04-26-2018 12:47 PM - edited 02-21-2020 07:40 AM
So I have a switch that is directly connected to a ASA5585X.
I can't ping the 192.168.10.10 /24 IP Inside interface from the switch which has just one SVI/VLAN 10 (192.168.10.5).
Since it is directly connected no route is needed, only a route pointing to reach all internal subnets used 192.168.10.5. ( I tried entering static routes anyway)
Both interfaces are up/up including SVI on switch.
I am allowing icmp on the inside ACL.
Anything else I am missing?
04-26-2018 01:03 PM
What version ASA are you running?
Normally icmp on the ingress interface should answer. Check the configuration if you have any command for icmp deny any inside and remove it and perhaps enter a more specific command.
If this command is not present try adding icmp permit any inside for testing purpose.
If it still does not work, monitor the ASDM logging window while pinging to see if there are any drop messages for the ICMP packet.
04-26-2018 01:21 PM
There is no icmp deny any inside when doing show run } inc icmp.
Tried to add the icmp but this is what I get:
04-26-2018 01:23 PM
can you ping the switch from the ASA?
04-26-2018 01:25 PM
No I can't do that either. Switchport to ASA is trunked with no pruning.
Switch is directly connected with 1 SV1 for the same subnet (vlaan 10) 192.168.10.5)
04-26-2018 01:28 PM
Is the ASA interface configured with subinterfaces? if not then that is where the problem is.
04-26-2018 04:32 PM
See attached diagram.
I am no longer at the lab and will have to work on it next week.
First I had a router directly connected to the ASA - could ping between both - then added a switch in between them to be able to connect 2 routers to the ASA for redundancy and this is the problem switch I am referring to. So you are saying now that there is no directly connected device with sub-interfaces for subnet 10.1.10.X/Vlan 10 (InternalRt) the ASA must have a sub-interface for that subnet? What about all other 10.1.X.D subnets I have on the InternalRt and Accsw will I need sub-interfaces on teh ASA for those too?
See attached diagram.
I have never configured sub-int on ASA. Will I call all sub-int on the g0 interface "inside" and give same security level right?
04-26-2018 10:50 PM
So you are saying now that there is no directly connected device with sub-interfaces for subnet 10.1.10.X/Vlan 10 (InternalRt) the ASA must have a sub-interface for that subnet?
I am not sure what you mean by this. But to clarify, If you intend to do inter VLAN routing on the ASA then the ASA needs to have subinterfaces for each VLAN so that it tags packets with the correct VLAN.
04-27-2018 12:42 PM
Sorry for the confusion.
No I only want to do inter-vlan routing on the Access switches with SVIs, and routing on the Internal Routers with sub-interfaces. I simply want to be able pass allowed traffic (from the different vlan subnets in the lan) up through the interconnecting switch (sits between Internal routers and FW) on out through the FW then to ISP.
The side of the interfonnect switch that connects to the routers is trunked and I can ping between them. The side of the switch that connects to the FW, I changed to switchport access vlan 10 and I could then ping the FW. My worry is will all traffic from the internal subnets pass-through since it is not a trunk?
I have a switch there because I did not see how I can connect both routers to the FW - or is there a way to do it? I would need same ACL applied to both inside interfaces. Once and if I am able to implement another FW then the interconnect switch could go away right since I would just connect each FW to each router but then how do I connect both FWs to on router again? I guess my main question is how do you connect redundant routers (HSRP, same sub-interfaces, etc.) to 1 FW or switch, and vice versa?
I have attached my topology again.
04-28-2018 12:22 AM
My worry is will all traffic from the internal subnets pass-through since it is not a trunk?
If you are doing routing on the switch, then you need a default route on the switch pointing to the ASA. If this is in place then all traffic that does not match more specific routing entries will be sent to the ASA. If you must have the link to the ASA as a trunk then you need to implement subinterface.
Once and if I am able to implement another FW then the interconnect switch could go away right since I would just connect each FW to each router but then how do I connect both FWs to on router again? I guess my main question is how do you connect redundant routers (HSRP, same sub-interfaces, etc.) to 1 FW or switch, and vice versa?
