Routing ASA to ISR to Switch

Senbonzakura
Level 1

The current ASA configuration is working for Internet access for the 192.168.10.0 network, but I want the others to work as well.

So what I want to do next is feed the Firewall to the ISR which is then feeding my switch.

On my Firewall on E0/2 I have 192.168.200.1 255.255.255.252 configured.

On my Router Interface G0/1 that is connected to the Firewall I have 192.168.200.2 255.255.255.252

On my Router Interface G0/0.1 that is connected to my switch I have 192.168.80.1 255.255.255.0 (encapsulation dot1Q 200, for VLAN 200).

Then on my Switch that's feeding the Router I have:

Switchport mode trunk

Switchport trunk allowed vlan 200

no shut

VLAN 200 has an IP of 192.168.80.2 255.255.255.0 on the switch which is port G1/0/40

Port G1/0/39 is configured as an access port, of course.

How would I get the Internet through the firewall to the switch's VLAN statically? I'm not sure what the routing table should be for the firewall and for the ISR to the switch.

Below is the ASA configuration

ASA Version 8.2(5)59
!
hostname ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
description WAN
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/1
description LAN
nameif inside
security-level 100
ip address 192.168.50.1 255.255.255.0
!
interface Ethernet0/2
description ISR
nameif inside-ISR
security-level 100
ip address 192.168.200.1 255.255.255.252
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
description ASDM GUI
nameif management
security-level 100
ip address 192.168.100.2 255.255.255.0
management-only
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network inside-subnet
object-group network obj_ISR
object-group network management_any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu inside-ISR 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route inside-ISR 192.168.200.0 255.255.255.0 10.0.0.1 1
route inside-ISR 192.168.200.0 255.255.255.0 192.168.200.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.100.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.50.10-192.168.50.254 inside
dhcpd dns 75.75.75.75 75.75.76.76 interface inside
dhcpd enable inside
!
dhcpd address 192.168.100.10-192.168.100.254 management
dhcpd dns 75.75.75.75 75.75.76.76 interface management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:77cfb5a40d21d93057330e405e354625
: end


Below is the router's configuration

Current configuration : 1291 bytes
!
! Last configuration change at 20:19:14 UTC Thu Apr 2 2020
!
version 15.7
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
memory-size iomem 25
!
!
!
!
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1921/K9 sn FTX18508441
!
!
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.1
encapsulation dot1Q 200
ip address 192.168.80.1 255.255.255.0
!
interface GigabitEthernet0/1
description ISR-ASA
ip address 192.168.200.2 255.255.255.252
duplex auto
speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.200.1
ip route 192.168.80.0 255.255.255.0 192.168.200.0
ip route 192.168.80.0 255.255.255.0 192.168.200.1
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login
transport input none
!
scheduler allocate 20000 1000
!
end


Abzal
Level 7

On the ASA you will need to configure a static route back to your LAN subnet like this:

route inside-ISR 192.168.80.0 255.255.255.0 192.168.200.2

 

If your firewall is connected to the ISP providing you the Internet then configure PAT on the ASA and an ACL:

nat (inside-ISR) 1 192.168.80.0 255.255.255.0

global (outside) 1 interface

 

access-list acl_out permit ip any any

access-group acl_out in interface outside

Best regards,
Abzal

Richard Burts
Hall of Fame

There are several issues to be addressed. I see these static routes on the ASA

route inside-ISR 192.168.200.0 255.255.255.0 10.0.0.1 1
route inside-ISR 192.168.200.0 255.255.255.0 192.168.200.2 1

Since 192.168.200.0 is on a connected interface you do not need either of these static routes. And I am very puzzled at the first one which specifies a next hop of 10.0.0.1. Where is that address supposed to be?


I do not see any static route for the network you want to reach inside, 192.168.80.0. That needs to be added.

 

I do not see any address translation configured on the ASA (not for the original inside subnet and not for the new subnet). You need to add address translation to the configuration of the ASA.

 

Your description of the environment says that the inside network is 192.168.10.0 but the configuration says that it is 192.168.50.0.

 

On the router I see these static routes

ip route 192.168.80.0 255.255.255.0 192.168.200.0
ip route 192.168.80.0 255.255.255.0 192.168.200.1

Since 192.168.80.0 is a connected subnet you do not need either of those static routes. And the first static route specified an invalid next hop. Both of these static routes should be removed.

HTH

Rick

Yeah, it got messy so I cleared the configuration and pretty much just did it over again.

The 10.0.0.1 is from the ISP. The E0/0 is set to be assigned from the modem which is doing DHCP; I believe that's why I have ip address dhcp setroute configured on it. I removed all of those routes that you mentioned because they didn't make any sense, as you mentioned.

Based on the current addresses for the interfaces, what routes should I have in place for the hops?

I'm not sure how to configure the address translation for the other networks.

 

Also, do I even need to add a route to the outside or does the address translation automatically do that?

 

192.168.200.1 - .2 255.255.255.252 is for the connection between the ASA and ISR then 192.168.80.0 network is for the VLAN on the switch.

If you assign e0/0 a static address from the ISP then they should've provided you a default gateway to the outside world, for example 10.0.0.2.

Let's say default gateway is 10.0.0.2 and e0/0 IP is 10.0.0.1 then ip route would look like this:

route outside 0.0.0.0 0.0.0.0 10.0.0.2 1

This would be your default route from the ASA to the Internet.

Because your 192.168.80.0/24 is behind the router you'll need a static route for that too:

route inside-ISR 192.168.80.0 255.255.255.0 192.168.200.2 1

192.168.80.0/24 is a directly connected subnet on your router so no static route is needed there.

Regarding NAT you can either NAT everything to the outside interface coming from the router:

global (outside) 1 interface
nat (inside-ISR) 1 0.0.0.0 0.0.0.0

or put an ACL:

access-list LAN extended permit ip 192.168.80.0 255.255.255.0 any
nat (inside-ISR) 1 access-list LAN
global (outside) 1 interface
Best regards,
Abzal

Thank you for clarifying that 10.0.0.1 is the address of the ISP. Since you are using this configuration

ip address dhcp setroute

it takes care of the address on the interface and also takes care of the default route so you do not need to configure a default route. The address translation does not take care of this. You would need to configure a static route on the ASA for the 192.168.80.0 network which is reached via the router. That would be the only route you need to configure on the ASA. On the router you would want a static default route with the ASA as the next hop.

HTH

Rick

Okay, thank you so much for your help :) Now just a few last questions and then we will be all set.

If I wasn't using an ISR, how else would I configure routing for VLAN traffic from my switches after it's been configured on the switch? What would the process and commands be?

 

Also, when I configure the commands below, do all the networks need to be under the same network object or does each network have its own network object?

object network <anyname>

subnet 192.168.50.0 255.255.255.0

nat (inside,outside) dynamic interface

ISR Configuration

Building configuration...

Current configuration : 1345 bytes
!
! Last configuration change at 23:38:38 UTC Fri Apr 3 2020
!
version 15.7
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
memory-size iomem 25
!
!
!
!
!
!
!
!
!
!
ip dhcp pool MYPOOL1
network 192.168.80.0 255.255.255.0
default-router 192.168.80.1
dns-server 75.75.75.75 75.75.76.76
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1921/K9 sn FTX18508441
!
!
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 192.168.200.2 255.255.255.252
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/1.1
encapsulation dot1Q 80
ip address 192.168.80.1 255.255.255.0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.200.1
ip route 192.168.80.0 255.255.255.0 192.168.200.1
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login
transport input none
!
scheduler allocate 20000 1000
!
end

ASA Configuration

 

ASA# show run
: Saved
:
: Serial Number: JMX0949K0DM
: Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
:
ASA Version 9.1(7)32
!
hostname ASA
domain-name www.domain.com
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
description WAN
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/1
description Inside-Ruckus
nameif Inside-Ruckus
security-level 100
ip address 192.168.50.1 255.255.255.0
!
interface Ethernet0/2
description ISR
nameif Inside-ISR
security-level 100
ip address 192.168.200.1 255.255.255.252
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 0
ip address 192.168.100.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
domain-name www.domain.com
object network inside-subnet
subnet 192.168.50.0 255.255.255.0
object network obj_isr
subnet 192.168.200.0 255.255.255.252
pager lines 24
mtu outside 1500
mtu Inside-Ruckus 1500
mtu management 1500
mtu Inside-ISR 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network inside-subnet
nat (Inside-Ruckus,outside) dynamic interface
object network obj_isr
nat (Inside-ISR,outside) dynamic interface
route Inside-ISR 192.168.80.0 255.255.255.0 192.168.200.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.100.2 255.255.255.255 management
no snmp-server location
no snmp-server contact
no service password-recovery
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.50.10-192.168.50.254 Inside-Ruckus
dhcpd dns 75.75.75.75 75.75.76.76 interface Inside-Ruckus
dhcpd enable Inside-Ruckus
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d2d0a835adbef41de0882854d761d1c2
: end

I'm getting Internet only out of my E0/1 port but not the switch that's connected to the ISR. I believe I went through and fixed it all. Take a look at it and tell me if there is anything else that I need to add?

If you did not have the ISR router it would be possible to connect the switch directly to the ASA. If the switch has just a single vlan it would make sense to connect an access port on the switch (a port in that vlan) to the ASA interface. If you connect this way you would change the IP address configured on the ASA interface from 192.168.200.1 to 192.168.80.1 with the /24 mask. You would configure a DHCP pool for that network. And you would remove the static route to that network:

route Inside-ISR 192.168.80.0 255.255.255.0 192.168.200.2 1

You would need to create an object for network 192.168.80.0 and would need to configure a nat for it.


But I see that the current router to switch connection is a trunk which suggests that the switch has multiple vlans. If you want to connect the switch to the ASA using a trunk that can be done. You would change the ASA interface configuration to indicate that it is connected to a trunk and would identify the appropriate vlan, and the ASA would process the dot1Q encapsulation. You would still do the other things that I described (remove the static route, create the object and configure the nat).

 

You also ask about configuring network objects. Sometimes it is convenient to configure a network object that has multiple networks in it. Other times it is convenient to configure a network object with just a single network in it.

 

Looking through the configs I have these comments and suggestions

- you have this static route on the router

ip route 192.168.80.0 255.255.255.0 192.168.200.1

That network is a connected network so you do not need a static route for it. And I do not understand why you put the ASA as the next hop to reach that network. You should remove this static route.

- the ASA has an object and a nat for the 192.168.200.0 network

object network obj_isr
nat (Inside-ISR,outside) dynamic interface

I do not know why you are doing a translate for this network. This network is just a transit connection between the ASA and the router. Why would anything with a source address in 192.168.200.0 be going to the Internet? I don't think this hurts anything, but I don't see it as helping anything.

- the ASA does not have an object and does not have a nat for the 192.168.80.0 network. You need to configure these. This is the main reason that network can not get to the Internet.

HTH

Rick
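As an added example (not code from this thread, from Cisco, or from either poster), a small Python lint that applies Rick's checks to the posted configs: static routes that duplicate a connected network, next hops that are not valid host addresses on a connected link, and inside networks with no NAT object. The sample text is constructed from the ASA lines posted above; the exclusion of /30 transit links from the NAT check and the treatment of DHCP-addressed interfaces as unknown are my assumptions.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Constructed sample: the ASA interfaces, NAT object and static routes as posted
# in this thread (routes from the 8.2 config, the object from the 9.1 one).
ASA_CFG = """\
interface Ethernet0/1
 ip address 192.168.50.1 255.255.255.0
interface Ethernet0/2
 ip address 192.168.200.1 255.255.255.252
object network inside-subnet
 subnet 192.168.50.0 255.255.255.0
 nat (Inside-Ruckus,outside) dynamic interface
route Inside-ISR 192.168.200.0 255.255.255.0 10.0.0.1 1
route Inside-ISR 192.168.200.0 255.255.255.0 192.168.200.2 1
route Inside-ISR 192.168.80.0 255.255.255.0 192.168.200.2 1
"""

def parse(cfg):
    """Pull interfaces, NAT objects and static routes out of ASA or IOS text."""
    d = {"connected": [], "routes": [], "objects": {}, "natted": set()}
    obj = None  # subnet/nat lines are taken to belong to the last object header
    for line in cfg.splitlines():
        t = line.split()
        if t[:1] == ["ip"]:
            t = t[1:]  # IOS "ip route" / "ip address" -> same keyword as ASA
        if t[:1] == ["address"] and len(t) > 2 and t[1] != "dhcp":
            d["connected"].append(ip_interface(f"{t[1]}/{t[2]}"))
        elif t[:2] == ["object", "network"]:
            obj = t[2]
        elif t[:1] == ["subnet"]:
            d["objects"][obj] = ip_network(f"{t[1]}/{t[2]}")
        elif t[:1] == ["nat"] and obj:
            d["natted"].add(obj)
        elif t[:1] == ["route"]:
            t = t[1:] if t[1][0].isdigit() else t[2:]  # ASA form names an interface
            d["routes"].append((ip_network(f"{t[0]}/{t[1]}", strict=False), ip_address(t[2])))
    return d

def lint(cfg, check_nat=True):
    """Return the problems raised in the thread: bad routes and missing NAT."""
    d = parse(cfg)
    nets = [i.network for i in d["connected"]]
    out, bad = [], set()
    for dest, nh in d["routes"]:
        conn = next((n for n in nets if dest.overlaps(n)), None)
        if dest.prefixlen and conn:  # a default route is allowed to overlap
            out.append(f"route {dest}: overlaps connected {conn}, remove it")
            bad.add(dest)
        link = next((n for n in nets if nh in n), None)
        if link is None:  # DHCP-addressed (outside) interfaces are not parsed
            out.append(f"route {dest}: next hop {nh} is not on a connected subnet")
        elif nh in (link.network_address, link.broadcast_address):
            out.append(f"route {dest}: next hop {nh} is not a host address")
    # user networks (connected or routed, not /30 transit links or the default
    # route) need a NAT object on the ASA to reach the Internet via outside
    inside = dict.fromkeys(nets + [x for x, _ in d["routes"] if x not in bad])
    done = [d["objects"][o] for o in d["natted"] if o in d["objects"]]
    for n in inside if check_nat else []:
        if 0 < n.prefixlen < 30 and not any(n.subnet_of(t) for t in done):
            out.append(f"network {n}: no NAT object translates it to outside")
    return out
```

Running lint(ASA_CFG) reports the two 192.168.200.0/24 routes, the 10.0.0.1 next hop and the missing NAT for 192.168.80.0/24; pass check_nat=False when feeding it the router's config, since NAT lives on the ASA.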

Thank you for everything, it works perfectly. Now, the reason why I'm using the ISR is for learning purposes, and I'm trying something newer like running HSRP and configuring two ISRs for redundancy after the firewall, just to try something new.

 

Now I'll mark yours as the resolution, just have one more question. What would be the process/commands for configuring the ports on the ASA if I was to connect them to a switch for making it a trunk port and allowing VLAN traffic like I would on the ISR? I haven't learned that yet but that would help me :) Thank you once again.
