Re: ASA 5505 Trunk / intervlan routing issue - Page 2

ciscoitzupport · ‎02-05-2010

Hi there

For one of my Clients I need to setup a network VLAN configuration which exists of an ASA 5505 (security plus license) and a cisco catalyst 2960

I already setup one of the ports of my ASA as trunk and did the same for my catalyst. Now here is my problem. Somehow I don't have intervlan connections. I cannot ping one host from VLAN 1 in VLAN 10 or vice versa. From the console of my switch and ASA however I can ping both my hosts in VLAN 10 and/or VLAN 1 (I left out what's not important concerning trunk setup) For now I only placed one switch port in VLAN 10, all other ports -except for the trunk port and the vlan 10 switch port- are member of Native VLAN 1

I think I'm close but something must be missing in my config. Any help is greatly appreciated. Here's my current setup.

ASA 5505:

ASA Version 7.2(4)
!

interface Vlan1
nameif inside
security-level 100
ip address 192.168.100.248 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address X.X.X.X 255.255.255.248
!
interface Vlan3
shutdown
nameif dmz
security-level 50
ip address 192.168.25.254 255.255.255.0
management-only
!
interface Vlan10
nameif voip
security-level 100
ip address 10.10.10.254 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport trunk allowed vlan 1,10
switchport trunk native vlan 1
switchport mode trunk
speed 100
duplex full
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone BOT -4
dns server-group DefaultDNS
domain-name yrausquin.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list acl_out extended permit gre any interface outside
access-list acl_out extended permit tcp any interface outside eq pptp
access-list acl_out extended permit tcp any interface outside eq https
access-list acl_out extended permit tcp any interface outside eq www
access-list acl_out extended permit tcp any interface outside eq smtp
access-list acl_out extended permit tcp any interface outside eq 995
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu voip 1500
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.100.0 255.255.255.0
nat (voip) 1 10.10.10.0 255.255.255.0
static (inside,outside) tcp interface https 192.168.100.6 https netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.100.6 www netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.100.6 smtp netmask 255.255.255.255
static (inside,outside) tcp interface pptp 192.168.100.4 pptp netmask 255.255.255.255
static (inside,outside) tcp interface 995 192.168.100.6 995 netmask 255.255.255.255
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 201.229.36.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.100.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
telnet 192.168.100.0 255.255.255.0 inside
telnet timeout 15
!
console timeout 0

username itzupport password PkYOuWGiZUe1KFVX encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:80f67be57b3b5dd872601a654635365b
: end
[OK]

SWITCH 2960:

version 12.2
!
!
!
no file verify auto
!
spanning-tree mode pvst
spanning-tree extend system-id
no spanning-tree vlan 1
!
vlan internal allocation policy ascending
vlan 10
name voip
!
!
interface GigabitEthernet0/12
description Port configured as trunk
switchport trunk allowed vlan 1,10
switchport mode trunk
carrier-delay msec 0
speed 100
duplex full

interface Vlan1
ip address 192.168.100.251 255.255.255.0
no ip route-cache
!
interface Vlan10
ip address 10.10.10.253 255.255.255.0
no ip route-cache
!

end

ciscoitzupport · ‎02-22-2010

AxiomConsulting,

My native LAN is still 100. If I change this now into for example 200 my running network goes down right?

I can do this but only after closing hours

Jeye

Do you mean I should enable logging on my switch or the ASA. Let me know So I can send you some data

~~end~~

Jerry Ye · ‎02-22-2010

Yes, enable logging and let's see what errors or syslog messages when you start your ping.

Regards,

jerry

Jerry Ye · ‎02-22-2010

Hi Edwin,

First, I am not sure why Netpro is not updating the message. Here is what I got on my email

02-22-2010 16:24:02 Local4.Debug 192.168.100.248 Feb 22 2010 08:54:08: %ASA-7-609001: Built local-host voip:10.10.10.139

02-22-2010 16:23:56 Local4.Debug 192.168.100.248 Feb 22 2010 08:54:03: %ASA-7-609002: Teardown local-host voip:10.10.10.139 duration 0:00:00

02-22-2010 16:23:56 Local4.Error 192.168.100.248 Feb 22 2010 08:54:03: %ASA-3-305005: No translation group found for icmp src inside:192.168.100.5 dst voip:10.10.10.139 (type 8, code 0)

The ASA is trying to NAT and it is missing NAT statement between the inside and voip. You can create a nat(0) or static rule to by pass NAT for traffics between these two interfaces. For static, you can do the following

static (inside,voip) 192.168.100.0 192.168.100.0 netmask 255.255.255.0 0 0

static (voip,inside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0 0 0

HTH,

jerry

ciscoitzupport · ‎02-22-2010

I guess it will take some time before thread is updated. Okay I added both static rules in my asa and watched syslog results carefully. No more translation errors, but ping response gives me a request time out

(from host 192.168.100.5). As a matter of fact I don't see any entries in my syslog at all that relates to my host 192.168.100.5. Perhaps I should change my logging trap level?

Jerry Ye · ‎02-22-2010

How do you update your post? Via email? I am doing it via the website and it is working fine on the update.

Hm... interesting. Can you do a clear xlate and try again? I don't think you need to change the logging level, informational is good enough. Can you post the show xlate and show run? Just want to double check.

Regards,

jerry

ciscoitzupport · ‎02-22-2010

Has to wait till tmrrw jerry. I just finished working. I'll update you 2mrrw

ciscoitzupport · ‎02-23-2010

Jerry,

Here we go! Ran a clear xlate. Results show xlate displayed below:

sho xlate
16 in use, 156 most used
Global 192.168.100.0 Local 192.168.100.0
PAT Global 201.229.x.x(443) Local 192.168.100.6(443)
PAT Global 201.229.x.x(80) Local 192.168.100.6(80)
PAT Global 201.229.x.x(25) Local 192.168.100.6(25)
PAT Global 201.229.x.x(1723) Local 192.168.100.4(1723)
PAT Global 201.229.x.x(995) Local 192.168.100.6(995)
Global 10.10.10.0 Local 10.10.10.0
PAT Global 201.229.x.x(56115) Local 192.168.100.123(1560)
PAT Global 201.229.x.x(56090) Local 192.168.100.123(1559)
PAT Global 201.229.x.x(56089) Local 192.168.100.123(1558)
PAT Global 201.229.x.x(56088) Local 192.168.100.123(1557)
PAT Global 201.229.x.x(56085) Local 192.168.100.123(1555)
PAT Global 201.229.x.x(4) Local 192.168.100.4(1723)
PAT Global 201.229.x.x(3) Local 192.168.100.4(13282)
PAT Global 201.229.x.x(56106) Local 192.168.100.8(4647)
PAT Global 201.229.x.x(56092) Local 192.168.100.8(4633)

sho ru

ASA Version 7.2(4)
!
hostname fw-yrausquin
domain-name yrausquin.local
enable password j9QuOQhd05AWLf8v encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.100.248 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 201.229.36.18 255.255.255.248
!
interface Vlan3
shutdown
nameif dmz
security-level 50
ip address 192.168.25.254 255.255.255.0
management-only
!
interface Vlan10
nameif voip
security-level 100
ip address 10.10.10.254 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport trunk allowed vlan 1,10
switchport trunk native vlan 1
switchport mode trunk
speed 100
duplex full
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport access vlan 3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone BOT -4
dns server-group DefaultDNS
domain-name yrausquin.local
same-security-traffic permit inter-interface
access-list acl_out extended permit gre any interface outside
access-list acl_out extended permit tcp any interface outside eq pptp
access-list acl_out extended permit tcp any interface outside eq https
access-list acl_out extended permit tcp any interface outside eq www
access-list acl_out extended permit tcp any interface outside eq smtp
access-list acl_out extended permit tcp any interface outside eq 995
access-list acl_in extended deny tcp any any eq 135
access-list acl_in extended deny udp any any eq 135
access-list acl_in extended deny tcp any any eq 137
access-list acl_in extended deny udp any any eq netbios-ns
access-list acl_in extended deny tcp any any eq 138
access-list acl_in extended deny udp any any eq netbios-dgm
access-list acl_in extended deny tcp any any eq netbios-ssn
access-list acl_in extended deny udp any any eq 139
access-list acl_in extended deny tcp any any eq 445
access-list acl_in extended permit tcp any any
access-list acl_in extended permit udp any any
access-list acl_in extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging buffer-size 8192
logging buffered informational
logging trap debugging
logging asdm informational
logging host inside 192.168.100.5
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu voip 1500
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.100.0 255.255.255.0
nat (voip) 1 10.10.10.0 255.255.255.0
static (inside,outside) tcp interface https 192.168.100.6 https netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.100.6 www netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.100.6 smtp netmask 255.255.255.255
static (inside,outside) tcp interface pptp 192.168.100.4 pptp netmask 255.255.255.255
static (inside,outside) tcp interface 995 192.168.100.6 995 netmask 255.255.255.255
static (inside,voip) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (voip,inside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
access-group acl_in in interface inside
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 201.229.36.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.100.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
telnet 192.168.100.0 255.255.255.0 inside
telnet timeout 15
ssh 192.168.100.0 255.255.255.0 inside
ssh timeout 15
ssh version 1
console timeout 0

username itzupport password PkYOuWGiZUe1KFVX encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a93163309837f207b4c0cb8089c89db5
: end

Jerry Ye · ‎02-23-2010

Just realized that you have an inbound ACL on the inside interface. Can you add the following and try again (clear logging buffer first)? If it is not working, check the log to see anything is on it.

access-list acl_in extended permit icmp any any

HTH,

jerry

ciscoitzupport · ‎02-23-2010

Ok Jerry

Expanded access-list with the icmp line. After this I tried a ping from host 192.168.100.5 (vlan1) to host 10.10.10.139 (vlan10)

Pinging 10.10.10.139 with 32 bytes of data:

Reply from 10.10.10.139: bytes=32 time=1ms TTL=128
Reply from 10.10.10.139: bytes=32 time<1ms TTL=128
Reply from 10.10.10.139: bytes=32 time<1ms TTL=128
Reply from 10.10.10.139: bytes=32 time<1ms TTL=128

As you can see...it works! Thnk you so much. I guess this answers my question...problem solved

Jerry Ye · ‎02-23-2010

Great, glad that solve your problem.

You are actually hitting 2 issues.

1) NAT - because you have NAT control turned, you need to create NAT excemption between voip and inside

2) ACL - since you have inbound acl on the inside interface, you need to permit ICMP because it is not IP/TCP/UDP. If you want to create an ACL for voip later, remember to include ICMP for ping

Regards,

jerry