3560X and ASA 5520 routing issues

Todd Willoughby
Level 1

Any help would be greatly appreciated.

I have a Cisco 3560X 48-port IP Base switch with VLANs configured and IP routing. Ports 1 and 2 are in an EtherChannel and are routed ports to the ASA, and have their own network of 192.168.22.49/30. The ASA is configured with the same config for ports 1 and 2. The channel group IP address on the 3560X is 192.168.22.49/30, while the other end of the uplink is the ASA, and it's configured with .50/30.

I have 6 VLANs plus the one native VLAN. They are all configured with IP addresses. Each VLAN should be able to talk to one another, other than the DMZ VLAN, which is trunked and routed directly in the ASA. On the switch I can ping the IP address on the ASA's uplink, .50/30, but I cannot ping the ASA from any host on any of the VLANs. My switch config file is posted below. The ASA seems to be able to ping any host in the VLANs due to static routes that are in place.

Any idea as to why I'm not able to communicate with other VLANs or even ping the ASA?

Config for 3560X

L3Switch#sh run
Building configuration...

Current configuration : 8056 bytes
!
! Last configuration change at 00:45:43 UTC Mon Mar 8 1993
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname M3TL3Switch
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret 5 $1$1WJH$POoIZXDxzNRFaXhxFEXzz.
!
username m3t privilege 15 secret 5 $1$K1hH$G2xenff6IkQ5PEaQ7H8.K/
no aaa new-model
clock timezone UTC -5 0
clock summer-time UTC recurring
system mtu routing 1500
ip routing
!
!
no ip domain-lookup
!
mls qos map cos-dscp 0 8 16 24 32 46 48 56
mls qos srr-queue input bandwidth 70 30
mls qos srr-queue input threshold 1 80 90
mls qos srr-queue input priority-queue 2 bandwidth 30
mls qos srr-queue input cos-map queue 1 threshold 2 3
mls qos srr-queue input cos-map queue 1 threshold 3 6 7
mls qos srr-queue input cos-map queue 2 threshold 1 4
mls qos srr-queue input dscp-map queue 1 threshold 2 24
mls qos srr-queue input dscp-map queue 1 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue input dscp-map queue 1 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue input dscp-map queue 2 threshold 3 32 33 40 41 42 43 44 45
mls qos srr-queue input dscp-map queue 2 threshold 3 46 47
mls qos srr-queue output cos-map queue 1 threshold 3 4 5
mls qos srr-queue output cos-map queue 2 threshold 1 2
mls qos srr-queue output cos-map queue 2 threshold 2 3
mls qos srr-queue output cos-map queue 2 threshold 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 0
mls qos srr-queue output cos-map queue 4 threshold 3 1
mls qos srr-queue output dscp-map queue 1 threshold 3 32 33 40 41 42 43 44 45
mls qos srr-queue output dscp-map queue 1 threshold 3 46 47
mls qos srr-queue output dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 2 threshold 1 26 27 28 29 30 31 34 35
mls qos srr-queue output dscp-map queue 2 threshold 1 36 37 38 39
mls qos srr-queue output dscp-map queue 2 threshold 2 24
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue output dscp-map queue 4 threshold 1 8 9 11 13 15
mls qos srr-queue output dscp-map queue 4 threshold 2 10 12 14
mls qos queue-set output 1 threshold 1 100 100 50 200
mls qos queue-set output 1 threshold 2 125 125 100 400
mls qos queue-set output 1 threshold 3 100 100 100 400
mls qos queue-set output 1 threshold 4 60 150 50 200
mls qos queue-set output 1 buffers 15 25 40 20
mls qos
!
crypto pki trustpoint HTTPS_SS_CERT_KEYPAIR
 enrollment selfsigned
 serial-number
 revocation-check none
 rsakeypair HTTPS_SS_CERT_KEYPAIR
!
!
crypto pki certificate chain HTTPS_SS_CERT_KEYPAIR
 certificate self-signed 01
  quit
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
auto qos srnd4
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface Port-channel1
 no switchport
 ip address 192.168.22.49 255.255.255.252
!
interface FastEthernet0
 no ip address
 no ip route-cache
!
interface GigabitEthernet0/1
 description uplink to asa
 no switchport
 no ip address
 channel-group 1 mode active
!
interface GigabitEthernet0/2
 description uplink to asa 2
 no switchport
 no ip address
 channel-group 1 mode active
!
interface GigabitEthernet0/3
 description DMZ uplink to asa
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10
 switchport mode trunk
!
interface GigabitEthernet0/4
!
interface GigabitEthernet0/5
!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
!
interface GigabitEthernet0/13
!
interface GigabitEthernet0/14
!
interface GigabitEthernet0/15
!
interface GigabitEthernet0/16
!
interface GigabitEthernet0/17
!
interface GigabitEthernet0/18
!
interface GigabitEthernet0/19
!
interface GigabitEthernet0/20
!
interface GigabitEthernet0/21
!
interface GigabitEthernet0/22
!
interface GigabitEthernet0/23
!
interface GigabitEthernet0/24
!
interface GigabitEthernet0/25
!
interface GigabitEthernet0/26
!
interface GigabitEthernet0/27
!
interface GigabitEthernet0/28
!
interface GigabitEthernet0/29
!
interface GigabitEthernet0/30
!
interface GigabitEthernet0/31
!
interface GigabitEthernet0/32
!
interface GigabitEthernet0/33
!
interface GigabitEthernet0/34
!
interface GigabitEthernet0/35
!
interface GigabitEthernet0/36
!
interface GigabitEthernet0/37
!
interface GigabitEthernet0/38
!
interface GigabitEthernet0/39
!
interface GigabitEthernet0/40
!
interface GigabitEthernet0/41
!
interface GigabitEthernet0/42
!
interface GigabitEthernet0/43
!
interface GigabitEthernet0/44
!
interface GigabitEthernet0/45
!
interface GigabitEthernet0/46
!
interface GigabitEthernet0/47
!
interface GigabitEthernet0/48
!
interface GigabitEthernet1/1
!
interface GigabitEthernet1/2
!
interface GigabitEthernet1/3
!
interface GigabitEthernet1/4
 switchport trunk encapsulation dot1q
 switchport mode trunk
 srr-queue bandwidth share 1 30 35 5
 queue-set 2
 priority-queue out
 mls qos trust cos
 macro description cisco-switch
 auto qos trust
 spanning-tree link-type point-to-point
!
interface TenGigabitEthernet1/1
!
interface TenGigabitEthernet1/2
!
interface Vlan1
 ip address 10.1.7.2 255.255.255.0
!
interface Vlan10
 ip address 10.1.1.2 255.255.255.0
 ip helper-address 192.168.195.11
!
interface Vlan20
 ip address 10.1.2.1 255.255.255.0
 ip helper-address 192.168.195.11
!
interface Vlan30
 ip address 192.168.195.1 255.255.255.0
 ip helper-address 192.168.195.11
!
interface Vlan40
 ip address 10.1.4.1 255.255.255.0
 ip helper-address 192.168.195.11
!
interface Vlan50
 ip address 10.1.5.1 255.255.255.0
 ip helper-address 192.168.195.11
!
interface Vlan60
 ip address 10.1.6.1 255.255.255.0
 ip helper-address 192.168.195.11
!
ip default-gateway 192.168.22.49
ip http server
ip http secure-server
!
!
ip sla enable reaction-alerts
logging esm config
!
!
line con 0
 password
 login
line vty 0 1
 timeout login response 300
 password
 login
 length 0
 transport preferred ssh
 transport input telnet
line vty 2 4
 timeout login response 300
 password
 login
 length 0
 transport input telnet
line vty 5
 timeout login response 300
 password
 login
 length 0
 transport input telnet
line vty 6 15
 login
 length 0
!
!
monitor session 2 source interface Po1
monitor session 2 destination interface Gi0/27
end

