04-30-2012 12:04 PM - edited 03-07-2019 06:25 AM
Any help would be greatly appreciated.
I have a Cisco 3560X 48-port IP Base switch with VLANs configured and IP routing. Ports 1 and 2 are in EtherChannel and routed ports to ASA and have their own network of 192.168.22.49/30. The ASA is configured with the same config for ports 1 and 2. The channel group IP address on the 3560X is 192.168.22.49/30 while the other end of the uplink is the ASA and it's configured with .50/30.
I have 6 VLANs plus the one native VLAN. They are all configured with IP addresses. Each VLAN should be able to talk to one another other than the DMZ VLAN, which is trunked and routed directly in the ASA. On the switch I can ping the IP address on the ASA's uplink .50/30 but I cannot ping the ASA from any host on any of the VLANs. My switch config file is posted below. The ASA seems to be able to ping any host in the VLANs due to static routes that are in place.
Any idea as to why I'm not able to communicate to other VLANs or even ping the ASA?
Config for 3560X
L3Switch#sh run
Building configuration...
Current configuration : 8056 bytes
!
! Last configuration change at 00:45:43 UTC Mon Mar 8 1993
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname M3TL3Switch
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret 5 $1$1WJH$POoIZXDxzNRFaXhxFEXzz.
!
username m3t privilege 15 secret 5 $1$K1hH$G2xenff6IkQ5PEaQ7H8.K/
no aaa new-model
clock timezone UTC -5 0
clock summer-time UTC recurring
system mtu routing 1500
ip routing
!
!
no ip domain-lookup
!
mls qos map cos-dscp 0 8 16 24 32 46 48 56
mls qos srr-queue input bandwidth 70 30
mls qos srr-queue input threshold 1 80 90
mls qos srr-queue input priority-queue 2 bandwidth 30
mls qos srr-queue input cos-map queue 1 threshold 2 3
mls qos srr-queue input cos-map queue 1 threshold 3 6 7
mls qos srr-queue input cos-map queue 2 threshold 1 4
mls qos srr-queue input dscp-map queue 1 threshold 2 24
mls qos srr-queue input dscp-map queue 1 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue input dscp-map queue 1 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue input dscp-map queue 2 threshold 3 32 33 40 41 42 43 44 45
mls qos srr-queue input dscp-map queue 2 threshold 3 46 47
mls qos srr-queue output cos-map queue 1 threshold 3 4 5
mls qos srr-queue output cos-map queue 2 threshold 1 2
mls qos srr-queue output cos-map queue 2 threshold 2 3
mls qos srr-queue output cos-map queue 2 threshold 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 0
mls qos srr-queue output cos-map queue 4 threshold 3 1
mls qos srr-queue output dscp-map queue 1 threshold 3 32 33 40 41 42 43 44 45
mls qos srr-queue output dscp-map queue 1 threshold 3 46 47
mls qos srr-queue output dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 2 threshold 1 26 27 28 29 30 31 34 35
mls qos srr-queue output dscp-map queue 2 threshold 1 36 37 38 39
mls qos srr-queue output dscp-map queue 2 threshold 2 24
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue output dscp-map queue 4 threshold 1 8 9 11 13 15
mls qos srr-queue output dscp-map queue 4 threshold 2 10 12 14
mls qos queue-set output 1 threshold 1 100 100 50 200
mls qos queue-set output 1 threshold 2 125 125 100 400
mls qos queue-set output 1 threshold 3 100 100 100 400
mls qos queue-set output 1 threshold 4 60 150 50 200
mls qos queue-set output 1 buffers 15 25 40 20
mls qos
!
crypto pki trustpoint HTTPS_SS_CERT_KEYPAIR
enrollment selfsigned
serial-number
revocation-check none
rsakeypair HTTPS_SS_CERT_KEYPAIR
!
!
crypto pki certificate chain HTTPS_SS_CERT_KEYPAIR
certificate self-signed 01
quit
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
auto qos srnd4
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface Port-channel1
no switchport
ip address 192.168.22.49 255.255.255.252
!
interface FastEthernet0
no ip address
no ip route-cache
!
interface GigabitEthernet0/1
description uplink to asa
no switchport
no ip address
channel-group 1 mode active
!
interface GigabitEthernet0/2
description uplink to asa 2
no switchport
no ip address
channel-group 1 mode active
!
interface GigabitEthernet0/3
description DMZ uplink to asa
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10
switchport mode trunk
!
interface GigabitEthernet0/4
!
interface GigabitEthernet0/5
!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
!
interface GigabitEthernet0/13
!
interface GigabitEthernet0/14
!
interface GigabitEthernet0/15
!
interface GigabitEthernet0/16
!
interface GigabitEthernet0/17
!
interface GigabitEthernet0/18
!
interface GigabitEthernet0/19
!
interface GigabitEthernet0/20
!
interface GigabitEthernet0/21
!
interface GigabitEthernet0/22
!
interface GigabitEthernet0/23
!
interface GigabitEthernet0/24
!
interface GigabitEthernet0/25
!
interface GigabitEthernet0/26
!
interface GigabitEthernet0/27
!
interface GigabitEthernet0/28
!
interface GigabitEthernet0/29
!
interface GigabitEthernet0/30
!
interface GigabitEthernet0/31
!
interface GigabitEthernet0/32
!
interface GigabitEthernet0/33
!
interface GigabitEthernet0/34
!
interface GigabitEthernet0/35
!
interface GigabitEthernet0/36
!
interface GigabitEthernet0/37
!
interface GigabitEthernet0/38
!
interface GigabitEthernet0/39
!
interface GigabitEthernet0/40
!
interface GigabitEthernet0/41
!
interface GigabitEthernet0/42
!
interface GigabitEthernet0/43
!
interface GigabitEthernet0/44
!
interface GigabitEthernet0/45
!
interface GigabitEthernet0/46
!
interface GigabitEthernet0/47
!
interface GigabitEthernet0/48
!
interface GigabitEthernet1/1
!
interface GigabitEthernet1/2
!
interface GigabitEthernet1/3
!
interface GigabitEthernet1/4
switchport trunk encapsulation dot1q
switchport mode trunk
srr-queue bandwidth share 1 30 35 5
queue-set 2
priority-queue out
mls qos trust cos
macro description cisco-switch
auto qos trust
spanning-tree link-type point-to-point
!
interface TenGigabitEthernet1/1
!
interface TenGigabitEthernet1/2
!
interface Vlan1
ip address 10.1.7.2 255.255.255.0
!
interface Vlan10
ip address 10.1.1.2 255.255.255.0
ip helper-address 192.168.195.11
!
interface Vlan20
ip address 10.1.2.1 255.255.255.0
ip helper-address 192.168.195.11
!
interface Vlan30
ip address 192.168.195.1 255.255.255.0
ip helper-address 192.168.195.11
!
interface Vlan40
ip address 10.1.4.1 255.255.255.0
ip helper-address 192.168.195.11
!
interface Vlan50
ip address 10.1.5.1 255.255.255.0
ip helper-address 192.168.195.11
!
interface Vlan60
ip address 10.1.6.1 255.255.255.0
ip helper-address 192.168.195.11
!
ip default-gateway 192.168.22.49
ip http server
ip http secure-server
!
!
ip sla enable reaction-alerts
logging esm config
!
!
line con 0
password
login
line vty 0 1
timeout login response 300
password
login
length 0
transport preferred ssh
transport input telnet
line vty 2 4
timeout login response 300
password
login
length 0
transport input telnet
line vty 5
timeout login response 300
password
login
length 0
transport input telnet
line vty 6 15
login
length 0
!
!
monitor session 2 source interface Po1
monitor session 2 destination interface Gi0/27
end
M3TL3Switch#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 192.168.22.50 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 192.168.22.50
10.0.0.0/8 is variably subnetted, 12 subnets, 2 masks
C 10.1.1.0/24 is directly connected, Vlan10
L 10.1.1.2/32 is directly connected, Vlan10
C 10.1.2.0/24 is directly connected, Vlan20
L 10.1.2.1/32 is directly connected, Vlan20
C 10.1.4.0/24 is directly connected, Vlan40
L 10.1.4.1/32 is directly connected, Vlan40
C 10.1.5.0/24 is directly connected, Vlan50
L 10.1.5.1/32 is directly connected, Vlan50
C 10.1.6.0/24 is directly connected, Vlan60
L 10.1.6.1/32 is directly connected, Vlan60
C 10.1.7.0/24 is directly connected, Vlan1
L 10.1.7.2/32 is directly connected, Vlan1
192.168.22.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.22.48/30 is directly connected, Port-channel1
L 192.168.22.49/32 is directly connected, Port-channel1
192.168.195.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.195.0/24 is directly connected, Vlan30
L 192.168.195.1/32 is directly connected, Vlan30
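A consistency check over the configuration posted above, as an added example that is not part of the original post and does not claim to identify what resolved the thread. It parses an excerpt of the config (three of the SVIs, reproduced inline) and reports how `ip default-gateway` relates to `ip routing` and to the switch's own addresses, plus the SVI subnets the firewall must be able to route back to. The function names `parse` and `audit` are hypothetical.

```python
import ipaddress
import re

# Excerpt of the switch configuration posted above (only the lines the check reads).
CONFIG = """\
ip routing
interface Port-channel1
 no switchport
 ip address 192.168.22.49 255.255.255.252
interface Vlan20
 ip address 10.1.2.1 255.255.255.0
interface Vlan30
 ip address 192.168.195.1 255.255.255.0
interface Vlan40
 ip address 10.1.4.1 255.255.255.0
ip default-gateway 192.168.22.49
"""

def parse(config):
    """Return (ip_routing, default_gateway, {interface: IPv4Interface})."""
    routing, gateway, addrs, current = False, None, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "ip routing":
            routing = True
        elif m := re.match(r"interface (\S+)", line):
            current = m.group(1)
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            addrs[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"ip default-gateway (\S+)", line):
            gateway = ipaddress.ip_address(m.group(1))
    return routing, gateway, addrs

def audit(config):
    """List findings about the default gateway and the routed SVI subnets."""
    routing, gateway, addrs = parse(config)
    findings = []
    if gateway is not None:
        if routing:
            # IOS consults ip default-gateway only when IP routing is disabled.
            findings.append("ip default-gateway is not used while ip routing is enabled")
        for name, iface in addrs.items():
            if iface.ip == gateway:
                findings.append(f"ip default-gateway {gateway} is this switch's own {name} address")
    for name, iface in addrs.items():
        if name.startswith("Vlan"):
            findings.append(f"firewall needs a route to {iface.network} via the switch ({name})")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(CONFIG)))
```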
04-30-2012 01:09 PM
Please copy this on your ASA.
interface GigabitEthernet0/1
channel-group 1 mode active
!
interface GigabitEthernet0/2
channel-group 1 mode active
!
interface Port-channel1
port-channel load-balance src-dst-ip-port
port-channel min-bundle 1
lacp max-bundle 8
no shutdown
speed auto
duplex auto
nameif inside
security-level 100
ip address 192.168.22.50 255.255.255.252
Let me know if this helps.
Thanks
Rizwan Rafeek
Reference link below.
http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/i3.html
05-01-2012 06:25 AM
Thanks for the reply. My port channel interface looks identical to your config posted above. The other settings in the ASA look like yours posted above also. I am also unable to ping any other VLAN default gateway on the switch itself, other than the default gateway the host is in. From my understanding all hosts on the switch should be able to communicate with other VLANs as long as IP routing is enabled on the switch, correct? The switch is running the latest version 15 of IOS.
UPDATE this has been solved.