Pinging, Tacacs, Radius, HSRP, Firewall Issues

daniel_growth
Level 1

Hi All,

I have had a few issues with my Packet Tracer network recently. I am unable to ping my corp LAN through my firewall also.

The next main issue is I need to configure AAA on my layer 3 switches. I feel like they are only acting as layer 2.

If you could take a look at my Packet Tracer file and try to troubleshoot with me it would be great.

admin is username and cisco is password.

As a requirement I need all switches to use the RADIUS/TACACS server 10.10.15.7 and have the option to use local if the server is down.

Traffic needs to travel from the lower networks through the firewall and back.

Another issue I have encountered is HSRP complaining the standby states are incorrect or IPs are not set correctly.

Thanks in advance!

Kind Regards,
Daniel Growth
28 Replies

Hello

What version of PT are you using? I don't seem to be able to open that file you have attached.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hey Paul. I'm using 7.2.2
Kind Regards,
Daniel Growth

Hello,

you have made some changes to the original design that seem to make the network malfunction. The security level on the ASA outside interface is set to 100, why is that? Your S2 switch cannot even be accessed because you misconfigured the HSRP for Vlan 10? And what are you trying to ping from the switches, still Loopback 1 (172.168.1.100)? Also, you have added a default route to the ASA that causes it to not send the default route to the OSPF neighbor. You are also missing the 'default-information originate' on the ASA under the OSPF process.

If you still have the original design I sent you, have a look at the configs, basic connectivity was established with that design.

AAA new model seems to be accepted on S1, what are you trying to configure?
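An added config lint, not code from the thread or its participants, that checks pasted running-configs for the three mistakes raised in this thread: an ASA outside interface (the one carrying the static default route) not at security-level 0, OSPF without 'default-information originate', and HSRP groups that disagree between S1 and S2. The sample configs are constructed from values posted in the thread; the section parser and the wording of the findings are my own assumptions.

```python
"""Added config lint for this thread's issues (ASA security-level, default-information originate, HSRP)."""
import ipaddress
import re

def parse_sections(config):
    """{"global": [...], "interface Vlan10": [...]} from IOS/ASA text; '!' closes a section."""
    sections, cur = {"global": []}, "global"
    for line in (raw.strip() for raw in config.splitlines()):
        if line == "!":
            cur = "global"
        elif line.startswith(("interface ", "router ", "line ")):
            cur = line
            sections.setdefault(cur, [])
        elif line:
            sections[cur].append(line)
    return sections

def field(lines, prefix, idx, default=None, cast=str):
    # Word <idx> of the first line starting with <prefix>, else <default>.
    return next((cast(l.split()[idx]) for l in lines if l.startswith(prefix)), default)

def lint_asa(config):
    """The two ASA mistakes Georg points out: outside level != 0, no default-info originate."""
    s, findings = parse_sections(config), []
    # The nameif that carries the static default route is the outside interface.
    outside = next((l.split()[1] for l in s["global"]
                    if re.match(r"route \S+ 0\.0\.0\.0 0\.0\.0\.0 ", l)), None)
    for name, lines in s.items():
        level = field(lines, "security-level ", 1, cast=int)
        if outside and field(lines, "nameif ", 1) == outside and level not in (None, 0):
            findings.append(f"{name}: outside {outside} has security-level {level}, expected 0")
        if name.startswith("router ospf") and outside and "default-information originate" not in lines:
            findings.append(f"{name}: default route set but 'default-information originate' missing")
    return findings

def hsrp_groups(config):
    """{(svi, group): (svi address, vip, priority, preempt)} for every SVI in the config."""
    groups = {}
    for name, lines in parse_sections(config).items():
        ip = field(lines, "ip address ", 2)
        if name.startswith("interface Vlan") and ip:
            net = ipaddress.ip_interface(f"{ip}/{field(lines, 'ip address ', 3)}")
            for m in filter(None, (re.match(r"standby (\d+) ip (\S+)", l) for l in lines)):
                g = m.group(1)
                groups[name, int(g)] = (net, ipaddress.ip_address(m.group(2)),
                                        field(lines, f"standby {g} priority ", 3, 100, int),
                                        f"standby {g} preempt" in lines)
    return groups

def lint_hsrp(cfg_a, cfg_b):
    """Peer mismatches of the kind behind the thread's 'standby state' complaints."""
    a, b, findings = hsrp_groups(cfg_a), hsrp_groups(cfg_b), []
    for key in sorted(set(a) | set(b)):
        tag = f"{key[0]} group {key[1]}"
        if key not in a or key not in b:
            findings.append(f"{tag}: configured on only one peer")
            continue
        (net_a, vip_a, pa, pre_a), (net_b, vip_b, pb, pre_b) = a[key], b[key]
        if vip_a != vip_b:
            findings.append(f"{tag}: virtual IP differs ({vip_a} vs {vip_b})")
        if vip_a not in net_a.network or vip_a in (net_a.ip, net_b.ip):
            findings.append(f"{tag}: virtual IP {vip_a} is outside the SVI subnet or a real address")
        if pa == pb or not (pre_a if pa > pb else pre_b):
            findings.append(f"{tag}: no peer has both the higher priority and preempt")
    return findings

# Constructed from values posted in the thread: the ASA as first posted and the S1/S2 Vlan10 SVIs.
ASA_AS_POSTED = "\n".join(["interface GigabitEthernet1/1", " nameif OUTBOUND", " security-level 100",
                           " ip address 192.168.1.1 255.255.255.0", "!",
                           "route OUTBOUND 0.0.0.0 0.0.0.0 192.168.1.2 1", "!",
                           "router ospf 1", " network 0.0.0.0 255.255.255.255 area 0"])
S1_VLAN10 = ("interface Vlan10\n ip address 10.10.10.1 255.255.255.192\n"
             " standby 10 ip 10.10.10.12\n standby 10 priority 110\n standby 10 preempt\n")
S2_VLAN10 = "interface Vlan10\n ip address 10.10.10.2 255.255.255.192\n standby 10 ip 10.10.10.12\n"
```

Run `lint_asa` on the 'show run' text of the firewall and `lint_hsrp` on the two switch configs; an empty list means none of the three problems is present.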

Hey @Georg Pauwen

The design you sent me would never allow me to ping the corp_lan/loopback_1.

None of the switches have AAA configured to use 10.10.15.7 as the RADIUS/TACACS server, which I really want.

If you ping from the switches 1-6 to various locations you will struggle. I can't say that the file you sent fixed these issues so I tried myself. I got some things working, for example I can ping the 192.168.1.1-2 address from S1, which I could before.

OSPF seems to just cause me issues. I'd rather use static routes as I can't see the addresses changing in future. If you are able to get any of this fixed and sent back I would appreciate it and I can learn from the new config.

Kind Regards,
Daniel Growth

Hello,

 

the reason why the original design doesn't work for you is because the ASA apparently does not save the configuration when the project file is sent. That is why I sent you the configuration numerous times, but for some reason, you don't apply it. Here it is again:

 

ASA Version 9.6(1)
!
hostname ciscoasa
domain-name wr
names
!
interface Port-channel1
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/1
nameif OUTBOUND
security-level 0
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/2
description Link to S1
nameif INBOUND
security-level 100
ip address 10.10.15.20 255.255.255.224
!
interface GigabitEthernet1/3
description Link to S2
nameif inside2
security-level 100
ip address 10.10.15.21 255.255.255.224
shutdown
!
interface GigabitEthernet1/4
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/5
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/6
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/7
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/8
no nameif
security-level 0
no ip address
channel-group 1 mode on
shutdown
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
object network inside-subnet
subnet 10.10.15.0 255.255.255.224
!
route OUTBOUND 0.0.0.0 0.0.0.0 192.168.1.2 1
!
access-list OUTBOUND extended permit ip any any
!
access-group OUTBOUND in interface OUTBOUND
!
object network inside-subnet
nat (INBOUND,OUTBOUND) dynamic interface
!
class-map inspection_default
!
policy-map global_policy
class inspection_default
inspect icmp
!
telnet timeout 5
ssh timeout 5
!
router ospf 1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
default-information originate
!
ciscoasa#

After you have changed the ASA firewall configuration, the output of 'show run' must match what I sent you exactly.

I did apply it numerous times but it didn't work.
Your HSRP setup has a virtual IP of 10.10.10/15/20.3 but this range is already taken by S3 so I had to change it.
The TACACS+ issue is fixed. HSRP is fixed. It's just the firewall with the issue. I would be willing to have GI0/2-3 as 1.1.1.1/2.2.2.2 if it means it works. Also the 172 range corp_lan has been removed and replaced with 192.168.1.2.
Kind Regards,
Daniel Growth

Hello,

 

post the output of 'show run' from the firewall, with what you currently have configured. Don't send the file, as the ASA seems to not save the configuration when the project file is being saved.

This will have changed a lot since, as I have been trying to fix it.

 

ASA: 

ASA Version 9.6(1)
!
hostname firewall
domain-name wr
enable password 4IncP7vTjpaba2aF encrypted
names
!
interface Port-channel1
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/1
nameif OUTBOUND
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/2
description Link to S1
nameif INBOUND
security-level 100
ip address 1.1.1.1 255.0.0.0
!
interface GigabitEthernet1/3
description Link to S2
nameif inside2
security-level 100
ip address 10.10.15.21 255.255.255.224
shutdown
!
interface GigabitEthernet1/4
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/5
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/6
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/7
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/8
no nameif
security-level 0
no ip address
channel-group 1 mode on
shutdown
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
object network inside-subnet
subnet 10.10.15.0 255.255.255.224
!
route OUTBOUND 0.0.0.0 0.0.0.0 192.168.1.2 1
route INBOUND 0.0.0.0 0.0.0.0 10.10.15.2 1
route INBOUND 0.0.0.0 0.0.0.0 10.10.15.1 1
!
access-list INBOUND extended permit ip any any
access-list OUTBOUND extended permit ip any any
!
object network inside-subnet
nat (INBOUND,OUTBOUND) dynamic interface
!
aaa authentication ssh console LOCAL
!
ntp server 10.10.15.7
!
username admin password 4IncP7vTjpaba2aF encrypted
!
class-map inspection_default
!
policy-map global_policy
class inspection_default
inspect icmp
!
telnet timeout 5
ssh timeout 5
!
router ospf 1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
network 0.0.0.0 0.0.0.0 area 0


S1:

version 16.3.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
!
hostname S1
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
aaa new-model
!
aaa authentication login tacacs+ group tacacs+ local
!
no ip cef
ip routing
!
no ipv6 cef
!
username admin privilege 15 secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
username user secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
ip ssh version 2
no ip domain-lookup
ip domain-name AE
!
spanning-tree mode rapid-pvst
!
interface Port-channel1
switchport trunk allowed vlan 10,15,20
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
switchport trunk allowed vlan 10,15,20
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet1/0/3
switchport trunk allowed vlan 10,15,20
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode active
!
interface GigabitEthernet1/0/4
switchport trunk allowed vlan 10,15,20
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode active
!
interface GigabitEthernet1/0/5
switchport trunk allowed vlan 10,15,20
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/6
switchport trunk allowed vlan 10,15,20
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/7
switchport trunk allowed vlan 10,15,20
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/8
switchport trunk allowed vlan 10,15,20
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
description Dev_VLAN
mac-address 0030.a3d7.7d01
ip address 10.10.10.1 255.255.255.192
standby 10 ip 10.10.10.12
standby 10 priority 110
standby 10 preempt
!
interface Vlan15
description Mgmt_VLAN
mac-address 0030.a3d7.7d02
ip address 10.10.15.1 255.255.255.224
standby 15 ip 10.10.15.12
standby 15 priority 110
standby 15 preempt
!
interface Vlan20
description VSAN_Vlan
mac-address 0030.a3d7.7d03
ip address 10.10.20.1 255.255.255.0
standby 20 ip 10.10.20.12
standby 20 priority 110
standby 20 preempt
!
router ospf 1
log-adjacency-changes
network 0.0.0.0 0.0.0.0 area 0
network 172.168.1.0 0.0.0.0 area 0
network 192.168.1.0 0.0.0.0 area 0
!
ip default-gateway 10.10.15.12
ip classless
ip route 192.168.1.0 255.255.255.0 1.1.1.1
!
ip flow-export version 9
!
tacacs-server host 10.10.15.7 key cisco
!
line con 0
password 7 0822455D0A16
logging synchronous
login authentication tacacs+
!
line aux 0
password 7 0822455D0A16
logging synchronous
!
line vty 0 4
password 7 0822455D0A16
logging synchronous
login authentication tacacs+
transport input ssh
line vty 5 15
login authentication tacacs+
transport input ssh
!
ntp authenticate
ntp trusted-key 12345
ntp server 10.10.10.7
!
end


S2:

version 16.3.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname S2
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
aaa new-model
!
aaa authentication login tacacs+ group tacacs+ local
!
no ip cef
ip routing
!
no ipv6 cef
!
username admin privilege 15 secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
username user secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
ip ssh version 2
no ip domain-lookup
ip domain-name AE
!
spanning-tree mode rapid-pvst
!
interface Port-channel1
switchport trunk allowed vlan 10,15,20
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
switchport trunk allowed vlan 10,15,20
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode active
!
interface GigabitEthernet1/0/4
switchport trunk allowed vlan 10,15,20
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode active
!
interface GigabitEthernet1/0/5
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/6
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/7
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/8
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
description Dev_VLAN
mac-address 0010.11c3.0601
ip address 10.10.10.2 255.255.255.192
standby 10 ip 10.10.10.12
!
interface Vlan15
description Mgmt_VLAN
mac-address 0010.11c3.0602
ip address 10.10.15.2 255.255.255.224
standby 15 ip 10.10.15.12
!
interface Vlan20
description VSAN_Vlan
mac-address 0010.11c3.0603
ip address 10.10.20.2 255.255.255.0
standby 20 ip 10.10.20.12
!
router ospf 1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
ip default-gateway 10.10.15.12
ip classless
!
ip flow-export version 9
!
tacacs-server host 10.10.15.7 key cisco
!
line con 0
password 7 0822455D0A16
logging synchronous
login authentication tacacs+
!
line aux 0
password 7 0822455D0A16
logging synchronous
!
line vty 0 4
password 7 0822455D0A16
logging synchronous
login authentication tacacs+
transport input ssh
line vty 5 15
login authentication tacacs+
transport input ssh
!
ntp authenticate
ntp trusted-key 12345
ntp server 10.10.10.7
!
end


Kind Regards,
Daniel Growth

Hello,

 

unfortunately, there are still many, many misconfigurations, too many to comment on actually. I have corrected everything and marked the important parts in bold.

 

Try to make the running configs of your devices look EXACTLY like those below:

 

ASA:

 

ASA Version 9.6(1)
!
hostname firewall
domain-name wr
enable password 4IncP7vTjpaba2aF encrypted
names
!
interface Port-channel1
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/1
nameif OUTBOUND
security-level 0
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/2
description Link to S1
nameif INBOUND
security-level 100
ip address 1.1.1.1 255.0.0.0
!
interface GigabitEthernet1/3
description Link to S2
nameif inside2
security-level 100
ip address 10.10.15.21 255.255.255.224
shutdown
!
interface GigabitEthernet1/4
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/5
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/6
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/7
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/8
no nameif
security-level 0
no ip address
channel-group 1 mode on
shutdown
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
object network inside-subnet
subnet 10.10.15.0 255.255.255.224
!
route OUTBOUND 0.0.0.0 0.0.0.0 192.168.1.2 1
!
access-list INBOUND extended permit ip any any
!
access-group INBOUND in interface OUTBOUND
!
object network inside-subnet
nat (INBOUND,OUTBOUND) dynamic interface
!
aaa authentication ssh console LOCAL
!
ntp server 10.10.15.7
!
username admin password 4IncP7vTjpaba2aF encrypted
!
class-map inspection_default
!
policy-map global_policy
class inspection_default
inspect icmp
!
telnet timeout 5
ssh timeout 5
!
router ospf 1
log-adjacency-changes
default-information originate
network 0.0.0.0 255.255.255.255 area 0


S1:

version 16.3.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
!
hostname S1
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
aaa new-model
!
aaa authentication login tacacs+ group tacacs+ local
!
no ip cef
ip routing
!
no ipv6 cef
!
username admin privilege 15 secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
username user secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
ip ssh version 2
no ip domain-lookup
ip domain-name AE
!
spanning-tree mode rapid-pvst
!
interface Port-channel1
switchport trunk allowed vlan 10,15,20
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
no switchport
ip address 1.1.1.2 255.0.0.0
!
interface GigabitEthernet1/0/3
switchport trunk allowed vlan 10,15,20
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode active
!
interface GigabitEthernet1/0/4
switchport trunk allowed vlan 10,15,20
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode active
!
interface GigabitEthernet1/0/5
switchport trunk allowed vlan 10,15,20
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/6
switchport trunk allowed vlan 10,15,20
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/7
switchport trunk allowed vlan 10,15,20
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/8
switchport trunk allowed vlan 10,15,20
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
description Dev_VLAN
mac-address 0030.a3d7.7d01
ip address 10.10.10.1 255.255.255.192
standby 10 ip 10.10.10.12
standby 10 priority 110
standby 10 preempt
!
interface Vlan15
description Mgmt_VLAN
mac-address 0030.a3d7.7d02
ip address 10.10.15.1 255.255.255.224
standby 15 ip 10.10.15.12
standby 15 priority 110
standby 15 preempt
!
interface Vlan20
description VSAN_Vlan
mac-address 0030.a3d7.7d03
ip address 10.10.20.1 255.255.255.0
standby 20 ip 10.10.20.12
standby 20 priority 110
standby 20 preempt
!
router ospf 1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
ip classless
!
ip flow-export version 9
!
tacacs-server host 10.10.15.7 key cisco
!
line con 0
password 7 0822455D0A16
logging synchronous
login authentication tacacs+
!
line aux 0
password 7 0822455D0A16
logging synchronous
!
line vty 0 4
password 7 0822455D0A16
logging synchronous
login authentication tacacs+
transport input ssh
line vty 5 15
login authentication tacacs+
transport input ssh
!
ntp authenticate
ntp trusted-key 12345
ntp server 10.10.10.7
!
end


S2:
version 16.3.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname S2
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
aaa new-model
!
aaa authentication login tacacs+ group tacacs+ local
!
no ip cef
ip routing
!
no ipv6 cef
!
username admin privilege 15 secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
username user secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
ip ssh version 2
no ip domain-lookup
ip domain-name AE
!
spanning-tree mode rapid-pvst
!
interface Port-channel1
switchport trunk allowed vlan 10,15,20
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
switchport trunk allowed vlan 10,15,20
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode active
!
interface GigabitEthernet1/0/4
switchport trunk allowed vlan 10,15,20
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode active
!
interface GigabitEthernet1/0/5
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/6
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/7
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/8
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
description Dev_VLAN
mac-address 0010.11c3.0601
ip address 10.10.10.2 255.255.255.192
standby 10 ip 10.10.10.12
!
interface Vlan15
description Mgmt_VLAN
mac-address 0010.11c3.0602
ip address 10.10.15.2 255.255.255.224
standby 15 ip 10.10.15.12
!
interface Vlan20
description VSAN_Vlan
mac-address 0010.11c3.0603
ip address 10.10.20.2 255.255.255.0
standby 20 ip 10.10.20.12
!
router ospf 1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
ip classless
!
ip flow-export version 9
!
tacacs-server host 10.10.15.7 key cisco
!
line con 0
password 7 0822455D0A16
logging synchronous
login authentication tacacs+
!
line aux 0
password 7 0822455D0A16
logging synchronous
!
line vty 0 4
password 7 0822455D0A16
logging synchronous
login authentication tacacs+
transport input ssh
line vty 5 15
login authentication tacacs+
transport input ssh
!
ntp authenticate
ntp trusted-key 12345
ntp server 10.10.10.7
!
end

interface GigabitEthernet1/2
description Link to S1
nameif INBOUND
security-level 100
ip address 1.1.1.1 255.0.0.0
!
interface GigabitEthernet1/3
description Link to S2
nameif inside2
security-level 100
ip address 10.10.15.21 255.255.255.224
shutdown

How come 1/3 hasn't been changed? The same for S2?
Kind Regards,
Daniel Growth

That is because I don't know what you want to do with the IP addressing. If you want to use this interface as well, configure it with an IP address, and the connecting interface on S2 as 'no switchport' and with an IP address from the same space. You also need to add a NAT entry for that interface, similar to the NAT entry you already have for the other interface.

 

interface GigabitEthernet1/3
description Link to S2
nameif inside2
security-level 100
ip address 2.2.2.2 255.0.0.0

@Georg Pauwen 

Progress!

I can ping the corp LAN through S1. I am struggling to ping from the other switches, including S2.

Also some of my switches are now unable to ping 10.10.15.7.

Could you take a look and see if you could maybe correct some of the connection issues so that everything is able to ping? I don't think there are any major issues, just some that I may have missed. I am very nearly complete now.

I will need to add ACLs to some switches to prevent VLAN 20 speaking to VLAN 10 on switches 3 and 4.

Kind Regards,
Daniel Growth

Hello,

 

I cannot access the devices because you have changed the login information.

 

Either way, make sure the OSPF neighbors between S1, S2, and the ASA work. On the ASA, configure:

router ospf 1
network 0.0.0.0 0.0.0.0 area 0
default-information originate

and on both switches:

router ospf 1
network 0.0.0.0 0.0.0.0 area 0

On the switches, there should be no other static routes or default gateways.
