11

Sorry, I forgot to include 10.20.60.1. It's a sub-interface on the 2921, and its dot1q is 10, VLAN 10. I couldn't see how else I could have routed to the 192.168.2.0 network, and both subnets have an ip helper pointing to a DHCP server.

Correct Answer
Jon Marshall Wed, 11/27/2013 - 13:19

Roger


I think the way you have it now is the way to do it ie. use the 2921 to route the internal vlans and only use the ASA when you need to go to the internet or use the vpn. If you wanted to use the ASA to route the vlans then you would need additional configuration on it and i can't see the advantage of doing that unless you have security issues ?


Does this make sense ?


Jon

Roger Richards Tue, 12/03/2013 - 09:54

Hey Jon,


I got another issue. How can I use the 2921 for the internet? My ASA has 10.20.60.2 <-- as the gateway for my computers, and my 2921 also has the 10.20.60.1 interface.


I appreciate any information given.

Jon Marshall Tue, 12/03/2013 - 10:33

Roger


This could get a bit complicated but not necessarily.


Your ASA has 2 internal connections, one to the switch and one to the 2921. But it only really needs the one connection to the 2921.  So all vlans internally are routed off the 2921 and you only go to the firewall for VPN and internet.


However that would mean changes to the 2921 and more importantly the ASA. The current ASA inside interface is on the 10.20.60.x network whereas it would move to the 10.10.10.0/31. This would mean a route change on the 2921 but potentially a fair bit more config on the ASA.


Before you did any of that though, on the ASA you have this route -


172.20.2.0 255.255.255.0 172.20.16.11 inside


what is the 172.20.2.x network and what device is 172.20.16.11 ?


Jon

Roger Richards Tue, 12/03/2013 - 10:38

That's a network on the other side of the VPN. I couldn't get to it from the 2921.

Jon Marshall Tue, 12/03/2013 - 10:50

Roger


If it is a network on the other side of the VPN then why does the ASA have a route pointing back into your network ie. the route is reachable via the inside interface of the ASA not the outside.


Not trying to be difficult but if I am to suggest changes I need to make sure I don't stop things working.


Jon

Roger Richards Tue, 12/03/2013 - 10:55

Sorry Jon, my apologies... that was an experimental route; it does not serve a purpose. I do and will appreciate it if I can get this task done. It would solve my problems (well, at least the ones here).

Jon Marshall Tue, 12/03/2013 - 11:04

Roger


No problem. Can you post the configs of the 2921 and the ASA and i can then have a look and suggest how to reorganize it so all vlans are routed off the 2921 and the ASA is just for internet.


Note when you post remove any sensitive info from the ASA such as public IPs etc.


Jon

Roger Richards Tue, 12/03/2013 - 12:04

THIS IS THE ASA:

ciscoasa-stx# show run

: Saved

:

ASA Version 8.3(1)

!

hostname ciscoasa-stx

domain-name stt.vidol.gov

enable password lb70NCTEuCJ09Sct encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

nameif Vipowernet

security-level 0

ip address 66.xx.xx.xx  255.255.255.248

!

interface Ethernet0/1

nameif Inside

security-level 100

ip address 10.20.60.2 255.255.254.0

!

interface Ethernet0/2

shutdown

nameif Voice

security-level 100

no ip address

!

interface Ethernet0/3

nameif 2921

security-level 100

ip address 10.10.10.2 255.255.254.0

!

interface Management0/0

nameif management

security-level 100

ip address 10.20.80.100 255.255.255.0

!

boot system disk0:/asa831-k8.bin

ftp mode passive

clock timezone AST -4

dns domain-lookup Inside

dns server-group DefaultDNS

name-server 10.20.60.21

name-server 172.20.16.3

domain-name stt.vidol.gov

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network STT

subnet 172.20.16.0 255.255.255.0

description St. Thomas Office

object network A_66.xx.xx.xx.105

host 66.xx.xx.xx.105

object network PublicServer_NAT1

host 10.20.60.39

object service ClockLink

service tcp source eq 5074 destination eq 5074

description Clock Link Management Software

object network A_66.xx.xx.xx.107

host 66.xx.xx.xx.107

object service rdp

service tcp destination eq 3389

description Remote Desktop Protocol

object network VoIP-STT-Network

subnet 192.168.4.0 255.255.255.0

object network VoIP-STX-Network

subnet 192.168.2.0 255.255.255.0

object network STTNET

subnet 172.20.16.0 255.255.255.0

description STT NETWORK

object network STXET

subnet 10.20.60.0 255.255.254.0

description STX NETWORK

object network outside

host 66.xx.xx.xx.106

object network inside

host 10.20.60.2

object network Public-66.xx.xx.xx.108

host 66.xx.xx.xx.108

object service TCP8080

service tcp source eq 8080

object network VC_66.xx.xx.xx.109

host 66.xx.xx.xx.109

object network Clock82

host 10.20.61.82

object network Clock83

host 10.20.61.83

object network Clock81

host 10.20.61.81

object network Clocks

range 10.20.61.81 10.20.61.83

description Clocks

object network Polycom

host 10.20.60.8

object network PRTG

host 10.20.60.35

object network prtg1

host 10.20.60.35

object network Object_Clock81

host 10.20.61.81

object network Object_Clock_6401

host 10.20.61.81

object network Object_Clock_6402

host 10.20.61.82

object network Object_Clock_6403

host 10.20.61.83

object network Voice1

host 192.168.2.1

object-group network DM_INLINE_NETWORK_1

network-object host 172.20.21.4

network-object 172.20.16.0 255.255.255.0

network-object 192.168.4.0 255.255.255.0

object-group network DM_INLINE_NETWORK_2

network-object 10.20.60.0 255.255.254.0

network-object 192.168.2.0 255.255.255.0

object-group network DM_INLINE_NETWORK_3

network-object 10.20.60.0 255.255.254.0

network-object 192.168.2.0 255.255.255.0

object-group network DM_INLINE_NETWORK_4

network-object 10.20.60.0 255.255.254.0

network-object object VoIP-STX-Network

object-group network DM_INLINE_NETWORK_6

network-object object STT

network-object object VoIP-STT-Network

object-group network DM_INLINE_NETWORK_8

network-object host 125.210.221.172

network-object host 220.231.141.29

object-group service POLLY tcp

port-object eq h323

port-object eq sip

port-object eq 1731

port-object range 3230 3235

object-group service DM_INLINE_SERVICE_2

service-object tcp-udp destination eq domain

service-object tcp destination eq www

service-object tcp destination eq https

object-group service web tcp

port-object eq 8081

object-group network DM_INLINE_NETWORK_7

network-object host 10.20.61.81

network-object host 10.20.61.82

network-object host 10.20.61.83

object-group service ExtClkLnk tcp

port-object eq 5402

access-list Vipowernet_access_in extended deny ip object-group DM_INLINE_NETWORK_8 any inactive

access-list Vipowernet_access_in extended permit ip object-group DM_INLINE_NETWORK_3 any

access-list Vipowernet_access_in extended deny tcp any object PRTG eq 8081 inactive

access-list Vipowernet_access_in extended deny tcp any object Polycom eq www inactive

access-list Vipowernet_access_in extended permit tcp host 66.248.189.100 object-group DM_INLINE_NETWORK_7 eq 5402

access-list Vipowernet_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_NETWORK_1

access-list Inside_access_in extended permit ip object STXET object STTNET

access-list Inside_access_in extended permit ip host 10.20.61.1 any

access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_2 host 10.20.60.81 any

access-list Inside_access_in extended deny ip host 10.20.60.81 any

access-list Inside_access_in extended permit ip object-group DM_INLINE_NETWORK_4 any

access-list Inside_access_in extended permit ip any any

access-list Inside_access_in extended deny ip any any

access-list 2921_access_in extended permit ip any any log

access-list outside_1_cryptomap extended permit ip 10.20.60.0 255.255.254.0 172.20.16.0 255.255.255.0

access-list DOF extended permit ip any 172.20.2.0 255.255.255.0

access-list vidolas extended permit ip host 10.20.60.251 host 172.20.16.109

access-list vidolas extended permit ip host 172.20.16.109 host 10.20.60.251

access-list STX-STT extended permit ip object STXET object STTNET

access-list STX-STT extended permit ip object STTNET object STXET

access-list block extended deny ip host 23.15.5.113 any

access-list voice-to-lan extended permit ip 10.20.60.0 255.255.254.0 192.168.2.0 255.255.255.0

pager lines 24

logging enable

logging timestamp

logging trap notifications

logging asdm informational

logging host Inside 10.20.60.35

logging host Inside 172.20.16.87

logging permit-hostdown

mtu Vipowernet 1500

mtu Inside 1500

mtu Voice 1500

mtu 2921 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any Vipowernet

icmp permit any Inside

icmp permit any Voice

asdm image disk0:/asdm-631.bin

no asdm history enable

arp timeout 14400

nat (Inside,any) source static any any destination static DM_INLINE_NETWORK_6 DM_INLINE_NETWORK_6

!

object network obj_any

nat (management,Vipowernet) dynamic interface

object network Polycom

nat (Inside,Vipowernet) static 66.xx.xx.xx.108

object network prtg1

nat (Inside,Vipowernet) static 66.xx.xx.xx.109

object network Object_Clock_6401

nat (Inside,Vipowernet) static interface service tcp 5402 6401

object network Object_Clock_6402

nat (Inside,Vipowernet) static interface service tcp 5402 6402

object network Object_Clock_6403

nat (Inside,Vipowernet) static interface service tcp 5402 6403

!

nat (Inside,Vipowernet) after-auto source dynamic any interface

access-group Vipowernet_access_in in interface Vipowernet

access-group Inside_access_in in interface Inside

access-group 2921_access_in in interface 2921

route Vipowernet 0.0.0.0 0.0.0.0 66.xx.xx.xx.105 1

route 2921 10.20.30.0 255.255.254.0 10.10.10.1 1

route Inside 172.20.2.0 255.255.255.0 172.20.16.11 1

route 2921 192.168.2.0 255.255.255.0 10.10.10.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication telnet console LOCAL

aaa authorization command LOCAL

aaa authorization exec authentication-server

http server enable

http 192.168.1.0 255.255.255.0 management

http 10.20.60.0 255.255.254.0 Inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map Vipowernet_map0 1 match address Vipowernet_cryptomap

crypto map Vipowernet_map0 1 set peer 66.xx.xx.xxx.170

crypto  map Vipowernet_map0 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5  ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5  ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map Vipowernet_map0 interface Vipowernet

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set peer 66.xx.xx.xx.170

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto ca trustpoint ASDM_TrustPoint0

enrollment url http://stxdc3:80/certsrv

crl configure

crypto ca trustpoint ASDM_TrustPoint1

enrollment url http://stxdc3:80/CertSrv

crl configure

crypto ca trustpoint ASDM_TrustPoint2

enrollment url http://stxdc3:80/CertEnroll

crl configure

crypto ca trustpoint ASDM_TrustPoint3

enrollment url http://stxdc3:80/certsrv

crl configure

crypto ca trustpoint ASDM_TrustPoint4

enrollment terminal

crl configure

crypto isakmp enable Vipowernet

crypto isakmp enable Voice

crypto isakmp policy 5

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 15

authentication pre-share

encryption des

hash md5

group 2

lifetime 28800

telnet 172.20.16.0 255.255.255.0 Vipowernet

telnet 10.20.61.1 255.255.255.255 Inside

telnet 10.20.60.0 255.255.254.0 Inside

telnet 0.0.0.0 0.0.0.0 Inside

telnet 172.20.16.0 255.255.255.0 Inside

telnet timeout 30

ssh timeout 5

console timeout 0

management-access Inside

dhcpd auto_config management

!

dhcprelay timeout 60

threat-detection basic-threat

threat-detection statistics host number-of-rate 2

threat-detection statistics port number-of-rate 2

threat-detection statistics protocol number-of-rate 2

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 10.20.60.21 source Inside prefer

ntp server 172.20.16.3 source Inside

webvpn

username Admin password 44WTHkc9M2sg5m4p encrypted privilege 15

username Ruser1 password IrO5kN5XfPlLpQcH encrypted

tunnel-group 66.xx.xx.xx.170 type ipsec-l2l

tunnel-group 66.xx.xx.xx.170 ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect pptp

!

service-policy global_policy global

privilege cmd level 3 mode exec command perfmon

privilege cmd level 3 mode exec command ping

privilege cmd level 3 mode exec command who

privilege cmd level 3 mode exec command logging

privilege cmd level 3 mode exec command failover

privilege cmd level 3 mode exec command packet-tracer

privilege show level 5 mode exec command import

privilege show level 5 mode exec command running-config

privilege show level 3 mode exec command reload

privilege show level 3 mode exec command mode

privilege show level 3 mode exec command firewall

privilege show level 3 mode exec command asp

privilege show level 3 mode exec command cpu

privilege show level 3 mode exec command interface

privilege show level 3 mode exec command clock

privilege show level 3 mode exec command dns-hosts

privilege show level 3 mode exec command access-list

privilege show level 3 mode exec command logging

privilege show level 3 mode exec command vlan

privilege show level 3 mode exec command ip

privilege show level 3 mode exec command ipv6

privilege show level 3 mode exec command failover

privilege show level 3 mode exec command asdm

privilege show level 3 mode exec command arp

privilege show level 3 mode exec command route

privilege show level 3 mode exec command ospf

privilege show level 3 mode exec command aaa-server

privilege show level 3 mode exec command aaa

privilege show level 3 mode exec command eigrp

privilege show level 3 mode exec command crypto

privilege show level 3 mode exec command vpn-sessiondb

privilege show level 3 mode exec command ssh

privilege show level 3 mode exec command dhcpd

privilege show level 3 mode exec command vpn

privilege show level 3 mode exec command blocks

privilege show level 3 mode exec command wccp

privilege show level 3 mode exec command dynamic-filter

privilege show level 3 mode exec command webvpn

privilege show level 3 mode exec command module

privilege show level 3 mode exec command uauth

privilege show level 3 mode exec command compression

privilege show level 3 mode configure command interface

privilege show level 3 mode configure command clock

privilege show level 3 mode configure command access-list

privilege show level 3 mode configure command logging

privilege show level 3 mode configure command ip

privilege show level 3 mode configure command failover

privilege show level 5 mode configure command asdm

privilege show level 3 mode configure command arp

privilege show level 3 mode configure command route

privilege show level 3 mode configure command aaa-server

privilege show level 3 mode configure command aaa

privilege show level 3 mode configure command crypto

privilege show level 3 mode configure command ssh

privilege show level 3 mode configure command dhcpd

privilege show level 5 mode configure command privilege

privilege clear level 3 mode exec command dns-hosts

privilege clear level 3 mode exec command logging

privilege clear level 3 mode exec command arp

privilege clear level 3 mode exec command aaa-server

privilege clear level 3 mode exec command crypto

privilege clear level 3 mode exec command dynamic-filter

privilege cmd level 3 mode configure command failover

privilege clear level 3 mode configure command logging

privilege clear level 3 mode configure command arp

privilege clear level 3 mode configure command crypto

privilege clear level 3 mode configure command aaa-server

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email [email protected]

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

hpm topN enable

Cryptochecksum:b414a7744b28428be148e7c9b3083d67


THIS IS THE 2921


Labrstxrt1#show run

Building configuration...


Current configuration : 4023 bytes

!

! Last configuration change at 16:55:18 Caracas Fri Nov 29 2013 by ruser1

version 15.2

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Labrstxrt1

!

boot-start-marker

boot-end-marker

!

!

logging buffered 51200 warnings

enable secret 4 weG1bff8xq6vwYSaAhFlBe/uto9gzwL2MYg8LekeXp6

!

no aaa new-model

clock timezone Caracas -4 0

!

ip cef

!

!

!

!

!

!

ip domain name stt.vidol.gov

no ipv6 cef

!

multilink bundle-name authenticated

!

!

!

crypto pki trustpoint TP-self-signed-2781641347

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-2781641347

revocation-check none

rsakeypair TP-self-signed-2781641347

!

!

crypto pki certificate chain TP-self-signed-2781641347

certificate self-signed 01


       quit

license udi pid CISCO2921/K9 sn FTX1724AM2U

license boot module c2900 technology-package securityk9

!

!

object-group network Clock_6401

host 10.20.61.81

!

object-group network Clock_6402

host 10.20.61.82

!

object-group network Clock_6403

host 10.20.61.83

!

username ruser1 privilege 15 secret 4 AOt2ZJMSG0QC5a/jxOxI9WhUy2Z8zyuyGyQheOp0w2E

username Admin view root secret 4 56jyXs.RSLFQFX5Ebzwqm0eXTwHAtDmINcDLgnOqA16

!

redundancy

!

!

!

!

!

!

!

!

!

!

!

!

!

!

interface Embedded-Service-Engine0/0

no ip address

shutdown

!

interface GigabitEthernet0/0

description Internet$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$

no ip address

shutdown

duplex auto

speed auto

!

interface GigabitEthernet0/1

no ip address

duplex auto

speed auto

media-type rj45

!

interface GigabitEthernet0/1.10

description Data$ETH-LAN$

encapsulation dot1Q 10

ip address 10.20.60.1 255.255.254.0

ip helper-address 10.20.60.21

!

interface GigabitEthernet0/1.20

description VoiceVlan$ETH-LAN$

encapsulation dot1Q 20

ip address 192.168.2.1 255.255.255.0

ip helper-address 10.20.60.21

!

interface GigabitEthernet0/2

description Directly Connected to ASA$ETH-LAN$

ip address 10.10.10.1 255.255.254.0

duplex auto

speed auto

!

ip forward-protocol nd

!

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip route 172.20.16.0 255.255.255.0 10.10.10.2 permanent

ip route 192.168.4.0 255.255.255.0 10.10.10.2 permanent

!

!

!

!

control-plane

!

!

!

line con 0

login local

line aux 0

line 2

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

line vty 0 4

access-class 23 in

privilege level 15

login local

transport input telnet ssh

line vty 5 15

privilege level 15

login local

transport input telnet ssh

!

scheduler allocate 20000 1000

!

Thanks

Jon Marshall Tue, 12/03/2013 - 12:18

Roger


Note that the ASA uses 8.3 code and that uses a completely different NAT than previous versions - are you comfortable with that NAT? Because I haven't used it before, but I should be able to sort it out. Basically I think the easiest thing would be to simply reconnect the 2921 to the inside interface of the ASA, but we would need to readdress the inside interface.


Anyway, lets do the router first. If you could answer the following -


1) you only have these routes on the router -


ip route 172.20.16.0 255.255.255.0 10.10.10.2 permanent

ip route 192.168.4.0 255.255.255.0 10.10.10.2 permanent


From your diagram I expected to see a default route so I'm not sure how 192.168.2.x clients get to the internet ?


2) Can you confirm that the only internal networks that need routing are -


10.20.60.0/24


192.168.2.0/24


If 2) is correct then the only change we need to make on the router is to remove those 2 routes and simply add a default ie.


ip route 0.0.0.0 0.0.0.0 10.10.10.1   <-- which will be the new inside interface of the ASA


but I need both 1) and 2) answering first.


Also important to note you will need an outage to do this work and you have to do it all together so we also need to sort out the ASA.


Jon

Roger Richards Tue, 12/03/2013 - 12:33

OK...



1) Those addresses are on the other side of the VPN. Couldn't get to them from the 2921.



2) And yes... only two internal networks that need routing, maybe more in the future..

Jon Marshall Tue, 12/03/2013 - 12:40

Right, well that's the router sorted then. Once we have done all this the 192.168.2.x network will be able to get to the internet.


So it's just a question of sorting out the ASA.  Basically we need to have the inside interface readdressed to 10.10.10.2 and the 2921 interface on the ASA shutdown with no ip address.  I think it's a good idea to use the inside interface because the NAT statements refer to that interface.


So you would need to reconnect the 2921 to the inside interface of the ASA and readdress.


But like I say I'm not familiar with the ASA NAT config so I need to have a look at it with the docs just to work out if there are any gotchas. How comfortable are you with the ASA config in terms of NAT ?


It's not that complicated it's just i can't give you an immediate answer unless you know it well.


Jon

Roger Richards Tue, 12/03/2013 - 12:51

I am somewhat familiar with it. 


Question: if you remove the 2921 interface and reconnect to the inside interface on the ASA, what would happen to my VLAN 10 which is on my 10.20.60.0 network?

Jon Marshall Tue, 12/03/2013 - 13:01

VLAN 10 is going to be routed off the 2921 so the ASA does not need a connection to that network. So to get to the internet or VPN a 10.20.60.x client would send its traffic to the 2921 as this is now its default gateway (or it will be, can't remember whether we changed that or not). The 2921 has a default route pointing to the ASA so it will send the packets on to the ASA.


So if the clients are still using 10.20.60.2 as their default gateway that would need changing to 10.20.60.1 ie. the 2921.


Okay, so you know what needs doing. Bear in mind that you should probably reload the 2921 and ASA to clear all caches and you may need to reboot the clients or clear their arp caches if they are still using 10.20.60.2 as the default gateway.


Do you want me to look at the ASA configs or are you comfortable with that?


On a more general note are you comfortable with all I've outlined because it is quite a big change ?


Jon
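As an added illustration (not code from the thread or from either device), the following Python models the topology in the posted configs as small route tables and traces the forward and return paths of a PC-to-call-server conversation. It shows why a PC whose gateway is the ASA (10.20.60.2) reaches 192.168.2.x through the ASA while the reply comes straight back from the 2921, so a stateful firewall sees only half the TCP handshake, and why the redesign in this post (gateway 10.20.60.1, ASA inside readdressed to 10.10.10.2, the two internal routes on the ASA and a default route on the 2921) makes both paths symmetric. Host addresses 10.20.60.50 and 192.168.2.10, the public-side addresses 203.0.113.x and 198.51.100.7, and all node and function names are constructed placeholders.

```python
import ipaddress
from typing import Dict, List, Optional, Sequence, Tuple


class Node:
    """A host or router: its interface addresses plus static routes.
    Connected networks are added automatically as routes with no next hop,
    as a real router does."""

    def __init__(self, name: str, interfaces: Sequence[str],
                 routes: Sequence[Tuple[str, str]] = ()):
        self.name = name
        self.ifaces = [ipaddress.ip_interface(i) for i in interfaces]
        self.routes: List[Tuple[ipaddress.IPv4Network, Optional[ipaddress.IPv4Address]]] = [
            (ipaddress.ip_network(p), ipaddress.ip_address(nh)) for p, nh in routes]
        self.routes += [(i.network, None) for i in self.ifaces]

    def owns(self, ip: ipaddress.IPv4Address) -> bool:
        return any(i.ip == ip for i in self.ifaces)

    def next_hop(self, dst: ipaddress.IPv4Address) -> Optional[ipaddress.IPv4Address]:
        """Longest-prefix match: the next-hop address, dst itself when the
        destination is on a connected network, or None with no matching route."""
        best = None
        for net, nh in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        if best is None:
            return None
        return dst if best[1] is None else best[1]


def trace(nodes: Dict[str, Node], src: str, dst: str, max_hops: int = 8) -> List[str]:
    """Hop-by-hop forwarding from node `src` towards address `dst`."""
    dst_ip = ipaddress.ip_address(dst)
    by_ip = {i.ip: n for n in nodes.values() for i in n.ifaces}
    cur, path = nodes[src], [src]
    for _ in range(max_hops):
        if cur.owns(dst_ip):
            return path
        nh = cur.next_hop(dst_ip)
        if nh is None or nh not in by_ip:
            return path + [f"no route / unreachable next hop {nh}"]
        cur = by_ip[nh]
        path.append(cur.name)
    return path + ["loop"]


def asymmetric_transit(nodes: Dict[str, Node], a: str, a_ip: str, b: str, b_ip: str) -> List[str]:
    """Transit nodes that carry only one direction of the a<->b conversation.
    A stateful firewall in this list sees the client's SYN but never the
    server's SYN-ACK, so it drops the client's ACK and everything after it:
    ping works (no handshake) while a login session just hangs."""
    fwd = trace(nodes, a, b_ip)[1:-1]
    rev = trace(nodes, b, a_ip)[1:-1]
    return sorted(set(fwd) ^ set(rev))


def before() -> Dict[str, Node]:
    """Topology as posted: the ASA inside address 10.20.60.2 is the PCs' gateway
    and the ASA reaches 192.168.2.0/24 via its '2921' interface."""
    return {n.name: n for n in [
        Node("pc", ["10.20.60.50/23"], [("0.0.0.0/0", "10.20.60.2")]),
        Node("asa", ["10.20.60.2/23", "10.10.10.2/23", "203.0.113.2/29"],
             [("0.0.0.0/0", "203.0.113.1"),
              ("10.20.30.0/23", "10.10.10.1"), ("192.168.2.0/24", "10.10.10.1")]),
        Node("r2921", ["10.20.60.1/23", "192.168.2.1/24", "10.10.10.1/23"],
             [("172.20.16.0/24", "10.10.10.2"), ("192.168.4.0/24", "10.10.10.2")]),
        Node("callserver", ["192.168.2.10/24"], [("0.0.0.0/0", "192.168.2.1")]),
        Node("internet", ["203.0.113.1/29", "198.51.100.7/24"]),  # constructed
    ]}


def after() -> Dict[str, Node]:
    """The redesign: every VLAN routed on the 2921, ASA inside readdressed to
    10.10.10.2 with routes for both internal subnets, 2921 holding only a default."""
    return {n.name: n for n in [
        Node("pc", ["10.20.60.50/23"], [("0.0.0.0/0", "10.20.60.1")]),
        Node("asa", ["10.10.10.2/23", "203.0.113.2/29"],
             [("0.0.0.0/0", "203.0.113.1"),
              ("10.20.60.0/23", "10.10.10.1"), ("192.168.2.0/24", "10.10.10.1")]),
        Node("r2921", ["10.20.60.1/23", "192.168.2.1/24", "10.10.10.1/23"],
             [("0.0.0.0/0", "10.10.10.2")]),
        Node("callserver", ["192.168.2.10/24"], [("0.0.0.0/0", "192.168.2.1")]),
        Node("internet", ["203.0.113.1/29", "198.51.100.7/24"]),  # constructed
    ]}


if __name__ == "__main__":
    for label, topo in (("before", before()), ("after", after())):
        print(label, "pc -> callserver:", trace(topo, "pc", "192.168.2.10"))
        print(label, "callserver -> pc:", trace(topo, "callserver", "10.20.60.50"))
        print(label, "one-way transit:",
              asymmetric_transit(topo, "pc", "10.20.60.50", "callserver", "192.168.2.10"))
        print(label, "pc -> internet:", trace(topo, "pc", "198.51.100.7"))
```

In the "before" topology the ASA appears in the forward path only; in the "after" topology it is traversed only for internet-bound traffic, in both directions.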

Roger Richards Tue, 12/03/2013 - 16:01

I am totally comfortable with the changes and I don't mind if you look at the configs...

Jon Marshall Tue, 12/03/2013 - 16:10

Roger


Good to hear. I was only worried about the ASA because I know the old NAT very well but then Cisco had to go and change it and I've not got to use the new NAT yet.


But it should all be fine and it would then be much easier I think to add new subnets etc. in future.


Let me know how it goes and if you want/need a second pair of eyes on the config just post them here and I'll be happy to have a look.


Jon

Jon Marshall Tue, 12/03/2013 - 13:11

Roger


Sorry, I forgot to mention we will need to add these routes to the ASA -


route inside 10.20.60.0 255.255.254.0 10.10.10.1

route inside 192.168.2.0 255.255.255.0 10.10.10.1


Jon

Jon Marshall Tue, 12/03/2013 - 13:42

And obviously remove these routes -


route 2921 10.20.30.0 255.255.254.0 10.10.10.1 1

route Inside 172.20.2.0 255.255.255.0 172.20.16.11 1

route 2921 192.168.2.0 255.255.255.0 10.10.10.1 1


Jon

Roger Richards Mon, 12/09/2013 - 11:37

Hey there, back again. Can I change my local network subnet instead of changing the interface? Just wondering if it would be easier instead of messing with the natting and stuff.


example; instead of using 10.20.60.0 on my local net, I'll use 10.20.40.0 on VLAN 10...


then add the necessary routing.


route inside 10.20.40.0/23 10.10.10.1

Jon Marshall Mon, 12/09/2013 - 13:01

Roger


Whatever is easiest basically. But the inside interface on the ASA is not 10.10.10.2 so -


route inside 10.20.40.0/23 10.10.10.1

not sure how that would work. I thought you were going to simply move the 2921 connection on the ASA to the inside interface and then readdress that to 10.10.10.2. The NAT refers to "inside" so it should just work.


I can't see any NAT statements that refer to the actual 10.20.60.2 address of the inside interface so changing it should not make a difference. And you simply shut down the 2921 interface on the ASA.


The only reason I said it needed checking was just in case I missed something because I'm not that familiar with 8.3 NAT on the ASA.


Jon

Roger Richards Wed, 12/11/2013 - 12:12

Jon, I made a mistake in that last post. Take a look at the changes. Also don't pay attention to the routes shown. They were not changed from the previous setup...


Jon Marshall Wed, 12/11/2013 - 12:18

Roger


My understanding was that you wanted to use the 2921 to route the internal VLANs? If so there are quite a few points to clarify -


1) The ASA only has 2 routes via its inside interface. This interface (inside) is now connected to the 2921, is that correct?


The routes it has are for 10.20.60.0 which is directly connected and 172.16.20.0 which I think you said was just a test route.


So how is it going to get to the 2921 subnets ?


You need to add routes for VLANs 10 and 20 pointing to 10.20.60.1. Also your diagram shows a guest network (VLAN 50) so you would need to add a route for that as well.


2) The 2921 only needs a default route pointing to the ASA. Why are all the routes pointing to 10.10.10.2 still there?


3) What do you mean when you say in the diagram "But there is no vlan 10 on the router"?


Edit - okay, you have just updated the post so the stuff about the routes does not apply. Can you answer point 3) though?


Jon

Roger Richards Wed, 12/11/2013 - 12:48

Jon,



Sorry for the confusion. So with this update I would need to add to the ASA


routes to 10.20.10.0, 192.168.2.0 and 10.20.50.0

and a default route in the 2921 to the ASA? Also my gateway would now be 10.20.60.1




Roger Richards Wed, 12/11/2013 - 13:19

Sorry for the headache Jon, but I think I will stick to your original idea which was to readdress the inside interface. It makes more sense....

Jon Marshall Wed, 12/11/2013 - 13:44

Roger


No problem.


You can do what you are suggesting in the diagram and it would work fine.


Yes, you add routes on the ASA for all the 2921 subnets via 10.20.60.1.


And you would only need a default route on the 2921 pointing to 10.20.60.2.


Jon

Roger Richards Thu, 12/12/2013 - 04:35

Ok.. I realize I have a lot of ACLs and some NATting to different objects, so changing the inside interface might be a better choice....


But I do understand what i need to do, by changing it though...

Roger Richards Fri, 12/20/2013 - 04:32

Hi,


I made an attempt to do the configuration. But I couldn't get to devices on my 10.20.60.0 subnet... or ping devices on that subnet from the ASA.


I stuck with your original plan to change the inside interface to 10.10.10.2..


But I didn't really know what else to change besides the interface and adding the routes.. What NAT would need to change? What ACL or other object needs to change?



Thanks again

Jon Marshall Fri, 12/20/2013 - 05:21

Roger


Can you post configs of the router + ASA. Could you add them as attachments otherwise this thread is going to get too big to open. Or start a new thread as a continuation of this one.


Can you be specific as to what you mean when you say you couldn't get to 10.20.60.x devices, ie. from where?


Were other subnets working ?


Jon

Roger Richards Fri, 12/20/2013 - 08:31

The other subnets were working... I could not ping any server on the 10.20.60.0 subnet from the ASA... but was able to get to the 192.168.2.0 subnet.


All my devices are on the 10.20.60.0 network... from PCs to servers. So remember the plan was to remove the 2921 interface and use 10.10.10.2 on the interface with 10.20.60.2...


In the ASA I added the routes via the inside interface (10.10.10.2)


route to 10.20.60.0/23 10.10.10.2

route to 192.168.2.0/24 10.10.10.2

Jon Marshall Fri, 12/20/2013 - 10:40

edited

Jon Marshall Fri, 12/20/2013 - 10:48

Roger


so remember the plan was to remove the 2921 interface and use 10.10.10.2 on the inter with 10.20.60.2...

But you haven't done this according to the configs you have just posted.


The idea is to use the inside interface to connect to the 2921 so that you do not need to change any NAT statements on the ASA. But you still have the 2921 interface connected to the router. So do this (note you will need downtime) -


1) shut down the 2921 interface on the ASA and remove the address from the config.


2) remove the cable from the inside interface of the ASA that I think still connects to a switch.


3) take the cable that is in the 2921 interface on the ASA and connect it to the inside interface of the ASA.


Now the 2921 router physical connection runs from gi0/2 on the router to the inside interface of the ASA.


4) remove the 10.20.60.2 address from the inside interface on the ASA and add the 10.10.10.2 address that was previously on the 2921 ASA interface.


5) these routes on the ASA need changing  -


a) remove these - 


no route 2921 10.20.30.0 255.255.254.0 10.10.10.1 1

no route 2921 192.168.2.0 255.255.255.0 10.10.10.1 1


b) add these


route inside 10.20.30.0 255.255.254.0 10.10.10.1 1

route inside 192.168.2.0 255.255.255.0 10.10.10.1 1


6) add this route to the 2921


ip route 0.0.0.0 0.0.0.0 10.10.10.2 


That should do it. As I say you will need downtime but once done all internal VLANs should route via the 2921 and the ASA should only be used for internet. The ASA NAT statements reference the inside interface so it should just work.


Jon

Roger Richards Fri, 12/20/2013 - 10:56

The config I sent you was the current one. I had to put it back in order for things to work, because it's a production network...



I did exactly what you have above..


Except I added a route in the asa to

10.20.60.0 /23 10.10.10.1 <-- ?


So I will do it again, and remove that route and all the other ones.

Jon Marshall Fri, 12/20/2013 - 11:01

Roger


Sorry, I just copied the routes from the ASA config. You will need that 10.20.60.0/23 route, ie.


route inside 10.20.60.0 255.255.254.0 10.10.10.1


I don't know where the 10.20.30.0/23 network is, ie. there is a route on the ASA but no sign of it on the 2921. If there is no such network then just remove it from the ASA config altogether.


One other point. When you do the change, after you have moved the cables around make sure you clear the ARP tables on both the 2921 and the ASA because the MAC to IP mappings will have changed.


Jon
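
The following is an added example, not code from the thread or from either poster. It turns the cutover steps in the two posts above (the numbered procedure and the route correction that followed it) into a small check that can be run before the commands are typed into a production ASA. It models each device's interfaces and static routes as plain data, renders the `no route` / `route` lines, and flags the three mistakes that came up in the discussion: a route whose next hop is the ASA's own address (the `10.20.60.0/23 via 10.10.10.2` line), a route still bound to the shut-down `2921` interface, and a next hop that is not on the subnet of the interface the route names. The /24 mask on the 10.10.10.0 link and the `GigabitEthernet0/1` name are assumptions; the thread never states the mask.

```python
"""Static-route sanity checks for the ASA / 2921 cutover discussed above.

Constructed example, not code from the forum posts. Addresses match the
thread; the /24 on the 10.10.10.0 transit link is an assumption.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    name: str     # ASA nameif ("inside") or IOS interface name
    address: str  # address/prefix-length of the interface itself


@dataclass(frozen=True)
class StaticRoute:
    interface: str  # the "<if>" in "route <if> <net> <mask> <next-hop>"
    network: str    # destination in CIDR form, "0.0.0.0/0" for the default
    next_hop: str


def check_routes(interfaces, routes):
    """Return [(route, reason)] for every static route that cannot work."""
    local_by_if = {i.name: ipaddress.ip_interface(i.address) for i in interfaces}
    problems = []
    for r in routes:
        if r.interface not in local_by_if:
            # e.g. a "route 2921 ..." line left behind after that nameif is shut down
            problems.append((r, f"interface {r.interface!r} is not configured"))
            continue
        local = local_by_if[r.interface]
        nh = ipaddress.ip_address(r.next_hop)
        dest = ipaddress.ip_network(r.network, strict=False)
        if nh == local.ip:
            # the mistake from the thread: next hop set to the ASA's own address
            problems.append((r, "next hop is this device's own interface address"))
        elif nh not in local.network:
            # the ASA can only ARP for a next hop on the connected subnet
            problems.append((r, f"next hop {nh} is not on {local.network}"))
        elif dest.subnet_of(local.network):
            problems.append((r, "destination is directly connected; route is redundant"))
    return problems


def asa_route_lines(routes, remove=False):
    """Render routes as ASA 'route' (or 'no route') lines with dotted masks."""
    lines = []
    for r in routes:
        net = ipaddress.ip_network(r.network, strict=False)
        lines.append(
            f"{'no ' if remove else ''}route {r.interface} "
            f"{net.network_address} {net.netmask} {r.next_hop}"
        )
    return lines


def cutover_lines(old_routes, new_routes):
    """Commands to drop the stale routes first, then add the new ones."""
    return asa_route_lines(old_routes, remove=True) + asa_route_lines(new_routes)


# --- constructed data using the addresses from the thread ---------------------
ASA_AFTER = [Interface("inside", "10.10.10.2/24")]            # "2921" nameif is gone
ROUTER = [Interface("GigabitEthernet0/1", "10.10.10.1/24")]   # interface name assumed

OLD_ASA_ROUTES = [  # bound to the interface that is about to be shut down
    StaticRoute("2921", "10.20.30.0/23", "10.10.10.1"),
    StaticRoute("2921", "192.168.2.0/24", "10.10.10.1"),
]
NEW_ASA_ROUTES = [
    StaticRoute("inside", "10.20.60.0/23", "10.10.10.1"),
    StaticRoute("inside", "192.168.2.0/24", "10.10.10.1"),
    StaticRoute("inside", "10.20.30.0/23", "10.10.10.1"),
]
# what was tried first in the thread: next hop pointed at the ASA itself
MISTAKEN_ROUTE = StaticRoute("inside", "10.20.60.0/23", "10.10.10.2")
ROUTER_DEFAULT = [StaticRoute("GigabitEthernet0/1", "0.0.0.0/0", "10.10.10.2")]

if __name__ == "__main__":
    candidates = OLD_ASA_ROUTES + NEW_ASA_ROUTES + [MISTAKEN_ROUTE]
    for route, why in check_routes(ASA_AFTER, candidates):
        print(f"BAD  {route.interface} {route.network} via {route.next_hop}: {why}")
    print("\n".join(cutover_lines(OLD_ASA_ROUTES, NEW_ASA_ROUTES)))
```

Run as a script it lists the three bad routes and then prints the two `no route 2921 ...` lines followed by the three `route inside ...` lines in the order they should be entered. The directly-connected check is deliberately a `subnet_of` test rather than an overlap test so that the 2921's `0.0.0.0/0` default via 10.10.10.2 passes cleanly.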

Roger Richards Thu, 01/09/2014 - 13:58

HAPPY NEW YEAR!!


I must be doing something wrong, because I still can't get it to work.

Jon Marshall Thu, 01/09/2014 - 14:14

Roger


Happy New Year as well.


Okay, what didn't work, and can you post the configs or are they back to where they were before the changes (I suspect they are)?


Jon

Jon Marshall Thu, 01/09/2014 - 14:16

Roger


Can you start a new thread for this as my browser keeps hanging every time I try to open or post a reply into this thread.


And I suspect we may well be sending a few more replies each to get this working.


Jon
