Routing problem between C3560 and ASA

sysadmin — Tue, 12 Mar 2019 02:59:34 GMT

I'm new to firewalls, so apologies if i'm wrong anhywhere.

Here is my setup.

I have a cisco C3560 switch with multiple VLans

It is connected to ASA 5505 which is further connected to Internet.

C3560 <--> G0/46 <--> 10.40.250.2 <--> 10.40.250.1 <--> E0/1 <--> ASA 5505

My problem is I'm not able to ping internet hosts from switch. Reverse route is fine. I'm able to ping switch and hosts on other Vlans.

And from switch I'm able to ping 10.40.250.1 (ASA interface). But from switch or my desktop i'm not able to go to internet.

Following are my configurations. Kindly help.

ASA Configuration

<code>

ASA Version 8.2(2)

hostname sg-fw2

names

interface Ethernet0/0

nameif OUTSIDE

security-level 0

ip address dhcp setroute

interface Ethernet0/1

nameif INSIDE

security-level 100

ip address 10.40.250.1 255.255.255.0

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

interface Management0/0

shutdown

no nameif

no security-level

no ip address

ftp mode passive

object-group network INTERNAL_RANGE

pager lines 24

logging enable

logging asdm informational

logging mail critical

mtu OUTSIDE 1500

mtu INSIDE 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

router eigrp 321

no auto-summary

default-metric 100000 1 255 1 1500

network 0.0.0.0 0.0.0.0

redistribute static

route INSIDE 10.40.0.0 255.255.0.0 10.40.250.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http 10.40.0.0 255.255.0.0 INSIDE

snmp-server host INSIDE 10.40.12.210 poll community ***** version 2c

no snmp-server location

no snmp-server contact

snmp-server community *****

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh 10.40.0.0 255.255.0.0 INSIDE

ssh timeout 5

ssh version 2

console timeout 0

threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

webvpn

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

inspect http

inspect icmp

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:3b4c6840cb9a7b2b490bcc2574f65371

: end

</code>

C3560 Swittch Configuration

<code>

Building configuration...

Current configuration : 10370 bytes

! Last configuration change at 19:05:13 WST Sat Nov 2 2013 by sysadmin

version 15.0

no service pad

no service timestamps debug uptime

service timestamps log datetime

service password-encryption

service sequence-numbers

boot-start-marker

boot-end-marker

aaa new-model

aaa authentication login default local

aaa session-id common

clock timezone WST 8 0

clock summer-time GMT recurring last Sun Mar 1:00 last Sun Oct 2:00

system mtu routing 1500

ip routing

ip dhcp snooping vlan 522

ip dhcp snooping

errdisable recovery cause udld

errdisable recovery cause bpduguard

errdisable recovery cause security-violation

errdisable recovery cause channel-misconfig (STP)

errdisable recovery cause pagp-flap

errdisable recovery cause dtp-flap

errdisable recovery cause link-flap

errdisable recovery cause sfp-config-mismatch

errdisable recovery cause gbic-invalid

errdisable recovery cause l2ptguard

errdisable recovery cause psecure-violation

errdisable recovery cause dhcp-rate-limit

errdisable recovery cause vmps

errdisable recovery cause storm-control

errdisable recovery cause arp-inspection

errdisable recovery cause loopback

spanning-tree mode pvst

spanning-tree extend system-id

spanning-tree vlan 1-999 priority 24576

vlan internal allocation policy ascending

interface Loopback0

ip address 3.3.3.3 255.255.255.255

interface Port-channel1

switchport trunk encapsulation dot1q

switchport mode trunk

interface GigabitEthernet0/1

switchport access vlan 522

switchport mode access

interface GigabitEthernet0/2

switchport access vlan 522

switchport mode access

interface GigabitEthernet0/3

switchport access vlan 522

switchport mode access

interface GigabitEthernet0/4

switchport access vlan 522

switchport mode access

interface GigabitEthernet0/5

switchport access vlan 512

switchport mode access

interface GigabitEthernet0/6

switchport access vlan 522

switchport mode access

interface GigabitEthernet0/7

switchport access vlan 522

switchport mode access

interface GigabitEthernet0/8

switchport access vlan 522

switchport mode access

interface GigabitEthernet0/9

switchport access vlan 522

switchport mode access

interface GigabitEthernet0/10

switchport access vlan 522

switchport mode access

interface GigabitEthernet0/11

switchport access vlan 522

switchport mode access

interface GigabitEthernet0/12

switchport access vlan 522

switchport mode access

interface GigabitEthernet0/13

switchport access vlan 522

switchport mode access

interface GigabitEthernet0/14

switchport access vlan 522

switchport mode access

interface GigabitEthernet0/15

switchport access vlan 522

switchport mode access

interface GigabitEthernet0/16

switchport access vlan 522

switchport mode access

interface GigabitEthernet0/17

switchport access vlan 523

interface GigabitEthernet0/18

description trunk to bm-sg-sw3 in other server room

switchport trunk encapsulation dot1q

switchport mode trunk

interface GigabitEthernet0/19

description link to 3com switch for 10.40.12.x network

switchport access vlan 512

ip dhcp snooping trust

interface GigabitEthernet0/20

description link to drac card on xen server

switchport access vlan 523

switchport mode access

mls qos trust cos

interface GigabitEthernet0/21

switchport access vlan 512

switchport mode access

interface GigabitEthernet0/22

switchport access vlan 512

switchport mode access

interface GigabitEthernet0/23

switchport access vlan 512

switchport mode access

interface GigabitEthernet0/24

switchport access vlan 512

switchport mode access

interface GigabitEthernet0/25

switchport access vlan 512

switchport mode access

interface GigabitEthernet0/26

switchport access vlan 512

switchport mode access

interface GigabitEthernet0/27

switchport access vlan 512

switchport mode access

interface GigabitEthernet0/28

switchport access vlan 512

switchport mode access

interface GigabitEthernet0/29

switchport access vlan 512

switchport mode access

interface GigabitEthernet0/30

switchport access vlan 512

switchport mode access

interface GigabitEthernet0/31

switchport access vlan 512

switchport mode access

interface GigabitEthernet0/32

switchport access vlan 512

switchport mode access

ip dhcp snooping trust

interface GigabitEthernet0/33

description servers in engineering room

switchport access vlan 523

mls qos trust cos

interface GigabitEthernet0/34

description link to rack for engineering network

switchport access vlan 523

mls qos trust cos

interface GigabitEthernet0/35

description C1841-F0/1

switchport access vlan 600

switchport mode access

spanning-tree portfast

interface GigabitEthernet0/36

description ASA5510-F0/1

switchport access vlan 600

switchport mode access

mls qos trust cos

spanning-tree portfast

interface GigabitEthernet0/37

description C2811-F0/0

switchport access vlan 600

switchport mode access

mls qos trust cos

spanning-tree portfast

interface GigabitEthernet0/38

description vmserver1

switchport access vlan 512

ip dhcp snooping trust

interface GigabitEthernet0/39

switchport access vlan 512

switchport mode access

interface GigabitEthernet0/40

description build server nas

switchport access vlan 512

switchport mode access

interface GigabitEthernet0/41

description server farm b

switchport access vlan 522

interface GigabitEthernet0/42

switchport access vlan 523

switchport mode access

mls qos trust cos

interface GigabitEthernet0/43

description hub for engineering server farm

switchport access vlan 522

interface GigabitEthernet0/44

description connection for voip 2851

no switchport

ip address 10.40.40.1 255.255.255.0

interface GigabitEthernet0/45

no switchport

no ip address

interface GigabitEthernet0/46

description connection to ASA inside

no switchport

ip address 10.40.250.2 255.255.255.0

duplex full

interface GigabitEthernet0/47

description span port

interface GigabitEthernet0/48

interface GigabitEthernet0/49

description trunk to 3560-POE switch 2

switchport trunk encapsulation dot1q

switchport mode trunk

channel-group 1 mode desirable

interface GigabitEthernet0/50

interface GigabitEthernet0/51

interface GigabitEthernet0/52

interface Vlan1

ip address 10.10.100.1 255.255.255.0

interface Vlan10

ip address 10.40.10.3 255.255.255.0

interface Vlan300

ip address 10.40.255.1 255.255.255.248

interface Vlan512

description corp_serv

ip address 10.40.12.1 255.255.255.0

interface Vlan520

description corp_con

ip address 10.40.200.1 255.255.254.0

interface Vlan522

description workstations

ip address 10.40.224.1 255.255.254.0 secondary

ip address 10.40.220.1 255.255.254.0

ip helper-address 10.40.12.253

ip helper-address 10.40.12.252

interface Vlan523

description office_lab

ip address 10.40.230.1 255.255.254.0

ip access-group vlan523_access_in in

no ip unreachables

router eigrp 321

network 3.0.0.0

network 10.0.0.0

eigrp stub connected summary

ip http server

ip http authentication local

ip http secure-server

ip route 0.0.0.0 0.0.0.0 10.40.250.1

ip route 10.1.0.0 255.255.0.0 10.40.10.254

ip route 10.1.1.0 255.255.255.0 10.40.250.1

ip route 10.40.240.0 255.255.254.0 10.40.40.2

ip route 202.56.195.121 255.255.255.255 10.40.10.254

ip route 202.152.162.174 255.255.255.255 10.40.10.254

ip route 202.152.162.177 255.255.255.255 10.40.10.254

ip route 203.145.131.152 255.255.255.255 10.40.10.254

ip route 203.196.249.7 255.255.255.255 10.40.10.254

ip access-list extended search_for_192.168

permit ip any host 216.246.60.14 log-input

ip access-list extended vlan523_access_in

remark permit any tcp connection into this vlan to return

permit tcp any any established

remark allow DNS query

permit udp any host 10.40.12.253 eq domain

remark http access to fumes

permit tcp any host 10.26.156.51 eq www

permit tcp any host 10.26.156.51 eq 443

remark http access to 3.0 build machine

permit tcp any host 10.26.156.30 eq www

permit tcp any host 10.26.156.30 eq 443

remark allow communication between 10.40.231.205 and cisco cme

permit ip host 10.40.231.205 host 10.40.240.1

permit ip host 10.40.231.205 host 10.40.40.2

remark Allow IANA ephemeral port

permit udp any any range 49152 65535

permit udp any any range 25000 35000

permit udp any any range 40001 45000

remark permit connection to SingNet Proxy

permit tcp any host 220.255.4.9 eq 8080

remark http and NFS access to filesvr

permit tcp any host 10.40.12.248 eq www

permit tcp any host 10.40.12.248 eq 443

permit tcp any host 10.40.12.248 eq sunrpc

permit udp any host 10.40.12.248 eq sunrpc

permit tcp any host 10.40.12.248 eq 2049

permit udp any host 10.40.12.248 eq 2049

permit tcp any host 10.40.12.248 range 4000 4002

permit udp any host 10.40.12.248 range 4000 4002

remark permit sip traffic

permit tcp any any range 5060 5063

permit udp any any range 5060 5063

permit udp any any range 5000 5003

permit udp any any range 5010 5013

permit udp any any range 16384 32767

remark permit access to ldap server

permit tcp any host 10.40.12.247 eq 389

deny icmp any any redirect

deny icmp any any mask-request

permit icmp any any

permit ip 0.0.0.0 255.255.254.0 0.0.0.0 255.255.254.0

permit tcp 0.0.0.0 255.255.254.0 0.0.0.0 255.255.254.0

permit ip any any

permit tcp any any

logging trap warnings

logging facility syslog

logging source-interface Loopback0

logging host 10.40.12.210

line con 0

logging synchronous

line vty 0 4

privilege level 15

password 7 120F0B0F1F08545D79

transport preferred none

transport input telnet

transport output none

line vty 5 15

privilege level 15

password 7 120F0B0F1F08545D79

transport preferred none

transport input telnet

transport output none

monitor session 1 source vlan 1 - 4094

monitor session 1 destination interface Gi0/47

ntp server 10.40.12.253 prefer

end

</code>

topic Routing problem between C3560 and ASA in Network Security

Routing problem between C3560 and ASA

Routing problem between C3560 and ASA