06-25-2013 05:26 AM
Hi All,
I have set up my new SG500X with an access port allowing all traffic to be routed back to my main network on my ASA.
From a machine on VLAN103 I am able to ping machines on my main network 192.168.68.x and my main network is able to ping this machine (192.168.203.3), but I am unable to send / receive data or access DNS. I am also unable to access the internet unless I use an external DNS server.
I have a static route in my ASA which points traffic destined for 192.168.103.0/24 to the gateway on the switch 192.168.1.10
My config is below: any help would be appreciated
config-file-header
G4S-HV-SS-01
v1.3.0.62 / R750_NIK_1_3_647_260
CLI v1.0
set system queues-mode 4
file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
vlan database
vlan 101-110,115,170,250
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
bonjour interface range vlan 1
hostname cisco
line ssh
exec-timeout 30
exit
line console
speed 9600
exit
no passwords complexity enable
passwords aging 0
username cisco password encrypted ***** privilege 15
username cisco password encrypted ***** privilege 15
ip ssh server
ip ssh password-auth
ip ssh-client username cisco
encrypted ip ssh-client password
ip ssh-client server authentication
snmp-server server
ip http timeout-policy 1800
clock timezone " " 0 minutes 0
no ip domain lookup
ip domain polling-interval 18
!
interface vlan 1
no ip address dhcp
!
interface vlan 101
name Network
ip address 192.168.101.1 255.255.255.192
!
interface vlan 102
name Servers
ip address 192.168.101.65 255.255.255.192
!
interface vlan 103
name Servers
ip address 192.168.101.129 255.255.255.192
!
interface vlan 104
name Phones
ip address 192.168.102.1 255.255.255.0
!
interface vlan 105
name DHCP
ip address 192.168.203.1 255.255.255.0
!
interface vlan 106
name RemoteManagement
ip address 192.168.104.1 255.255.255.0
!
interface vlan 107
name Maintenance
ip address 192.168.105.1 255.255.255.0
!
interface vlan 108
name Management
ip address 192.168.106.1 255.255.255.0
!
interface vlan 109
name Wireless
ip address 192.168.107.1 255.255.255.192
!
interface vlan 110
name Database
ip address 192.168.107.65 255.255.255.240
!
interface vlan 115
name AlarmDevices
!
interface vlan 170
name Hyper-V_HBeat
!
interface vlan 250
name iSCSI
!
interface gigabitethernet1/1/1
description "Link to ASA"
ip address 192.168.1.10 255.255.128.0
switchport mode access
!
ip default-gateway 192.168.1.1
cisco#sh ip route
Maximum Parallel Paths: 1 (1 after reset)
IP Forwarding: enabled
Codes: > - best, C - connected, S - static,
R - RIP
S 0.0.0.0/0 [1/1] via 192.168.1.1, 0:19:15, gi1/1/1
C 192.168.0.0/17 is directly connected, gi1/1/1
C 192.168.203.0/24 is directly connected, vlan 105
06-25-2013 08:56 AM
To give a little more information. I wanted to set up the connection between the ASA and L3 switch without using a trunk, so I have used an access port on the SG500X and set up SVI interfaces for each VLAN. I can see the traffic flow correctly within the ASA, but as mentioned only ICMP is working. DNS resolution is seemingly the easiest to test, but it looks as if no other data is able to pass.
I have set up a static route on the ASA so all traffic destined for 192.168.203.0/24 goes to 192.168.1.10, which is the interface for VLAN1. I don't think I had to set up the static route to the SVI of VLAN 105 directly as the ASA is not able to see it.
I need help, how do I set up my connection back to the ASA without a trunk?!?!
Static Route on the SG500X
Static route on the ASA:
Many thanks in advance
06-25-2013 01:24 PM
I could be wrong, but I think:
interface gigabitethernet1/1/1
description "Link to ASA"
ip address 192.168.1.10 255.255.128.0
is only setting up an ip address for admin access when connected to that port.
I would try making another VLAN and then making that port access and a member of the new vlan like:
interface vlan 150
name to firewall
ip address 192.168.1.10 255.255.255.192
interface gigabitethernet1/1/1
description "Link to ASA"
switchport trunk native vlan 150 (by default ports on these switches are trunks I think. You could also change it to access port probably and assign it)
Good luck.
06-26-2013 01:00 AM
OK, thanks for the suggestion, but I'm a little lost. Would this mean setting up a trunk on the ASA? I don't think this configuration will work for me, as I need to limit the change to the existing network as much as possible and I wanted to avoid putting sub-interfaces on the inside interface.
192.168.1.10 is an IP address routable from the ASA, whose inside interface is 192.168.1.1/17. I was hoping I would set up a route to the 192.168.203.0/24 network through the L3's interface 192.168.1.10 and have the L3 switch then route internally to 192.168.203.x. Is this not the case?
I am also confused as to why I would want to set up the VLAN as native if I need to route multiple VLANs through this port?
I may be very wrong, but I have read that I can set up the port as a routed port, which should do what I am requiring without the need of a trunk?
I really appreciate the help!
Thanks
06-26-2013 03:18 AM
I'm not sure, but since I am getting pings back correctly I think the routing is working. My only issue is that the data is being blocked somewhere. I have set up NAT exempt rules in the firewall as I was getting errors; now this is working. Unfortunately, when I try to do anything other than ping it fails with nothing untoward logged in the firewall. I am getting the occasional DENY TCP (no connection) flags SYN ACK on interface mainnetwork though? But I don't know why or if this is important?
Is anybody able to offer any more assistance!! I need to get these switches on the network ASAP, I feel I am so close but so far!
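Added example, not from any poster in this thread: a small route-lookup simulation that traces the forward and return path of a flow between the main network and VLAN 105 using the routing information visible above (the SG500X `sh ip route` output, the ASA static route for 192.168.203.0/24 via 192.168.1.10, the ASA inside address 192.168.1.1/17). Host addresses and default gateways (`pc68`, `srv203`) and the "transit" variant with the 10.255.255.0/30 link are assumptions made for the illustration. The point it shows: with the uplink addressed inside the ASA's own /17, the return traffic from 192.168.203.0/24 is delivered by the switch directly on the shared segment and never crosses the ASA, so a stateful firewall sees only one direction of each TCP connection, which is the kind of asymmetry that produces "Deny TCP (no connection)" logs while ping still works. Whether that is the cause here is a hypothesis consistent with the symptoms, not a finding from the thread.

```python
"""Trace forward/return paths through a stateful firewall to detect asymmetry.

Topology reconstructed from the thread (SG500X routing table, ASA static
route); host names, host gateways and the transit /30 are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Device:
    name: str
    interfaces: Dict[str, str]                       # ifname -> "addr/prefix"
    routes: List[Tuple[str, str]] = field(default_factory=list)  # static (prefix, next hop)
    gateway: Optional[str] = None                    # hosts only: default gateway

    def addresses(self):
        return {ipaddress.ip_interface(a).ip for a in self.interfaces.values()}

    def next_hop(self, dst: ipaddress.IPv4Address) -> Optional[ipaddress.IPv4Address]:
        """IP the packet is handed to next: on-link, host gateway, or LPM static route."""
        for addr in self.interfaces.values():        # connected networks win
            if dst in ipaddress.ip_interface(addr).network:
                return dst
        if self.gateway:                             # a host sends the rest to its gateway
            return ipaddress.ip_address(self.gateway)
        best = None                                  # router: longest prefix match
        for prefix, nh in self.routes:
            net = ipaddress.ip_network(prefix)
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return None if best is None else ipaddress.ip_address(best[1])


def owner(devices: Dict[str, Device], ip: ipaddress.IPv4Address) -> str:
    for d in devices.values():
        if ip in d.addresses():
            return d.name
    raise LookupError(f"no device owns {ip}")


def trace(devices: Dict[str, Device], src: str, dst: str, max_hops: int = 8) -> List[str]:
    """Hop-by-hop device path from src to dst (both device names)."""
    dst_ip = next(iter(devices[dst].addresses()))
    path, cur = [src], src
    for _ in range(max_hops):
        if dst_ip in devices[cur].addresses():
            return path
        nh = devices[cur].next_hop(dst_ip)
        if nh is None:
            raise LookupError(f"{cur} has no route to {dst_ip}")
        cur = owner(devices, nh)
        path.append(cur)
    raise LookupError("hop limit exceeded (routing loop?)")


def firewall_sees_both_directions(devices, a: str, b: str, firewall: str) -> bool:
    """True only if the firewall is on both the forward and the return path."""
    return firewall in trace(devices, a, b) and firewall in trace(devices, b, a)


def thread_topology() -> Dict[str, Device]:
    """As posted: switch uplink 192.168.1.10/17 inside the ASA's inside subnet."""
    return {
        "pc68": Device("pc68", {"eth0": "192.168.68.5/17"}, gateway="192.168.1.1"),  # assumed host
        "asa": Device("asa", {"inside": "192.168.1.1/17"},
                      routes=[("192.168.203.0/24", "192.168.1.10")]),
        "switch": Device("switch", {"gi1/1/1": "192.168.1.10/17", "vlan105": "192.168.203.1/24"},
                         routes=[("0.0.0.0/0", "192.168.1.1")]),
        "srv203": Device("srv203", {"eth0": "192.168.203.3/24"}, gateway="192.168.203.1"),
    }


def transit_topology() -> Dict[str, Device]:
    """Hypothetical variant: uplink on a dedicated /30 that only the ASA and switch share."""
    return {
        "pc68": Device("pc68", {"eth0": "192.168.68.5/17"}, gateway="192.168.1.1"),
        "asa": Device("asa", {"inside": "192.168.1.1/17", "transit": "10.255.255.1/30"},
                      routes=[("192.168.203.0/24", "10.255.255.2")]),
        "switch": Device("switch", {"uplink": "10.255.255.2/30", "vlan105": "192.168.203.1/24"},
                         routes=[("0.0.0.0/0", "10.255.255.1")]),
        "srv203": Device("srv203", {"eth0": "192.168.203.3/24"}, gateway="192.168.203.1"),
    }


if __name__ == "__main__":
    for label, topo in (("as posted", thread_topology()), ("transit /30", transit_topology())):
        print(label, "forward:", trace(topo, "pc68", "srv203"))
        print(label, "return: ", trace(topo, "srv203", "pc68"))
        print(label, "ASA sees both directions:",
              firewall_sees_both_directions(topo, "pc68", "srv203", "asa"))
```

In the "as posted" topology the return path is `srv203 -> switch -> pc68`: the switch has 192.168.0.0/17 directly connected on gi1/1/1, so it ARPs for the main-network host itself instead of sending the reply back to 192.168.1.1. The ASA therefore creates a connection entry from the SYN but never sees the SYN-ACK, and later packets of that flow are dropped as "no connection"; ICMP echo is not subject to the same TCP state check, which is why ping still appears to work. Options such as TCP state bypass on the ASA would make the symptom go away, but they remove the stateful inspection on that traffic; addressing the uplink so that both directions traverse the firewall keeps it.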
06-26-2013 03:02 PM
Hi Sam, did you specify the correct security level on the ASA?
-Tom
Please mark answered for helpful posts
06-26-2013 03:48 PM
Hi, yes, I have my original network and this newly connected L3 switch on the same interface on the ASA, and the security level is set to 100.
Thanks