Cisco Support Community
DMZ Communication Issues on ASA5510 to 3560

Hi,

I've recently segmented my network and part of the process was creating a DMZ VLAN.  I'm running ESXi 5 and have created two new VMs to add to this DMZ to begin the process of moving everything public-facing to the new VLAN.  At this point the new hosts will not communicate with each other, their gateway, or of course the public internet.  To get the first out of the way, they are configured according to VMware's VLAN guide: I have created a new vSwitch port group on the host and assigned them to VLAN ID 11 for the DMZ VLAN, and have the switchport on the switch (3560) set up as a trunk in dot1q mode with all VLANs tagged.  The management VLAN is also NOT the default VLAN 1, so that is not causing any issues.  My other server segment VLAN is working fine on the same ESXi hosts, so this does not seem to be the issue.

On the network side of things I have my ASA connecting to a 3560 with two interfaces, one for "inside", one for "dmz."

Is the config below correct?  I feel like the static route should be "route dmz" with a gateway of 10.0.1.1.

_ASA_

interface Ethernet0/2
nameif dmz
security-level 50
ip address 10.0.1.1 255.255.255.0

route inside 10.0.1.0 255.255.255.0 192.168.201.2 1          <- (192.168.201.2 is my 3560)

_3560_

interface GigabitEthernet0/1
description ASA5510MDF Inside
no switchport
ip address 192.168.201.2 255.255.255.252
!
interface GigabitEthernet0/2
description ASA5510MDF DMZ
switchport access vlan 11


9 REPLIES

DMZ Communication Issues on ASA5510 to 3560

Hello Garan Sink,

Does your 3560 have an SVI for vlan 11?

The route you've specified on your ASA needs to be removed. You're directly connected to that network (10.0.1.1), therefore a route to "10.0.1.0 255.255.255.0" is not necessary.

Please update on whether removing that route has changed anything.

Kind Regards,

Kevin

**Please rate helpful posts as well as mark the questions as "Answered" once the issue is resolved. This will allow others to better find the solution.

Kind Regards, Kevin Sheahan, CCIE # 41349

DMZ Communication Issues on ASA5510 to 3560

Hi Kevin,

I've removed the route mentioned, and I have on the 3560:

interface vlan11

desc DMZ

but no ip address assigned.  I don't seem to be able to communicate still at this point.

Thanks for the help,

Garan

Re: DMZ Communication Issues on ASA5510 to 3560

You can delete the SVI, as it is useless unless you add an IP.

Can you post full asa config and 3560 config? Feel free to sanitize before posting to protect potentially sensitive information.

Sent from Cisco Technical Support iPhone App

Kind Regards, Kevin Sheahan, CCIE # 41349

Re: DMZ Communication Issues on ASA5510 to 3560

Here are the config files, sanitized:

ASA

=====================

ASA Version 8.4(2)
!
hostname ASA5510MDF
domain-name domain.com
enable password encrypted
passwd encrypted
no names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 111.111.111.162 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.201.1 255.255.255.252
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 10.0.1.1 255.255.255.0
!
interface Ethernet0/3
nameif guest
security-level 0
ip address 10.0.6.1 255.255.255.0
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa842-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.0.0.3
name-server 10.0.0.9
domain-name domain.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network RMG-FS
host 10.0.0.9
object network RMG-UTIL
host 10.0.0.8
object network RMG-WAREHOUSE
host 10.0.0.4
object network RMG-RMS
host 10.0.0.13
object network RMG-SHAREPOINT
host 10.0.0.16
object network RMG-SQL
host 10.0.0.18
object network RMG-DEMO
host 10.0.0.19
object network REC-WEBCAM
host 10.0.0.45
object network J-MERRITT
host 10.0.3.253
object network L-MARCHESE
host 10.0.3.254
object network RMG-UAT
host 10.0.0.30
object network RMG_LAN
subnet 10.0.0.0 255.255.252.0
object network RMG_LUMOS
subnet 111.111.111.160 255.255.255.224
object network CLIENT_VPN
subnet 10.0.4.0 255.255.255.0
object network CLIENT_VPN_SPLIT
subnet 10.0.5.0 255.255.255.0
object network WORKSTATION_LAN
subnet 10.0.3.0 255.255.255.0
object network RMG-DC
host 10.0.0.3
object network SERVERS
subnet 10.0.0.0 255.255.255.0
object network RMG-SHAREPOINT2
host 10.0.0.40
object network RMG-REMOTE
host 10.0.0.73
object network RMG-WH2K8
host 10.0.0.32
object network GUEST_LAN
subnet 10.0.6.0 255.255.255.0
object network GARAN_TEST
host 10.0.3.143
object network RMG-WEB1
host 10.0.1.2
object network RMG-WEB2
host 10.0.1.3
object network DMZ
subnet 10.0.1.0 255.255.255.0
object-group service FTP_PASSIVE tcp
port-object range 23400 23449
port-object range 40000 40060
object-group service TIMBUKTU tcp
port-object range 1417 1420
port-object eq 407
object-group service RMS_STORES tcp
port-object range 34200 34202
object-group service SQL tcp
port-object range 1433 1434
object-group network RACKSPACE_DB
network-object 172.18.100.0 255.255.255.0
object-group network RACKSPACE_DMZ
network-object 172.18.101.0 255.255.255.0
object-group network RACKSPACE_SAN
group-object RACKSPACE_DB
group-object RACKSPACE_DMZ
object-group network BLOCK_RANGE
network-object 188.229.88.0 255.255.254.0
object-group network RMG_VPN
network-object object CLIENT_VPN
network-object object CLIENT_VPN_SPLIT
object-group network DOMAIN_CONTROLLERS
network-object object RMG-DC
network-object object RMG-FS
object-group service AD_PORTS_TCP tcp
port-object eq ldap
port-object eq ldaps
port-object eq 135
port-object range 1024 65535
port-object range 3268 3269
port-object eq netbios-ssn
port-object eq 445
port-object eq 5722
port-object eq domain
port-object eq 88
port-object eq 464
port-object eq 42
object-group service AD_PORTS_UDP udp
port-object eq 389
port-object eq 636
port-object eq netbios-ns
port-object eq netbios-dgm
port-object eq domain
port-object eq 88
port-object eq 464
port-object eq nameserver
port-object eq ntp
object-group service FILE_SHARE_TCP tcp
port-object eq 135
port-object eq 445
port-object eq netbios-ssn
object-group service FILE_SHARE_UDP udp
port-object eq netbios-dgm
port-object eq netbios-ns
object-group service WEB_PORTS tcp
port-object eq www
port-object eq https
object-group network WEB_SERVERS
network-object object RMG-DEMO
network-object object RMG-UAT
network-object object RMG-SHAREPOINT2
access-list outside_in extended deny ip object-group BLOCK_RANGE any
access-list outside_in extended permit icmp any any
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended permit tcp any object RMG-RMS object-group RMS_STORES
access-list outside_in extended permit tcp any object RMG-FS eq ftp
access-list outside_in extended permit tcp any object RMG-FS eq ssh
access-list outside_in extended permit tcp any object RMG-FS eq 990
access-list outside_in extended permit tcp any object RMG-FS object-group FTP_PASSIVE
access-list outside_in extended permit udp 192.5.41.0 255.255.255.0 object RMG-DC eq ntp
access-list outside_in extended permit tcp any object REC-WEBCAM eq www
access-list outside_in extended permit tcp any object REC-WEBCAM eq rtsp
access-list outside_in extended permit tcp 222.111.111.0 255.255.255.0 object RMG-WAREHOUSE object-group SQL
access-list outside_in extended permit tcp 222.111.111.0 255.255.255.0 object RMG-SQL object-group SQL
access-list outside_in extended permit tcp any object RMG-SHAREPOINT eq www
access-list outside_in extended permit tcp any object J-MERRITT object-group TIMBUKTU
access-list outside_in extended permit tcp any object L-MARCHESE object-group TIMBUKTU
access-list outside_in extended permit tcp any object RMG-UTIL eq 5222
access-list outside_in extended permit tcp any object-group WEB_SERVERS object-group WEB_PORTS
access-list client_vpn_outside_cryptomap extended permit ip any object CLIENT_VPN
access-list client_vpn_outside_cryptomap extended permit ip any object CLIENT_VPN_SPLIT
access-list rackspace_outside_cryptomap extended permit ip object RMG_LUMOS object-group RACKSPACE_SAN
access-list split_tunnel extended permit ip object RMG_LAN object CLIENT_VPN_SPLIT
access-list split_tunnel extended permit ip object-group RACKSPACE_SAN object CLIENT_VPN_SPLIT
access-list split_tunnel extended permit ip object-group RMG_VPN object CLIENT_VPN_SPLIT
access-list vpn_remote_worker extended permit tcp object-group RMG_VPN object SERVERS eq www
access-list vpn_remote_worker extended permit tcp object-group RMG_VPN object SERVERS eq https
access-list vpn_remote_worker extended permit tcp object-group RMG_VPN object-group DOMAIN_CONTROLLERS object-group AD_PORTS_TCP
access-list vpn_remote_worker extended permit udp object-group RMG_VPN object-group DOMAIN_CONTROLLERS object-group AD_PORTS_UDP
access-list vpn_remote_worker extended permit tcp object-group RMG_VPN object RMG-SQL object-group FILE_SHARE_TCP
access-list vpn_remote_worker extended permit udp object-group RMG_VPN object RMG-SQL object-group FILE_SHARE_UDP
access-list vpn_remote_worker extended permit tcp object-group RMG_VPN any object-group WEB_PORTS
access-list vpn_remote_worker extended permit icmp object-group RMG_VPN any
access-list vpn_remote_worker extended permit tcp object-group RMG_VPN object RMG-WAREHOUSE object-group SQL
access-list vpn_remote_worker extended permit tcp object-group RMG_VPN object RMG-SQL object-group SQL
access-list vpn_remote_worker extended permit tcp object-group RMG_VPN object-group RACKSPACE_DB object-group SQL
access-list vpn_remote_worker extended permit tcp object-group RMG_VPN object WORKSTATION_LAN eq 3389
access-list vpn_remote_worker extended permit tcp object-group RMG_VPN object RMG-REMOTE eq 3389
access-list vpn_remote_desktop extended permit tcp object-group RMG_VPN object-group DOMAIN_CONTROLLERS object-group AD_PORTS_TCP
access-list vpn_remote_desktop extended permit udp object-group RMG_VPN object-group DOMAIN_CONTROLLERS object-group AD_PORTS_UDP
access-list vpn_remote_desktop extended permit tcp object-group RMG_VPN object WORKSTATION_LAN eq 3389
access-list vpn_remote_desktop extended permit icmp object-group RMG_VPN object RMG_LAN
access-list vpn_remote_desktop extended permit tcp object-group RMG_VPN any object-group WEB_PORTS
access-list vpn_retail extended permit tcp object CLIENT_VPN object-group DOMAIN_CONTROLLERS object-group AD_PORTS_TCP
access-list vpn_retail extended permit udp object CLIENT_VPN object-group DOMAIN_CONTROLLERS object-group AD_PORTS_UDP
access-list vpn_retail extended permit tcp object CLIENT_VPN object RMG-RMS eq 3389
access-list vpn_retail extended permit tcp object CLIENT_VPN object RMG-RMS object-group SQL
access-list vpn_retail extended permit icmp object CLIENT_VPN object RMG-RMS
access-list vpn_wh2k8 extended permit ip object-group RMG_VPN object RMG-WH2K8
access-list dmz_in extended permit tcp object DMZ object-group DOMAIN_CONTROLLERS eq domain
access-list dmz_in extended permit udp object DMZ object-group DOMAIN_CONTROLLERS eq domain
access-list dmz_in extended permit icmp object DMZ object RMG_LAN
pager lines 24
logging enable
logging timestamp
logging console warnings
logging history warnings
logging asdm warnings
logging from-address email@domain.com
logging recipient-address email@domain.com level alerts
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu guest 1500
ip local pool client_vpn_split_pool 10.0.5.1-10.0.5.254 mask 255.255.255.0
ip local pool client_vpn_pool 10.0.4.1-10.0.4.254 mask 255.255.255.0
ip verify reverse-path interface inside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-206.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static RMG_LAN RMG_LAN destination static CLIENT_VPN CLIENT_VPN
nat (inside,outside) source static RMG_LAN RMG_LAN destination static CLIENT_VPN_SPLIT CLIENT_VPN_SPLIT
nat (inside,dmz) source static RMG_LAN RMG_LAN destination static DMZ DMZ
nat (inside,outside) source dynamic RMG_LAN interface destination static RACKSPACE_SAN RACKSPACE_SAN
nat (outside,outside) source dynamic CLIENT_VPN_SPLIT interface destination static RACKSPACE_SAN RACKSPACE_SAN
!
object network RMG-FS
nat (inside,outside) static 111.111.111.164
object network RMG-UTIL
nat (inside,outside) static 111.111.111.165
object network RMG-WAREHOUSE
nat (inside,outside) static 111.111.111.166
object network RMG-RMS
nat (inside,outside) static 111.111.111.167
object network RMG-SHAREPOINT
nat (inside,outside) static 111.111.111.168
object network RMG-SQL
nat (inside,outside) static 111.111.111.172
object network RMG-DEMO
nat (inside,outside) static 111.111.111.170
object network REC-WEBCAM
nat (inside,outside) static 111.111.111.173
object network J-MERRITT
nat (inside,outside) static 111.111.111.174
object network L-MARCHESE
nat (inside,outside) static 111.111.111.175
object network RMG-UAT
nat (inside,outside) static 111.111.111.163
object network CLIENT_VPN
nat (outside,outside) dynamic interface
object network WORKSTATION_LAN
nat (any,outside) dynamic interface
object network SERVERS
nat (inside,outside) dynamic interface
object network RMG-SHAREPOINT2
nat (inside,outside) static 111.111.111.169
object network GUEST_LAN
nat (any,outside) dynamic 111.111.111.189
object network GARAN_TEST
nat (any,outside) dynamic 111.111.111.189
object network DMZ
nat (dmz,outside) dynamic interface
access-group outside_in in interface outside
access-group dmz_in in interface dmz
route outside 0.0.0.0 0.0.0.0 111.111.111.161 1
route inside 10.0.0.0 255.255.255.0 192.168.201.2 1
route inside 10.0.2.0 255.255.255.0 192.168.201.2 1
route inside 10.0.3.0 255.255.255.0 192.168.201.2 1
route inside 10.0.10.0 255.255.255.0 192.168.201.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map ad_group
  map-name  memberOf Group-Policy
  map-value memberOf "CN=VPN - IT,OU=RMG Groups,DC=domain,DC=com" client_vpn_split
  map-value memberOf "CN=VPN - Remote Desktop Split,OU=RMG Groups,DC=domain,DC=com" client_vpn_split
  map-value memberOf "CN=VPN - Remote Desktop,OU=RMG Groups,DC=domain,DC=com" client_vpn
  map-value memberOf "CN=VPN - Remote Worker Split,OU=RMG Groups,DC=domain,DC=com" client_vpn_split
  map-value memberOf "CN=VPN - Remote Worker,OU=RMG Groups,DC=domain,DC=com" client_vpn
  map-value memberOf "CN=VPN - Retail,OU=RMG Groups,DC=domain,DC=com" client_vpn
  map-value memberOf "CN=VPN - WH2K8,OU=RMG Groups,DC=domain,DC=com" client_vpn
dynamic-access-policy-record DfltAccessPolicy
dynamic-access-policy-record Retail
network-acl vpn_retail
dynamic-access-policy-record Remote_Desktop
network-acl vpn_remote_desktop
dynamic-access-policy-record Remote_Worker
network-acl vpn_remote_worker
dynamic-access-policy-record WH2K8
network-acl vpn_wh2k8
aaa-server ad_auth protocol ldap
reactivation-mode timed
aaa-server ad_auth (inside) host 10.0.0.3
server-port 636
ldap-base-dn DC=domain,DC=com
ldap-group-base-dn DC=domain,DC=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=LDAP Bind,OU=Service,OU=RMG Users,DC=domain,DC=com
ldap-over-ssl enable
server-type microsoft
ldap-attribute-map ad_group
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
aaa authorization command LOCAL
http server enable
http 10.0.0.0 255.0.0.0 inside
http redirect outside 80
snmp-server host inside 10.0.0.36 community ***** version 2c
snmp-server location MDF
snmp-server contact Administrator
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set esp_aes256_sha esp-aes-256 esp-sha-hmac
crypto dynamic-map client_vpn_map 10 match address client_vpn_outside_cryptomap
crypto dynamic-map client_vpn_map 10 set ikev1 transform-set esp_aes256_sha
crypto map vpn_map 10 match address rackspace_outside_cryptomap
crypto map vpn_map 10 set peer 333.111.111.23
crypto map vpn_map 10 set ikev1 transform-set esp_aes256_sha
crypto map vpn_map 20 ipsec-isakmp dynamic client_vpn_map
crypto map vpn_map interface outside
crypto isakmp identity address
crypto isakmp nat-traversal 10
crypto ikev2 remote-access trustpoint sub.domain.com
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
telnet timeout 1
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 15
console timeout 0
management-access inside
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.5.41.41
ssl trust-point sub.domain.com outside
ssl trust-point sub.domain.com outside vpnlb-ip
webvpn
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-3.0.5080-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-3.0.5080-k9.pkg 2 regex "Intel Mac OS X"
anyconnect image disk0:/anyconnect-linux-3.0.5080-k9.pkg 3 regex "Linux"
anyconnect image disk0:/anyconnect-linux-64-3.0.5080-k9.pkg 4 regex "Linux"
anyconnect profiles rmg_anyconnect_profile disk0:/rmg_anyconnect_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy DenyAccess internal
group-policy DenyAccess attributes
wins-server value 10.0.0.3
dns-server value 10.0.0.3 10.0.0.9
vpn-simultaneous-logins 0
vpn-tunnel-protocol ikev2
default-domain value domain.com
group-policy DfltGrpPolicy attributes
wins-server value 10.0.0.3
dns-server value 10.0.0.3 10.0.0.9
default-domain value domain.com
group-policy rackspace_l2l_policy internal
group-policy rackspace_l2l_policy attributes
vpn-idle-timeout none
vpn-tunnel-protocol ikev1
group-policy client_vpn internal
group-policy client_vpn attributes
vpn-simultaneous-logins 3
vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
address-pools value client_vpn_pool
webvpn
  anyconnect keep-installer installed
  anyconnect profiles value rmg_anyconnect_profile type user
  anyconnect ask none default anyconnect
  customization value client_portal
group-policy client_vpn_ext external server-group ad_auth
group-policy client_vpn_split internal
group-policy client_vpn_split attributes
vpn-simultaneous-logins 3
vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel
address-pools value client_vpn_split_pool
webvpn
  anyconnect keep-installer installed
  anyconnect profiles value rmg_anyconnect_profile type user
  anyconnect ask none default anyconnect
  customization value client_portal
username user1 password encrypted privilege 15
username user2 password encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
authentication-server-group ad_auth
tunnel-group 333.111.111.23 type ipsec-l2l
tunnel-group 333.111.111.23 general-attributes
default-group-policy rackspace_l2l_policy
tunnel-group 333.111.111.23 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group client_vpn type remote-access
tunnel-group client_vpn general-attributes
address-pool client_vpn_pool
authentication-server-group ad_auth
authorization-server-group ad_auth
default-group-policy DenyAccess
authorization-required
tunnel-group client_vpn webvpn-attributes
customization client_portal
group-alias RMG enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
smtp-server 10.0.0.8
prompt hostname context
no call-home reporting anonymous

3560

======================


version 15.0
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname 3560MDF
!
boot-start-marker
boot-end-marker
!
enable secret 5
!
username user1 privilege 15 password 7
username user2 privilege 15 password 7
no aaa new-model
clock timezone EST 0 0
clock summer-time EST recurring
system mtu routing 1500
ip routing
ip domain-name domain.com
!
!
!
!
crypto pki trustpoint TP-self-signed-1452059392
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1452059392
revocation-check none
rsakeypair TP-self-signed-1452059392
!
!
crypto pki certificate chain TP-self-signed-1452059392
certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
auto qos srnd4
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface Port-channel1
switchport mode access
!
interface GigabitEthernet0/1
description ASA5510MDF Inside
no switchport
ip address 192.168.201.2 255.255.255.252
!
interface GigabitEthernet0/2
description ASA5510MDF DMZ
switchport access vlan 11
!
interface GigabitEthernet0/3
description ASA5510MDF Guest
switchport access vlan 16
!
interface GigabitEthernet0/4
description RMG-OPENFILER LAG
switchport access vlan 10
switchport mode access
channel-group 1 mode active
!
interface GigabitEthernet0/5
switchport access vlan 10
!
interface GigabitEthernet0/6
switchport access vlan 10
!
interface GigabitEthernet0/7
switchport access vlan 10
!
interface GigabitEthernet0/8
switchport access vlan 10
!
interface GigabitEthernet0/9
switchport access vlan 100
!
interface GigabitEthernet0/10
switchport access vlan 10
!
interface GigabitEthernet0/11
switchport access vlan 10
!
interface GigabitEthernet0/12
switchport access vlan 10
!
interface GigabitEthernet0/13
switchport access vlan 10
!
interface GigabitEthernet0/14
description RMG-OPENFILER LAG
switchport access vlan 10
switchport mode access
channel-group 1 mode active
!
interface GigabitEthernet0/15
switchport access vlan 10
!
interface GigabitEthernet0/16
switchport access vlan 10
!
interface GigabitEthernet0/17
description WS5100RS Uplink
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/18
description WS5100 Uplink
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/19
description Symbol Access Port
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/20
description Symbol Access Port
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/21
description Symbol Access Port
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/22
description Symbol Access Port
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/23
description Symbol Access Port
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/24
switchport access vlan 10
!
interface GigabitEthernet0/25
switchport access vlan 10
!
interface GigabitEthernet0/26
switchport access vlan 10
!
interface GigabitEthernet0/27
switchport access vlan 10
!
interface GigabitEthernet0/28
switchport access vlan 10
!
interface GigabitEthernet0/29
switchport access vlan 10
!
interface GigabitEthernet0/30
switchport access vlan 10
!
interface GigabitEthernet0/31
switchport access vlan 10
!
interface GigabitEthernet0/32
switchport access vlan 10
!
interface GigabitEthernet0/33
switchport access vlan 10
!
interface GigabitEthernet0/34
switchport access vlan 10
!
interface GigabitEthernet0/35
description ESXi Host
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk
!
interface GigabitEthernet0/36
description ESXi Host
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk
!
interface GigabitEthernet0/37
description ESXi Host
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk
!
interface GigabitEthernet0/38
description ESXi Host
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk
!
interface GigabitEthernet0/39
description ESXi Host
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk
!
interface GigabitEthernet0/40
description ESXi Host
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk
!
interface GigabitEthernet0/41
description SG300MDF Uplink
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport mode trunk
!
interface GigabitEthernet0/42
switchport access vlan 10
!
interface GigabitEthernet0/43
description 2950MDF Uplink
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/44
switchport access vlan 10
!
interface GigabitEthernet0/45
switchport access vlan 10
!
interface GigabitEthernet0/46
switchport access vlan 10
!
interface GigabitEthernet0/47
switchport access vlan 10
!
interface GigabitEthernet0/48
switchport access vlan 10
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/49
switchport access vlan 10
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/50
switchport access vlan 10
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/51
description 2960IDF1 Uplink
switchport trunk encapsulation dot1q
switchport mode trunk
auto qos trust
macro description cisco-switch
spanning-tree link-type point-to-point
!
interface GigabitEthernet0/52
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
description Servers
ip address 10.0.0.1 255.255.255.0
!
interface Vlan12
description Printers
ip address 10.0.2.1 255.255.255.0
!
interface Vlan13
description Workstations
ip address 10.0.3.1 255.255.255.0
ip helper-address 10.0.0.3
!
interface Vlan100
description Management
ip address 10.0.10.1 255.255.255.0
!
ip default-gateway 10.0.10.1
ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.201.1
!
logging esm config
access-list 1 permit 10.0.0.36
snmp-server community RO 1
snmp-server location IDF1
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server host 10.0.0.36 version 2c
!
!
line con 0
line vty 0 4
exec-timeout 30 0
password 7
login local
length 0
line vty 5 15
password 7
login local
!
end

Re: DMZ Communication Issues on ASA5510 to 3560

At first glance, I do not see anything wrong with your current configuration. I will lab this up tomorrow to see if I can replicate your issue.

Kind Regards,

Kevin

Kind Regards, Kevin Sheahan, CCIE # 41349

Re: DMZ Communication Issues on ASA5510 to 3560

Hello again,

Ok, so after labbing this up I was unable to fully replicate your issue, mostly due to the lack of the same type of VM environment that you have up on your network. I was able to poke around a bit and you may try adding back the SVI to your 3560 and specifying an IP address on it this time.

interface vlan 11
ip add 10.0.1.2 255.255.255.0
no shut

There is no need for a route on your ASA to this network because it is directly connected. Adding this SVI on your 3560 will also make it directly connected there too.

This should resolve your connectivity issues and allow your hosts on that vlan to communicate.

Sorry it took so long to come up with this.. been a busy few days.

Kind Regards,

Kevin

Kind Regards, Kevin Sheahan, CCIE # 41349
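A caveat on the SVI suggested above, with an added example that is not part of the thread. The 3560 already has ip routing enabled and routed SVIs for the Servers (10.0.0.1), Printers (10.0.2.1) and Workstations (10.0.3.1) VLANs, so an SVI with an address in VLAN 11 makes the switch a second router between the DMZ and those VLANs: anything on a DMZ host that uses 10.0.1.2 as its next hop reaches the inside subnets without crossing the ASA's dmz_in ACL, and the switch forwards the return traffic directly as well. It is fine for troubleshooting, but it should be ACL'd or removed afterwards; the thread's eventual fix did not need it. The Python below is a check for that condition: it parses an IOS-style config (the excerpt is constructed from the 3560 config in the thread plus the suggested Vlan11 SVI) and reports any routed SVI whose subnet is one the firewall terminates, together with the other SVI subnets it would reach. The FIREWALL_SEGMENTS table is an assumption supplied by the example, taken from the ASA's dmz interface address.

```python
import ipaddress
import re

# Constructed excerpt modelled on the 3560 config in the thread, with the
# suggested "interface Vlan11 / ip address 10.0.1.2" added. Not the thread's text.
SWITCH_CONFIG = """\
ip routing
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 description Servers
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan11
 description DMZ
 ip address 10.0.1.2 255.255.255.0
!
interface Vlan13
 description Workstations
 ip address 10.0.3.1 255.255.255.0
!
interface Vlan100
 description Management
 ip address 10.0.10.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.201.1
"""

# Assumption for the example: segments whose policy is meant to live only on
# the firewall (the ASA's dmz interface is 10.0.1.1/24 in the thread).
FIREWALL_SEGMENTS = {"dmz": ipaddress.ip_network("10.0.1.0/24")}


def routing_enabled(config):
    """True when the switch is a router (global 'ip routing' present)."""
    return any(line.strip() == "ip routing" for line in config.splitlines())


def parse_svis(config):
    """Map each SVI that has an address and is not shut down to its ip_interface."""
    svis, shut, current = {}, set(), None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface (Vlan\d+)$", line, re.I)
        if m:
            current = m.group(1)
            continue
        if line == "!" or line.startswith("interface "):
            current = None          # left the SVI block
            continue
        if current is None:
            continue
        m = re.match(r"ip address (\S+) (\S+)$", line)
        if m:
            svis[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif line == "shutdown":
            shut.add(current)
    return {name: ifc for name, ifc in svis.items() if name not in shut}


def bypass_findings(config, firewall_segments):
    """SVIs that sit in a firewall-terminated segment on a routing switch.

    Each one is a second gateway from that segment into every other SVI
    subnet, i.e. a path around the firewall's interface ACLs."""
    if not routing_enabled(config):
        return []
    svis = parse_svis(config)
    findings = []
    for name, ifc in svis.items():
        for seg_name, seg in firewall_segments.items():
            if ifc.network.overlaps(seg):
                others = sorted(o.network for n, o in svis.items() if n != name)
                findings.append({"svi": name, "segment": seg_name,
                                 "reaches": [str(n) for n in others]})
    return findings


if __name__ == "__main__":
    for f in bypass_findings(SWITCH_CONFIG, FIREWALL_SEGMENTS):
        print(f"{f['svi']} routes the {f['segment']} segment to: {', '.join(f['reaches'])}")
```

Run it against the real running-config after adding or removing SVIs; an empty result means no routed SVI shares a subnet with a firewall-terminated segment.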

Re: DMZ Communication Issues on ASA5510 to 3560

Don't know why, but I never really looked at ipconfig on the VM side, but I am getting an autoconfiguration IPv4 address of 169.254.x.x.

And then on the ASA when I run sh arp, I see the two autoconfiguration IP addresses mapped to the same MAC address as the ASA's dmz interface.  I read somewhere else to turn off proxy ARP as a solution.  I will try this and report back.

Thank you for the help,

Garan


Re: DMZ Communication Issues on ASA5510 to 3560

So I ran:

sysopt noproxyarp dmz
clear arp dmz

Then reset the interfaces on the VMs and am now able to ping each host, their gateways, etc.
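The symptom reported above (host addresses in sh arp resolving to the dmz interface's own MAC) is the signature of the ASA answering ARP for addresses that belong to hosts on that segment: the VM's duplicate-address check gets a reply, so it refuses its configured address and falls back to a 169.254.x.x link-local one. One caveat on the fix: sysopt noproxyarp disables proxy ARP for the whole interface, so the ASA will also stop answering for any NAT-mapped addresses on the dmz side; if those are ever needed, the per-rule no-proxy-arp keyword on the nat statement is the narrower option. The Python below is an added example, not from the thread, that automates the check. It parses constructed show interface and show arp output (modelled on the ASA's format; the MAC addresses are made up) and lists ARP entries that resolve to the ASA's own interface MAC, plus any link-local addresses, which are the hosts that lost their configured address.

```python
import ipaddress
import re

# Constructed sample output, modelled on the ASA's "show interface" format.
# MACs are invented; the thread only reports that the two APIPA addresses
# resolved to the dmz interface's own MAC.
SHOW_INTERFACE = """\
Interface Ethernet0/1 "inside", is up, line protocol is up
        MAC address 0000.0c12.3455, MTU 1500
        IP address 192.168.201.1, subnet mask 255.255.255.252
Interface Ethernet0/2 "dmz", is up, line protocol is up
        MAC address 0000.0c12.3456, MTU 1500
        IP address 10.0.1.1, subnet mask 255.255.255.0
"""

# Constructed "show arp" output: interface, IP, MAC, age in seconds.
SHOW_ARP = """\
        inside 192.168.201.2 0011.2233.4455 12
        dmz 169.254.23.45 0000.0c12.3456 104
        dmz 169.254.200.17 0000.0c12.3456 98
        dmz 10.0.1.2 0050.56aa.bb01 30
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
IFACE_RE = re.compile(r'^Interface \S+ "(?P<name>[^"]+)"')
MAC_RE = re.compile(rf"MAC address (?P<mac>{MAC})", re.I)
ARP_RE = re.compile(rf"^\s*(?P<iface>\S+)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<mac>{MAC})",
                    re.I | re.M)
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def parse_interface_macs(text):
    """nameif -> the ASA's own MAC on that interface, from 'show interface'."""
    macs, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group("name")
            continue
        m = MAC_RE.search(line)
        if m and current:
            macs[current] = m.group("mac").lower()
    return macs


def parse_arp(text):
    """List of (interface, ip, mac) tuples from 'show arp'."""
    return [(m["iface"], m["ip"], m["mac"].lower()) for m in ARP_RE.finditer(text)]


def proxy_arp_suspects(arp_entries, iface_macs):
    """ARP entries whose MAC is the ASA's own MAC on that interface: the ASA
    answered ARP for an address that should belong to another host."""
    return [(iface, ip) for iface, ip, mac in arp_entries if iface_macs.get(iface) == mac]


def apipa_hosts(arp_entries):
    """Hosts that fell back to a link-local address after a conflict."""
    return [(iface, ip) for iface, ip, _ in arp_entries
            if ipaddress.ip_address(ip) in LINK_LOCAL]


def diagnose(show_interface, show_arp):
    entries = parse_arp(show_arp)
    return {"proxy_arp": proxy_arp_suspects(entries, parse_interface_macs(show_interface)),
            "apipa": apipa_hosts(entries)}


if __name__ == "__main__":
    report = diagnose(SHOW_INTERFACE, SHOW_ARP)
    for iface, ip in report["proxy_arp"]:
        print(f"{iface}: {ip} resolves to the ASA's own MAC (proxy ARP answered for it)")
    for iface, ip in report["apipa"]:
        print(f"{iface}: {ip} is link-local, host lost its configured address")
```

Feed it the real command output captured before running clear arp; after the sysopt change and clear arp the proxy_arp list should come back empty and the hosts should show their 10.0.1.x addresses again.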

Re: DMZ Communication Issues on ASA5510 to 3560

Nice find. Thanks for posting back the solution!!

Sent from Cisco Technical Support iPhone App

Kind Regards, Kevin Sheahan, CCIE # 41349