10-28-2013 05:36 AM - edited 03-04-2019 09:25 PM
Hi Dears,
I attached my network topology and configuration here. I configured VRF-lite on a Cisco 6500 series switch. The router and ASA are connected to the Cisco 6500 switch.
I want to ping from the router to the ASA inside subnet and also ping from the ASA to the router inside subnet. I configured EIGRP dynamic routing on the router, ASA and core switch.
The problem is that ping is not going from the router to the ASA inside network, and the same thing happens from the ASA. Is this a problem with import/export? Should I change something in my configuration?
configuration in core switch:
ip vrf asa
rd 65515:1
route-target export 65515:1
route-target import 65515:100
route-target import 65515:101
ip vrf mapas
rd 65515:100
route-target export 65515:100
route-target import 65515:101
route-target import 65515:1
!
ip vrf mapas1
rd 65515:101
route-target export 65515:101
route-target import 65515:100
route-target import 65515:1
interface GigabitEthernet1/1/2
description connecte_to_ASA_outside
switchport
switchport access vlan 1000
switchport mode access
speed 100
!
interface GigabitEthernet1/1/3
description connect-to-Router-outside
switchport
switchport access vlan 1000
switchport mode access
interface Vlan340
ip vrf forwarding mapas
ip address 10.30.40.254 255.255.255.0
!
interface Vlan344
ip vrf forwarding mapas1
ip address 10.30.44.254 255.255.255.0
interface Vlan1000
ip vrf forwarding asa
ip address 10.100.100.254 255.255.255.0
router eigrp 2008
!
address-family ipv4 vrf mapas
redistribute connected
redistribute bgp 65515 metric 128 10000 255 1 1500
network 10.30.40.0 0.0.0.255
autonomous-system 2008
exit-address-family
!
address-family ipv4 vrf mapas1
redistribute connected
redistribute bgp 65515 metric 128 10000 255 1 1500
network 10.30.44.0 0.0.0.255
autonomous-system 2008
exit-address-family
!
address-family ipv4 vrf asa
redistribute connected
redistribute bgp 65515 metric 128 10000 255 1 1500
network 10.100.100.0 0.0.0.255
autonomous-system 2008
exit-address-family
router bgp 65515
bgp log-neighbor-changes
redistribute eigrp 2008
!
address-family ipv4 vrf asa
redistribute connected
redistribute eigrp 2008
exit-address-family
!
address-family ipv4 vrf mapas
redistribute connected
redistribute eigrp 2008
exit-address-family
!
address-family ipv4 vrf mapas1
redistribute connected
redistribute eigrp 2008
exit-address-family
CORE-VSS#show ip bgp vpnv4 all
BGP table version is 31, local router ID is 172.31.40.105
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 65515:1 (default for vrf asa)
*> 10.30.40.0/24 0.0.0.0 0 32768 ?
*> 10.30.44.0/24 0.0.0.0 0 32768 ?
*> 10.100.100.0/24 0.0.0.0 0 32768 ?
Route Distinguisher: 65515:100 (default for vrf mapas)
*> 10.30.40.0/24 0.0.0.0 0 32768 ?
*> 10.30.44.0/24 0.0.0.0 0 32768 ?
*> 10.100.100.0/24 0.0.0.0 0 32768 ?
Route Distinguisher: 65515:101 (default for vrf mapas1)
*> 10.30.40.0/24 0.0.0.0 0 32768 ?
*> 10.30.44.0/24 0.0.0.0 0 32768 ?
*> 10.100.100.0/24 0.0.0.0 0 32768 ?
Route Distinguisher: 65515:102 (default for vrf mapa2)
*> 10.30.40.0/24 0.0.0.0 0 32768 ?
Network Next Hop Metric LocPrf Weight Path
*> 10.30.44.0/24 0.0.0.0 0 32768 ?
Route Distinguisher: 65515:105 (default for vrf brs)
*> 10.30.40.0/24 0.0.0.0 0 32768 ?
*> 10.30.44.0/24 0.0.0.0 0 32768 ?
Route Distinguisher: 65515:110 (default for vrf wlan1)
*> 10.30.3.0/24 0.0.0.0 0 32768 ?
CORE-VSS#
CORE-VSS#show ip route vrf mapas
Routing Table: mapas
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
C 10.30.40.0/24 is directly connected, Vlan340
L 10.30.40.254/32 is directly connected, Vlan340
B 10.30.44.0/24 is directly connected (mapas1), 00:10:33, Vlan344
L 10.30.44.254/32 is directly connected, Vlan344
B 10.100.100.0/24 is directly connected (asa), 00:10:35, Vlan1000
L 10.100.100.254/32 is directly connected, Vlan1000
CORE-VSS#
CORE-VSS#show ip route vrf mapas1
Routing Table: mapas1
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
B 10.30.40.0/24 is directly connected (mapas), 00:13:20, Vlan340
L 10.30.40.254/32 is directly connected, Vlan340
C 10.30.44.0/24 is directly connected, Vlan344
L 10.30.44.254/32 is directly connected, Vlan344
B 10.100.100.0/24 is directly connected (asa), 00:12:47, Vlan1000
L 10.100.100.254/32 is directly connected, Vlan1000
CORE-VSS#
------------------------------------------------------------------------------------------------------------------------------
Router configuration:
Router# sh runn
Building configuration...
Current configuration : 1043 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
!
!
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username risk privilege 15 password 0 cisco
!
!
!
!
!
!
!
interface FastEthernet0/0
description outside
ip address 10.100.100.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
description inside
ip address 10.30.40.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
clock rate 2000000
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
router eigrp 2008
network 10.30.40.0 0.0.0.255
network 10.100.100.0 0.0.0.255
no auto-summary
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
password cisco
login
!
scheduler allocate 20000 1000
!
end
Router#sho ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/24 is subnetted, 3 subnets
C 10.100.100.0 is directly connected, FastEthernet0/0
D 10.30.44.0 [90/28416] via 10.100.100.254, 00:11:48, FastEthernet0/0
[90/28416] via 10.100.100.2, 00:11:48, FastEthernet0/0
[90/28416] via 10.30.40.254, 00:11:48, FastEthernet0/1
C 10.30.40.0 is directly connected, FastEthern
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
ASA configuration:
ciscoasa# sh runn
: Saved
:
ASA Version 8.6(1)2
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.100.100.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.30.44.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
interface GigabitEthernet1/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa861-2-smp-k8.bin
ftp mode passive
access-list 101 extended permit ip any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
access-group 101 in interface outside
!
router eigrp 2008
no auto-summary
network 10.30.44.0 255.255.255.0
network 10.100.100.0 255.255.255.0
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
tls-proxy maximum-session 1000
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
ciscoasa# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
C 10.100.100.0 255.255.255.0 is directly connected, outside
C 10.30.44.0 255.255.255.0 is directly connected, inside
D 10.30.40.0 255.255.255.0 [90/3072] via 10.100.100.254, 0:10:59, outside
ciscoasa#
Thanks.
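To check the import/export question against the posted `ip vrf` stanzas, the sketch below computes which VRF imports routes from which. It is an added example, not part of the original post; the function names `parse_vrfs`, `leak_matrix` and `mutual_pairs` are hypothetical, and the input is the three stanzas copied from the core switch configuration above.

```python
import re

# Input copied from the "ip vrf" stanzas of the core switch config in the post.
CONFIG = """\
ip vrf asa
 rd 65515:1
 route-target export 65515:1
 route-target import 65515:100
 route-target import 65515:101
ip vrf mapas
 rd 65515:100
 route-target export 65515:100
 route-target import 65515:101
 route-target import 65515:1
!
ip vrf mapas1
 rd 65515:101
 route-target export 65515:101
 route-target import 65515:100
 route-target import 65515:1
"""

def parse_vrfs(text):
    """Return {vrf: {"export": set, "import": set}} from IOS 'ip vrf' stanzas."""
    vrfs, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = re.match(r"ip vrf (\S+)$", line)
        if m:
            current = vrfs.setdefault(m.group(1), {"export": set(), "import": set()})
            continue
        m = re.match(r"route-target (export|import|both) (\S+)$", line)
        if m and current is not None:
            for k in (("export", "import") if m.group(1) == "both" else (m.group(1),)):
                current[k].add(m.group(2))
        elif not line.startswith(("rd ", "!")):
            current = None  # any other command ends the VRF stanza
    return vrfs

def leak_matrix(vrfs):
    """Return {importer: sorted VRFs whose exported route targets it imports}."""
    return {name: sorted(o for o, ov in vrfs.items()
                         if o != name and ov["export"] & v["import"])
            for name, v in vrfs.items()}

def mutual_pairs(matrix):
    """VRF pairs that exchange routes in both directions."""
    return sorted({tuple(sorted((a, b))) for a, bs in matrix.items()
                   for b in bs if a in matrix.get(b, [])})

if __name__ == "__main__":
    matrix = leak_matrix(parse_vrfs(CONFIG))
    print(matrix, mutual_pairs(matrix), sep="\n")
```

For the posted configuration every VRF imports from the other two, which matches the `show ip route vrf mapas` and `show ip route vrf mapas1` output above, where the other VRFs' connected subnets appear as `B` routes.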