Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ASA 5510 inter-vlan routing

Hi All,

I'm not able to access a vlan from another vlan.

Let me explain it deeply:

I've got a 3750 switch connected through a non switched port to the asa.

I've implemented ospf routing to pass directly all the vlans behind the 3750 to the asa and it's working like a charm. I can access internet from that vlans.

One eth port of the asa is connected to the inside network 10.60.0.0/16 and the other to the "new network" through the 3750.

I need to let the traffic flow between eth0 to eth1 (they have the same security level, 100).

I've already enable the inter-vlan and intra-vlan traffic.

Thanks,

Cheers,

Lnx

5 REPLIES
Super Bronze

ASA 5510 inter-vlan routing

Hi,

Can you attach some configurations from both the ASA and the 3750 to the original post and provide "show route" output from ASA and "show ip route" from the 3750.

- Jouni

New Member

ASA 5510 inter-vlan routing

Hi JouniForss,

This is the asa, i've had to create all the static nat rules because i was not even able to ping between from one network to another

ASA Version 8.2(5)

!

interface Ethernet0/2

description inside

nameif Inside

security-level 100

ip address 10.60.1.1 255.255.0.0

!

interface Ethernet0/3

nameif NewInfrastructure

security-level 100

ip address 10.90.1.1 255.255.255.0

!

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group network DM_INLINE_NETWORK_4

network-object 10.130.0.0 255.255.255.0

network-object 10.130.1.0 255.255.255.0

network-object 10.65.0.0 255.255.0.0

access-list Inside_access_in extended permit ip 10.60.0.0 255.255.0.0 object-group DM_INLINE_NETWORK_4

access-list Inside_access_in remark Block all toward outside

access-list Inside_access_in extended deny ip any any

nat (NewInfrastructure) 1 10.130.0.0 255.255.255.0

nat (NewInfrastructure) 1 10.130.1.0 255.255.255.0

nat (NewInfrastructure) 1 10.130.2.0 255.255.255.0

nat (NewInfrastructure) 1 10.130.3.0 255.255.255.0

nat (NewInfrastructure) 1 10.130.4.0 255.255.255.0

nat (NewInfrastructure) 1 10.130.5.0 255.255.255.0

nat (NewInfrastructure) 1 10.130.6.0 255.255.255.0

nat (NewInfrastructure) 1 10.65.0.0 255.255.0.0

static (NewInfrastructure,Inside) 10.130.1.0 10.130.1.0 netmask 255.255.255.0

static (NewInfrastructure,Inside) 10.65.0.0 10.65.0.0 netmask 255.255.0.0

static (NewInfrastructure,Inside) 10.130.2.0 10.130.2.0 netmask 255.255.255.0

static (NewInfrastructure,Inside) 10.130.3.0 10.130.3.0 netmask 255.255.255.0

static (NewInfrastructure,Inside) 10.130.0.0 10.130.0.0 netmask 255.255.255.0

static (NewInfrastructure,Inside) 10.130.4.0 10.130.4.0 netmask 255.255.255.0

static (NewInfrastructure,Inside) 10.130.5.0 10.130.5.0 netmask 255.255.255.0

static (NewInfrastructure,Inside) 10.130.6.0 10.130.6.0 netmask 255.255.255.0

static (Inside,NewInfrastructure) 10.60.0.0 10.60.0.0 netmask 255.255.0.0

access-group Colt_access_in in interface Colt

access-group Isa_access_in in interface ISA_ML

access-group Inside_access_in in interface Inside

!

router ospf 1

router-id 3.3.3.3

network 10.62.0.0 255.255.0.0 area 0

network 10.65.0.0 255.255.0.0 area 0

network 10.90.1.0 255.255.255.0 area 0

network 10.130.0.0 255.255.255.0 area 0

network 10.130.1.0 255.255.255.0 area 0

network 10.130.2.0 255.255.255.0 area 0

network 10.130.3.0 255.255.255.0 area 0

network 10.130.4.0 255.255.255.0 area 0

network 10.130.5.0 255.255.255.0 area 0

network 10.130.6.0 255.255.255.0 area 0

area 0

log-adj-changes

!

console timeout 0

threat-detection basic-threat

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

!

class-map global-class

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global-policy

class global-class

  inspect dns preset_dns_map

  inspect esmtp

  inspect ftp

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect sip 

  inspect skinny 

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect xdmcp

  inspect h323 h225

  inspect h323 ras

!

service-policy global-policy global

: end

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

       * - candidate default, U - per-user static route, o - ODR

       P - periodic downloaded static route

Gateway of last resort is x.x.x.x to network 0.0.0.0

O    10.0.0.0 255.255.255.240

           [110/11] via 10.90.1.2, 5:38:38, NewInfrastructure

S    10.62.0.0 255.255.0.0 [1/0] via 10.60.1.10, Inside

C    10.60.0.0 255.255.0.0 is directly connected, Inside

O    10.65.0.0 255.255.0.0 [110/12] via 10.90.1.2, 4:28:47, NewInfrastructure

C    10.90.1.0 255.255.255.0 is directly connected, NewInfrastructure

O    10.130.1.0 255.255.255.0

           [110/11] via 10.90.1.2, 2:45:21, NewInfrastructure

C    192.168.1.0 255.255.255.0 is directly connected, management

S*   0.0.0.0 0.0.0.0 [1/0] via x.x.x.x, Colt

New Member

ASA 5510 inter-vlan routing

Here the 3750 config:

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname Switch

!

boot-start-marker

boot-end-marker

!

ip routing

!

