topic Cannot ping interfaces in Switching

Cannot ping interfaces

Roger Richards — Fri, 08 Mar 2019 00:40:59 GMT

Ok.. Good day, I have an ASA 5510 and a 2921 -

My ASA is used for VPN and Internet

My 2921 is used to connect different subnets

I also have an attached diagram

I have a directly connected interface on 2921-10.10.10.1 to the ASA 10.10.10.2

Also on the 2921 i have a subnet 192.168.2.0 and 10.20.30.0

I have trunk link on my switch 2950 from the 2921... The ASA is aslo connected to the switch

on the ASA

Int0/0 66.xxx.xxx.xxx internet

Int0/1 10.20.60.2 - Gateway for computers

Int0/2 10.10.10.2 - connected to 2921

on the 2921

gig0/1 10.10.10.1 - connected to ASA

gig0/1.20 sub-if 192.168.2.1

gig0/1.30 sub-if 10.20.30.1

I have connected some static routes to get from 10.20.60.0 to 192.168.2.0

I cannot ping 10.10.10.2 from my PC

I cannot ping 10.20.60.2 from my 2921

I would appreciate any ideas for configuration help... And redesign...

What cannot happen is for us to use the 2921 for vpn and internet..

Thanks,,, see image.

Re: Cannot ping interfaces

Umesh Shetty — Tue, 19 Nov 2013 17:36:21 GMT

Hi Roger,

The config from routing perspective looks good, now since in both cases you are trying to ping the IP configured on the ASA firewall I wonder if there is a stealth rule thats dropping that traffic.(I am not an expert though with ASA, I would check that first).

Also if you have set the rule to allow ICMP between these subnets can you try

1> Pinging from your PC to 10.10.10.1

2> From 2921 to ping your PC

Another suggestion would be since this probles is related to ASA you could post this in the Security section to get the security experts to help you.

HTH

Regards

Umesh

Re: Cannot ping interfaces

Jon Marshall — Tue, 19 Nov 2013 19:48:10 GMT

Roger

I cannot ping 10.10.10.2 from my PC

I cannot ping 10.20.60.2 from my 2921

You won't be able to because on the ASA this is a restriction by design ie you cannot ping another interface across the ASA. You can obviously ping through the ASA ie. in one interface and out another (as long as your rulebase allows it) but if the destination IP of the packet is another ASA interface this will be blocked.

So what you are seeing is correct behaviour. Do you have a connectivity problem or was it just a query you had ?

Jon

Cannot ping interfaces

Roger Richards — Wed, 20 Nov 2013 17:23:26 GMT

Not connectivity issues but probems with provisioning some avaya phones using DHCP on W2K8 server . Just basically needed to do intervlan routing with the 2921 but we still need the ASA connected as default gateway. Sooooooooo....... i need lots of help. Maybe on a different forum. But thats how this all started.

Cannot ping interfaces

Jon Marshall — Wed, 20 Nov 2013 18:00:10 GMT

Roger

Maybe on a different forum

If it's a problem with the phones then maybe the VOIP forums but if it is the network layout then this is the right forum.

If it is network layout etc. can you perhaps specify exactly what you want to be able to do and then we may be able to help you.

Jon

Cannot ping interfaces

Roger Richards — Wed, 27 Nov 2013 20:50:07 GMT

I got everything working. That "untagpvidonly" is a avaya command.

My real issue is I can ping anything on the 192.168.2.0 subnet but I cant actually login to any devices. If I can resolve that, it'll be great. Take another look at the attached diagram and tell what can I do. If I put my pc with a gateway address of 10.20.60.1 I can log into my phone call server, If I put my pc with 10.20.60.2 , it just hangs there

Cannot ping interfaces

Jon Marshall — Wed, 27 Nov 2013 21:01:45 GMT

Roger

What is 10.20.60.1 ?

Jon

Cannot ping interfaces

Roger Richards — Wed, 27 Nov 2013 21:11:27 GMT

sorry I forgot to include 10.20.60.1. Its a sub interface on the 2921, and its dot1q is 10. Vlan 10. I coudnt see how else I colud have routed to the 192.168.2.0 network. and both subnet has ip helper pointing to a dhcp server.

Cannot ping interfaces

Jon Marshall — Wed, 27 Nov 2013 21:19:42 GMT

Roger

I think the way you have it now is the way to do it ie. use the 2921 to route the internal vlans and only use the ASA when you need to go to the internet or use the vpn. If you wanted to use the ASA to route the vlans then you would need additional configuration on it and i can't see the advantage of doing that unless you have security issues ?

