01-24-2020 11:20 AM
Okay, this is my first time here. I am setting up a home lab: Router (2921) to a layer 3 switch (3560) to an ASA (5520). The router to layer 3 switch works fine. On the switch I have 2 VLANs set up (vlan 1 10.4.0.1/24, vlan 2 10.3.0.1/24). Connected directly to the switch is my ASA, whose outside interface I gave the IP address 10.4.0.2/24. From the switch I can ping the outside interface of the ASA. However, from my ASA I cannot ping anything except 10.4.0.1.
switch config
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 2,99
!
!
!
interface FastEthernet2/0/1
no switchport
ip address 10.2.0.2 255.255.255.0
!
interface FastEthernet2/0/2
!
interface FastEthernet2/0/3
switchport access vlan 2
switchport mode access
!
interface FastEthernet2/0/4
switchport access vlan 2
switchport mode access
!
interface FastEthernet2/0/5
switchport access vlan 2
switchport mode access
!
interface FastEthernet2/0/6
!
interface FastEthernet2/0/7
!
interface FastEthernet2/0/8
!
interface FastEthernet2/0/9
!
interface FastEthernet2/0/10
!
interface FastEthernet2/0/11
!
interface FastEthernet2/0/12
!
interface FastEthernet2/0/13
!
interface FastEthernet2/0/14
!
interface FastEthernet2/0/15
!
interface FastEthernet2/0/16
!
interface FastEthernet2/0/17
!
interface FastEthernet2/0/18
!
interface FastEthernet2/0/19
!
interface FastEthernet2/0/20
!
interface FastEthernet2/0/21
!
interface FastEthernet2/0/22
!
interface FastEthernet2/0/23
!
interface FastEthernet2/0/24
!
interface FastEthernet2/0/25
!
interface FastEthernet2/0/26
!
interface FastEthernet2/0/27
!
interface FastEthernet2/0/28
!
interface FastEthernet2/0/29
!
interface FastEthernet2/0/30
!
interface FastEthernet2/0/31
!
interface FastEthernet2/0/32
!
interface FastEthernet2/0/33
!
interface FastEthernet2/0/34
!
interface FastEthernet2/0/35
!
interface FastEthernet2/0/36
!
interface FastEthernet2/0/37
!
interface FastEthernet2/0/38
!
interface FastEthernet2/0/39
!
interface FastEthernet2/0/40
!
interface FastEthernet2/0/41
!
interface FastEthernet2/0/42
!
interface FastEthernet2/0/43
!
interface FastEthernet2/0/44
!
interface FastEthernet2/0/45
!
interface FastEthernet2/0/46
!
interface FastEthernet2/0/47
!
interface FastEthernet2/0/48
!
interface GigabitEthernet2/0/1
!
interface GigabitEthernet2/0/2
!
interface GigabitEthernet2/0/3
!
interface GigabitEthernet2/0/4
!
interface Vlan1
ip address 10.4.0.1 255.255.255.0
!
interface Vlan2
ip address 10.3.0.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip route 0.0.0.0 0.0.0.0 10.2.0.1
ip http server
ip http secure-server
!
!
control-plane
!
!
line con 0
line vty 0 4
login
line vty 5 15
login
!
ASA config
ciscoasa(config)# show run
: Saved
:
: Serial Number: JMX1629X0T3
: Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
:
ASA Version 9.1(7)32
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.4.0.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.5.0.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
route outside 0.0.0.0 0.0.0.0 10.2.0.1 1
route outside 0.0.0.0 0.0.0.0 10.2.0.2 1
route outside 0.0.0.0 0.0.0.0 10.4.0.1 1
route inside 10.0.0.0 255.0.0.0 10.2.0.1 1
route inside 10.0.0.0 255.0.0.0 10.2.0.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.3.0.0 255.255.255.0 outside
01-24-2020 11:28 AM - edited 01-24-2020 11:33 AM
Hi,
How are the ASA's outside and inside interfaces connected to the switch?
Is the ASA outside interface connected to the router?
I think you have the wrong IP address on your inside interface of the ASA - 10.5.0.1?
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.5.0.1 255.255.255.0
...but your route to the inside network is via 10.2.0.1, which is not on the same network as the ASA's inside interface.
Your routing table also has routes inside and outside via the same IP address. Remove the incorrect routes:
route outside 0.0.0.0 0.0.0.0 10.2.0.1 1
route outside 0.0.0.0 0.0.0.0 10.2.0.2 1
route outside 0.0.0.0 0.0.0.0 10.4.0.1 1
route inside 10.0.0.0 255.0.0.0 10.2.0.1 1
route inside 10.0.0.0 255.0.0.0 10.2.0.2 1
HTH
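The routes listed above point their next hops at 10.2.0.1 and 10.2.0.2, neither of which is on the outside interface's 10.4.0.0/24 subnet or the inside interface's 10.5.0.0/24 subnet, so the ASA has no way to ARP for them. As an added example (not from this thread or from Cisco), here is a small Python check that parses the interface and route lines from the ASA config posted in the question and flags every static route whose next hop is not on the egress interface's connected subnet; the sample config is a constructed excerpt of that posted config.

```python
import ipaddress
import re

# Constructed sample: the nameif/ip address and route lines from the ASA
# config posted in this thread, trimmed to what the check needs.
ASA_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 10.4.0.2 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 ip address 10.5.0.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.2.0.1 1
route outside 0.0.0.0 0.0.0.0 10.2.0.2 1
route outside 0.0.0.0 0.0.0.0 10.4.0.1 1
route inside 10.0.0.0 255.0.0.0 10.2.0.1 1
route inside 10.0.0.0 255.0.0.0 10.2.0.2 1
"""

# ASA syntax: route <nameif> <dest> <mask> <next hop> [metric]
ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_asa(config):
    """Return ({nameif: connected network}, [(nameif, dest/mask, next hop)])."""
    nets, routes, nameif = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None  # new interface block, nameif not known yet
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            addr, mask = line.split()[2:4]
            nets[nameif] = ipaddress.ip_interface(f"{addr}/{mask}").network
        else:
            m = ROUTE_RE.match(line)
            if m:
                ifname, dest, mask, nexthop = m.groups()
                routes.append((ifname, f"{dest}/{mask}", nexthop))
    return nets, routes


def check_routes(config):
    """Return the routes whose next hop is off the egress interface's subnet."""
    nets, routes = parse_asa(config)
    bad = []
    for ifname, dest, nexthop in routes:
        net = nets.get(ifname)
        if net is None or ipaddress.ip_address(nexthop) not in net:
            bad.append((ifname, dest, nexthop))
    return bad
```

Run against the excerpt, only the `route outside ... 10.4.0.1` entry survives the check; the other four are the ones the reply above says to remove.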
01-24-2020 11:38 AM
The ASA is directly connected to an interface on the switch which is in vlan 1. The switch can ping the outside interface of the ASA, which is configured on the ASA as 10.4.0.2. However, from the ASA I cannot reach the internet. From the switch I can ping anywhere. I can actually, from the switch, ping the default gateway (10.2.0.2) with the source of 10.4.0.1.
01-24-2020 11:53 AM
01-24-2020 12:07 PM
Correct, the (Fa2/0/1) is plugged into the router. From the router I can ping the 10.4.0.1 address but not 10.4.0.2 (outside interface of the ASA).
Router config
Current configuration : 1526 bytes
!
! Last configuration change at 16:54:12 UTC Fri Jan 24 2020
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Rackrouter
!
boot-start-marker
boot-end-marker
!
!
! card type command needed for slot/vwic-slot 0/0
!
no aaa new-model
!
!
dot11 syslog
ip source-route
!
!
ip cef
!
ip dhcp pool RACKROUTER
network 10.2.0.0 255.255.255.0
default-router 10.2.0.1
dns-server 8.8.8.8
!
!
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO2821 sn FTX1220A07F
!
redundancy
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 10.2.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip route 10.3.0.0 255.255.255.0 10.2.0.2
ip route 10.4.0.0 255.255.255.0 10.2.0.2
!
access-list 1 permit any
01-24-2020 12:22 PM
01-24-2020 12:26 PM
Yes, it is enabled. From the switch I can ping 10.4.0.2 (outside interface of the ASA); however, from the ASA I am unable to reach any IP.
01-24-2020 12:33 PM
01-24-2020 01:12 PM
Those routes were removed. I received this from the debug.
ciscoasa(config)# ICMP echo request from 10.2.0.1 to 10.4.0.2 ID=3 seq=0 len=72
ICMP echo request from 10.2.0.1 to 10.4.0.2 ID=3 seq=1 len=72
ICMP echo request from 10.2.0.1 to 10.4.0.2 ID=3 seq=2 len=72
ICMP echo request from 10.2.0.1 to 10.4.0.2 ID=3 seq=3 len=72
ICMP echo request from 10.2.0.1 to 10.4.0.2 ID=3 seq=4 len=72
01-24-2020 01:25 PM
01-24-2020 01:34 PM
Routes were removed and I attempted to ping 10.2.0.2 (100% loss).
ASA show route
Gateway of last resort is 10.2.0.2 to network 0.0.0.0
C 10.4.0.0 255.255.255.0 is directly connected, outside
S* 0.0.0.0 0.0.0.0 [1/0] via 10.2.0.2, outside
01-24-2020 01:37 PM
01-24-2020 01:46 PM
FINALLY!!!!!!!!!! THANK YOU!!!!