ASA 5520 internet access problem

gasparmenendez
Level 3

Hello, I have a problem with an ASA 5520. The thing is that on one of the interfaces I have connected a switch 3750, and connected to the switch a PC. This PC is in the same network as the ASA interface (10.229.0.0/24, and the switch is serving DHCP for the PC). That PC has full access to the internet. So far no problem. Now I need to add another network to the switch (let's say 10.229.2.0/24) through a vlan, connect a PC to that network and give it access to the internet through the same interface, but the problem is that the PC doesn't reach the internet in any way. I've been trying for several days and several solutions but there's no possible way for me to do this. Can anybody help me please??? At this point I'm very desperate. Here are some things that may help you to understand what I'm talking about:

ASA interface ip: 10.229.0.1/24 connected directly to the 3750
ASA interface name: FTTH
Switch 3750 vlan800 ip: 10.229.0.2/24
   ip dhcp pool FTTH-0
   network 10.229.0.0 255.255.255.0
   dns-server X.X.X.X
   default-router 10.229.0.1
Switch 3750 vlan802 ip: 10.229.2.2/24
   ip dhcp pool FTTH-2
   network 10.229.2.0 255.255.255.0
   dns-server X.X.X.X
   default-router 10.229.2.2
ASA static route: route FTTH 10.229.2.0 255.255.255.0 10.229.0.2


Need anything else??? Please let me know. Thank you very much in advance.


S-Lemming
Level 1

For traffic on vlan 802 to be able to reach vlan 800 where the ASA is you need to enable ip routing on the switch. Also you will need a default route looking like this: ip route 0.0.0.0 0.0.0.0 10.229.0.1.

Another option is to set up vlan subinterfaces on the ASA so the firewall will do the routing. In that case you would need to configure the physical interface as a trunk on both ends.

Please rate helpful posts.

Regards,

SL

Hi S-Lemming, from vlan 802 I can ping 10.229.0.1 (ASA interface ip add.) so I think routing is fine. Here are the basics of the 3750:



Sw3750-Site2#show running-config
Building configuration...

Current configuration : 5256 bytes

!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Sw3750-Site2
!
!
aaa new-model
aaa authentication login default local
!
aaa session-id common
switch 1 provision ws-c3750g-12s
system mtu routing 1500
ip subnet-zero
ip routing
ip domain-name somosggl.com
ip dhcp excluded-address 10.229.0.1 10.229.0.10
ip dhcp excluded-address 10.229.2.1 10.229.2.10
!
ip dhcp pool FTTH-0
   network 10.229.0.0 255.255.255.0
   dns-server X.X.X.X
   default-router 10.229.0.1
!
ip dhcp pool FTTH-2
   network 10.229.2.0 255.255.255.0
   dns-server X.X.X.X
   default-router 10.229.2.2
!
ip multicast-routing distributed
ip multicast multipath
ip ssh version 2
ip igmp snooping querier
ip igmp snooping vlan 69 mrouter learn cgmp
ip igmp profile 1
    permit
    range X.X.X.X X.X.X.X
ip igmp ssm-map enable
!
mvr vlan 69
mvr
mvr mode dynamic
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,10,15,19,20,25,30,50,69,70,81,100,110,130
 switchport trunk allowed vlan add 140,150,160,170,180,190,200,230,450,700,800
 switchport trunk allowed vlan add 802,900
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 shutdown
!
interface GigabitEthernet1/0/3
 shutdown
!
interface GigabitEthernet1/0/4
 !
interface GigabitEthernet1/0/5
 description *** red FTTH ***
 switchport access vlan 800
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/6
 description ** clientes carriers **
 switchport access vlan 900
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
 !
interface GigabitEthernet1/0/9
 !
interface GigabitEthernet1/0/10
 shutdown
!
interface GigabitEthernet1/0/11
 !
interface GigabitEthernet1/0/12
 shutdown
!
interface Vlan1
 no ip address
!
interface Vlan10
 no ip address
!
interface Vlan15
 no ip address
!
interface Vlan19
  no ip address
!
interface Vlan20
 no ip address
!
interface Vlan25
  no ip address
!
interface Vlan30
 no ip address
!
interface Vlan50
 no ip address
!
interface Vlan69
  no ip address
 ip pim dense-mode
 ip igmp static-group *
!
interface Vlan70
 no ip address
!         
interface Vlan110
 no ip address
!
interface Vlan230
 ip address 192.168.20.223 255.255.255.0
!
interface Vlan450
  no ip address
!
interface Vlan700
  ip address 10.211.0.11 255.255.255.0
!
interface Vlan800
 description *** red FTTH-0 ***
 ip address 10.229.0.2 255.255.255.0
!
interface Vlan802
 description *** red FTTH-2 ***
 ip address 10.229.2.2 255.255.255.0
!
interface Vlan803
 description *** red FTTH-3 ***
 no ip address
!
interface Vlan900
 description ** clientes carriers **
 ip address 10.227.224.2 255.255.252.0
!
ip default-gateway 192.168.200.254
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.20.254
ip http server
ip http secure-server
!
ip pim autorp listener
ip pim accept-rp auto-rp
!
ip access-list standard ELCACTI
!
logging 192.168.0.3
snmp-server community sw3750 RO ELCACTI
snmp-server enable traps license
radius-server source-ports 1645-1646
!
control-plane

What do you think?

Thanks in advance

You are using a different default gateway in your routing.

ip route 0.0.0.0 0.0.0.0 192.168.20.254

This is your problem. Any packets destined for unknown addresses (as in IP addresses your 3750 does not have a specific route for) will hit this route. So the traffic from vlan 802 will be routed here.

You have two options, either configure vlan 802 as an interface in the ASA and let it do all the routing for the vlan or you can configure policy based routing in the 3750. What this does is allow you to set up rules for how traffic is routed.

It would look like this:

access-list 10 permit 10.229.2.0 0.0.0.255 <- Create access-list to match for traffic

route-map Policy-route permit 10 <- Create route map to define policy route

match ip address 10 <- Match address based on access-list 10

set ip next-hop 10.229.0.1 <- Set default gateway

interface vlan 802
ip policy route-map Policy-route <- Apply route map to interface

Traffic on vlan 802 with a source IP in the 10.229.2.0 subnet will match and that will set the default gateway to 10.229.0.1.

Hope this helps.

Please rate helpful posts.

Regards,

SL

Hi SL, first of all thank you very much for your help.

Configuring the vlan in the ASA is not an option, since I don't want to force the ASA to work harder.

About routing in the 3750 I made it simple:

ip default-gateway 192.168.20.254
ip classless
ip route 0.0.0.0 0.0.0.0 10.229.0.1
ip http server
ip http secure-server

and now vlan 802 reach internet perfectly!!

but I lost access to the 3750 through vlan230 (ip 192.168.20.223) and that's the one I use for management... Is there any way to correct this???

Firstly, you should know that the ip default-gateway has no effect at all when ip routing is enabled. The command is used when the switch operates at layer2 only. Basically the command does exactly the same as ip route 0.0.0.0 0.0.0.0 so they would be in conflict with each other.

The new default route you have configured will cause all traffic which is routed in the switch to be forwarded on vlan 800, is that what you want?

You broke the management since all traffic from the switch is now routed through vlan 800. You will need a route for the network where your management station is located pointing to 192.168.20.254, i.e. if your management station is located in the 172.16.10.0/24 subnet the route would look like this:

ip route 172.16.10.0 255.255.255.0 192.168.20.254

Hope this helps.

Please rate helpful posts.

Regards,

SL

Hi SL, I understood perfectly. Now my problem is solved and I learned something new. Thank you very much

Hi again SL,

I was thinking, would I get the same result if I do:

ip route 0.0.0.0 0.0.0.0 192.168.20.254

ip route 10.229.2.0 255.255.255.0 10.229.0.1

??? Thanks again

Regards.

No that would not work. What the ip route command does is tell the router how to send packets to a network which it does not know about.

Here's how it works:

ip route 0.0.0.0 0.0.0.0 192.168.20.254 <- This tells the router that for any packet with a destination address it does not know about (by having it in its routing table) should be forwarded to 192.168.20.254.

ip route 10.229.2.0 255.255.255.0 10.229.0.1 <- This tells the router that packets with a destination address of 10.229.2.0/24 should be sent to 10.229.0.1, which is not what you want. However, because the switch has an interface in the 10.229.2.0/24 network (10.229.2.2) it is a connected network, and in the routing table a connected network always "wins" over a configured route. This basically means that the route you have configured will never exist in the routing table as long as the switch has vlan interface 802.

If you want to have the default route pointing to 192.168.20.254 you need to use policy-based routing like I suggested earlier.
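To make the routing logic in this thread concrete, here is an added Python model (not from the forum thread, not Cisco code) of the 3750's routing decision: longest-prefix match, administrative distance (connected 0 beats static 1), and a source-based policy route checked before the table, as `ip policy route-map` on the ingress SVI does. It replays the four situations discussed above: the original default route via 192.168.20.254 sending vlan 802 traffic the wrong way, the accepted fix (default via 10.229.0.1 plus a specific route for the management subnet; 172.16.10.0/24 is SL's example subnet), the static route for 10.229.2.0/24 that never beats the connected Vlan802 route, and the policy-route alternative. The external destination 198.51.100.10 and the host 10.229.2.50 are constructed sample addresses.

```python
import ipaddress

# IOS administrative distances: a connected network always beats a static route.
AD_CONNECTED = 0
AD_STATIC = 1


class RoutingTable:
    """Minimal model of an IOS routing table: longest-prefix match, administrative
    distance to break ties at equal prefix length, plus optional policy routes
    keyed on source prefix (the 'set ip next-hop' route-map from the thread)."""

    def __init__(self):
        self.routes = []    # (network, next_hop or None, ad, via)
        self.policies = []  # (source_network, next_hop), consulted before the table

    def add_connected(self, interface_cidr, via):
        # strict=False turns an interface address like 10.229.0.2/24 into 10.229.0.0/24
        net = ipaddress.ip_network(interface_cidr, strict=False)
        self.routes.append((net, None, AD_CONNECTED, via))

    def add_static(self, cidr, next_hop):
        self.routes.append((ipaddress.ip_network(cidr), next_hop, AD_STATIC, "static"))

    def add_policy(self, source_cidr, next_hop):
        self.policies.append((ipaddress.ip_network(source_cidr), next_hop))

    def lookup(self, dst, src=None):
        """Return the next hop for a packet, 'connected:<svi>' when the destination
        is on a directly attached network, or None when nothing matches."""
        dst = ipaddress.ip_address(dst)
        if src is not None:
            src = ipaddress.ip_address(src)
            for src_net, nh in self.policies:
                if src in src_net:
                    return nh  # PBR wins regardless of the routing table
        best = None
        for net, nh, ad, via in self.routes:
            if dst in net:
                key = (net.prefixlen, -ad)  # longer prefix, then lower AD
                if best is None or key > best[0]:
                    best = (key, nh, via)
        if best is None:
            return None
        _, nh, via = best
        return nh if nh is not None else f"connected:{via}"


def build_switch(default_next_hop, extra_static=()):
    """The 3750 from the thread: SVIs on vlan 230, 800 and 802, one default
    route, and any additional static routes as (cidr, next_hop) pairs."""
    rt = RoutingTable()
    rt.add_connected("192.168.20.223/24", "Vlan230")  # management SVI
    rt.add_connected("10.229.0.2/24", "Vlan800")      # FTTH-0, ASA at .1
    rt.add_connected("10.229.2.2/24", "Vlan802")      # FTTH-2, new client vlan
    rt.add_static("0.0.0.0/0", default_next_hop)
    for cidr, nh in extra_static:
        rt.add_static(cidr, nh)
    return rt


def scenarios():
    """Replay the thread's four configurations; returns {name: next_hop}."""
    internet, vlan802_host, mgmt_host = "198.51.100.10", "10.229.2.50", "172.16.10.5"
    out = {}

    # 1. Original config: default route via 192.168.20.254, so vlan 802 traffic
    #    for the internet never reaches the ASA on vlan 800.
    rt = build_switch("192.168.20.254")
    out["original"] = rt.lookup(internet, src=vlan802_host)

    # 2. Accepted fix: default via the ASA, specific route back to management.
    rt = build_switch("10.229.0.1", [("172.16.10.0/24", "192.168.20.254")])
    out["fix_internet"] = rt.lookup(internet, src=vlan802_host)
    out["fix_mgmt"] = rt.lookup(mgmt_host)

    # 3. Static route for a connected network: the connected entry (AD 0)
    #    always wins, so the static route never takes effect.
    rt = build_switch("192.168.20.254", [("10.229.2.0/24", "10.229.0.1")])
    out["static_vs_connected"] = rt.lookup(vlan802_host)
    out["static_vs_connected_internet"] = rt.lookup(internet, src=vlan802_host)

    # 4. Policy-based routing: only vlan 802 sources are steered to the ASA,
    #    the default route for everything else stays on 192.168.20.254.
    rt = build_switch("192.168.20.254")
    rt.add_policy("10.229.2.0/24", "10.229.0.1")
    out["pbr_vlan802"] = rt.lookup(internet, src=vlan802_host)
    out["pbr_mgmt_switch"] = rt.lookup(internet, src="192.168.20.223")
    return out


if __name__ == "__main__":
    for name, hop in scenarios().items():
        print(f"{name:32s} -> {hop}")
```

One caveat the model reproduces faithfully: `set ip next-hop` applies to every packet matching the route-map's access-list, whatever its destination, so in scenario 4 a host in 10.229.2.0/24 sending to the management subnet would also be handed to 10.229.0.1. If that matters, the standard access-list should deny such destinations before the permit, or the policy should use a route-map sequence that only matches non-local traffic.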
