When did you do the laptop

kc1978 · ‎05-27-2015

I have an ASA that is situated behind a cisco router and I'm unable to ping the router's interface that is on the same subnet as the outside interface of the ASA. I can ping the router's interface from the same switch that the ASA is connected. Wireshark on the router's switchport shows arp query but no reply from either the router or the ASA. Here is the config of the ASA and the router. Just want to see if someone could help in letting me know what I'm missing. Thanks

ASA Version 9.3(1)

!

hostname guinep1

domain-name

enable password encrypted

names

!

interface GigabitEthernet0/0

speed 1000

duplex full

nameif outside

security-level 0

ip address 192.168.29.4 255.255.255.240

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 192.168.45.196 255.255.255.0

!

interface GigabitEthernet0/2

shutdown

no nameif

security-level 0

no ip address

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/5

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/6

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/7

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/8

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

management-only

shutdown

nameif management

security-level 100

no ip address

!

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

domain-name

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network inside-net

subnet 192.168.45.0 255.255.255.0

object network obj-192.168.45.0

subnet 192.168.45.0 255.255.255.0

object-group network obj-inside-net

description Inside Networks

network-object 192.168.20.0 255.255.255.0

network-object 192.168.25.0 255.255.255.0

network-object 192.168.35.0 255.255.255.0

network-object 192.168.37.0 255.255.255.0

network-object 192.168.45.0 255.255.255.0

pager lines 23

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit 192.168.29.0 255.255.255.240 outside

asdm image disk0:/asdm-742.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

route outside 0.0.0.0 0.0.0.0 192.168.29.1 1

route inside 192.168.20.0 255.255.255.0 192.168.45.1 1

route inside 192.168.25.0 255.255.255.0 192.168.45.1 1

route inside 192.168.37.0 255.255.255.0 192.168.45.1 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

user-identity default-domain LOCAL

http server enable

http 192.168.20.0 255.255.255.0 inside

http 192.168.25.0 255.255.255.0 inside

http 192.168.37.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy

telnet timeout 5

no ssh stricthostkeycheck

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

dynamic-access-policy-record DfltAccessPolicy

username password encrypted privilege 15

!

class-map class_default

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect rtsp

inspect sunrpc

inspect xdmcp

inspect netbios

inspect tftp

inspect ip-options

inspect icmp

inspect icmp error

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect esmtp

inspect sqlnet

inspect sip

inspect skinny

class class-default

set connection decrement-ttl

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:05f2fcabf2b29546da648900fbcc1cca

: end

ROUTER

router#sh run

Building configuration...

Current configuration : 6030 bytes

!

! Last configuration change at 10:49:25 EDT Wed May 27 2015 by

version 15.1

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname router

!

boot-start-marker

boot system flash:c3825-adventerprisek9-mz.151-4.M9.bin

interface GigabitEthernet0/0

description $FW_OUTSIDE$$ETH-WAN$

ip dhcp relay information trusted

ip address dhcp client-id GigabitEthernet0/0

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

media-type rj45

no cdp enable

!

interface GigabitEthernet0/1

description $ETH-LAN$$FW_INSIDE$

no ip address

no ip unreachables

no ip proxy-arp

duplex full

speed 1000

media-type rj45

no mop enabled

!

interface GigabitEthernet0/1.29

encapsulation dot1Q 29

ip address 192.168.29.1 255.255.255.240

ip nat inside

ip virtual-reassembly in

!

interface FastEthernet1/0

no ip address

duplex full

speed auto

!

interface FastEthernet1/0.35

encapsulation dot1Q 35

ip address 192.168.35.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

!

interface FastEthernet1/0.37

encapsulation dot1Q 37

ip address 192.168.37.16 255.255.255.0

ip nat inside

ip virtual-reassembly in

!

interface FastEthernet1/0.45

encapsulation dot1Q 45

ip address 192.168.45.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

!

interface FastEthernet1/1

no ip address

shutdown

duplex auto

speed auto

!

router eigrp 37

network 192.168.0.0 0.0.255.255

passive-interface GigabitEthernet0/0

!

ip forward-protocol nd

ip http server

ip http authentication local

ip http secure-server

!

ip nat inside source list 1 interface GigabitEthernet0/0 overload

ip nat inside source static udp 192.168.29.4 500 interface GigabitEthernet0/0 500

ip nat inside source static udp 192.168.29.4 4500 interface GigabitEthernet0/0 4500

ip nat inside source static esp 192.168.29.4 interface GigabitEthernet0/0

!

logging trap notifications

logging facility local6

logging 192.168.37.185

access-list 1 permit 192.168.29.0 0.0.0.15

access-list 1 permit 192.168.20.0 0.0.0.255

access-list 1 permit 192.168.25.0 0.0.0.255

access-list 1 permit 192.168.35.0 0.0.0.255

access-list 1 permit 192.168.37.0 0.0.0.255

access-list 1 permit 192.168.45.0 0.0.0.255

access-list 1 remark SDM_ACL Category=2

access-list 111 permit icmp host 192.168.29.1 host 192.168.29.5

access-list 111 permit icmp host 192.168.29.1 host 192.168.29.4

access-list 111 permit icmp host 192.168.35.12 host 192.168.29.1

!

router#

Jon Marshall · ‎05-27-2015

So the port on the switch connected to the router is configured as a trunk ?

And the port the firewall connects to on the switch is in vlan 29 ?

And the native vlan on the trunk is not vlan 29 ?

Jon

kc1978 · ‎05-27-2015

Hi Jon,

So the port on the switch connected to the router is configured as a trunk ? ---- Yes

And the port the firewall connects to on the switch is in vlan 29 ? ---- This is a trunk port

And the native vlan on the trunk is not vlan 29 ? Native vlan 29 is not configured on the ports

Thanks

kc1978 · ‎05-27-2015

Hi Jon,

Here are the interface configs:

interface GigabitEthernet1/0/2

description Router interface

switchport access vlan 29

switchport trunk encapsulation dot1q

switchport mode trunk

switchport nonegotiate

spanning-tree portfast trunk

interface GigabitEthernet1/0/13

description ASA outside

switchport trunk encapsulation dot1q

switchport mode trunk

speed 1000

duplex full

spanning-tree portfast

interface GigabitEthernet1/0/14

description ASA inside

switchport access vlan 45

switchport mode access

speed 1000

duplex full

spanning-tree portfast

Jon Marshall · ‎05-27-2015

Your connection to the ASA outside interface is configured as a trunk but your ASA is not using subinterfaces.

The ASA will not be sending tagged packets to the switch.

Can you -

1) on the switch router port remove "switchport access vlan 29" ie. it is either an access port or a trunk port, not both, and it is meant to be a trunk port.

It should work as is but it is better to only have the configuration you need in there.

2) on the switch ASA port change it from a trunk to an access port ie. -

switchport mode access
switchport access vlan 29

Jon

kc1978 · ‎05-27-2015

Hi Jon,

I made the changes but I'm still having the same issue:

Broadcast ARP 60 Who has 192.168.29.4? Tell 192.168.29.1

Thanks

Jon Marshall · ‎05-27-2015

Can you post a "sh int trunk" from the switch ?

Jon

kc1978 · ‎05-27-2015

Hi Jon,

Here is the result of the command:

Switch#sh int trunk

Port Mode Encapsulation Status Native vlan
Gi1/0/1 on 802.1q trunking 1
Gi1/0/2 on 802.1q trunking 1
Gi1/0/10 on 802.1q trunking 1
Gi1/0/11 on 802.1q trunking 1
Gi1/0/15 on 802.1q trunking 1
Gi1/0/26 on 802.1q trunking 1
Gi1/0/28 on 802.1q trunking 1

Port Vlans allowed on trunk
Gi1/0/1 1-4094
Gi1/0/2 1-4094
Gi1/0/10 1-4094
Gi1/0/11 20,25,29,37
Gi1/0/15 1-4094
Gi1/0/26 20,25,37
Gi1/0/28 1-4094