Does this make sense ?

Jon

Cannot ping interfaces

Roger Richards — Fri, 29 Nov 2013 18:40:04 GMT

Perfect sense... Thanks again jon....

Cannot ping interfaces

admiralrich — Tue, 03 Dec 2013 17:54:19 GMT

Hey Jon,

I got another Issue. How can I use the 2921 for the internet ,my ASA has the 10.20.60.2 <-- as the gateway for my computers and also my 2921 has the interface 10.20.60.1 interface also?

i appreciate any information given.

Cannot ping interfaces

Jon Marshall — Tue, 03 Dec 2013 18:33:40 GMT

Roger

This could get a bit complicated but not necessarily.

Your ASA has 2 internal connections, one to the switch and one to the 2921. But it only really needs the one connection to the 2921. So all vlans internally are routed off the 2921 and you only go to the firewall for VPN and internet.

However that would mean changes to the 2921 and more importantly the ASA. The current ASA inside interface is on the 10.20.60.x network whereas it would move to the 10.10.10.0/31. This would mean a route change on the 2921 but potentially a fair bit more config on the ASA.

Before you did any of that thoug, on the ASA you have this route -

172.20.2.0 255.255.255.0 172.20.16.11 inside

what is the 172.20.2.x network and what device is 172.20.16.11 ?

Jon

Cannot ping interfaces

admiralrich — Tue, 03 Dec 2013 18:38:16 GMT

thats a network on the other side on the vpn. I couldnt get to it from the 2921

Cannot ping interfaces

Jon Marshall — Tue, 03 Dec 2013 18:50:19 GMT

Roger

If it is a network on the other side of the VPN then why does the ASA have a route pointing back into your network ie. the route is reachable via the inside interface of the ASA not the outside.

Not trying to be difficult but if i am to suggest changes i need to make sure i don't stop things working.

Jon

Cannot ping interfaces

admiralrich — Tue, 03 Dec 2013 18:55:09 GMT

Sorry Jon, my apologeeez.. that was an experimentl route... it does not serve a perpose. I do and will appreciate if i can get this task done. It would solve my problems. (well at least the ones here)

Cannot ping interfaces

Jon Marshall — Tue, 03 Dec 2013 19:04:11 GMT

Roger

No problem. Can you post the configs of the 2921 and the ASA and i can then have a look and suggest how to reorganize it so all vlans are routed off the 2921 and the ASA is just for internet.

Note when you post remove any sensitive info from the ASA such as public IPs etc.

Jon

Cannot ping interfaces

admiralrich — Tue, 03 Dec 2013 20:04:36 GMT

THIS IS THE ASA:

ciscoasa-stx# show run

: Saved

ASA Version 8.3(1)

hostname ciscoasa-stx

domain-name stt.vidol.gov

enable password lb70NCTEuCJ09Sct encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

