Cannot reach gateway through routing switch (3750)

kerry-davis
Level 1

Hi, all.

I'm running into what seems a basic ip routing config problem with a Catalyst 3750 (IP Base) switch.  Hoping someone can point out the error of my ways.

I have several VLANs configured on the switch with IP routing enabled, and the switch is connected to the inside interface of a new ASA 5520 as follows:

  • ASA5520 IP (Default gateway): 192.168.1.1
  • Switchport Gi1/0/1 is configured as a routed port, IP address 192.168.1.3 255.255.255.0
  • Example VLAN is VLAN 100, IP address 192.168.100.1 255.255.252.0

From the switch CLI, I can ping all VLAN addresses, as well as the ASA5520, and the client laptop I'm testing with from VLAN 100.

From the client laptop on VLAN 100, I can ping all switch interface and VLAN addresses (inter-VLAN routing is working), including 192.168.1.3, but I CANNOT ping the default gateway at 192.168.1.1.

Here is the relevant configuration information on the 3750:

!
no aaa new-model
switch 1 provision ws-c3750x-24
system mtu routing 1500
ip routing
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0
 no ip address
 no ip route-cache cef
 no ip route-cache
!
interface GigabitEthernet1/0/1 ***routing port connected to inside interface of ASA
 no switchport
 ip address 192.168.1.3 255.255.255.0
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5  ***Client testing laptop connected here on VLAN 100
 switchport access vlan 100
 switchport mode access
 spanning-tree portfast
!
**SNIP**
!
interface GigabitEthernet1/0/23
 switchport trunk encapsulation isl
 switchport trunk allowed vlan 1,2,4
 switchport mode trunk
!
interface GigabitEthernet1/0/24
 switchport trunk encapsulation isl
 switchport trunk allowed vlan 20,100,200
 switchport mode trunk
!
**SNIP**
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan2
 ip address 192.168.2.4 255.255.255.0
!
interface Vlan4
 ip address 192.168.4.2 255.255.255.0
!
interface Vlan20
 ip address 192.168.20.1 255.255.252.0
!
interface Vlan100
 ip address 192.168.100.1 255.255.252.0 ***Client from this VLAN cannot ping ASA, can ping sw routing port
!
interface Vlan200
 ip address 192.168.200.2 255.255.252.0
!
router rip
 network 192.168.1.0
 network 192.168.2.0
 network 192.168.4.0
 network 192.168.20.0
 network 192.168.100.0
 network 192.168.200.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip http server
ip http secure-server
!
ip sla enable reaction-alerts
!
!
**SNIP**

SWOKCCS01#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.1.1 to network 0.0.0.0

C    192.168.4.0/24 is directly connected, Vlan4
C    192.168.1.0/24 is directly connected, GigabitEthernet1/0/1
C    192.168.2.0/24 is directly connected, Vlan2
S*   0.0.0.0/0 [1/0] via 192.168.1.1
C    192.168.200.0/22 is directly connected, Vlan200
C    192.168.20.0/22 is directly connected, Vlan20
C    192.168.100.0/22 is directly connected, Vlan100

2 Accepted Solutions

amigomnemonik
Level 1

Looks like you need to create static routes on ASA back to your subnets and on the switch default static route with next hop of internal ASA interface.

Sent from my iPhone

Richard Burts
Hall of Fame

Kerry

You have given us good information about the switch and not anything about the ASA. Based on what you have given us so far I would guess that the problem is that the ASA does not have any route to network 192.168.100.0 (and probably not the other networks that are defined on the switch). Can you check the ASA and tell us what is in its route table?

HTH

Rick

Rick and Kamil -

You're both right about this one. I was so focused on the switch config and the fact it could ping the firewall, I neglected to realize the firewall doesn't actually know about the .100 subnet.

I added a network object and the proper route in the ASA and now traffic is flowing.

Thanks for the super-fast replies!

Kerry

Kerry

I am glad that you solved the problem and that our suggestions pointed the way. Thank you for posting back to the forum indicating that the problem was solved and marking the question as resolved. It makes the forum more useful when people can read about a problem and can know that a solution was found. Your marking has contributed to this process. I encourage you to continue your participation in the forum.

HTH

Rick
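
The return-route gap diagnosed in this thread, as an added example that is not part of the original posts: it shows why pings sourced from the switch's routed port get answered while pings from VLAN 100 do not, and renders the static routes the ASA lacks. The ASA route table used here (its connected inside network plus a default route out an interface named `outside`) and the `inside` interface name are assumptions, since the thread never shows the ASA configuration.

```python
import ipaddress

# From the thread: the switch's routed-port address and its connected subnets.
SWITCH_NEXT_HOP = "192.168.1.3"
SWITCH_SUBNETS = ["192.168.1.0/24", "192.168.2.0/24", "192.168.4.0/24",
                  "192.168.20.0/22", "192.168.100.0/22", "192.168.200.0/22"]
# Assumed ASA routes before the fix (constructed; not shown in the thread).
ASA_ROUTES = [("192.168.1.0/24", "inside"), ("0.0.0.0/0", "outside")]


def best_route(target, routes):
    """Longest-prefix (network, ifname) route containing target, or None."""
    target = ipaddress.ip_network(target)  # a bare IP becomes a /32
    hits = [(ipaddress.ip_network(prefix), ifname) for prefix, ifname in routes
            if target.subnet_of(ipaddress.ip_network(prefix))]
    return max(hits, key=lambda hit: hit[0].prefixlen, default=None)


def missing_return_routes(subnets, routes, inside="inside"):
    """Switch subnets whose replies would not leave the ASA's inside interface."""
    missing = []
    for subnet in subnets:
        hit = best_route(subnet, routes)
        if hit is None or hit[1] != inside:
            missing.append(ipaddress.ip_network(subnet))
    return missing


def asa_route_commands(missing, next_hop, ifname="inside"):
    """Render ASA static routes pointing each subnet back at the switch."""
    return [f"route {ifname} {net.network_address} {net.netmask} {next_hop}"
            for net in missing]


if __name__ == "__main__":
    # Echo replies are routed on the source address of the original ping.
    for source in ("192.168.1.3", "192.168.100.10"):  # switch port, VLAN 100 host
        print(source, "-> reply leaves via", best_route(source, ASA_ROUTES)[1])
    gaps = missing_return_routes(SWITCH_SUBNETS, ASA_ROUTES)
    print("\n".join(asa_route_commands(gaps, SWITCH_NEXT_HOP)))
```
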