M3TL3Switch#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 192.168.22.50 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.168.22.50
      10.0.0.0/8 is variably subnetted, 12 subnets, 2 masks
C        10.1.1.0/24 is directly connected, Vlan10
L        10.1.1.2/32 is directly connected, Vlan10
C        10.1.2.0/24 is directly connected, Vlan20
L        10.1.2.1/32 is directly connected, Vlan20
C        10.1.4.0/24 is directly connected, Vlan40
L        10.1.4.1/32 is directly connected, Vlan40
C        10.1.5.0/24 is directly connected, Vlan50
L        10.1.5.1/32 is directly connected, Vlan50
C        10.1.6.0/24 is directly connected, Vlan60
L        10.1.6.1/32 is directly connected, Vlan60
C        10.1.7.0/24 is directly connected, Vlan1
L        10.1.7.2/32 is directly connected, Vlan1
      192.168.22.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.22.48/30 is directly connected, Port-channel1
L        192.168.22.49/32 is directly connected, Port-channel1
      192.168.195.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.195.0/24 is directly connected, Vlan30
L        192.168.195.1/32 is directly connected, Vlan30

Accepted Solutions

rizwanr74
Level 7

Please copy this on your ASA.

interface GigabitEthernet0/1
 channel-group 1 mode active
!
interface GigabitEthernet0/2
 channel-group 1 mode active

interface Port-channel1
 port-channel load-balance src-dst-ip-port
 port-channel min-bundle 1
 lacp max-bundle 8
 no shutdown
 speed auto
 duplex auto
 nameif inside
 security-level 100
 ip address 192.168.22.50 255.255.255.252

Let me know if this helps.

Thanks

Rizwan Rafeek

Reference link below.

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/i3.html


2 Replies

Thanks for the reply. My port channel interface looks identical to your config posted above. The other settings in the ASA look like yours posted above also. I am also unable to ping any other VLAN default gateway on the switch itself, other than the default gateway the host is in. From my understanding, all hosts on the switch should be able to communicate with other VLANs as long as IP routing is enabled on the switch, correct? The switch is running the latest version 15 of IOS.

      

UPDATE: This has been solved.