To connect two routers on the same subnet to a single ASA you would need to use redundant interface configuraiton on the ASA. But this is not a good solution to use with routers and HSRP as the ASA monitors the link status to determine if a failover situation has occured. Lets say you connect router 1 and router 2 to a single ASA with redundant interfaces and router 1 connects to the active redundant interface. Then if the LAN link (not the link that goes towards the ASA) fails and HSRP switches to router 2 which is connected to the ASA interface which is in standby. The ASA still sees the link to router 1 as active and will not failover and then your network will effectively have no internet access. A better solution here would be to have both ASA links configured as redundant connect to a switch and also the routers connected to the switch. Now if the LAN link on router 1 fails and failover to router 2, router 2 will still send traffic to the active interface as the switch is monitoring where the active MAC address is located.
04-28-2018 07:32 AM
IIf you are doing routing on the switch, then you need a default route on the switch pointing to the ASA. If this is in place then all traffic that does not match more specific routing entries will be sent to the ASA. If you must have the link to the ASA as a trunk then you need to implement subinterface.
I have attached the topology again just to help as a reference.
Yes, right now I have the AccessSwitch doing routing and the Internal Routers doing routing.
The Accessswtiches have static routes that point to the Internal Routers as the GW
The Internal Routers point to the FW at the GW with a 0.0.0.0 default route.
Now that I have a interconnect/edge switch in between the FW and Router just so I can connect both Routers to the FW, I also have a 0.0.0.0 default route on this edge switch pointing to the FW.
Is this correct or best practice to do this way?
I will need to be able to send different VLAN traffic/subnets through the ASA so I would need trunk from Interconnect switch to the ASA correct instead of just doing switchport access or a routed port with a /30 (.4 is edge switch and .5 is FW)? By doing this I would have to create sub-interfaces on the g0/0 inside interface on the FW for every subnet that would need to go through the FW (e.g. int. g0/0.10 10.1.10.5, g0/0.11 10.1.11.5, etc.)?
To connect two routers on the same subnet .......
Sorry just need some clarification in the setup you are describing here. Ideally I would have 2 of everything. Right now I only have one edge switch that connects to the FW. You referenced ASA links configured as redundant. Are you referring to if I had 2 edge switches and still 1 FW?
So basically I would be able to configure both inside interfaces exactly the same on the FW (same ACLs, IP, etc.) and make one prim and secondary. Would I be doing the by configuring HSRP on these interfaces?
04-28-2018 11:49 AM
There are two ways of setting this up, and the method you use depends on your company's security policy and if one or all of the subnets contains sensitive information.
The first way is to set it up as you already have it. one interface on the ASA connected to an access port on the switch configured to be in the vlan of the subnet configured on the ASA interface. Then configure a default route on the switch pointing to the ASA interface. once this is done all you need is to configure the other VLANs with a VLAN interface and the switch will route traffic to the default route no matter which VLAN the traffic is coming from (that is if there is no other more specific route configure for that traffic).
The second method, and more secure method is to terminate all the VLANs on the ASA. Create subinterfaces for each VLAN on the ASA and remove all SVIs from the switch. Then the ASA will be doing all routing including inter VLAN. This also means that you will have control of which IPs are reachable for each VLAN, much more control.
The third option would be to have a combination of the two. The VLANs that should be allowed to communicate with each other have an SVI configured on the switch, which the VLANs that should be secured have the VLANs terminated on the ASA. This would mean that the ASA needs subinterfaces for each of the VLANs that are to be secured and one subinterface for the VLANs that are not restricted to communicate with each other. Then configure a default route on the switch pointing to the ASA interface for the none restricted VLANs, while the secured VLANs get the ASA IP via the DHCP.
I hope I managed to explain that so you understand.
As for redundancy, I though that was a different post / discussion?
In any case, ideally you would have two of everything for a full redundant configuration. However if you have just one ASA and one switch and two routers, then connect everything to the switch and do not interconnect them to each other. Then configure two interfaces on the ASA as redundant interfaces. This means that one interface will be active while the other will be standby. The ASA will now have one interface that you can configure ACLs, NAT, routing, etc. for. Ofcourse in this setup both the switch and the ASA are single-points-of-failure. If the ASA dies, traffic through the ASA will be down while traffic between the routers will be OK. If the switch dies, all traffic between the routers and ASA will be down.
04-29-2018 09:55 AM
Yes thanks this is awesome info!
