09-29-2010 09:52 PM - edited 03-06-2019 01:15 PM
I have some problem with intervlan and would like to ask some idea from you... appreciate your help..
- from vlan 1 i can access internet and can ping vlan 30, and vlan 40
- from vlan 30 i can ping vlan 1 and vlan 40 except for 192.168.20.254 which is the asa5505 and cannot go to internet all host but when i telnet to the 192.168.30.254 and ping to internet it can ping
- from vlan 40 i can ping vlan 1 and vlan 30 except for 192.168.20.254 which is the asa5505 and cannot go to internet all host but when i telnet to the 192.168.40.254 and ping to internet it can ping
my running config for both asa and switch. i think problem is intervlan routing
09-30-2010 02:12 AM
Is there routes on the ASA pointing back to the 3560 for vlan 30 and 40 ? The ASA needs to know what to do with those subnets. Had trouble opening your file.
09-30-2010 02:17 AM
Hi Glen,
Yes, i reattached my running config as below:
ASA CONFIG:
User Access Verification
Password:
Type help or '?' for a list of available commands.
ASA5505-VRG> en
Password:
ASA5505-VRG# sh ru
: Saved
:
ASA Version 8.2(1)
!
hostname ASA5505-VRG
domain-name rutratoco.com.vn
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.20.11 KSServer description KingSmart Server
name 192.168.20.1 DC description DC
dns-guard
!
interface Vlan1
nameif Internal
security-level 100
ip address 192.168.20.254 255.255.255.0
!
interface Vlan2
description ISP Internet Line
nameif External
security-level 0
pppoe client vpdn group VDCISP
ip address pppoe setroute
!
interface Vlan30
nameif Office
security-level 100
ip address 192.168.30.253 255.255.255.0
!
interface Vlan40
nameif Guest
security-level 100
ip address 192.168.40.253 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport trunk allowed vlan 1,30,40
switchport trunk native vlan 1
switchport mode trunk
speed 100
duplex full
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup Internal
dns domain-lookup External
dns domain-lookup Office
dns domain-lookup Guest
dns server-group DefaultDNS
name-server DC
name-server 192.168.20.2
name-server 8.8.8.8
domain-name rutratoco.com.vn
same-security-traffic permit inter-interface
access-list Internal_access_in extended permit ip 192.168.20.0 255.255.255.0 any
access-list External_access_in extended permit ip any 192.168.20.0 255.255.255.0
access-list External_access_in extended permit icmp any any echo-reply
access-list External_access_in extended permit tcp any interface External eq 338
9
access-list External_access_in extended permit tcp any interface External eq 630
8
access-list External_access_internal extended permit tcp any interface External
eq 3389
access-list External_access_internal extended permit tcp any interface External
eq 6308
access-list acl_in extended permit icmp any any
access-list acl_in extended permit tcp any any
access-list acl_in extended permit udp any any
access-list acl_in extended permit ip any any
access-list acl_out extended permit gre any interface External
pager lines 24
mtu Internal 1500
mtu External 1492
mtu Office 1500
mtu Guest 1500
ip verify reverse-path interface External
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (External) 1 interface
nat (Internal) 1 192.168.20.0 255.255.255.0
nat (Internal) 1 0.0.0.0 0.0.0.0
nat (Office) 1 192.168.30.0 255.255.255.0
nat (Guest) 1 192.168.40.0 255.255.255.0
static (Internal,External) tcp interface 6308 DC 6308 netmask 255.255.255.255
static (Internal,External) tcp interface 3389 KSServer 3389 netmask 255.255.255.
255
static (Internal,Office) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (Office,Internal) 192.168.30.0 192.168.30.0 netmask 255.255.255.0
static (Internal,Guest) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (Guest,Internal) 192.168.40.0 192.168.40.0 netmask 255.255.255.0
access-group Internal_access_in in interface Internal
access-group External_access_in in interface External
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.20.0 255.255.255.0 Internal
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.20.0 255.255.255.0 Internal
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group VDCISP request dialout pppoe
vpdn group VDCISP localname ctycpcaosu
vpdn group VDCISP ppp authentication pap
vpdn username ctycpcaosu password *********
dhcpd dns 203.162.4.190 8.8.8.8 interface Internal
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e612c0ce31908fdbeee196b74192e6e8
: end
SWITCH CONFIG
User Access Verification
Password:
Geruco_CoreSW>en
Password:
Geruco_CoreSW#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Geruco_CoreSW(config)#no spanning-tree vlan 1
Geruco_CoreSW(config)#
Geruco_CoreSW(config)#
Geruco_CoreSW(config)#
Geruco_CoreSW(config)#
Geruco_CoreSW(config)#end
Geruco_CoreSW#sh r
% Ambiguous command: "sh r"
Geruco_CoreSW#sh ru
Building configuration...
