Lost with configuration. Can either choose LAN or WAN access, not both!

fbeye
Level 4

Hello

As my Switch and ASA running-configs both show, my system is all working completely. What they do not show is that the vlan 10 and vlan 11 IPs (10.0.1.161 and 10.0.2.124) are getting their IPs from 2 separate routers, a TPLink and a D-Link. The TPLink is here in house and its only purpose is to serve a 10.0.1.0 subnet to the Switch, and then anyone on those vlan 10 ports will obtain a 10.0.1.0 IP. The DLink is in the adjacent building with an Ethernet cable running from that router to my Switch, and then anyone on those vlan 11 ports will obtain a 10.0.2.0 IP. My Switch has 'ip routing' and every device everywhere can see each other and connect to the internet; beautiful.

What I am trying to achieve here is to eliminate my TPLink (in house) and simply config an interface on the ASA as its own DHCP server for 10.0.1.0. My goal was to continue to use the existing GigabitEthernet 3 that the TPLink connects to, which is also configured with NAT to an 'outside' static IP.

What I have achieved is this. After creating a pool 10.0.1.50 - 10.0.1.200 on the ASA, configuring Dynamic PAT with the static IP I am wanting to use, and configuring the interface on the ASA with 10.0.1.1, I then connect GE 8 to GigabitEthernet 1/0/1 (what the TPLink was connected to originally), and any PC that connects to any vlan 10 port (GE 1/0/1 - 1/0/10) obtains its respective 10.0.1.x IP and can surf the Web! BUT NOW any device on the 10.0.1.0 can not connect to anything on the 10.0.2.0 subnet!! Most importantly the 10.0.2.111 and 10.0.2.126 NAS servers.

I then manually configured a PC with, let's say, 10.0.1.55 IP, 255.255.255.0 NM and 10.0.1.161 gateway (the IP of vlan 10 that will allow all vlans on the Switch to communicate), and NOW I CAN connect to the NAS drives BUT NO INTERNET! What is weird is that it is trying to resolve but times out.

So I have a default route 0.0.0.0 0.0.0.0 192.168.1.1 on the Switch because initially it was the only point hitting the ASA for internet, so I feel maybe 10.0.1.0 obviously can not use the 192.168.x.x as its default gateway when setting the PC to use .161 as its gateway. I then created a separate default gateway, now 2: 0.0.0.0 0.0.0.0 10.0.1.1 and 0.0.0.0 0.0.0.0 192.168.1.1, but I feel they are still getting confused. I then did 0.0.0.0 0.0.0.0 vlan 1 192.168.1.1 and 0.0.0.0 0.0.0.0 vlan 10 10.0.1.1 and they both connect to the internet (10.0.1.0 and 192.168.1.0 devices) but still no NAS connectivity.

I get that I am changing from a TPLink to an ASA in-house DHCP server but nothing else changed; I just do not understand why I have to choose either Internet or LAN access but not both. Funny thing is when I am able to see the internet I can PING the NAS drives but they never connect. I also notice when I DO set my PC gateway to 10.0.1.161 (the ONLY "IP" on the Switch that allows IP routing of that subnet) I CAN connect to NAS but no internet. Why isn't .161 able to allow traffic?!

I am posting both running-configs NOT configured the new way, but the working way.

 

 

ASA Version 9.15(1)7
!
hostname Cisco
domain-name Cisco
enable password ***** pbkdf2
service-module 1 keepalive-timeout 4
service-module 1 keepalive-counter 6
service-module sfr keepalive-timeout 4
service-module sfr keepalive-counter 6
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
no mac-address auto

!
interface GigabitEthernet1/1
description WAN
nameif outside
security-level 0
pppoe client vpdn group pppoewan
ip address pppoe setroute
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
description TPLink
nameif TPLink
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet1/4
description Mail
nameif Mail
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface GigabitEthernet1/5
description ceyea
nameif ceyea
security-level 100
ip address 192.168.4.1 255.255.255.0
!
interface GigabitEthernet1/6
description DLink
nameif DLink
security-level 100
ip address 192.168.5.1 255.255.255.0
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
nameif management
security-level 0
no ip address
!
boot system disk0:/asa9-15-1-7-lfbff-k8.SPA
boot system disk0:/asa951-lfbff-k8.SPA
ftp mode passive
dns server-group DefaultDNS
domain-name Cisco
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network TPLink
host 192.168.2.177
object network DLink
host 192.168.5.178
object network CeyeA
host 192.168.4.179
object network mail
host 192.168.3.180
object network inside
subnet 192.168.1.0 255.255.255.0
object-group service 993 tcp
description 993
port-object eq 993
object-group service TCP587 tcp
description TCP587
port-object eq 587
access-list OUTSIDE extended permit tcp any object mail eq 993
access-list OUTSIDE extended permit tcp any object mail eq smtp
pager lines 24
mtu outside 1500
mtu inside 1500
mtu TPLink 1500
mtu Mail 1500
mtu ceyea 1500
mtu DLink 1500
mtu management 1500
no failover
no failover wait-disable
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network TPLink
nat (TPLink,outside) static 207.108.X.X
object network DLink
nat (DLink,outside) static 207.108.X.X
object network CeyeA
nat (ceyea,outside) static 207.108.X.X
object network mail
nat (Mail,outside) static 207.108.X.X
object network inside
nat (inside,outside) dynamic interface
access-group OUTSIDE in interface outside
route outside 0.0.0.0 0.0.0.0 207.108.X.X1
route inside 10.0.1.0 255.255.255.0 192.168.1.5 1
route inside 10.0.2.0 255.255.255.0 192.168.1.5 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group pppoewan request dialout pppoe
vpdn group pppoewan localname XX
vpdn group pppoewan ppp authentication chap
vpdn username XX password *****

dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect snmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:22619cfc6ab198b00446a2a2bcdbfd21
: end

 

Current configuration : 5275 bytes
!
! Last configuration change at 15:31:23 UTC Mon Mar 8 1993
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
!
username cisco privilege 15 password 0 cisco
no aaa new-model
switch 1 provision ws-c3750g-24ps
system mtu routing 1500
ip routing
!
!
!
!
crypto pki trustpoint TP-self-signed-29955072
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-29955072
revocation-check none
rsakeypair TP-self-signed-29955072
!
!
crypto pki certificate chain TP-self-signed-29955072
certificate self-signed 01
quit
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface GigabitEthernet1/0/1
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/2
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/3
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/4
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/5
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/6
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/7
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/8
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/9
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/10
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/11
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/12
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/13
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/14
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/15
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/16
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/17
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/18
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/19
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/20
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10,11
switchport mode trunk
!
interface GigabitEthernet1/0/21
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/22
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/23
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/24
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
description ASA
ip address 192.168.1.5 255.255.255.0
!
interface Vlan10
description L3 to TPLink
ip address 10.0.1.161 255.255.255.0
!
interface Vlan11
description L3 to DLink
ip address 10.0.2.124 255.255.255.0
!
ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 192.168.3.0 255.255.255.0 192.168.1.1
ip route 10.0.2.126 255.255.255.255 10.0.2.1
!
logging esm config
no cdp run
!
!
line con 0
line vty 0 4
login
line vty 5 15
login
!
end


Thanks for the information. Based on this I believe that if you change the routes on DLink from using next hop 10.0.2.124 to using the vlan 11 address of the ASA, you should have connectivity between vlan 11 and vlans 1 and 10. Using this, if a host in vlan 11 wants to communicate with a host in either vlan 1 or 10, the vlan 11 host will send the packet to its default gateway (which is DLink), DLink will use its route and forward the packet to the ASA, and the ASA has vlans 1 and 10 as connected subnets and will forward to the destination host. Similarly, if a host in vlan 1 or 10 wants to communicate with a host in vlan 11, the host will forward the packet to its default gateway (which is the ASA); the ASA sees vlan 11 as a connected subnet and will forward the packet to its destination host.

HTH

Rick



Hello,

 

it is very difficult from your description to figure out what you are trying to achieve, and what your topology looks like. Post a schematic drawing of your topology, and somehow make what you want to accomplish visual in that topology drawing. 

hmmmm. Ok.

 

So, not sure why the interfaces on the 5506-X do not stay "enabled" after I reload the file (yes I did 'no shut') but either way... Here is what I have more or less. I want to REMOVE the device TPLink and have the 5506-X be the server of the 10.0.1.0 Subnet.

I can get it working but if I use the 10.0.1.1 as gateway on a PC, I get internet but no connectivity to any IP (NAS) on any LAN, most importantly 10.0.2.0. If I use 10.0.1.161 as the gateway (vlan 10 on the Catalyst to associate "routing") I can then see the other LANs and connect to the 10.0.2.0 NAS... But no Internet.

My 5508-X in real life is using correct PAT settings etc.. Though vlan 1, 192.168.1.0, is using the 5508-X outside (static) IP as its Internet access, I have a PAT also set for 10.0.1.0 using another Static IP I own. As I said, when using 10.0.1.1 as gateway, I connect to the internet and it uses correct OUTSIDE IP address.

 

I just want to eliminate TPLink and have everyone talk through Catalyst but it seems I can either choose LAN connectivity or WAN, but not both.

 

The diagram is how it is currently, not how I want it.

 

um, how do I insert my .pkt?

It is difficult to understand your issue. You give a confusing and incomplete description of what you want to accomplish and what you have reconfigured. You post the configurations as they were before the changes but nothing that details what changed.

 

A little bit we can guess at. If a host uses the previous default gateway 10.0.1.161 (on the switch) it can access 10.0.2.0 but not Internet and if it uses the new default gateway 10.0.1.1 it can access Internet but it can not access 10.0.2.0. So the routing logic between vlans on the switch is still good. But it looks like the configured default route on the switch no longer works

ip route 0.0.0.0 0.0.0.0 192.168.1.1

So one of the questions is what happened to 192.168.1.0 on the switch?

 

Another aspect is that if a host uses the new gateway of 10.0.1.1 it can access Internet but not 10.0.2.0. So the new gateway sends traffic from the host to the ASA but it can not then get to the other vlan subnet. If we look at the ASA config routing logic we see

route inside 10.0.1.0 255.255.255.0 192.168.1.5 1
route inside 10.0.2.0 255.255.255.0 192.168.1.5 1

And another one of the questions is what happened to 192.168.1.0 on the ASA?

HTH

Rick

You are correct.. I have only posted what is, which is that 10.0.1.0 is coming from a 3rd party router, a TPLink (which is assigned 1 of my static IPs (207.108.121.x) and is connected to the Catalyst (vlan 10 with a vlan IP of 10.0.1.161 for routing purposes). My idea was to eliminate an unnecessary device, TPLink, and simply in its place (1/3 on ASA) have 1/3 be the 10.0.1.0 DHCP server and still connect to the Catalyst and use 10.0.1.161 as the routing IP as it was.. All while the outside (internet) IP stays 207.108.121.x via PAT.

 

Being that in the current example of my Catalyst, the 0.0.0.0 0.0.0.0 192.168.1.1 was the Internet Gateway for the 192.168.1.0, I did not need a static route to the internet for the 10.0.1.0 or 10.0.2.0 as they got onto the Internet through their own Gateways, 10.0.1.1 and 10.0.2.1.

Now that I want to eliminate TPLink and have the ASA be the dhcp server, I realize I may need an ip route for the 10.0.1.0 as well and I did 0.0.0.0 0.0.0.0 10.0.1.1 but then what happened was it would timeout on many sites.. I am assuming because it got confused on which 0.0.0.0 0.0.0.0 to use?

 

Also the

route inside 10.0.1.0 255.255.255.0 192.168.1.5 1
route inside 10.0.2.0 255.255.255.0 192.168.1.5 1

was for the ASA 1/4 (192.168.3.0) device to be able to route and see the 10.0.x.x networks, so that has nothing to do with what I was trying to achieve. Just mentioning.

 

The 192.168.1.0 was initially created to give the Catalyst its own management IP and vlan 1 IP. Which is the 192.168.1.5 on the Catalyst.

With that said, I want to eliminate TPLink and host my own 10.0.1.0 on the ASA. I want to have my devices be 192.168.1.4 (which is my PC IP) and have access to 10.0.1.0, 10.0.2.0 and Internet... It currently DOES. But when I try my new way I want, then as I said, 10.0.1.0 can either access LAN or Internet. Ugh it does sound confusing. All I wanna do is remove another device and save the complication. Seems it is becoming more complicated.

Hello

What's the need for the TPLINK after the ASA is taking on the DHCP allocation and having an L3 for the 10.0.1.x subnet? Is it servicing something you haven't made us aware of?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Well that is the whole purpose of this initial post! I am trying TO eliminate the TPLink... I agree that if the ASA can take on the DHCP Allocation as you have mentioned, then why have it at all? So yes, I am trying to trash it and be done with it [TPLink].

Problem is apparently there is a difference with routes when moving from a 3rd party external router which connects to a shared Catalyst to the ASA itself. As I mention.... After the "transition" I can either see the LAN devices and connect, or connect to the Internet, but not both.

As mentioned, the 2 running-configs are with the TPLink allocating the DHCP, which I am trying to remove.

 

fbeye
Level 4

On the Switch am I able to have;

 

0.0.0.0 0.0.0.0 vlan 1 192.168.1.1

0.0.0.0 0.0.0.0 vlan 10 10.0.1.1

 

And each vlan will go to its associated Gateway/Route?

Unfortunately what you suggest would not work the way that you want it to work. You can certainly configure 2 static default routes and the switch would use both of them, sharing the traffic over both paths. But it would not send vlan 1 traffic through one and vlan 10 traffic through the other one. To send traffic to a particular gateway based on the vlan it originated on you need a feature called Policy Based Routing. Whether that feature is available on your 3750g might depend on the version of code and perhaps on the licensing of your switch. If you go into configuration mode on a vlan interface and type "ip policy ?" and get a response showing parameters you could use then the feature is available. And if the response is invalid command then the feature is not available.

HTH

Rick

Hello my friend I apologize for the delay.

 

The response I get is ;

 

Switch(config-if)#ip policy ?
route-map Policy route map

I am quite confused. Originally we were talking about vlan 10 and 11 which use 10.0.1.0 and 10.0.2.0. Now we seem to be talking about vlan 1 and 10 which use 10.0.1.0 and 192.168.1.0. In the preceding discussion both vlans were routed the same. When you posted this

0.0.0.0 0.0.0.0 vlan 1 192.168.1.1

0.0.0.0 0.0.0.0 vlan 10 10.0.1.1

I assumed that you wanted to route 2 vlans differently and so I suggested PBR. But in looking at the discussion I do not see where PBR would help you very much. Can you help me understand what it is that you are trying to do?

HTH

Rick

Alright. What I am saying is this.. I hope this makes sense!

 

I have an ASA 5508-X with a static IP outside. Through interface 1/2 (192.168.1.1) it connects to a Catalyst Switch on 1/0/21. I have GE 1/0/21-1/0/24 (vlan 1 interface IP 192.168.1.5) and anything that connects to 1/0/21-24 will grab a 192.168.1.X and use 192.168.1.5 as its gateway to the Internet. If they were to use the DHCP gateway (192.168.1.1) I could not access the servers on either 10.0.1.0/10.0.2.0 (later) but only the Internet.

My ASA 1/3 (192.168.3.1) connects to a TPLink which has NAT for its own static IP outside, and the TPLink has a DHCP server 10.0.1.0. The TPLink connects to Catalyst Switch 1/0/1 and I have 1/0/1-1/0/10 (vlan 10 interface IP 10.0.1.166).

My ASA 1/6 (192.168.5.1) connects to a DLink which has NAT for its own static IP outside, and the DLink has a DHCP server 10.0.2.0. The DLink connects to the Catalyst Switch 1/0/11 and I have 1/0/11-1/0/20 (vlan 11 interface 10.0.2.124).

 

Everything works as I want it by any 10.0.X.X connecting to each other and also the NET as well as 192.168.1.X connecting to each other and the NET.

 

My goal is, why do I have a TPLink that serves no purpose as a device when my ASA 1/3 can act as its own DHCP server with the NAT for its own outside IP. So on the ASA I set up NAT, I set up 10.0.1.1 as the 1/3 interface and then a DHCP server. I leave 1/3 connected to the Catalyst 1/0/1 and leave vlan 10 as 10.0.1.124 for consistency. My issue is that with everything set up as it was via TPLink, any device on 1/0/1-1/0/10 (on Catalyst) that has DHCP can access the NET but NOT other vlans. If I set any device with STATIC gateway 10.0.1.124, it can then access the OTHER vlans but no internet!

 

It can not be about static routes on other devices cause they are routed to each other with the same subnets as I have always used. It has to be something on the Cat or my ASA. 

fbeye
Level 4

Maybe this can simplify.

 

ASA 5508-X with 5 static IPs.

1 - ASA itself and OUTSIDE interface is 207.108.1.1
2 - GE 1/1 10.0.1.1 (NAT 207.108.1.2)
3 - GE 1/2 10.0.2.1 (NAT 207.108.1.3)
4 - GE 1/3 192.168.1.1 (NAT 207.108.1.1)

GE 1/1 (from ASA) goes to GE 1/0/1 (Catalyst Switch)
    1/0/1-1/0/10 are vlan 10 and interface vlan 10 is 10.0.1.161
GE 1/2 (from ASA) goes to GE 1/0/11 (Catalyst Switch)
    1/0/11-1/0/20 are vlan 11 and interface vlan 11 is 10.0.2.124
GE 1/3 (from ASA) goes to GE 1/0/21 (Catalyst Switch)
    1/0/21-1/0/24 are vlan 1 and interface vlan 1 is 192.168.1.5

   

 

Currently on the Switch, the default route is 0.0.0.0 0.0.0.0 192.168.1.1

The reason for this is that my main station is 1 ip, 192.168.1.4, and through it I can connect to everything and anything.

What this does is allow anything from vlan 10,11 and 1 talk to each other as well as (the 192.168.1.x) get onto the Internet.

My problem is that anything that connects to vlan 10 or 11 can either get ON the internet and NOT see other vlans (if the default gateway is dhcp (vlan 10 would be 10.0.1.1 and vlan 11 would be 10.0.2.1)) OR anything on vlan 10 or 11 CAN connect to each other but NOT the Internet if the device that connects to the uses 10.0.1.161 (vlan 10 interface IP)or 10.0.2.124 (vlan 11 interface IP).

So how am I able to connect to any vlan I choose to and still be able to talk to each other (not just ping but access data) as well as internet.

Clearly making the device have the Catalyst switch vlan (10 or 11) as the gateway allows them to route to each other but I feel I am having a default route out to the internet, as 192.168.1.1 is the only route. Now, I need the vlans to have their OWN routes as they have their OWN static IP's for their own purposes so forcing all IP's (diff vlans/subnets) to use 192.168.1.1 as default route fixes nothing.

In my head this is all clear as day so I hope this makes sense.

 

How do 3 vlans on a switch which have their OWN internet address all talk to each other via switch yet touch the internet via their own internet IP.

fbeye
Level 4

I wonder if this does go back to what you said about PBR. Being I have 3 vlans each with its own Internet static IP/gateway to the Internet and being I can only have 1 0.0.0.0 0.0.0.0 default route on the Switch not using PBR, maybe this is my solution?

 

Thanks for the clarification and simplification. I do not see anything in the new description that would need PBR. My suggestion to maybe use PBR was a reaction to this

0.0.0.0 0.0.0.0 vlan 1 192.168.1.1

0.0.0.0 0.0.0.0 vlan 10 10.0.1.1

which I thought meant that you wanted to route the vlans differently. But in retrospect that was not what you were indicating. As long as each vlan will continue to use the ASA to get to the Internet I do not see any benefit to PBR for you.

 

Here is what I think I understand. Please let me know if I have something not correct. The original environment used the switch as a Layer 3 switch which provided the inter vlan routing. Devices in each vlan used the switch IP address in that vlan as their default gateway. The switch used its default route to forward traffic for the Internet to the ASA. The ASA provided nat for the traffic and forwarded Internet traffic to the ISP. In the new environment each vlan will have its own connection to the ASA. I believe that you should use the switch as a Layer 2 switch providing vlan connectivity but leaving the inter vlan routing to the ASA. For this the switch does not need ip routing enabled and does not need a vlan interface with an IP address in each of the vlans. The switch needs a single vlan interface with an IP address for management purposes. The devices in each vlan should have their default gateway as the ASA address in that subnet. The ASA would not need the static routes for the vlan subnets because those subnets are now directly connected to the ASA.

HTH

Rick
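The Layer 2 design described in the reply above, written out as an added example (not configuration from this thread or from Cisco). It reuses the thread's own values for vlan 10 (ASA interface 10.0.1.1, pool 10.0.1.50-10.0.1.200, outside address 207.108.X.X) and assumes the ASA keeps GigabitEthernet1/3 for vlan 10 and uses GigabitEthernet1/6 with 10.0.2.1 for vlan 11, which the thread implies but never shows.

```cisco
! ===== ASA 5508-X: every vlan subnet becomes a directly connected interface =====
! The old host-based NAT rule for the single TPLink address goes first; the
! subnet it fronted is now on the ASA itself.
no object network TPLink
!
interface GigabitEthernet1/3
 description vlan 10 (replaces TPLink)
 nameif vlan10
 security-level 100
 ip address 10.0.1.1 255.255.255.0
!
interface GigabitEthernet1/6
 description vlan 11 (replaces DLink; 10.0.2.1 is an assumed address)
 nameif vlan11
 security-level 100
 ip address 10.0.2.1 255.255.255.0
!
! Forwarding between two security-level 100 interfaces needs this (already in the posted config).
same-security-traffic permit inter-interface
!
! The ASA hands out vlan 10 addresses; its interface address 10.0.1.1 is the hosts'
! default gateway, so nothing has to point at the switch any more.
dhcpd address 10.0.1.50-10.0.1.200 vlan10
dhcpd enable vlan10
! Reuse the DNS servers learned on the PPPoE outside interface (as the posted config does).
dhcpd auto_config outside
!
! Dynamic PAT of the whole vlan 10 subnet to its own public address. The posted config
! used a static NAT for the one TPLink host; with the subnet on the ASA it is a subnet object.
object network vlan10-net
 subnet 10.0.1.0 255.255.255.0
 nat (vlan10,outside) dynamic 207.108.X.X
!
! The static routes via the switch are removed: the ASA now owns both subnets.
no route inside 10.0.1.0 255.255.255.0 192.168.1.5 1
no route inside 10.0.2.0 255.255.255.0 192.168.1.5 1

! ===== Catalyst 3750G: pure Layer 2 with one management SVI =====
no ip routing
no interface Vlan10
no interface Vlan11
! The default route and the host route via 10.0.2.1 belonged to the routed design.
no ip route 0.0.0.0 0.0.0.0 192.168.1.1
no ip route 192.168.3.0 255.255.255.0 192.168.1.1
no ip route 10.0.2.126 255.255.255.255 10.0.2.1
!
interface Vlan1
 description management
 ip address 192.168.1.5 255.255.255.0
!
! With routing off, the switch reaches other subnets through a default gateway, not a route.
ip default-gateway 192.168.1.1
!
! Access ports stay as posted; the ASA interface for each vlan plugs into a port of that vlan.
interface GigabitEthernet1/0/1
 description ASA Gi1/3 (vlan 10 gateway 10.0.1.1)
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/0/11
 description ASA Gi1/6 (vlan 11 gateway 10.0.2.1)
 switchport access vlan 11
 switchport mode access
```

Hosts in vlan 10 and 11 then take their gateway from the ASA's DHCP (10.0.1.1 and 10.0.2.1); the interim 10.0.1.161 and 10.0.2.124 gateways disappear with the SVIs, so a host still configured with one of them loses connectivity entirely rather than "LAN only".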