Trying to route Vlan traffic from 3560 through ASA 5520

vinceobannon
Level 1

Hey, I'm trying to route VLAN traffic from my 3560 through my 2800 router to my ASA 5520. This VLAN has an IP different from an IP address on a different VLAN. I have two VLANs set up.

 

Switch

Vlan 2: 10.1.1.15 /24

Vlan 10: 172.16.10.5 /24

I can route traffic via OSPF through VLAN 2 and hit the internet, but VLAN 10 can't hit the internet.

 

ASA Config:

 

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.1.103 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.30 255.255.255.0
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif vlan10
 security-level 0
 ip address 172.16.10.10 255.255.255.0
!
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 no nameif
 no security-level
 no ip address
!
ftp mode passive
access-list inside extended permit ip any any
access-list vlan10 extended permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu vlan10 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (vlan10) 1 0.0.0.0 0.0.0.0
access-group inside in interface inside
access-group vlan10 in interface vlan10
!
router ospf 1
 network 10.1.1.0 255.255.255.0 area 0
 network 172.16.10.0 255.255.255.0 area 0
 network 192.168.1.0 255.255.255.0 area 0
 log-adj-changes
 default-information originate always
!
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 10.1.1.31-10.1.1.99 inside
dhcpd dns 8.8.8.8 interface inside
dhcpd enable inside
!
dhcpd address 172.16.10.21-172.16.10.50 vlan10
dhcpd dns 8.8.8.8 interface vlan10
dhcpd enable vlan10
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:dcdbe42707254b43aa47e147b0c6598a
ciscoasa#

Switch config:

aaa new-model
!
!
!
!
!
aaa session-id common
system mtu routing 1500
vtp mode transparent
ip routing
ip domain-name 
!
!
!
!
crypto pki trustpoint TP-Self-signed
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate
 revocation-check none
 rsakeypair TP-self-signed
!
crypto pki trustpoint TP-self-signed-1338394240
 revocation-check crl
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
no spanning-tree vlan 2
!
vlan internal allocation policy ascending
!
vlan 2,10,221
!
!
!
!
interface Loopback0
 ip address 20.20.20.20 255.255.255.0
!
interface FastEthernet0/1
 switchport access vlan 2
 ip access-group Digi in
 spanning-tree bpduguard disable
!
interface FastEthernet0/2
 switchport access vlan 2
 spanning-tree bpduguard disable
!
interface FastEthernet0/3
 switchport access vlan 2
 spanning-tree bpduguard disable
!
interface FastEthernet0/4
 switchport access vlan 2
 spanning-tree bpduguard disable
!
interface FastEthernet0/5
 switchport access vlan 10
 switchport mode access
 spanning-tree bpduguard disable
!
interface FastEthernet0/6
 switchport access vlan 10
 switchport mode access
 spanning-tree bpduguard disable
!
interface FastEthernet0/7
 switchport access vlan 10
 switchport mode access
 spanning-tree bpduguard disable
!
interface FastEthernet0/8
 switchport access vlan 10
 switchport mode access
 spanning-tree bpduguard disable
!
interface FastEthernet0/9
 switchport access vlan 2
 spanning-tree bpduguard disable
!
interface FastEthernet0/10
 switchport access vlan 7
 spanning-tree bpduguard disable
!
interface FastEthernet0/11
 switchport access vlan 7
 spanning-tree bpduguard disable
!
interface FastEthernet0/12
 switchport access vlan 7
 spanning-tree bpduguard disable
!
interface FastEthernet0/13
 switchport access vlan 2
 spanning-tree bpduguard disable
!
interface FastEthernet0/14
 switchport access vlan 2
 spanning-tree bpduguard disable
!
interface FastEthernet0/15
 switchport access vlan 2
 spanning-tree bpduguard disable
!
interface FastEthernet0/16
 switchport access vlan 2
 spanning-tree bpduguard disable
!
interface FastEthernet0/17
 switchport access vlan 2
 spanning-tree bpduguard disable
!
interface FastEthernet0/18
 switchport access vlan 2
 spanning-tree bpduguard disable
!
interface FastEthernet0/19
 switchport access vlan 2
 spanning-tree bpduguard disable
!
interface FastEthernet0/20
 switchport access vlan 2
 spanning-tree bpduguard disable
!
interface FastEthernet0/21
 switchport access vlan 2
 spanning-tree bpduguard disable
!
interface FastEthernet0/22
 switchport access vlan 2
 spanning-tree bpduguard disable
!
interface FastEthernet0/23
 switchport access vlan 2
 switchport mode access
 spanning-tree bpduguard disable
!
interface FastEthernet0/24
 switchport access vlan 2
 switchport mode access
 spanning-tree bpduguard disable
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan2
 description Network Management VLAN
 ip address 10.1.1.15 255.255.255.0
 
!
interface Vlan7
 no ip address
!
interface Vlan10
 ip address 172.16.10.5 255.255.255.0
!
router ospf 1
 log-adjacency-changes
 redistribute connected subnets
 network 10.1.1.0 0.0.0.255 area 0
 network 172.16.10.0 0.0.255.255 area 0
 
!
ip classless
ip route profile
ip route 0.0.0.0 0.0.0.0 10.1.1.20
ip http server
ip http secure-server
!
!
ip radius source-interface Vlan7
!
radius-server host 172.x.x.x auth-port 1645 acct-port 1646
radius-server key 7 142402041E102F282C796166
!
banner login ^C
######################################################################
#                               WARNING                              #
#    This network device is private property of                      #
#    Unauthorized access is strictly prohibited and                  #
#    subject to prosecution under international, state, federal      #
#    and local statutes. This device is subject to monitoring.       #
#    If you are unauthorized or do not consent to                    #
#    monitoring of usage disconnect NOW.                             #
#                                                                    #
######################################################################^C

!
end

GA-Test-Switch-3560#

Router config:

hostname Router
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret 5 $
!
no network-clock-participate wic 0
no network-clock-participate wic 1
aaa new-model
!
!
aaa authentication login default local
aaa session-id common
ip subnet-zero
!
!
ip cef
!
!
no ftp-server write-enable
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username 
!
!
controller E1 0/0/0
!
controller E1 0/1/0
!
!
!
interface Loopback0
 ip address 10.10.10.10 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.1.1.20 255.255.255.0
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 redistribute connected subnets
 network 10.1.1.0 0.0.0.255 area 0
 network 172.16.10.0 0.0.255.255 area 0
 network 192.168.1.0 0.0.0.255 area 0
!
ip classless
!
!
ip http server
no ip http secure-server
ip ospf name-lookup
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
scheduler allocate 20000 1000
!
end

Router#

Help me please. 

21 Replies

Hello Vince,

 

These seem to be the current configs. Maybe I did not make myself clear enough.

As you say that you tried both of the suggested options for a multiple-VLAN setup and they did not work for you, I asked for those configurations on both ends in both scenarios (which did not work for you).

 

Because at least in the case of connecting the switch (trunk) to ASA subinterfaces it should have worked.

 

Regards

Sunil Bhadauria

I removed the config because it hadn't worked. This is what I did... I basically matched fa0/21 to fa0/22 with the exception of VLAN 20 rather than VLAN 10. I even tried using fa0/22 to trunk the router, where I had set up a sub-interface pointing to VLAN 20. With that setup I was able to ping the router using the VLAN 20 IP I had set up. I did the same thing to the ASA using a sub-interface pointing to VLAN 20. I couldn't ping the ASA with that address. I tried different scenarios, but none worked except for making fa0/21 a switchport on VLAN 20. The reason fa0/21 is on VLAN 10 is because it works to my ASA and I'm able to pull DHCP and get to the internet.

 

interface Vlan20
 ip address 172.16.20.10 255.255.255.0
!
interface FastEthernet0/21
 switchport access vlan 10
 switchport mode access
 spanning-tree bpduguard disable
!
interface FastEthernet0/22
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 100
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 spanning-tree portfast
 spanning-tree bpduguard disable

Once again I want to thank everyone for their help. After re-reading all the posts I realized what I was doing wrong. I was going at it the wrong way. I created two trunk ports on my switch and they both connect to my router and ASA. I then created two sub-interfaces on my router and ASA to coincide with the VLANs I created on my switch. I can ping all the way through with each IP assigned to interfaces and sub-interfaces. I was still racking my brain as to why I couldn't ping with the main IPs I assigned to each device. I then realized, like an idiot, I forgot to connect both devices to my switch through a regular port with access to the main VLAN on my switch. D'OH. I assigned a different VLAN to each switch port and I can plug my laptop into each one and pull DHCP and get to the internet. I'm also doing all my routing through OSPF. What a relief. Thanks again guys!

Akash Agrawal
Cisco Employee

 

A physical and logical topology diagram would help to understand the setup.

 

Regards,

Akash

Sunil Bhadauria
Level 1

Hello Vince ,

I have some experience with firewalls, so I will try to answer the query.

Here are two things that I can see that could be worth checking:

 

1)

The WAN-side port has security-level 0, the lowest.

The Gi0/1 interface (VLAN 2 is connected and reaches the internet via this port) has security-level 100, the highest. We do not need any policy for reachability from higher to lower security zones in the ASA.

But for sub-interface Gi0/1.10 (VLAN 10 is connected and reaches the internet via this port) I can see security-level 0, the lowest.

 

And as far as I know, by default interfaces on the same security level cannot communicate with each other.

Anyway, if needed, the command below can achieve it:

same-security-traffic permit inter-interface

2) Another point is why on the ASA we have configured the VLAN 2 IP on the physical interface and the VLAN 10 IP on a sub-interface. I never tested such a configuration and was expecting to see another subinterface for VLAN 2 connectivity as well.

 

Hope this helps.

Regards

Sunil Bhadauria

! kindly rate all helpful posts !

 

campbech1
Level 1

A diagram would be very helpful to get this resolved for you.

Also on the switch I don't see any ports that are setup to be trunks.

How I've done this in the past is to set up a trunk, set it with a native VLAN that isn't in use anywhere (3100), and then create sub-interfaces for any and all VLANs that need to be tagged to the ASA. This then allows you to also tag VLAN 1 traffic and keep a uniform configuration.
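A worked version of the layout the two replies above describe (one dot1q trunk from the 3560 into a single ASA port, one subinterface per VLAN, distinct security levels) follows. It is an added example, not a config posted in the thread; the uplink port Gi0/1, native VLAN 999, security-level 50 for vlan10 and the explicit deny toward 10.1.1.0/24 are assumptions. Two checks against the posted ASA config are worth calling out. First, vlan10 at security-level 0 shares its level with outside, so traffic between them is dropped until either the levels differ or same-security-traffic permit inter-interface is set. Second, an inbound "permit ip any any" on a low-security interface overrides the default lower-to-higher deny, so VLAN 10 hosts could reach the inside (management) VLAN; the ACL below closes that while still allowing the path to the internet.

```cisco
! ===== 3560: dot1q trunk toward the ASA (uplink port Gi0/1 is assumed) =====
! VLAN 999 exists only to be the native VLAN; it is not in the allowed list,
! so untagged frames arriving on the trunk are dropped instead of landing
! in the management VLAN.
vlan 999
 name UNUSED-NATIVE
!
interface GigabitEthernet0/1
 description dot1q trunk to ASA Gi0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 2,10
 switchport mode trunk
 switchport nonegotiate
!
! ===== ASA 5520 (8.2-style syntax, matching the posted config) =====
! The physical port carries tagged frames only; both VLANs become subinterfaces.
! Removing nameif from Gi0/1 also removes every line that referenced "inside"
! (nat, access-group, dhcpd, ssh), so those lines are re-applied further down.
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface GigabitEthernet0/1.2
 vlan 2
 nameif inside
 security-level 100
 ip address 10.1.1.30 255.255.255.0
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif vlan10
 security-level 50
 ip address 172.16.10.10 255.255.255.0
!
! The posted config had vlan10 at security-level 0, equal to outside. With
! vlan10 at 50 this line is no longer needed; it is the one-line fix only if
! the two levels must stay equal.
! same-security-traffic permit inter-interface
!
! vlan10 (50) -> inside (100) is denied by default, but the posted
! "permit ip any any" on vlan10 would re-open it. Rebuild the ACL so the
! management VLAN is denied first (assumed policy), then everything else
! (the route to outside) is allowed.
clear configure access-list vlan10
access-list vlan10 extended deny ip any 10.1.1.0 255.255.255.0
access-list vlan10 extended permit ip any any
access-group vlan10 in interface vlan10
!
access-list inside extended permit ip any any
access-group inside in interface inside
!
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (vlan10) 1 0.0.0.0 0.0.0.0
!
dhcpd address 10.1.1.31-10.1.1.99 inside
dhcpd dns 8.8.8.8 interface inside
dhcpd enable inside
ssh 10.1.1.0 255.255.255.0 inside
```

To confirm the trunk and the levels after applying this, "show interfaces trunk" on the 3560 should list VLANs 2 and 10 as allowed and active on Gi0/1 with native VLAN 999, and "show nameif" on the ASA should list inside at 100, vlan10 at 50 and outside at 0. A "packet-tracer input vlan10 tcp 172.16.10.21 12345 8.8.8.8 53" on the ASA then walks a VLAN 10 host's flow through the ACL and NAT to outside, while the same tracer aimed at 10.1.1.15 should end in a drop on the access-list phase.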
