Pinging, Tacacs, Radius, HSRP, Firewall Issues

daniel_growth
Level 1

Hi All,

 

I have had a few issues with my Packet Tracer network recently. I am also unable to ping my corp LAN through my firewall.

 

The next main issue is I need to configure AAA on my layer 3 switches. I feel like they are only acting as layer 2.

 

If you could take a look at my packet tracer file and try to troubleshoot with me it would be great.

The username is admin and the password is cisco.

 

As a requirement I need all switches to use the RADIUS/TACACS+ server 10.10.15.7 and have the option to use local authentication if the server is down.

 

Traffic needs to travel from the lower networks through the firewall and back.

Another issue I have encountered is HSRP complaining that the standby states are incorrect or the IPs are not set correctly.

Thanks in advance!

Kind Regards,
Daniel Growth

Apologies. admin/cisco if TACACS+ cannot be reached; dan/cisco if it can be.
I do not know why some of the devices can't contact 192 or contact certain switches or the AAA server.
Kind Regards,
Daniel Growth

admin/cisco don't work.

 

On the ASA, try and configure OSPF as below (the ASA network statement takes a subnet mask, not a wildcard):

router ospf 1
network 1.1.1.1 255.255.255.255 area 0
network 2.2.2.1 255.255.255.255 area 0
network 192.168.1.1 255.255.255.255 area 0
default-information originate

If admin/cisco don't work, it means TACACS+/AAA is working. Try dan and cisco.
Kind Regards,
Daniel Growth

I tried that config; it did not work, sorry.
Kind Regards,
Daniel Growth

Also, on S1 I removed the static route ip route 192.168.1.0 255.255.255.0 1.1.1.1, and it won't ping the corp LAN if I do this.
Kind Regards,
Daniel Growth

Hello,

 

the ASA, S1 and S2 should only communicate via OSPF. You need to troubleshoot why the OSPF neighbors are not established between these three devices...

I have been troubleshooting and am unable to fix it. Static routing was my fix, but this seems to be only temporary.
Were you able to see why certain devices won't ping, and why S2, despite having a static route, won't ping the firewall?
Kind Regards,
Daniel Growth

Hello,

 

with the configs below, I have full connectivity:

 

ASA

 

ASA Version 9.6(1)
!
hostname firewall-asa
domain-name wr
enable password 4IncP7vTjpaba2aF encrypted
names
!
interface Port-channel1
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/1
nameif OUTBOUND
security-level 0
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/2
description Link to S1
nameif INBOUND
security-level 100
ip address 1.1.1.1 255.0.0.0
!
interface GigabitEthernet1/3
description Link to S2
nameif inside2
security-level 100
ip address 2.2.2.1 255.0.0.0
!
interface GigabitEthernet1/4
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/5
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/6
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/7
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/8
no nameif
security-level 0
no ip address
channel-group 1 mode on
shutdown
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
object network inside-subnet
subnet 10.10.15.0 255.255.255.224
!
route OUTBOUND 0.0.0.0 0.0.0.0 192.168.1.2 1
!
access-list INBOUND extended permit ip any any
!
access-group INBOUND in interface OUTBOUND
access-group INBOUND in interface INBOUND
access-group INBOUND in interface inside2
!
object network inside-subnet
nat (INBOUND,OUTBOUND) dynamic interface
!
aaa authentication ssh console LOCAL
!
ntp server 10.10.15.7
!
username admin password 4IncP7vTjpaba2aF encrypted
!
class-map inspection_default
!
policy-map global_policy
class inspection_default
inspect icmp
!
telnet timeout 5
ssh timeout 5
!
router ospf 1
log-adjacency-changes
network 1.1.1.1 255.255.255.255 area 0
network 2.2.2.1 255.255.255.255 area 0
network 192.168.1.1 255.255.255.255 area 0

 

S1


version 16.3.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
!
hostname S1
!
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
aaa new-model
!
aaa authentication login tacacs+ group tacacs+ local
!
no ip cef
ip routing
!
no ipv6 cef
!
username admin privilege 15 secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
username user secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
ip ssh version 2
no ip domain-lookup
ip domain-name AE
!
spanning-tree mode rapid-pvst
!
interface Port-channel1
switchport trunk allowed vlan 10,15,20
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
no switchport
ip address 1.1.1.2 255.0.0.0
duplex auto
speed auto
!
interface GigabitEthernet1/0/3
switchport trunk allowed vlan 10,15,20
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode active
!
interface GigabitEthernet1/0/4
switchport trunk allowed vlan 10,15,20
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode active
!
interface GigabitEthernet1/0/5
switchport trunk allowed vlan 10,15,20
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/6
switchport trunk allowed vlan 10,15,20
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/7
switchport trunk allowed vlan 10,15,20
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/8
switchport trunk allowed vlan 10,15,20
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
description Dev_VLAN
mac-address 0030.a3d7.7d01
ip address 10.10.10.1 255.255.255.192
standby 10 ip 10.10.10.12
standby 10 priority 110
standby 10 preempt
!
interface Vlan15
description Mgmt_VLAN
mac-address 0030.a3d7.7d02
ip address 10.10.15.1 255.255.255.224
standby 15 ip 10.10.15.12
standby 15 priority 110
standby 15 preempt
!
interface Vlan20
description VSAN_Vlan
mac-address 0030.a3d7.7d03
ip address 10.10.20.1 255.255.255.0
standby 20 ip 10.10.20.12
standby 20 priority 110
standby 20 preempt
!
router ospf 1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
ip classless
!
ip flow-export version 9
!
tacacs-server host 10.10.15.7 key cisco
!
line con 0
password 7 0822455D0A16
logging synchronous
login authentication tacacs+
!
line aux 0
password 7 0822455D0A16
logging synchronous
!
line vty 0 4
password 7 0822455D0A16
logging synchronous
login authentication tacacs+
transport input ssh
line vty 5 15
login authentication tacacs+
transport input ssh
!
ntp authenticate
ntp trusted-key 12345
ntp server 10.10.10.7
!
end

 

S2


Building configuration...

Current configuration : 3316 bytes
!
version 16.3.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname S2
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
aaa new-model
!
aaa authentication login tacacs+ group tacacs+ local
!
no ip cef
ip routing
!
no ipv6 cef
!
username admin privilege 15 secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
username user secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
ip ssh version 2
no ip domain-lookup
ip domain-name AE
!
spanning-tree mode rapid-pvst
!
interface Port-channel1
switchport trunk allowed vlan 10,15,20
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet1/0/2
no switchport
ip address 2.2.2.2 255.0.0.0
duplex auto
speed auto
!
interface GigabitEthernet1/0/3
switchport trunk allowed vlan 10,15,20
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode active
!
interface GigabitEthernet1/0/4
switchport trunk allowed vlan 10,15,20
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode active
!
interface GigabitEthernet1/0/5
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/6
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/7
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/8
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
description Dev_VLAN
mac-address 0010.11c3.0601
ip address 10.10.10.2 255.255.255.192
standby 10 ip 10.10.10.12
!
interface Vlan15
description Mgmt_VLAN
mac-address 0010.11c3.0602
ip address 10.10.15.2 255.255.255.224
standby 15 ip 10.10.15.12
!
interface Vlan20
description VSAN_Vlan
mac-address 0010.11c3.0603
ip address 10.10.20.2 255.255.255.0
standby 20 ip 10.10.20.12
!
router ospf 1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
ip classless
!
ip flow-export version 9
!
tacacs-server host 10.10.15.7 key cisco
!
line con 0
password 7 0822455D0A16
logging synchronous
login authentication tacacs+
!
line aux 0
password 7 0822455D0A16
logging synchronous
!
line vty 0 4
password 7 0822455D0A16
logging synchronous
login authentication tacacs+
transport input ssh
line vty 5 15
login authentication tacacs+
transport input ssh
!
ntp authenticate
ntp trusted-key 12345
ntp server 10.10.10.7
!
end
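As an added example (not code from this thread, Cisco, or Packet Tracer), a small Python check that reads IOS-style switch configs like the S1/S2 ones above and flags the two things the thread keeps tripping over: a login method list that does not try the TACACS+ server 10.10.15.7 and then fall back to local, and HSRP groups whose virtual IP or priority disagree between the two switches. The config excerpts are constructed from the posted configs, and the function names are mine.

```python
import re
from ipaddress import ip_address, ip_interface

AAA_SERVER = "10.10.15.7"  # TACACS+/RADIUS host the thread requires every switch to use
# Constructed excerpts of the S1/S2 configs posted above, trimmed to the lines these checks read.
S1 = """aaa new-model
aaa authentication login tacacs+ group tacacs+ local
tacacs-server host 10.10.15.7 key cisco
interface Vlan10
 ip address 10.10.10.1 255.255.255.192
 standby 10 ip 10.10.10.12
 standby 10 priority 110
"""
S2 = """interface Vlan10
 ip address 10.10.10.2 255.255.255.192
 standby 10 ip 10.10.10.12
"""

def aaa_fallback_ok(cfg):
    # Each login list must try 'group ...' before 'local' (a dead server must not lock you out),
    lists = re.findall(r"^aaa authentication login \S+ (.+)$", cfg, re.M)
    for methods in lists:
        m = methods.split()
        if "group" not in m or "local" not in m or m.index("local") < m.index("group"):
            return False
    has_server = re.search(rf"^tacacs-server host {re.escape(AAA_SERVER)}\b", cfg, re.M)
    return bool(lists) and "aaa new-model" in cfg.splitlines() and bool(has_server)

def hsrp_groups(cfg):
    # Map HSRP group -> SVI subnet, virtual IP, priority (default 100); IOS prints 'standby N ip'
    # before 'standby N priority', so the group entry already exists when the priority line comes.
    groups, net = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"\s*ip address (\S+) (\S+)", line):
            net = ip_interface(f"{m[1]}/{m[2]}").network
        elif m := re.match(r"\s*standby (\d+) ip (\S+)", line):
            groups[int(m[1])] = {"net": net, "vip": ip_address(m[2]), "prio": 100}
        elif m := re.match(r"\s*standby (\d+) priority (\d+)", line):
            groups[int(m[1])]["prio"] = int(m[2])
    return groups

def hsrp_problems(cfg_a, cfg_b):
    # Differing VIPs, a VIP outside the SVI subnet, or a priority tie are the usual causes of
    # "standby state / IP not set correctly" complaints; groups present on one side only are skipped.
    a, b, out = hsrp_groups(cfg_a), hsrp_groups(cfg_b), []
    for g in sorted(set(a) & set(b)):
        if a[g]["vip"] != b[g]["vip"]:
            out.append(f"group {g}: virtual IP differs between peers")
        out += [f"group {g}: VIP outside subnet" for s in (a, b) if s[g]["vip"] not in s[g]["net"]]
        if a[g]["prio"] == b[g]["prio"]:
            out.append(f"group {g}: equal priorities, active election is a tie")
    return out
```

Run it against the full `show running-config` text of each switch; an empty list from hsrp_problems and True from aaa_fallback_ok means the requirement in the first post is met.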

It didn't work. Can you attach the file with it working so I can check?
Kind Regards,
Daniel Growth

Hello,

 

what did not work? Do your configurations match what I sent you, line by line? Post the configs of the ASA, S1 and S2 with the changes you have implemented...

Hello,

 

attached is the working version. Just in case the ASA did not save the correct configuration, here is what it should look like:

 

ASA Version 9.6(1)
!
hostname firewall-asa
domain-name wr
enable password 4IncP7vTjpaba2aF encrypted
names
!
interface Port-channel1
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/1
nameif OUTBOUND
security-level 0
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/2
description Link to S1
nameif INBOUND
security-level 100
ip address 1.1.1.1 255.0.0.0
!
interface GigabitEthernet1/3
description Link to S2
nameif inside2
security-level 100
ip address 2.2.2.1 255.0.0.0
!
interface GigabitEthernet1/4
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/5
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/6
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/7
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/8
no nameif
security-level 0
no ip address
channel-group 1 mode on
shutdown
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
object network inside-subnet
subnet 10.10.15.0 255.255.255.224
!
route OUTBOUND 0.0.0.0 0.0.0.0 192.168.1.2 1
!
access-list INBOUND extended permit ip any any
!
!
access-group INBOUND in interface OUTBOUND
object network inside-subnet
nat (INBOUND,OUTBOUND) dynamic interface
!
aaa authentication ssh console LOCAL
!
ntp server 10.10.15.7
!
username admin password 4IncP7vTjpaba2aF encrypted
!
class-map inspection_default
!
policy-map global_policy
class inspection_default
inspect icmp
!
!
telnet timeout 5
ssh timeout 5
!
!
!
!
!
router ospf 1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
network 1.1.1.1 255.255.255.255 area 0
network 2.2.2.1 255.255.255.255 area 0
default-information originate
!
firewall-asa#

Hey,
S2 is now pinging but very slowly. When I do a traceroute it is going through 1.1.1.1 rather than 2.2.2.2. Any reason for this?
Also, would you be able to look into why some of my switches can't contact the AAA server? I think spanning tree may be cutting off links; that said, there should still be enough redundant links to be followed.
Kind Regards,
Daniel Growth

Hello,

 

S1 is your HSRP active switch, that is probably the reason it is going through 1.1.1.1. You can manipulate the OSPF path by changing the cost of an interface, you might want to give that a try...

Would this explain why TACACS+ is not communicating with all the switches?
Kind Regards,
Daniel Growth