intervlan routing behind ASA

Bart Kersten
Level 1

Hi,

I'm setting up this lab and ran into an issue. My setup is as follows:

Internet ----> ASA ----> 3550 ---> vlans

The ASA is directly connected to the internet. The fa0/1 on the ASA is connected to the 3550 fa0/1. I configured that fa0/1 on the 3550 as a routed port. Configured the ASA as default gateway on the switch. I can ping the ASA from the switch and the switch from the ASA.

However, if I try to ping a host on the internet from the switch, it fails.

This isn't a NAT issue because hosts on the same subnet can ping hosts on the internet.

I've done this before with a normal router and it worked like a charm: setting up SVIs on the 3550 and a layer 3 uplink to the gateway.

Did I miss something? Any help is appreciated!

Thanks in advance.
Kind regards,

Bart



Sent from Cisco Technical Support iPhone App


1 Accepted Solution


15 Replies

Jon Marshall
Hall of Fame

Bart

Could you give us specifics in terms of addresses ie. when you say ping from the switch which IP is being used ? Is this IP from the same subnet as the hosts that can ping the internet ?

Jon

Reza Sharifi
Hall of Fame

Hi,

Can you post the configs from the switch and the ASA?

Is the 3550 the default gateway for your hosts?

I am assuming your hosts have private IPs. Is NAT configured on the ASA?

HTH

Bart Kersten
Level 1

Hi,

Thanks for the reply. The ASA IP is 10.128.242.1/25, the switch 10.128.242.15/25.

I can ping both addresses, from the switch and the ASA. Configured 10.128.242.1 as the default gateway on the switch:

ip route 0.0.0.0 0.0.0.0 10.128.242.1

I don't have access to the devices at the moment, but the switch has a very basic config:

interface FastEthernet0/1
 no switchport
 ip address 10.128.242.15 255.255.255.128

The ASA does PAT for the subnet. A client in the same subnet connected to the ASA can ping 8.8.8.8, but on the switch it fails.

Set up vlan 20:

interface Vlan20
 ip address 10.129.242.1 255.255.255.0

interface FastEthernet0/5
 switchport mode access
 switchport access vlan 20

Put a client on that port in vlan 20, IP address 10.129.242.10/24.

Configured a static route on the ASA to 10.129.242.0/24 via 10.128.242.1.

I can ping the ASA interface 10.128.242.1 from the client in vlan 20 (10.129.242.0/24).

Ping to 8.8.8.8 fails.


Bart

Your addressing is a bit mixed up.

You say -

The ASA IP 10.128.242.1/25, switch 10.128.242.15/25

but you show the switch IP with a /28 subnet mask? Can you confirm the subnet masks for both the ASA and the switch.

Also

Configured a static route on the asa to the 10.129.242.0/24 via 10.128.242.1.

10.128.242.1 is the ASA. Did you mean to put "via 10.128.242.15", i.e. the switch?

Jon

Bart

I believe that your problem is indeed a problem with address translation. When you ping from the switch toward the Internet it will use its address on the routed port as the source address. And I am pretty sure that the ASA is not doing address translation for the 10.128.242.0 subnet.

One good way to test this would be to use extended ping on the switch. In the extended ping use 8.8.8.8 as the destination and specify the switch interface address in vlan 20 as the source.

HTH

Rick


Jon,

sorry, I made some typos; to clear things up:

The subnets are correct and the static route on the ASA to the 10.129.242.0 network is via 10.128.242.15. If I ping my client in vlan 20, 10.129.242.10, from the ASA it's successful. I can also ping the inside interface of the ASA, 10.128.242.1, from the client in vlan 20. So routing is functioning.

Richard,

The ASA is doing PAT for the 10.128.242.0/25 subnet and it's working for my client connected to the ASA. The setup is as follows:

The client in subnet 10.128.242.0 with IP 10.128.242.50 can ping the internet. This client is connected to port 3 on my ASA.

The switch with its routed port in subnet 10.128.242.0 with IP 10.128.242.15 can't ping the internet. The switch is connected to port 4 on the ASA.

Any ideas are welcome, but like I said I don't have access to the devices at the moment. I will post the configs when I do; that will probably make things a bit easier.

Thanks so far

Bart

Thanks for clarifying.

So just so I have it straight. The subnet masks are 255.255.255.128 on both the ASA and the switch?

A client in the 10.129.242.x connected to the L3 switch can connect to the internet ?

So what exactly isn't working ?

Jon

Bart Kersten
Level 1
Level 1

Yep, correct, the subnet mask in use is 255.255.255.128 on the switch and the ASA. Let's forget vlan 20 for now.

Basically what isn't working is:

The switch won't go out to the internet even though it can ping its gateway.

With this I mean it has a routed port connected to the ASA in the correct subnet with a correct IP address and the correct gateway, and still isn't able to connect to the internet, i.e. ping 8.8.8.8.




Bart

What model is the ASA ?

You say you have ports 3 and 4 in the same subnet, so presumably the same vlan?

Where is the inside interface in relation to these ports?

Jon

Bart Kersten
Level 1

It's an ASA 5505, basic setup.

Vlan 2 outside port 0

The rest of the ports are in vlan 1, including the port that is connected to the switch.




Okay, thanks. When you get them can you post configs of switch and ASA. Remove any sensitive info from the ASA config.

Jon

Hi,

Got the configs, see below:

Result of the command: "sh run"

: Saved
:
ASA Version 9.1(2)
!
hostname BK-HOME-ASA
domain-name bk.local
enable password 4IVQ83MLsfSK0fmr encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 description LAN
 nameif inside
 security-level 100
 ip address 10.128.242.1 255.255.255.128
!
interface Vlan2
 description INT-OUTSIDE
 nameif outside
 security-level 0
 ip address dhcp setroute
!
!
time-range SSL-Portal-Logon-hours
 periodic daily 7:00 to 23:30
!
boot system disk0:/asa912-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 213.51.129.37
 name-server 213.51.144.37
 name-server 8.8.8.8
 name-server 8.8.4.4
 name-server 4.2.2.2
 domain-name bk.local
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj-SSL-VPN-Pool
 subnet 172.16.1.0 255.255.255.0
 description Object for SSL VPN
object network NETWORK_OBJ_10.128.242.0_25
 subnet 10.128.242.0 255.255.255.128
object network NETWORK_OBJ_172.16.1.0_24
 subnet 172.16.1.0 255.255.255.0
object network BK-TS01
 host 10.128.242.54
 description Terminal-Server
object network TS-01
 host 10.128.242.54
 description BK-TS01
object service RDP
 service tcp destination eq 3389
 description 3389
object service Spotnet
 service tcp source range 45000 65000 destination eq nntp
 description ACL for Spotnet
object network RDP-RDS-01
 host 10.128.242.11
 description RDSH
object network HTTPS-BK-WSS2
 host 10.128.242.22
 description NAT, for https
object network HTTP-BK-DSS1
 host 10.128.242.21
 description HTTP to BK-DSS1
object network PPTP-DC-01
 host 10.128.242.10
 description Dial-up VPN
object network GRE-VPN-DC01
 host 10.128.242.10
 description GRE for VPN
object network BK-DSS1
 host 10.128.242.20
 description DNS
object network TEST-LGG
 subnet 192.168.10.0 255.255.255.0
object network LGG-Rot
 subnet 192.168.11.0 255.255.255.0
object network SMTP-EXC-01
 host 10.128.242.12
 description Exchange-mail
object network Webmail
 host 10.128.242.12
 description WEBMAIL
object network TEST
 host 10.128.242.50
object network VLAN20
 subnet 10.129.242.0 255.255.255.0
 description VLAN20-Client VLAN
object-group service Inside-to-Outside
 description Traffic from inside to outside
 service-object object RDP
 service-object tcp-udp destination eq domain
 service-object tcp destination eq ftp
 service-object tcp destination eq ftp-data
 service-object tcp destination eq https
 service-object tcp destination eq imap4
 service-object tcp destination eq smtp
 service-object tcp destination eq ssh
 service-object tcp destination eq telnet
 service-object udp destination eq domain
 service-object udp destination eq ntp
 service-object tcp destination eq www
object-group service Outside-to-Inside
 description Traffic from outside to inside
 service-object tcp destination eq www
 service-object tcp destination eq https
 service-object udp destination eq domain
object-group service Spotnet-UDP udp
 description Spotnet
 port-object eq 119
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object echo
 icmp-object echo-reply
access-list Baas_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.192
access-list BK-Home-Ipsec_splitTunnelAcl standard permit 10.128.242.0 255.255.255.128
access-list botnet-exclude extended deny ip any 10.128.242.0 255.255.255.128
access-list botnet-exclude extended permit ip any any
access-list Suzaba-IPsec_splitTunnelAcl standard permit 10.128.242.0 255.255.255.128
access-list Suzaba-IPsec_splitTunnelAcl_1 standard permit 10.128.242.0 255.255.255.128
access-list inside_access_in extended permit ip 10.128.242.0 255.255.255.128 any
access-list inside_access_in remark Permitted traffic from inside to outside.
access-list inside_access_in extended permit object-group Inside-to-Outside 10.128.242.0 255.255.255.128 any
access-list inside_access_in extended permit object Spotnet 10.128.242.0 255.255.255.128 any
access-list inside_access_in extended permit tcp 10.128.242.0 255.255.255.128 any eq pop3
access-list inside_access_in extended permit tcp 10.128.242.0 255.255.255.128 any eq imap4
access-list inside_access_in extended deny ip any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit object RDP any object RDP-RDS-01 inactive
access-list outside_access_in extended permit tcp any object Webmail object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any object PPTP-DC-01 eq pptp inactive
access-list outside_access_in extended permit gre any object GRE-VPN-DC01
access-list outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list outside_access_in extended permit tcp any object SMTP-EXC-01 eq smtp
access-list outside_access_in extended deny ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_10.128.242.0_25 NETWORK_OBJ_10.128.242.0_25 destination static NETWORK_OBJ_172.16.1.0_24 NETWORK_OBJ_172.16.1.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.128.242.0_25 NETWORK_OBJ_10.128.242.0_25 destination static TEST-LGG TEST-LGG no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.128.242.0_25 NETWORK_OBJ_10.128.242.0_25 destination static LGG-Rot LGG-Rot no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface
object network RDP-RDS-01
 nat (inside,outside) static interface service tcp 3389 3389
object network PPTP-DC-01
 nat (inside,outside) static interface service tcp pptp pptp
object network GRE-VPN-DC01
 nat (inside,outside) static interface service tcp 47 47
object network BK-DSS1
 nat (inside,outside) static interface service udp domain domain
object network SMTP-EXC-01
 nat (inside,outside) static interface service tcp smtp smtp
object network Webmail
 nat (inside,outside) static interface service tcp https https
object network TEST
 nat (any,outside) static interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable 444
http 192.168.2.0 255.255.255.0 inside
http 10.128.242.0 255.255.255.0 inside
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 192.168.2.0 255.255.255.0
threat-detection scanning-threat shun duration 3600
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 193.67.79.202 source outside prefer
!
class-map inspection_default
 match default-inspection-traffic
class-map botnet-DNS
 match port udp eq domain
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 1500
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect pptp
  inspect dns preset_dns_map
 class class-default
  user-statistics accounting
policy-map botnet-policy
 class botnet-DNS
  inspect dns dynamic-filter-snoop
!
service-policy global_policy global
service-policy botnet-policy interface outside
prompt hostname context
Cryptochecksum:14165e9d634be236de46041efa87e40d
: end

Switch:

BK-Dist-SW1#sh run
Building configuration...

Current configuration : 2254 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname BK-Dist-SW1
!
!
no aaa new-model
ip subnet-zero
ip routing
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
interface FastEthernet0/1
 no switchport
 ip address 10.128.242.5 255.255.255.128
!
interface FastEthernet0/2
 switchport mode dynamic desirable
!
interface FastEthernet0/3
 switchport mode dynamic desirable
!
interface FastEthernet0/4
 switchport mode dynamic desirable
!
interface FastEthernet0/5
 switchport mode dynamic desirable
!
interface FastEthernet0/6
 switchport mode dynamic desirable
!
interface FastEthernet0/7
 switchport mode dynamic desirable
!
interface FastEthernet0/8
 switchport mode dynamic desirable
!
interface FastEthernet0/9
 switchport mode dynamic desirable
!
interface FastEthernet0/10
 switchport mode dynamic desirable
!
interface FastEthernet0/11
 switchport mode dynamic desirable
!
interface FastEthernet0/12
 switchport mode dynamic desirable
!
interface FastEthernet0/13
 switchport mode dynamic desirable
!
interface FastEthernet0/14
 switchport mode dynamic desirable
!
interface FastEthernet0/15
 switchport mode dynamic desirable
!
interface FastEthernet0/16
 switchport mode dynamic desirable
!
interface FastEthernet0/17
 switchport mode dynamic desirable
!
interface FastEthernet0/18
 switchport mode dynamic desirable
!
interface FastEthernet0/19
 switchport mode dynamic desirable
!
interface FastEthernet0/20
 switchport mode dynamic desirable
!
interface FastEthernet0/21
 switchport mode dynamic desirable
!
interface FastEthernet0/22
 switchport mode dynamic desirable
!
interface FastEthernet0/23
 switchport mode dynamic desirable
!
interface FastEthernet0/24
 switchport mode dynamic desirable
!
interface GigabitEthernet0/1
 switchport mode dynamic desirable
!
interface GigabitEthernet0/2
 switchport mode dynamic desirable
!
interface Vlan1
 no ip address
!
interface Vlan10
 no ip address
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.128.242.1
ip http server
ip http secure-server
!
!
!
control-plane
!
!
line con 0
line vty 0 4
 no login
line vty 5 15
 no login
!
!
end

Bart

Okay, this is 9.1 code on the ASA and I have no experience with the new NAT code from 8.3 onwards, so if you wait on me it may take a while. One thing I would do is try connecting from the switch and then look at the xlate table on the ASA. The command used to be

sh xlate 10.128.242.5

but it may have changed in 9.1.

I will have a look at the new NAT but it's not going to be that quick.

Hopefully someone else might step in or alternatively you could move this post or start a new one linking back to this in the firewall forums where there will be people who are familiar with the new NAT.

Jon
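Added example, not code from the thread or from Cisco: a small Python script that reads the two configs Bart posted and pulls out what a security reviewer would check before chasing the routing, plus a parser for the `show xlate` check Jon suggests. Three things are visible in the posted configs. The first entry of `outside_access_in` is `permit ip any any`, so every port-forward rule and the final `deny ip any any` under it can never match and the outside interface is open to all inbound traffic. `object network TEST` maps the whole host 10.128.242.50 (the client that can reach the internet) statically to the same outside interface address that `obj_any` uses for dynamic PAT; since static object NAT is evaluated before dynamic object NAT, that host owns the shared address and is the first thing to look at with `show xlate` and `packet-tracer` when other PAT users behind it fail. The thread never established the cause (a factory reset fixed it), so treat that as a lead to verify, not a diagnosis. On the switch, all vty lines have `no login`, `service password-encryption` is off, `ip http server` is on and the access ports run `switchport mode dynamic desirable`, which lets a connected device negotiate a trunk over DTP. The config excerpts are quoted from the thread; the `show xlate` sample is constructed in the shape of ASA 9.x output with the documentation address 203.0.113.10 standing in for the real outside IP, and the function names are mine.

```python
import re

# Added example, not from the thread: excerpts of the posted configs, reduced to the lines the checks read.
ASA_CONFIG = """\
access-list inside_access_in extended permit ip 10.128.242.0 255.255.255.128 any
access-list inside_access_in extended deny ip any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any object Webmail object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list outside_access_in extended deny ip any any
object network obj_any
 nat (inside,outside) dynamic interface
object network RDP-RDS-01
 nat (inside,outside) static interface service tcp 3389 3389
object network TEST
 nat (any,outside) static interface
"""
IOS_CONFIG = """\
no service password-encryption
interface FastEthernet0/2
 switchport mode dynamic desirable
interface FastEthernet0/3
 switchport mode dynamic desirable
ip http server
line vty 0 4
 no login
line vty 5 15
 no login
"""
# Constructed 'show xlate' sample in the shape of ASA 9.x output; 203.0.113.10
# is a documentation address standing in for the poster's real outside IP.
SHOW_XLATE = """\
NAT from any:10.128.242.50 to outside:203.0.113.10 flags s idle 0:00:12 timeout 0:00:00
TCP PAT from inside:10.128.242.11/3389 to outside:203.0.113.10/3389 flags sr idle 0:00:12 timeout 0:00:00
ICMP PAT from inside:10.128.242.5/1 to outside:203.0.113.10/1 flags ri idle 0:00:03 timeout 0:00:30
"""

ACE = re.compile(r"access-list (\S+) extended (?:permit|deny) (.+)")
NAT = re.compile(r"\s*nat \((\S+),(\S+)\) (static|dynamic) interface(.*)")
XLATE = re.compile(r"^(?:(?P<proto>\w+) )?(?:NAT|PAT) from (?P<rif>[^:\s]+):(?P<rip>[\d.]+)(?:/\d+)? "
                   r"to (?P<mif>[^:\s]+):(?P<mip>[\d.]+)(?:/(?P<mport>\d+))? flags (?P<flags>\S+)")


def shadowed_aces(cfg):
    """ACEs that follow a 'permit/deny ip any any' in the same ACL. The ASA stops at
    the first match, so they never fire: here the outside interface is wide open."""
    shadowed, catch_all = {}, set()
    for line in cfg.splitlines():
        m = ACE.match(line)
        if m and m[1] in catch_all:
            shadowed.setdefault(m[1], []).append(line)
        elif m and m[2].strip() == "ip any any":
            catch_all.add(m[1])
    return shadowed


def full_host_static_on_pat_interface(cfg):
    """Objects whose whole real host is statically mapped to an interface address that
    dynamic PAT also uses. Static object NAT is evaluated before dynamic object NAT,
    so that host owns the shared address: first suspect when other PAT users fail."""
    obj, full_static, pat_ifs = None, [], set()
    for line in cfg.splitlines():
        if line.startswith("object network "):
            obj = line.split()[2]
        elif obj and (m := NAT.match(line)):
            _, mapped_if, kind, tail = m.groups()
            if kind == "dynamic":
                pat_ifs.add(mapped_if)
            elif "service" not in tail:      # no port clause: the whole host is mapped
                full_static.append((obj, mapped_if))
    return [o for o, mif in full_static if mif in pat_ifs]


def ios_findings(cfg):
    """Switch weaknesses: clear-text passwords, HTTP management, vty lines without
    authentication, and DTP-negotiating access ports (trunk spoofing / VLAN hopping)."""
    lines, findings, ctx, dtp = cfg.splitlines(), [], "", []
    if "no service password-encryption" in lines:
        findings.append("line passwords stored in clear text")
    if "ip http server" in lines:
        findings.append("plain-HTTP management enabled")
    for line in lines:
        if not line.startswith(" "):
            ctx = line                       # current interface / line block
        elif line.strip() == "no login" and ctx.startswith("line vty"):
            findings.append(f"{ctx}: remote login with no authentication")
        elif line.strip() == "switchport mode dynamic desirable":
            dtp.append(ctx.split()[-1])
    if dtp:
        findings.append("DTP auto-trunking on " + ", ".join(dtp))
    return findings


def xlates_for(output, real_ip):
    """Translations for one inside host, parsed from 'show xlate' text (Jon's check)."""
    return [m.groupdict() for m in map(XLATE.match, output.splitlines())
            if m and m["rip"] == real_ip]
```

Run against the excerpts, `shadowed_aces` reports the three dead entries of `outside_access_in`, `full_host_static_on_pat_interface` returns `TEST`, and `ios_findings` lists the two vty lines, the clear-text passwords, the HTTP server and the DTP ports. `xlates_for(SHOW_XLATE, "10.128.242.5")` is the programmatic form of Jon's `sh xlate` check: an empty result means the switch's traffic never got a translation at all, a hit shows which public address and flags it received.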

Hi Jon,

I got it working now. Since it's just my home lab I did a factory default on the ASA, works like a charm now:

Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (1000/1000), round-trip min/avg/max = 8/14/32 ms
BK-Dist-SW1#

Weird issue, glad it's working now.

Thanks for helping, I'll rate your post helpful.