interface Ethernet0/0

nameif Vipowernet

security-level 0

ip address 66.xx.xx.xx 255.255.255.248

interface Ethernet0/1

nameif Inside

security-level 100

ip address 10.20.60.2 255.255.254.0

interface Ethernet0/2

shutdown

nameif Voice

security-level 100

no ip address

interface Ethernet0/3

nameif 2921

security-level 100

ip address 10.10.10.2 255.255.254.0

interface Management0/0

nameif management

security-level 100

ip address 10.20.80.100 255.255.255.0

boot system disk0:/asa831-k8.bin

ftp mode passive

clock timezone AST -4

dns domain-lookup Inside

dns server-group DefaultDNS

name-server 10.20.60.21

name-server 172.20.16.3

domain-name stt.vidol.gov

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network STT

subnet 172.20.16.0 255.255.255.0

description St. Thomas Office

object network A_66.xx.xx.xx.105

host 66.xx.xx.xx.105

object network PublicServer_NAT1

host 10.20.60.39

object service ClockLink

service tcp source eq 5074 destination eq 5074

description Clock Link Management Software

object network A_66.xx.xx.xx.107

host 66.xx.xx.xx.107

object service rdp

service tcp destination eq 3389

description Remote Desktop Protocol

object network VoIP-STT-Network

subnet 192.168.4.0 255.255.255.0

object network VoIP-STX-Network

subnet 192.168.2.0 255.255.255.0

object network STTNET

subnet 172.20.16.0 255.255.255.0

description STT NETWORK

object network STXET

subnet 10.20.60.0 255.255.254.0

description STX NETWORK

object network outside

host 66.xx.xx.xx.106

object network inside

host 10.20.60.2

object network Public-66.xx.xx.xx.108

host 66.xx.xx.xx.108

object service TCP8080

service tcp source eq 8080

object network VC_66.xx.xx.xx.109

host 66.xx.xx.xx.109

object network Clock82

host 10.20.61.82

object network Clock83

host 10.20.61.83

object network Clock81

host 10.20.61.81

object network Clocks

range 10.20.61.81 10.20.61.83

description Clocks

object network Polycom

host 10.20.60.8

object network PRTG

host 10.20.60.35

object network prtg1

host 10.20.60.35

object network Object_Clock81

host 10.20.61.81

object network Object_Clock_6401

host 10.20.61.81

object network Object_Clock_6402

host 10.20.61.82

object network Object_Clock_6403

host 10.20.61.83

object network Voice1

host 192.168.2.1

object-group network DM_INLINE_NETWORK_1

network-object host 172.20.21.4

network-object 172.20.16.0 255.255.255.0

network-object 192.168.4.0 255.255.255.0

object-group network DM_INLINE_NETWORK_2

network-object 10.20.60.0 255.255.254.0

network-object 192.168.2.0 255.255.255.0

object-group network DM_INLINE_NETWORK_3

network-object 10.20.60.0 255.255.254.0

network-object 192.168.2.0 255.255.255.0

object-group network DM_INLINE_NETWORK_4

network-object 10.20.60.0 255.255.254.0

network-object object VoIP-STX-Network

object-group network DM_INLINE_NETWORK_6

network-object object STT

network-object object VoIP-STT-Network

object-group network DM_INLINE_NETWORK_8

network-object host 125.210.221.172

network-object host 220.231.141.29

object-group service POLLY tcp

port-object eq h323

port-object eq sip

port-object eq 1731

port-object range 3230 3235

object-group service DM_INLINE_SERVICE_2

service-object tcp-udp destination eq domain

service-object tcp destination eq www

service-object tcp destination eq https

object-group service web tcp

port-object eq 8081

object-group network DM_INLINE_NETWORK_7

network-object host 10.20.61.81

network-object host 10.20.61.82

network-object host 10.20.61.83

object-group service ExtClkLnk tcp

port-object eq 5402

access-list Vipowernet_access_in extended deny ip object-group DM_INLINE_NETWORK_8 any inactive

access-list Vipowernet_access_in extended permit ip object-group DM_INLINE_NETWORK_3 any

access-list Vipowernet_access_in extended deny tcp any object PRTG eq 8081 inactive

access-list Vipowernet_access_in extended deny tcp any object Polycom eq www inactive

access-list Vipowernet_access_in extended permit tcp host 66.248.189.100 object-group DM_INLINE_NETWORK_7 eq 5402

access-list Vipowernet_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_NETWORK_1

access-list Inside_access_in extended permit ip object STXET object STTNET

access-list Inside_access_in extended permit ip host 10.20.61.1 any

access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_2 host 10.20.60.81 any

access-list Inside_access_in extended deny ip host 10.20.60.81 any

access-list Inside_access_in extended permit ip object-group DM_INLINE_NETWORK_4 any

access-list Inside_access_in extended permit ip any any

access-list Inside_access_in extended deny ip any any

access-list 2921_access_in extended permit ip any any log

access-list outside_1_cryptomap extended permit ip 10.20.60.0 255.255.254.0 172.20.16.0 255.255.255.0

access-list DOF extended permit ip any 172.20.2.0 255.255.255.0

access-list vidolas extended permit ip host 10.20.60.251 host 172.20.16.109

access-list vidolas extended permit ip host 172.20.16.109 host 10.20.60.251

access-list STX-STT extended permit ip object STXET object STTNET

access-list STX-STT extended permit ip object STTNET object STXET

access-list block extended deny ip host 23.15.5.113 any

access-list voice-to-lan extended permit ip 10.20.60.0 255.255.254.0 192.168.2.0 255.255.255.0