Noticed I had few discrepencies on my topology (g3 showed wrong sub-interfaces, wrong subnet on FW, did not show g3 interface on Edgesw as switchport). I also added my route statements on ASA and Edge swtich. See new attached topology in case somethings were confusing.
The first way is to set it up as you already have it. one interface on the ASA connected to an access port on the switch configured to be in the vlan of the subnet configured on the ASA interface. Then configure a default route on the switch pointing to the ASA interface. once this is done all you need is to configure the other VLANs with a VLAN interface and the switch will route traffic to the default route no matter which VLAN the traffic is coming from (that is if there is no other more specific route configure for that traffic).
My main goal is just to simply allow any traffic that hits the Edge switch to be passed on to its destination. If route statement for 10.1.0.0 255.255.0.0 on the ASA points to the InternalRouters I want all this traffic to pass-through to the InternalRouters and like wise if I have a 10.1.X.0 255.255.255.0 on the InternaRouters that points to the ASA.
When I configured a SVI for VLAN 11 on that Edge switch, I could not ping the sub-interface for VLAN 11 on the InternalRt (InternalRouter has sub-int for VLAN10) and vice versa. I wanted to be able to use the VLAN 10 subnet and put it on all devices for mgmt. So whenever I create an SVI on the Edgeswitch for a sub-int/subnet on the InternalRouters, the Edgeswitch can only ping subnets that it is directly connected to and vice versa, so I only have SVI 11 on the edge switch and have not configured any other SVIs that need to go out to the internet on that Edgeswitch. Do you know why this is the case?
The second method, and more secure method is to terminate all the VLANs on the ASA. Create subinterfaces for each VLAN on the ASA and remove all SVIs from the switch. Then the ASA will be doing all routing including inter VLAN. This also means that you will have control of which IPs are reachable for each VLAN, much more control.
So right now, the Accessswitches will be doing routing for server vlans, and the InternalRouters are routing for everything else. So in order for the internal VLANS/subnets that need to go out to the internet, is it a must that I must have corresponding SVIs/VLANs on either the Edgeswitch or the ASA meaning I have to resolve the issue I explained above?
If not, will the g3 interface on the Edge switch that connects to the ASA will pass all this traffic through when that connection if configured for switch port access 11?
If I create sub-interfaces on the FW for all the VLANs that need to go out to the internet, I only keep SVI10 on the EdgeSw for mgmt correct? I guess the main thing I am trying to understand is will the Edge switch simply forward traffic if it connects to ASA via access port vlan 10 and trunk to InternalRouter which I am sure all traffic will go through trunk. I really just want all traffic that hits the EdgeSwitch to pass-through no matter what as I am only using it so both InternalRouters can be utilized via this setup. Once again, when I configured SVI10 on the Edgeswtich, it could not be pinged from the InternalRouters (internal Routers have sub-int for Vlan11/subnet). Once I shut it down I could ping.
In regards to control of IPs which are reachable on the LAN, you are referring to the ACL statements on the FW correct?
The third option would be to have a combination of the two. The VLANs that should be allowed to communicate with each other have an SVI configured on the switch, which the VLANs that should be secured have the VLANs terminated on the ASA. This would mean that the ASA needs subinterfaces for each of the VLANs that are to be secured and one subinterface for the VLANs that are not restricted to communicate with each other. Then configure a default route on the switch pointing to the ASA interface for the none restricted VLANs, while the secured VLANs get the ASA IP via the DHCP.
I really need all VLANs to communicate with each other, but only certain VLANs/subnets will need to go out to the internet. My question is how are the VLANs that are configured on the ASA being secured?
Just a question In regards to pointing to the inside, it is best the ASA use the InternalRouters as the next hop and not the Edgeswitch correct and vice versa?
In any case, ideally you would have two of everything for a full redundant configuration. However if you have just one ASA and one switch and two routers, then connect everything to the switch and do not interconnect them to each other. Then configure two interfaces on the ASA as redundant interfaces. This means that one interface will be active while the other will be standby. The ASA will now have one interface that you can configure ACLs, NAT, routing, etc. for. Ofcourse in this setup both the switch and the ASA are single-points-of-failure. If the ASA dies, traffic through the ASA will be down while traffic between the routers will be OK. If the switch dies, all traffic between the routers and ASA will be down.
If I have only one switch and one ASA, are you referring to configuring two redundant interfaces on the ASA and using two cables on the switch and connecting to these interfaces?
04-29-2018 12:22 PM
When I configured a SVI for VLAN 11 on that Edge switch, I could not ping the sub-interface for VLAN 11 on the InternalRt (InternalRouter has sub-int for VLAN10) and vice versa. I wanted to be able to use the VLAN 10 subnet and put it on all devices for mgmt. So whenever I create an SVI on the Edgeswitch for a sub-int/subnet on the InternalRouters, the Edgeswitch can only ping subnets that it is directly connected to and vice versa, so I only have SVI 11 on the edge switch and have not configured any other SVIs that need to go out to the internet on that Edgeswitch. Do you know why this is the case?
It is a very common practice to have a single VLAN for managment that is not accessible by other networks, i.e. out of band (OOB). However, the way you want to implement SVIs and only have them communicate with the directly connected interface on the router requires more configuration. One method for doing this is using VRFs, another is to use private VLANs. I suggest you read up on these two and then decide which is better for your setup.
When you configured VLAN 11 and you were unable to ping the router subinterface what troubleshooting did you do? At the very least you should be issuing commands like, show vlan brief, show ip int bri | exclude unassigned to see if the VLAN is active and if the line protocols are up / down. My guess is that the line protocol for the SVI is showing line up, protocol down. This indicates that the switch hasn't detected an interface with VLAN 11 assigned to it. Though trunk interfaces should be detected. You can get around this by assigning an interface to VLAN11 or disabling auto-state (I have never tried disabling auto-state but I have read this will solve the issue). I do not know if this feature is available in all releases of IOS. The command is given under the SVI, "no autostate" (without the quotes)
So right now, the Accessswitches will be doing routing for server vlans, and the InternalRouters are routing for everything else. So in order for the internal VLANS/subnets that need to go out to the internet, is it a must that I must have corresponding SVIs/VLANs on either the Edgeswitch or the ASA meaning I have to resolve the issue I explained above?
That is correct
So in order for the internal VLANS/subnets that need to go out to the internet, is it a must that I must have corresponding SVIs/VLANs on either the Edgeswitch or the ASA meaning I have to resolve the issue I explained above?
Yes, there must be some way of routing traffic to the default route. When there is an SVI associated with the VLAN and another VLAN that also has an SVI has a default route towards the ASA, the switch will see this route, route the traffic to the VLAN containing the default route, and then pass the traffic to the ASA. When the VLAN terminates on a subinterface on the ASA then the default gateway on PCs should point to the corresponding IP on the subinterface on the ASA for that VLAN.
If not, will the g3 interface on the Edge switch that connects to the ASA will pass all this traffic through when that connection if configured for switch port access 11?
If the switch port is an access port in VLAN 11, yes all traffic that is routed between VLANs on the switch will be passed to the ASA.
If I create sub-interfaces on the FW for all the VLANs that need to go out to the internet, I only keep SVI10 on the EdgeSw for mgmt correct?
Correct.
I only keep SVI10 on the EdgeSw for mgmt correct?
If you are just using the switch to connected the routers and ASA to, then just keep VLAN 10 for mgmt on the switch and configure subinterfaces on the ASA. When you say "Once I shut it down I could ping." where were you pinging from and what did you shut down?
In regards to control of IPs which are reachable on the LAN, you are referring to the ACL statements on the FW correct?
Yes ACL statements on the firewall will control what is reachable. You might also want to consider implementing zones on the ASA as this is a best practice.
I really need all VLANs to communicate with each other, but only certain VLANs/subnets will need to go out to the internet. My question is how are the VLANs that are configured on the ASA being secured?
ACLs, and zones.
Just a question In regards to pointing to the inside, it is best the ASA use the InternalRouters as the next hop and not the Edgeswitch correct and vice versa?
If the switch is just passing traffic and used for connecting serveral devices together, then yes, ASA points to routers and routers point to ASA.
If I have only one switch and one ASA, are you referring to configuring two redundant interfaces on the ASA and using two cables on the switch and connecting to these interfaces?
Yes, you first configure a redundant logical interface then assign the two interfaces you are going to use for this purpose. But now that I think about it, Configuring a port-channel on the switch and connected to a port-channel on the ASA would be a better solution for this scenario. This would also require two cables.
