routing issue with ASA 525 and L3 switch 3560

oelolemy1979
Level 1

Dear experts,

I would appreciate your kind support with the following, as it is currently affecting my production network. Our core switch is currently connected to an ASA.

3 VLANs have been configured on the core switch:

vlan 1 - 10.232.103.1 /22 -- inside network

vlan  3 - 10.232.116.1/22 --

vlan 4 - 10.232.128.1 /22 - guest

vlan 1 and vlan 3 should be routed to the default gateway of the ASA inside interface, 10.232.132.1 /22.

vlan 4 should be the guest network and should be completely isolated from the other vlans; guests on that vlan should have internet access only, without being able to access the inside LAN network.

So I configured PBR on the core switch as follows.

switch config

----------------------

interface FastEthernet0/1
description to ASA inside interface ethernet1
no switchport

interface FastEthernet0/12
description to ASA remguest interface ethernet 3
switchport mode access
switchport access vlan 10

interface Vlan1
ip address 10.232.103.1 255.255.252.0
!
interface Vlan4
ip address 10.232.128.1 255.255.252.0
  ip policy route-map bar

interface Vlan10
ip address 10.232.108.2 255.255.252.0

ip route 0.0.0.0 0.0.0.0 10.232.132.1

ip access-list extended bar
deny   ip 10.232.128.0 0.0.3.255 10.232.0.0 0.0.255.255
deny   ip any 10.232.128.0 0.0.3.255
permit ip 10.232.108.0 0.0.3.255 10.232.128.0 0.0.3.255
permit ip 10.232.128.0 0.0.3.255 any

route-map bar permit 10
match ip address bar
set ip next-hop 10.232.108.1
!

ASA config

========

route inside 10.232.128.0 255.255.252.0 10.232.108.2 1
route inside 10.232.100.0 255.255.252.0 10.232.132.2 1
============================

But when I ping 10.232.108.1 (the ASA remguest interface) using source 10.232.128.1 (vlan 4), the ping does not work. I applied the PBR once on vlan 4 only and

then on both routed vlan interfaces, vlan 10 and vlan 4, and still cannot reach the firewall.

------------------------
Although, when you look at the debug ip policy output below, the PBR seems to be working:


01:09:12: IP: s=10.232.128.1 (local), d=10.232.108.1, len 100, policy match
01:09:12: IP: route map bar, item 10, permit
01:09:12: IP: s=10.232.128.1 (local), d=10.232.108.1 (Vlan10), len 100, policy routed <<<<<<<<<<<<<<<<<<<<<<<<<
01:09:12: IP: local to Vlan10 10.232.108.1
================
Switch#sh route
Switch#sh route-map bar
route-map bar, permit, sequence 10
  Match clauses:
    ip address (access-lists): bar
  Set clauses:
    ip next-hop 10.232.108.1
  Policy routing matches: 543 packets, 55620 bytes <<<<<<<<<<<<<<<<<<<<<<<


Switch#ping 10.232.108.2 source 10.232.128.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.232.108.2, timeout is 2 seconds:
Packet sent with a source address of 10.232.128.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Switch#ping 10.232.108.1 sou
Switch#ping 10.232.108.1 source 10.232.128.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.232.108.1, timeout is 2 seconds:
Packet sent with a source address of 10.232.128.1
.....
Success rate is 0 percent (0/5)


Any help or advice would be much appreciated.
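An added example (not part of the original post) that models how an IOS L3 switch treats the ACL "bar" above when it is referenced by a route-map: a "permit" match triggers the set clause, while a "deny" match or no match only means "do not policy-route", after which the packet is forwarded by the normal routing table rather than dropped. The script applies the posted ACL, SVIs and static default to a few constructed guest/inside flows, and contrasts it with a constructed inbound access-group on the guest SVI (not in the post), where "deny" does mean drop. The host addresses, the VLAN names used for ingress, and the guest-in ACL are assumptions for the demo; the IOS evaluation order it relies on (inbound access-group, then PBR, then RIB lookup) is the general behaviour, not taken from the thread.

```python
import ipaddress

# Added example (not from the thread): model of IOS ACL matching, PBR fall-through
# and RIB lookup for the switch config posted above. Prefixes and next hops come
# from the post; ACL_GUEST_IN and the sample host addresses are constructed.

ANY = ("0.0.0.0", "255.255.255.255")

def wildcard_match(addr, network, wildcard):
    """IOS wildcard-mask match: bits set in the wildcard are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

# Extended ACL "bar" exactly as posted: (action, src, src-wildcard, dst, dst-wildcard)
ACL_BAR = [
    ("deny",   "10.232.128.0", "0.0.3.255", "10.232.0.0",   "0.0.255.255"),
    ("deny",   *ANY,                        "10.232.128.0", "0.0.3.255"),
    ("permit", "10.232.108.0", "0.0.3.255", "10.232.128.0", "0.0.3.255"),
    ("permit", "10.232.128.0", "0.0.3.255", *ANY),
]

# Constructed guest-ingress filter (assumption, not in the post): let guest hosts
# reach the remguest link, drop everything else inside 10.232.0.0/16, allow the rest.
ACL_GUEST_IN = [
    ("permit", "10.232.128.0", "0.0.3.255", "10.232.108.0", "0.0.3.255"),
    ("deny",   "10.232.128.0", "0.0.3.255", "10.232.0.0",   "0.0.255.255"),
    ("permit", "10.232.128.0", "0.0.3.255", *ANY),
]

def acl_lookup(acl, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, s, swc, d, dwc in acl:
        if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return action
    return "deny"

# Routing table the posted config produces: connected SVIs plus the static default.
RIB = [
    (ipaddress.ip_network("10.232.100.0/22"), "connected Vlan1"),
    (ipaddress.ip_network("10.232.128.0/22"), "connected Vlan4"),
    (ipaddress.ip_network("10.232.108.0/22"), "connected Vlan10"),
    (ipaddress.ip_network("0.0.0.0/0"),       "next-hop 10.232.132.1"),
]

def rib_lookup(dst):
    """Longest-prefix match over the RIB."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in RIB if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]

def forward(ingress_vlan, src, dst, pbr_vlans=("Vlan4",), guest_acl=False):
    """Return where the switch sends a packet received on ingress_vlan, or a drop.
    An inbound access-group is evaluated before policy routing, and PBR before
    the normal RIB lookup."""
    if guest_acl and ingress_vlan == "Vlan4":
        if acl_lookup(ACL_GUEST_IN, src, dst) == "deny":
            return "DROPPED by ip access-group on Vlan4"   # access-group deny = drop
    if ingress_vlan in pbr_vlans and acl_lookup(ACL_BAR, src, dst) == "permit":
        return "policy-routed to next-hop 10.232.108.1"    # route-map set clause
    # A PBR 'deny' (or no match) is not a drop: the packet falls through to the RIB.
    return "normal routing: " + rib_lookup(dst)

if __name__ == "__main__":
    cases = [("Vlan4", "10.232.128.50", "198.51.100.10"),   # guest -> internet
             ("Vlan4", "10.232.128.50", "10.232.103.20"),   # guest -> inside host
             ("Vlan1", "10.232.103.20", "10.232.128.50")]   # inside -> guest host
    for case in cases:
        print(case, "| PBR only:", forward(*case),
              "| with guest-in ACL:", forward(*case, guest_acl=True))
```

Two things the model makes visible about the posted ACL: a guest-to-inside packet hits the first deny entry, so it is not policy-routed and is then delivered over the directly connected Vlan1, which means PBR alone does not isolate the guest VLAN; and the third entry (permit from 10.232.108.0/22 to the guest subnet) is never reached, because the second entry already matches any source to that destination. Isolation comes from a filter with drop semantics on the guest SVI, which the constructed ACL_GUEST_IN stands in for here.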

1 Reply

Mathias Garcia
Level 1

You don't show any of the ASA config. (I wasn't aware that there was such a thing as an asa525.)

Is it configured to allow ping?

Have you tried to ping from the ASA to the switch? Start with the link IP (vlan10), then onwards.

Then I'm wondering about the following line for the switch:

ip route 0.0.0.0 0.0.0.0 10.232.132.1

You don't show any interface in that subnet. (But it shouldn't be related to the PBR issue anyway.)