08-22-2019 11:21 PM - edited 08-22-2019 11:30 PM
The ASA does not seem to be doing ROUTING.
4507 and 3850 do not ping.
I attach the CONFIG_SCRIPT.
Do you know the cause ??
Please help me.
I did not find the cause.
I only believe you.
Solved! Go to Solution.
09-22-2019 09:40 PM
08-22-2019 11:52 PM
Hello,
you have posted only a partial configuration. Make sure you have:
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
configured.
If that doesn't work, post the full configuration.
08-23-2019 12:34 AM - edited 08-23-2019 12:35 AM
Thank you for reply.
I configured the command in the instrument but the result is the same...
08-22-2019 11:56 PM - edited 08-23-2019 12:00 AM
Hello Snika,
you are using redundant interfaces on the ASA.
For example you create the OA (outside aggregate )
interface Redundant1
member-interface GigabitEthernet1/1
member-interface GigabitEthernet1/2
nameif OA
security-level 0
ip address 192.168.94.11
!
Then you have a default static route using OA interface
route OA 0.0.0.0 0.0.0.0 192.168.94.1
Then looking at the C4500 switches configuration we find the following interfaces declared as connected to ASA member interfaces of OA:
C4500-1:
interface GigabitEthernet7/46
description 3F_MDF_OA_ASA5508(gi1/1)
spanning-tree portfast edge
!
C4500-2:
interface GigabitEthernet7/46
description 3F_MDF_OA_ASA5508(gi1/2)
spanning-tree portfast edge
!
Note: with this configuration C4500-1:gi7/46 and C4500-2:gi7/46 are access ports in Vlan 1 ( default).
C4500-1:
interface Vlan1 |
ip address 192.168.94.2 255.255.255.0 |
standby 1 ip 192.168.94.1 |
standby 1 priority 200 |
standby 1 preempt delay minimum 300 |
!
C4500-2:
interface Vlan1
For this setup to work well C4500-1 must be the root bridge for Vlan 1. the ASA must participate in STP.
|
This is actually configured we see:
C4500-1:
spanning-tree vlan 1-4094 priority 4096
C4500-2:
spanning-tree vlan 1-4094 priority 8192
I do not see any STP configuration on ASA.
check with show spanning-tree on ASA if a form of STP is running on it.
The same reasoning applies to the FA redundant interface on the ASA
interface Redundant2
member-interface GigabitEthernet1/7
member-interface GigabitEthernet1/8
nameif FA
security-level 0
ip address 192.168.247.11
!
route FA 192.168.0.0 255.255.255.0 192.168.247.1
Now we look at the C3850 switches
C3850-1
spanning-tree vlan 1-4094 priority 4096
ip routing
interface GigabitEthernet1/0/24
description ASA-g1/7
spanning-tree portfast edge
interface vlan1
ip address 192.168.247.2 255.255.255.0
standby 1 ip 192.168.247.1
standby 1 priority 200
standby 1 preempt delay minimum 300
!
C3850-2
spanning-tree vlan 1-4094 priority 8192
ip routing
interface GigabitEthernet1/0/24
description ASA-g1/8
spanning-tree portfast edge
!
interface vlan1
ip address 192.168.247.3 255.255.255.0
standby 1 ip 192.168.247.1
standby 1 preempt delay minimum 300
!
The switches configuration looks like fine C3850-1 is root bridge for vlan 1 and it is the HSRP active router.
Question:
there is a L2 trunk between C4500-1 and C4500-2 ?
and there is a L2 trunk between C3850-1 and C3850-2 ?
For example on C3850-1, C3850-2 there is a port-channel 1 using ports gi1/0/13 and gi1/0/14 mode on.
On C4500-1, C4500-2 I see a port-channel 1 mode on trunk on gi1/23, gi1/24.
Can you confirm these are the inter switch port channels ?
Can you ping IP 192.168.247.1 on interface FA?
Can you ping IP 192.168.94.1 on interface OA on the ASA?
Again STP should be running on ASA to make this setup to work. Check if it is active.
If it is not you need to enable it.
Edit:
Georg is right either change the security level on FA to a value different from zero or enable the commands proposed by Georg.
By default an ASA does not allow communication between interfaces with same security levels (unless you are using a firepower device in this case security-level is set to 0 but it is ignored)
Hope to help
Giuseppe
08-23-2019 12:40 AM
Thank you for reply.
I answer your question.
As far as I know, the ASA does not support STP.
Because the ASA doesn't have the "show spanning-tree" command itself.
there is a L2 trunk between C4500-1 and C4500-2 ? YES
and there is a L2 trunk between C3850-1 and C3850-2 ? YES
For example on C3850-1, C3850-2 there is a port-channel 1 using ports gi1/0/13 and gi1/0/14 mode on.
On C4500-1, C4500-2 I see a port-channel 1 mode on trunk on gi1/23, gi1/24.
Can you confirm these are the inter switch port channels ? YES
Can you ping IP 192.168.247.1 on interface FA? YES
Can you ping IP 192.168.94.1 on interface OA on the ASA? YES
Again STP should be running on ASA to make this setup to work. Check if it is active.
If it is not you need to enable it. HOW?
08-23-2019 01:04 AM
Hello,
can you post model and SW version of the ASA ?
a
show version
can be helpful.
Can you ping IP 192.168.247.1 on interface FA? YES
Can you ping IP 192.168.94.1 on interface OA on the ASA? YES
if you have basic connectivity working and you have also configured to allow traffic between interfaces with same security level it should work.
Hope to help
Giuseppe
08-24-2019 04:07 AM - edited 08-24-2019 04:09 AM
version : asa984-8-lfbff-k8
The attached script is missing commend but cofigured "same security level" later.
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
08-24-2019 04:16 AM
Hello,
post the full running configuration of the ASA...
08-24-2019 04:32 AM
08-24-2019 04:41 AM
Hello,
I don't see:
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
in the configuration...?
08-24-2019 05:48 AM - edited 08-24-2019 06:04 AM
Yes. The attached config is not included but I have "same security level" is configured
Is there any other problem? Is there a problem with routing?
08-24-2019 06:03 AM
08-24-2019 08:31 AM - edited 08-24-2019 08:33 AM
Hello Snika,
I see the ASA whole configuration.
Now you have the correct settings to allow traffic between interfaces with same security level.
>> same-security-traffic permit inter-interface
>>same-security-traffic permit intra-interface
I wonder about your internal static route:
You have configured the following:
>> route FA 192.168.0.0 255.255.255.0 192.168.247.1 1
This allows you to route packets for 192.168.0.0/24 to the internal C3850 switches.
Now, I think this subnet mask may be too much specific.
If you want to route traffic traffic to internal switches for multiple 192.168.x.0/24 you would need the following static route:
route FA 192.168.0.0 255.255.0.0 192.168.247.1 1
You haven't provided the full configuration of internal switches C3850 but it is unlike that you have only subnet 192.168.0.0/24 behind them.
Hope to help
Giuseppe
08-24-2019 09:00 AM
If I am understanding this discussion correctly the problem is that ping is not working. The suggestion is that it is a failure of routing. I would suggest that it is not a problem with routing. If the switches attempt some other type of communication, perhaps something like SSH from one to another I believe that it would work. This is because I believe that that problem with ping is that by default the ASA does not inspect icmp and so does not recognize the ping traffic. If the original poster will add inspect icmp to the policy map I believe that ping will begin to work.
HTH
Rick
08-24-2019 09:10 AM
Hello Rick,
so the original poster should add an inspect icmp in the following configuration:
>> policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
Very good note.
Best Regards
Giuseppe
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide