
Routing in L3 Device

SajeshB
Level 1

Hi, I need help with the routing protocol between 2 L3 devices.

 

Connectivity

Core Switch (SVI VLAN)------->Firewall

 

I have configured 2 SVI VLANs (VLAN 628 and 629) on the core switch; both are in the same VRF but on different subnets.
Then I configured an interface on my Cisco ASA firewall. The interface has an IP from VLAN 628, and on the ASA I have also assigned VLAN 628 to that firewall interface.

I am able to ping the ASA interface from VLAN 628 but not from VLAN 629.
I have return routes on the ASA for both subnets (VLAN 628 and 629),
and on the core switch, when I do sh ip route vrf VRF_name ASA_Interface_IP, it is learned via directly connected VLAN 628.

 

Is there any way that I can ping the ASA interface from VLAN 629 also?

 

Please find the config for the core switch, the ASA, and the sh ip route output below.

 

Core Switch:

 

interface Vlan628
description **LnG Voice_Vlan**
ip vrf forwarding V629:LNG
ip address 163.122.129.126 255.255.255.224
end

 

interface Vlan629
description **LnG Data_Vlan**
ip vrf forwarding V629:LNG
ip address 10.58.204.254 255.255.255.128
end

 

FW:
interface int5
nameif LNG-628
security-level 100
ip address 163.122.129.124 255.255.255.224 standby 163.122.129.125

 

CoreSwitch: sh ip route vrf V629:LNG 163.122.129.124--------------------------------FW Interface IP
Routing Table: V629:LNG
Routing entry for 163.122.129.96/27
Known via "connected", distance 0, metric 0 (connected, via interface)
Redistributing via bgp 64532
Advertised by bgp 64532
Routing Descriptor Blocks:
* directly connected, via Vlan628
Route metric is 0, traffic share count is 1

1 Accepted Solution

Accepted Solutions

balaji.bandi
Hall of Fame

What is the FW gateway IP address?

 

When you ping the connected interface it is fine, but the other interface is not directly connected, so when you ping from the other VLAN it looks for the FW gateway to resolve it.

 

So check the routing and post more information on the FW-side routing table.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

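To illustrate the point in the accepted answer, here is an added example (not from the thread or from Cisco) that runs a longest-prefix-match lookup over the ASA's routing table, using the subnets from the original post, to show why an echo reply toward VLAN 629 needs an explicit route back to the core switch. The static return route and its next hop (the core switch's SVI 628 address) are assumptions for the demonstration.

```python
# Added example: longest-prefix-match over an ASA-style routing table built
# from the subnets in the post. Not the thread's own code.
from ipaddress import ip_address, ip_network

# Routing table rows: (prefix, next_hop, egress_interface).
# The connected subnet of interface LNG-628 comes from the FW config in the post.
CONNECTED = [(ip_network("163.122.129.96/27"), "connected", "LNG-628")]

# Assumed static return route for the VLAN 629 subnet. The next hop is the
# core switch's SVI 628 address, the only address in the ASA's connected subnet.
RETURN_ROUTE = (ip_network("10.58.204.128/25"), "163.122.129.126", "LNG-628")


def lookup(table, dst):
    """Return the most specific route matching dst, or None if none matches."""
    dst = ip_address(dst)
    matches = [route for route in table if dst in route[0]]
    if not matches:
        return None
    return max(matches, key=lambda route: route[0].prefixlen)


def can_reply(table, src):
    """True if the ASA has any route to send an ICMP echo reply back to src."""
    return lookup(table, src) is not None


def explain(table, src):
    """Human-readable trace of the return-path decision for a ping from src."""
    route = lookup(table, src)
    if route is None:
        return f"reply to {src}: no route, dropped"
    prefix, next_hop, ifc = route
    return f"reply to {src}: via {prefix} next-hop {next_hop} out {ifc}"


if __name__ == "__main__":
    # Ping sourced from SVI 628: source lies in the connected subnet, works.
    print(explain(CONNECTED, "163.122.129.126"))
    # Ping sourced from SVI 629 with only the connected route: reply has nowhere to go.
    print(explain(CONNECTED, "10.58.204.254"))
    # With the return route in place (what BB asks the poster to verify), it works.
    print(explain(CONNECTED + [RETURN_ROUTE], "10.58.204.254"))
```

The route lookup is only the first check; whether the ASA actually answers a ping to its interface from a non-connected subnet also depends on its ICMP policy for that interface.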

3 Replies


Hi Balaji,

 

Thanks for the response.

 

I was also not aware of the architecture; I was helping one of the customers with troubleshooting this.

I found out the ASA firewall was context based, so VLAN 628 was assigned to that firewall interface in the system context of the firewall, and that's why VLAN 628 on the core switch is able to ping the FW interface.

So I told them to create a separate interface for VLAN 629 on the firewall as well. We cannot route the traffic to the existing interface of the firewall as it is on VLAN 628.

If you can help me with this: if I remove VLAN 628 from the firewall interface, then both VLANs will be able to ping the FW interface, if I'm not wrong.

 

Core switch and firewall are directly connected.

There is no gateway for the firewall, as the return routes from the firewall are pointed toward both VLANs, like this:

For the 163.x.x.x subnet the route is pointed toward VLAN 628, and for the 10.x.x.x subnet the route is pointed toward VLAN 629.

 

balaji.bandi
Hall of Fame

Somewhere that routing needs to be populated, right? If they have the interface, the FW is able to get access to both.

 

We need to know the config on the FW side also; hope that is possible?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help