ASA 5505 Trunk / intervlan routing issue

ciscoitzupport
Level 1

Hi there

For one of my clients I need to set up a network VLAN configuration which consists of an ASA 5505 (Security Plus license) and a Cisco Catalyst 2960.

I already set up one of the ports of my ASA as a trunk and did the same for my Catalyst. Now here is my problem. Somehow I don't have inter-VLAN connectivity: I cannot ping a host in VLAN 10 from a host in VLAN 1, or vice versa. From the console of my switch and ASA, however, I can ping both my hosts in VLAN 10 and/or VLAN 1 (I left out what's not important concerning the trunk setup). For now I only placed one switch port in VLAN 10; all other ports, except for the trunk port and the VLAN 10 switch port, are members of native VLAN 1.

I think I'm close but something must be missing in my config. Any help is greatly appreciated. Here's my current setup.

ASA 5505:

ASA Version 7.2(4)
!

interface Vlan1
nameif inside
security-level 100
ip address 192.168.100.248 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address X.X.X.X 255.255.255.248
!
interface Vlan3
shutdown
nameif dmz
security-level 50
ip address 192.168.25.254 255.255.255.0
management-only
!
interface Vlan10
nameif voip
security-level 100
ip address 10.10.10.254 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport trunk allowed vlan 1,10
switchport trunk native vlan 1
switchport mode trunk
speed 100
duplex full
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone BOT -4
dns server-group DefaultDNS
domain-name yrausquin.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list acl_out extended permit gre any interface outside
access-list acl_out extended permit tcp any interface outside eq pptp
access-list acl_out extended permit tcp any interface outside eq https
access-list acl_out extended permit tcp any interface outside eq www
access-list acl_out extended permit tcp any interface outside eq smtp
access-list acl_out extended permit tcp any interface outside eq 995
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu voip 1500
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.100.0 255.255.255.0
nat (voip) 1 10.10.10.0 255.255.255.0
static (inside,outside) tcp interface https 192.168.100.6 https netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.100.6 www netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.100.6 smtp netmask 255.255.255.255
static (inside,outside) tcp interface pptp 192.168.100.4 pptp netmask 255.255.255.255
static (inside,outside) tcp interface 995 192.168.100.6 995 netmask 255.255.255.255
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 201.229.36.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.100.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
telnet 192.168.100.0 255.255.255.0 inside
telnet timeout 15
!
console timeout 0

username itzupport password PkYOuWGiZUe1KFVX encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:80f67be57b3b5dd872601a654635365b
: end
[OK]

SWITCH 2960:

version 12.2
!
!
!
no file verify auto
!
spanning-tree mode pvst
spanning-tree extend system-id
no spanning-tree vlan 1
!
vlan internal allocation policy ascending
vlan 10
name voip
!
!
interface GigabitEthernet0/12
description Port configured as trunk
switchport trunk allowed vlan 1,10
switchport mode trunk
carrier-delay msec 0
speed 100
duplex full

interface Vlan1
ip address 192.168.100.251 255.255.255.0
no ip route-cache
!
interface Vlan10
ip address 10.10.10.253 255.255.255.0
no ip route-cache
!

end

24 Replies

Reza Sharifi
Hall of Fame

Hello Edwin,

Did you configure the correct gateway on the PC?

You need a default route on your 2960 to point to the interface of the firewall.

ip route 0.0.0.0 0.0.0.0 192.168.100.248

HTH

Reza

Dear Reza,

Could it be that simple? I will give it a try. Unfortunately I remotely disabled the NIC which was in VLAN 10 when I changed the IP settings back to VLAN 1, so that will be on Monday.

Thanks for now

Hello Edwin,

If everything works on Monday, I would suggest you change VLAN 1 to some other VLAN, i.e. 100 or 200. VLAN 1 is usually used for control traffic (LACP, PAgP, VTP, CDP, etc.) and should not be used for user traffic. Once you change VLAN 1 to some other VLAN, then shut down VLAN 1 completely.

HTH

Reza

I read about it and was already considering changing this. However, I wanted to make sure I did not overlook something first. If I change this I of course have to place all switch ports in, let's say, VLAN 100, right?

Yes, that is correct. If this is a production environment, it is best to do any changes during an outage window.

Reza,

I did some research in a lab scenario and used a router-on-a-stick configuration instead of an ASA 5505 for my inter-VLAN routing.

The configuration was pretty straightforward (see below). I added PC01 in VLAN 100 (IP address 192.168.100.10/24, gateway 192.168.100.254) and PC02 in VLAN 200 (IP address 192.168.200.10/24, gateway 192.168.200.254). Then I tried to ping host PC02 on VLAN 200 from PC01, and no problem (the other way around also worked like a charm).

What I want to know is this: why does my 2960 switch in the real world need an additional default route pointing to the interface of the firewall (as you suggested), but is this not necessary with the router-on-a-stick configuration? I can't figure this out. Enlighten me.

Cisco 2620 Router

Hi Edwin,

The 2960 is a layer-2 switch. I know you have multiple SVIs configured on this box, but the 2960 cannot route. So, in order to get to other subnets, you will need a default gateway pointing to the firewall. I think in my previous post I wrote default route, which is not correct. Only one management SVI should be configured on it so you can telnet to the device; other than this it is only a layer-2 box.

HTH

Reza

Okay Reza

Small update,

I added a default gateway to my 2960 switch configuration.

ip default-gateway 192.168.100.248

Unfortunately, no luck. I can see my trunk is up:

show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Gi0/12      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/12      1-10

Port        Vlans allowed and active in management domain
Gi0/12      1,10

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/12      1,10

I can ping from my switch console to the VLAN 10 PC host (10.10.10.237 with gateway 10.10.10.254):

ping 10.10.10.237

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.237, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

As soon as I try this from a host in VLAN 1 (for example host 192.168.100.5, gateway 192.168.100.248) I get no response:

C:\>ping 10.10.10.237

Pinging 10.10.10.237 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.

Routing table on this PC:

IPv4 Route Table

Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 1d 09 69 45 b9 ...... Broadcom BCM5708C NetXtreme II GigE (NDIS VBD ient)

Active Routes:
Network Destination          Netmask          Gateway        Interface  Metric
            0.0.0.0          0.0.0.0  192.168.100.248    192.168.100.5      10
          127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1       1
      192.168.100.0    255.255.255.0    192.168.100.5    192.168.100.5      10
      192.168.100.5  255.255.255.255        127.0.0.1        127.0.0.1      10
    192.168.100.255  255.255.255.255    192.168.100.5    192.168.100.5      10
          224.0.0.0        240.0.0.0    192.168.100.5    192.168.100.5      10
    255.255.255.255  255.255.255.255    192.168.100.5    192.168.100.5       1
Default Gateway:  192.168.100.248

I don't think an access list on my firewall is really necessary, since I can ping from my switch console to the VLAN 10 gateway interface on my ASA (10.10.10.254). Furthermore, I think the command same-security-traffic permit inter-interface would make an access list redundant? I'm really stuck here. Funny thing is, a router-on-a-stick config works right away. If you need any additional info concerning my license, IOS version, etc., please let me know. I can use all the help I can get.

end

Hi,

Can anyone help to find a resolution to this post? I would just like to know what's the cause of this problem and update my knowledge. I have tried to understand this scenario but can't get an answer.

Thanks

Sidkracker,

I still don't have a solution. As soon as I find one I'll update my case.

end

Do you have logging enabled? If not, can you do the following and post the output of the log for the ping test? I would like to see what is causing it.

conf t

logging enable
logging timestamp
logging buffer-size 8192
logging buffered informational

exit

wri

clear logging buffer

Start your ping from VLAN1 to VLAN10, and post the log.

Regards,

jerry

Okay Jerry

I enabled logging on both the switch and the ASA (both at debugging level).

Syslog entries for the switch don't give much info, but for the ASA, as I start pinging a host in VLAN 10 (IP address 10.10.10.139) from a host in VLAN 100 (IP address 192.168.100.5), the following is logged:

02-22-2010 16:24:02 Local4.Debug 192.168.100.248 Feb 22 2010 08:54:08: %ASA-7-609002: Teardown local-host voip:10.10.10.139 duration 0:00:00

02-22-2010 16:24:02 Local4.Error 192.168.100.248 Feb 22 2010 08:54:08: %ASA-3-305005: No translation group found for icmp src inside:192.168.100.5 dst voip:10.10.10.139 (type 8, code 0)

02-22-2010 16:24:02 Local4.Debug 192.168.100.248 Feb 22 2010 08:54:08: %ASA-7-609001: Built local-host voip:10.10.10.139

02-22-2010 16:23:56 Local4.Debug 192.168.100.248 Feb 22 2010 08:54:03: %ASA-7-609002: Teardown local-host voip:10.10.10.139 duration 0:00:00

02-22-2010 16:23:56 Local4.Error 192.168.100.248 Feb 22 2010 08:54:03: %ASA-3-305005: No translation group found for icmp src inside:192.168.100.5 dst voip:10.10.10.139 (type 8, code 0)

02-22-2010 16:23:56 Local4.Debug 192.168.100.248 Feb 22 2010 08:54:03: %ASA-7-609001: Built local-host voip:10.10.10.139

02-22-2010 16:23:51 Local4.Debug 192.168.100.248 Feb 22 2010 08:53:58: %ASA-7-609002: Teardown local-host NP Identity Ifc:10.10.10.254 duration 0:00:02

02-22-2010 16:23:51 Local4.Info 192.168.100.248 Feb 22 2010 08:53:58: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.100.5/512 gaddr 10.10.10.254/0 laddr 10.10.10.254/0

02-22-2010 16:23:49 Local4.Info 192.168.100.248 Feb 22 2010 08:53:55: %ASA-6-302020: Built inbound ICMP connection for faddr 192.168.100.5/512 gaddr 10.10.10.254/0 laddr 10.10.10.254/0

02-22-2010 16:23:49 Local4.Debug 192.168.100.248 Feb 22 2010 08:53:55: %ASA-7-609001: Built local-host NP Identity Ifc:10.10.10.254

02-22-2010 16:23:45 Local4.Debug 192.168.100.248 Feb 22 2010 08:53:52: %ASA-7-609002: Teardown local-host NP Identity Ifc:10.10.10.254 duration 0:00:02

02-22-2010 16:23:45 Local4.Info 192.168.100.248 Feb 22 2010 08:53:52: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.100.5/512 gaddr 10.10.10.254/0 laddr 10.10.10.254/0

02-22-2010 16:23:43 Local4.Info 192.168.100.248 Feb 22 2010 08:53:50: %ASA-6-302020: Built inbound ICMP connection for faddr 192.168.100.5/512 gaddr 10.10.10.254/0 laddr 10.10.10.254/0

02-22-2010 16:23:43 Local4.Debug 192.168.100.248 Feb 22 2010 08:53:50: %ASA-7-609001: Built local-host NP Identity Ifc:10.10.10.254

02-22-2010 16:23:40 Local4.Debug 192.168.100.248 Feb 22 2010 08:53:47: %ASA-7-609002: Teardown local-host NP Identity Ifc:10.10.10.254 duration 0:00:02

02-22-2010 16:23:40 Local4.Info 192.168.100.248 Feb 22 2010 08:53:47: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.100.5/512 gaddr 10.10.10.254/0 laddr 10.10.10.254/0

I mentioned VLAN 100 a few times; that should be VLAN 1 (native VLAN) of course.
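Jerry's logging steps above collect the ASA buffer, and the %ASA-3-305005 lines in the output above are, per Cisco's syslog message reference, the ASA matching a nat rule on the ingress interface and then finding no global or static for that NAT id on the egress interface. The following Python script is an added example (not from the thread, Cisco or the poster) that parses such syslog lines, counts them per interface pair, and checks the thread's own NAT statements for a matching global, static or NAT-exemption (nat id 0) entry; the config and log samples are constructed from the lines posted above.

```python
import re
from collections import defaultdict

# Constructed sample: the NAT-relevant lines of the ASA 7.2 config posted in the thread.
ASA_CONFIG = """\
global (outside) 1 interface
nat (inside) 1 192.168.100.0 255.255.255.0
nat (voip) 1 10.10.10.0 255.255.255.0
static (inside,outside) tcp interface https 192.168.100.6 https netmask 255.255.255.255
"""

# Constructed sample: three lines in the format of the ASA syslog output posted above.
ASA_SYSLOG = """\
Feb 22 2010 08:54:08: %ASA-3-305005: No translation group found for icmp src inside:192.168.100.5 dst voip:10.10.10.139 (type 8, code 0)
Feb 22 2010 08:53:55: %ASA-6-302020: Built inbound ICMP connection for faddr 192.168.100.5/512 gaddr 10.10.10.254/0 laddr 10.10.10.254/0
Feb 22 2010 08:54:03: %ASA-3-305005: No translation group found for icmp src inside:192.168.100.5 dst voip:10.10.10.139 (type 8, code 0)
"""

# 305005 carries protocol, ingress ifc:address and egress ifc:address (ports optional).
NO_XLATE = re.compile(r"%ASA-3-305005: No translation group found for (\w+) "
                      r"src (\w+):([\d.]+)(?:/\d+)? dst (\w+):([\d.]+)")

def parse_nat(config):
    """Return nat id per ingress ifc, egress ifcs per global id, and (ingress, egress) static pairs."""
    nat_ids, global_ifcs, static_pairs = {}, defaultdict(set), set()
    for line in config.splitlines():
        if m := re.match(r"nat \((\w+)\) (\d+) ", line):
            nat_ids[m.group(1)] = int(m.group(2))
        elif m := re.match(r"global \((\w+)\) (\d+) ", line):
            global_ifcs[int(m.group(2))].add(m.group(1))
        elif m := re.match(r"static \((\w+),(\w+)\) ", line):
            static_pairs.add((m.group(1), m.group(2)))
    return nat_ids, global_ifcs, static_pairs

def untranslated_pairs(syslog, config):
    """Count 305005 drops per (ingress, egress) pair and note whether the config holds a
    global for the ingress nat id on the egress ifc, a static for the pair, or nat id 0."""
    nat_ids, global_ifcs, static_pairs = parse_nat(config)
    drops = defaultdict(int)
    for line in syslog.splitlines():
        if m := NO_XLATE.search(line):
            _proto, src_if, _src, dst_if, _dst = m.groups()
            drops[(src_if, dst_if)] += 1
    report = {}
    for (src_if, dst_if), count in drops.items():
        nat_id = nat_ids.get(src_if)  # None means no nat statement matched this ingress ifc
        report[(src_if, dst_if)] = {"drops": count, "nat_id": nat_id, "exempt": nat_id == 0,
                                    "global_on_egress": dst_if in global_ifcs.get(nat_id, set()),
                                    "static_pair": (src_if, dst_if) in static_pairs}
    return report
```

A pair that is reported with a nat id but neither a global on the egress interface, a static, nor exemption is the translation gap the ASA is logging; on the sample it is (inside, voip).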

AxiomConsulting
Level 1

Edwin,

Can you try changing the native VLAN on the trunk configuration...

switchport trunk native vlan

This will ensure that frames are tagged correctly as they pass through the trunk.

Steve
