Cisco 2821 - ASA5520 - 3750G help

ddolbel (Level 1)

I need help.

Before – working, no problems.

At the moment my router is my DSL connection, and then a point-to-point link between the router and the switch with OSPF routing.

I'm trying to put a routed ASA 5520 between my router and switch for added protection, as you do...

I can get the links up and running and OSPF routing between the router and the ASA; however, when I enable the switch side the ASA becomes extremely slow and almost unresponsive. Not sure what is happening there, and I can't get any HTTP traffic to pass. I have an any-any rule on the interfaces, so that shouldn't be stopping it; the ASA is passing the OSPF routing to the router, as I can see the routes.

I'm hitting my head against the wall, so to speak; any assistance would be greatly appreciated.

Here are snippets of the relevant parts of the configs.

-------------------------------------------------------------------------------
router

interface Loopback0
description --- Loopback ---
ip address 10.100.0.1 255.255.255.255
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in

interface GigabitEthernet0/1
ip address 10.0.1.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
duplex full
speed 1000
no mop enabled
hold-queue 0 in

router ospf 1
router-id 10.100.0.1
log-adjacency-changes detail
network 10.0.0.0 0.0.0.255 area 1
network 10.0.1.1 0.0.0.0 area 1
network 10.0.1.0 0.0.0.3 area 1
network 10.0.99.0 0.0.0.15 area 1
network 10.100.0.1 0.0.0.0 area 1

-------------------------------------------------------------------------------

ASA

-------------------------------------------------------------------------------
ASA# sh run
: Saved
:
ASA Version 8.4(2)
!

hostname ASA
domain-name domain.com
names
!

interface GigabitEthernet0/0
speed 1000
duplex full
nameif outside
security-level 0
ip address 10.0.1.2 255.255.255.252
!

interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!

interface GigabitEthernet0/2
shutdown
no nameif   
no security-level
no ip address
!

interface GigabitEthernet0/3
speed 1000
duplex full
nameif inside
security-level 100
ip address 10.0.11.1 255.255.255.252
!

interface Management0/0
speed 100
duplex full
nameif management
security-level 0
ip address 10.1.0.3 255.255.255.0
!

boot system disk0:/asa842-k8.bin
ftp mode passive
clock timezone AEST 10
clock summer-time AEDT recurring 1 Sun Oct 2:00 1 Sun Apr 3:00
object-group icmp-type Ping
icmp-object echo
icmp-object echo-reply
icmp-object unreachable
access-list outside_access_in extended permit ip any any log
access-list outside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit ip any any log
access-list inside_access_in extended permit tcp any any eq www
access-list global_access extended permit ip any any
pager lines 24
logging trap errors
logging host inside 10.27.134.28
logging host inside 10.55.7.94
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-645-206.bin
asdm history enable
arp timeout 14400
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group global_access global
!

router ospf 1
router-id 10.0.11.1
network 10.0.1.2 255.255.255.255 area 1
network 10.0.1.0 255.255.255.252 area 1
network 10.0.11.1 255.255.255.255 area 1
network 10.0.11.0 255.255.255.252 area 1
log-adj-changes
!

route outside 0.0.0.0 255.255.255.255 10.0.1.1 1
route inside 10.0.0.0 255.0.0.0 10.0.11.2 1
route management 10.122.0.200 255.255.255.255 10.122.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.122.0.10
key *****
aaa-server TACACS+ (inside) host 10.122.0.20
key *****
user-identity default-domain LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authentication http console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL
aaa accounting command TACACS+
http server enable
http 10.122.0.200 255.255.255.255 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet 10.122.0.200 255.255.255.255 management
telnet timeout 5
ssh 10.122.0.200 255.255.255.255 management
ssh timeout 5
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password <removed> privilege 15
!

class-map inspection_default
match default-inspection-traffic
!

!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny 
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip 
inspect xdmcp
inspect icmp
inspect http
class class-default
user-statistics accounting
!

service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:64d0fef2ddc6fddf66f51f3f1da15d78

end

-------------------------------------------------------------------------------

Switch

interface Loopback0
ip address 10.100.0.2 255.255.255.255

interface GigabitEthernet0/1
no switchport
ip address 10.0.11.2 255.255.255.252
logging event link-status
logging event trunk-status
logging event status
power inline never
speed 1000
duplex full
flowcontrol receive desired

router ospf 1
router-id 10.100.0.2
log-adjacency-changes detail
redistribute connected
network 10.0.1.2 0.0.0.0 area 1
network 10.0.11.0 0.0.0.3 area 1
network 10.122.0.0 0.0.0.255 area 1
network 10.27.0.0 0.0.0.255 area 1
network 10.38.0.0 0.0.0.255 area 1
network 10.41.0.0 0.0.0.255 area 1
network 10.52.0.0 0.0.0.255 area 1
network 10.68.0.0 0.0.0.255 area 1
network 10.79.0.0 0.0.0.255 area 1
network 10.100.0.2 0.0.0.0 area 1

ip route 0.0.0.0 0.0.0.0 10.0.11.1

-------------------------------------------------------------------------------

Thanks for your time and effort.
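The three boxes write their OSPF network statements two different ways (IOS wildcard masks on the 2821 and the 3750G, plain subnet masks on the ASA), which makes it easy to lose track of which interface each statement actually pulls into area 1. The script below is an added example, not part of the thread: it parses both styles, reports the most specific statement covering each interface address, and lists statements that match no interface on that device. Interface addresses are taken from the posted snippets and from the `sh ip route` outputs later in the thread (the router's Tunnel0, Loopback99 and Content-Engine1/0 and the switch's VLAN SVIs appear only there). The "most specific statement wins" rule and the omission of `redistribute connected` are simplifying assumptions of the example.

```python
import ipaddress

# Interface addresses as posted in the thread (config snippets plus the
# "sh ip route" outputs). Constructed input for this example.
INTERFACES = {
    "router": {
        "Loopback0": "10.100.0.1", "GigabitEthernet0/1": "10.0.1.1",
        "Tunnel0": "10.0.0.1", "Loopback99": "10.0.99.1", "Content-Engine1/0": "10.0.2.1",
    },
    "asa": {"outside": "10.0.1.2", "inside": "10.0.11.1", "management": "10.1.0.3"},
    "switch": {
        "Loopback0": "10.100.0.2", "GigabitEthernet0/1": "10.0.11.2",
        **{f"Vlan{i}": f"10.{i}.0.1" for i in range(1, 10)},  # SVIs from the switch's routing table
    },
}

# OSPF "network" statements as posted. IOS takes a wildcard mask, the ASA a subnet mask.
NETWORK_STATEMENTS = {
    "router": ("wildcard", [
        "network 10.0.0.0 0.0.0.255 area 1",
        "network 10.0.1.1 0.0.0.0 area 1",
        "network 10.0.1.0 0.0.0.3 area 1",
        "network 10.0.99.0 0.0.0.15 area 1",
        "network 10.100.0.1 0.0.0.0 area 1",
    ]),
    "asa": ("mask", [
        "network 10.0.1.2 255.255.255.255 area 1",
        "network 10.0.1.0 255.255.255.252 area 1",
        "network 10.0.11.1 255.255.255.255 area 1",
        "network 10.0.11.0 255.255.255.252 area 1",
    ]),
    "switch": ("wildcard", [
        "network 10.0.1.2 0.0.0.0 area 1",
        "network 10.0.11.0 0.0.0.3 area 1",
        "network 10.122.0.0 0.0.0.255 area 1",
        "network 10.27.0.0 0.0.0.255 area 1",
        "network 10.38.0.0 0.0.0.255 area 1",
        "network 10.41.0.0 0.0.0.255 area 1",
        "network 10.52.0.0 0.0.0.255 area 1",
        "network 10.68.0.0 0.0.0.255 area 1",
        "network 10.79.0.0 0.0.0.255 area 1",
        "network 10.100.0.2 0.0.0.0 area 1",
    ]),
}


def prefixlen_from_mask(mask, wildcard):
    """Turn a dotted subnet mask, or an IOS wildcard mask, into a prefix length.

    IOS accepts non-contiguous wildcards; this check deliberately rejects them
    so that an odd mask is surfaced instead of silently matched.
    """
    bits = int(ipaddress.IPv4Address(mask))
    if wildcard:
        bits ^= 0xFFFFFFFF  # wildcard ("don't care" bits) -> subnet mask
    ones = bin(bits).count("1")
    if bits != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous mask {mask}")
    return ones


def parse_network(stmt, style):
    """'network A M area N' -> (IPv4Network, area) for either mask style."""
    _, addr, mask, _, area = stmt.split()
    plen = prefixlen_from_mask(mask, style == "wildcard")
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False), area


def coverage(device):
    """For each interface: (matching network, area) of the most specific statement, or None."""
    style, stmts = NETWORK_STATEMENTS[device]
    nets = [parse_network(s, style) for s in stmts]
    result = {}
    for ifname, addr in INTERFACES[device].items():
        ip = ipaddress.IPv4Address(addr)
        matches = [(net, area) for net, area in nets if ip in net]
        if matches:
            net, area = max(matches, key=lambda m: m[0].prefixlen)  # assumed: most specific wins
            result[ifname] = (str(net), area)
        else:
            result[ifname] = None
    return result


def unused_statements(device):
    """Network statements that match none of the device's own interface addresses."""
    style, stmts = NETWORK_STATEMENTS[device]
    addrs = [ipaddress.IPv4Address(a) for a in INTERFACES[device].values()]
    return [s for s in stmts if not any(ip in parse_network(s, style)[0] for ip in addrs)]


if __name__ == "__main__":
    for dev in INTERFACES:
        print(f"== {dev}")
        for ifname, hit in coverage(dev).items():
            print(f"  {ifname:20} {hit if hit else 'not covered by any network statement'}")
        for s in unused_statements(dev):
            print(f"  unused: {s}")
```

Run it and the report shows, among other things, that no ASA statement covers the management address 10.1.0.3, that the router's Content-Engine1/0 address is outside every router statement, and that the switch carries a `network 10.0.1.2 0.0.0.0` line that matches nothing on the switch (10.0.1.2 is the ASA's outside address).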

20 Replies

Julio Carvajal (VIP Alumni)

Hello,

The ASA has a permit IP on both interfaces; NAT control is not enabled (as is the default on this version).

Please provide the following answers:

1. I guess all traffic is working (traversing the 3 devices) except for HTTP traffic being generated behind the ASA, right?

I would take out the HTTP inspection, because that adds some deep packet inspection for the HTTP protocol that can cause some delays for that traffic.

    no fixup protocol http

2. Are you using a public DNS?

Regards.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

G'day,

Thanks for the reply. Yes, all other traffic appears to be traversing except HTTP.

Will try the no fixup protocol http and let you know.

I'm using inside DNS servers (x4); they go outside if needed.

Thanks again for your reply.

Hello,

Yes, let me know, and let's use an outside DNS server.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio, thank you so much for your assistance thus far.

OK, here is an update: I tried the no fixup as you said, and still no change.

And public DNS isn't working either.

One thing I didn't notice: I can't ping to the web, i.e. from a host on the inside I can't ping 8.8.8.8.

On the router I can.

Here is my latest ASA config.

ASA# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname ASA
domain-name domain.com
names
!
interface GigabitEthernet0/0
speed 1000
duplex full
nameif outside
security-level 0
ip address 10.0.1.2 255.255.255.252
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
speed 1000
duplex full
nameif inside
security-level 100
ip address 10.0.11.1 255.255.255.252
!
interface Management0/0
speed 100
duplex full
nameif management
security-level 0
ip address 10.1.0.3 255.255.255.0
!
boot system disk0:/asa842-k8.bin
ftp mode passive
clock timezone AEST 10
clock summer-time AEDT recurring 1 Sun Oct 2:00 1 Sun Apr 3:00
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.122.0.10
name-server 10.122.0.20
domain-name domain.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group icmp-type Ping
icmp-object echo
icmp-object echo-reply
icmp-object unreachable
access-list outside_access_in extended permit ip any any log
access-list outside_access_in extended permit tcp any any eq www
access-list outside_access_in extended permit icmp any any object-group Ping
access-list inside_access_in extended permit ip any any log
access-list inside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit icmp any any object-group Ping
pager lines 24
logging trap errors
logging host inside 10.122.0.30
logging host inside 10.122.0.10
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-645-206.bin
asdm history enable
arp timeout 14400
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
!
router ospf 1
router-id 10.0.11.1
network 10.0.1.2 255.255.255.255 area 1
network 10.0.1.0 255.255.255.252 area 1
network 10.0.11.1 255.255.255.255 area 1
network 10.0.11.0 255.255.255.252 area 1
log-adj-changes detail
!
route outside 0.0.0.0 255.255.255.255 10.0.1.1 1
route inside 10.0.0.0 255.255.255.255 10.0.11.2 1
route management 10.122.0.200 255.255.255.255 10.122.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.122.0.10
key *****
aaa-server TACACS+ (inside) host 10.122.0.20
key *****
user-identity default-domain LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authentication http console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL
aaa accounting command TACACS+
http server enable
http 10.122.0.200 255.255.255.255 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet 10.122.0.200 255.255.255.255 management
telnet timeout 5
ssh 10.122.0.200 255.255.255.255 management
ssh timeout 60
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.0.1.1 source outside
ntp server 10.1.0.1 source inside prefer
webvpn
username admin password encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
class class-default
  user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:eeb3971cd7bac746abef319b53a5a9c1
: end

Hello,

- Can you ping from the ASA to 8.8.8.8?
- Can you ping from the switch to 8.8.8.8?
- Please provide sh route on the ASA.
- Please provide sh ip route on the router.
- Please provide sh ip route on the switch.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio,

Thanks so much again for your assistance. Here is the info you requested.

- Can you ping from the ASA to 8.8.8.8?

No; initially my outside route was set incorrectly. It was:

route inside 10.0.0.0 255.255.255.255 10.0.11.2 1

Upon pinging 8.8.8.8:

ASA(config)# ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
No route to host 8.8.8.8
Success rate is 0 percent (0/1)

I changed my outside route to:

route outside 0.0.0.0 0.0.0.0 10.0.1.1 1

Now pinging:

ASA# ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 150/152/160 ms

- Can you ping from the switch to 8.8.8.8? NO

SWITCH#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

- Please provide sh route on the ASA

ASA# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 10.0.1.1 to network 0.0.0.0

C    10.0.11.0 255.255.255.252 is directly connected, inside
O    10.0.0.2 255.255.255.255 [110/1010] via 10.0.1.1, 0:04:36, outside
O    10.2.0.0 255.255.255.0 [110/11] via 10.0.11.2, 0:04:36, inside
O    10.0.0.3 255.255.255.255 [110/1010] via 10.0.1.1, 0:04:36, outside
O    10.3.0.0 255.255.255.0 [110/11] via 10.0.11.2, 0:04:36, inside
S    10.0.0.0 255.0.0.0 [1/0] via 10.0.11.2, inside
O    10.0.0.1 255.255.255.255 [110/10] via 10.0.1.1, 0:04:36, outside
C    10.0.1.0 255.255.255.252 is directly connected, outside
C    10.1.0.0 255.255.255.0 is directly connected, management
O    10.6.0.0 255.255.255.0 [110/11] via 10.0.11.2, 0:04:36, inside
O    10.7.0.0 255.255.255.0 [110/11] via 10.0.11.2, 0:04:36, inside
O    10.0.0.4 255.255.255.255 [110/1010] via 10.0.1.1, 0:04:36, outside
O    10.4.0.0 255.255.255.0 [110/11] via 10.0.11.2, 0:04:36, inside
O    10.5.0.0 255.255.255.0 [110/11] via 10.0.11.2, 0:04:36, inside
O    10.62.0.0 255.255.255.0 [110/1012] via 10.0.1.1, 0:04:37, outside
O    10.60.0.2 255.255.255.255 [110/1012] via 10.0.1.1, 0:04:37, outside
O    10.63.0.0 255.255.255.0 [110/1012] via 10.0.1.1, 0:04:37, outside
O    10.0.60.0 255.255.255.252 [110/1011] via 10.0.1.1, 0:04:37, outside
O    10.61.0.0 255.255.255.0 [110/1012] via 10.0.1.1, 0:04:37, outside
O    10.60.0.1 255.255.255.255 [110/1011] via 10.0.1.1, 0:04:37, outside
O    10.74.0.0 255.255.255.0 [110/1012] via 10.0.1.1, 0:04:37, outside
O    10.75.0.0 255.255.255.0 [110/1012] via 10.0.1.1, 0:04:37, outside
O    10.72.0.0 255.255.255.0 [110/1012] via 10.0.1.1, 0:04:37, outside
O    10.73.0.0 255.255.255.0 [110/1012] via 10.0.1.1, 0:04:37, outside
O    10.76.0.0 255.255.255.0 [110/1012] via 10.0.1.1, 0:04:37, outside
O    10.0.77.1 255.255.255.255 [110/1011] via 10.0.1.1, 0:04:37, outside
O    10.77.0.0 255.255.255.0 [110/1012] via 10.0.1.1, 0:04:37, outside
O    10.66.0.0 255.255.255.0 [110/1012] via 10.0.1.1, 0:04:37, outside
O    10.67.0.0 255.255.255.0 [110/1012] via 10.0.1.1, 0:04:37, outside
O    10.0.66.1 255.255.255.255 [110/1011] via 10.0.1.1, 0:04:37, outside
O    10.64.0.0 255.255.255.0 [110/1012] via 10.0.1.1, 0:04:37, outside
O    10.65.0.0 255.255.255.0 [110/1012] via 10.0.1.1, 0:04:37, outside
O    10.0.70.0 255.255.255.252 [110/1011] via 10.0.1.1, 0:04:37, outside
O    10.71.0.0 255.255.255.0 [110/1012] via 10.0.1.1, 0:04:37, outside
O    10.70.0.1 255.255.255.255 [110/1011] via 10.0.1.1, 0:04:37, outside
O    10.70.0.2 255.255.255.255 [110/1012] via 10.0.1.1, 0:04:37, outside
O    10.0.88.1 255.255.255.255 [110/1011] via 10.0.1.1, 0:04:37, outside
O    10.82.0.0 255.255.255.0 [110/1012] via 10.0.1.1, 0:04:37, outside
O    10.80.0.2 255.255.255.255 [110/1012] via 10.0.1.1, 0:04:37, outside
O    10.83.0.0 255.255.255.0 [110/1012] via 10.0.1.1, 0:04:37, outside
O    10.0.80.0 255.255.255.252 [110/1011] via 10.0.1.1, 0:04:37, outside
O    10.81.0.0 255.255.255.0 [110/1012] via 10.0.1.1, 0:04:37, outside
O    10.80.0.1 255.255.255.255 [110/1011] via 10.0.1.1, 0:04:37, outside
O    10.86.0.0 255.255.255.0 [110/1012] via 10.0.1.1, 0:04:37, outside
O    10.84.0.0 255.255.255.0 [110/1012] via 10.0.1.1, 0:04:37, outside
O    10.85.0.0 255.255.255.0 [110/1012] via 10.0.1.1, 0:04:37, outside
O    10.0.99.1 255.255.255.255 [110/11] via 10.0.1.1, 0:04:37, outside
O    10.100.0.2 255.255.255.255 [110/11] via 10.0.11.2, 0:04:37, inside
O    10.100.0.1 255.255.255.255 [110/11] via 10.0.1.1, 0:04:37, outside
S    10.2.0.200 255.255.255.255 [1/0] via 10.2.0.1, management
S*   0.0.0.0 0.0.0.0 [1/0] via 10.0.1.1, outside

- Please provide sh ip route on the router

ROUTER#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, Dialer0
      10.0.0.0/8 is variably subnetted, 53 subnets, 4 masks
C        10.0.0.0/24 is directly connected, Tunnel0
L        10.0.0.1/32 is directly connected, Tunnel0
O        10.0.0.2/32 [110/1000] via 10.0.0.2, 1d23h, Tunnel0
O        10.0.0.3/32 [110/1000] via 10.0.0.3, 1d23h, Tunnel0
O        10.0.0.4/32 [110/1000] via 10.0.0.4, 1d23h, Tunnel0
C        10.0.1.0/30 is directly connected, GigabitEthernet0/1
L        10.0.1.1/32 is directly connected, GigabitEthernet0/1
C        10.0.2.0/30 is directly connected, Content-Engine1/0
L        10.0.2.1/32 is directly connected, Content-Engine1/0
O        10.0.11.0/30 [110/11] via 10.0.1.2, 00:05:45, GigabitEthernet0/1
O        10.0.60.0/30 [110/1001] via 10.0.0.2, 1d23h, Tunnel0
O        10.0.66.1/32 [110/1001] via 10.0.0.2, 1d23h, Tunnel0
O        10.0.70.0/30 [110/1001] via 10.0.0.4, 1d23h, Tunnel0
O        10.0.77.1/32 [110/1001] via 10.0.0.4, 1d23h, Tunnel0
O        10.0.80.0/30 [110/1001] via 10.0.0.3, 1d23h, Tunnel0
O        10.0.88.1/32 [110/1001] via 10.0.0.3, 1d23h, Tunnel0
C        10.0.99.0/28 is directly connected, Loopback99
L        10.0.99.1/32 is directly connected, Loopback99
O        10.1.0.0/24 [110/12] via 10.0.1.2, 00:05:45, GigabitEthernet0/1
O        10.2.0.0/24 [110/12] via 10.0.1.2, 00:05:45, GigabitEthernet0/1
O        10.3.0.0/24 [110/12] via 10.0.1.2, 00:05:45, GigabitEthernet0/1
O        10.4.0.0/24 [110/12] via 10.0.1.2, 00:05:45, GigabitEthernet0/1
O        10.5.0.0/24 [110/12] via 10.0.1.2, 00:05:45, GigabitEthernet0/1
O        10.6.0.0/24 [110/12] via 10.0.1.2, 00:05:45, GigabitEthernet0/1
O        10.7.0.0/24 [110/12] via 10.0.1.2, 00:05:45, GigabitEthernet0/1
O        10.60.0.1/32 [110/1001] via 10.0.0.2, 1d23h, Tunnel0
O        10.60.0.2/32 [110/1002] via 10.0.0.2, 1d23h, Tunnel0
O        10.61.0.0/24 [110/1002] via 10.0.0.2, 1d23h, Tunnel0
O        10.62.0.0/24 [110/1002] via 10.0.0.2, 1d23h, Tunnel0
O        10.63.0.0/24 [110/1002] via 10.0.0.2, 1d23h, Tunnel0
O        10.64.0.0/24 [110/1002] via 10.0.0.2, 1d23h, Tunnel0
O        10.65.0.0/24 [110/1002] via 10.0.0.2, 1d23h, Tunnel0
O        10.66.0.0/24 [110/1002] via 10.0.0.2, 1d23h, Tunnel0
O        10.67.0.0/24 [110/1002] via 10.0.0.2, 1d23h, Tunnel0
O        10.70.0.1/32 [110/1001] via 10.0.0.4, 1d23h, Tunnel0
O        10.70.0.2/32 [110/1002] via 10.0.0.4, 1d23h, Tunnel0
O        10.71.0.0/24 [110/1002] via 10.0.0.4, 1d23h, Tunnel0
O        10.72.0.0/24 [110/1002] via 10.0.0.4, 1d23h, Tunnel0
O        10.73.0.0/24 [110/1002] via 10.0.0.4, 1d23h, Tunnel0
O        10.74.0.0/24 [110/1002] via 10.0.0.4, 1d23h, Tunnel0
O        10.75.0.0/24 [110/1002] via 10.0.0.4, 1d23h, Tunnel0
O        10.76.0.0/24 [110/1002] via 10.0.0.4, 1d23h, Tunnel0
O        10.77.0.0/24 [110/1002] via 10.0.0.4, 1d23h, Tunnel0
O        10.80.0.1/32 [110/1001] via 10.0.0.3, 1d23h, Tunnel0
O        10.80.0.2/32 [110/1002] via 10.0.0.3, 1d23h, Tunnel0
O        10.81.0.0/24 [110/1002] via 10.0.0.3, 1d23h, Tunnel0
O        10.82.0.0/24 [110/1002] via 10.0.0.3, 1d23h, Tunnel0
O        10.83.0.0/24 [110/1002] via 10.0.0.3, 1d23h, Tunnel0
O        10.84.0.0/24 [110/1002] via 10.0.0.3, 1d23h, Tunnel0
O        10.85.0.0/24 [110/1002] via 10.0.0.3, 1d23h, Tunnel0
O        10.86.0.0/24 [110/1002] via 10.0.0.3, 1d23h, Tunnel0
C        10.100.0.1/32 is directly connected, Loopback0
O        10.100.0.2/32 [110/12] via 10.0.1.2, 00:05:45, GigabitEthernet0/1
      /32 is subnetted, 1 subnets
C        is directly connected, Dialer0
      /32 is subnetted, 1 subnets
C        is directly connected, Dialer0

- Please provide sh ip route on the switch

SWITCH#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 10.0.11.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.0.11.1
      10.0.0.0/8 is variably subnetted, 60 subnets, 3 masks
O        10.0.0.1/32 [110/11] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
O        10.0.0.2/32 [110/1011] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
O        10.0.0.3/32 [110/1011] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
O        10.0.0.4/32 [110/1011] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
O        10.0.1.0/30 [110/11] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
C        10.0.11.0/30 is directly connected, GigabitEthernet0/2
L        10.0.11.2/32 is directly connected, GigabitEthernet0/2
O        10.0.60.0/30 [110/1012] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
O        10.0.66.1/32 [110/1012] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
O        10.0.70.0/30 [110/1012] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
O        10.0.77.1/32 [110/1012] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
O        10.0.80.0/30 [110/1012] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
O        10.0.88.1/32 [110/1012] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
O        10.0.99.1/32 [110/12] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
C        10.1.0.0/24 is directly connected, Vlan1
L        10.1.0.1/32 is directly connected, Vlan1
C        10.2.0.0/24 is directly connected, Vlan2
L        10.2.0.1/32 is directly connected, Vlan2
C        10.3.0.0/24 is directly connected, Vlan3
L        10.3.0.1/32 is directly connected, Vlan3
C        10.4.0.0/24 is directly connected, Vlan4
L        10.4.0.1/32 is directly connected, Vlan4
C        10.5.0.0/24 is directly connected, Vlan5
L        10.5.0.1/32 is directly connected, Vlan5
C        10.6.0.0/24 is directly connected, Vlan6
L        10.6.0.1/32 is directly connected, Vlan6
C        10.7.0.0/24 is directly connected, Vlan7
L        10.7.0.1/32 is directly connected, Vlan7
C        10.8.0.0/24 is directly connected, Vlan8
L        10.8.0.1/32 is directly connected, Vlan8
C        10.9.0.0/24 is directly connected, Vlan9
L        10.9.0.1/32 is directly connected, Vlan9
O        10.60.0.1/32 [110/1012] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
O        10.60.0.2/32 [110/1013] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
O        10.61.0.0/24 [110/1013] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
O        10.62.0.0/24 [110/1013] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
O        10.63.0.0/24 [110/1013] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
O        10.64.0.0/24 [110/1013] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
O        10.65.0.0/24 [110/1013] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
O        10.66.0.0/24 [110/1013] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
O        10.67.0.0/24 [110/1013] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
O        10.70.0.1/32 [110/1012] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
O        10.70.0.2/32 [110/1013] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
O        10.71.0.0/24 [110/1013] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
O        10.72.0.0/24 [110/1013] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
O        10.73.0.0/24 [110/1013] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
O        10.74.0.0/24 [110/1013] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
O        10.75.0.0/24 [110/1013] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
O        10.76.0.0/24 [110/1013] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
O        10.77.0.0/24 [110/1013] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
O        10.80.0.1/32 [110/1012] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
O        10.80.0.2/32 [110/1013] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
O        10.81.0.0/24 [110/1013] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
O        10.82.0.0/24 [110/1013] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
O        10.83.0.0/24 [110/1013] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
O        10.84.0.0/24 [110/1013] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
O        10.85.0.0/24 [110/1013] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
O        10.86.0.0/24 [110/1013] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
O        10.100.0.1/32 [110/12] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
C        10.100.0.2/32 is directly connected, Loopback0

Thanks again for your help.

Hello,

Okay, it seems to be a routing issue, like the one you had on the ASA.

Before analyzing the routing tables of the devices, on the ASA provide the following output:

packet-tracer input inside icmp 10.11.1.2 8 0 8.8.8.8

Regards,

As soon as I get home I will reply to your next post!

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio,

ASA# packet-tracer input inside icmp 10.11.1.2 8 0 8.8.8.8

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any log
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 303, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

I also have a new problem: my management address is injecting 10.1.0.0 into OSPF, as it is connected.

I need to filter that out; I can't seem to find the passive-interface command anywhere.

Hello,

Can you ping from the switch to the router?

Regarding the management network on the ASA being advertised to the switch, I think that is the problem.

Here is how to filter networks in OSPF on an ASA:

http://www.petri.co.il/how-to-use-a-distribute-list-to-filter-out-routing-updates-in-cisco-ios.htm

Regards,

Rate post if it helps you!!

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Get rid of the 10/8 -> 10.0.11.2 inside static route and try again. OSPF looks like it's working correctly internally.

Sent from Cisco Technical Support iPad App
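Two static-route mistakes run through this thread: the first config's `route outside 0.0.0.0 255.255.255.255 10.0.1.1` (a /32 host route to 0.0.0.0, which is why the ASA reported "No route to host 8.8.8.8" until the mask became 0.0.0.0), and the `route inside 10.0.0.0 255.0.0.0 10.0.11.2` summary that the reply above says to remove. The script below is an added example, not from the thread or from Cisco: it parses ASA `route` lines and a subset of the posted `sh route` output, resolves destinations by longest prefix match (then lowest AD, then metric, a simplification of the ASA's real selection), and lints static routes for exactly those two patterns. The sample routes are a constructed subset of what was posted; `10.0.2.1` is the router's Content-Engine address, which appears in the router's table but is not advertised to the ASA.

```python
import ipaddress
import re

# Constructed from the thread: the two statics of the first ASA config, the
# corrected default route, and a few representative lines of "sh route".
STATIC_BEFORE = [
    "route outside 0.0.0.0 255.255.255.255 10.0.1.1 1",  # /32 host route to 0.0.0.0, not a default
    "route inside 10.0.0.0 255.0.0.0 10.0.11.2 1",       # 10/8 summary pointing back at the switch
]
STATIC_AFTER = [
    "route outside 0.0.0.0 0.0.0.0 10.0.1.1 1",          # real default route, 10/8 removed
]
SHOW_ROUTE = """\
C    10.0.11.0 255.255.255.252 is directly connected, inside
C    10.0.1.0 255.255.255.252 is directly connected, outside
O    10.2.0.0 255.255.255.0 [110/11] via 10.0.11.2, 0:04:36, inside
O    10.62.0.0 255.255.255.0 [110/1012] via 10.0.1.1, 0:04:37, outside
O    10.100.0.1 255.255.255.255 [110/11] via 10.0.1.1, 0:04:37, outside
O    10.100.0.2 255.255.255.255 [110/11] via 10.0.11.2, 0:04:37, inside
"""

# Matches the connected (C) and OSPF (O) lines of ASA "show route" output.
SHOW_ROUTE_RE = re.compile(
    r"^(?P<code>[CO])\s+(?P<dest>\S+)\s+(?P<mask>\S+)\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\] via (?P<gw>\S+), \S+, |is directly connected, )"
    r"(?P<ifc>\S+)$"
)


def parse_static(line):
    """Parse an ASA 'route <ifc> <dest> <mask> <gateway> [metric]' line (AD 1 by default)."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "route":
        raise ValueError(f"not an ASA static route: {line!r}")
    ifc, dest, mask, gw = parts[1:5]
    metric = int(parts[5]) if len(parts) > 5 else 1
    prefix = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
    return {"code": "S", "prefix": prefix, "ifc": ifc, "gw": gw, "ad": 1, "metric": metric}


def parse_show_route(text):
    """Parse C and O lines of 'show route'; connected routes get gw None and AD 0."""
    routes = []
    for line in text.splitlines():
        m = SHOW_ROUTE_RE.match(line.strip())
        if not m:
            continue  # header lines, S/S* lines etc. are ignored here
        prefix = ipaddress.ip_network(f"{m['dest']}/{m['mask']}", strict=False)
        routes.append({
            "code": m["code"], "prefix": prefix, "ifc": m["ifc"], "gw": m["gw"],
            "ad": int(m["ad"]) if m["ad"] else 0,
            "metric": int(m["metric"]) if m["metric"] else 0,
        })
    return routes


def lookup(table, dst):
    """Longest prefix match, then lowest AD, then lowest metric. Returns (ifc, gw) or None."""
    ip = ipaddress.IPv4Address(dst)
    candidates = [r for r in table if ip in r["prefix"]]
    if not candidates:
        return None
    best = min(candidates, key=lambda r: (-r["prefix"].prefixlen, r["ad"], r["metric"]))
    return best["ifc"], best["gw"]


def lint_static(line, dynamic):
    """Flag a mis-masked default route and a broad static that encloses routes learned via other interfaces."""
    r = parse_static(line)
    p = r["prefix"]
    findings = []
    if p.network_address == ipaddress.IPv4Address("0.0.0.0") and p.prefixlen != 0:
        findings.append("destination 0.0.0.0 with a non-zero mask is not a default route; use 0.0.0.0 0.0.0.0")
    if p.prefixlen > 0:  # a real default route is meant to enclose everything, so skip it
        enclosed = [d for d in dynamic
                    if d["prefix"] != p and d["prefix"].subnet_of(p) and d["ifc"] != r["ifc"]]
        if enclosed:
            findings.append(f"{p} via {r['ifc']} encloses {len(enclosed)} prefix(es) reached via other "
                            f"interfaces; anything in {p} not learned dynamically is sent to {r['gw']}")
    return findings


DYNAMIC = parse_show_route(SHOW_ROUTE)
TABLE_BEFORE = DYNAMIC + [parse_static(s) for s in STATIC_BEFORE]
TABLE_AFTER = DYNAMIC + [parse_static(s) for s in STATIC_AFTER]

if __name__ == "__main__":
    for name, table in (("before", TABLE_BEFORE), ("after", TABLE_AFTER)):
        for dst in ("8.8.8.8", "10.0.2.1", "10.62.0.5", "10.2.0.7"):
            print(f"{name:6} {dst:10} -> {lookup(table, dst)}")
    for s in STATIC_BEFORE:
        for finding in lint_static(s, DYNAMIC):
            print("lint:", s, "->", finding)
```

With the original statics, 8.8.8.8 resolves to nothing (the same "No route to host" the ASA printed) and 10.0.2.1 is sent back inside to the switch by the 10/8 summary; with the corrected default and the summary removed, both exit via outside, while prefixes the ASA learns from OSPF, such as 10.62.0.0/24, resolve the same way in both tables because the longer prefix wins regardless.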

Hello,

Great, so OSPF is now working as expected; can you ping the router from the switch?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio,

Results as requested.

Ping router interface from switch:

SWITCH#ping 10.0.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms

I can't ping the outside ASA interface from the inside???

SWITCH#ping 10.0.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Ping SWITCH from ROUTER:

ROUTER#ping 10.0.11.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.11.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/8 ms

Once again, I can't ping the ASA inside interface from outside:

ROUTER#ping 10.0.11.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.11.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Thanks again.

Hello,

By default, as a security device, the ASA will not allow traffic to a distant interface, so this is normal.

Can you ping from a PC attached to the switch to the ASA inside interface? Also try pinging the router.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC