02-16-2021 06:35 PM
Hello
I have a 192.168.1.0 subnet from an ASA 5508-X (GE0/2) going to a Catalyst Switch for its own management / Internet access from ASA IP which has a 192.168.1.5 IP Address assigned manually via vlan 1. I have several Interfaces dedicated to that same vlan (1) that connect and grab an IP of, let's say, 192.168.1.4. This specific IP can PING the vlan 10 10.0.1.0 subnet and vlan 11 10.0.2.0 subnet but when I try to connect to the 10.0.2.111 NAS, it just times out.
When I am on either 10.0.1.0 or 10.0.2.0 they both connect to the NAS as well as Ping the 192.168.1.0 subnet (and even 192.168.1.5 IP).
I know this is an IP ROUTE issue but I am just unsure as to which Router needs the route made... Because I CAN see the IP's, just can not connect.
This is my Switch;
Current configuration : 5333 bytes
!
! Last configuration change at 00:59:56 UTC Tue Mar 2 1993
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
switch 1 provision ws-c3750g-24ps
system mtu routing 1500
ip routing
!
!
!
!
crypto pki trustpoint TP-self-signed-29955072
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-29955072
revocation-check none
rsakeypair TP-self-signed-29955072
!
!
crypto pki certificate chain TP-self-signed-29955072
certificate self-signed 01
quit
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface GigabitEthernet1/0/1
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/2
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/3
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/4
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/5
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/6
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/7
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/8
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/9
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/10
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/11
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/12
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/13
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/14
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/15
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/16
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/17
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/18
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/19
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/20
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10,11
switchport mode trunk
!
interface GigabitEthernet1/0/21
description TPLink
switchport access vlan 12
spanning-tree portfast
!
interface GigabitEthernet1/0/22
description DLink
switchport access vlan 13
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/23
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/24
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
description ASA
ip address 192.168.1.5 255.255.255.0
!
interface Vlan10
description Home LAN
no ip address
!
interface Vlan11
description Home VPN
no ip address
!
interface Vlan12
description TPlink
ip address 10.0.1.161 255.255.255.0
!
interface Vlan13
description DLink
ip address 10.0.2.124 255.255.255.0
!
ip http server
ip http secure-server
!
ip route 192.168.3.0 255.255.255.0 192.168.1.1
!
logging esm config
no cdp run
!
!
line con 0
line vty 0 4
login
line vty 5 15
login
!
end
02-23-2021 01:02 PM
As I think about it I believe that issues with DNS server of 205.171.3.65 and loss of Internet access when you changed the gateway address for the PC are probably related. When you changed the gateway address to use the switch IP then forwarding the PC traffic would be done by the switch. I am not clear whether the switch has a default route (which is a reason I asked for the output of show ip route from the switch). If there is no default route then that certainly explains why the PC loses Internet access when its gateway is the switch. And even if the switch does have a default route, what next hop does the switch use and would that path have address translation for the 192.168.1.0 network? If there is no address translation then certainly there is no Internet access.
So we need to go a step at a time in figuring what is the underlying issue and how to fix it.
02-16-2021 06:46 PM
192.168.1.4 - what is the gateway for this device? What is this device?
What is the gateway for the below subnets:
Vlan 10 10.0.1.0 subnet and vlan 11 10.0.2.0
On this device you do not have any route other than the one below:
ip route 192.168.3.0 255.255.255.0 192.168.1.1
If the below devices are only connected to this switch, they are able to talk to each other with no issue:
Vlan 10 10.0.1.0 subnet and VLAN 11 10.0.2.0
But if the device is coming from an external network, a route is required to go back to the same network, in your case the 192.168.1.X network.
02-17-2021 01:05 AM
Hello,
--> This specific IP can PING the vlan 10 10.0.1.0 subnet and vlan 11 10.0.2.0 subnet but when I try to connect to the 10.0.2.111 NAS, it just times out.
Your post is rather confusing, as Vlan 10 and Vlan 11 do not have IP addresses.
Post a schematic drawing of your topology including all IP addressing, interfaces, and what is connected to what.
02-17-2021 08:17 AM
ASA 55508-X
- 207.108.121.X (ASA Gateway & Internet IP)
- GE 1/1 - 192.168.1.1 DHCP / Management (to Catalyst)
- GE 1/2 - 192.168.2.1 (to Wireless Router)
- GE 1/3 - 192.168.3.1 (Server)
- GE 1/3 - 192.168.4.1 (to Wireless Router)
- ip route inside 10.0.1.0 255.255.255.0 192.168.1.5 (this is the IP/Gateway of the L3 3750G Switch)
- ip route inside 10.0.2.0 255.255.255.0 192.168.1.5 (this is the IP/Gateway of the L3 3750G Switch)
- ip route outside 0.0.0.0 0.0.0.0 207.108.121.x
Catalyst 3750G
- vlan 1 192.168.1.5 255.255.255.0 (Switch IP)
- vlan 12 10.0.1.161 255.255.255.0 (Static IP used to "route" between 10.0.1.0 / 10.0.2.0 Subnets)
- vlan 13 10.0.2.124 255.255.255.0 (Static IP used to "route" between 10.0.1.0 / 10.0.2.0 Subnets)
- GE 1/0/23 - 24 (vlan 1 (GE 1/0/23 incoming from ASA and then GE 1/0/24 out to PC (192.168.1.4)
- GE 1/0/1 - 10 (vlan 10 L2 (GE 1/0/1 incoming from external Router with 10.0.1.0 subnet)
- GE 1/0/11 - 19 (vlan 11 L2 (GE 1/0/11 incoming from external Router with 10.0.2.0 subnet)
- GE 1/0/20 - Trunking vlans 10 / 11 to Cisco AP serving 2 SSIDS each connecting to their own vlan.
- ip route 192.168.3.0 255.255.255.0 192.168.1.1 (so vlan 1, 2 & 3 can connect to a Server @ 192.168.3.180)
As I mentioned, this setup has my whole network working where I want it to. 10.0.1.0 can PING and connect to 10.0.2.0 and vice versa, but 192.168.1.0 (192.168.1.4 specifically) can Ping but NOT connect to a 10.0.2.111.
I feel on one hand it is an ip route issue (on the ASA, Catalyst or the Wireless Router housing 10.0.2.0) but then it wouldn't ping without a route, I assume
02-18-2021 11:59 AM
I am confused. In your most recent response you tell us:
- GE 1/0/1 - 10 (vlan 10 L2 (GE 1/0/1 incoming from external Router with 10.0.1.0 subnet)
- GE 1/0/11 - 19 (vlan 11 L2 (GE 1/0/11 incoming from external Router with 10.0.2.0 subnet)
but in the switch config we see that these subnets are associated with vlans 12 and 13
interface Vlan12
description TPlink
ip address 10.0.1.161 255.255.255.0
!
interface Vlan13
description DLink
ip address 10.0.2.124 255.255.255.0
Can you provide clarification?
02-20-2021 06:28 PM
Yes because thus far I have not been able to get vlan 10 / vlan 11, or shall I say more literally, I have not been able to get "ip routing" across 10.0.1.0 and 10.0.2.0 w/out doing vlan 12/13 with static IP's. vlan 10/11 are simply L2 interfaces for their respective vlans I.E more Ethernet Ports for 10.0.1.0 (vlan 10) 10.0.2.0 (vlan 11).
vlan 12, 13 are just so that 10.0.1.0 / 10.0.2.0 communicate. If I disable them, they won't talk, when I enable them, they do.
02-21-2021 09:58 AM
Can you tell us what connects on this port
interface GigabitEthernet1/0/21
description TPLink
and what connects on this port
interface GigabitEthernet1/0/22
description DLink
and can you tell us what these represent: tplink and dlink
02-21-2021 04:37 PM
Going to do my best on a Packet Tracer setup, but for now;
interface GigabitEthernet1/0/21
vlan 12
description TPLink
interface GigabitEthernet1/0/22
vlan 13
description DLink
go with;
interface Vlan12
description TPlink
ip address 10.0.1.161 255.255.255.0
!
interface Vlan13
description DLink
ip address 10.0.2.124 255.255.255.0
I have it set this way so both Subnets (TPLink 10.0.1.0) and DLink (10.0.2.0) can communicate... TPLink and DLink are outside routers.
02-22-2021 07:22 AM
In the original post you tell us this "the vlan 10 10.0.1.0 subnet and vlan 11 10.0.2.0 subnet". Based on this I would expect to see interface vlan 10 configured with an IP address in the 10.0.1.0 subnet. But your configuration has that address on vlan 12. And I would expect to see interface vlan 11 with an IP address in the 10.0.2.0 subnet. But your configuration has that address on vlan 13. I am puzzled why it is this way. Can you clarify?
I am also thinking about this that you tell us " This specific IP can PING the vlan 10 10.0.1.0 subnet and vlan 11 10.0.2.0 subnet but when I try to connect to the 10.0.2.111 NAS, it just times out." The title of the post indicates that it can ping all IP but not access data and that is very strange. But I am wondering if that is actually the case. It would make sense that the device would be able to ping the address in the vlan 10.0.2.124. Can that device really ping 10.0.2.111?
02-22-2021 07:57 AM
Morning
I see what you are asking and my only answer is that, maybe that is my problem. Too many things going on.
I will exaggerate for better clarity.
I have DSL connected to a 5508-X and on that 5508-X , GE 1/2 (192.168.1.1) is connected to GE 1/0/23 on a 3750G Switch.
On that Switch I have vlan 1 ip address 192.168.1.5. Also, GE 1/0/24 is vlan 1 so my PC can plug into it and be able to access Switch and 5508-X obtaining a 192.168.1.x IP via DHCP on 5508-X DHCP Server.
I have a home Wireless Router (192.168.2.177 (Static NAT to a 207.108.131.177)) connected to GE 1/3 (192.168.2.1) on the 5508-X. That Wireless Router (TPLink) has a Subnet of 10.0.1.0.
I have CABLE Modem connected to another Wireless Router (DLink, NOT through my 5508-X) with a Subnet of 10.0.2.0.
What I did was make Switch GE 1/0/1-1/0/10 L2 vlan 10 for anything wanting to obtain a 10.0.1.0 IP Address and GE 1/0/1 is connected to an interface on the TPLink.
I then made Switch GE 1/0/11-1/0/19 L2 vlan 11 for anything wanting to obtain a 10.0.2.0 IP address and GE 1/0/11 is connected to an interface on the DLink.
#1 TPLink and DLink can not be routed via their WAN side because two different ISPs, nor do I want them to.
#2 I know that L2 can not get any routing protocols on the L3/3750G Switch IN L2 Config (or can it?)
#3 I then came to the conclusion, I will not assign an INTERFACE but create 2 new vlans in L3 so that I could allow ip routing thus I made vlan 12 ip address 10.0.1.161 255.255.255.0 and vlan 13 ip address 10.0.2.124 255.255.255.0
This is my result for wanting 10.0.1.0 to talk to 10.0.2.0. I assume L2 ports GE 1/0/1-1/0/10 CAN not be routed so I made 2 more vlans that allow ip routing.
Maybe I did that wrong? But it is how I got it to work, and yet it doesn't. As I say anything on 10.0.1.0 can ping 10.0.2.0, 192.168.1.0 and 192.168.3.0 and vice versa with all the rest but 192.168.1.4, let's say my PC, can access the Internet but not connect to a NAS on 10.0.2.111.
I wonder if I maybe have too many configurations on the Switch? I would love to simplify.
TPLink static route : 10.0.2.0 255.255.255.0 10.0.1.161
192.168.1.0 255.255.255.0 10.0.1.161
Has a route to 192.168.3.0 via Switch static route
DLink static route : 10.0.1.0 255.255.255.0 10.0.2.124
192.168.1.0 255.255.255.0 10.0.2.124
Has a route to 192.168.3.0 via Switch static route
Switch static route: ip route 192.168.3.0 255.255.255.0 192.168.1.1 (to another server, Email, on GE 1/3 on 5508-X)
5508-X static route: outside 0.0.0.0 0.0.0.0 207.108.131.182
inside 10.0.1.0 255.255.255.0 192.168.1.5
inside 10.0.2.0 255.255.255.0 192.168.1.5
I hope to heck that this makes a little more sense. I may simply just have too many configurations. If this can be answered separately, so I can follow.
Based on 2 subnets, 10.0.1.0 from tplink and 10.0.2.0 from dlink, both WAN different ISP so routing HAS to be done via Switch, could I wipe out all vlans on switch except vlan1 and make vlan 10 10.0.1.161 and GE 1/0/1-1/0/10 vlan 10 and anything will grab a 10.0.1.0 IP and same with making a vlan 11 10.0.2.124 and GE 1/0/11-1/0/19 and anything will grab a 10.0.2.0. Would assigning an IP to vlan 10/11 take it (the other ports on same vlan) out of L2 or will they still grab their respective ip and still use the static ip as the route?
I say this because I have vlan 1 192.168.1.5 255.255.255.0 and my PC grabs 192.168.1.4 auto through that same vlan 1, so I assume the same can be said for the other? Maybe I have too much going on!
02-22-2021 08:51 AM
I asked what connects on 1/0/21 and 1/0/22 and you have not told us that answer. As a starting point please tell us what physically is connected to those ports.
I appreciate the additional information that you gave in your most recent response. While it does help a bit there is still much about this environment that I do not understand. But based on what I think I understand let me make these suggestions:
1) remove the IP address currently configured on vlan 12.
2) remove the IP address currently configured on vlan 13.
3) on interface vlan 10 configure ip address 10.0.1.161 255.255.255.0
4) on interface vlan 11 configure ip address 10.0.2.124 255.255.255.0
02-22-2021 09:20 AM
Hello
1/0/21 was connected to TPLink to obtain its IP of 10.0.1.161
1/0/22 was connected to DLink to obtain its IP of 10.0.2.124
Yes, 1/0/1 was connected to TPlink for a way to obtain DHCP for 1/0/2-10 and 1/0/11 was connected to DLink for a way to obtain DHCP for 1/0/12-19.
I had DLink and TPlink connecting to Switch twice. Once for the L2 and once for the vlan ip routing.
Again, this seems to have been too much.
I see on your response to eliminate vlan 12/13 and simply add the IP's to the existing vlan 10/11.
02-22-2021 10:02 AM
Thanks for explaining that "I had DLink and TPlink connecting to Switch twice. Once for the L2 and once for the vlan ip routing." This makes things much more complicated than they need to be. Remove the vlan 12 and 13 connections (or change them to vlan 10 and 11), remove vlan interfaces 12 and 13, and configure the IP addresses on vlan interfaces 10 and 11. Make those changes and let us know if the behavior changes.
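The cleanup suggested in the replies above, written out as IOS commands for the 3750G. This is an added example, not configuration posted by anyone in the thread; it uses the addresses and port numbers from the posted config and assumes the second cables on Gi1/0/21 and Gi1/0/22 are unplugged first and that VLANs 12 and 13 carry nothing else. The old addresses are removed before the new ones are applied because IOS rejects an address that overlaps a subnet already configured on another interface.

```cisco
configure terminal
!
! 1) Retire the duplicate uplink ports (cables to TPLink/DLink removed first).
!    Leaving them cabled and moving them into vlan 10/11 would give each
!    router two links into the same broadcast domain.
interface range GigabitEthernet1/0/21 - 22
 no description
 switchport access vlan 1
 switchport mode access
 shutdown
!
! 2) Remove the layer 3 interfaces that currently hold the addresses.
!    Must happen before step 3, otherwise the new address is refused
!    as overlapping with Vlan12 / Vlan13.
no interface Vlan12
no interface Vlan13
!
! 3) Put the routed addresses on the SVIs of the VLANs the hosts are in.
interface Vlan10
 description Home LAN
 ip address 10.0.1.161 255.255.255.0
 no shutdown
!
interface Vlan11
 description Home VPN
 ip address 10.0.2.124 255.255.255.0
 no shutdown
!
! 4) Remove the now unused layer 2 VLANs.
no vlan 12
no vlan 13
!
end
!
! Verification, run from privileged EXEC:
!   Vlan10 and Vlan11 should be up/up with the addresses above.
show ip interface brief
!   10.0.1.0/24 and 10.0.2.0/24 should appear as connected routes;
!   this also shows whether the switch has a default route at all.
show ip route
!   Ports 1-10 in vlan 10, ports 11-19 in vlan 11, vlans 12/13 gone.
show vlan brief
!   No port in vlan 10 or 11 should be in a blocking state.
show spanning-tree vlan 10
show spanning-tree vlan 11
```

The static routes on the TPLink, DLink and ASA quoted earlier already point at 10.0.1.161, 10.0.2.124 and 192.168.1.5, so they do not need to change when the addresses move to Vlan10 and Vlan11.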
02-22-2021 10:28 AM - edited 02-22-2021 10:52 AM
Alright that makes a lot more sense.
I just recreated this on Packet Tracer and it all looks fine, when I get home I will implement it into my real server and let you know.
Thank you.
02-22-2021 01:06 PM
Let me clarify a few things. A vlan is the layer 2 entity that provides Ethernet connectivity for a group of devices connected in that vlan. Interface vlan x is the layer 3 entity that provides IP addressing and routing for the devices connected in that vlan.
So you do not need (and I would suggest do not want) both vlan 10 and vlan 12 to provide layer 2 connectivity and layer 3 routing. vlan 10 provides the layer 2 connectivity and interface vlan 10 provides the layer 3 connectivity for those devices.
Another aspect to consider (and this gets a bit subtle, so hang in with me on this) is that there is generally a one to one relationship between a vlan and a broadcast domain. (a vlan is a broadcast domain, and a broadcast domain is a vlan) So when you assigned ports on the switch in vlan 10 they were in a broadcast domain on TPLink. And when you assigned a port in vlan 12 to TPLink it was also in the broadcast domain on TPLink (I am pretty sure that TPLink has only a single broadcast domain). So what you had on the switch was actually a single vlan that had two different names (and I am wondering if that might lead to some issues with spanning tree on the switch).
There might still be some issues (I am wondering if the ASA plays any part in the issue). But cleaning up the switch config is an important step toward a solution.