09-02-2012 03:03 AM - edited 03-11-2019 04:48 PM
Hi there,
I have a problem with routing on an ASA 5505.
Here is a brief explanation of the topology:
DC Upstream IP: 77.246.165.141/30
ASA 5505 upstream to DC IP: 77.246.165.142/30 (interface outside).
There is a Cisco Switch connected to one of ASA Ethernet ports, forming Public/DMZ VLAN.
ASA 5505 Public VLAN interface ip: 31.24.36.1/26
Cisco 3750 Public VLAN interface ip: 31.24.36.62, default gateway: 31.24.36.1, IP Routing enabled on Switch.
From the Cisco Switch I can access the Internet with source ip: 31.24.36.62.
Now I have asked the DC for an additional subnet, 31.24.36.192/26, and they have routed it correctly towards the ASA outside interface IP: 77.246.165.142.
I have created an additional Public2 VLAN on the Switch with IP address 31.24.36.193/26.
On the ASA 5505 I added the route to this Public2 VLAN:
#route public 31.24.36.192 255.255.255.192 31.24.36.62 1
Now the problem is that from the Switch, with source IP 31.24.36.193, I can ping the ASA 5505 Public VLAN IP 31.24.36.1, so the routing between subnets 31.24.36.0/26 and 31.24.36.192/26 is working OK on both the ASA 5505 and the Switch.
But I can't access the Internet from the Switch with source IP 31.24.36.193.
09-02-2012 06:42 AM
Hi.
Is any NAT/PAT-related config missing on the ASA for the new subnet?
Post the sanitized configs from ASA & Switch.
Thx
MS
09-02-2012 12:11 PM
Hello Vladimir,
What version are you running? I do not think you have any NAT, as you are already playing with a public range.
Do you have any ACL applied to the public interface on the ASA?
Can you place here the Configuration from both devices?
Regards,
Julio
09-07-2012 01:43 AM
Thanks for the replies.
I am running:
Cisco Adaptive Security Appliance Software Version 8.2(2)
As for the NAT configuration, there is NAT configured between the outside interface IP and the internal subnet:
global (outside) 1 interface
nat (inside) 1 192.168.X.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
There is also a NAT exemption configured because of the site-to-site IPsec VPN that we have:
nat (inside) 0 access-list inside_nat0_outbound1
access-list inside_nat0_outbound1 extended permit ip any 192.168.X.0 255.255.255.0
access-list inside_nat0_outbound1 extended permit ip 192.168.X.0 255.255.255.0 OtherSiteLAN 255.255.255.0
access-list inside_nat0_outbound1 extended permit ip any 192.168.X.240 255.255.255.248
access-list inside_nat0_outbound1 extended permit ip 192.168.X.0 255.255.255.128 OtherSiteLAN 255.255.255.0
I don't have any ACL configured on the public interface in either direction.
Here is the configuration on the Switch regarding this scenario:
!
interface FastEthernet2/0/X
description Access Port for Public Subnet(31.24.32.0/26) to ASA
switchport access vlan 500
switchport mode access
!
interface Vlan500
description Public VLAN 1
ip address 31.24.36.62 255.255.255.192
!
interface Vlan510
description Public VLAN 2
ip address 31.24.36.193 255.255.255.192
!
ip route 0.0.0.0 0.0.0.0 31.24.36.1
Here is the output when pinging the ASA public interface IP with source IP address 31.24.36.193 (VLAN 510):
SWITCH#ping 31.24.36.1 source vlan 510
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 31.24.36.1, timeout is 2 seconds:
Packet sent with a source address of 31.24.36.193
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
And here is what happens when I try to ping an Internet host:
SWITCH#ping 8.8.8.8 source vlan 510
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 31.24.36.193
.....
Success rate is 0 percent (0/5)
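The two questions raised so far are whether the new subnet is covered by any NAT statement and whether the forward and return paths actually line up. As an added example (not code from the thread or from Cisco), the script below models the topology from the posts (DC router, ASA 5505, 3750, the route public line and the two nat (inside) lines) and answers both: it traces 31.24.36.193 -> 8.8.8.8 and the reply hop by hop with longest-prefix matching, checks that the reply crosses the same devices in reverse order (a stateful firewall requires that), and reports which ASA 8.2 dynamic NAT IDs match a packet for a given ingress interface. The DC's own upstream next hop 198.51.100.1 is an assumed placeholder, and 192.168.0.0/24 stands in for the sanitized 192.168.X.0/24.

```python
import ipaddress

# Constructed model of the topology posted in the thread. 198.51.100.1 is an
# assumed placeholder for the DC router's upstream; 192.168.0.0/24 stands in
# for the sanitized inside network 192.168.X.0/24.
ADDRESSES = {
    "switch": {"31.24.36.62", "31.24.36.193"},
    "asa": {"31.24.36.1", "77.246.165.142", "192.168.0.1"},
    "dc": {"77.246.165.141"},
}

# (prefix, next hop or None if directly connected, egress interface)
ROUTES = {
    "switch": [
        ("31.24.36.0/26", None, "Vlan500"),
        ("31.24.36.192/26", None, "Vlan510"),
        ("0.0.0.0/0", "31.24.36.1", "Vlan500"),        # ip route 0.0.0.0 0.0.0.0 31.24.36.1
    ],
    "asa": [
        ("192.168.0.0/24", None, "inside"),
        ("31.24.36.0/26", None, "public"),
        ("77.246.165.140/30", None, "outside"),
        ("31.24.36.192/26", "31.24.36.62", "public"),  # route public 31.24.36.192 ... 31.24.36.62
        ("0.0.0.0/0", "77.246.165.141", "outside"),
    ],
    "dc": [
        ("77.246.165.140/30", None, "asa-link"),
        ("31.24.36.0/26", "77.246.165.142", "asa-link"),
        ("31.24.36.192/26", "77.246.165.142", "asa-link"),
        ("0.0.0.0/0", "198.51.100.1", "upstream"),     # assumed DC upstream
    ],
    "internet": [("0.0.0.0/0", "77.246.165.141", "transit")],
}

# ASA 8.2 dynamic NAT lines from the thread: (ingress interface, nat id, local prefix)
ASA_NAT = [
    ("inside", 1, "192.168.0.0/24"),   # nat (inside) 1 192.168.X.0 255.255.255.0
    ("inside", 1, "0.0.0.0/0"),        # nat (inside) 1 0.0.0.0 0.0.0.0
]


def owner_of(ip):
    """Device holding this address; anything not listed is treated as the Internet."""
    for dev, addrs in ADDRESSES.items():
        if ip in addrs:
            return dev
    return "internet"


def lookup(routes, dst):
    """Longest-prefix match over one device's routing table."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nh, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, iface)
    return best


def trace(start, dst):
    """Hop-by-hop path as (device, egress interface) tuples, ending where dst lives."""
    hops, dev = [], start
    for _ in range(10):                      # bound the walk in case of a routing loop
        if owner_of(dst) == dev:
            hops.append((dev, "local"))
            return hops
        route = lookup(ROUTES[dev], dst)
        if route is None:
            hops.append((dev, "no route"))
            return hops
        _net, nh, iface = route
        hops.append((dev, iface))
        dev = owner_of(dst if nh is None else nh)  # connected: deliver to dst's owner
    hops.append((dev, "loop"))
    return hops


def path_is_symmetric(fwd, rev):
    """A stateful firewall needs the reply to cross the same devices in reverse order."""
    return [d for d, _ in fwd] == [d for d, _ in reversed(rev)]


def nat_ids_for(ingress, src):
    """nat (ifc) N ... lines apply only to traffic that enters interface ifc."""
    src = ipaddress.ip_address(src)
    return sorted({nid for ifc, nid, pfx in ASA_NAT
                   if ifc == ingress and src in ipaddress.ip_network(pfx)})


if __name__ == "__main__":
    fwd = trace("switch", "8.8.8.8")
    rev = trace("internet", "31.24.36.193")
    print("out: ", fwd)
    print("back:", rev)
    print("symmetric:", path_is_symmetric(fwd, rev))
    print("NAT ids, 31.24.36.193 entering public:", nat_ids_for("public", "31.24.36.193"))
    print("NAT ids, 192.168.0.10 entering inside: ", nat_ids_for("inside", "192.168.0.10"))
```

Run as-is, the model shows both directions of the 8.8.8.8 ping traversing switch, ASA and DC symmetrically, with the reply entering the ASA on outside and leaving on public via 31.24.36.62. It also shows that the catch-all nat (inside) 1 0.0.0.0 0.0.0.0 matches nothing for a packet entering the public interface, since 8.2 NAT statements are scoped to their ingress interface; whether that matters depends on nat-control, which the thread has not yet established.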
09-07-2012 09:12 AM
Hello Vladimir,
Can you add the following command:
fixup protocol icmp
and provide us the result?
If this does not work I would like to check the entire config of both devices
Rate all the answers; that is more important for us than a thanks.
Julio
11-21-2012 04:39 AM
Hello,
sorry for the late response...
The command:
fixup protocol icmp
also didn't solve the problem.
Can this have anything to do with the Base license that this device has and its 3-VLAN limitation?
I have configured:
interface Vlan500
no forward interface Vlan1 <--Private VLAN