04-17-2021 08:07 AM - edited 04-17-2021 08:08 AM
Hello
As my Switch and ASA running-configs both show, my system is all working completely.
What it does not show is that the vlan 10 and vlan 11 IPs (10.0.1.161 and 10.0.2.124)
are getting their IPs from 2 separate routers, TPLink and D-Link.
The TPLink is here in house and its only purpose is to serve a 10.0.1.0 subnet to the
Switch, and then anyone on those vlan 10 ports will obtain a 10.0.1.0 IP.
The DLink is in the adjacent building with an Ethernet cable running from that router to
my Switch and then anyone on those vlan 11 ports will obtain a 10.0.2.0 IP.
My Switch has 'ip routing' and every device everywhere can see each other and connect to
the internet; beautiful.
What I am trying to achieve here is to eliminate my TPLink (in house) and simply config an
interface on the ASA as it's own DHCP Server for 10.0.1.0.
My goal was to continue to use the existing GigabitEthernet 3 that the TPLink connects to
which is also configured with NAT to an 'outside' static IP.
What I have achieved is this.
After creating a POOL 10.0.1.50 - 10.0.1.200 on the ASA, after configuring Dynamic PAT with the
static IP I am wanting to use, and with configuring the interface on the ASA with 10.0.1.1, I then
connect GE 8 to GigabitEthernet 1/0/1 (what the TPLink was connected to originally); any PC that connects
to any vlan 10 port (GE 1/0/1 - 1/0/10) obtains its respective 10.0.1.x IP and can surf the Web!
BUT NOW any device on the 10.0.1.0 cannot connect to anything on the 10.0.2.0 subnet!! Most importantly
the 10.0.2.111 and 10.0.2.126 NAS servers.
I then manually configured a PC with, let's say, 10.0.1.55 IP, 255.255.255.0 NM and 10.0.1.161 Gateway
(the IP of vlan 10 that will allow all vlans on Switch to communicate) and NOW I CAN connect to the NAS drives
BUT NO INTERNET!
What is weird is that it is trying to resolve but times out.
So I have a default route 0.0.0.0 0.0.0.0 192.168.1.1 on the Switch because initially it was the only point
hitting the ASA for internet, so I feel maybe 10.0.1.0 obviously cannot use the 192.168.x.x as its default gateway
when setting the PC to use .161 as its gateway.
I then created a separate default gateway, now 2, 0.0.0.0 0.0.0.0 10.0.1.1 and 0.0.0.0 0.0.0.0 192.168.1.1
but I feel they are still getting confused.
I then did 0.0.0.0 0.0.0.0 vlan 1 192.168.1.1 and 0.0.0.0 0.0.0.0 vlan 10 10.0.1.1 and they both connect to the internet
(10.0.1.0 and 192.168.1.0 devices) but still no NAS connectivity.
I get that I am changing from a TPLink to an ASA in-house DHCP server but nothing else changed, I just do not understand
why I have to choose either Internet or LAN access but not both. Funny thing is when I am able to see internet I can
PING the NAS drives but they never connect. I also notice when I DO set my PC gateway to 10.0.1.161 (the ONLY "IP" on the
Switch that allows IP routing of that subnet) I CAN connect to NAS but no internet. Why isn't .161 able to allow traffic?!
I am posting both running-configs NOT configured the new way, but the working way.
ASA Version 9.15(1)7
!
hostname Cisco
domain-name Cisco
enable password ***** pbkdf2
service-module 1 keepalive-timeout 4
service-module 1 keepalive-counter 6
service-module sfr keepalive-timeout 4
service-module sfr keepalive-counter 6
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
no mac-address auto
!
interface GigabitEthernet1/1
description WAN
nameif outside
security-level 0
pppoe client vpdn group pppoewan
ip address pppoe setroute
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
description TPLink
nameif TPLink
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet1/4
description Mail
nameif Mail
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface GigabitEthernet1/5
description ceyea
nameif ceyea
security-level 100
ip address 192.168.4.1 255.255.255.0
!
interface GigabitEthernet1/6
description DLink
nameif DLink
security-level 100
ip address 192.168.5.1 255.255.255.0
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
nameif management
security-level 0
no ip address
!
boot system disk0:/asa9-15-1-7-lfbff-k8.SPA
boot system disk0:/asa951-lfbff-k8.SPA
ftp mode passive
dns server-group DefaultDNS
domain-name Cisco
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network TPLink
host 192.168.2.177
object network DLink
host 192.168.5.178
object network CeyeA
host 192.168.4.179
object network mail
host 192.168.3.180
object network inside
subnet 192.168.1.0 255.255.255.0
object-group service 993 tcp
description 993
port-object eq 993
object-group service TCP587 tcp
description TCP587
port-object eq 587
access-list OUTSIDE extended permit tcp any object mail eq 993
access-list OUTSIDE extended permit tcp any object mail eq smtp
pager lines 24
mtu outside 1500
mtu inside 1500
mtu TPLink 1500
mtu Mail 1500
mtu ceyea 1500
mtu DLink 1500
mtu management 1500
no failover
no failover wait-disable
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network TPLink
nat (TPLink,outside) static 207.108.X.X
object network DLink
nat (DLink,outside) static 207.108.X.X
object network CeyeA
nat (ceyea,outside) static 207.108.X.X
object network mail
nat (Mail,outside) static 207.108.X.X
object network inside
nat (inside,outside) dynamic interface
access-group OUTSIDE in interface outside
route outside 0.0.0.0 0.0.0.0 207.108.X.X 1
route inside 10.0.1.0 255.255.255.0 192.168.1.5 1
route inside 10.0.2.0 255.255.255.0 192.168.1.5 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group pppoewan request dialout pppoe
vpdn group pppoewan localname XX
vpdn group pppoewan ppp authentication chap
vpdn username XX password *****
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect snmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:22619cfc6ab198b00446a2a2bcdbfd21
: end
Current configuration : 5275 bytes
!
! Last configuration change at 15:31:23 UTC Mon Mar 8 1993
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
!
username cisco privilege 15 password 0 cisco
no aaa new-model
switch 1 provision ws-c3750g-24ps
system mtu routing 1500
ip routing
!
!
!
!
crypto pki trustpoint TP-self-signed-29955072
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-29955072
revocation-check none
rsakeypair TP-self-signed-29955072
!
!
crypto pki certificate chain TP-self-signed-29955072
certificate self-signed 01
3082023A 308201A3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
2F312D30 2B060355 04031324 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32393935 35303732 301E170D 39333033 30313030 30323334
5A170D32 30303130 31303030 3030305A 302F312D 302B0603 55040313 24494F53
2D53656C 662D5369 676E6564 2D436572 74696669 63617465 2D323939 35353037
3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100A65F
74202A89 76D25FA8 C7ED81DD 6800558E C377B8AD 0E9C26DD E23EFB16 13D19F33
E8B17063 CA28B794 5AF243D3 64EBBD2B 9E26BBCE 358DCA6C 0F540D6A F9F209AF
A59302E1 2A0C9E50 953DD959 1FF3F060 04A6BD71 4EE6E5E6 5E7B179E 36A7969E
7826FDE4 1A8879A7 413462E5 E37FADBC C6C103E4 495052BE 4F8CCA36 E3030203
010001A3 66306430 0F060355 1D130101 FF040530 030101FF 30110603 551D1104
0A300882 06537769 74636830 1F060355 1D230418 30168014 C03E07C1 6E991C9D
FAF8C1A0 2C538489 E1799507 301D0603 551D0E04 160414C0 3E07C16E 991C9DFA
F8C1A02C 538489E1 79950730 0D06092A 864886F7 0D010104 05000381 81004F6A
EB507D1D 80E269DF E29286DA 503C01BE 41F89DEA 60AF1952 FD30B9F3 5DDB929E
1FA39766 E8FDC791 D1B5E3B3 23D211CF F1293208 15252277 F7FF8918 75E493E9
27F915AE 5C1AB8CF BC2B4DE3 6A7E68BE B37A9DD9 6F0CC609 DBA27505 979B09A3
BE1D6C77 1FDC4040 D986CC6A 49F67E8B B5586A13 57ABA87B 8C956A87 DDE2
quit
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface GigabitEthernet1/0/1
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/2
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/3
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/4
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/5
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/6
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/7
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/8
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/9
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/10
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/11
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/12
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/13
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/14
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/15
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/16
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/17
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/18
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/19
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/20
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10,11
switchport mode trunk
!
interface GigabitEthernet1/0/21
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/22
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/23
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/24
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
description ASA
ip address 192.168.1.5 255.255.255.0
!
interface Vlan10
description L3 to TPLink
ip address 10.0.1.161 255.255.255.0
!
interface Vlan11
description L3 to DLink
ip address 10.0.2.124 255.255.255.0
!
ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 192.168.3.0 255.255.255.0 192.168.1.1
ip route 10.0.2.126 255.255.255.255 10.0.2.1
!
logging esm config
no cdp run
!
!
line con 0
line vty 0 4
login
line vty 5 15
login
!
end
05-09-2021 04:22 PM - edited 05-09-2021 04:31 PM
Alright I see your point exactly. This makes complete sense and you are exactly spot on with what I am wanting, as in, eliminate one of the routers I have and just use the ASA as that (10.0.1.0 subnet).
I am all for eliminating any L3 capability on the Switch, aside from, as you said, the Management, and using the rest for vlan 10 L2 and vlan 11 L2, but here would be my question: DLink router, 10.0.2.0 is coming from an external router in a different building, how would I incorporate that? Would I then create an ip route on the ASA?
Or would the 10.0.2.0 still be L3 and then create a route to it through the ASA, which I wouldn’t see how, unless I used the vlan 1 management IP as the “gateway” to it.
or do I Make an interface on the ASA, let’s say GE 4 with static ip 10.0.2.124 with no DHCP and have IT as the L3 which the ASA can route to?
05-10-2021 12:53 PM
In terms of "here’s would be my question" the DLink router has an IP address in 10.0.2.0? If so it is in the vlan that connects to your switch. You describe it as an "external" router. But being in a different building does not make it external. If it is in the same vlan then it is local to your switch.
A related point is about "Would I then create an ip route on the asa?" If the DLink is in subnet 10.0.2.0 then it is in a subnet that is locally connected on the ASA and no static route is required.
Perhaps I should ask a little bit more about the DLink. I understand that it is providing DHCP for devices in that vlan. Is it doing routing for that vlan? (In that DHCP scope is the default router the DLink or is it the switch?)
05-10-2021 05:19 PM
The DLink has its own ISP from Comcast in the next room, not my router. Its internet IP is unrelated to my account. It (DLink) is 10.0.2.1 and has a DHCP server 10.0.2.101-10.0.2.150.
One of its Ethernet ports goes through a wall and into MY Catalyst switch, on which I have created a vlan 11 so that anything in my room can connect to GE 1/0/12-1/0/20, be in vlan 11, and communicate with whatever else is connected to the DLink. It is its own DHCP etc., I just have it "routed" through my Catalyst.
So I can see about removing my TPLink (10.0.1.0 subnet (10.0.1.1 Gateway)) and move THAT to the ASA and configure PAT for that subnet but I am unsure how to incorporate the DLink 10.0.2.0 (vlan 11 only on Catalyst) for routing.
05-11-2021 07:09 AM
I had not realized that DLink had a separate Internet connection. And I am wondering how it works in your original environment. For devices in the 10.0.2.0 subnet what is their default gateway?
In looking at the configurations in your earlier post I had assumed that your switch was routing for all vlans, and that the switch was the default gateway for all the devices on all the vlans. But if that were true there would need to be some routing logic to send 10.0.2.0 traffic to Internet on a different path. So I am wondering if DLink might be the default gateway for devices in 10.0.2.0, which would suggest that DLink probably has a route for 10.0.1.0 with your switch as the next hop. If that is the case then it seems that changing that route on DLink to use the ASA address in 10.0.1.0 would solve this issue.
05-11-2021 10:04 AM - edited 05-11-2021 10:08 AM
Hello
Yeah, the DLink is literally from another source and only part of / connected to my LAN via the Catalyst and IP ROUTING. The devices connected to the DLink (10.0.2.0) have their gateway as 10.0.2.1 for the Internet (as I assume that bypasses the Catalyst for Internet), BUT devices on the TPLink vlan 10 (10.0.1.0) and vlan 1 (192.168.1.0) can see vlan 11 (10.0.2.0) and connect to its devices if those particular devices have the CATALYST IPs as their gateway (10.0.1.161 for vlan 10 and 192.168.1.5 for vlan 1).
With mentioned above, DLink is as we stated, isolated but connecting only through Catalyst and TPLink is a Router that has its own Internet IP via NAT (192.168.2.177 from ASA and ASA NAT's 192.168.2.177 to 207.108.121.177) and then TPlink has 10.0.1.0 Subnet.
I want to eliminate the TPLink, have ASA GE 1/2 as 10.0.1.1 w/ PAT to 207.108.121.177 and then everything communicate, but I can EITHER have devices talk to LAN (vlan 11, vlan 1) or Internet and no connectivity to other vlans. I assume this is due to ONE Static Route on the Catalyst and how would 10.0.1.0 even know what 192.168.1.1 as a route is anyway, not even mentioning if it were to know it, it would have the wrong Internet facing IP.
How do I send a .pkt file?
05-12-2021 12:35 AM
I am a bit confused. In a previous post you said
3 - GE 1/2 10.0.2.1 (NAT 207.108.1.3)
If you want 10.0.2.x to get to the Internet using DLink then why is there a NAT for that subnet on the ASA?
I asked a question before about the DLink which might not have been clear. So let me ask it in a slightly different way: does the DLink have routing statements for 10.0.1.0 and for 192.168.1.0?
I understand that if you zip the pkt file that you can post the zipped file. I do not use PT so if you post a pkt file then someone else would need to use it to answer your questions.
05-12-2021 06:52 AM
Hello!
Yes, I have a NAT for DLink cause we were playing with DUAL WAN his ISP and mine….
The DLink has 2 routes I believe;
10.0.1.0 255.255.255.0 10.0.2.124
192.168.1.0 255.255.255.0 10.0.2.124, which I did because .124 is the "common" IP address to the other vlans on the Catalyst.
What holds true at this point is DLINK has Internet IP on diff ISP and only thing MY network shares with it is GE 1/0/11-1/0/20 vlan 11 on Catalyst.
And then wanting to eliminate TPLink and it’s 10.0.1.0 and move that to ASA.
05-12-2021 10:47 AM
Thanks for the information. Based on this I believe that if you change the routes on DLink from using next hop 10.0.2.124 and have them use the vlan 11 address of ASA that you should have the connectivity between vlan 11 and vlans 1 and 10. Using this if a host in vlan 11 wants to communicate with a host in either vlan 1 or 10 then the vlan 11 host will send the packet to its default gateway (which is DLink), DLink will use its route and forward the packet to ASA, ASA has vlans 1 and 10 as connected subnets and will forward to the destination host. Similarly if a host in vlan 1 or 10 wants to communicate with a host in vlan 11 the host will forward the packet to its default gateway (which is the ASA), the ASA sees vlan 11 as a connected subnet and will forward the packet to its destination host.
05-12-2021 12:37 PM
Perfectly said! Tonight I will give it a shot and let you know the results. Thank you for your patience.
05-12-2021 03:36 PM
One simple stupid question…..
In keeping what you mentioned mostly, is there a way to save the ASA Interface for the 10.0.2.0 and just make a segment of the Switch that subnet? Kind of how it is, but still moving the TPLink 10.0.1.0 to the ASA.
Just for the sake of saving 1 of 7 usable Interfaces.
05-12-2021 11:02 PM
It would be cleaner and more simple to make the switch operate as layer 2 and to connect all 3 vlans to the ASA and have the ASA perform the inter vlan routing. If you want to save an interface of the ASA by not connecting to 10.0.2.0 then you would need to keep the switch as layer 3 and have it route between 10.0.2.0 and the other vlans. In that case you probably want the switch to be the default gateway for all three vlans/subnets.
If you want the ASA to provide DHCP for 10.0.1.0 then that vlan needs to connect to the ASA. I do not see much point to having 2 vlans from the switch connect to the ASA, especially if the switch is to operate as layer 3 and to perform inter vlan routing. I would suggest that you could remove the connection of 192.168.1.0 from the ASA and let the switch to ASA connection be the 10.0.1.0 interface. This would require making changes in the routing logic of the ASA (now it would see 10.0.1.0 as locally connected and 192.168.1.0 as remote - so changes needed in the route statements) but the address translation etc would remain the same. The default route on the switch would need to change its next hop to be the ASA address in 10.0.1.0 but I am not sure that anything else on the switch would change.
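The design described in the reply above (switch stays layer 3, the switch-to-ASA link becomes the 10.0.1.0 interface, 192.168.1.0 becomes a remote subnet on the ASA), written out as an added configuration example. This is not configuration from the thread or from either poster. It assumes the interface names and addresses in the posted running-configs, that the DLink keeps its two routes via 10.0.2.124 from the 05-12-2021 06:52 AM post, that 207.108.X.X is the same anonymized static address the thread uses for the old TPLink NAT, and, as a design choice, that DHCP option 3 hands vlan 10 hosts the switch SVI 10.0.1.161 as their default router so that vlan 10 to vlan 11 traffic never crosses the ASA in one direction only.

```cisco
! ===== ASA (adjusting the posted 9.15(1)7 running-config) =====
!
! GigabitEthernet1/2 moves from 192.168.1.1/24 into the former TPLink subnet.
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0
!
! The TPLink interface and its static NAT are retired.
object network TPLink
 no nat (TPLink,outside) static 207.108.X.X
interface GigabitEthernet1/3
 shutdown
!
! 192.168.1.0 and 10.0.2.0 are now one hop away behind the switch's vlan 10 SVI.
! The two old "route inside ... 192.168.1.5" lines must be removed first.
no route inside 10.0.1.0 255.255.255.0 192.168.1.5 1
no route inside 10.0.2.0 255.255.255.0 192.168.1.5 1
route inside 192.168.1.0 255.255.255.0 10.0.1.161 1
route inside 10.0.2.0 255.255.255.0 10.0.1.161 1
!
! NAT: the posted "object network inside" only covers 192.168.1.0/24, so packets
! sourced from 10.0.1.0/24 would leave the outside interface untranslated without a
! second rule. A single mapped host address makes this dynamic PAT (hide) onto the
! static IP the TPLink used to own; "inside-10" is a name chosen for this example.
object network inside-10
 subnet 10.0.1.0 255.255.255.0
 nat (inside,outside) dynamic 207.108.X.X
object network inside
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! DHCP for vlan 10 on the ASA. "dhcpd auto_config outside" (already in the posted
! config) supplies DNS from the PPPoE session. Option 3 points the default router at
! the switch SVI instead of the ASA's own address, so inter-vlan flows stay on the
! switch and only Internet-bound traffic reaches the ASA, in both directions.
no dhcpd enable inside
no dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd address 10.0.1.50-10.0.1.200 inside
dhcpd option 3 ip 10.0.1.161
dhcpd enable inside
!
! ASDM/HTTPS access was scoped to 192.168.1.0/24 only; allow the new gateway subnet too.
http 10.0.1.0 255.255.255.0 inside
!
! ===== Catalyst 3750 (adjusting the posted switch config) =====
!
! SVIs, "ip routing" and the vlan assignments stay as posted. The ASA now plugs into a
! vlan 10 access port (GE1/0/1 in the first post) instead of the vlan 1 uplink, so the
! default route and the Mail-subnet route move to the ASA's address in vlan 10.
no ip route 0.0.0.0 0.0.0.0 192.168.1.1
no ip route 192.168.3.0 255.255.255.0 192.168.1.1
ip route 0.0.0.0 0.0.0.0 10.0.1.1
ip route 192.168.3.0 255.255.255.0 10.0.1.1
! The host route for the NAS stays as posted:
! ip route 10.0.2.126 255.255.255.255 10.0.2.1
!
! ===== DLink (unchanged) =====
! 10.0.1.0/24    via 10.0.2.124
! 192.168.1.0/24 via 10.0.2.124
```

With this arrangement every flow the ASA sees is symmetric: a vlan 10 or vlan 1 host sends Internet traffic to the switch, the switch forwards it to 10.0.1.1, and the reply comes back through the ASA to the connected 10.0.1.0 subnet or via the 192.168.1.0 route to the switch. Traffic between vlan 10/vlan 1 and vlan 11 is routed by the switch and the DLink alone, which is why the ASA's state table never sees only half of a NAS connection. Before cutting over, `show route` and `show nat detail` on the ASA confirm the new connected subnet and the two PAT rules, and `packet-tracer input inside tcp 192.168.1.50 1025 8.8.8.8 443` walks a vlan 1 packet through routing and NAT (addresses in that command are placeholders). Two items in the posted configs are worth fixing at the same time: the switch has `username cisco privilege 15 password 0 cisco` with `no service password-encryption` and plain `ip http server`, and the ASA still allows `ssh key-exchange group dh-group1-sha1`.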
05-13-2021 10:36 AM
Well, that seems to have indeed worked, I thank you. Has been quite the feat for me. I suppose I was too heavily focused on utilizing the L3 aspect of the Catalyst that I created this overcomplicated scenario.
Which of course has me thinking why even have a L3 Switch but that’s for tomorrow.
thank you
05-13-2021 03:09 PM
You are welcome. I am glad that we have found something that works for you in the new environment. There are multiple approaches that could work, some of them use the Catalyst as layer 2 and some use Catalyst as layer 3. There is not any absolute one that is better than the other. Which is best depends on the environment and depends on the organization and the people who support the network. If one feels better to you, or seems easier to support for you then that is the better choice for you.
You ask an interesting question "Which of course has me thinking why even have a L3 Switch". There are situations where having a L3 switch makes very good sense. For example an organization might have a network with multiple vlans/multiple subnets and a firewall connecting to the Internet. If the organization wants the firewall to focus on protecting traffic to and from the Internet and not to be used for inside traffic then a L3 switch is a very good solution.
05-09-2021 04:25 PM
Also I appreciate your response, I wanted to mention that. Every day I come home and try something new but NEVER WORKS!