ASA 5525 vlan interface traffic not working

Maddhattr
Level 1

I am working on configuring a pair of Cisco ASA 5525 and I am running into some trouble. I have done the basic configuration and have a management interface and HA setup without issue. Now I am trying to configure some VLAN sub-interfaces but cannot get them to pass traffic. I am familiar with Cisco switches, Palo Alto firewalls and WatchGuard firewalls.


Basic setup is two Cisco switches for redundancy connected to the ASA on interfaces 2 and 3, set as a redundant interface. The switch connections to the ASA are set as trunk interfaces with the proper VLANs allowed, similar to how I have set up other networks.


The ASA has the sub-interfaces configured with the correct VLANs and they show a status of UP in the home section of the ASDM. However, I cannot ping the interface IP address, nor can I pass traffic to another VLAN interface. I also cannot pass any external traffic. I am sure it is something simple that I am missing.


Any help or advice would be great! I can post a copy of the ASA config if needed. Thanks


5 Replies

rmfalconer
Level 1

Yes, the relevant ASA and switch configuration snips would be helpful.

Here are the interface ports on the switch that is connected to the FW:

interface GigabitEthernet1/0/3
description FEP1 N1
switchport trunk native vlan 888
switchport trunk allowed vlan 413-415,417
switchport mode trunk
spanning-tree portfast disable
!
interface GigabitEthernet1/0/4
description FEP1 N2
switchport trunk native vlan 888
switchport trunk allowed vlan 413-415,417
switchport mode trunk
spanning-tree portfast disable
!
interface GigabitEthernet1/0/5
description FEP2 N1
switchport trunk native vlan 888
switchport trunk allowed vlan 413-415,417
switchport mode trunk
spanning-tree portfast disable
!
interface GigabitEthernet1/0/6
description FEP2 N2
switchport trunk native vlan 888
switchport trunk allowed vlan 413-415,417
switchport mode trunk
spanning-tree portfast disable
!
interface GigabitEthernet1/0/23
description "FW1 P3"
switchport trunk allowed vlan 413-417,904
switchport mode dot1q-tunnel
no cdp enable
spanning-tree portfast disable
!
interface GigabitEthernet1/0/24
description "FW2 P3"
switchport trunk allowed vlan 413-417,904
switchport mode trunk
spanning-tree portfast disable


Here are the ASA settings:


ASA Version 9.8(2)
!
hostname FW01

!
interface GigabitEthernet0/0
description Interface for external ISP 1
nameif ISP01
security-level 0
zone-member Z0-Public
ip address 192.168.40.33 255.255.254.0
!
interface GigabitEthernet0/0.904
description MGMT
vlan 904
nameif MGMT
security-level 100
no ip address
!
interface GigabitEthernet0/1
description Interface for external ISP 2
shutdown
nameif ISP02
security-level 0
zone-member Z0-Public
no ip address
!
interface Redundant4
member-interface GigabitEthernet0/2
member-interface GigabitEthernet0/3
nameif REDUNDANT
security-level 0
no ip address
!
interface Redundant4.413
vlan 413
nameif HM-PHYS
security-level 60
ip address 192.168.13.1 255.255.255.0
!
interface Redundant4.414
vlan 414
nameif HM-AD
security-level 70
ip address 192.168.14.1 255.255.255.0
!
interface Redundant4.415
vlan 415
nameif HM-DMZ
security-level 50
ip address 192.168.15.1 255.255.255.0
!
interface Redundant4.416
vlan 416
nameif HM-PLNT
security-level 20
ip address 192.168.16.1 255.255.255.0
!
interface Redundant4.417
vlan 417
nameif HM-FEP
security-level 80
ip address 192.168.17.1 255.255.255.0
!
object network FEPA
host 192.168.17.21
description FEPA
object network FEPA-NAT
host 10.116.251.93
description NAT for PLNT access by the FEP
object network FEPB-NAT
host 10.116.251.94
description NAT for PLNT access from FEPB
object network FEPB
host 192.168.17.22
description FEPB
object network HERMDC1
host 192.168.14.15
description DC1
object network HERMDC2
host 192.168.14.16
description DC2
object network HMPHFEPA
host 192.168.13.21
description Physical FEP server A
object network HMPHFEPB
host 192.168.13.22
description Physical FEP server B
object network HM-EMS-SW01
host 192.168.104.201
object network HM-EMS-SW02
host 192.168.104.202
object network HERM-FW02
host 192.168.104.102
object network HERM-FW01
host 192.168.104.101
object network HM-ISP-SW01
host 192.168.104.205
object network HM-ISP-SW02
host 192.168.104.206
object network PHYS-GW
host 192.168.13.1
object network AD-GW
host 192.168.14.1
object-group network DM_INLINE_NETWORK_1
network-object object HMPHFEPA
network-object object HMPHFEPB
object-group network DM_INLINE_NETWORK_2
network-object object HERMDC1
network-object object HERMDC2
object-group network DM_INLINE_NETWORK_3
network-object object FEPA
network-object object FEPB
object-group network DM_INLINE_NETWORK_4
network-object object HERMDC1
network-object object HERMDC2
object-group network DM_INLINE_NETWORK_5
network-object object HMPHFEPA
network-object object HMPHFEPB
object-group network DM_INLINE_NETWORK_6
network-object object HERMDC1
network-object object HERMDC2
object-group network DM_INLINE_NETWORK_7
network-object object HMPHFEPA
network-object object HMPHFEPB
object-group network DM_INLINE_NETWORK_8
network-object object HERMDC1
network-object object HERMDC2
object-group network DM_INLINE_NETWORK_9
network-object object HMPHFEPA
network-object object HMPHFEPB
access-list PLNT_access_in_1 remark Allows communication from FEPA to the PLNT network
access-list PLNT_access_in_1 extended permit ip object FEPA 192.168.251.64 255.255.255.224
access-list PLNT_access_in_1 remark Allows communication from FEPB to the PLNT network
access-list PLNT_access_in_1 extended permit ip object FEPB 192.168.251.64 255.255.255.224
access-list PHYS_access_out extended permit ip object-group DM_INLINE_NETWORK_5 192.168.14.0 255.255.255.0
access-list PHYS_access_out extended permit ip any any
access-list HERM-AD-SVR_access_in extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
access-list HERM-AD-SVR_access_in extended permit ip object-group DM_INLINE_NETWORK_3 object-group DM_INLINE_NETWORK_4
access-list HERM-AD-SVR_access_out extended permit ip object-group DM_INLINE_NETWORK_6 object-group DM_INLINE_NETWORK_7
access-list PHYS_access_in extended permit ip object-group DM_INLINE_NETWORK_8 object-group DM_INLINE_NETWORK_9
access-list PHYS_access_in extended permit ip any any
access-list AD_access_out extended permit ip 192.168.14.0 255.255.255.0 192.168.13.0 255.255.255.0
access-list AD_access_out extended permit ip any any
access-list AD_access_in extended permit ip any any
access-list HERM-PHYS_access_out extended permit ip any any
access-list HERM-PHYS_access_in extended permit ip any any


In the switch config, ports 23 and 24 go to gig0/3 on each firewall? Based on the redundant config, gig0/2 on the firewall will be the active interface. 

Is Q-in-Q configured on gig0/23 for a specific reason?

What does spanning tree for one of the vlans look like on each switch?


I have updated the configs for the switch ports. They no longer have spanning tree portfast disable on them. This seems to have solved the issue of ping and interface traffic. I discovered this when going through the questions you asked and checking my connections. I removed the cable to FW1 P3 and had ping all of a sudden.


interface GigabitEthernet1/0/23
description "FW1 P3"
switchport trunk native vlan 888
switchport trunk allowed vlan 413-417,904
switchport mode trunk
!
interface GigabitEthernet1/0/24
description "FW2 P3"
switchport trunk native vlan 888
switchport trunk allowed vlan 413-417,904
switchport mode trunk


Originally I had planned to set the interfaces up as an EtherChannel but could not get that to work and figured redundant ports would be easier to configure. I left some settings on SW01 from when I had been configuring that. Now I just have to figure out how to set up a tunnel and VPN, and make some static routes. Can you point me to any good resources for that?


For example, does my route for external look correct? Ignore the fact that the address 40.1 is a private IP; this system is currently sitting behind another firewall.


route ISP01 0.0.0.0 0.0.0.0 192.168.40.1 1


Then I guess I have to work on NATs.
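The diagnosis in the accepted reply (the firewall-facing switch port in `dot1q-tunnel` mode, and the spanning-tree settings) and the corrected port configuration above can be turned into a repeatable check. The script below is an added example written for this thread, not code from the original poster or from Cisco: it parses the posted IOS and ASA interface stanzas, collects the VLAN ids of the ASA sub-interfaces on `Redundant4`, and flags any firewall-facing switch port that is not a plain 802.1Q trunk, does not allow every one of those VLANs, or has portfast disabled. The sample configs are constructed from the thread's snippets, and the port names in `FW_PORTS` and the finding codes are assumptions of this example.

```python
# Constructed sample: the two firewall-facing switch ports as first posted (before the fix).
SWITCH_BEFORE = """\
interface GigabitEthernet1/0/23
 description "FW1 P3"
 switchport trunk allowed vlan 413-417,904
 switchport mode dot1q-tunnel
 no cdp enable
 spanning-tree portfast disable
!
interface GigabitEthernet1/0/24
 description "FW2 P3"
 switchport trunk allowed vlan 413-417,904
 switchport mode trunk
 spanning-tree portfast disable
"""

# Constructed sample: the same ports after the change described in the thread.
SWITCH_AFTER = """\
interface GigabitEthernet1/0/23
 description "FW1 P3"
 switchport trunk native vlan 888
 switchport trunk allowed vlan 413-417,904
 switchport mode trunk
!
interface GigabitEthernet1/0/24
 description "FW2 P3"
 switchport trunk native vlan 888
 switchport trunk allowed vlan 413-417,904
 switchport mode trunk
"""

# Constructed sample: the ASA side, trimmed to the VLAN sub-interfaces on the redundant pair.
ASA_CONFIG = """\
interface Redundant4
 member-interface GigabitEthernet0/2
 member-interface GigabitEthernet0/3
 nameif REDUNDANT
!
interface Redundant4.413
 vlan 413
 nameif HM-PHYS
!
interface Redundant4.414
 vlan 414
 nameif HM-AD
!
interface Redundant4.415
 vlan 415
 nameif HM-DMZ
!
interface Redundant4.416
 vlan 416
 nameif HM-PLNT
!
interface Redundant4.417
 vlan 417
 nameif HM-FEP
"""

# Assumed for this example: the switch ports that cable to the ASA's redundant members.
FW_PORTS = {"GigabitEthernet1/0/23", "GigabitEthernet1/0/24"}


def stanzas(config):
    """Split an IOS/ASA config into (interface name, [sub-lines]) pairs."""
    name, lines = None, []
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            if name is not None:
                yield name, lines
            name, lines = line.split(None, 1)[1], []
        elif name is not None and line and line != "!":
            lines.append(line)
    if name is not None:
        yield name, lines


def expand_vlans(spec):
    """'413-415,417' -> {413, 414, 415, 417}."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def asa_subinterface_vlans(asa_config, parent):
    """VLAN ids carried by the sub-interfaces of `parent` (e.g. 'Redundant4')."""
    return {
        int(l.split()[1])
        for name, lines in stanzas(asa_config) if name.startswith(parent + ".")
        for l in lines if l.startswith("vlan ")
    }


def check_firewall_ports(switch_config, fw_ports, needed_vlans):
    """Return (port, code, detail) findings for the switch ports that face the ASA."""
    findings = []
    for name, lines in stanzas(switch_config):
        if name not in fw_ports:
            continue
        mode = next((l.split()[-1] for l in lines if l.startswith("switchport mode ")), None)
        if mode != "trunk":
            # dot1q-tunnel (Q-in-Q) pushes an outer tag, so the ASA's 802.1Q tags are never
            # matched against its sub-interfaces; an access port strips the tag entirely.
            findings.append((name, "mode", f"switchport mode is {mode or 'not set'}, expected trunk"))
        allowed = next((expand_vlans(l.split()[-1]) for l in lines
                        if l.startswith("switchport trunk allowed vlan ")), set())
        missing = sorted(needed_vlans - allowed)
        if missing:
            findings.append((name, "allowed-vlan", f"trunk does not carry ASA VLANs {missing}"))
        if "spanning-tree portfast disable" in lines:
            # Without portfast the port sits in listening/learning (2 x forward delay,
            # 30 s by default) after every link change before it forwards a frame.
            findings.append((name, "portfast", "STP forward delay applies after each link change"))
    return findings


if __name__ == "__main__":
    needed = asa_subinterface_vlans(ASA_CONFIG, "Redundant4")
    for label, cfg in (("before", SWITCH_BEFORE), ("after", SWITCH_AFTER)):
        print(f"--- {label} ---")
        for port, code, detail in check_firewall_ports(cfg, FW_PORTS, needed):
            print(f"{port}: [{code}] {detail}")
```

Run against the "before" config the check reports the Q-in-Q mode on Gi1/0/23 and the missing portfast on both ports; against the "after" config it reports nothing. Feeding it the full running configs (rather than the trimmed samples) is the intended use, since the VLAN set comes from the ASA side and is not typed by hand.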



Yes, that route does look correct. If you are just doing static routing, then it's pretty basic.

When you do get to setting up VPN, you'll want to have routes for the VPN traffic to access internal resources. This needs the keyword 'tunneled' included. It basically differentiates between traffic going through the firewall and traffic going through VPN.

Ex: route inside 0.0.0.0 0.0.0.0 x.x.x.x tunneled


The Cisco site has plenty of documentation about setting up VPN. You'll want to make sure you have the proper licensing in place for the number of clients you'll need. 'Sh Ver' will tell you how many you have.
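The two route forms discussed above (the plain default route and the `tunneled` default route for VPN traffic) can be sanity-checked before they are pasted into the ASA. The script below is an added example for this thread, not code from either poster or from Cisco: it parses `route <nameif> <network> <mask> <gateway> [metric] [tunneled]` lines, confirms that each next hop actually sits on the named interface's subnet, and warns if more than one tunneled default route is defined (the ASA accepts only one default tunnel gateway). The interface table is built from the addresses posted in the thread; the extra route lines, including the `192.168.14.254` VPN gateway, are constructed for the example.

```python
import ipaddress

# Constructed from the interface addresses posted in the thread: nameif -> interface address.
INTERFACES = {
    "ISP01": ipaddress.ip_interface("192.168.40.33/23"),
    "HM-PHYS": ipaddress.ip_interface("192.168.13.1/24"),
    "HM-AD": ipaddress.ip_interface("192.168.14.1/24"),
    "HM-FEP": ipaddress.ip_interface("192.168.17.1/24"),
}

# Constructed sample: the posted default route plus hypothetical lines that exercise each check.
ROUTES = """\
route ISP01 0.0.0.0 0.0.0.0 192.168.40.1 1
route HM-AD 0.0.0.0 0.0.0.0 192.168.14.254 tunneled
route HM-FEP 10.116.251.0 255.255.255.0 192.168.17.254 1
route HM-PHYS 172.16.0.0 255.255.0.0 192.168.99.1 1
"""


def parse_route(line):
    """Parse one ASA 'route' line into a dict; metric defaults to 1, tunneled to False."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "route":
        raise ValueError(f"not a route line: {line!r}")
    route = {
        "nameif": fields[1],
        "network": ipaddress.ip_network(f"{fields[2]}/{fields[3]}", strict=False),
        "gateway": ipaddress.ip_address(fields[4]),
        "metric": 1,
        "tunneled": False,
    }
    for tok in fields[5:]:
        if tok == "tunneled":
            route["tunneled"] = True
        elif tok.isdigit():
            route["metric"] = int(tok)
        else:
            raise ValueError(f"unexpected token {tok!r} in {line!r}")
    return route


def check_routes(route_text, interfaces):
    """Return (line, problem) pairs for routes that cannot work as written."""
    findings = []
    tunneled_defaults = 0
    for line in route_text.splitlines():
        if not line.strip():
            continue
        r = parse_route(line)
        iface = interfaces.get(r["nameif"])
        if iface is None:
            findings.append((line, f"unknown nameif {r['nameif']}"))
            continue
        # A static next hop must be directly reachable on the egress interface's subnet.
        if r["gateway"] not in iface.network:
            findings.append((line, f"next hop {r['gateway']} is not on {r['nameif']} ({iface.network})"))
        if r["tunneled"] and r["network"].prefixlen == 0:
            tunneled_defaults += 1
    # The ASA allows a single default tunnel gateway; a second one is a configuration error.
    if tunneled_defaults > 1:
        findings.append(("(global)", "more than one tunneled default route"))
    return findings


if __name__ == "__main__":
    for line, problem in check_routes(ROUTES, INTERFACES):
        print(f"{line}\n    -> {problem}")
```

The posted route `route ISP01 0.0.0.0 0.0.0.0 192.168.40.1 1` passes because 192.168.40.1 lies inside the /23 on ISP01; the constructed HM-PHYS line fails because its next hop is on a different subnet from the interface.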