Port Vlans allowed and active in management domain
Gi1/0/1 1,15,20,25,29-30,35,37,45
Gi1/0/2 1,15,20,25,29-30,35,37,45
Gi1/0/10 1,15,20,25,29-30,35,37,45
Gi1/0/11 20,25,29,37
Gi1/0/15 1,15,20,25,29-30,35,37,45
Gi1/0/26 20,25,37
Gi1/0/28 1,15,20,25,29-30,35,37,45

Port Vlans in spanning tree forwarding state and not pruned

Port Vlans in spanning tree forwarding state and not pruned
Gi1/0/1 1,15,20,25,29-30,35,37,45
Gi1/0/2 1,15,20,25,29-30,35,37,45
Gi1/0/10 1,15,20,25,29-30,35,37,45
Gi1/0/11 20,25,29,37
Gi1/0/15 1,15,20,25,29-30,35,37,45
Gi1/0/26 20,25,37
Gi1/0/28 1,15,20,25,29-30,35,37,45
Switch#

Jon Marshall · ‎05-27-2015

The switch configuration looks okay from what I can see.

Are both interfaces ie. the ASA outside and the port on the switch it connects to in the up/up state ?

Jon

kc1978 · ‎05-27-2015

They are up/up state.

This is driving me crazy for a week because I don't see why there is an issue. To make sure there is nothing wrong, I connected a laptop to the same port as the "outside" interface and configured it with a vlan 29 ip address and I was able to ping the interface of the router. I can also ping it from the switch, so I'm a little confused. The other info that I get from the arp debug on the ASA is this:

arp-in: request at inside from 192.168.29.4 0050.56ac.aede for 192.168.29.1 0000.0000.0000 having smac 0050.56ac.aede dmac ffff.ffff.ffff

arp-in: Arp packet received from 192.168.29.4 which is in different subnet than the connected interface 192.168.45.196/255.255.255.0

arp-send: arp request built from 192.168.29.4 0050.56ac.aede for 192.168.29.1 at 123975080

Jon Marshall · ‎05-27-2015

When did you do the laptop test because if the port was configured as a trunk port it should not have worked.

Can you post a "sh vlan brief" from the switch ?

Jon

kc1978 · ‎05-27-2015

No, I had it configured as an "access" port for the laptop.

Switch#sh vlan brief

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi1/0/3, Gi1/0/4, Gi1/0/5, Gi1/0/16, Gi1/0/17, Gi1/0/18, Gi1/0/19, Gi1/0/21, Gi1/0/22, Gi1/0/23, Gi1/0/27
15 VLAN0015 active
20 VLAN0020 active
25 VLAN0025 active
29 VLAN0029 active Gi1/0/13
30 VLAN0030 active
35 VLAN0035 active
37 VLAN0037 active Gi1/0/6, Gi1/0/7, Gi1/0/8, Gi1/0/9, Gi1/0/24, Gi1/0/25
45 VLAN0045 active Gi1/0/12, Gi1/0/14
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
Switch#

Jon Marshall · ‎05-27-2015

Can you explain the physical connectivity ?

Why does the router have an interface in vlan 45 which is the same vlan as the ASA inside interface as well as in vlan 29 ie. the outside interface of the ASA ?

What is the switch ie. is it L2 only or L3 ?

Jon

kc1978 · ‎05-27-2015

It's a layer 3 --- Cisco 3750

The router is doing routing for 192.168.45.x on a subinterface

Jon Marshall · ‎05-27-2015

Right, but if the router has interfaces for both the outside and inside interfaces of the ASA then it can just route around the firewall.

Is everything routed off the router ie. does the 3750 have any SVIs for internal subnets.

It sounds like the physical connectivity is amiss somewhere but I'm trying to understand what the setup is ie. you wouldn't normally have the outside interface of your ASA connecting to a router which also has an interface to the ASA's inside interface vlan.

How is the traffic flow from an inside vlan/IP subnet to the router and presumably beyond to the internet meant to flow.

You have an EIGRP network statement on the router 192.168.0.0 0.0.255.255.

If you also have the same statement on your L3 switch and you have SVIs for your internal vlans/IP subnets on the 3750 then all traffic will, as I say, be routed around the firewall.

Jon

Unable to ping router's interface from ASA