07-27-2010 08:09 AM - edited 03-11-2019 11:16 AM
Hi there,
I am a complete novice at networking, but I was tasked with having an ASA 5520 do inter-VLAN routing (since my shop doesn't have a layer 3 router).
As a basic setup, I am trying to have three workstations on three different VLANs communicate with each other. The attached screenshot shows the topology.
I am unable to ping from a PC to the ASA... therefore I can't ping to other VLANs. Any assistance would be greatly appreciated.
ROUTER CONFIG:
ciscoasa#
ciscoasa# show run
: Saved
:
ASA Version 8.3(1)
!
hostname ciscoasa
domain-name null
enable password ###### encrypted
passwd ###### encrypted
names
dns-guard
!
interface GigabitEthernet0/0
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
no nameif
security-level 100
ip address 10.10.1.1 255.255.255.0
!
interface GigabitEthernet0/1.10
vlan 10
nameif vlan10
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
vlan 20
nameif vlan20
security-level 100
ip address 10.10.20.1 255.255.255.0
!
interface GigabitEthernet0/1.30
vlan 30
nameif vlan30
security-level 100
ip address 10.10.30.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa831-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name null
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list global_access extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu vlan10 1500
mtu vlan20 1500
mtu vlan30 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
access-group global_access global
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.5 inside
dhcpd enable inside
!
dhcpd address 10.10.10.101-10.10.10.253 vlan10
dhcpd enable vlan10
!
dhcpd address 10.10.20.101-10.10.20.253 vlan20
dhcpd enable vlan20
!
dhcpd address 10.10.30.101-10.10.30.253 vlan30
dhcpd enable vlan30
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4ad1bba72f1f51b2a47e8cacb9d3606a
: end
SWITCH CONFIG
Switch#show run
Building configuration...
Current configuration : 2543 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
no spanning-tree vlan 1
!
vlan internal allocation policy ascending
!
!
!
interface GigabitEthernet0/1
description Port Configured As Trunk
switchport trunk allowed vlan 1,10,20,30,1002-1005
switchport mode trunk
!
interface GigabitEthernet0/2
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet0/3
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet0/4
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet0/5
!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
!
interface GigabitEthernet0/13
!
interface GigabitEthernet0/14
!
interface GigabitEthernet0/15
!
interface GigabitEthernet0/16
!
interface GigabitEthernet0/17
!
interface GigabitEthernet0/18
!
interface GigabitEthernet0/19
!
interface GigabitEthernet0/20
!
interface GigabitEthernet0/21
!
interface GigabitEthernet0/22
!
interface GigabitEthernet0/23
!
interface GigabitEthernet0/24
!
interface GigabitEthernet0/25
!
interface GigabitEthernet0/26
!
interface GigabitEthernet0/27
!
interface GigabitEthernet0/28
!
interface GigabitEthernet0/29
!
interface GigabitEthernet0/30
!
interface GigabitEthernet0/31
!
interface GigabitEthernet0/32
!
interface GigabitEthernet0/33
!
interface GigabitEthernet0/34
!
interface GigabitEthernet0/35
!
interface GigabitEthernet0/36
!
interface GigabitEthernet0/37
!
interface GigabitEthernet0/38
!
interface GigabitEthernet0/39
!
interface GigabitEthernet0/40
!
interface GigabitEthernet0/41
!
interface GigabitEthernet0/42
!
interface GigabitEthernet0/43
!
interface GigabitEthernet0/44
!
interface GigabitEthernet0/45
!
interface GigabitEthernet0/46
!
interface GigabitEthernet0/47
!
interface GigabitEthernet0/48
!
interface Vlan1
ip address 10.10.1.2 255.255.255.0
no ip route-cache
!
interface Vlan10
no ip address
no ip route-cache
!
interface Vlan20
no ip address
no ip route-cache
!
interface Vlan30
no ip address
no ip route-cache
!
ip default-gateway 10.10.1.1
ip http server
ip http secure-server
!
control-plane
!
!
line con 0
line vty 5 15
!
end
07-27-2010 11:23 AM
ICMPs are definitely being received, so it looks like the firewall is sending them through okay.
We see that the PC doing wireshark never responds.
Usually this indicates a firewall on the client, or other client related issue.
07-27-2010 12:05 PM
August,
Firewalls are disabled on both hosts. It seems to me that the destination host does not know where to send the reply packet to.
I found this in the log.
6 | Jul 27 2010 | 18:31:56 | 110002 | 10.10.10.101 | 1919 | Failed to locate egress interface for UDP from vlan10:10.10.10.101/1919 to 10.12.5.64/8906 |
But research on the error didn't lead me to anything specific...
Any clue?
-Drew
07-27-2010 12:15 PM
That seems to be unrelated to the traffic that we are interested in.
What happens when you try the ping the other way? And this time, let's get some more specific captures.
access-list capture permit icmp host 10.10.20.101 host 10.10.10.101
access-list capture permit icmp host 10.10.10.101 host 10.10.20.101
no cap cap10
no cap cap20
cap cap10 access-list capture interface vlan10
cap cap20 access-list capture interface vlan20
And try the wireshark again on that PC. And try to ping the other way.
07-27-2010 12:39 PM
note: IP of vlan10 host was 10.10.10.103 for this exercise...
See attachment for wireshark screen capture and see below for captures...
ciscoasa(config)# show cap cap10
4 packets captured
1: 19:32:54.264085 802.1Q vlan#10 P0 10.10.20.101 > 10.10.10.103: icmp: echo request
2: 19:32:59.482381 802.1Q vlan#10 P0 10.10.20.101 > 10.10.10.103: icmp: echo request
3: 19:33:04.490407 802.1Q vlan#10 P0 10.10.20.101 > 10.10.10.103: icmp: echo request
4: 19:33:09.498249 802.1Q vlan#10 P0 10.10.20.101 > 10.10.10.103: icmp: echo request
4 packets shown
ciscoasa(config)# show cap cap20
4 packets captured
1: 19:32:54.263963 802.1Q vlan#20 P0 10.10.20.101 > 10.10.10.103: icmp: echo request
2: 19:32:59.482274 802.1Q vlan#20 P0 10.10.20.101 > 10.10.10.103: icmp: echo request
3: 19:33:04.490285 802.1Q vlan#20 P0 10.10.20.101 > 10.10.10.103: icmp: echo request
4: 19:33:09.498127 802.1Q vlan#20 P0 10.10.20.101 > 10.10.10.103: icmp: echo request
4 packets shown
ciscoasa(config)#
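The capture method suggested earlier in the thread (the capture ACL plus the cap10/cap20 captures) and the way this post's output is read can be automated. The script below is an added example, not code from the thread or from Cisco: it parses "show cap" lines in the format shown above, counts ICMP echo requests and replies in each direction on the source-side and destination-side interface captures, and returns the verdict the troubleshooting reached (request forwarded by the ASA on both interfaces, no reply from the destination host). The capture text in it is constructed from the format of the output above, with a second, healthy case added for contrast.

```python
import re

# Constructed sample in the format of the ASA "show cap" output quoted in the thread
# (the thread's own captures held four echo requests on each interface and no replies).
CAP20 = """2 packets captured
1: 19:32:54.263963 802.1Q vlan#20 P0 10.10.20.101 > 10.10.10.103: icmp: echo request
2: 19:32:59.482274 802.1Q vlan#20 P0 10.10.20.101 > 10.10.10.103: icmp: echo request
2 packets shown"""
CAP10 = """2 packets captured
1: 19:32:54.264085 802.1Q vlan#10 P0 10.10.20.101 > 10.10.10.103: icmp: echo request
2: 19:32:59.482381 802.1Q vlan#10 P0 10.10.20.101 > 10.10.10.103: icmp: echo request
2 packets shown"""
# Constructed healthy case: the vlan10 host answers and the reply is seen again on vlan20.
CAP10_OK = CAP10 + "\n3: 19:32:54.264500 802.1Q vlan#10 P0 10.10.10.103 > 10.10.20.101: icmp: echo reply"
CAP20_OK = CAP20 + "\n3: 19:32:54.264600 802.1Q vlan#20 P0 10.10.10.103 > 10.10.20.101: icmp: echo reply"

# One packet line: "<n>: <time> [802.1Q vlan#<id> P<prio>] <src> > <dst>: icmp: echo request|reply"
LINE_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?:802\.1Q vlan#\d+ P\d+\s+)?"
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): icmp: echo (?P<kind>request|reply)\b"
)

def parse_capture(text):
    """Return (src, dst, kind) for every ICMP echo line in 'show cap <name>' output."""
    return [m.group("src", "dst", "kind")
            for m in (LINE_RE.match(ln) for ln in text.splitlines()) if m]

def count(pkts, src, dst, kind):
    return sum(1 for p in pkts if p == (src, dst, kind))

def diagnose(ingress_cap, egress_cap, src, dst):
    """Classify a src->dst ping from the capture on the ASA interface facing the
    source (ingress) and the capture on the interface facing the destination (egress)."""
    ing, egr = parse_capture(ingress_cap), parse_capture(egress_cap)
    if count(ing, src, dst, "request") == 0:
        return "request never reached ASA: check source host, access port and trunk"
    if count(egr, src, dst, "request") == 0:
        return "ASA dropped request: check ACL, same-security-traffic, routing"
    if count(egr, dst, src, "reply") == 0:
        return "forwarded but no reply: destination host (firewall, mask, gateway)"
    if count(ing, dst, src, "reply") == 0:
        return "reply dropped by ASA on the way back"
    return "ping works end to end"

if __name__ == "__main__":
    print(diagnose(CAP20, CAP10, "10.10.20.101", "10.10.10.103"))
    print(diagnose(CAP20_OK, CAP10_OK, "10.10.20.101", "10.10.10.103"))
```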
07-27-2010 12:50 PM
I think the 2960 can have multiple active SVIs; if so, can you put an IP address on vlan 20?
interface Vlan20
ip address 10.10.20.X
And then change the default gateway like so?
ip default-gateway 10.10.20.1
From there, can you try pinging using the switch's IP address instead of the host 10.10.20.101?
Warning*** Changing your default gateway may cause issues with management if you are not directly connected.
07-28-2010 05:17 AM
No change...so I configured it back to how it was.
07-28-2010 05:39 AM
Sorry - been dealing with some urgent issues.
I see from your packet captures ICMP echo requests, but no replies. Can you confirm the PCs have the correct DHCP mask & default gateway?
Post the output of "ipconfig /all" from the workstations.
07-28-2010 05:45 AM
No worries...
I'll just type the info as opposed to uploading screenshots.
IP: 10.10.20.101
Subnet Mask: 255.255.255.0
Default Gateway: 10.10.20.1
DHCP Server: 10.10.20.1
IP: 10.10.10.101
Subnet Mask: 255.255.255.0
Default Gateway: 10.10.10.1
DHCP Server: 10.10.10.1
07-28-2010 05:50 AM
OK - what is the output of "route print" from the machines?
07-28-2010 05:56 AM
07-28-2010 06:00 AM
OK - the basics look OK. Can you perform the same ping test again between 10.10.10.104 & 10.10.20.101 and capture with wireshark on both machines?
07-28-2010 06:11 AM
07-28-2010 06:24 AM
Machine 10.10.20.101 has an issue; it is not replying to the ICMP request - check this machine for a firewall.
07-28-2010 06:33 AM
That is indeed correct. The machine had a firewall running, and upon disabling, replies were successfully sent back to host 10.10.10.104.
It would appear that things are working now.
Thanks so much for your help.
Drew
07-28-2010 06:43 AM
np - glad to help.