pager lines 24

logging enable

logging timestamp

logging trap notifications

logging asdm informational

logging host Inside 10.20.60.35

logging host Inside 172.20.16.87

logging permit-hostdown

mtu Vipowernet 1500

mtu Inside 1500

mtu Voice 1500

mtu 2921 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any Vipowernet

icmp permit any Inside

icmp permit any Voice

asdm image disk0:/asdm-631.bin

no asdm history enable

arp timeout 14400

nat (Inside,any) source static any any destination static DM_INLINE_NETWORK_6 DM_INLINE_NETWORK_6

object network obj_any

nat (management,Vipowernet) dynamic interface

object network Polycom

nat (Inside,Vipowernet) static 66.xx.xx.xx.108

object network prtg1

nat (Inside,Vipowernet) static 66.xx.xx.xx.109

object network Object_Clock_6401

nat (Inside,Vipowernet) static interface service tcp 5402 6401

object network Object_Clock_6402

nat (Inside,Vipowernet) static interface service tcp 5402 6402

object network Object_Clock_6403

nat (Inside,Vipowernet) static interface service tcp 5402 6403

nat (Inside,Vipowernet) after-auto source dynamic any interface

access-group Vipowernet_access_in in interface Vipowernet

access-group Inside_access_in in interface Inside

access-group 2921_access_in in interface 2921

route Vipowernet 0.0.0.0 0.0.0.0 66.xx.xx.xx.105 1

route 2921 10.20.30.0 255.255.254.0 10.10.10.1 1

route Inside 172.20.2.0 255.255.255.0 172.20.16.11 1

route 2921 192.168.2.0 255.255.255.0 10.10.10.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication telnet console LOCAL

aaa authorization command LOCAL

aaa authorization exec authentication-server

http server enable

http 192.168.1.0 255.255.255.0 management

http 10.20.60.0 255.255.254.0 Inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map Vipowernet_map0 1 match address Vipowernet_cryptomap

crypto map Vipowernet_map0 1 set peer 66.xx.xx.xxx.170

crypto map Vipowernet_map0 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map Vipowernet_map0 interface Vipowernet

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set peer 66.xx.xx.xx.170

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto ca trustpoint ASDM_TrustPoint0

enrollment url http://stxdc3:80/certsrv

crl configure

crypto ca trustpoint ASDM_TrustPoint1

enrollment url http://stxdc3:80/CertSrv

crl configure

crypto ca trustpoint ASDM_TrustPoint2

enrollment url http://stxdc3:80/CertEnroll

crl configure

crypto ca trustpoint ASDM_TrustPoint3

enrollment url http://stxdc3:80/certsrv

crl configure

crypto ca trustpoint ASDM_TrustPoint4

enrollment terminal

crl configure

crypto isakmp enable Vipowernet

crypto isakmp enable Voice

crypto isakmp policy 5

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 15

authentication pre-share

encryption des

hash md5

group 2

lifetime 28800

telnet 172.20.16.0 255.255.255.0 Vipowernet

telnet 10.20.61.1 255.255.255.255 Inside

telnet 10.20.60.0 255.255.254.0 Inside

telnet 0.0.0.0 0.0.0.0 Inside

telnet 172.20.16.0 255.255.255.0 Inside

telnet timeout 30

ssh timeout 5

console timeout 0

management-access Inside

dhcpd auto_config management

dhcprelay timeout 60

threat-detection basic-threat

threat-detection statistics host number-of-rate 2

threat-detection statistics port number-of-rate 2

threat-detection statistics protocol number-of-rate 2

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 10.20.60.21 source Inside prefer

ntp server 172.20.16.3 source Inside

webvpn

username Admin password 44WTHkc9M2sg5m4p encrypted privilege 15

username Ruser1 password IrO5kN5XfPlLpQcH encrypted

tunnel-group 66.xx.xx.xx.170 type ipsec-l2l

tunnel-group 66.xx.xx.xx.170 ipsec-attributes

pre-shared-key *****

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

inspect pptp

service-policy global_policy global

privilege cmd level 3 mode exec command perfmon

privilege cmd level 3 mode exec command ping

privilege cmd level 3 mode exec command who

privilege cmd level 3 mode exec command logging

privilege cmd level 3 mode exec command failover

privilege cmd level 3 mode exec command packet-tracer

privilege show level 5 mode exec command import

privilege show level 5 mode exec command running-config

privilege show level 3 mode exec command reload

privilege show level 3 mode exec command mode

privilege show level 3 mode exec command firewall

privilege show level 3 mode exec command asp

privilege show level 3 mode exec command cpu

privilege show level 3 mode exec command interface

privilege show level 3 mode exec command clock

privilege show level 3 mode exec command dns-hosts

privilege show level 3 mode exec command access-list

privilege show level 3 mode exec command logging

privilege show level 3 mode exec command vlan

privilege show level 3 mode exec command ip

privilege show level 3 mode exec command ipv6

privilege show level 3 mode exec command failover

privilege show level 3 mode exec command asdm

privilege show level 3 mode exec command arp

privilege show level 3 mode exec command route

privilege show level 3 mode exec command ospf

privilege show level 3 mode exec command aaa-server

privilege show level 3 mode exec command aaa

privilege show level 3 mode exec command eigrp

privilege show level 3 mode exec command crypto

privilege show level 3 mode exec command vpn-sessiondb

privilege show level 3 mode exec command ssh

privilege show level 3 mode exec command dhcpd

privilege show level 3 mode exec command vpn

privilege show level 3 mode exec command blocks

privilege show level 3 mode exec command wccp

privilege show level 3 mode exec command dynamic-filter

privilege show level 3 mode exec command webvpn

privilege show level 3 mode exec command module

privilege show level 3 mode exec command uauth

privilege show level 3 mode exec command compression

privilege show level 3 mode configure command interface

privilege show level 3 mode configure command clock

privilege show level 3 mode configure command access-list

privilege show level 3 mode configure command logging

privilege show level 3 mode configure command ip

privilege show level 3 mode configure command failover

privilege show level 5 mode configure command asdm

privilege show level 3 mode configure command arp

privilege show level 3 mode configure command route

privilege show level 3 mode configure command aaa-server

privilege show level 3 mode configure command aaa

privilege show level 3 mode configure command crypto

privilege show level 3 mode configure command ssh

privilege show level 3 mode configure command dhcpd

privilege show level 5 mode configure command privilege

privilege clear level 3 mode exec command dns-hosts

privilege clear level 3 mode exec command logging

privilege clear level 3 mode exec command arp

privilege clear level 3 mode exec command aaa-server

privilege clear level 3 mode exec command crypto

privilege clear level 3 mode exec command dynamic-filter

privilege cmd level 3 mode configure command failover

privilege clear level 3 mode configure command logging

privilege clear level 3 mode configure command arp

privilege clear level 3 mode configure command crypto

privilege clear level 3 mode configure command aaa-server

prompt hostname context

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

hpm topN enable

Cryptochecksum:b414a7744b28428be148e7c9b3083d67

THIS IS THE 2921

Labrstxrt1#show run

Building configuration...

