SG500x VLAN routing with an ASA - ping but no data/DNS

sam.moles
Level 1

Hi All,

I have set up my new SG500X with an access port allowing all traffic to be routed back to my main network on my ASA.

From a machine on VLAN103 I am able to ping machines on my main network 192.168.68.x and my main network is able to ping this machine (192.168.203.3), but I am unable to send / receive data or access DNS. I am also unable to access the internet unless I use an external DNS server.

I have a static route in my ASA which points traffic destined for 192.168.103.0/24 to the gateway on the switch 192.168.1.10

My config is below: any help would be appreciated

config-file-header
G4S-HV-SS-01
v1.3.0.62 / R750_NIK_1_3_647_260
CLI v1.0
set system queues-mode 4
file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
vlan database
vlan 101-110,115,170,250
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
bonjour interface range vlan 1
hostname cisco
line ssh
exec-timeout 30
exit
line console
speed 9600
exit
no passwords complexity enable
passwords aging 0
username cisco password encrypted ***** privilege 15
username cisco password encrypted ***** privilege 15
ip ssh server
ip ssh password-auth
ip ssh-client username cisco
encrypted ip ssh-client password
ip ssh-client server authentication
snmp-server server
ip http timeout-policy 1800
clock timezone " " 0 minutes 0
no ip domain lookup
ip domain polling-interval 18
!
interface vlan 1
no ip address dhcp
!
interface vlan 101
name Network
ip address 192.168.101.1 255.255.255.192
!
interface vlan 102
name Servers
ip address 192.168.101.65 255.255.255.192
!
interface vlan 103
name Servers
ip address 192.168.101.129 255.255.255.192
!
interface vlan 104
name Phones
ip address 192.168.102.1 255.255.255.0
!
interface vlan 105
name DHCP
ip address 192.168.203.1 255.255.255.0
!
interface vlan 106
name RemoteManagement
ip address 192.168.104.1 255.255.255.0
!
interface vlan 107
name Maintenance
ip address 192.168.105.1 255.255.255.0
!
interface vlan 108
name Management
ip address 192.168.106.1 255.255.255.0
!
interface vlan 109
name Wireless
ip address 192.168.107.1 255.255.255.192
!
interface vlan 110
name Database
ip address 192.168.107.65 255.255.255.240
!
interface vlan 115
name AlarmDevices
!
interface vlan 170
name Hyper-V_HBeat
!
interface vlan 250
name iSCSI
!
interface gigabitethernet1/1/1
description "Link to ASA"
ip address 192.168.1.10 255.255.128.0
switchport mode access
!
ip default-gateway 192.168.1.1

cisco#sh ip route

Maximum Parallel Paths: 1 (1 after reset)
IP Forwarding: enabled
Codes: > - best, C - connected, S - static,
       R - RIP

S   0.0.0.0/0 [1/1] via 192.168.1.1, 0:19:15, gi1/1/1
C   192.168.0.0/17 is directly connected, gi1/1/1
C   192.168.203.0/24 is directly connected, vlan 105
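The routing table above is enough to trace what happens to a flow between the main network and the VLAN 105 host. The following is an added example, not code from the thread or from Cisco: a small longest-prefix-match model of the tables the posts show (the switch's "sh ip route" output, the ASA inside interface 192.168.1.1/17 and its static route 192.168.203.0/24 via 192.168.1.10). The main-network host 192.168.68.20 is a constructed stand-in for "192.168.68.x", and it is assumed to use the ASA as its default gateway; the VLAN 105 host is assumed to use the SVI 192.168.203.1. The model also takes a second parameter so the narrower /26 link subnet proposed in a later reply can be compared with the /17 as posted, which goes beyond what the thread itself works through.

```python
import ipaddress

# Added example, not from the thread: a longest-prefix-match model of the routing
# tables visible in the posts, used to trace both directions of a flow between a
# main-network host and the VLAN 105 host 192.168.203.3.
# From the thread: switch routes (0.0.0.0/0 via 192.168.1.1, connected
# 192.168.0.0/17 and 192.168.203.0/24), ASA inside 192.168.1.1/17 and its static
# route 192.168.203.0/24 via 192.168.1.10.
# Assumed/constructed: main-network host 192.168.68.20 (the thread only says
# 192.168.68.x) with the ASA as default gateway; the VLAN 105 host uses the SVI
# 192.168.203.1 as its gateway.

HOST, ASA, SWITCH, SERVER = "main-host", "ASA", "SG500X", "vlan105-host"

# IP -> device answering for it, so a next hop or a delivered destination can be
# mapped onto the device that receives the packet.
OWNER = {
    "192.168.1.1": ASA,       # ASA inside interface
    "192.168.1.10": SWITCH,   # switch uplink gi1/1/1
    "192.168.203.1": SWITCH,  # switch SVI for VLAN 105
    "192.168.68.20": HOST,    # constructed main-network host
    "192.168.203.3": SERVER,  # VLAN 105 host from the thread
}


def tables(uplink_prefixlen=17):
    """Routing tables as lists of (prefix, next_hop); next_hop None = connected.

    uplink_prefixlen is the mask on the switch's link to the ASA: 17 as posted
    (255.255.128.0), or 26 to model the /26 a reply proposes for that link."""
    uplink = str(ipaddress.ip_network(f"192.168.1.10/{uplink_prefixlen}", strict=False))
    return {
        HOST:   [("192.168.0.0/17", None), ("0.0.0.0/0", "192.168.1.1")],
        ASA:    [("192.168.0.0/17", None), ("192.168.203.0/24", "192.168.1.10")],
        SWITCH: [(uplink, None), ("192.168.203.0/24", None), ("0.0.0.0/0", "192.168.1.1")],
        SERVER: [("192.168.203.0/24", None), ("0.0.0.0/0", "192.168.203.1")],
    }


def lookup(table, dst):
    """Longest-prefix match; returns (matched prefix, next hop or None)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return str(best[0]), best[1]


def trace(tbls, device, dst, max_hops=8):
    """Follow next hops from `device` until `dst` is delivered; returns the device path."""
    path = [device]
    for _ in range(max_hops):
        _prefix, next_hop = lookup(tbls[device], dst)
        receiver = OWNER.get(next_hop or dst)
        if receiver is None:
            raise LookupError(f"{device}: {next_hop or dst} is not a modelled device")
        path.append(receiver)
        if next_hop is None:      # connected route: delivered on this hop
            return path
        device = receiver
    raise RuntimeError("hop limit exceeded; routing loop?")


def path_asymmetry(uplink_prefixlen=17, a="192.168.68.20", b="192.168.203.3"):
    """Return (forward path, return path, transit devices seen in only one direction).

    A stateful firewall that appears in the third set sees just one direction of
    every TCP/UDP flow between a and b, so it holds no connection entry for the
    packets coming the other way."""
    tbls = tables(uplink_prefixlen)
    fwd = trace(tbls, OWNER[a], b)
    rev = trace(tbls, OWNER[b], a)
    one_way = set(fwd[1:-1]) ^ set(rev[1:-1])
    return fwd, rev, one_way


if __name__ == "__main__":
    for plen in (17, 26):
        fwd, rev, one_way = path_asymmetry(plen)
        print(f"uplink /{plen}: {' -> '.join(fwd)} | back: {' -> '.join(rev)} | "
              f"one-way transit: {sorted(one_way) or 'none'}")
```

With the link as posted (/17 on gi1/1/1), the switch treats the whole 192.168.0.0/17 as directly connected and hands return traffic straight to the main-network host, so the ASA carries only one direction of each flow; ping still works because the reply never needs a firewall entry to be delivered. A flow started from the VLAN 105 side shows the firewall only the reply, which is exactly the symptom a later post quotes (a SYN ACK denied with "no connection"). With a /26 on the link the switch has no connected route covering 192.168.68.x, its default route sends the return traffic back through the ASA, and both directions traverse the same devices.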

6 Replies

sam.moles
Level 1

To give a little more information: I wanted to set up the connection between the ASA and L3 switch without using a trunk, so I have used an access port on the SG500X and set up SVI interfaces for each VLAN. I can see the traffic flow correctly within the ASA, but as mentioned only ICMP is working. DNS resolution is seemingly the easiest to test, but it looks as if no other data is able to pass.

I have set up a static route on the ASA so all traffic destined for 192.168.203.0/24 goes to 192.168.1.10, which is the interface for VLAN1. I don't think I had to set up the static route to the SVI of vlan 105 directly as the ASA is not able to see it.

I need help: how do I set up my connection back to the ASA without a trunk?!?!

Static Route on the SG500X

Static route on the ASA:

Many thanks in advance

I could be wrong, but I think:

interface gigabitethernet1/1/1
description "Link to ASA"
ip address 192.168.1.10 255.255.128.0

is only setting up an ip address for admin access when connected to that port.

I would try making another VLAN and then making that port access and a member of the new vlan like:

interface vlan 150
name to firewall
ip address 192.168.1.10 255.255.255.192

interface gigabitethernet1/1/1
description "Link to ASA"
switchport trunk native vlan 150

(by default ports on these switches are trunks I think. You could also change it to access port probably and assign it)

Good luck.

-- please remember to rate and mark answered helpful posts --

Ok, thanks for the suggestion, but I'm a little lost. Would this mean setting up a trunk on the ASA? I don't think this configuration will work for me, as I need to limit the change to the existing network as much as possible and I wanted to avoid putting sub-interfaces on the inside interface.

192.168.1.10 is an IP address routable from the ASA, whose inside interface is 192.168.1.1/17. I was hoping I could set up a route to the 192.168.203.0/24 network through the L3's interface 192.168.1.10 and have the L3 switch then route internally to 192.168.203.x. Is this not the case?

I am also confused as to why I would want to set up the vlan as native if I need to route multiple vlans through this port?

I may be very wrong but I have read that I can setup the port as a routed port which should do what I am requiring without the need of a trunk?

I really appreciate the help!

Thanks

I'm not sure, but since I am getting pings back correctly I think the routing is working. My only issue is that the data is being blocked somewhere. I have set up NAT Exempt rules in the firewall as I was getting errors; now this is working. Unfortunately, when I try to do anything other than ping it fails with nothing untoward logged in the firewall. I am getting the occasional DENY TCP (no connection) flags SYN ACK on interface mainnetwork though? But I don't know why or if this is important?

Anybody please able to offer any more assistance!! I need to get these switches on the network ASAP, I feel I am so close but so far!
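The "Deny TCP (no connection) ... flags SYN ACK" line quoted above is ASA syslog message 106015, and it is worth counting rather than dismissing: the firewall is reporting a handshake reply for which it never recorded the matching SYN, which is what a flow that crosses the firewall in only one direction looks like. The following is an added example, not code from the thread or from Cisco: a parser for that message that tallies denied SYN ACKs per server/client pair and rolls them up by subnet. The sample log lines are constructed (the interface name mainnetwork and the address ranges follow the thread; the client hosts 192.168.68.20/.21, ports and timestamps are made up).

```python
import re
import ipaddress
from collections import defaultdict

# Added example, not from the thread: parse ASA syslog message 106015
# ("Deny TCP (no connection)") and count denied SYN ACK segments per
# server/client pair. A SYN ACK with no connection entry means the firewall did
# not see the SYN that provoked it; repeated hits for one pair across many
# ports are the pattern to check when a flow is supposed to traverse the
# firewall in both directions.

MSG_106015 = re.compile(
    r"%ASA-\d-106015: Deny TCP \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z]+(?: [A-Z]+)*)\s+on interface (?P<iface>\S+)"
)

# Constructed sample log (interface name and address ranges from the thread;
# client hosts, ports and timestamps are made up). The 106023 line is there to
# show that unrelated messages are skipped.
SAMPLE_LOG = """\
Mar 10 2014 09:12:01 fw : %ASA-6-106015: Deny TCP (no connection) from 192.168.203.3/53 to 192.168.68.20/51001 flags SYN ACK  on interface mainnetwork
Mar 10 2014 09:12:03 fw : %ASA-6-106015: Deny TCP (no connection) from 192.168.203.3/445 to 192.168.68.20/51002 flags SYN ACK  on interface mainnetwork
Mar 10 2014 09:12:05 fw : %ASA-6-106015: Deny TCP (no connection) from 192.168.203.3/445 to 192.168.68.21/51100 flags SYN ACK  on interface mainnetwork
Mar 10 2014 09:12:40 fw : %ASA-6-106015: Deny TCP (no connection) from 192.168.68.20/51001 to 192.168.203.3/53 flags ACK  on interface mainnetwork
Mar 10 2014 09:13:02 fw : %ASA-4-106023: Deny tcp src outside:203.0.113.9/443 dst mainnetwork:192.168.68.20/52000 by access-group "outside_in"
Mar 10 2014 09:13:02 fw : %ASA-6-106015: Deny TCP (no connection) from 203.0.113.9/443 to 192.168.68.20/52000 flags RST  on interface outside
"""


def parse_106015(line):
    """Return the message fields as a dict, or None if the line is another message."""
    m = MSG_106015.search(line)
    return m.groupdict() if m else None


def denied_syn_acks(log_text):
    """Return (number of 106015 lines, {(server, client, interface): denied SYN ACKs})."""
    counts = defaultdict(int)
    parsed = 0
    for line in log_text.splitlines():
        event = parse_106015(line)
        if event is None:
            continue
        parsed += 1
        # Only the SYN ACK case is tallied: a denied bare ACK or RST can be a
        # stale or already-closed session, a denied SYN ACK cannot.
        if event["flags"] == "SYN ACK":
            counts[(event["src"], event["dst"], event["iface"])] += 1
    return parsed, dict(counts)


def rollup_by_subnet(counts, prefixlen=24):
    """Aggregate per-host counts to (server subnet, client subnet, interface)."""
    out = defaultdict(int)
    for (server, client, iface), n in counts.items():
        s = ipaddress.ip_network(f"{server}/{prefixlen}", strict=False)
        c = ipaddress.ip_network(f"{client}/{prefixlen}", strict=False)
        out[(str(s), str(c), iface)] += n
    return dict(out)


if __name__ == "__main__":
    parsed, counts = denied_syn_acks(SAMPLE_LOG)
    print(f"{parsed} x 106015 parsed")
    for key, n in rollup_by_subnet(counts).items():
        server_net, client_net, iface = key
        print(f"{n} denied SYN ACK from {server_net} to {client_net} on {iface}")
```

Run against a real syslog export, a subnet pair that keeps appearing on the same inside interface points at the two networks whose traffic reaches the firewall in one direction only; the /24 grouping is just for readability and can be set to the real mask with the prefixlen argument.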

Hi Sam, did you specify the correct security level on the ASA?

-Tom
Please mark answered for helpful posts

Hi, yes. I have my original network and this newly connected L3 switch on the same interface on the ASA, and the security level is set to 100.

Thanks
