Solved: Indeed. Try that out and let

vinceobannon · ‎09-29-2014

Hey, im trying to route vlan traffic from my 3560 through my 2800 router to my ASA 5520. This Vlan has an IP different from an IP address on a different Vlan. I have two Vlan's setup.

Switch

Vlan 2: 10.1.1.15 /24

Vlan 10: 172.16.10.5 /24

I can route traffic via OSPF through Vlan 2 and hit the internet, but Vlan 10 cant hit the internet.

ASA Config:

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 192.168.1.103 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.1.1.30 255.255.255.0
!
interface GigabitEthernet0/1.10
vlan 10
nameif vlan10
security-level 0
ip address 172.16.10.10 255.255.255.0
!
interface GigabitEthernet0/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
no nameif
no security-level
no ip address
!
interface Management0/0
no nameif
no security-level
no ip address
!
ftp mode passive
access-list inside extended permit ip any any
access-list vlan10 extended permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu vlan10 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (vlan10) 1 0.0.0.0 0.0.0.0
access-group inside in interface inside
access-group vlan10 in interface vlan10
!
router ospf 1
network 10.1.1.0 255.255.255.0 area 0
network 172.16.10.0 255.255.255.0 area 0
network 192.168.1.0 255.255.255.0 area 0
log-adj-changes
default-information originate always
!
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 10.1.1.31-10.1.1.99 inside
dhcpd dns 8.8.8.8 interface inside
dhcpd enable inside
!
dhcpd address 172.16.10.21-172.16.10.50 vlan10
dhcpd dns 8.8.8.8 interface vlan10
dhcpd enable vlan10
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:dcdbe42707254b43aa47e147b0c6598a
ciscoasa#

Switch config:

aaa new-model
!
!
!
!
!
aaa session-id common
system mtu routing 1500
vtp mode transparent
ip routing
ip domain-name
!
!
!
!
crypto pki trustpoint TP-Self-signed
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate
revocation-check none
rsakeypair TP-self-signed
!
crypto pki trustpoint TP-self-signed-1338394240
revocation-check crl
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
no spanning-tree vlan 2
!
vlan internal allocation policy ascending
!
vlan 2,10,221
!
!
!
!
interface Loopback0
ip address 20.20.20.20 255.255.255.0
!
interface FastEthernet0/1
switchport access vlan 2
ip access-group Digi in
spanning-tree bpduguard disable
!
interface FastEthernet0/2
switchport access vlan 2
spanning-tree bpduguard disable
!
interface FastEthernet0/3
switchport access vlan 2
spanning-tree bpduguard disable
!
interface FastEthernet0/4
switchport access vlan 2
spanning-tree bpduguard disable
!
interface FastEthernet0/5
switchport access vlan 10
switchport mode access
spanning-tree bpduguard disable
!
interface FastEthernet0/6
switchport access vlan 10
switchport mode access
spanning-tree bpduguard disable
!
interface FastEthernet0/7
switchport access vlan 10
switchport mode access
spanning-tree bpduguard disable
!
interface FastEthernet0/8
switchport access vlan 10
switchport mode access
spanning-tree bpduguard disable
!
interface FastEthernet0/9
switchport access vlan 2
spanning-tree bpduguard disable
!
interface FastEthernet0/10
switchport access vlan 7
spanning-tree bpduguard disable
!
interface FastEthernet0/11
switchport access vlan 7
spanning-tree bpduguard disable
!
interface FastEthernet0/12
switchport access vlan 7
spanning-tree bpduguard disable
!
interface FastEthernet0/13
switchport access vlan 2
spanning-tree bpduguard disable
!
interface FastEthernet0/14
switchport access vlan 2
spanning-tree bpduguard disable
!
interface FastEthernet0/15
switchport access vlan 2
spanning-tree bpduguard disable
!
interface FastEthernet0/16
switchport access vlan 2
spanning-tree bpduguard disable
!
interface FastEthernet0/17
switchport access vlan 2
spanning-tree bpduguard disable
!
interface FastEthernet0/18
switchport access vlan 2
spanning-tree bpduguard disable
!
interface FastEthernet0/19
switchport access vlan 2
spanning-tree bpduguard disable
!
interface FastEthernet0/20
switchport access vlan 2
spanning-tree bpduguard disable
!
interface FastEthernet0/21
switchport access vlan 2
spanning-tree bpduguard disable
!
interface FastEthernet0/22
switchport access vlan 2
spanning-tree bpduguard disable
!
interface FastEthernet0/23
switchport access vlan 2
switchport mode access
spanning-tree bpduguard disable
!
interface FastEthernet0/24
switchport access vlan 2
switchport mode access
spanning-tree bpduguard disable
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
no ip address
shutdown
!
interface Vlan2
description Network Management VLAN
ip address 10.1.1.15 255.255.255.0

!
interface Vlan7
no ip address
!
interface Vlan10
ip address 172.16.10.5 255.255.255.0
!
router ospf 1
log-adjacency-changes
redistribute connected subnets
network 10.1.1.0 0.0.0.255 area 0
network 172.16.10.0 0.0.255.255 area 0

!
ip classless
ip route profile
ip route 0.0.0.0 0.0.0.0 10.1.1.20
ip http server
ip http secure-server
!
!
ip radius source-interface Vlan7
!
radius-server host 172.x.x.x auth-port 1645 acct-port 1646
radius-server key 7 142402041E102F282C796166
!
banner login ^C
######################################################################
# WARNING #
# This network device is private property of #
# Unauthorized access is strictly prohibited and #
# subject to prosecution under international, state, federal #
# and local statutes. This device is subject to monitoring. #
# If you are unauthorized or do not consent to #
# monitoring of usage disconnect NOW. #
# #
######################################################################^C

!
end

GA-Test-Switch-3560#

Router config:

hostname Router
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret 5 $
!
no network-clock-participate wic 0
no network-clock-participate wic 1
aaa new-model
!
!
aaa authentication login default local
aaa session-id common
ip subnet-zero
!
!
ip cef
!
!
no ftp-server write-enable
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username
!
!
controller E1 0/0/0
!
controller E1 0/1/0
!
!
!
interface Loopback0
ip address 10.10.10.10 255.255.255.0
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.1.1.20 255.255.255.0
duplex auto
speed auto
!
router ospf 1
log-adjacency-changes
redistribute connected subnets
network 10.1.1.0 0.0.0.255 area 0
network 172.16.10.0 0.0.255.255 area 0
network 192.168.1.0 0.0.0.255 area 0
!
ip classless
!
!
ip http server
no ip http secure-server
ip ospf name-lookup
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
scheduler allocate 20000 1000
!
end

Router#

Help me please.

Sunil Bhadauria · ‎09-30-2014

Hello Vince ,

I have some experience with firewalls so will try to answer the query

Here are two things that I can see , could be worth checking :

1)

Wan side port has security level as 0 , lowest

For Gi0/1 interface ( vlan 2 is connected and reaching internet via this port ) has security-level as 100 , highest . We do not need any policy to reachability from higher to lower security zones in ASA .

But for sub-interface Gi0/1.10 ( Vlan 10 is connected and reaching internet via this port ) i can see security-level as 0 , lowest .

And as far as I know , By default interfaces on the same security level cannot communicate with each other .

anyways if needed below command can achieve it :

same-security-traffic permit inter-interface

2) another point is why on ASA we have configured vlan 2 ip on physical interface and Vlan 10 ip on sub-interface . I never tested such configuration and was exptecting to see another subinterface for vlan 2 connectivity as well .

Hope to help .

Regards

Sunil Bhadauria

! kindly rate all helpful posts !

View solution in original post

campbech1 · ‎09-30-2014

Also on the switch I don't see any ports that are setup to be trunks.

How I've done this in the past is to setup a trunk, set it with a native VLAN that isn't in use anywhere (3100), and then create sub-interfaces for any and all VLANs that need to be tagged to the ASA. This then allows you to also tag VLAN 1 traffic and keep a uniformed configuration.

View solution in original post

Rajeev Sharma · ‎09-29-2014

Hey,

How does router knows about 172.x.x.x subnet?

Regards,

RS.

vinceobannon · ‎09-29-2014

I would assume through ospf, but I could be wrong. Do I need to make a sub interface with the 172.16.x.x subnet on the router?

Rajeev Sharma · ‎09-29-2014

Indeed. Try that out and let us know the result.

HTH.

Regards,
RS.

vinceobannon · ‎09-30-2014

Didn't work. I created a sub interface on the router pointing to 172.16.10.x and still nothing. Im doing this in a lab environment using a 4G LTE connection for internet. I can switch Vlan's on the switch port that my laptop is connected to and get out to the internet. What else am I missing?

Rajeev Sharma · ‎09-30-2014

Do you have vlan 10 passing between switch and router?

I hope you are connecting your machine on switch with access vlan 10. Check with command:

#show int trunk

And make sure that vlan 10 is passing from switch to router.

Regards,

RS.

vinceobannon · ‎09-30-2014

It should have vlan 10 passing through. I setup the vlan the same way as vlan 2 with the exception of the sub interface on the router. Not too mention the ospf statements on the switch, router and asa. On the router it sees the vlan 10 ip as ospf. Same for the asa.

Rajeev Sharma · ‎09-30-2014

Still I suggest running '#show int trunk' command on switch verify; because there could be a possibility of broken broadcast domain.