Current configuration : 4023 bytes

! Last configuration change at 16:55:18 Caracas Fri Nov 29 2013 by ruser1

version 15.2

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

hostname Labrstxrt1

boot-start-marker

boot-end-marker

logging buffered 51200 warnings

enable secret 4 weG1bff8xq6vwYSaAhFlBe/uto9gzwL2MYg8LekeXp6

no aaa new-model

clock timezone Caracas -4 0

ip cef

ip domain name stt.vidol.gov

no ipv6 cef

multilink bundle-name authenticated

crypto pki trustpoint TP-self-signed-2781641347

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-2781641347

revocation-check none

rsakeypair TP-self-signed-2781641347

crypto pki certificate chain TP-self-signed-2781641347

certificate self-signed 01

3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030

31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

69666963 6174652D 32373831 36343133 3437301E 170D3133 30363135 30303433

35345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 37383136

34313334 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

8100CFAF D23E606C C51528EA 47F8028A 83570542 09EFCB1F 67410747 F0C94084

AF3129F7 2233EACD 98F1F99C 2BCEC5C3 7C19832B D4C913E0 FC0FF02D 9A4F3082

8F97FDAE C02F9D94 AA1152C0 EA825EE5 00571372 0E3C6C8E B3FD9457 E15F1192

563C3B11 1670F621 C683FCC6 A947E4B4 3220EA1E BC011FAC CC84E076 02C9F617

29D10203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603

551D2304 18301680 14FDB25B C1F42448 FF76D440 401C0CEE 9D852B3C DD301D06

03551D0E 04160414 FDB25BC1 F42448FF 76D44040 1C0CEE9D 852B3CDD 300D0609

2A864886 F70D0101 05050003 81810073 05C06429 C2397277 F4943DEB C59B996C

66E43213 1B7350EA FBAC44D1 BEF573BF 746B9B6C AE149735 4BBFC01A 93D385D8

8828787C 68585752 459A247C CD84DE74 F23C35C6 10115568 F2A08FEB 42546A2F

F4203FD7 EE8251FF 17B76913 8CCF5C4F 8062F788 9B087559 93C0305F 91E880A7

4C0F0662 9656D563 801B5A6E C804FA

quit

license udi pid CISCO2921/K9 sn FTX1724AM2U

license boot module c2900 technology-package securityk9

object-group network Clock_6401

host 10.20.61.81

object-group network Clock_6402

host 10.20.61.82

object-group network Clock_6403

host 10.20.61.83

username ruser1 privilege 15 secret 4 AOt2ZJMSG0QC5a/jxOxI9WhUy2Z8zyuyGyQheOp0w2E

username Admin view root secret 4 56jyXs.RSLFQFX5Ebzwqm0eXTwHAtDmINcDLgnOqA16

redundancy

interface Embedded-Service-Engine0/0

no ip address

shutdown

interface GigabitEthernet0/0

description Internet$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$

no ip address

shutdown

duplex auto

speed auto

interface GigabitEthernet0/1

no ip address

duplex auto

speed auto

media-type rj45

interface GigabitEthernet0/1.10

description Data$ETH-LAN$

encapsulation dot1Q 10

ip address 10.20.60.1 255.255.254.0

ip helper-address 10.20.60.21

interface GigabitEthernet0/1.20

description VoiceVlan$ETH-LAN$

encapsulation dot1Q 20

ip address 192.168.2.1 255.255.255.0

ip helper-address 10.20.60.21

interface GigabitEthernet0/2

description Directly Connected to ASA$ETH-LAN$

ip address 10.10.10.1 255.255.254.0

duplex auto

speed auto

ip forward-protocol nd

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip route 172.20.16.0 255.255.255.0 10.10.10.2 permanent

ip route 192.168.4.0 255.255.255.0 10.10.10.2 permanent

control-plane

line con 0

line aux 0

line 2

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

line vty 0 4

access-class 23 in

privilege level 15

transport input telnet ssh

line vty 5 15

privilege level 15

transport input telnet ssh

scheduler allocate 20000 1000

Thanks

Cannot ping interfaces

Jon Marshall — Tue, 03 Dec 2013 20:18:35 GMT

Roger

Note that the ASA uses 8.3 code and that uses a completely different NAT than previous versions - are you comfortable with that NAT because i haven't used it before but i should be able to sort it out. Basically i think the easiest thing would be to simply reconnect the 2921 to the inside interface of the ASA but we would need to readdress the inside interface.

Anyway, lets do the router first. If you could answer the following -

1) you only have these routes on the router -

ip route 172.20.16.0 255.255.255.0 10.10.10.2 permanent

ip route 192.168.4.0 255.255.255.0 10.10.10.2 permanent

From your diagram i expected to see a default route so i'm not sure how 192.168.2.x clients get to the internet ?

2) Can you confirm that the only internal networks that need routing are -

10.20.60.0/24

192.168.2.0/24

If the 2) is correct then the only change we need to make on the router is to remove those 2 routes and simply add a default ie.

ip route 0.0.0.0 0.0.0.0 10.10.10.1 <-- which will be the new inside interface of the ASA

but i need both 1) and 2) answering first.

Also important to note you will need an outage to do this work and you have to do it all together so we also need to sort out the ASA.

Jon

Re: Cannot ping interfaces

admiralrich — Tue, 03 Dec 2013 20:33:46 GMT

OK...

1) Those address are on the other side of the VPN. couldnt get to them from the 2921.

2) And Yes... only two internal thats needs routing,, maybe more in the future..

Re: Cannot ping interfaces

Jon Marshall — Tue, 03 Dec 2013 20:40:05 GMT

Right, well that't the router sorted then. Once we have done all this the 192.168.2.x network will be able to get to the internet.

So it's just a question of sorting out the ASA. Basically we need to have the inside interface readdressed to 10.10.10.2 and the 2921 interface on the ASA shutdown with no ip address. I think it's a good idea to use the inside interfce because the NAT statements refer to that interface.

So you would need to reconnect the 2921 to the inside interface of the ASA and readdress.

But like i say i'm not familiar with the ASA NAT config so i need to have a look at it with the docs just to work out if there are any gotchas. How comfortable are you with the ASA config in terms of NAT ?

It's not that complicated it's just i can't give you an immediate answer unless you know it well.

Jon