How to route vlans to communicate with a cisco ASA Firewall 5510

rfuentes1111
Level 1

Hi,

I need some help. I have the following issue: I'm not able to ping any of my switches from the core switch. I created subinterfaces on the firewall with VLANs.

I'm able to ping from the ASA firewall all the way to the vendor switch, but not able to ping back from any of the switches to the core. Any help would be helpful; see the picture and some of my config.


ASA 5510
interface Ethernet0/0.40
vlan 183
nameif outside
security-level 0
ip address 192.168.40.4 255.255.255.0

interface Ethernet0/1.17
vlan 17
nameif inside
security-level 100
ip address 192.168.50.2 255.255.255.0

==================================================

core
interface GigabitEthernet1/0/1
switchport access vlan 17
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Vlan17
ip address 192.168.50.3 255.255.255.0
!
router ospf 10
log-adjacency-changes
network 192.168.50.0 0.0.0.255 area 20
network 192.168.30.0 0.0.0.255 area 20

===================================================

IDF SWITCH
interface GigabitEthernet1/0/1
Description connect to vendor switch
switchport access vlan 30
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/3
description to ASA
switchport access vlan 40
switchport trunk encapsulation dot1q
switchport mode trunk

interface Vlan30
ip address 192.168.30.4 255.255.255.0
!
interface Vlan40
ip address 192.168.40.2 255.255.255.0
!
router ospf 10
log-adjacency-changes
redistribute static subnets
network 192.168.50.0 0.0.0.255 area 20
network 192.168.30.0 0.0.0.255 area 20
network 192.168.40.0 0.0.0.255 area 20
!
ip classless
ip route 192.168.20.0 255.255.255.0 192.168.30.2
ip http server

3 Replies

TIMOTHY MILLER
Level 5

To be completely sure of what's going on, it would be nice to see the configs on the "vendor switch" if possible.

But, here's what I see that doesn't look right at first glance:

Based on the configuration you provide, the outside interface of the ASA and the two interfaces on the IDF that create the path to your vendor switch are trunks that are configured to carry all VLANs.

While VLAN settings are configured on the interfaces, they are set using access mode settings, not trunk mode.  So, they are not used.

The outside interface of your firewall is set to use VLAN 183.

So traffic is being placed on VLAN 183 all the way to the vendor switch. 

You can verify the trunking status on the IDF via 'show interfaces trunk' and determine if the interfaces are actually trunking and propagating VLAN 183.

While there is a little ambiguity in what you mean by "pings make it to the vendor switch but not all the way back" - my best estimation is that there is a routing interface in VLAN 183 from the vendor switch which is receiving the ping but trying to reply on a VLAN/interface other than 183.

Again, switch configs for the vendor switch would be very helpful here to know for sure.

Quite likely, the solution you are looking for is to change VLAN 183 on the outside interface to VLAN 40...  Unless you are doing some other higher level network functionality (load balancing or other security services).

Hi Timothy

This is a new project and I don't have access to the vendor switch. We are only giving them an IP that will be part of our network, but we want to keep them separate from our internal network. That is why we are doing a P2P connection and injecting a static route into OSPF and redistributing the route. Also, we are not going to trunk the interface; we don't want to share our VLANs. Now we are changing the ASA for a Fortinet Firewall 100D. My question will be how to route inside the Fortinet so that traffic only flows to one interface to the vendor and to our network.

I don't have any experience with a Fortinet Firewall so I'll base my comments on the ASA you were previously going to use.

It's not stated but it seems pretty clear that you are using the ASA/Fortinet firewall in routed mode and not transparent mode.  I'm also going to assume your ASA is not participating in the OSPF routing protocol.

If both of those are true, you need a static route on the IDF switch for the 192.168.50.0/24 network, for a similar reason that you need the static route to your vendor network.  The IDF switch does not know how to get to the inside network.  A static such as:

ip route 192.168.50.0 255.255.255.0 192.168.40.4

You likely need other static route(s) on the core switch if they don't exist already to route traffic destined for the 192.168.20.0, 192.168.30.0, and 192.168.40.0 networks to the inside interface of the firewall.

Presumably, the firewall also knows to send traffic to those networks out the outside interface (pointed at the IDF switch interface).

The diagram and the code snippets don't exactly match (Fa0/1 vs Gi1/0/3, e.g) so some assumptions are needed on my part.  However, there's still a lot of clean up in your configs that are needed:

  1. Your OSPF area 20 is split into two on each side of the firewall.
  2. Remove the switchport mode trunk on the IDF interface connecting to the vendor switch (your point-to-point link)
  3. Correct the VLAN used between the IDF and firewall
  4. The OSPF network statements (while not wrong) could be deceiving:
    1. This one (network 192.168.50.0 0.0.0.255 area 20) on the IDF doesn't find any interfaces (that network is on the inside of the firewall)
    2. This one (network 192.168.30.0 0.0.0.255 area 20) on the core doesn't find any interfaces (that network is on the outside of the firewall)

I hope that helps give you an idea of what's involved. Essentially, the firewall is going to require a lot of additional routes on the switches on each side indicating how to get to networks on the other side of the firewall.

Some of those can be default routes if they make sense for your network.  But, I can't tell that from the information provided.
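The two return-path problems identified in the replies above (the IDF switch has no route back to 192.168.50.0/24, and the ASA outside subinterface is tagged VLAN 183 while the IDF's SVI lives in VLAN 40) can be checked with a small model of the topology. This is an added example, not code or output from the thread; the routing tables and VLAN numbers are taken from the posted configs, the trace function and its messages are constructed for illustration.

```python
import ipaddress

# IDF routing table as posted: two connected SVIs plus the static route to the
# vendor network. There is no entry for the inside network 192.168.50.0/24.
IDF_ROUTES_AS_POSTED = [
    ("192.168.30.0/24", "connected"),
    ("192.168.40.0/24", "connected"),
    ("192.168.20.0/24", "192.168.30.2"),   # ip route 192.168.20.0 ... 192.168.30.2
]
# The static route the reply suggests: ip route 192.168.50.0 255.255.255.0 192.168.40.4
IDF_ROUTES_FIXED = IDF_ROUTES_AS_POSTED + [("192.168.50.0/24", "192.168.40.4")]

ASA_OUTSIDE_IP = "192.168.40.4"


def longest_match(routes, dst):
    """Return (network, next_hop) of the most specific route for dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def trace_reply(idf_routes, idf_link_vlan, asa_outside_vlan, dst="192.168.50.3"):
    """Trace an ICMP echo reply from the IDF switch toward the core's Vlan17 SVI.

    Step 1 is the IDF's layer-3 lookup; step 2 models the 802.1Q tag on the
    trunk toward the ASA, whose subinterface only accepts its configured VLAN.
    Returns (reachable, reason).
    """
    route = longest_match(idf_routes, dst)
    if route is None:
        return False, f"IDF has no route to {dst}; reply is dropped on the IDF"
    net, next_hop = route
    if next_hop == "connected":
        return True, f"{dst} is on connected subnet {net}"
    if next_hop != ASA_OUTSIDE_IP:
        return False, f"IDF forwards {dst} to {next_hop}, not to the ASA outside interface"
    if idf_link_vlan != asa_outside_vlan:
        return False, (f"frame tagged VLAN {idf_link_vlan} dropped: ASA outside "
                       f"subinterface is VLAN {asa_outside_vlan}")
    return True, f"reply reaches ASA outside ({next_hop}) and is routed to the inside network"


if __name__ == "__main__":
    print("as posted:        ", trace_reply(IDF_ROUTES_AS_POSTED, 40, 183))
    print("route added only: ", trace_reply(IDF_ROUTES_FIXED, 40, 183))
    print("route + VLAN 40:  ", trace_reply(IDF_ROUTES_FIXED, 40, 40))
```

Running it shows the reply failing for a different reason at each stage, which is why fixing only the static route or only the VLAN tag still leaves the ping broken.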
