Solved: Many thanks Marius for

mahesh18 · ‎06-19-2014

Hi Everyone,

Need to config new site where users behind the context firewall need to access the internet.

Setup is

SW1----Vlan 26----Sw3-----trunk vlan allowed 26,27 --ASA---Outside int---Layer2 switch4-----Router

SW2---vlan 27---sw3-----rest is same as above.

ASA has 2 context say admin which has vlan 26 and context x which has vlan 27.

SW1 and 2 have SVI vlans 26 and 27.

Sw3 has layer 2 vlans 26 and 27 only.

From Switch1 and 2 i can ping SVI Vlans IP on ASA.

Sw4 has no SVI interface.

Outside inetrface is shared by both context admin and x.

ASA both context has default route pointing to Router IP 172.16.1.2.

From both ASAs context i can ping the IP 172.16.1.2.

I am testing from Sw1 and 2 to ping 172.16.1.2 but it does not work.

I even do not see ping traffic from Sw1 to IP 172.16.1.2 hitting the any context of ASA.

Router is having connection to internet.

What config or design i need so that SW1 and 2 can ping the Router IP 172.16.1.2?

Best Regards

Mahesh

jumora · ‎06-19-2014

The security appliance lets you assign a different MAC address in each context to the same shared interface, whether it is a shared physical interface or a shared subinterface. By default, shared interfaces do not have unique MAC addresses; the interface uses the physical interface burned-in MAC address in every context. An upstream router cannot route directly to a context without unique MAC addresses. You can set the MAC addresses manually when you configure each interface (see the "Configuring Interface Parameters" section), or you can automatically generate MAC addresses (see the "Automatically Assigning MAC Addresses to Context Interfaces" section).

In system context configuration mode:

enable

config t

mac-address auto

Value our effort and rate the assistance!

View solution in original post

Marius Gunnerud · ‎06-21-2014

1>Outside interface is shared by both contexts and it has different IP in but subnet is same.How does traffic flow from shared outside interface (both context share the same interface.)

The ASA uses a combination of the IP address and the MAC address when deciding which subinterface to forward traffic to...alternitively you could configure static MAC addresses for each interface so that it will advertise a different MAC for each subinterface...though this is usually not recommended.

2>How does layer 2 switches in path allow the ping to IP 172.16.1.2 as it passes from them as both switches have no default gateway and they have no SVI for subnet 172.16.1.x

The layer two switchs plays no part in the "routing" of traffic. Switch 1 and 2 have default routes/gateway configured. So when, lets say, switch 1 sends traffic, it sees that the IP it is sending two is not on the same subnet it is sending from...and if it is a layer 3 switch it sees that no connected interfaces are in that subnet either. It will then ARP for the MAC address of the default gateway which would be the interface of the admin context. The admin context replies with its MAC and Switch 1 sends the packet to the admin context.

The only role the layer two switch plays here is the forwarding of the packet. The switch will learn on which ports can reach which MAC addresses and it will store this information in its MAC address table and it will do this for all connected hosts and MACs learned through trunks.

So, the same theory would apply when the ASA is going to forward the packet to the 172.16.1.2 router. The ASA sees that the router is on the same subnet as the outside interface. If it doesn't already know the MAC address of router it will send an ARP request, the layer 2 switch will at this point learn of the ASAs MAC address because of the ARP request, and it will learn the routers MAC address once the router sends the ARP reply. The ASA will then send the frame to the layer 2 switch. The switch checks the destination MAC of the frame and also checks the MAC address table to see which interface that specific MAC address can be reached through and forward it out that interface.

If for whatever reason the switch has not learned the MAC address of the router it will broadcast an ARP request for the MAC address of 172.16.1.2, and then forward the packet once it gets a reply.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

jumora · ‎06-19-2014

The security appliance lets you assign a different MAC address in each context to the same shared interface, whether it is a shared physical interface or a shared subinterface. By default, shared interfaces do not have unique MAC addresses; the interface uses the physical interface burned-in MAC address in every context. An upstream router cannot route directly to a context without unique MAC addresses. You can set the MAC addresses manually when you configure each interface (see the "Configuring Interface Parameters" section), or you can automatically generate MAC addresses (see the "Automatically Assigning MAC Addresses to Context Interfaces" section).

In system context configuration mode:

enable

config t

mac-address auto

Value our effort and rate the assistance!

mahesh18 · ‎06-19-2014

Hi Jumora,

I did the config as you said.Still from Sw1 i can not ping IP 172.16.1.2.

i see no logs on ASA context admin.

Regards

MAhesh

Marius Gunnerud · ‎06-20-2014

I am assuming that router 172.16.1.2 has routes back to the subnets on switch 1 and switch 2? remember that you would need one route pointing to the outside interface of context admin for VLAN 26 and a route pointing to the outside interface of context x for VLAN 27.

The outside interface you mention, which context is that associated with...do you have an outside interface for both context admin and context x?

Have you allowed ICMP in the ACL on the outside interface?

Can the router ping the outside interface on the ASA?

Would be helpful if you could posts sanitised configurations for both contexts and the router.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

Marius Gunnerud · ‎06-20-2014

Another thing you could also try doing is a packet capture for traffic flowing through one context, that way we can get a better idea where the traffic is stopping.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/110117-asa-capture-asdm-config.html

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

mahesh18 · ‎06-20-2014

Hi Marius,

Here is what i did---to have ping working

There were not routes pointing from router 172.16.1.2 to subnets on switch 1 and switch2.

I added those static routes to each contexts outside interface.

Outside interface is shared by both contexs and it has different IP for each context.

Router was able to ping the outside interface IP of each context.

Need to understand 2 things here from you----

1>Outside interface is shared by both contexts and it has different IP in but subnet is same.How does traffic flow from shared outside interface (both context share the same

interface.)

2>How does layer 2 switches in path allow the ping to IP 172.16.1.2 as it passes from

them as both switches have no default gateway and they have no SVI for subnet 172.16.1.x

Regards

MAhesh

Marius Gunnerud · ‎06-21-2014

1>Outside interface is shared by both contexts and it has different IP in but subnet is same.How does traffic flow from shared outside interface (both context share the same interface.)

The ASA uses a combination of the IP address and the MAC address when deciding which subinterface to forward traffic to...alternitively you could configure static MAC addresses for each interface so that it will advertise a different MAC for each subinterface...though this is usually not recommended.

2>How does layer 2 switches in path allow the ping to IP 172.16.1.2 as it passes from them as both switches have no default gateway and they have no SVI for subnet 172.16.1.x

The layer two switchs plays no part in the "routing" of traffic. Switch 1 and 2 have default routes/gateway configured. So when, lets say, switch 1 sends traffic, it sees that the IP it is sending two is not on the same subnet it is sending from...and if it is a layer 3 switch it sees that no connected interfaces are in that subnet either. It will then ARP for the MAC address of the default gateway which would be the interface of the admin context. The admin context replies with its MAC and Switch 1 sends the packet to the admin context.

The only role the layer two switch plays here is the forwarding of the packet. The switch will learn on which ports can reach which MAC addresses and it will store this information in its MAC address table and it will do this for all connected hosts and MACs learned through trunks.

So, the same theory would apply when the ASA is going to forward the packet to the 172.16.1.2 router. The ASA sees that the router is on the same subnet as the outside interface. If it doesn't already know the MAC address of router it will send an ARP request, the layer 2 switch will at this point learn of the ASAs MAC address because of the ARP request, and it will learn the routers MAC address once the router sends the ARP reply. The ASA will then send the frame to the layer 2 switch. The switch checks the destination MAC of the frame and also checks the MAC address table to see which interface that specific MAC address can be reached through and forward it out that interface.

If for whatever reason the switch has not learned the MAC address of the router it will broadcast an ARP request for the MAC address of 172.16.1.2, and then forward the packet once it gets a reply.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

mahesh18 · ‎06-21-2014

Many thanks Marius for detailed explanation

Regards

MAhesh

ASA design question