Regards,

RS.

vinceobannon · ‎10-01-2014

I would like to thank all of you that helped me. I finally got it working. At one point I figured by creating a sub-interface with Vlan 10 under the main interface with Vlan 2 would work just fine and pass traffic through to my ASA. Boy was I wrong. I ended up removing the sub-interface and created a new interface under G0/2 pointing to Vlan 10. I then trunked the router port over to my switch as was suggested. On my ASA I added the typical access-lists to get it through. OSPF passes traffic through just fine. Thank you all again. If anyone wants to check out my configs i'll be more than happy to share. Now I have a 7200 VXR router to play with and add to my lab network.

I do have one more question though...In my network I have a switch, ASA and router. Whats the best practice to set it up? Internet-ASA-Router-Switch or Internet-Router-ASA-Switch?

Also, what if I want to add another Vlan with a different IP? How would I go about setting that up if I run out of ports on my router and ASA?

Sunil Bhadauria · ‎10-01-2014

Hello Vince ,

Its good to hear that issue is resolved .

Regarding current concern , I would recommend to have ASA interfacing with internet . As we never know what is coming from internet side and may cause resource issues on devices , ASA are built to avoid such issues .

HTH

Regards

Sunil Bhadauria

! kindly rate all helpful posts !

vinceobannon · ‎10-01-2014

Not sure my edit came through, but

Also, what if I want to add another Vlan with a different IP? How would I go about setting that up if I run out of ports on my router and ASA?

Sunil Bhadauria · ‎10-01-2014

Hello Vince ,

I that case you may use sub-interfaces on asa and connect this interface to a trunk port ( dot1q).Physical port on ASA act as trunk port and we do not need to configure it separately .

Another solution I can think of is :

however i have never tried but i think it will work , you can try connect this asa port to a router port which can have multiple tagged sub-interfaces ( dot1q).

HTH

Sunil Bhadauria

! Kindly rate all helpful posts and accordingly make correct to help forum !

vinceobannon · ‎10-01-2014

I tried that earlier and it did what I wanted, but it takes away from the ports on the router and switch. On the router im already using both ports to the switch. Would I create a sub-interface on the router under fa0/2? Like fa0/2.xx? I tried that as well and it didnt work. Unless I was missing something. I dunno. I also tried sub-interfaces on the ASA and trunked them to the switch and I do get the trunking back and forth, but it didnt work.

Sunil Bhadauria · ‎10-01-2014

May be you can provide the configurations of either side in both scenarios .

Regards

Sunil Bhadauria

vinceobannon · ‎10-01-2014

Here's the config for both my router and ASA as they stand right now. If you need the switch config let me know...

Router#sh config
Using 1258 out of 245752 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret 5 $1$AjKR$u/X0XfG77hUeiQ5XLMxQp0
!
no network-clock-participate wic 0
no network-clock-participate wic 1
aaa new-model
!
!
aaa authentication login default local
aaa session-id common
ip subnet-zero
!
!
ip cef
!
!
no ftp-server write-enable
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username
!
!
controller E1 0/0/0
!
controller E1 0/1/0
!
!
!
interface Loopback0
ip address 10.10.10.10 255.255.255.0
!
interface FastEthernet0/0
ip address 10.1.1.20 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.16.10.11 255.255.255.0
duplex auto
speed auto
!
router ospf 1
log-adjacency-changes
redistribute connected
network 10.1.1.0 0.0.0.255 area 0
network 172.16.10.0 0.0.0.255 area 0
network 172.16.20.0 0.0.0.255 area 0
network 192.168.1.0 0.0.0.255 area 0
!
ip classless
!
!
ip http server
no ip http secure-server
ip ospf name-lookup
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
scheduler allocate 20000 1000
!
end

Router#

ciscoasa# sh config
: Saved
: Written by enable_15 at 15:58:15.319 UTC Wed Oct 1 2014
!
ASA Version 8.0(4)
!
hostname ciscoasa
enable
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 192.168.1.103 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.1.1.30 255.255.255.0
!
interface GigabitEthernet0/2
nameif vlan10
security-level 100
ip address 172.16.10.12 255.255.255.0
!
interface GigabitEthernet0/3
no nameif
no security-level
no ip address
!
interface Management0/0
no nameif
no security-level
no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
access-list inside extended permit ip any any
access-list vlan10 extended permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu vlan10 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (vlan10) 1 0.0.0.0 0.0.0.0
access-group inside in interface inside
access-group vlan10 in interface vlan10
!
router ospf 1
network 10.1.1.0 255.255.255.0 area 0
network 172.16.10.0 255.255.255.0 area 0
network 172.16.20.0 255.255.255.0 area 0
network 192.168.1.0 255.255.255.0 area 0
log-adj-changes
default-information originate always
!
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 10.1.1.41-10.1.1.99 inside
dhcpd dns 8.8.8.8 interface inside
dhcpd enable inside
!
dhcpd address 172.16.10.50-172.16.10.99 vlan10
dhcpd dns 8.8.8.8 interface vlan10
dhcpd enable vlan10
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:cd91a5c7189be1f5227d10cf9b38de80
ciscoasa#

Trying to route Vlan traffic from 3560 through ASA 5520