!

!

!

!

!

spanning-tree mode pvst

spanning-tree extend system-id

!

!

!

!

!

!

!

!

!

vlan internal allocation policy ascending

!

!

!

!

!

!

!

!

!

!

!

interface FastEthernet0

no ip address

no ip route-cache

shutdown

!

interface GigabitEthernet1/0/1

no switchport

ip address 10.0.0.1 255.255.255.240

ip ospf hello-interval 5

!

interface GigabitEthernet1/0/2

no switchport

ip address 10.90.1.2 255.255.255.0

!

interface GigabitEthernet1/0/3

switchport access vlan 60

switchport mode access

!

interface GigabitEthernet1/0/4

!

interface GigabitEthernet1/0/5

!

interface GigabitEthernet1/0/6

!

interface GigabitEthernet1/0/7

!

interface GigabitEthernet1/0/8

!

interface GigabitEthernet1/0/9

!

interface GigabitEthernet1/0/10

!

interface GigabitEthernet1/0/11

switchport access vlan 131

switchport mode access

!

interface GigabitEthernet1/0/12

switchport access vlan 130

switchport mode access

spanning-tree portfast

!

interface GigabitEthernet1/1/1

!

interface GigabitEthernet1/1/2

!

interface GigabitEthernet1/1/3

!

interface GigabitEthernet1/1/4

!

interface TenGigabitEthernet1/1/1

!

interface TenGigabitEthernet1/1/2

!

interface Vlan1

no ip address

shutdown

!

interface Vlan60

ip address 10.60.1.5 255.255.0.0

!

interface Vlan130

ip address 10.130.1.1 255.255.255.0

!

interface Vlan131

ip address 10.131.1.1 255.255.255.0

!

router ospf 1

router-id 2.2.2.2

network 10.0.0.0 0.0.0.15 area 0

network 10.60.0.0 0.0.255.255 area 0

network 10.62.0.0 0.0.255.255 area 0

network 10.90.1.0 0.0.0.255 area 0

network 10.130.1.0 0.0.0.255 area 0

network 10.131.1.0 0.0.0.255 area 0

default-information originate always

!

ip http server

ip http secure-server

!

ip route 0.0.0.0 0.0.0.0 10.90.1.1

ip route 10.63.0.0 255.255.0.0 10.60.1.10

Switch#sh ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level

       ia - IS-IS inter area, * - candidate default, U - per-user static r

       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP

       + - replicated route, % - next hop override

Gateway of last resort is 10.90.1.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.90.1.1

      10.0.0.0/8 is variably subnetted, 10 subnets, 4 masks

C        10.0.0.0/28 is directly connected, GigabitEthernet1/0/1

L        10.0.0.1/32 is directly connected, GigabitEthernet1/0/1

C        10.60.0.0/16 is directly connected, Vlan60

L        10.60.1.5/32 is directly connected, Vlan60

S        10.63.0.0/16 [1/0] via 10.60.1.10

O        10.65.0.0/16 [110/2] via 10.0.0.2, 1w3d, GigabitEthernet1/0/1

C        10.90.1.0/24 is directly connected, GigabitEthernet1/0/2

L        10.90.1.2/32 is directly connected, GigabitEthernet1/0/2

C        10.130.1.0/24 is directly connected, Vlan130

L        10.130.1.1/32 is directly connected, Vlan130

Switch#

!

Super Bronze

Re: ASA 5510 inter-vlan routing

Hi,

To me seems that the setup possibly only contains 3 devices. ASA and 2-3 Routers?

Also seems to me that the routing is a bit messed up.

You are essentially using the native routing table and have connected the core 3750 with 2 links to the ASA

Would seem to me that all the networks behind your ASA route directly through the 3750 and dont go through the ASA?

What were the 2 networks which traffic should go through the ASA?

I would suggest going through the whole setup because it seems to me to make no sense at the moment. If you have a simple network then I would suggest sticking to static routing. Atleast I personally feel that I would not get much out of running dynamic routing protocol if there is no redundancy in the network and the network is small.

If you want to separate network with the ASA then you will have to bring those Vlans directly to ASA and let the ASA handle the inter Vlan routing. Naturally in this case the ASA might become a bottleneck for traffic because of limited throughput performance.

Other option would be to use VRFs on the 3750. This means essentially that you could separate certain networks/Vlans to their own routing table and let them have their own default route towards the ASA. In the same way you could have another VRF for some new network that would be separate from the rest of the network and connect that network to the ASA on their own link.

- Jouni

New Member

Re: ASA 5510 inter-vlan routing

I pasted part of the configuration at the moment

Basically there are let's say 3 phisical location:

1- datacenter with 10.65.0.0/16 subnet and a 3rd party switch with l3 routing enabled

2- 3750 core with l3 routing

3- another network 10.60.0.0/16 10.62.0.0 with the isp-managed  router which send everything "unknown" to the asa.

It doesn't know the vlan configured on the 3750 ip so it sends all the traffic to the asa.

Right now i cannot change the default gateway on the 10.60 network to the 3750 that's the main problem

I would like to manage it with the asa if it's possible.

Hope that you see what i mean.

Cheers,

D

249
Views
0
Helpful
5
Replies