Outside Vlan & inside Vlan ASA5510

j_j624001
Level 1

Having a few problems with my outside VLAN 5 and inside VLAN 10. My outside VLAN addresses are all pingable, but when I try to ping my inside VLAN 10 gateway from the switch, it is unreachable. I have two routes set up on the ASA 5510 firewall: one default route for my outside network, 0.0.0.0 0.0.0.0 Outside, and another, 10.0.0.0 255.0.0.0 Outside, to allow my internal VLANs to reach the outside network. I don't know what else could be blocking ping access to my internal gateway; all of my ACLs are allowing traffic. Does anyone else have this problem where your outside network is pingable but your internal gateway is not? Could it be a switch port on the switch, or could it be the router?

Please, if anyone has some suggestions, feel free.

Thanks

2 Accepted Solutions

In routed mode:

  1. All VLANs, including DHCP, are done on the switch. The switch will be the default gateway.
  2. Create an interconnection subnet between switch and firewall (could be an existing VLAN, for example VLAN 10).
  3. Default route on the switch to the firewall.
  4. Create an interconnection subnet between firewall and router.
  5. Default route on the firewall to the router.
  6. NAT on the router.

These are the high-level steps.

If you want to filter inter-VLAN communications, you can remove the first 2 steps and replace them with this:

  1. All VLANs layer 2 on the switch.
  2. Default gateways are subinterfaces on the firewall. The firewall should also act as DHCP server (even if I don't recommend that). If you have a DHCP server, the firewall can be configured as DHCP relay.

Hope that's clear.

thanks

PS: Please don't forget to rate and mark as correct answer if this solved your issue


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question


Hi

On your switch the default route should be: ip route 0.0.0.0 0.0.0.0 10.10.0.1 instead of 10.10.0.0

On your router, your ACL should be more restrictive, like access-list 50 permit ip 10.10.0.0 255.255.255.0

When you run a ping from the switch to 8.8.8.8, do you see some traffic on the firewall, and do you see NAT on the router?

thanks


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question


37 Replies

Francesco Molino
VIP Alumni

Hi 

I would be happy to help however I'll need your asa config and switch config.  Please attach a little drawing to indicate which switch port is inside.

Your issue could be asa (sub-interfaces, Same-security-traffic,..) or switch (trunk, access) configuration or acl as well. 

Thanks 

PS: Please don't forget to rate and mark as correct answer if this solved your issue 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hello;

Thanks for the response; I've been struggling too long on this lol. Here is the config you requested; excuse the drawing, I tried my best lol.

ASA Config

Result of the command: "show ru"

: Saved
:
ASA Version 8.2(3)
!
hostname JFW
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.10.0.1 Inside
name 10.85.85.1 Outside
!
interface Ethernet0/0
 nameif Outside_Network
 security-level 0
 ip address 10.85.85.2 255.255.255.0
!
interface Ethernet0/1
 nameif Inside_Network
 security-level 100
 ip address 10.10.0.2 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif TEST
 security-level 100
 ip address dhcp
!
banner login 1
banner login WELCOME TO THE DEAD ZONE !!!!
banner login WELCOME TO J-WALL !!!
banner motd LEARN HOW TO BLOCK OUTSIDE TRAFFIC !!!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Inside_Network
dns server-group DefaultDNS
 name-server 10.10.15.4
 name-server 10.10.15.5
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
object-group network DM_INLINE_NETWORK_1
 network-object 10.10.0.0 255.255.255.0
 network-object host Outside
object-group network DM_INLINE_NETWORK_2
 network-object host Inside
 network-object 0.0.0.0 0.0.0.0
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
access-list Outside_Network_access_in extended permit object-group DM_INLINE_PROTOCOL_1 host Outside object-group DM_INLINE_NETWORK_2 log debugging
access-list Inside_Network_access_in extended permit object-group DM_INLINE_PROTOCOL_2 host Inside object-group DM_INLINE_NETWORK_1 log debugging
access-list TEST_access_in extended permit object-group DM_INLINE_PROTOCOL_3 any any
pager lines 24
logging enable
logging timestamp
logging emblem
logging asdm-buffer-size 512
logging console debugging
logging monitor debugging
logging buffered debugging
logging trap debugging
logging asdm debugging
logging debug-trace
mtu Outside_Network 1500
mtu Inside_Network 1500
mtu TEST 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group Outside_Network_access_in in interface Outside_Network
access-group Inside_Network_access_in in interface Inside_Network
access-group TEST_access_in in interface TEST
route Outside_Network 0.0.0.0 0.0.0.0 Outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 TEST
http 10.10.0.0 255.255.255.0 Inside_Network
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetinbound interface TEST
no service resetoutbound interface Outside_Network
no service resetoutbound interface Inside_Network
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh scopy enable
ssh 10.10.0.0 255.255.255.0 Inside_Network
ssh timeout 30
console timeout 0
dhcpd address 10.10.0.85-10.10.0.100 Inside_Network
dhcpd dns 10.10.15.4 10.10.15.5 interface Inside_Network
dhcpd option 3 ip Inside interface Inside_Network
dhcpd option 6 ip 10.10.15.4 10.10.15.5 interface Inside_Network
dhcpd enable Inside_Network
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username JEJ password cX0yeH.p3WpM25f0 encrypted privilege 15
!
class-map type inspect http match-all asdm_high_security_methods
 match not request method get
 match not request method head
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  id-randomization
  id-mismatch action log
  tsig enforced action log
policy-map type inspect ftp FTP
 parameters
  mask-banner
  mask-syst-reply
policy-map type inspect netbios NETBIOS
 parameters
  protocol-violation action drop log
policy-map type inspect ip-options Options
 parameters
  eool action clear
  nop action clear
  router-alert action clear
policy-map type inspect http HTTP
 parameters
  protocol-violation action drop-connection log
 class asdm_high_security_methods
  drop-connection
 match request header non-ascii
  drop-connection
!
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:6e49ea09880a8584795ecc8bccb8cc85
: end

Here is my switch config

SW#s
Building configuration...

Current configuration : 5624 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname SW
!
!
no aaa new-model
clock timezone EST 4 1
switch 1 provision ws-c3750e-24td
system mtu routing 1500
ip subnet-zero
ip icmp redirect host
no ip domain-lookup
ip domain-name IN_Switch.com
ip name-server 10.10.15.4
ip name-server 10.10.15.5
!
ip port-map dns port 53
ip port-map smtp port 161
ip port-map pop2 port 109
ip port-map pop3 port 110
ip port-map nntp port 119
ip port-map ldap port 389
ip port-map imap port 143
ip port-map nfs port 944
ip dhcp-server 10.10.0.1
ip dhcp-server 10.10.20.1
ip dhcp-server 10.10.25.1
!
password encryption aes

spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip tcp selective-ack
ip tcp timestamp
ip tcp queuemax 50
ip tcp path-mtu-discovery
!
interface FastEthernet0
 no ip address
 no ip route-cache
 no ip mroute-cache
!
interface GigabitEthernet1/0/1
 description Outside R1 - SW
 switchport access vlan 5
 switchport mode access
!
interface GigabitEthernet1/0/2
 description Outside FW - SW
 switchport access vlan 5
 switchport mode access
!
interface GigabitEthernet1/0/3
 description Inside Network FW
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,15,20,25
 switchport mode trunk
!
interface GigabitEthernet1/0/4
 description **************
!
interface GigabitEthernet1/0/5
 description Servers
 switchport access vlan 15
 switchport mode access

interface GigabitEthernet1/0/6
 description Servers
 switchport access vlan 15
 switchport mode access
!
interface GigabitEthernet1/0/7
 description Inside
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/0/8
 description Inside
 switchport access vlan 10
 switchport mode access

interface GigabitEthernet1/0/13
 description Backups
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/0/14
 description Backups
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/0/15
 description Storage
 switchport access vlan 25
 switchport mode access
!
interface GigabitEthernet1/0/16
 description Storage
 switchport access vlan 25
 switchport mode access
!
interface GigabitEthernet1/0/17
 description Storage
 switchport access vlan 25
 switchport mode access

interface Vlan5
 ip address 10.85.85.3 255.255.255.0
 ip helper-address 10.85.85.1
 arp snap
 spanning-tree portfast
!
interface Vlan10
 ip address 10.10.0.3 255.255.255.0
 ip helper-address 10.10.0.1
 arp snap
 spanning-tree portfast
!
interface Vlan15
 ip address 10.10.15.3 255.255.255.0
 ip helper-address 10.10.15.1
 no ip route-cache
 no ip mroute-cache
 arp snap
 spanning-tree portfast
!
interface Vlan20
 ip address 10.10.20.3 255.255.255.0
 ip helper-address 10.10.20.1
 no ip route-cache
 no ip mroute-cache
 arp snap
 spanning-tree portfast
!
interface Vlan25
 ip address 10.10.25.3 255.255.255.0
 ip helper-address 10.10.25.1
 no ip route-cache
 no ip mroute-cache
 arp snap
 spanning-tree portfast

ip default-gateway 10.85.85.1
no ip classless
no ip http server

Hi

From your switch VLAN 10, are you able to ping your FW inside (10.10.0.2)?

To reach other VLANs from your firewall:

 1. You have configured a trunk from your switch to your firewall, so you need to adapt your ASA config.

 2. OR you leave it with 1 VLAN and add a route inside on your firewall pointing to your SW VLAN 10 as next hop for all other VLANs.

If you want to keep trunking, the ASA config would be:

interface Ethernet0/1.10
 vlan 10
 nameif Inside_Network
 security-level 100
 ip address 10.10.0.2 255.255.255.0
!
interface Ethernet0/1.15
 vlan 15
 nameif Inside_Network_2
 security-level 100
 ip address 10.10.15.2 255.255.255.0

Hope this is clear.

Thanks

PS: Please don't forget to rate and mark as correct answer if this solved your issue


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hello;

From the switch I can ping the FW (10.10.0.2):

SW#ping 10.10.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms

Also from the firewall I can ping back to the switch (VLAN 10, 10.10.0.3):

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

But pinging from the switch and/or firewall to the VLAN 10 gateway is where I have the problem; even from my firewall I can't ping the VLAN 10 gateway.

SW#ping 10.10.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.0.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

This is from the firewall GUI:

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to Inside, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5) (10.10.0.1 Vlan 10 gateway)

As you can see in the switch config, I have a trunk port from the firewall to the switch:

 description Inside Network FW <----- FW to Switch
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,15,20,25
 switchport mode trunk

So you're saying to leave Ethernet0/1 empty and create a subnet underneath Ethernet0/1 as Ethernet0/1.10 for my internal VLANs? And also, how would I configure a route; would it be 10.10.0.0 255.255.0.0 10.10.0.3 <---- would the inside route look like this? I'm really new to this routing stuff lol. I would like to keep the trunk and have all traffic stop by my firewall first; it seems like I can't ping any of my internal VLAN gateways from the firewall or switch.

Ok, wait a minute. Let's forget about the trunk configuration for now. Let's concentrate on your problem.

The switch VLAN 10 IP is 10.10.0.3 and you can't reach 10.10.0.1. Who is this 10.10.0.1? You said your default gateway... Is the switch your default gateway? Where is this device connected?

Do you see a show ip arp entry for that 10.10.0.1 device?

Thanks


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hello;

10.10.0.1 is my default GW for VLAN 10 off my router; on my router I have 4 subinterfaces. Here is my router config:

hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.0.1 10.10.0.84
ip dhcp excluded-address 10.10.0.101 10.10.0.255
ip dhcp excluded-address 10.10.20.1 10.10.20.84
ip dhcp excluded-address 10.10.20.101 10.10.20.255
ip dhcp excluded-address 10.10.25.101 10.10.25.255
ip dhcp excluded-address 10.10.25.1 10.10.25.84
!
ip dhcp pool 10_Net_POOL
   import all
   network 10.10.0.0 255.255.255.0
   update dns
   default-router 10.10.0.1
   domain-name Internal_Net.com
   dns-server 10.10.15.4 10.10.15.5
   update arp
!
ip dhcp pool 20_NET_POOL
   import all
   network 10.10.20.0 255.255.255.0
   update dns
   default-router 10.10.20.1
   domain-name Backup_Internal_Net.com
   dns-server 10.10.15.4 10.10.15.5
   update arp
!
ip dhcp pool 25_NET_POOL
   import all
   network 10.10.25.0 255.255.255.0
   update dns
   default-router 10.10.25.1
   domain-name Storage_Internal_Net.com
   dns-server 10.10.15.4 10.10.15.5
   update arp
!
!
ip domain name Internal.com
ip ssh source-interface FastEthernet1
ip ssh logging events
ip ssh version 2
!
!
!
username JEJ privilege 15 secret 5 $1$jyg2$ZDr0KASZP.8CbSZyBdIw61
!
!
!
!
!
!
interface FastEthernet0
 description OUT
 ip address 192.168.0.85 255.255.255.0
 ip access-group filter-inbond in
 ip access-group filter-outbond out
 ip nat outside
 ip irdp
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1
 description Internal
 ip address 10.85.85.1 255.255.255.0
 ip nat outside
 ip irdp
 ip virtual-reassembly
 duplex auto
 speed auto
 no snmp trap link-status
!
interface FastEthernet1.10
 description Clients
 encapsulation dot1Q 10
 ip address 10.10.0.1 255.255.255.0
 ip nat inside
 ip irdp
 ip virtual-reassembly
 no snmp trap link-status
!
interface FastEthernet1.15
 description Servers
 encapsulation dot1Q 15
 ip address 10.10.15.1 255.255.255.0
 ip nat inside
 ip irdp
 ip virtual-reassembly
 no snmp trap link-status
!
interface FastEthernet1.20
 description Backup
 encapsulation dot1Q 20
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
 ip irdp
 ip virtual-reassembly
 no snmp trap link-status
!
interface FastEthernet1.25
 description Storage
 encapsulation dot1Q 25
 ip address 10.10.25.1 255.255.255.0
 ip nat inside
 ip irdp
 ip virtual-reassembly
 no snmp trap link-status
!
interface Vlan1
 no ip address
!
interface Async1
 no ip address
 encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 192.168.0.X
!
!
no ip http server
no ip http secure-server
ip nat inside source list 50 interface FastEthernet0 overload
!
ip access-list extended filter-inbond
 permit icmp any any echo-reply
 permit tcp any eq www any established
 permit tcp any eq 443 any established
 permit tcp any eq 8080 any established
 permit udp any eq domain any
 deny   ip any any
 deny   udp any any
 deny   tcp any any
ip access-list extended filter-outbond
 permit icmp any any echo
 permit udp any any eq domain
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq 8080
 deny   ip any any
 deny   tcp any any
 deny   udp any any
!
access-list 40 permit 0.0.0.0 255.0.0.0
access-list 50 permit 0.0.0.0 255.0.0.0

From the switch ARP table:

SW#sarp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.0.1             209   0026.cb6e.da17  ARPA   Vlan10 <----- this is the gw for vlan10; but its pointing to the wrong mac address; (FW Mac 0026.cb6e.da17, its supposed to be my R1 mac address 001e.7aa1.8ca7)
Internet  10.10.0.2             130   0026.cb6e.da17  ARPA   Vlan10
Internet  10.10.0.3               -   0026.0a7c.01c2  ARPA   Vlan10

Internet  10.85.85.1              0   001e.7aa1.8ca7  ARPA   Vlan5
Internet  10.85.85.2            139   0026.cb6e.da16  ARPA   Vlan5
Internet  10.85.85.3              -   0026.0a7c.01c1  ARPA   Vlan5
Internet  10.10.15.3              -   0026.0a7c.01c3  ARPA   Vlan15
Internet  10.10.20.3              -   0026.0a7c.01c4  ARPA   Vlan20
Internet  10.10.25.3              -   0026.0a7c.01c5  ARPA   Vlan25

My switch default GW is 10.85.85.1.

My R1 is connected directly to the switch on VLAN 5 on SW Fa0/1.

Please see drawing for confirmation.
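The check the poster did by eye on the ARP table above (the VLAN 10 gateway resolving to the firewall's MAC rather than R1's) is the same test one would automate to catch a misconfigured device or ARP spoofing answering for a gateway. The following is an added example, not code from the thread: it parses the switch's `show ip arp` rows quoted above and flags gateways whose MAC is not the expected one, plus any MAC that answers for several IPs on one VLAN. The expected-MAC table is an assumption built from the addresses and MACs the poster reports.

```python
"""Audit IOS `show ip arp` output for gateway entries with the wrong MAC.
Added example; the expected-MAC table and helper names are assumptions."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class ArpEntry(NamedTuple):
    ip: str
    mac: str
    interface: str


# Constructed sample: the VLAN 10 and VLAN 5 rows from the poster's ARP table.
SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.0.1             209   0026.cb6e.da17  ARPA   Vlan10
Internet  10.10.0.2             130   0026.cb6e.da17  ARPA   Vlan10
Internet  10.10.0.3               -   0026.0a7c.01c2  ARPA   Vlan10
Internet  10.85.85.1              0   001e.7aa1.8ca7  ARPA   Vlan5
Internet  10.85.85.2            139   0026.cb6e.da16  ARPA   Vlan5
Internet  10.85.85.3              -   0026.0a7c.01c1  ARPA   Vlan5
"""

# Assumption: the MAC each gateway *should* resolve to.  R1 owns both
# gateways; IOS subinterfaces share the physical port's MAC, so the VLAN 10
# gateway on Fa1.10 is expected to show R1's Fa1 MAC as well.
EXPECTED_GATEWAY_MAC: Dict[str, str] = {
    "10.10.0.1": "001e.7aa1.8ca7",
    "10.85.85.1": "001e.7aa1.8ca7",
}

ARP_ROW = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+\S+\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA\s+(?P<iface>\S+)",
    re.IGNORECASE,
)


def parse_show_ip_arp(text: str) -> List[ArpEntry]:
    """Parse complete ARP rows; the header and Incomplete entries are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_ROW.match(line.strip())
        if m:
            entries.append(ArpEntry(m["ip"], m["mac"].lower(), m["iface"]))
    return entries


def gateway_mismatches(entries: List[ArpEntry],
                       expected: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """(ip, vlan, learned_mac, expected_mac) for every gateway answered by the wrong MAC."""
    return [(e.ip, e.interface, e.mac, expected[e.ip].lower())
            for e in entries
            if e.ip in expected and e.mac != expected[e.ip].lower()]


def shared_macs(entries: List[ArpEntry]) -> Dict[Tuple[str, str], List[str]]:
    """MACs answering for more than one IP on the same VLAN.  Normal for a
    router holding several addresses, suspicious when it is not the gateway."""
    by_mac: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for e in entries:
        by_mac[(e.interface, e.mac)].append(e.ip)
    return {k: v for k, v in by_mac.items() if len(v) > 1}


def audit(text: str = SHOW_IP_ARP,
          expected: Dict[str, str] = EXPECTED_GATEWAY_MAC) -> dict:
    entries = parse_show_ip_arp(text)
    return {"mismatches": gateway_mismatches(entries, expected),
            "shared": shared_macs(entries)}


if __name__ == "__main__":
    result = audit()
    for ip, vlan, seen, want in result["mismatches"]:
        print(f"{vlan}: gateway {ip} learned as {seen}, expected {want}")
    for (vlan, mac), ips in result["shared"].items():
        print(f"{vlan}: {mac} answers for {', '.join(ips)}")
```

On the sample rows the audit reports 10.10.0.1 learned as 0026.cb6e.da17 instead of 001e.7aa1.8ca7, and that the same MAC also owns 10.10.0.2 (the ASA's inside address), which is exactly what the poster concluded.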

Ok, I understand. It would be better in this design to put your ASA in transparent mode.

I'm at work right now. I will paste a config example this evening.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Ok, that's fine; I'll be up here. I just want traffic to hit my firewall first before heading to my router. I never thought about transparent mode, but hopefully it will work so all traffic will pass through the firewall first. Thanks for your help.

Hi

As promised, here is a sample config with the ASA as transparent. I've created ACLs with permit any any as it's a lab. You need to open everything to test and then build up your own ACLs.

In my design ASA e0 is GigabitEthernet 0 and e1 is GigabitEthernet 1.

I've attached all configs.

Another thing: be careful with inspect, as you can have asymmetric traffic (e.g. if you try a ping from VLAN 10 on my R2 design to VLAN 20 on my R1 design, and you are doing ICMP inspection, it will fail). You can use the tcp-bypass feature to eliminate the stateful inspection. But these are config tweaks.

Thanks 

PS: Please don't forget to rate and mark as correct answer if this answered your question.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hello;

Thanks again for the response. What I'll do is take my config and modify it to what you have in your previous response, and paste what I've got; I want to make sure what you requested is correct before I implement this change.

So first is my router after it has been modified; does this look correct to you?

Building configuration...

Current configuration : 4436 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
resource policy
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.0.1 10.10.0.84
ip dhcp excluded-address 10.10.0.101 10.10.0.255
ip dhcp excluded-address 10.10.20.1 10.10.20.84
ip dhcp excluded-address 10.10.20.101 10.10.20.255
ip dhcp excluded-address 10.10.25.101 10.10.25.255
ip dhcp excluded-address 10.10.25.1 10.10.25.84
!
ip dhcp pool 10_Net_POOL
   import all
   network 10.10.0.3 255.255.255.0
   update dns
   default-router 10.10.0.3
   domain-name J_Internal_Net.com
   dns-server 10.10.15.4 10.10.15.5
   update arp
!
ip dhcp pool 20_NET_POOL
   import all
   network 10.10.20.0 255.255.255.0
   update dns
   default-router 10.10.20.3
   domain-name Backup_Internal_Net.com
   dns-server 10.10.15.4 10.10.15.5
   update arp
!
ip dhcp pool 25_NET_POOL
   import all
   network 10.10.25.0 255.255.255.0
   update dns
   default-router 10.10.25.3
   domain-name Storage_Internal_Net.com
   dns-server 10.10.15.4 10.10.15.5
   update arp
!
no ip domain lookup
!
ip tcp synwait-time 5
multilink bundle-name authenticated
!
ip ssh logging events
ip ssh version 2
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 5
!
!
interface Loopback0
 ip address 8.8.8.8 255.255.255.255
!
interface FastEthernet0
 description OUT
 ip address 192.168.0.85 255.255.255.0
 ip access-group filter-inbond in
 ip access-group filter-outbond out
 ip nat outside
 ip irdp
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1
 description Internal
 ip address 10.85.85.1 255.255.255.0
 ip nat inside
 ip irdp
 ip virtual-reassembly
 duplex auto
 speed auto
 no snmp trap link-status
!
interface FastEthernet1.10
 description Clients
 encapsulation dot1Q 10
 ip address 10.10.0.1 255.255.255.0
 ip nat inside
 ip irdp
 ip virtual-reassembly
 no snmp trap link-status
!
interface FastEthernet1.15
 description Servers
 encapsulation dot1Q 15
 ip address 10.10.15.1 255.255.255.0
 ip nat inside
 ip irdp
 ip virtual-reassembly
 no snmp trap link-status
!
interface FastEthernet1.20
 description Backup
 encapsulation dot1Q 20
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
 ip irdp
 ip virtual-reassembly
 no snmp trap link-status
!
interface FastEthernet1.25
 description Storage
 encapsulation dot1Q 25
 ip address 10.10.25.1 255.255.255.0
 ip nat inside
 ip irdp
 ip virtual-reassembly
 no snmp trap link-status
!
interface Vlan1
 no ip address
!
interface Async1
 no ip address
 encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 192.168.0.X
!
!
no ip http server
no ip http secure-server
ip nat inside source list 50 interface FastEthernet0 overload
no cdp log mismatch duplex
!
ip access-list extended filter-inbond
 permit icmp any any echo-reply
 permit tcp any eq www any established
 permit tcp any eq 443 any established
 permit tcp any eq 8080 any established
 permit udp any eq domain any
 deny   ip any any
 deny   udp any any
 deny   tcp any any
ip access-list extended filter-outbond
 permit icmp any any echo
 permit udp any any eq domain
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq 8080
 deny   ip any any
 deny   tcp any any
 deny   udp any any
!
access-list 40 permit 0.0.0.90 255.255.255.0
access-list 40 permit 0.0.0.0 255.0.0.0
access-list 50 permit 10.10.0.0 0.0.255.255
access-list 50 permit 0.0.0.0 255.0.0.0
!
control-plane
!
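The accepted answer's advice to make access-list 50 more restrictive, and the two versions of ACL 50 in the poster's router configs (the overload NAT rule uses this list to decide which inside hosts get translated), both turn on how Cisco wildcard masks match: wildcard bits set to 1 are ignored, bits set to 0 must match, the inverse of a subnet mask. The following is an added example, not code from the thread: it evaluates the posted entries against constructed sample hosts and shows what a subnet mask placed in the wildcard position would match. The sample hosts and helper names are assumptions.

```python
"""Cisco wildcard-mask matching for the NAT source list (access-list 50).
Added example; the sample hosts and helper names are constructed here."""
import ipaddress
from typing import Dict, List, Tuple

Ace = Tuple[str, str, str]  # (action, address, wildcard)


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(host: str, address: str, wildcard: str) -> bool:
    """True if `host` is matched by the entry `<action> address wildcard`."""
    care = 0xFFFFFFFF ^ _to_int(wildcard)  # bit positions that must agree
    return (_to_int(host) & care) == (_to_int(address) & care)


def subnet_to_wildcard(mask: str) -> str:
    """Invert a subnet mask (255.255.255.0) into wildcard form (0.0.0.255)."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ _to_int(mask)))


def first_match(host: str, acl: List[Ace]) -> str:
    """IOS semantics: evaluate top-down, first match wins, implicit deny at the end."""
    for action, address, wildcard in acl:
        if wildcard_match(host, address, wildcard):
            return action
    return "deny"


def evaluate(acl: List[Ace], hosts: List[str]) -> Dict[str, str]:
    """Map each host to the action ACL `acl` takes on it."""
    return {h: first_match(h, acl) for h in hosts}


# ACL 50 exactly as it appears in the first router config.
ACL50_ORIGINAL: List[Ace] = [("permit", "0.0.0.0", "255.0.0.0")]
# ACL 50 as the poster rewrote it in the second config.
ACL50_REWRITTEN: List[Ace] = [("permit", "10.10.0.0", "0.0.255.255"),
                              ("permit", "0.0.0.0", "255.0.0.0")]
# A subnet mask placed in the wildcard position, beside the same intent with
# the mask inverted into a real wildcard.
ACL50_MASK_AS_TYPED: List[Ace] = [("permit", "10.10.0.0", "255.255.255.0")]
ACL50_MASK_INVERTED: List[Ace] = [("permit", "10.10.0.0",
                                   subnet_to_wildcard("255.255.255.0"))]

# Constructed sample hosts: a VLAN 10 client, a VLAN 20 backup host and the
# switch's VLAN 5 SVI address from the thread.
SAMPLE_HOSTS = ["10.10.0.50", "10.10.20.7", "10.85.85.3"]

if __name__ == "__main__":
    for name, acl in [("original", ACL50_ORIGINAL),
                      ("rewritten", ACL50_REWRITTEN),
                      ("mask as typed", ACL50_MASK_AS_TYPED),
                      ("mask inverted", ACL50_MASK_INVERTED)]:
        print(f"{name:14} -> {evaluate(acl, SAMPLE_HOSTS)}")
```

The original entry `0.0.0.0 255.0.0.0` only matches addresses of the form x.0.0.0, so no VLAN host was ever translated by the overload rule; the rewritten first entry covers 10.10.0.0/16, and a subnet mask typed as a wildcard matches only addresses ending in .0.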

Don't copy my router config (delete the Loopback0). I've pasted the config just to show the VLAN IDs you need to use on both end devices: router and switch.

The most important is the firewall. You need to convert it to transparent mode by using the command firewall transparent.

My router config is just an example; don't copy anything from there. The goal is to show you that the VLAN IDs are different on both sides.

thanks


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Lmao; ok ok, my fault, no worries. I see what you mean, I just need to focus on the firewall and switch when converting it to transparent mode. What's the advantage of converting it to transparent instead of routed mode???

You need to concentrate on the configs and adapt them to your devices. Example: you will see that VLAN 10 is used on the inside, but on the outside (firewall + router) the VLAN ID used is 110.

For what you want to achieve with your design you need to do it in transparent. If you move forward with routed, you need to change your design, otherwise it will not work.

Thanks 

PS: Please don't forget to rate and mark as correct answer 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Ok, I see what you mean; I will see what I can do when I get home.

Thanks for the help; if I have any questions or trouble I'll reply to the latest post in this discussion.

Thanks
