05-27-2015 08:25 AM - edited 03-11-2019 11:00 PM
I have an ASA that is situated behind a Cisco router and I'm unable to ping the router's interface that is on the same subnet as the outside interface of the ASA. I can ping the router's interface from the same switch that the ASA is connected to. Wireshark on the router's switchport shows an ARP query but no reply from either the router or the ASA. Here is the config of the ASA and the router. I just want to see if someone could help in letting me know what I'm missing. Thanks
ASA Version 9.3(1)
!
hostname guinep1
domain-name
enable password encrypted
names
!
interface GigabitEthernet0/0
speed 1000
duplex full
nameif outside
security-level 0
ip address 192.168.29.4 255.255.255.240
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.45.196 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
security-level 0
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/8
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
shutdown
nameif management
security-level 100
no ip address
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network inside-net
subnet 192.168.45.0 255.255.255.0
object network obj-192.168.45.0
subnet 192.168.45.0 255.255.255.0
object-group network obj-inside-net
description Inside Networks
network-object 192.168.20.0 255.255.255.0
network-object 192.168.25.0 255.255.255.0
network-object 192.168.35.0 255.255.255.0
network-object 192.168.37.0 255.255.255.0
network-object 192.168.45.0 255.255.255.0
pager lines 23
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit 192.168.29.0 255.255.255.240 outside
asdm image disk0:/asdm-742.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
route outside 0.0.0.0 0.0.0.0 192.168.29.1 1
route inside 192.168.20.0 255.255.255.0 192.168.45.1 1
route inside 192.168.25.0 255.255.255.0 192.168.45.1 1
route inside 192.168.37.0 255.255.255.0 192.168.45.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 192.168.20.0 255.255.255.0 inside
http 192.168.25.0 255.255.255.0 inside
http 192.168.37.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username password encrypted privilege 15
!
class-map class_default
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect rtsp
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect esmtp
inspect sqlnet
inspect sip
inspect skinny
class class-default
set connection decrement-ttl
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:05f2fcabf2b29546da648900fbcc1cca
: end
ROUTER
router#sh run
Building configuration...
Current configuration : 6030 bytes
!
! Last configuration change at 10:49:25 EDT Wed May 27 2015 by
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname router
!
boot-start-marker
boot system flash:c3825-adventerprisek9-mz.151-4.M9.bin
interface GigabitEthernet0/0
description $FW_OUTSIDE$$ETH-WAN$
ip dhcp relay information trusted
ip address dhcp client-id GigabitEthernet0/0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45
no cdp enable
!
interface GigabitEthernet0/1
description $ETH-LAN$$FW_INSIDE$
no ip address
no ip unreachables
no ip proxy-arp
duplex full
speed 1000
media-type rj45
no mop enabled
!
interface GigabitEthernet0/1.29
encapsulation dot1Q 29
ip address 192.168.29.1 255.255.255.240
ip nat inside
ip virtual-reassembly in
!
interface FastEthernet1/0
no ip address
duplex full
speed auto
!
interface FastEthernet1/0.35
encapsulation dot1Q 35
ip address 192.168.35.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface FastEthernet1/0.37
encapsulation dot1Q 37
ip address 192.168.37.16 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface FastEthernet1/0.45
encapsulation dot1Q 45
ip address 192.168.45.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface FastEthernet1/1
no ip address
shutdown
duplex auto
speed auto
!
!
router eigrp 37
network 192.168.0.0 0.0.255.255
passive-interface GigabitEthernet0/0
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source static udp 192.168.29.4 500 interface GigabitEthernet0/0 500
ip nat inside source static udp 192.168.29.4 4500 interface GigabitEthernet0/0 4500
ip nat inside source static esp 192.168.29.4 interface GigabitEthernet0/0
!
logging trap notifications
logging facility local6
logging 192.168.37.185
access-list 1 permit 192.168.29.0 0.0.0.15
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 1 permit 192.168.25.0 0.0.0.255
access-list 1 permit 192.168.35.0 0.0.0.255
access-list 1 permit 192.168.37.0 0.0.0.255
access-list 1 permit 192.168.45.0 0.0.0.255
access-list 1 remark SDM_ACL Category=2
access-list 111 permit icmp host 192.168.29.1 host 192.168.29.5
access-list 111 permit icmp host 192.168.29.1 host 192.168.29.4
access-list 111 permit icmp host 192.168.35.12 host 192.168.29.1
!
router#
05-27-2015 08:55 AM
So the port on the switch connected to the router is configured as a trunk ?
And the port the firewall connects to on the switch is in vlan 29 ?
And the native vlan on the trunk is not vlan 29 ?
Jon
05-27-2015 09:36 AM
Hi Jon,
So the port on the switch connected to the router is configured as a trunk ? ---- Yes
And the port the firewall connects to on the switch is in vlan 29 ? ---- This is a trunk port
And the native vlan on the trunk is not vlan 29 ? ---- Native vlan 29 is not configured on the ports
Thanks
05-27-2015 09:40 AM
Hi Jon,
Here are the interface configs:
interface GigabitEthernet1/0/2
description Router interface
switchport access vlan 29
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk
!
interface GigabitEthernet1/0/13
description ASA outside
switchport trunk encapsulation dot1q
switchport mode trunk
speed 1000
duplex full
spanning-tree portfast
!
interface GigabitEthernet1/0/14
description ASA inside
switchport access vlan 45
switchport mode access
speed 1000
duplex full
spanning-tree portfast
05-27-2015 10:34 AM
Your connection to the ASA outside interface is configured as a trunk, but your ASA is not using subinterfaces.
The ASA will not be sending tagged packets to the switch.
Can you -
1) On the switch router port, remove "switchport access vlan 29", i.e. it is either an access port or a trunk port, not both, and it is meant to be a trunk port.
It should work as is, but it is better to only have the configuration you need in there.
2) On the switch ASA port, change it from a trunk to an access port, i.e. -
switchport mode access
switchport access vlan 29
Jon
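The trunk-versus-access mismatch Jon describes, modelled as an added example that is not part of the thread or of any Cisco code: a Cisco trunk assigns untagged ingress frames to its native VLAN (1 by default, which is an assumption here) and sends frames in the native VLAN untagged, while an access port maps untagged frames to its access VLAN. Port names, MACs and IPs are taken from the thread; the router MAC is a placeholder, and the claim that an ASA interface without subinterfaces ignores tagged frames is a modelling assumption. The ARP frames are built byte-for-byte so the 802.1Q tag handling is real, not a string label.

```python
"""Added example: 802.1Q classification on Cisco access/trunk ports, used to
show why the ASA's untagged ARP request lands in the native VLAN on a trunk
port and why the router's VLAN-29-tagged request never reaches the ASA untagged.
Router MAC is a placeholder; native VLAN 1 and the ASA's untagged-only
behaviour are assumptions."""
import socket
import struct
from dataclasses import dataclass

ETHERTYPE_ARP = 0x0806
ETHERTYPE_8021Q = 0x8100
ALL_VLANS = frozenset(range(1, 4095))


@dataclass
class Port:
    name: str
    mode: str                     # "access" or "trunk"
    access_vlan: int = 1
    native_vlan: int = 1          # Cisco default native VLAN on a dot1q trunk (assumption)
    allowed: frozenset = ALL_VLANS


def mac_bytes(mac: str) -> bytes:
    """Cisco dotted (0050.56ac.aede) or colon notation to 6 bytes."""
    return bytes.fromhex(mac.replace(".", "").replace(":", ""))


def arp_request(src_mac: str, src_ip: str, target_ip: str) -> bytes:
    """Untagged Ethernet II broadcast frame carrying an ARP who-has request."""
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)          # Ethernet, IPv4, op=request
    arp += mac_bytes(src_mac) + socket.inet_aton(src_ip)
    arp += bytes(6) + socket.inet_aton(target_ip)
    return mac_bytes("ffff.ffff.ffff") + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP) + arp


def tag_vid(frame: bytes):
    """VLAN ID from the 802.1Q tag, or None if the frame is untagged."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_8021Q:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF


def add_tag(frame: bytes, vid: int) -> bytes:
    """Insert an 802.1Q tag (PCP 0, DEI 0) after the source MAC."""
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    return frame if tag_vid(frame) is None else frame[:12] + frame[16:]


def ingress_vlan(port: Port, frame: bytes):
    """VLAN the switch assigns to an arriving frame, or None if it is dropped."""
    vid = tag_vid(frame)
    if port.mode == "access":
        return port.access_vlan if vid is None else None     # model: untagged only
    if vid is None or vid == 0:                              # untagged or priority-tagged
        return port.native_vlan
    return vid if vid in port.allowed else None


def egress_frame(port: Port, vlan: int, frame: bytes):
    """Frame as it leaves `port` in `vlan`, or None if not forwarded there."""
    untagged = strip_tag(frame)
    if port.mode == "access":
        return untagged if vlan == port.access_vlan else None
    if vlan not in port.allowed:
        return None
    return untagged if vlan == port.native_vlan else add_tag(untagged, vlan)


def flood(ports: dict, ingress: str, frame: bytes) -> dict:
    """Flood a broadcast from `ingress` to every other port in its VLAN.
    Returns {port_name: (vlan, frame_on_wire_or_None)}."""
    vlan = ingress_vlan(ports[ingress], frame)
    return {n: (vlan, None if vlan is None else egress_frame(p, vlan, frame))
            for n, p in ports.items() if n != ingress}


def asa_accepts(frame) -> bool:
    """Assumption: an ASA interface without subinterfaces processes untagged frames only."""
    return frame is not None and tag_vid(frame) is None


def scenario(outside_port: Port) -> dict:
    """Run both ARP requests from the thread through the switch model."""
    ports = {
        "Gi1/0/2": Port("Gi1/0/2", "trunk"),                      # router, dot1q trunk
        "Gi1/0/13": outside_port,                                 # ASA outside
        "Gi1/0/14": Port("Gi1/0/14", "access", access_vlan=45),   # ASA inside
    }
    asa_req = arp_request("0050.56ac.aede", "192.168.29.4", "192.168.29.1")
    rtr_req = add_tag(arp_request("0000.0c00.2901", "192.168.29.1", "192.168.29.4"), 29)  # Gi0/1.29
    to_router = flood(ports, "Gi1/0/13", asa_req)["Gi1/0/2"]
    to_asa = flood(ports, "Gi1/0/2", rtr_req)["Gi1/0/13"]
    return {
        "asa_request_vlan": to_router[0],
        "asa_request_tag_at_router": None if to_router[1] is None else tag_vid(to_router[1]),
        "asa_receives_router_request": asa_accepts(to_asa[1]),
    }


if __name__ == "__main__":
    print("Gi1/0/13 as trunk :", scenario(Port("Gi1/0/13", "trunk")))
    print("Gi1/0/13 as access:", scenario(Port("Gi1/0/13", "access", access_vlan=29)))
```

With Gi1/0/13 as a trunk the ASA's request is classified into VLAN 1 and reaches the router untagged, where no subinterface owns 192.168.29.1, and the router's tagged request arrives at the ASA with a VLAN 29 tag it does not process; with Gi1/0/13 as an access port in VLAN 29 both directions line up. The same native-VLAN rule is what double-tagging VLAN-hopping attacks rely on, which is a second reason an untagged edge device belongs on an access port rather than on a trunk with the default native VLAN.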
05-27-2015 10:36 AM
Hi Jon,
I made the changes but I'm still having the same issue:
Broadcast ARP 60 Who has 192.168.29.4? Tell 192.168.29.1
Thanks
05-27-2015 10:39 AM
Can you post a "sh int trunk" from the switch ?
Jon
05-27-2015 10:47 AM
Hi Jon,
Here is the result of the command:
Switch#sh int trunk
Port Mode Encapsulation Status Native vlan
Gi1/0/1 on 802.1q trunking 1
Gi1/0/2 on 802.1q trunking 1
Gi1/0/10 on 802.1q trunking 1
Gi1/0/11 on 802.1q trunking 1
Gi1/0/15 on 802.1q trunking 1
Gi1/0/26 on 802.1q trunking 1
Gi1/0/28 on 802.1q trunking 1
Port Vlans allowed on trunk
Gi1/0/1 1-4094
Gi1/0/2 1-4094
Gi1/0/10 1-4094
Gi1/0/11 20,25,29,37
Gi1/0/15 1-4094
Gi1/0/26 20,25,37
Gi1/0/28 1-4094
Port Vlans allowed and active in management domain
Gi1/0/1 1,15,20,25,29-30,35,37,45
Gi1/0/2 1,15,20,25,29-30,35,37,45
Gi1/0/10 1,15,20,25,29-30,35,37,45
Gi1/0/11 20,25,29,37
Gi1/0/15 1,15,20,25,29-30,35,37,45
Gi1/0/26 20,25,37
Gi1/0/28 1,15,20,25,29-30,35,37,45
Port Vlans in spanning tree forwarding state and not pruned
Gi1/0/1 1,15,20,25,29-30,35,37,45
Gi1/0/2 1,15,20,25,29-30,35,37,45
Gi1/0/10 1,15,20,25,29-30,35,37,45
Gi1/0/11 20,25,29,37
Gi1/0/15 1,15,20,25,29-30,35,37,45
Gi1/0/26 20,25,37
Gi1/0/28 1,15,20,25,29-30,35,37,45
Switch#
05-27-2015 10:58 AM
The switch configuration looks okay from what I can see.
Are both interfaces ie. the ASA outside and the port on the switch it connects to in the up/up state ?
Jon
05-27-2015 11:17 AM
They are in the up/up state.
This has been driving me crazy for a week because I don't see why there is an issue. To make sure there is nothing wrong, I connected a laptop to the same port as the "outside" interface and configured it with a VLAN 29 IP address, and I was able to ping the interface of the router. I can also ping it from the switch, so I'm a little confused. The other info that I get from the ARP debug on the ASA is this:
arp-in: request at inside from 192.168.29.4 0050.56ac.aede for 192.168.29.1 0000.0000.0000 having smac 0050.56ac.aede dmac ffff.ffff.ffff
arp-in: Arp packet received from 192.168.29.4 which is in different subnet than the connected interface 192.168.45.196/255.255.255.0
arp-send: arp request built from 192.168.29.4 0050.56ac.aede for 192.168.29.1 at 123975080
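A check a practitioner would run over the "debug arp" lines above, as an added example that is not part of the thread or of Cisco's software: parse the arp-in and arp-send messages and flag any inbound ARP whose sender IP or MAC is one the ASA itself owns but which arrived on a different interface from the one that address is configured on. The interface addresses come from the posted ASA config; the last sample line is constructed for the example and is benign.

```python
"""Added example: flag the ASA seeing its own ARP request come back in on
another interface, which only happens when two of its interfaces share a
broadcast domain somewhere in the switching layer."""
import ipaddress
import re

ARP_IN = re.compile(
    r"arp-in: request at (?P<ifc>\S+) from (?P<sip>[\d.]+) (?P<smac>[0-9a-f.]{14}) "
    r"for (?P<tip>[\d.]+)"
)
ARP_SEND = re.compile(r"arp-send: arp request built from (?P<sip>[\d.]+) (?P<smac>[0-9a-f.]{14})")

ASA_INTERFACES = {  # from the "show run" in the first post
    "outside": ipaddress.ip_interface("192.168.29.4/255.255.255.240"),
    "inside": ipaddress.ip_interface("192.168.45.196/255.255.255.0"),
}

# First three lines are the ones posted in the thread; the fourth is constructed
# (a normal host on the inside subnet resolving the ASA inside address).
SAMPLE_DEBUG = """\
arp-in: request at inside from 192.168.29.4 0050.56ac.aede for 192.168.29.1 0000.0000.0000 having smac 0050.56ac.aede dmac ffff.ffff.ffff
arp-in: Arp packet received from 192.168.29.4 which is in different subnet than the connected interface 192.168.45.196/255.255.255.0
arp-send: arp request built from 192.168.29.4 0050.56ac.aede for 192.168.29.1 at 123975080
arp-in: request at inside from 192.168.45.10 0011.2233.4455 for 192.168.45.196 0000.0000.0000 having smac 0011.2233.4455 dmac ffff.ffff.ffff
""".splitlines()


def analyse_arp_debug(lines, interfaces=ASA_INTERFACES):
    """Return a list of findings (dicts) for inbound ARP requests that should not
    have been seen on the interface they arrived on."""
    own_ip = {str(i.ip): name for name, i in interfaces.items()}
    own_mac = set()
    for line in lines:                          # pass 1: sender MACs the ASA built itself
        m = ARP_SEND.search(line)
        if m:
            own_mac.add(m["smac"])
    findings = []
    for line in lines:                          # pass 2: classify inbound requests
        m = ARP_IN.search(line)
        if not m:
            continue
        ifc, sip, smac = m["ifc"], m["sip"], m["smac"]
        if sip in own_ip or smac in own_mac:
            home = own_ip.get(sip, "?")
            if home != ifc:                     # our own request looped back on another interface
                findings.append({"kind": "own-arp-looped", "seen_on": ifc,
                                 "home": home, "ip": sip, "mac": smac})
        elif ifc in interfaces and ipaddress.ip_address(sip) not in interfaces[ifc].network:
            findings.append({"kind": "off-subnet-arp", "seen_on": ifc, "ip": sip, "mac": smac})
    return findings


if __name__ == "__main__":
    for f in analyse_arp_debug(SAMPLE_DEBUG):
        print(f)
```

An "own-arp-looped" finding with seen_on=inside and home=outside means the frame the ASA put on its outside wire was delivered back to its inside wire, so the outside and inside segments are not isolated from each other at layer 2; that is worth confirming with "show mac address-table" on the switch before looking any further at the ASA itself.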
05-27-2015 11:28 AM
When did you do the laptop test? Because if the port was configured as a trunk port it should not have worked.
Can you post a "sh vlan brief" from the switch ?
Jon
05-27-2015 11:42 AM
No, I had it configured as an "access" port for the laptop.
Switch#sh vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi1/0/3, Gi1/0/4, Gi1/0/5, Gi1/0/16, Gi1/0/17, Gi1/0/18, Gi1/0/19, Gi1/0/21, Gi1/0/22, Gi1/0/23, Gi1/0/27
15 VLAN0015 active
20 VLAN0020 active
25 VLAN0025 active
29 VLAN0029 active Gi1/0/13
30 VLAN0030 active
35 VLAN0035 active
37 VLAN0037 active Gi1/0/6, Gi1/0/7, Gi1/0/8, Gi1/0/9, Gi1/0/24, Gi1/0/25
45 VLAN0045 active Gi1/0/12, Gi1/0/14
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
Switch#
05-27-2015 11:48 AM
Can you explain the physical connectivity?
Why does the router have an interface in vlan 45, which is the same vlan as the ASA inside interface, as well as in vlan 29, i.e. the outside interface of the ASA?
What is the switch, i.e. is it L2 only or L3?
Jon
05-27-2015 11:59 AM
It's a layer 3 --- Cisco 3750
The router is doing routing for 192.168.45.x on a subinterface
05-27-2015 12:22 PM
Right, but if the router has interfaces for both the outside and inside interfaces of the ASA then it can just route around the firewall.
Is everything routed off the router, i.e. does the 3750 have any SVIs for internal subnets?
It sounds like the physical connectivity is amiss somewhere, but I'm trying to understand what the setup is, i.e. you wouldn't normally have the outside interface of your ASA connecting to a router which also has an interface in the ASA's inside interface vlan.
How is the traffic from an inside vlan/IP subnet to the router, and presumably beyond to the internet, meant to flow?
You have an EIGRP network statement on the router, 192.168.0.0 0.0.255.255.
If you also have the same statement on your L3 switch and you have SVIs for your internal vlans/IP subnets on the 3750 then all traffic will, as I say, be routed around the firewall.
Jon