HSRP and ASA 5510

coolmon1981
Level 1

Hi Everyone,

This is my first post here and I hope you can help me or point me in the right direction. Please be gentle, I'm a newbie.

I'm trying to configure 2 x 3560 8-port switches as my distribution layer and 1 x 2960 8-port as the access layer, with EtherChannel between all links, and I have configured HSRP. HSRP is working fine at this point; then I wanted to add an ASA firewall, but I can only get internet connectivity if I use the gateway of the VLAN 10 that I configured on the ASA box. Is it not possible to add that address to the HSRP redundant default gateway functionality, so I would be able to use, for example, 10.1.10.1 as the default gateway?

For DHSW1 I have configured HSRP like this:

vlan 10
name OFFICE
interface vlan 10
ip address 10.1.10.1 255.255.255.0
ip helper-address 10.1.50.20
standby 10 ip 10.1.10.5
standby 10 preempt
standby 10 priority 110
no shutdown
exit
!
interface FastEthernet0/2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 2-4094
switchport mode trunk
switchport nonegotiate
exit
!

and DHSW2:

interface vlan 10
ip address 10.1.10.2 255.255.255.0
ip helper-address 10.1.50.20
standby 10 ip 10.1.10.5
standby 10 preempt
no shutdown
exit
!
interface FastEthernet0/2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 2-4094
switchport mode trunk
switchport nonegotiate
exit
!

and AHSW1:

interface vlan 10
ip address 10.1.10.3 255.255.255.0
ip helper-address 10.1.50.20
no shutdown
exit
!
interface gi0/1
switchport access vlan 10
switchport mode access
switchport nonegotiate
spanning-tree portfast
no shutdown
!

The ASA box is configured this way.

interface Ethernet 0/0
speed 100
duplex full
nameif outside
security-level 0
ip address dhcp setroute
no shutdown
!
interface Ethernet 0/1
speed 100
duplex full
no nameif
no security-level
no ip address
no shutdown
exit
!
interface Ethernet 0/2
speed 100
duplex full
no nameif
no security-level
no ip address
no shutdown
exit
!

interface redundant 1
description Redundant LAN Interface
member-interface ethernet 0/1
member-interface ethernet 0/2
no nameif
no security-level
no ip address
no shutdown
exit
!
interface redundant 1.10
vlan 10
description VLAN10
nameif inside
security-level 100
ip address 10.1.10.4 standby 10.1.10.5
no shutdown
exit

http enable server
http 10.1.10.0 255.255.255.0 inside

object network VLAN10
subnet 10.1.10.0 255.255.255.0
nat (inside,outside) dynamic interface

Then, when I use my laptop that is connected to AHSW1, I get my IP address from my DHCP server with the default gateway of 10.1.10.1, and I can access the ASA ASDM on the IP address 10.1.10.4, but the internet is not working. But if I change the default gateway to 10.1.10.4, the internet works perfectly.

So I guess my question is: is this the way it is supposed to work, or am I missing some configuration somewhere?

Hope someone can help me.

Thank You.


17 Replies

ahmedshoaib
Level 4

Hi;

The reason you cannot access the internet is a routing issue; the rest of your configuration is OK. You need to decide whether your users' gateway will be on the firewall (10.1.10.4) or on the 3560 switch (10.1.10.5 VIP), and modify the default gateway config on the DHCP server accordingly.

If you set the firewall as the gateway, you have already verified that the internet is accessible.

If you want to configure the switch as the gateway, then you need to divert the traffic from the switch to the firewall by configuring a default route:

ip routing
ip route 0.0.0.0 0.0.0.0 10.1.10.4

In addition, there is an IP address conflict between the switch VIP (10.1.10.5) and the firewall secondary IP (10.1.10.5). If you have only one firewall then there is no need to configure a standby IP on the firewall; if you have two firewalls then change the standby IP to something else (10.1.10.6, for example).

Thanks & Best regards;
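As an added illustration of the two problems ahmedshoaib identifies (the HSRP VIP reused as the ASA standby address, and the gateway switch having no default route toward the firewall), here is a small config audit in Python. It is not from the thread; the config excerpts and the device names DHSW1, DHSW2 and ASA are constructed to mirror the posted configs.

```python
import re
from collections import defaultdict

# Constructed excerpts modelled on the thread's configs (device names assumed).
CONFIGS = {
    "DHSW1": "interface vlan 10\n ip address 10.1.10.1 255.255.255.0\n"
             " standby 10 ip 10.1.10.5\n",
    "DHSW2": "interface vlan 10\n ip address 10.1.10.2 255.255.255.0\n"
             " standby 10 ip 10.1.10.5\n",
    "ASA": "interface redundant 1.10\n ip address 10.1.10.4 standby 10.1.10.5\n",
}

ASA_ADDR = re.compile(r"^\s*ip address (\S+) standby (\S+)")    # ASA failover pair
IOS_VIP = re.compile(r"^\s*standby \d+ ip (\S+)")               # HSRP virtual IP
IOS_ADDR = re.compile(r"^\s*ip address (\S+) \S+\s*$")          # interface/SVI address
DEFAULT_ROUTE = re.compile(r"^\s*ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)")


def collect_addresses(configs):
    """Map each IPv4 address to the (owner, role) pairs claiming it. HSRP peers
    share one VIP by design, so the VIP is attributed to a single 'HSRP' owner."""
    owners = defaultdict(set)
    for dev, text in configs.items():
        for line in text.splitlines():
            if m := ASA_ADDR.match(line):
                owners[m[1]].add((dev, "primary"))
                owners[m[2]].add((dev, "standby"))
            elif m := IOS_VIP.match(line):
                owners[m[1]].add(("HSRP", "vip"))
            elif m := IOS_ADDR.match(line):
                owners[m[1]].add((dev, "interface"))
    return owners


def find_conflicts(configs):
    """Addresses claimed by more than one owner, e.g. an HSRP VIP reused as the
    ASA standby address: two devices would answer ARP for the same IP."""
    return {ip: sorted(o) for ip, o in collect_addresses(configs).items() if len(o) > 1}


def switches_missing_default_route(configs, firewall_ips):
    """Switches running HSRP (clients may use their VIP as gateway) with no default
    route to a firewall address: client traffic reaches the switch and stops there."""
    missing = []
    for dev, text in configs.items():
        lines = text.splitlines()
        runs_hsrp = any(IOS_VIP.match(line) for line in lines)
        next_hops = {m[1] for line in lines if (m := DEFAULT_ROUTE.match(line))}
        if runs_hsrp and not next_hops & firewall_ips:
            missing.append(dev)
    return sorted(missing)
```

Running `find_conflicts(CONFIGS)` flags 10.1.10.5 as claimed by both the HSRP group and the ASA standby, and `switches_missing_default_route(CONFIGS, {"10.1.10.4"})` lists both 3560s until a default route via 10.1.10.4 is added.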

Hi,

Thanks ahmedshoaib,

I did try what you suggested but it did not work; it gives the same result. I forgot to mention that I run OSPF.

router ospf 1
network 1.1.1.1 0.0.0.0 area 0
network 10.1.10.0 0.0.0.255 area 0
network 10.1.20.0 0.0.0.255 area 0
network 10.1.30.0 0.0.0.255 area 0
network 10.1.50.0 0.0.0.255 area 0
network 10.1.99.0 0.0.0.255 area 0

Thanks

Hi;

As recommended, your client/user gateway should be the VIP (in your case 10.1.10.5) on your distribution layer switch. The switch should have a route to reach the outside network, either via a static route or via dynamic routing.

By default OSPF will only exchange the routes that are advertised into OSPF; it will not advertise a default route (which is required to access the internet).

Now you have two options: either configure a static default route on the switch:

ip route 0.0.0.0 0.0.0.0 10.1.10.4

(OR)

inject the default route into OSPF from the ASA firewall.

Thanks & Best regards;

Hi;

I'm a little puzzled about how to inject the default route for all VLANs into OSPF from the ASA firewall.

I have tried to use ip route 0.0.0.0 0.0.0.0 10.1.10.4, but then it only allows internet access for hosts on that VLAN; all other VLANs are not allowed.

My head is spinning when it comes to routing, but I guess it will come to me in time.

I have desperately tried to add IP routes like this:
ip route 0.0.0.0 0.0.0.0 10.1.10.4
ip route 0.0.0.0 0.0.0.0 10.1.20.4
Not working at all, or only one of them.

I have tried to use this instead, just for trying:

ip route 10.1.10.0 255.255.255.0 10.1.10.4
ip route 10.1.20.0 255.255.255.0 10.1.20.4

Not working either.

Thanks

Hi;

Can you confirm that all the SVIs are created on the Cisco 3560 switch? If yes, then it should work; if there are other devices as well, then you can redistribute the default route into OSPF so all the other VLANs also know the route toward the firewall.

ip route 0.0.0.0 0.0.0.0 10.1.10.4

router ospf 1
 redistribute static subnets

Thanks & Best regards;

Hi;

All the SVIs are created on the Cisco 3560 switch, and I have added all the subnets to OSPF.

I will post my config file so you can see, if it's not too much trouble.

Thanks,

Hi;

Now your network topology is clear after reviewing the configuration; below are my recommendations:

First, remove all the SVIs from the access switch:

no int vlan 10
no int vlan 20
no int vlan 30
no int vlan 40
no int vlan 60

Second, the native VLAN does not require any IP address (on all the switches; if you are using VLAN 666 for some other purpose, then there is no need to remove it from the 3560):

no int vlan 666

Third, you need to decide whether you want to use the DS switches (3560) as the users' default gateway (VLAN 10 - 10.1.10.5) or the firewall will be the default gateway (VLAN 10 - 10.1.10.4).

Once you decide, you need to remove all the other SVIs (VLAN 10 till VLAN 50).

Example 1: if you decide the firewall will be the users' gateway (VLAN 10 - 10.1.10.4), then you need to remove all the SVIs from your DS switches (3560), and on DNS you need to modify the default gateway field to be the firewall IP address:

no int vlan 10
no int vlan 20
no int vlan 30
no int vlan 40
no int vlan 60

Example 2: if you decide the DS switches (3560) will be the users' gateway (VLAN 10 - 10.1.10.5), then you need to modify the following configuration, and you also need to create a separate VLAN between the DS switches and the firewall for the back-and-forth traffic, i.e. create a new VLAN 100 between the distribution switches and the firewall.

DS1:

vlan 100

int vlan 100
 ip address 10.1.100.1 255.255.255.0
 standby 100 ip 10.1.100.5
 standby 100 preempt
 standby 100 priority 110
 no shutdown

ip route 0.0.0.0 0.0.0.0 10.1.100.4

router ospf 1
 redistribute static subnets metric 10

DS2:

vlan 100

int vlan 100
 ip address 10.1.100.2 255.255.255.0
 standby 100 ip 10.1.100.5
 standby 100 preempt
 no shutdown

ip route 0.0.0.0 0.0.0.0 10.1.100.4

router ospf 1
 redistribute static subnets metric 100

Firewall:

no interface redundant 2.10
no interface redundant 2.20
no interface redundant 2.30
no interface redundant 2.40
no interface redundant 2.50
no interface redundant 2.99

interface redundant 2
 description LAN
 nameif LAN
 security-level 100
 ip address 10.1.100.4 255.255.255.0
 no shutdown
 exit

route inside 10.1.0.0 255.255.0.0 10.1.100.5

object network VLAN10
 subnet 10.1.10.0 255.255.255.0
 nat (LAN,WAN) dynamic interface

object network VLAN20
 subnet 10.1.20.0 255.255.255.0
 nat (LAN,WAN) dynamic interface

object network VLAN30
 subnet 10.1.30.0 255.255.255.0
 nat (LAN,WAN) dynamic interface

object network VLAN40
 subnet 10.1.40.0 255.255.255.0
 nat (LAN,WAN) dynamic interface

object network VLAN50
 subnet 10.1.50.0 255.255.255.0
 nat (LAN,WAN) dynamic interface
 exit

Thanks & Best regards;

Hi,

I can't thank you enough for helping me out, but I still can't get it to work :)

After I changed the configuration to what you suggested in example 2, I get
%ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve 10.1.100.4 Vlan100 on DS2. It appears only once on DS1, but I do not have any connectivity to the ASA firewall.

Thanks

Hi;

It's my mistake in the configuration:

DS1:

router ospf 1
 redistribute static subnets metric 10

DS2:

router ospf 1
 redistribute static subnets metric 100

Can you try it and let me know?

Thanks & Best regards;

Hi;

I did change to redistribute static subnets metric 10 on DS1 and 100 on DS2,

but it did not work.

Do I need to add the network of VLAN 100 to OSPF?

router ospf 1
 network 10.1.100.0 0.0.0.255 area 0

Could it have something to do with the IOS version I'm running?

c3560-ipservicesk9-mz.150-2.SE9

c2960-lanbasek9-mz.150-2.SE9

asa916-K8

Or perhaps I just need to get some sleep and have a look at it again in the morning with fresh eyes.

Hi;

Yes, you need to advertise VLAN 100 in OSPF:

router ospf 1
 network 10.1.100.0 0.0.0.255 area 0 (DS1 & DS2)
 redistribute static subnets metric 10 (DS1)
 redistribute static subnets metric 100 (DS2)

Firewall:

no route inside 10.1.0.0 255.255.0.0 10.1.100.1
route inside 10.1.0.0 255.255.0.0 10.1.100.5

Please also let me know whether you can ping the firewall IP address (10.1.100.4) from all VLANs (10, 20, 30, 40, 50).

Thanks & Best regards;

Hi;

I have tried what you suggested, but I still can't get any connectivity between the ASA and the switches or VLANs.

I have tried from scratch and removed the access switch just to make it a bit simpler.

I'm not able to ping 10.1.100.5 or 10.1.100.1 from the ASA, and I'm not able to ping 10.1.100.4 from any DLSW.

I'm able to ping 10.1.100.1, 10.1.100.2 and 10.1.100.5 from any DLSW.

Thank You

Hi;

The reason you can't ping 10.1.100.5 from the firewall and 10.1.100.4 from the DLSW is that you still have the trunk configuration on the DLSW switches. You need to remove the trunk configuration and make it an access port in VLAN 100 (on both DLSW switches):

default interface FastEthernet0/2

interface FastEthernet0/2
 description DLSW TO FWH1
 switchport mode access
 switchport access vlan 100
 speed 100
 duplex full
 no shut

The firewall and the DLSW switches on VLAN 100 should ping each other. Please configure and verify. Hopefully this will now fix your problem.

Thanks & Best regards;

Hi;

Thank you sooo much for all of your help, I can't thank you enough.

Everything is working, and I must say I have learned a lot from this. I have been too focused on the issue everywhere else than the link between the ASA and the DLSW. Yes, of course it has to be an access port; I feel a bit stupid at the moment that I did not see that myself :)

Thanks again,

Would it be possible to route the internet over an MPLS connection to a second site?
