I have a Cisco ASA 5505 with a Security Plus license. I have been tasked with setting up an SG300 in layer 3 mode to handle the inter-VLAN routing instead of the ASA. I'm new to Cisco; I cut my teeth on Brocade and Foundry, and the ASA is a beast on its own. So far I have inter-VLAN routing working on the switch but need advice on the ASA-to-SG300 connection. Currently I have the ASA with interfaces (inside, outside), looking to add a DMZ later as a pass-through to the SG300. My question is how the connection from the ASA to the SG300 should be handled.
I have taken a look at the configs and have these observations and questions:
1) The switch config appears to be incomplete. In particular, the only thing I see about routing is the config of a default gateway. In a Cisco switch that would typically indicate that it was operating as a layer 2 switch and not routing for its own subnets. I am not sure how to interpret that on this switch.
2) What I see in the switch is 4 VLANs that appear to be active and preparation for a DMZ VLAN that does not appear to be active.
3) The 4 active VLANs have DHCP pools configured with the switch interfaces as the gateway address. This would appear to support routing for the VLANs.
4) The DMZ VLAN is not active and I suggest that we do not worry about this until everything else is working.
5) The ASA seems to have two active VLANs with preparation for the DMZ.
6) The DMZ interface has the same security level as the inside interface. You probably want to change this as you work on the DMZ.
7) The ASA has a VPN pool configured with an address that is the same as VLAN 2 on the switch. I hope that was not intentional.
8) The ASA seems to be learning a default route via DHCP on the outside interface.
9) The ASA does have route statements for the active VLANs on the switch with the switch interface in VLAN 1 as the next hop.
10) So it looks like routing for the 4 active VLANs is set up and should work on the ASA.
11) It is not clear what the intention is for routing for the DMZ.
12) Am I correct in assuming that you plan to have one active interface between switch and ASA for current traffic and then a separate interface between switch and ASA for the DMZ? The ASA certainly can do that. I am not clear what the routing logic would be on the switch to handle VLAN 12 and keep it separate from the other VLANs.
My config has changed. I will upload today. Currently I have the ASA with inside and outside. Inside is 192.168.1.0/24. Outside is DHCP. The inside interface on the ASA is 192.168.1.1. The SG300 is using an SVI in VLAN 1 to the inside interface on the ASA, as an access port on the ASA. My intent is to use the SG300 as the inter-VLAN switch and use the ASA in routed mode as firewall/VPN. My guess is all ACLs and QoS will be on the switch. My networks are 172.16.x.x, and VLAN 1 only is 192.168.1.0/24 on the switch, with a default route to the ASA for internet. My SG300 is able to route because of the SVI IPv4 interfaces. My current route to the ASA is port 19 on the switch in VLAN 1 to the inside interface on VLAN 1 on the ASA, 192.168.1.1. I am able to ping networks behind the ASA from the ASA. It just doesn't route in VPN. I'm thinking my connection between the ASA and the switch is the issue. Any help is appreciated. I will upload the config in the am. My issue now is that I have a VPN running but can't connect to any LAN on the SG300. Is this because the inside interface is in the 192 range and my networks are in 172?
You say that the config has changed. What you describe is very much what was in the previous posting of the configs. I pointed out that in those configs the subnet that appears to be used for VPN is the same as the subnet used on the switch for one of its vlans. That would explain why VPN is not able to access resources in the network. Is that what changed in the config? Please do post the current running configs so that we can see what is there.
I notice that the new switch config has added some vlans and has removed vlans 3 and 4. The original switch config had 4 pools for DHCP while the new config has only 2. In the original switch config the connection from switch to router was using vlan 1 and in the new switch config the connection from switch to router is a routed port which I believe is better. The new switch config does have a route for the VPN pool on the ASA and the new VPN pool has resolved the issue where the VPN pool subnet duplicated a subnet of the switch. I continue to wonder about the configuration of ip default-gateway on the switch rather than a static default route, but perhaps that is appropriate on this switch. The new config for the ASA appears to be ok. I do not see any particular issues. It is not obvious to me how the implementation of DMZ will be done on the switch, especially how to maintain separation of DMZ from user resources. But perhaps there is something on the switch that will handle that.
My issue still persists. I have no connection to the network behind the ASA once I am connected to the VPN. I don't see any errors. Any suggestions on where to start? Did anyone notice something wrong in the ASA or switch config?
Can you tell us whether devices in inside vlans connected to the SG300 can successfully communicate with devices connected to other inside vlans of the SG300? (is inter vlan working correctly)
Can you tell us whether devices in inside vlans connected to the SG300 can successfully communicate with the Internet? (is routing from SG300 through ASA working correctly)
Would you post fresh copies of the current running config from ASA and from SG300?
Thanks for posting the configs. In a previous post I asked some questions about whether things other than VPN are working (can devices in some vlan on the SG access devices in other vlans on the SG and can devices in vlans on the SG access resources in the Internet). Can you answer these?
My first comment is about this address translation on the ASA
nat (inside,outside) source dynamic obj_any interface destination static obj_any obj_any
You have another translation for any and I am not sure why you have this one. I suggest that you remove it, or at least move it so that it follows the translations for the VPN pool.
I notice that the ASA has a route for network 192.168.1.0. But there is no other reference for that network on the ASA. Do you intend to use it? If so for what?
I notice that the SG has vlan 1, an SVI in that vlan for the network 192.168.1.0, and a DHCP pool for it. Are you planning to use it on the SG?
In addition to the DHCP pool for 192.168.1.0 there is a pool for vlan for printers. But no other DHCP pools. Is this intentional?
There is an ACL for DMZ that I am not sure about but I suggest we wait for any DMZ things till the rest of the network is operating as you intend.
Why is interface G17 in vlan 17 which is identified as VPN? Why would the SG know anything about VPN or have an interface for it?
The SG has a route for network 18.104.22.168 which is the VPN pool. I would think that the default route should take care of that. But having the route does no harm and keeping it is ok if you want.
I continue to wonder about the SG having an ip default-gateway configured and not having a static default route. It seems strange to me. But perhaps that is how the SG is intended to work. The question about whether devices on the SG can access the Internet will clarify whether this is an issue or not.
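The points raised above (identity NAT for the VPN pool ordered ahead of the catch-all PAT, static routes on the ASA for every subnet that lives behind the SG300, a VPN pool that overlaps nothing, and a default route rather than only ip default-gateway on the switch) can be pulled together into one minimal pair of configs. This is an added example, not a config posted in this thread. Every address in it is assumed for illustration: ASA inside 192.168.11.1/24 on the routed link, SG300 routed port 192.168.11.2/24 on gigabitethernet19, user VLANs somewhere under 172.16.0.0/16, and a VPN pool of 10.99.0.0/24 chosen so it collides with none of them. The object, pool, ACL and group-policy names are likewise made up. It assumes ASA software 8.3 or later (object-based NAT) and SG300 firmware that supports routed ports and ip route.

```cisco
! Added example, not from the original thread. Assumed addressing:
!   ASA inside (routed link to SG300)  192.168.11.1/24
!   SG300 routed port (g19)            192.168.11.2/24
!   user VLAN subnets on the SG300     172.16.0.0/16 (e.g. 172.16.10.0/24, 172.16.20.0/24)
!   remote-access VPN pool             10.99.0.0/24  (overlaps nothing above)
!
! --- ASA 5505, 8.3+ NAT syntax ---
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.11.1 255.255.255.0
!
object network OBJ-LAN-172
 subnet 172.16.0.0 255.255.0.0
object network OBJ-VPN-POOL
 subnet 10.99.0.0 255.255.255.0
ip local pool VPN-POOL 10.99.0.1-10.99.0.254 mask 255.255.255.0
!
! The ASA only reaches the 172.16 networks through the SG300, so they
! must be routed to the switch's routed-port address, not left to the
! default route out the outside interface.
route inside 172.16.0.0 255.255.0.0 192.168.11.2 1
!
! Identity (no-NAT) rule for LAN <-> VPN traffic goes FIRST. Manual NAT
! is evaluated top-down; a catch-all PAT ahead of it would translate the
! LAN's replies to VPN clients and the return traffic never matches.
nat (inside,outside) 1 source static OBJ-LAN-172 OBJ-LAN-172 destination static OBJ-VPN-POOL OBJ-VPN-POOL no-proxy-arp route-lookup
nat (inside,outside) 2 source dynamic OBJ-LAN-172 interface
!
! Send only the LAN prefixes through the tunnel (split tunnelling).
access-list SPLIT-TUNNEL standard permit 172.16.0.0 255.255.0.0
group-policy GP-VPN internal
group-policy GP-VPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
!
! Decrypted VPN traffic bypasses interface ACLs while this is enabled
! (the default); listed so the state is explicit in the config.
sysopt connection permit-vpn
!
! Checks after applying, with one VPN client connected:
!   show nat      -> rule 1 (identity) listed before rule 2 (dynamic PAT)
!   show route    -> 172.16.0.0/16 via 192.168.11.2 on inside
!   packet-tracer input inside icmp 172.16.10.20 8 0 10.99.0.5 detailed
!                 -> the NAT phase should report the identity rule, not the PAT
!
! --- SG300 in layer 3 mode, only the uplink and the default route ---
interface gigabitethernet19
 no switchport
 ip address 192.168.11.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.11.1
! Replies to VPN clients follow the default route back to the ASA; a
! specific route for 10.99.0.0/24 via 192.168.11.1 is harmless but not needed.
```

The ordering of the two nat lines is the part most often got wrong: the sequence numbers (1 and 2) make the position explicit, and show nat confirms which rule a given flow will hit. If the packet-tracer run shows the PAT rule being applied to traffic destined for the pool, the identity rule is either missing, mis-scoped, or sitting below the PAT.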
Yes, all devices can reach the internet and each other. Inter-VLAN is working by the SVI for each VLAN. I previously had the 192.168.1.0 network as an SVI connection to the ASA from the 300. I since moved it to a routed port. It is using 192.168.11.0 on the SG300 and ASA. I will clean up the printer VLAN, DMZ, and SVI for the 1.0 network. They were just left over. As for the ASA, I connect to the device over VPN. I can't, however, ping the ASA or the routed port on the ASA or SG300. From the ASA, not the VPN, I can ping anything behind the ASA to the SG300, and the SG300 can ping the ASA. Any suggestions?