04-29-2018 05:22 PM
It is a very common practice to have a single VLAN for managment that is not accessible by other networks, i.e. out of band (OOB). However, the way you want to implement SVIs and only have them communicate with the directly connected interface on the router requires more configuration. One method for doing this is using VRFs, another is to use private VLANs. I suggest you read up on these two and then decide which is better for your setup.
For mgmt. OOBM, I am using VLAN 10 and 11 (SVI/Vlan 11 only on the Edge switch as I have not resolved the issue I spoke of with only being able to ping any directly connected sub-int on the router from the EdgeSw , g1 and g3, that the Edgesw also has a corresponding SVI for. I was going to apply ACLs and apply to each SVI/sub-int for these subnets on each device.
When you configured VLAN 11 and you were unable to ping the router subinterface what troubleshooting did you do? At the very least you should be issuing commands like, show vlan brief, show ip int bri | exclude unassigned to see if the VLAN is active and if the line protocols are up / down. My guess is that the line protocol for the SVI is showing line up, protocol down. This indicates that the switch hasn't detected an interface with VLAN 11 assigned to it. Though trunk interfaces should be detected. You can get around this by assigning an interface to VLAN11 or disabling auto-state (I have never tried disabling auto-state but I have read this will solve the issue). I do not know if this feature is available in all releases of IOS. The command is given under the SVI, "no autostate" (without the quotes)
Sorry it is when I configured VLAN 10 I experience pinging problems so I only have SVI 11 and the port that connects to the router is switchport access vlan 11. Yes all SVIs were up/up and all sub-ints on the Router was up/up. I issue debug ICMP on both devices and don't get any output. So if I configure any other SVI on the switch, as of now I will only be able to ping the directly connected interfaces.
Ok I will read up on auto-state and try it.
Yes, there must be some way of routing traffic to the default route. When there is an SVI associated with the VLAN and another VLAN that also has an SVI has a default route towards the ASA, the switch will see this route, route the traffic to the VLAN containing the default route, and then pass the traffic to the ASA. When the VLAN terminates on a subinterface on the ASA then the default gateway on PCs should point to the corresponding IP on the subinterface on the ASA for that VLAN.
So right now, the InterRouters route the vlans via sub-interfaces and there is a statement 0.0.0.0 pointing to the ASA, not the EdgeSw SVI11 ip, and the hosts use the .1 IPs for the sub-interfaces on the InterRt as the GW. The EdgeSw has a 0.0.0.0 route that points to the ASA. Is this not correct? Are you saying without the SVIs on the EdgeSw for the same subnets on the router that point to the ASA that traffic will not transverse the switch and continue to the ASA?
If the switch port is an access port in VLAN 11, yes all traffic that is routed between VLANs on the switch will be passed to the ASA.
Do you mean the traffic that is routed on the InterRt (only have SVI 11 on the switch) will be passed to the ASA?
If you are just using the switch to connected the routers and ASA to, then just keep VLAN 10 for mgmt on the switch and configure subinterfaces on the ASA. When you say "Once I shut it down I could ping." where were you pinging from and what did you shut down?
I was pinging the g1 sub-int for VLAN 10 on the InterRt that is NOT directly connected from the EdgeSw and I shut down SVI 10 on the EdgeSw. So once I shut down SVI 10 on the edge switch, I could ping the sub-int on the Router for VLAN 10. If the sub-int on the Router for VLAN 10 is on the directly connected interface g3, I will still be able to ping even if I have SVI 10 on the EdgeSw UP/UP. I only have a problem communicating between the EdgeSw and InterRt for subnets that are not on the directly connected interface on the InterRt that I have an SVI for on the EdgeSw. I don't care about having SVI on the EdgeSw other than a mgmt. SVI if I can get traffic that hits the switch to pass-through it with just a default route statement. I am not sure why ping does not work if I create the additional SVIs as I mentioned above.
Yes, you first configure a redundant logical interface then assign the two interfaces you are going to use for this purpose. But now that I think about it, Configuring a port-channel on the switch and connected to a port-channel on the ASA would be a better solution for this scenario. This would also require two cables.
Oh ok I did not know I could configure port-channel on an ASA. The 2 redundant interfaces on the ASA I would configure with HSRP and apply the same ACLs and even same nameifs correct?
I really appreciate all the help and I will let you know the status tomorrow.
 
					
				
				
			
		
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide