No communication between VLAN gateways - ASA & layer 2 switch

cmi_marketing
Level 1

ISSUE: Can't ping the gateway of other VLANs, which is causing a problem getting DHCP from Active Directory.

I have a straightforward config in my test lab.  I have an ASA5520 (3 VLANs) and a Cisco layer 2 switch.  I have a total of 3 VLANs:

Vlan0010 - 10.10.10.1 (gateway)

Vlan0020 - 10.10.20.1 (gateway)

Vlan0030 - 10.10.30.1 (gateway)

Vlan 30 can ping other machines in the test lab through Vlan 20 and Vlan 10.  When I give a machine a static address, I can authenticate to my Active Directory DC regardless of the VLAN.  When I remove the static address and attempt to connect via DHCP, it fails.  All the subnets are configured accordingly, but the PCs in vlan0020 and vlan0010 do not get addresses.  I cannot ping the gateway of other VLANs, but I can ping the machines within the VLANs.  I can however get a DHCP address from machines inside VLAN30.

I have created the IP helper command on the VLANs on the switch (ip helper-address 10.10.30.2), and have added the dhcprelay server 10.10.30.2 vlan0030 command on the ASA.

I need to be able to communicate with the gateways so I can get DHCP from machines outside the VLAN my Active Directory DC resides in.

Vlan0030 - DHCP server, machines on this VLAN get DHCP, can't ping gateway of Vlan0020 or Vlan0010

Vlan0020 - These machines can't get a DHCP address or ping the Vlan0030 gateway.  Can ping machines in different VLANs.

Vlan0010 - These machines can't get a DHCP address or ping the Vlan0030 gateway.  Can ping machines in different VLANs.

ASA Config provided below.

5 Replies

Reza Sharifi
Hall of Fame

I have created the IP helper command on the VLan's on the switch (ip helper-address 10.10.30.2)

If this switch is layer-2 only then you don't need the IP helper address command.

also, can you add "dhcprelay enable inside" to the firewall and test again?

HTH

Reza_Sharifi

Thanks for the reply.  I checked the ASA, and I do not have the option for 'inside'.  When I run the command dhcprelay enable ... I have these options:

Management
Outside
VLAN0010
VLAN0020
VLAN0030

glen.grant
VIP Alumni

Sounds like your trunking setup is incorrect or not working correctly between the FW and the switch.  Maybe post the relevant parts of the FW and switch configs for the port between them.

glen.grant

I probably should have added that in the first place.  I have listed both (what I think are) relevant areas of the switch and firewall.  If you need to take a look at the entire ASA config, I attached that with my initial posting.

Switch

interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,10,20,30,1002-1005
 switchport mode trunk
!
interface FastEthernet0/2
!
interface FastEthernet0/3
 switchport access vlan 20
!
interface FastEthernet0/4
 switchport access vlan 10
!
interface FastEthernet0/5
 switchport access vlan 10
!
interface FastEthernet0/6
!
interface FastEthernet0/7
 switchport access vlan 10
!
interface FastEthernet0/8
!
interface FastEthernet0/9
 switchport access vlan 30
!
interface FastEthernet0/10
!
interface FastEthernet0/11
 switchport access vlan 30
!
interface VLAN1
 no ip address
 no ip directed-broadcast
 no ip route-cache
 shutdown
!
interface VLAN10
 ip helper-address 10.10.30.2
 no ip directed-broadcast
 no ip route-cache
!
interface VLAN20
 ip helper-address 10.10.30.2
 no ip directed-broadcast
 no ip route-cache
 shutdown
!
interface VLAN30
 ip helper-address 10.10.30.2
 no ip directed-broadcast
 no ip route-cache
 shutdown

ASA

ASA Version 8.2(5)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 shutdown
 nameif outside
 security-level 0
 no ip address
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 security-level 100
 no ip address
!
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2.10
 vlan 10
 nameif vlan0010
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/2.20
 vlan 20
 nameif vlan0020
 security-level 100
 ip address 10.10.20.1 255.255.255.0
!
interface GigabitEthernet0/2.30
 vlan 30
 nameif vlan0030
 security-level 100
 ip address 10.10.30.1 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list capin extended permit ip any 10.10.20.0 255.255.255.0
access-list capin extended permit ip 10.10.20.0 255.255.255.0 any
access-list capin extended permit ip any 10.10.10.0 255.255.255.0
access-list capin extended permit ip 10.10.10.0 255.255.255.0 any
access-list capin extended permit ip 10.10.30.0 255.255.255.0 any
access-list capin extended permit ip any 10.10.30.0 255.255.255.0
access-list permit extended permit icmp interface vlan0030 any
access-list permit extended permit icmp interface vlan0010 any
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
dhcprelay server 10.10.30.2 vlan0030
dhcprelay timeout 90
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn


OK, this was resolved.  For anyone that has a similar issue, the problem had nothing to do with the switch.  I missed a necessary step on the ASA.  I did have part of the command but overlooked the rest of it.

dhcprelay server 10.10.30.2 vlan0030

From the config listed in my earlier post, you can see I added the dhcprelay server command already.  What I didn't do was add the enable command.  Below are the commands that needed to be run.  You need to run the enable command for every VLAN on your network that requires DHCP from your Windows network.

dhcprelay server 10.10.30.2 vlan0030

dhcprelay enable vlan0010

dhcprelay enable vlan0020
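The two things this thread had to rule out, trunk VLAN membership between the switch and the ASA (glen.grant's suggestion) and the missing `dhcprelay enable` per interface (the actual fix), can both be checked offline against saved configs. The script below is an added example and is not code from the thread or from Cisco; the config excerpts are constructed from the configs posted above, the parsers handle only the indented interface-block layout shown there (they are not a general Cisco config parser), and the function names are my own. The relay check applies the rule the resolution states: when `dhcprelay server` is set, every named data interface other than the management-only one and the interface facing the DHCP server needs its own `dhcprelay enable <nameif>` line.

```python
"""Offline sanity check for the ASA + layer-2 switch lab in the thread.

Check 1: every VLAN carried by an ASA subinterface is allowed on the switch trunk.
Check 2: with 'dhcprelay server' set, every other named data interface on the
         ASA has 'dhcprelay enable <nameif>' (the step the thread was missing).
"""
import re

# Constructed excerpts, copied from the configs posted in the thread.
SWITCH_CFG = """\
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,10,20,30,1002-1005
 switchport mode trunk
!
interface FastEthernet0/3
 switchport access vlan 20
!
"""

ASA_CFG_BEFORE = """\
interface GigabitEthernet0/2.10
 vlan 10
 nameif vlan0010
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/2.20
 vlan 20
 nameif vlan0020
 security-level 100
 ip address 10.10.20.1 255.255.255.0
!
interface GigabitEthernet0/2.30
 vlan 30
 nameif vlan0030
 security-level 100
 ip address 10.10.30.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
dhcprelay server 10.10.30.2 vlan0030
dhcprelay timeout 90
"""

# The resolved config: the same plus the two enable lines from the last post.
ASA_CFG_AFTER = ASA_CFG_BEFORE + "dhcprelay enable vlan0010\ndhcprelay enable vlan0020\n"


def parse_asa_interfaces(cfg):
    """Map nameif -> {'vlan': int|None, 'management_only': bool} for named interfaces.

    Sub-commands are indented by one space; any unindented line ends the block.
    """
    ifaces, current = {}, None
    for line in cfg.splitlines():
        if not line.startswith(" "):
            current = {"vlan": None, "management_only": False} if line.startswith("interface ") else None
            continue
        if current is None:
            continue
        s = line.strip()
        if s.startswith("vlan "):
            current["vlan"] = int(s.split()[1])
        elif s.startswith("nameif "):
            ifaces[s.split()[1]] = current
        elif s == "management-only":
            current["management_only"] = True
    return ifaces


def expand_vlan_list(spec):
    """'1,10,20,30,1002-1005' -> {1, 10, 20, 30, 1002, 1003, 1004, 1005}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def trunk_config(switch_cfg, port):
    """(is_trunk, allowed_vlans) for one switch port; allowed is None when no list is set."""
    current, is_trunk, allowed = None, False, None
    for line in switch_cfg.splitlines():
        if not line.startswith(" "):
            current = line.split()[1] if line.startswith("interface ") else None
            continue
        s = line.strip()
        if current == port and s == "switchport mode trunk":
            is_trunk = True
        elif current == port and s.startswith("switchport trunk allowed vlan "):
            allowed = expand_vlan_list(s.split()[-1])
    return is_trunk, allowed


def check_trunk(switch_cfg, port, asa_ifaces):
    """ASA subinterface VLAN IDs the switch port would not carry (empty list is good)."""
    is_trunk, allowed = trunk_config(switch_cfg, port)
    needed = {i["vlan"] for i in asa_ifaces.values() if i["vlan"] is not None}
    if not is_trunk:
        return sorted(needed)  # an access port carries none of the tagged subinterfaces
    if allowed is None:
        return []  # trunk with no allowed-list: every VLAN is carried
    return sorted(needed - allowed)


def check_dhcprelay(asa_cfg):
    """Named data interfaces that need 'dhcprelay enable' but lack it (empty list is good)."""
    ifaces = parse_asa_interfaces(asa_cfg)
    server_ifaces = set(re.findall(r"^dhcprelay server \S+ (\S+)$", asa_cfg, re.M))
    enabled = set(re.findall(r"^dhcprelay enable (\S+)$", asa_cfg, re.M))
    if not server_ifaces:
        return []  # no relay configured at all, nothing to check
    return sorted(name for name, info in ifaces.items()
                  if not info["management_only"] and name not in server_ifaces and name not in enabled)


if __name__ == "__main__":
    asa = parse_asa_interfaces(ASA_CFG_BEFORE)
    print("trunk Fa0/1 drops:", check_trunk(SWITCH_CFG, "FastEthernet0/1", asa))  # []
    print("relay missing before fix:", check_dhcprelay(ASA_CFG_BEFORE))  # ['vlan0010', 'vlan0020']
    print("relay missing after fix:", check_dhcprelay(ASA_CFG_AFTER))  # []
```

Run against the thread's configs, the trunk check comes back clean (10, 20 and 30 are all in the allowed list on Fa0/1), while the relay check on the original ASA config names exactly the two interfaces the final post had to enable, and returns nothing once those lines are present.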
