InterVlan Routing and an ASA5520

GattsuTaicho (Level 1)

Hey Guys,

I'm having problems getting something to work. First off, let me give you the topology and the configs:

Config R1

Vlan Database:

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa1/1, Fa1/2, Fa1/3, Fa1/4
                                                Fa1/5, Fa1/6, Fa1/7, Fa1/8
                                                Fa1/9, Fa1/10
10   SERVER                           active    Fa1/14
30   CLIENTS                          active    Fa1/13
100  Inside                           active
101  LIFESIZE                         active    Fa1/12
250  Mgmt                             active    Fa1/11
1000 Outside                          active    Fa1/15
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active

Trunks:

Port      Mode         Encapsulation  Status        Native vlan
Fa1/0     on           802.1q         trunking      1

Port      Vlans allowed on trunk
Fa1/0     1-1005

Port      Vlans allowed and active in management domain
Fa1/0     1,10,30,100-101,250,1000

Port      Vlans in spanning tree forwarding state and not pruned
Fa1/0     1,10,30,100-101,250,1000

Running Config:

interface FastEthernet1/0
 switchport mode trunk
!
interface FastEthernet1/11
 switchport access vlan 250
 duplex full
 speed 100
 spanning-tree portfast
!
interface FastEthernet1/12
 switchport access vlan 101
 duplex full
 speed 100
 spanning-tree portfast
!
interface FastEthernet1/13
 switchport access vlan 30
 duplex full
 speed 100
 spanning-tree portfast
!
interface FastEthernet1/14
 switchport access vlan 10
 duplex full
 speed 100
 spanning-tree portfast
!
interface FastEthernet1/15
 switchport access vlan 1000
!
interface Vlan1
 no ip address
!
interface Vlan10
 description SERVER
 no ip address
!
interface Vlan20
 description DRUCKER
 ip address 10.11.20.254 255.255.255.0
!
interface Vlan30
 description CLIENTS
 ip address 10.11.30.254 255.255.255.0
!
interface Vlan101
 description LifeSize
 no ip address
!
interface Vlan250
 description Management
 ip address 10.11.250.254 255.255.255.0
!
ip default-gateway 10.11.250.251
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.11.250.251
ip route 10.0.0.0 255.0.0.0 10.11.250.251


Config ASA:

ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif Outside
 security-level 0
 ip address 186.89.54.20 255.255.255.248
!
interface GigabitEthernet1
 description Trunk to SW
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1.10
 vlan 10
 nameif Server
 security-level 100
 ip address 10.11.10.251 255.255.255.0
!
interface GigabitEthernet1.30
 vlan 30
 nameif Clients
 security-level 100
 ip address 10.11.30.251 255.255.255.0
!
interface GigabitEthernet1.101
 vlan 101
 nameif DMZ
 security-level 50
 ip address 10.11.101.251 255.255.255.0
!
interface GigabitEthernet1.250
 vlan 250
 nameif Mgmt
 security-level 100
 ip address 10.11.250.251 255.255.255.0
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 nameif Martin
 security-level 100
 ip address 10.11.15.254 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list global_access extended permit ip any any
access-list Clients_access_in extended deny ip any 10.11.101.0 255.255.255.0 inactive
access-list Clients_access_in extended permit ip any 10.11.10.0 255.255.255.0 inactive
access-list Server_access_in extended permit ip any any
access-list Server_access_in extended deny ip 10.11.250.0 255.255.255.0 10.11.250.0 255.255.255.0 inactive
access-list Mgmt_access_in extended deny icmp any 10.11.10.0 255.255.255.0 inactive
access-list Mgmt_access_in extended permit ip any any inactive
pager lines 24
logging enable
logging buffered debugging
mtu Outside 1500
mtu Server 1500
mtu Clients 1500
mtu DMZ 1500
mtu Mgmt 1500
mtu Martin 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-702.bin
no asdm history enable
arp timeout 14400
access-group Server_access_in in interface Server
access-group Clients_access_in in interface Clients
access-group Mgmt_access_in in interface Mgmt
access-group global_access global
route Mgmt 10.11.0.0 255.255.0.0 10.11.250.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.0.0.0 255.0.0.0 Martin
http 10.11.250.0 255.255.255.0 Mgmt
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
management-access Mgmt
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global-policy
 class global-class
  inspect dns
  inspect ftp
  inspect http
  inspect icmp
  inspect icmp error
  inspect rtsp
  inspect sip
  inspect snmp
  inspect tftp
!
service-policy global-policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:e5a96d671ff3b5453c8f1de5c39f1f63
: end



Problem:

What I'm planning is an inter-VLAN routed network where the routing is done by the switch and only certain networks are protected by the ASA.

  • The networks that should not be protected will have the GW of the L3 SVI
  • The protected hosts will have the GW of the ASA and send their traffic there first
  • The ASA has a trunk to the switch receiving all L2 VLANs from there (E1)
  • The ASA has an interface called Mgmt to which it can send all the traffic back (asymmetric routing problem?)
  • The Inside (called Mgmt, sorry for the confusion) has a default route pointing to the switch R1:
    Mgmt 10.11.0.0 255.255.0.0 10.11.250.254
  • I'm stuck with the basics

What won't work:

  • From R1 I can ping the Mgmt and Client networks but not Server and DMZ
  • Pinging from R1 (10.11.250.254) to the ASA Server interface (10.11.10.251) gives me this teardown, but I have a global permit any any?

    %ASA-6-302021: Teardown ICMP connection for faddr 10.11.250.254/20 gaddr 10.11.10.251/0 laddr 10.11.10.251/0
    %ASA-7-609002: Teardown local-host Mgmt:10.11.250.254 duration 0:00:03
    %ASA-7-609002: Teardown local-host identity:10.11.10.251 duration 0:00:03

  • R2 (Server host) has the ASA as gateway for its interface and it can ping it. But when I'm trying to ping another interface on the ASA that I can ping from R1, it's like it is not even reaching the ASA. I can see no traffic at all.

Can somebody tell me what I'm doing wrong and why? I'm kinda getting a little bit frustrated, since I've been working on this for quite some time but I fail to get it working properly.

Cheers

6 Replies

jumora (Level 7)

Easy: remove the IP addresses from the VLANs at the switch level that do need to route through the ASA; if the switch has the IP address, it will route to the servers through the switch.

Value our effort and rate the assistance!


I'm sorry, very sorry, I'm responding so late; I've been very busy lately.

This forum doesn't show the topology diagram I posted, so let me try that again first:

http://s14.directupload.net/images/131122/8zx2cz74.png

Now, as you can see, R2 has the GW of the ASA, which is 10.11.10.251/24. R1 is the L3 switch and doesn't have an interface IP for the Server and DMZ, but a default-gateway and default-network pointing to 10.11.250.251/24, which is the Mgmt interface of the ASA. Additionally, it has a trunk port to the ASA to pass all L2 VLANs.

  • The ASA can ping all L3 VLANs of the switch R1, e.g. 10.11.30.254/24 and the host 10.11.30.5/24
  • The L3 switch can only ping the Mgmt interface, to which it is directly connected and in the same network 10.11.250.0/24, but not all the other interfaces
  • Pinging from 10.11.250.254/24 (L3 interface of R1) to 10.11.10.251/24 (Server interface of the ASA) gives me this logging output:

    %ASA-6-302021: Teardown ICMP connection for faddr 10.11.250.254/3 gaddr 10.11.10.251/0 laddr 10.11.10.251/0
    %ASA-7-609002: Teardown local-host Mgmt:10.11.250.254 duration 0:00:05
    %ASA-7-609002: Teardown local-host identity:10.11.10.251 duration 0:00:05

And that is the major problem for me right now. I don't know what I'm doing wrong.

Thx

Solved it!

I did everything right. The problem was, I was trying to ping an interface that was too far to reach, and that is actually a security feature of the ASA existing since the PIX era.

Example:

  • From R1, which is directly connected through the Mgmt interface 10.11.250.0/254, I was able to ping the ASA because it is on the same network. But reaching a "too far" interface like 10.11.10.251/24, which is also on the ASA but not "directly connected" or directly adjacent, won't work by design.
  • Beginner mistake

But thank you for looking into my problem! Appreciate that.
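The rule the accepted solution describes, that the ASA answers a ping to one of its own interface addresses only when the packet enters on that same interface, as an added Python model that is not part of this thread and not Cisco code. It takes the interface addresses and the single static route from the ASA config posted above, works out which ASA interface a given source address would arrive on by longest-prefix match, and classifies a ping to an interface address as allowed or dropped as a "far interface". It also pulls faddr/laddr out of the %ASA-6-302021 line quoted in the question and classifies that ping the same way. The helper names (ingress_interface, self_ping_verdict, explain_teardown), the host 10.11.10.5 and the reverse-path lookup are assumptions of this example; the real ASA forwarding path (ACLs, inspection, NAT) is not modelled, only the far-interface rule.

```python
"""Model of the ASA behaviour described in the accepted solution: the ASA
answers a ping to one of its own interface addresses only when the packet
enters on that same interface.  Added example, not Cisco code.  Interface
addresses and the static route are copied from the ASA config in the
thread; everything else is a simplifying assumption.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AsaInterface:
    nameif: str
    address: ipaddress.IPv4Interface  # address with prefix, e.g. 10.11.250.251/24


# "nameif X" / "ip address A M" pairs from the posted ASA config.
ASA_INTERFACES = [
    AsaInterface("Outside", ipaddress.IPv4Interface("186.89.54.20/29")),
    AsaInterface("Server", ipaddress.IPv4Interface("10.11.10.251/24")),
    AsaInterface("Clients", ipaddress.IPv4Interface("10.11.30.251/24")),
    AsaInterface("DMZ", ipaddress.IPv4Interface("10.11.101.251/24")),
    AsaInterface("Mgmt", ipaddress.IPv4Interface("10.11.250.251/24")),
    AsaInterface("Martin", ipaddress.IPv4Interface("10.11.15.254/24")),
]

# "route Mgmt 10.11.0.0 255.255.0.0 10.11.250.254 1" from the posted config.
ASA_STATIC_ROUTES = [("Mgmt", ipaddress.IPv4Network("10.11.0.0/16"))]


def ingress_interface(src_ip: str) -> Optional[str]:
    """nameif on which the ASA expects traffic from src_ip to arrive.

    Simplification: longest-prefix match over the connected networks plus
    the static routes, i.e. the interface the ASA would use to reach src_ip.
    """
    src = ipaddress.IPv4Address(src_ip)
    candidates = [(i.address.network, i.nameif) for i in ASA_INTERFACES]
    candidates += [(net, name) for name, net in ASA_STATIC_ROUTES]
    matches = [(net.prefixlen, name) for net, name in candidates if src in net]
    if not matches:
        return None
    return max(matches)[1]


def self_ping_verdict(src_ip: str, dst_ip: str) -> str:
    """Classify an ICMP echo from src_ip to the ASA's own address dst_ip."""
    dst = ipaddress.IPv4Address(dst_ip)
    target = next((i for i in ASA_INTERFACES if i.address.ip == dst), None)
    if target is None:
        return "not-asa-address"
    arrives_on = ingress_interface(src_ip)
    if arrives_on is None:
        return "no-route-to-source"
    if arrives_on == target.nameif:
        return f"allowed: {dst_ip} belongs to {arrives_on}, which is also the ingress interface"
    return (f"dropped: {dst_ip} belongs to {target.nameif} but the packet "
            f"enters on {arrives_on} (far interface)")


# Shape of the %ASA-6-302021 teardown line quoted in the thread.
TEARDOWN_RE = re.compile(
    r"%ASA-6-302021: Teardown ICMP connection for "
    r"faddr ([\d.]+)/\d+ gaddr ([\d.]+)/\d+ laddr ([\d.]+)/\d+"
)


def explain_teardown(log_line: str) -> Optional[str]:
    """Pull faddr/laddr out of a 302021 line and classify that ping."""
    m = TEARDOWN_RE.search(log_line)
    if not m:
        return None
    faddr, _gaddr, laddr = m.groups()
    return self_ping_verdict(faddr, laddr)


if __name__ == "__main__":
    # Log line copied from the original post.
    line = ("%ASA-6-302021: Teardown ICMP connection for faddr 10.11.250.254/20 "
            "gaddr 10.11.10.251/0 laddr 10.11.10.251/0")
    print(explain_teardown(line))
    print(self_ping_verdict("10.11.250.254", "10.11.250.251"))
    # 10.11.10.5 is a constructed host on the Server VLAN (R2's side).
    print(self_ping_verdict("10.11.10.5", "10.11.10.251"))
```

Two things the model makes visible: R1's 10.11.250.254 resolves to Mgmt, so pinging the Mgmt address succeeds while the Server address 10.11.10.251 is a far interface, which is exactly the pair of results reported in the thread; and a host on a VLAN that only exists on the switch (10.11.20.0/24, reached through the 10.11.0.0/16 static route) also resolves to Mgmt, so from there too only the Mgmt address is reachable.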

Great job!!!!!!

Value our effort and rate the assistance!
