Routing issue between ASA and 3750

smorrissey88
Level 1

I have what is surely a simple question about my home-lab setup (I'm fairly new to networking so pardon my ignorance).

My ASA 5520 (which is the final hop before the internet) has an EtherChannel set up that connects to my core (3750 stack with ip routing). On the ASA there is a network, 10.7.2.0/24, which I named "CORE_BRIDGE", with the ASA having a subinterface of 10.7.2.1 and the 3750 having an SVI of 10.7.2.2. The default route for the 3750 is 0.0.0.0 0.0.0.0 10.7.2.1 -- aka it sends everything it can't route out to the CORE_BRIDGE, which the ASA then sends to the outside.

The issue I'm running into is that I want to create another network subinterface on the ASA, 10.7.7.0/24. I created the subinterface 10.7.7.1, VLAN 7, and spun up a VM on that same network: 10.7.7.2. The VM can ping 10.7.7.1 just fine; however, it can't ping anything on any of the networks that exist on the 3750.

My understanding was that, due to the static routes I have set, the 10.7.7.0/24 network would know that 10.7.5.0/24 is reached by going to 10.7.2.2 (the SVI on the 3750 for my CORE_BRIDGE). However, this isn't happening: I'm unable to ping anything on 10.7.5.0/24, or any of the other networks that exist on the 3750.

Any assistance is GREATLY appreciated as this is something I've been struggling with for quite some time. Thanks!

: Saved
:
: Serial Number:
: Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
!
ASA Version 9.1(6)10
!
hostname asa
domain-name home.local
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet0/1
channel-group 3 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
channel-group 3 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
interface Port-channel3
nameif ASA_TRUNK
security-level 100
no ip address
!
interface Port-channel3.2
vlan 2
nameif CORE_BRIDGE
security-level 100
ip address 10.7.2.1 255.255.255.0
!
interface Port-channel3.7
vlan 7
nameif VOIP
security-level 100
ip address 10.7.7.1 255.255.255.0
!
boot system disk0:/asa916-10-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name home.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network network-3
subnet 10.7.3.0 255.255.255.0
description ACE Backside
object network network-4
subnet 10.7.4.0 255.255.255.0
description ACE Frontside (VIP)
object network network-5
subnet 10.7.5.0 255.255.255.0
description infra services
object network network-9
subnet 10.7.9.0 255.255.255.0
description wireless subnet
object network winplex
host 10.7.5.44
object network INSIDE_SUBENET
subnet 10.7.0.0 255.255.0.0
object network INSIDE-SUBNET
object network vc
host 10.7.5.15
object network railsdev-vip
host 10.7.4.254
object service https
service tcp source eq https
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
access-list CORE_BRIDGE_access_in extended permit ip any any
access-list CORE_BRIDGE_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any object winplex eq 32400
access-list outside_access_in extended permit tcp any object railsdev-vip object-group DM_INLINE_TCP_1
access-list outside_access_in remark RDP to vc
access-list outside_access_in extended permit tcp any object vc eq 3389
access-list outside_access_in extended permit icmp any any
access-list VOIP_access_in extended permit ip any any
access-list VOIP_access_in extended permit icmp any any
pager lines 24
logging enable
logging trap informational
logging asdm informational
logging facility 22
logging host CORE_BRIDGE 10.7.5.39 17/1514
mtu VOIP 1500
mtu ASA_TRUNK 1500
mtu outside 1500
mtu CORE_BRIDGE 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-752.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (CORE_BRIDGE,outside) source static railsdev-vip interface service https https
!
object network network-3
nat (CORE_BRIDGE,outside) dynamic interface
object network network-4
nat (CORE_BRIDGE,outside) dynamic interface
object network network-5
nat (CORE_BRIDGE,outside) dynamic interface
object network network-9
nat (CORE_BRIDGE,outside) dynamic interface
object network winplex
nat (any,outside) static interface service tcp 32400 32400
object network vc
nat (CORE_BRIDGE,outside) static interface service tcp 3389 3389
object network railsdev-vip
nat (CORE_BRIDGE,outside) static interface service tcp www www
access-group VOIP_access_in in interface VOIP
access-group outside_access_in in interface outside
access-group CORE_BRIDGE_access_in in interface CORE_BRIDGE
route CORE_BRIDGE 10.7.3.0 255.255.255.0 10.7.2.2 1
route CORE_BRIDGE 10.7.4.0 255.255.255.0 10.7.2.2 1
route CORE_BRIDGE 10.7.5.0 255.255.255.0 10.7.2.2 1
route CORE_BRIDGE 10.7.9.0 255.255.255.0 10.7.2.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authorization command LOCAL
http server enable
http 10.0.0.0 255.0.0.0 CORE_BRIDGE
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 10.0.0.0 255.0.0.0 CORE_BRIDGE
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.7.5.20 source CORE_BRIDGE prefer
ntp server 10.7.5.30 source CORE_BRIDGE prefer
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
class class-default
user-statistics accounting
!
: end
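The posted config also carries a few management-plane and ACL settings that are worth flagging while it is being reviewed: a default SNMP community, the dh-group1-sha1 SSH key exchange, ssh/http management allowed from all of 10.0.0.0/8 while only 10.7.0.0/16 is in use, RDP to vc permitted from any outside source, and `permit ip any any` on both inside interfaces (which, together with `same-security-traffic permit inter-interface`, gives the VOIP segment unrestricted reach into the core). The script below is an added example, not part of the original post: it lints a constructed excerpt of the config above for exactly those patterns. The check ids, the ADMIN_PORTS table and the 10.7.0.0/16 "inside" supernet (taken from the INSIDE_SUBENET object) are this example's assumptions.

```python
import re
from ipaddress import ip_network
from typing import List, Tuple

# Constructed excerpt of the ASA config posted above: only the lines the checks inspect.
ASA_CONFIG = """\
access-list CORE_BRIDGE_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any object winplex eq 32400
access-list outside_access_in extended permit tcp any object vc eq 3389
access-list outside_access_in extended permit icmp any any
access-list VOIP_access_in extended permit ip any any
http server enable
http 10.0.0.0 255.0.0.0 CORE_BRIDGE
snmp-server community public
ssh 10.0.0.0 255.0.0.0 CORE_BRIDGE
ssh key-exchange group dh-group1-sha1
"""

DEFAULT_COMMUNITIES = {"public", "private"}            # guessable read communities
WEAK_KEX = {"dh-group1-sha1"}                           # 1024-bit DH group 1
ADMIN_PORTS = {"3389": "RDP", "22": "SSH", "23": "telnet", "445": "SMB", "5900": "VNC"}

Finding = Tuple[str, str]   # (check id, offending line)


def check_asa_config(config: str, inside_supernet: str = "10.7.0.0/16") -> List[Finding]:
    """Lint an ASA running-config excerpt; inside_supernet is the address space actually in use."""
    inside = ip_network(inside_supernet)
    findings: List[Finding] = []
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"snmp-server community (\S+)$", line):
            if m.group(1).lower() in DEFAULT_COMMUNITIES:
                findings.append(("snmp-default-community", line))
        elif m := re.match(r"ssh key-exchange group (\S+)$", line):
            if m.group(1) in WEAK_KEX:
                findings.append(("ssh-weak-kex", line))
        elif m := re.match(r"(ssh|http) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$", line):
            # management source wider than the networks that exist behind the firewall
            allowed = ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            if allowed.prefixlen < inside.prefixlen and allowed.supernet_of(inside):
                findings.append(("mgmt-source-too-broad", line))
        elif m := re.match(r"access-list (\S+) extended permit (tcp|udp) any (?:.* )?eq (\S+)$", line):
            # remote-administration port reachable from any source on the outside ACL
            if m.group(1).lower().startswith("outside") and m.group(3) in ADMIN_PORTS:
                findings.append(("admin-port-exposed", f"{ADMIN_PORTS[m.group(3)]}: {line}"))
        elif m := re.match(r"access-list (\S+) extended permit ip any any$", line):
            # no segmentation between the security-level-100 interfaces
            if not m.group(1).lower().startswith("outside"):
                findings.append(("inside-acl-permit-all", line))
    return findings


if __name__ == "__main__":
    for check_id, detail in check_asa_config(ASA_CONFIG):
        print(f"{check_id:24} {detail}")
```

Run against the excerpt it reports seven findings: two inside ACLs permitting everything, RDP exposed from any, both management ranges too broad, the default community and the weak key-exchange group. Restricting ssh/http to the management hosts' own subnet, replacing the community string (or moving to SNMPv3), and scoping the VOIP ACL to SIP/RTP toward the call-control hosts would clear most of them without changing the routing the question is about.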
Accepted Solution

Julio Garcia
Level 1

Hi,

Can you post the configuration of the 3750 and the default gateway configuration of your VM? Also, try a packet-tracer command from the firewall to ensure that the ICMP traffic is going to pass:

packet-tracer input VOIP icmp 10.7.7.2 0 0 10.7.5.1

Regards,

Julio

Oh wow, thank you Julio. Your requesting my 3750 config made me review it to sanitize it, and I realized I had created an SVI some time ago on the 3750 with the IP 10.7.7.2... the same IP as the VM. That SVI was causing routing problems; after removing it from the core everything started working.

Thank you!
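The failure the thread ends on, worked through as an added example that is not part of the original posts: parse the routing-relevant lines of both devices, run the same longest-prefix lookup each box performs, and show why the stale Vlan7 SVI breaks the return path even though the ASA's forward path is correct. The ASA excerpt comes from the config in the question; the 3750 and VM configs are constructed from the description in the thread (the /24 mask on the SVI is an assumption, the reply only gives its address). The parser handles just the `interface`/`nameif`/`ip address` and `route`/`ip route` forms used here.

```python
import re
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Interface, IPv4Network
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of the ASA config posted in the question (routing-relevant lines only).
ASA_CONFIG = """\
interface Port-channel3.2
 vlan 2
 nameif CORE_BRIDGE
 ip address 10.7.2.1 255.255.255.0
interface Port-channel3.7
 vlan 7
 nameif VOIP
 ip address 10.7.7.1 255.255.255.0
route CORE_BRIDGE 10.7.5.0 255.255.255.0 10.7.2.2 1
"""

# Constructed 3750 config as the final reply describes it: the stale Vlan7 SVI carries the
# VM's address 10.7.7.2 (the /24 mask is an assumption; the post does not give it).
SWITCH_CONFIG = """\
interface Vlan2
 ip address 10.7.2.2 255.255.255.0
interface Vlan5
 ip address 10.7.5.1 255.255.255.0
interface Vlan7
 ip address 10.7.7.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.7.2.1
"""

# Constructed: the VM on VLAN 7 from the question.
VM_CONFIG = """\
interface eth0
 ip address 10.7.7.2 255.255.255.0
"""

Route = Tuple[IPv4Network, Optional[IPv4Address], str]  # (prefix, next hop or None if connected, egress)


@dataclass
class Device:
    name: str
    addrs: Dict[str, IPv4Interface] = field(default_factory=dict)   # interface -> configured address
    routes: List[Route] = field(default_factory=list)

    def lookup(self, dst: IPv4Address) -> Optional[Route]:
        """Longest-prefix match: a connected /24 always beats a /0 default route."""
        matches = [r for r in self.routes if dst in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen) if matches else None

    def egress_for(self, next_hop: IPv4Address) -> str:
        """Name the connected interface that reaches next_hop (IOS 'ip route' omits it)."""
        for name, addr in self.addrs.items():
            if next_hop in addr.network:
                return name
        return "?"


IFACE_RE = re.compile(r"^interface (\S+)")
NAMEIF_RE = re.compile(r"^\s*nameif (\S+)")
ADDR_RE = re.compile(r"^\s*ip address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")
ROUTE_RE = re.compile(r"^(?:ip route|route \S+) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")


def parse_config(name: str, text: str) -> Device:
    dev = Device(name)
    iface = None
    for line in text.splitlines():
        if m := IFACE_RE.match(line):
            iface = m.group(1)
        elif m := NAMEIF_RE.match(line):
            iface = m.group(1)            # ASA routes refer to the nameif, so key addresses by it
        elif (m := ADDR_RE.match(line)) and iface:
            dev.addrs[iface] = IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        elif m := ROUTE_RE.match(line):
            net = IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
            dev.routes.append((net, IPv4Address(m.group(3)), ""))
    # connected routes come from the addresses; static routes get their egress interface resolved
    dev.routes = [(a.network, None, n) for n, a in dev.addrs.items()] + \
                 [(net, nh, dev.egress_for(nh)) for net, nh, _ in dev.routes]
    return dev


def forward_hop(dev: Device, dst: str) -> Optional[Tuple[str, str]]:
    """(next hop, egress interface) the device uses toward dst; '' next hop means directly connected."""
    r = dev.lookup(IPv4Address(dst))
    return None if r is None else (str(r[1]) if r[1] else "", r[2])


def duplicate_addresses(devices: List[Device]) -> Dict[str, List[str]]:
    """Every IP configured in more than one place, with its 'device:interface' owners."""
    owners: Dict[str, List[str]] = {}
    for dev in devices:
        for iface, addr in dev.addrs.items():
            owners.setdefault(str(addr.ip), []).append(f"{dev.name}:{iface}")
    return {ip: o for ip, o in owners.items() if len(o) > 1}


if __name__ == "__main__":
    asa, sw, vm = (parse_config(n, c) for n, c in
                   (("asa", ASA_CONFIG), ("3750", SWITCH_CONFIG), ("vm", VM_CONFIG)))
    print("ASA  10.7.7.2 -> 10.7.5.1 :", forward_hop(asa, "10.7.5.1"))   # ('10.7.2.2', 'CORE_BRIDGE')
    print("3750 reply    -> 10.7.7.2 :", forward_hop(sw, "10.7.7.2"))    # ('', 'Vlan7'): SVI wins, never reaches the ASA
    print("duplicate addresses       :", duplicate_addresses([asa, sw, vm]))
    fixed = parse_config("3750-fixed", SWITCH_CONFIG.replace(
        "interface Vlan7\n ip address 10.7.7.2 255.255.255.0\n", ""))
    print("3750 reply after removing SVI:", forward_hop(fixed, "10.7.7.2"))  # ('10.7.2.1', 'Vlan2')
```

The output makes Julio's packet-tracer suggestion concrete: the ASA side was never the problem (echo request leaves CORE_BRIDGE toward 10.7.2.2), but on the 3750 the connected 10.7.7.0/24 from the leftover SVI out-ranks the default route, so the reply is handed to Vlan7 on the switch, and 10.7.7.2 is the switch's own address there, so it never goes back through 10.7.2.1. Removing the SVI restores the default-route return path. The same duplicate-address pass is worth running whenever an inside host cannot reach beyond its gateway, since a stale SVI or a second DHCP scope produces exactly this symptom.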
