08-20-2013 02:00 AM - edited 03-11-2019 07:27 PM
Hi All,
I'm not able to access a VLAN from another VLAN.
Let me explain it in more detail:
I've got a 3750 switch connected through a non-switched port to the ASA.
I've implemented OSPF routing to pass all the VLANs behind the 3750 directly to the ASA, and it's working like a charm. I can access the internet from those VLANs.
One Ethernet port of the ASA is connected to the inside network 10.60.0.0/16 and the other to the "new network" through the 3750.
I need to let traffic flow between eth0 and eth1 (they have the same security level, 100).
I've already enabled inter-VLAN and intra-VLAN traffic.
Thanks,
Cheers,
Lnx
08-20-2013 05:52 AM
Hi,
Can you attach some configuration from both the ASA and the 3750 to the original post and provide the "show route" output from the ASA and "show ip route" from the 3750?
- Jouni
08-20-2013 06:02 AM
Hi JouniForss,
This is the ASA. I've had to create all the static NAT rules because I was not even able to ping from one network to another.
ASA Version 8.2(5)
!
interface Ethernet0/2
description inside
nameif Inside
security-level 100
ip address 10.60.1.1 255.255.0.0
!
interface Ethernet0/3
nameif NewInfrastructure
security-level 100
ip address 10.90.1.1 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_4
network-object 10.130.0.0 255.255.255.0
network-object 10.130.1.0 255.255.255.0
network-object 10.65.0.0 255.255.0.0
access-list Inside_access_in extended permit ip 10.60.0.0 255.255.0.0 object-group DM_INLINE_NETWORK_4
access-list Inside_access_in remark Block all toward outside
access-list Inside_access_in extended deny ip any any
nat (NewInfrastructure) 1 10.130.0.0 255.255.255.0
nat (NewInfrastructure) 1 10.130.1.0 255.255.255.0
nat (NewInfrastructure) 1 10.130.2.0 255.255.255.0
nat (NewInfrastructure) 1 10.130.3.0 255.255.255.0
nat (NewInfrastructure) 1 10.130.4.0 255.255.255.0
nat (NewInfrastructure) 1 10.130.5.0 255.255.255.0
nat (NewInfrastructure) 1 10.130.6.0 255.255.255.0
nat (NewInfrastructure) 1 10.65.0.0 255.255.0.0
static (NewInfrastructure,Inside) 10.130.1.0 10.130.1.0 netmask 255.255.255.0
static (NewInfrastructure,Inside) 10.65.0.0 10.65.0.0 netmask 255.255.0.0
static (NewInfrastructure,Inside) 10.130.2.0 10.130.2.0 netmask 255.255.255.0
static (NewInfrastructure,Inside) 10.130.3.0 10.130.3.0 netmask 255.255.255.0
static (NewInfrastructure,Inside) 10.130.0.0 10.130.0.0 netmask 255.255.255.0
static (NewInfrastructure,Inside) 10.130.4.0 10.130.4.0 netmask 255.255.255.0
static (NewInfrastructure,Inside) 10.130.5.0 10.130.5.0 netmask 255.255.255.0
static (NewInfrastructure,Inside) 10.130.6.0 10.130.6.0 netmask 255.255.255.0
static (Inside,NewInfrastructure) 10.60.0.0 10.60.0.0 netmask 255.255.0.0
access-group Colt_access_in in interface Colt
access-group Isa_access_in in interface ISA_ML
access-group Inside_access_in in interface Inside
!
router ospf 1
router-id 3.3.3.3
network 10.62.0.0 255.255.0.0 area 0
network 10.65.0.0 255.255.0.0 area 0
network 10.90.1.0 255.255.255.0 area 0
network 10.130.0.0 255.255.255.0 area 0
network 10.130.1.0 255.255.255.0 area 0
network 10.130.2.0 255.255.255.0 area 0
network 10.130.3.0 255.255.255.0 area 0
network 10.130.4.0 255.255.255.0 area 0
network 10.130.5.0 255.255.255.0 area 0
network 10.130.6.0 255.255.255.0 area 0
area 0
log-adj-changes
!
console timeout 0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
!
class-map global-class
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global-policy
class global-class
inspect dns preset_dns_map
inspect esmtp
inspect ftp
inspect netbios
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
inspect h323 h225
inspect h323 ras
!
service-policy global-policy global
: end
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is x.x.x.x to network 0.0.0.0
O 10.0.0.0 255.255.255.240
[110/11] via 10.90.1.2, 5:38:38, NewInfrastructure
S 10.62.0.0 255.255.0.0 [1/0] via 10.60.1.10, Inside
C 10.60.0.0 255.255.0.0 is directly connected, Inside
O 10.65.0.0 255.255.0.0 [110/12] via 10.90.1.2, 4:28:47, NewInfrastructure
C 10.90.1.0 255.255.255.0 is directly connected, NewInfrastructure
O 10.130.1.0 255.255.255.0
[110/11] via 10.90.1.2, 2:45:21, NewInfrastructure
C 192.168.1.0 255.255.255.0 is directly connected, management
S* 0.0.0.0 0.0.0.0 [1/0] via x.x.x.x, Colt
08-20-2013 06:08 AM
Here is the 3750 config:
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
ip routing
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
!
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
no ip route-cache
shutdown
!
interface GigabitEthernet1/0/1
no switchport
ip address 10.0.0.1 255.255.255.240
ip ospf hello-interval 5
!
interface GigabitEthernet1/0/2
no switchport
ip address 10.90.1.2 255.255.255.0
!
interface GigabitEthernet1/0/3
switchport access vlan 60
switchport mode access
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
switchport access vlan 131
switchport mode access
!
interface GigabitEthernet1/0/12
switchport access vlan 130
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface Vlan1
no ip address
shutdown
!
interface Vlan60
ip address 10.60.1.5 255.255.0.0
!
interface Vlan130
ip address 10.130.1.1 255.255.255.0
!
interface Vlan131
ip address 10.131.1.1 255.255.255.0
!
router ospf 1
router-id 2.2.2.2
network 10.0.0.0 0.0.0.15 area 0
network 10.60.0.0 0.0.255.255 area 0
network 10.62.0.0 0.0.255.255 area 0
network 10.90.1.0 0.0.0.255 area 0
network 10.130.1.0 0.0.0.255 area 0
network 10.131.1.0 0.0.0.255 area 0
default-information originate always
!
ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.90.1.1
ip route 10.63.0.0 255.255.0.0 10.60.1.10
Switch#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 10.90.1.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.90.1.1
10.0.0.0/8 is variably subnetted, 10 subnets, 4 masks
C 10.0.0.0/28 is directly connected, GigabitEthernet1/0/1
L 10.0.0.1/32 is directly connected, GigabitEthernet1/0/1
C 10.60.0.0/16 is directly connected, Vlan60
L 10.60.1.5/32 is directly connected, Vlan60
S 10.63.0.0/16 [1/0] via 10.60.1.10
O 10.65.0.0/16 [110/2] via 10.0.0.2, 1w3d, GigabitEthernet1/0/1
C 10.90.1.0/24 is directly connected, GigabitEthernet1/0/2
L 10.90.1.2/32 is directly connected, GigabitEthernet1/0/2
C 10.130.1.0/24 is directly connected, Vlan130
L 10.130.1.1/32 is directly connected, Vlan130
Switch#
!
08-20-2013 07:28 AM
Hi,
To me it seems that the setup possibly only contains 3 devices: the ASA and 2-3 routers?
Also, it seems to me that the routing is a bit messed up.
You are essentially using the native routing table and have connected the core 3750 with 2 links to the ASA.
It would seem to me that all the networks behind your ASA route directly through the 3750 and don't go through the ASA?
Which were the 2 networks whose traffic should go through the ASA?
I would suggest going through the whole setup because it seems to me to make no sense at the moment. If you have a simple network then I would suggest sticking to static routing. At least I personally feel that I would not get much out of running a dynamic routing protocol if there is no redundancy in the network and the network is small.
If you want to separate networks with the ASA then you will have to bring those VLANs directly to the ASA and let the ASA handle the inter-VLAN routing. Naturally in this case the ASA might become a bottleneck for traffic because of limited throughput performance.
Another option would be to use VRFs on the 3750. This means essentially that you could separate certain networks/VLANs into their own routing table and let them have their own default route towards the ASA. In the same way you could have another VRF for some new network that would be separate from the rest of the network and connect that network to the ASA on its own link.
- Jouni
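As an added illustration of the point above (not part of the thread): a small longest-prefix-match trace over the ASA and 3750 routing tables posted earlier shows why the firewall only ever sees one direction of an Inside-to-Vlan130 conversation. The ISP-managed router is modelled from the thread's description only (it forwards everything "unknown" to the ASA), and the host addresses 10.60.5.5 and 10.130.1.20 are constructed sample values.

```python
import ipaddress

# Forwarding tables. ASA and 3750 entries are transcribed from the "show route" /
# "show ip route" output in this thread; the ISP router is an assumption based on
# the poster's description. A value is the next device, or "deliver" when the
# destination is directly connected.
TABLES = {
    "ISP_ROUTER": {"10.60.0.0/16": "deliver", "0.0.0.0/0": "ASA"},
    "ASA": {
        "10.60.0.0/16": "deliver",      # C, Inside
        "10.90.1.0/24": "deliver",      # C, NewInfrastructure
        "10.62.0.0/16": "ISP_ROUTER",   # S via 10.60.1.10
        "10.0.0.0/28": "SW3750",        # O via 10.90.1.2
        "10.65.0.0/16": "SW3750",       # O via 10.90.1.2
        "10.130.1.0/24": "SW3750",      # O via 10.90.1.2
        "0.0.0.0/0": "INTERNET",        # S* via Colt (ISP hop redacted in post)
    },
    "SW3750": {
        "10.0.0.0/28": "deliver",       # C, Gi1/0/1
        "10.60.0.0/16": "deliver",      # C, Vlan60 -> return traffic bypasses the ASA
        "10.90.1.0/24": "deliver",      # C, Gi1/0/2
        "10.130.1.0/24": "deliver",     # C, Vlan130
        "10.63.0.0/16": "ISP_ROUTER",   # S via 10.60.1.10
        "10.65.0.0/16": "DC_SWITCH",    # O via 10.0.0.2
        "0.0.0.0/0": "ASA",             # S* via 10.90.1.1
    },
}
# First hop of each host network: 10.60.x uses the ISP router (per the thread),
# 10.130.1.x uses the 3750 SVI 10.130.1.1.
HOST_GATEWAYS = {"10.60.0.0/16": "ISP_ROUTER", "10.130.1.0/24": "SW3750"}

def lookup(table, addr):
    """Longest-prefix match of addr against one device's table."""
    ip = ipaddress.ip_address(addr)
    nets = (ipaddress.ip_network(p) for p in table if ip in ipaddress.ip_network(p))
    return table[str(max(nets, key=lambda n: n.prefixlen))]

def trace(src, dst):
    """Devices a packet src -> dst traverses until it is delivered or leaves the model."""
    hop, path = lookup(HOST_GATEWAYS, src), []
    while hop in TABLES and hop not in path:   # stop at unknown device or routing loop
        path.append(hop)
        hop = lookup(TABLES[hop], dst)
        if hop == "deliver":
            return path
    return path + [hop]

def is_symmetric_through(firewall, a, b):
    """True only if the stateful firewall sees both directions of the a <-> b flow."""
    return firewall in trace(a, b) and firewall in trace(b, a)

if __name__ == "__main__":
    print("10.60 -> Vlan130:", trace("10.60.5.5", "10.130.1.20"))
    print("Vlan130 -> 10.60:", trace("10.130.1.20", "10.60.5.5"))
    print("ASA sees both directions:", is_symmetric_through("ASA", "10.60.5.5", "10.130.1.20"))
```

The forward path runs ISP router, ASA, 3750, but the reply is delivered straight out of Vlan60 on the 3750, so the ASA's connection table never sees the return half of the flow.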
08-20-2013 07:37 AM
I pasted part of the configuration at the moment.
Basically there are, let's say, 3 physical locations:
1- datacenter with the 10.65.0.0/16 subnet and a third-party switch with L3 routing enabled
2- 3750 core with L3 routing
3- another network, 10.60.0.0/16 and 10.62.0.0, with the ISP-managed router which sends everything "unknown" to the ASA.
It doesn't know the VLANs configured on the 3750, so it sends all the traffic to the ASA.
Right now I cannot change the default gateway on the 10.60 network to the 3750; that's the main problem.
I would like to manage it with the ASA if possible.
Hope you see what I mean.
Cheers,
D