12-08-2019 03:13 AM - edited 12-08-2019 07:19 AM
Hi All,
I have had a few issues with my Packet Tracer network recently. I am also unable to ping my corporate LAN through my firewall.
The next main issue is I need to configure AAA on my layer 3 switches. I feel like they are only acting as layer 2.
If you could take a look at my packet tracer file and try to troubleshoot with me it would be great.
The username is admin and the password is cisco.
As a requirement I need all switches to use the radius/tacacs server 10.10.15.7 and have the option to use local if the server is down.
Traffic needs to travel from the lower networks through the firewall and back.
Another issue I have encountered is HSRP complaining that the standby states are incorrect or that the IPs are not set correctly.
Thanks in advance!
12-11-2019 10:02 AM
12-11-2019 11:19 AM
admin/cisco don't work.
On the ASA, try and configure OSPF as below:
router ospf 1
! ASA takes a subnet mask here, not an IOS-style wildcard mask
network 1.1.1.1 255.255.255.255 area 0
network 2.2.2.1 255.255.255.255 area 0
network 192.168.1.1 255.255.255.255 area 0
default-information originate
12-11-2019 11:21 AM
12-11-2019 11:30 AM
12-11-2019 10:07 AM
12-11-2019 11:02 AM
Hello,
the ASA, S1 and S2 should only communicate via OSPF. You need to troubleshoot why the OSPF neighbors are not established between these three devices...
12-11-2019 11:04 AM
12-11-2019 12:19 PM
Hello,
with the configs below, I have full connectivity:
ASA
ASA Version 9.6(1)
!
hostname firewall-asa
domain-name wr
enable password 4IncP7vTjpaba2aF encrypted
names
!
interface Port-channel1
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/1
nameif OUTBOUND
security-level 0
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/2
description Link to S1
nameif INBOUND
security-level 100
ip address 1.1.1.1 255.0.0.0
!
interface GigabitEthernet1/3
description Link to S2
nameif inside2
security-level 100
ip address 2.2.2.1 255.0.0.0
!
interface GigabitEthernet1/4
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/5
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/6
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/7
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/8
no nameif
security-level 0
no ip address
channel-group 1 mode on
shutdown
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
object network inside-subnet
subnet 10.10.15.0 255.255.255.224
!
route OUTBOUND 0.0.0.0 0.0.0.0 192.168.1.2 1
!
access-list INBOUND extended permit ip any any
!
access-group INBOUND in interface OUTBOUND
access-group INBOUND in interface INBOUND
access-group INBOUND in interface inside2
!
object network inside-subnet
nat (INBOUND,OUTBOUND) dynamic interface
!
aaa authentication ssh console LOCAL
!
ntp server 10.10.15.7
!
username admin password 4IncP7vTjpaba2aF encrypted
!
class-map inspection_default
!
policy-map global_policy
class inspection_default
inspect icmp
!
telnet timeout 5
ssh timeout 5
!
router ospf 1
log-adjacency-changes
network 1.1.1.1 255.255.255.255 area 0
network 2.2.2.1 255.255.255.255 area 0
network 192.168.1.1 255.255.255.255 area 0
S1
version 16.3.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
!
hostname S1
!
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
aaa new-model
!
aaa authentication login tacacs+ group tacacs+ local
!
no ip cef
ip routing
!
no ipv6 cef
!
username admin privilege 15 secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
username user secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
ip ssh version 2
no ip domain-lookup
ip domain-name AE
!
spanning-tree mode rapid-pvst
!
interface Port-channel1
switchport trunk allowed vlan 10,15,20
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
no switchport
ip address 1.1.1.2 255.0.0.0
duplex auto
speed auto
!
interface GigabitEthernet1/0/3
switchport trunk allowed vlan 10,15,20
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode active
!
interface GigabitEthernet1/0/4
switchport trunk allowed vlan 10,15,20
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode active
!
interface GigabitEthernet1/0/5
switchport trunk allowed vlan 10,15,20
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/6
switchport trunk allowed vlan 10,15,20
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/7
switchport trunk allowed vlan 10,15,20
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/8
switchport trunk allowed vlan 10,15,20
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
description Dev_VLAN
mac-address 0030.a3d7.7d01
ip address 10.10.10.1 255.255.255.192
standby 10 ip 10.10.10.12
standby 10 priority 110
standby 10 preempt
!
interface Vlan15
description Mgmt_VLAN
mac-address 0030.a3d7.7d02
ip address 10.10.15.1 255.255.255.224
standby 15 ip 10.10.15.12
standby 15 priority 110
standby 15 preempt
!
interface Vlan20
description VSAN_Vlan
mac-address 0030.a3d7.7d03
ip address 10.10.20.1 255.255.255.0
standby 20 ip 10.10.20.12
standby 20 priority 110
standby 20 preempt
!
router ospf 1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
ip classless
!
ip flow-export version 9
!
tacacs-server host 10.10.15.7 key cisco
!
line con 0
password 7 0822455D0A16
logging synchronous
login authentication tacacs+
!
line aux 0
password 7 0822455D0A16
logging synchronous
!
line vty 0 4
password 7 0822455D0A16
logging synchronous
login authentication tacacs+
transport input ssh
line vty 5 15
login authentication tacacs+
transport input ssh
!
ntp authenticate
ntp trusted-key 12345
ntp server 10.10.10.7
!
end
S2
Building configuration...
Current configuration : 3316 bytes
!
version 16.3.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname S2
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
aaa new-model
!
aaa authentication login tacacs+ group tacacs+ local
!
no ip cef
ip routing
!
no ipv6 cef
!
username admin privilege 15 secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
username user secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
ip ssh version 2
no ip domain-lookup
ip domain-name AE
!
spanning-tree mode rapid-pvst
!
interface Port-channel1
switchport trunk allowed vlan 10,15,20
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet1/0/2
no switchport
ip address 2.2.2.2 255.0.0.0
duplex auto
speed auto
!
interface GigabitEthernet1/0/3
switchport trunk allowed vlan 10,15,20
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode active
!
interface GigabitEthernet1/0/4
switchport trunk allowed vlan 10,15,20
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode active
!
interface GigabitEthernet1/0/5
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/6
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/7
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/8
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
description Dev_VLAN
mac-address 0010.11c3.0601
ip address 10.10.10.2 255.255.255.192
standby 10 ip 10.10.10.12
!
interface Vlan15
description Mgmt_VLAN
mac-address 0010.11c3.0602
ip address 10.10.15.2 255.255.255.224
standby 15 ip 10.10.15.12
!
interface Vlan20
description VSAN_Vlan
mac-address 0010.11c3.0603
ip address 10.10.20.2 255.255.255.0
standby 20 ip 10.10.20.12
!
router ospf 1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
ip classless
!
ip flow-export version 9
!
tacacs-server host 10.10.15.7 key cisco
!
line con 0
password 7 0822455D0A16
logging synchronous
login authentication tacacs+
!
line aux 0
password 7 0822455D0A16
logging synchronous
!
line vty 0 4
password 7 0822455D0A16
logging synchronous
login authentication tacacs+
transport input ssh
line vty 5 15
login authentication tacacs+
transport input ssh
!
ntp authenticate
ntp trusted-key 12345
ntp server 10.10.10.7
!
end
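The opening post requires every switch to authenticate against 10.10.15.7 and fall back to local when the server is down; the S1 and S2 configs above do this with "aaa authentication login tacacs+ group tacacs+ local", but "line aux 0" on both switches never references that list. As an added example that is not part of this thread or of any Cisco tool, here is a small Python check that parses an IOS running-config and reports such gaps; the sample config is constructed from the S1 lines above, and the function and message names are my own.

```python
import re

# Constructed sample modelled on the S1 config above: the aux line carries only a
# password and no "login authentication" statement, exactly as posted.
S1_SAMPLE = """\
aaa new-model
aaa authentication login tacacs+ group tacacs+ local
tacacs-server host 10.10.15.7 key cisco
line con 0
 login authentication tacacs+
line aux 0
 password 7 0822455D0A16
line vty 0 4
 login authentication tacacs+
 transport input ssh
"""

def sections(cfg):
    """Group an IOS config into (header, [indented sub-lines]) blocks; '!' lines are skipped."""
    blocks = []
    for line in cfg.splitlines():
        if line.startswith("!") or not line.strip():
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def aaa_findings(cfg, server="10.10.15.7"):
    """Report gaps against 'authenticate via the AAA server, fall back to local if it is down'."""
    blocks = sections(cfg)
    heads = [h for h, _ in blocks]
    lists = {m[1]: m[2].split() for h in heads
             if (m := re.match(r"aaa authentication login (\S+) (.+)", h))}
    # Only lists that try a server group first and end with local give the required fallback.
    fallback = {n for n, ms in lists.items() if ms[0] == "group" and ms[-1] == "local"}
    out = []
    if "aaa new-model" not in heads:
        out.append("aaa new-model missing")
    if not fallback:
        out.append("no login list that tries a server group first and ends with local")
    if not any(re.match(rf"(tacacs|radius)-server host {re.escape(server)}\b", h) for h in heads):
        out.append(f"no tacacs/radius-server host {server} configured")
    for h, body in blocks:
        used = {b.split()[2] for b in body if b.startswith("login authentication ")}
        if h.startswith("line ") and not used & fallback:
            out.append(f"{h} does not use a fallback-capable login list")
    return out
```

Run aaa_findings over the full S1 and S2 running-configs to see every line that would still fall outside the server-then-local policy.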
12-11-2019 01:56 PM
12-11-2019 03:51 PM
Hello,
what did not work? Do your configurations match what I sent you, line by line? Post the configs of the ASA, S1 and S2 with the changes you have implemented...
12-12-2019 12:24 AM
Hello,
attached is the working version. Just in case the ASA did not save the correct configuration, here is what it should look like:
ASA Version 9.6(1)
!
hostname firewall-asa
domain-name wr
enable password 4IncP7vTjpaba2aF encrypted
names
!
interface Port-channel1
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/1
nameif OUTBOUND
security-level 0
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/2
description Link to S1
nameif INBOUND
security-level 100
ip address 1.1.1.1 255.0.0.0
!
interface GigabitEthernet1/3
description Link to S2
nameif inside2
security-level 100
ip address 2.2.2.1 255.0.0.0
!
interface GigabitEthernet1/4
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/5
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/6
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/7
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/8
no nameif
security-level 0
no ip address
channel-group 1 mode on
shutdown
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
object network inside-subnet
subnet 10.10.15.0 255.255.255.224
!
route OUTBOUND 0.0.0.0 0.0.0.0 192.168.1.2 1
!
access-list INBOUND extended permit ip any any
!
!
access-group INBOUND in interface OUTBOUND
object network inside-subnet
nat (INBOUND,OUTBOUND) dynamic interface
!
aaa authentication ssh console LOCAL
!
ntp server 10.10.15.7
!
username admin password 4IncP7vTjpaba2aF encrypted
!
class-map inspection_default
!
policy-map global_policy
class inspection_default
inspect icmp
!
!
telnet timeout 5
ssh timeout 5
!
!
!
!
!
router ospf 1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
network 1.1.1.1 255.255.255.255 area 0
network 2.2.2.1 255.255.255.255 area 0
default-information originate
!
firewall-asa#
12-12-2019 01:22 AM
12-12-2019 01:51 AM
Hello,
S1 is your HSRP active switch, which is probably the reason traffic is going through 1.1.1.1. You can manipulate the OSPF path by changing the cost of an interface; you might want to give that a try...
12-13-2019 08:23 AM