07-30-2016 01:57 AM - edited 03-12-2019 01:04 AM
Hi Everyone,
This is my first post here and I hope you can help me or point me in the right direction. Please be gentle, I'm a newbie.
I'm trying to configure 2 x 3560 8-port switches as my distribution layer and 1 x 2960 8-port as the access layer, with EtherChannel between all links,
and I have configured HSRP. HSRP is working fine at this point; then I wanted to add an ASA firewall, but I can only get internet connectivity if I use the gateway of the VLAN 10 I configured on the ASA box. Is it not possible to add that address to the HSRP redundant default gateway functionality,
so I would be able to use, for example, 10.1.10.1 as default gateway?
For DHSW1 I have configured HSRP like this:
vlan 10
name OFFICE
interface vlan 10
ip address 10.1.10.1 255.255.255.0
ip helper-address 10.1.50.20
standby 10 ip 10.1.10.5
standby 10 preempt
standby 10 priority 110
no shutdown
exit
!
interface FastEthernet0/2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 2-4094
switchport mode trunk
switchport nonegotiate
exit
!
and DHSW2
interface vlan 10
ip address 10.1.10.2 255.255.255.0
ip helper-address 10.1.50.20
standby 10 ip 10.1.10.5
standby 10 preempt
no shutdown
exit
!
interface FastEthernet0/2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 2-4094
switchport mode trunk
switchport nonegotiate
exit
!
and AHSW1
interface vlan 10
ip address 10.1.10.3 255.255.255.0
ip helper-address 10.1.50.20
no shutdown
exit
!
interface gi0/1
switchport access vlan 10
switchport mode access
switchport nonegotiate
spanning-tree portfast
no shutdown
!
The ASA box is configured this way.
interface Ethernet 0/0
speed 100
duplex full
nameif outside
security-level 0
ip address dhcp setroute
no shutdown
!
interface Ethernet 0/1
speed 100
duplex full
no nameif
no security-level
no ip address
no shutdown
exit
!
interface Ethernet 0/2
speed 100
duplex full
no nameif
no security-level
no ip address
no shutdown
exit
!
interface redundant 1
description Redundant LAN Interface
member-interface ethernet 0/1
member-interface ethernet 0/2
no nameif
no security-level
no ip address
no shutdown
exit
!
interface redundant 1.10
vlan 10
description VLAN10
nameif inside
security-level 100
ip address 10.1.10.4 standby 10.1.10.5
no shutdown
exit
http server enable
http 10.1.10.0 255.255.255.0 inside
object network VLAN10
subnet 10.1.10.0 255.255.255.0
nat (inside,outside) dynamic interface
Then when I use my laptop that is connected to AHSW1, I get my IP address from my DHCP server with the default gateway of 10.1.10.1, and I can access the ASA ASDM on the IP address 10.1.10.4, but internet is not working. But if I change the default gateway to 10.1.10.4, internet is working perfectly.
So I guess my question is: is this the way it is supposed to work, or am I missing some configuration somewhere?
Hope someone can help me.
Thank you.
07-30-2016 03:12 AM
Hi;
The reason you cannot access the internet is a routing issue; the rest of your configuration is OK. You need to decide whether your user gateway will be on the firewall (10.1.10.4) or on the 3560 switch (10.1.10.5 VIP) and modify the default gateway configuration on the DHCP server.
If you set the firewall as the gateway, you have already verified that the internet is accessible.
If you want to configure the switch as the gateway, then you need to divert the traffic from the switch to the firewall by configuring a default route:
ip routing
ip route 0.0.0.0 0.0.0.0 10.1.10.4
In addition, there is an IP address conflict between the switch VIP (10.1.10.5) and the firewall secondary IP (10.1.10.5). If you have only one firewall, there is no need to configure a standby IP on the firewall; if you have two firewalls, then change the standby IP to 10.1.10.6 or another address.
Thanks & Best regards;
07-30-2016 06:43 AM
Hi,
Thanks ahmedshoaib,
I did try what you suggested, but it did not work; it gives the same result. I forgot to mention that I run OSPF.
router ospf 1
network 1.1.1.1 0.0.0.0 area 0
network 10.1.10.0 0.0.0.255 area 0
network 10.1.20.0 0.0.0.255 area 0
network 10.1.30.0 0.0.0.255 area 0
network 10.1.50.0 0.0.0.255 area 0
network 10.1.99.0 0.0.0.255 area 0
Thanks
07-30-2016 07:26 PM
Hi;
As per the recommendation, your client/user gateway should be the VIP (in your case 10.1.10.5) on your distribution layer switch. The switch should have a route to reach the outside network, either via a static route or dynamic routing.
By default OSPF will exchange the routes which are advertised in OSPF; it will not advertise a default route (which is required to access the internet).
Now you have 2 options: either configure the static default route on the switch:
ip route 0.0.0.0 0.0.0.0 10.1.10.4
(OR)
Inject the default route into OSPF from the ASA firewall.
Thanks & Best regards;
07-31-2016 03:39 PM
Hi;
I'm a little puzzled about how to inject the default route for all VLANs into OSPF from the ASA firewall.
I have tried to use ip route 0.0.0.0 0.0.0.0 10.1.10.4, but then it will only allow internet access for hosts on that VLAN; all other VLANs are not allowed.
My head is twisting when it comes to routing, but I guess it will come to me in time.
I have desperately tried to add ip routes like this:
0.0.0.0 0.0.0.0 10.1.10.4
0.0.0.0 0.0.0.0 10.1.20.4
Not working at all, or only one of them.
I have tried to use this instead, just for trying:
10.1.10.0 255.255.255.0 10.1.10.4
10.1.20.0 255.255.255.0 10.1.20.4
Not working either.
Thanks
07-31-2016 03:52 PM
Hi;
Can you confirm that all the SVIs are created on the Cisco 3560 switch? If yes, then it should work; if there are other devices as well, then you can redistribute the default route into OSPF so all the other VLANs also know the route toward the firewall.
ip route 0.0.0.0 0.0.0.0 10.1.10.4
router ospf 1
redistribute static subnets
Thanks & Best regards;
08-01-2016 02:59 AM
08-01-2016 02:14 PM
Hi;
Now your network topology is clear after reviewing the configuration, and below are my recommendations:
First, remove all the SVIs from the access switch:
no int vlan 10
no int vlan 20
no int vlan 30
no int vlan 40
no int vlan 60
Second, the native VLAN doesn't require any IP address (on all the switches; if you are using VLAN 666 for some other purpose, then there is no need to remove it from the 3560).
no int vlan 666
Third, you need to decide whether you want to use the DS switches (3560) as the users' default gateway (VLAN 10 - 10.1.10.5) or whether the firewall will be the default gateway (VLAN 10 - 10.1.10.4).
Once you decide, you need to remove all the other SVIs (VLAN 10 till VLAN 50).
Example 1: if you decide the firewall will be the users' gateway (VLAN 10 - 10.1.10.4), then you need to remove all the SVIs from your DS switches (3560), and on DNS you need to modify the default gateway field to be the firewall IP address:
no int vlan 10
no int vlan 20
no int vlan 30
no int vlan 40
no int vlan 60
Example 2: if you decide the DS switches (3560) will be the users' gateway (VLAN 10 - 10.1.10.5), then you need to modify the following configuration, and you also need to create a separate VLAN between the DS switches and the firewall for back-and-forth traffic.
i.e. create a new VLAN 100 between the distribution switches and the firewall.
DS1:
vlan 100
int vlan 100
ip address 10.1.100.1 255.255.255.0
standby 100 ip 10.1.100.5
standby 100 preempt
standby 100 priority 110
no shutdown
ip route 0.0.0.0 0.0.0.0 10.1.100.4
router ospf 1
redistribute static subnets metric 10
DS2:
vlan 100
int vlan 100
ip address 10.1.100.2 255.255.255.0
standby 100 ip 10.1.100.5
standby 100 preempt
no shutdown
ip route 0.0.0.0 0.0.0.0 10.1.100.4
router ospf 1
redistribute static subnets metric 100
Firewall:
no interface redundant 2.10
no interface redundant 2.20
no interface redundant 2.30
no interface redundant 2.40
no interface redundant 2.50
no interface redundant 2.99
interface redundant 2
description LAN
nameif LAN
security-level 100
ip address 10.1.100.4 255.255.255.0
no shutdown
exit
route LAN 10.1.0.0 255.255.0.0 10.1.100.5
object network VLAN10
subnet 10.1.10.0 255.255.255.0
nat (LAN,WAN) dynamic interface
object network VLAN20
subnet 10.1.20.0 255.255.255.0
nat (LAN,WAN) dynamic interface
object network VLAN30
subnet 10.1.30.0 255.255.255.0
nat (LAN,WAN) dynamic interface
object network VLAN40
subnet 10.1.40.0 255.255.255.0
nat (LAN,WAN) dynamic interface
object network VLAN50
subnet 10.1.50.0 255.255.255.0
nat (LAN,WAN) dynamic interface
exit
Thanks & Best regards;
08-01-2016 02:14 PM
Hi,
I can't thank you enough for helping me out, but I still can't get it to work :)
After I changed the configuration to what you suggested in example 2, I get a
%ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve 10.1.100.4 Vlan100 on DS2; it appears only once on DS1, but I do not have any connectivity to the ASA firewall.
Thanks
08-01-2016 02:32 PM
Hi;
It's my mistake in the configuration:
DS1:
router ospf 1
redistribute static subnets metric 10
DS2:
router ospf 1
redistribute static subnets metric 100
Can you try it and let me know?
Thanks & Best regards;
08-01-2016 03:21 PM
Hi;
I changed to redistribute static subnets metric 10 on DS1 and 100 on DS2,
but it did not work.
Do I need to add the network of VLAN 100 to OSPF?
router ospf 1
network 10.1.100.0 0.0.0.255 area 0
Could it have something to do with the IOS version I'm running?
c3560-ipservicesk9-mz.150-2.SE9
c2960-lanbasek9-mz.150-2.SE9
asa916-K8
Or perhaps I just need to get some sleep and look at it again in the morning with fresh eyes.
08-01-2016 03:54 PM
Hi;
Yes, you need to advertise VLAN 100 in OSPF:
router ospf 1
network 10.1.100.0 0.0.0.255 area 0 (DS1 & DS2)
redistribute static subnets metric 10 (DS1)
redistribute static subnets metric 100 (DS2)
Firewall:
no route inside 10.1.0.0 255.255.0.0 10.1.100.1
route inside 10.1.0.0 255.255.0.0 10.1.100.5
Please also let me know whether you can ping the firewall IP address (10.1.100.4) from all VLANs (10, 20, 30, 40, 50).
Thanks & Best regards;
08-02-2016 05:20 AM
Hi;
I have tried what you suggested, but I still can't get any connectivity between the ASA and the switches or VLANs.
I have started from scratch and removed the access switch just to make it a bit simpler.
I'm not able to ping 10.1.100.5 or 10.1.100.1 from the ASA, and I'm not able to ping 10.1.100.4 from any DLSW.
I'm able to ping 10.1.100.1, 10.1.100.2 and 10.1.100.5 from any DLSW.
Thank You
08-02-2016 05:48 AM
Hi;
The reason why you can't ping 10.1.100.5 from the firewall and 10.1.100.4 from the DLSW is that you still have the trunk configuration on the DLSW switches. You need to remove the trunk configuration and make it an access port in VLAN 100 (on both DLSW switches):
default interface FastEthernet0/2
interface FastEthernet0/2
description DLSW TO FWH1
switchport mode access
switchport access vlan 100
speed 100
duplex full
no shut
The firewall and the DLSW switches on VLAN 100 should ping each other. Please configure and verify. Hopefully this will fix your problem.
Thanks & Best regards;
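The two mistakes this thread turned up are both easy to spot mechanically: the same address claimed by two owners (the HSRP VIP 10.1.10.5 reused as the ASA standby address), and a distribution-switch port left as a trunk while the firewall side expects untagged frames on VLAN 100. The following script is an added example, not code from any post or from Cisco; it parses constructed, cut-down IOS and ASA snippets built from the thread's own addresses, reports duplicate addresses, flags a static default route whose next hop lies in no connected SVI subnet, and checks that the switch port facing the ASA matches the tagging of the ASA interface. The parsing covers only the handful of command forms shown in the thread, and the device names (ds1, ds2) and function names are the example's own.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample inputs, reduced to the lines that matter, using the thread's addresses.
DS1_ORIG = """\
interface vlan 10
 ip address 10.1.10.1 255.255.255.0
 standby 10 ip 10.1.10.5
interface FastEthernet0/2
 switchport mode trunk
"""
DS2_ORIG = DS1_ORIG.replace("10.1.10.1 ", "10.1.10.2 ")
ASA_ORIG = """\
interface redundant 1.10
 vlan 10
 nameif inside
 ip address 10.1.10.4 standby 10.1.10.5
"""
DS1_NEW = """\
interface vlan 10
 ip address 10.1.10.1 255.255.255.0
 standby 10 ip 10.1.10.5
interface vlan 100
 ip address 10.1.100.1 255.255.255.0
 standby 100 ip 10.1.100.5
interface FastEthernet0/2
 switchport mode trunk
ip route 0.0.0.0 0.0.0.0 10.1.100.4
"""
# Same design with the firewall-facing port corrected to an access port in VLAN 100.
DS1_FIXED = DS1_NEW.replace(" switchport mode trunk",
                            " switchport mode access\n switchport access vlan 100")
ASA_NEW = """\
interface redundant 2
 nameif LAN
 ip address 10.1.100.4 255.255.255.0
"""


def parse_ios(text):
    """Pull SVI addresses, HSRP VIPs, static default routes and port modes out of IOS text."""
    cfg = {"svi": [], "vip": [], "routes": [], "ports": {}}
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (.+)", line):
            cur = m[1].replace(" ", "").lower()          # "interface vlan 10" -> "vlan10"
            cfg["ports"].setdefault(cur, {})
        elif m := re.match(r"ip address (\S+) (\S+)", line):
            cfg["svi"].append((cur, ipaddress.ip_interface(f"{m[1]}/{m[2]}")))
        elif m := re.match(r"standby (\d+) ip (\S+)", line):
            cfg["vip"].append((int(m[1]), m[2]))
        elif m := re.match(r"switchport mode (\S+)", line):
            cfg["ports"][cur]["mode"] = m[1]
        elif m := re.match(r"switchport access vlan (\d+)", line):
            cfg["ports"][cur]["access_vlan"] = int(m[1])
        elif m := re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line):
            cfg["routes"].append(m[1])
    return cfg


def parse_asa(text):
    """Return ASA interfaces as {name, tagged, ips}; a dotted name is a dot1q subinterface."""
    ifs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (.+)", line):
            cur = {"name": m[1], "tagged": "." in m[1], "ips": []}
            ifs.append(cur)
        elif m := re.match(r"ip address (\d[\d.]+)(?: \d[\d.]+)?(?: standby (\S+))?", line):
            cur["ips"].append(m[1])          # active address (mask, if present, is skipped)
            if m[2]:
                cur["ips"].append(m[2])      # standby address also lives on the segment
    return ifs


def duplicate_addresses(ios_cfgs, asa_ifs):
    """Map every IP claimed by more than one distinct owner to its owners.
    An HSRP VIP shared by both distribution switches counts as a single owner."""
    owners = defaultdict(set)
    for dev, cfg in ios_cfgs.items():
        for ifname, ip in cfg["svi"]:
            owners[str(ip.ip)].add(f"{dev} {ifname}")
        for group, vip in cfg["vip"]:
            owners[vip].add(f"hsrp group {group} vip")
    for i in asa_ifs:
        for ip in i["ips"]:
            owners[ip].add(f"asa {i['name']}")
    return {ip: sorted(o) for ip, o in owners.items() if len(o) > 1}


def unreachable_next_hops(cfg):
    """Default-route next hops in no connected SVI subnet: the switch cannot ARP for them."""
    nets = [ip.network for _, ip in cfg["svi"]]
    return [nh for nh in cfg["routes"] if not any(ipaddress.ip_address(nh) in n for n in nets)]


def firewall_link_mismatch(cfg, port, asa_if):
    """A trunk must face a tagged ASA subinterface; an access port must face an untagged one."""
    mode = cfg["ports"].get(port, {}).get("mode")
    if mode == "trunk" and not asa_if["tagged"]:
        return f"{port} is a trunk but ASA {asa_if['name']} expects untagged frames"
    if mode == "access" and asa_if["tagged"]:
        return f"{port} is an access port but ASA {asa_if['name']} expects VLAN-tagged frames"
    return None


if __name__ == "__main__":
    orig = {"ds1": parse_ios(DS1_ORIG), "ds2": parse_ios(DS2_ORIG)}
    print("duplicates:", duplicate_addresses(orig, parse_asa(ASA_ORIG)))
    asa_lan = parse_asa(ASA_NEW)[0]
    print("before fix:", firewall_link_mismatch(parse_ios(DS1_NEW), "fastethernet0/2", asa_lan))
    print("after fix: ", firewall_link_mismatch(parse_ios(DS1_FIXED), "fastethernet0/2", asa_lan))
```

Run against the original configs it reports 10.1.10.5 as owned by both HSRP group 10 and the ASA `redundant 1.10` interface; against the VLAN 100 design it reports the trunk mismatch until the port is made an access port, after which all three checks come back clean. The next-hop check is general: it also catches a default route pointed at an address on a VLAN the switch has no SVI for, which a trunk/access mismatch would not explain.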
08-02-2016 06:41 AM
Hi;
Thank you so much for all of your help; I can't thank you enough.
Everything is working, and I must say I have learned a lot from this. I have been too focused on the issue everywhere else than the link between the ASA and the DLSW. Yes, of course it has to be an access port; I feel a bit stupid at the moment that I did not see that myself :)
Thanks again,
Would it be possible to route the internet over an MPLS connection to a second site?