Current configuration : 3383 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Geruco_CoreSW
!
enable password 7 03174218090B234F
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
ip routing
ip dhcp excluded-address 192.168.20.1 192.168.20.20
!
ip dhcp pool Guest
network 192.168.30.0 255.255.255.0
default-router 192.168.30.254
dns-server 8.8.8.8
!
ip dhcp pool Office
network 192.168.40.0 255.255.255.0
default-router 192.168.40.254
dns-server 8.8.8.8
!
ip dhcp pool Hotel
network 192.168.20.0 255.255.255.0
default-router 192.168.20.253
dns-server 8.8.8.8
!
!
!
!
no file verify auto
!
spanning-tree mode pvst
spanning-tree extend system-id
no spanning-tree vlan 1
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/1
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet0/2
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet0/3
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet0/4
!
interface GigabitEthernet0/5
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet0/6
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet0/7
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet0/8
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet0/9
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet0/10
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet0/11
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet0/12
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet0/13
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet0/14
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet0/15
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet0/16
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet0/17
switchport mode access
!
interface GigabitEthernet0/18
switchport mode access
!
interface GigabitEthernet0/19
switchport mode access
!
interface GigabitEthernet0/20
switchport mode access
!
interface GigabitEthernet0/21
switchport mode access
!
interface GigabitEthernet0/22
switchport mode access
!
interface GigabitEthernet0/23
switchport mode access
!
interface GigabitEthernet0/24
description Up-link to ASA
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,30,40
switchport mode trunk
carrier-delay msec 0
speed 100
duplex full
!
interface GigabitEthernet0/25
!
interface GigabitEthernet0/26
!
interface GigabitEthernet0/27
!
interface GigabitEthernet0/28
!
interface Vlan1
ip address 192.168.20.253 255.255.255.0
no ip route-cache cef
no ip route-cache
!
interface Vlan30
ip address 192.168.30.254 255.255.255.0
no ip route-cache cef
no ip route-cache
!
interface Vlan40
ip address 192.168.40.254 255.255.255.0
no ip route-cache cef
no ip route-cache
!
ip default-gateway 192.168.20.254
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.20.254
ip http server
!
!
control-plane
!
!
line con 0
password 7 02151D4804020D22
login
line vty 0 4
password 7 06151632434A0B1A
login
line vty 5 15
password 7 06151632434A0B1A
login
!
end
Geruco_CoreSW# \
09-30-2010 06:04 AM
Hello Roy,
What you see with respect to ping to 192.168.20.254 is normal.You cannon ping an interface on the ASA that is not directly connected to you.
With regard to internet access, I guess the issue is with DNS. Can you use 4.2.2.2 as DNS server for VLAN 30 and 40 and see if that helps?
Regards,
NT
09-30-2010 06:11 AM
Hello Roy,
Please ignore second part of my earlier response. The issue is with Asymmetric routing. The Switch is doing inter-vlan routing and its default gateway points to the ASA's Internal interface. However, ASA also has subnets for 192.168.30.x and 40.x. So, whenever ASA gets a packet belonging to these subnets, it will reject the packets. You have two options.
Option 1: Remove VLAN 30 and VLAN 40 configurations from the ASA. All traffic will enter through the Internal interface and will work fine.
Option 2: You need to configure Policy Based Routing on the switch so that it will route traffic generated from each VLAN to respective interface on the ASA. You can also change the default router value in the DHCP configuration to that of the ASA and force all traffic to hit the ASA.
I would suggest Option 1 as, in your setup, it seems like you need full connectivity between the internal VLANs. So, Option 1 will ensure that ASA will not interfere with the internal communication.
Hope this helps.
Regards,
NT
09-30-2010 06:08 PM
Hello NT,
thanks for your reply, i did try option 1 and seems to be the same. Any alternatives?
Thanks,
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide