Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3791
Views
0
Helpful
50
Replies

ASA 5545 & L3 configuration help

sachinc01
Level 1
Level 1

‎12-30-2016 04:31 AM - edited ‎03-08-2019 08:45 AM

Hi,

Please read following configuration & Issue & please help to resolve this.(Network Structure Router to ASA to L3 Switch) 

Router 3945

R1 WAN 10.84.35.202/30
R1 LAN 10.84.35.211/28 (Primary router)


ASA (5545):-10.84.35.210/28 Outside
                   10.84.35.65/26 Inside
                  Default route for 0.0.0.0 0.0.0.0 10.84.35.211

L3:- L3 VLAN on Switch
Vlan 2 10.84.32.1/23
Vlan 3 10.84.34.1/24
Vlan 4 10.84.35.1/26
VLAN 5 10.84.35.65/26


In this case from ASA i will be reach to router (35.211 & 202) & switch (10.84.35.66)
From router able to reach ASA (10.84.35.210) & Switch also able to rech 10.84.35.65

Issue:- From L3 Switch uable to reach 10.84.35.210 (ASA) & router (10.84.35.211 )also

So some can help me what configuration i wil ned to reach ASA outside interface & Router
From L3 Switch....


Sachin

Labels:
0 Helpful
50 Replies 50

Georg Pauwen
VIP
VIP
In response to Georg Pauwen

‎12-30-2016 01:58 PM

Also, can you post the output of 'show ip route' from all three devices ?

0 Helpful

sachinc01
Level 1
Level 1
In response to Georg Pauwen

‎12-30-2016 02:21 PM

Hi Sir,

Thanks for support :)

Please find attachment...

Preview file
120 KB
Preview file
91 KB
Preview file
76 KB
Preview file
131 KB
0 Helpful

Georg Pauwen
VIP
VIP
In response to sachinc01

‎12-30-2016 03:06 PM

Hello,

on the firewall, add:

route inside 0 0 10.84.35.65

and on the switch, remove the IP address from the Vlan 4 interface and configure the uplink port to the ASA as following:

interface GigabitEthernet1/0/10
description uplink to ASA
no switchport
ip address 10.84.35.66 255.255.255.192

0 Helpful

sachinc01
Level 1
Level 1
In response to Georg Pauwen

‎12-31-2016 12:38 AM

Hi ,

I have try but unable to add route on Firewall

Preview file
20 KB
0 Helpful

Georg Pauwen
VIP
VIP
In response to sachinc01

‎12-31-2016 12:44 AM

Hello, 

it needs to be:

route inside 0 0 10.84.35.66

My mistake, sorry.

If adding the route doesn't help, add the other config bit:

interface GigabitEthernet1/0/10
description uplink to ASA
no switchport
ip address 10.84.35.66 255.255.255.192

0 Helpful

sachinc01
Level 1
Level 1
In response to Georg Pauwen

‎12-31-2016 11:38 PM

Hi,

ASA

Ip have add route inside 0 0 10.84.35.66 1

& also make changes done on ASA but not reach ASA outside interface.

Sir,I have one daut I thing routing not work on ASA

I have received attached key with ASA Didi i need to add this key or activated my product if yes please guide me.

Preview file
85 KB
0 Helpful

sachinc01
Level 1
Level 1
In response to sachinc01

‎01-01-2017 12:48 AM

Please guide its urgent ..

Regards,
Sachin

0 Helpful

Georg Pauwen
VIP
VIP
In response to sachinc01

‎01-01-2017 01:12 AM

Hello,

what is the output of:

GITFirewall# show activation-key detail

0 Helpful

sachinc01
Level 1
Level 1
In response to Georg Pauwen

‎01-01-2017 01:27 AM

Hi sir,

Please see output.

also  please see when I will try traceroute from ASA

#traceroute 10.84.35.66 source outside1 (10.84.35.213 Asa int gi0/1)

Received following log on ASA (See attch lg & lg2)

Preview file
449 KB
Preview file
25 KB
Preview file
431 KB
0 Helpful

Georg Pauwen
VIP
VIP
In response to sachinc01

‎01-01-2017 01:52 AM

Hello,

the license looks good.

I think the problem is with the 'management-only' command on your interface. Try and remove the 'management-only':

interface GigabitEthernet0/1
description "Connected to R1"
management-only
nameif OUTSIDE1
security-level 0

When the management-only command is enabled under an interface, routing out of that interface is not allowed. In this instance, the interface only accepts direct communication. Traffic cannot pass through it.

0 Helpful

sachinc01
Level 1
Level 1
In response to Georg Pauwen

‎01-01-2017 02:08 AM

hi sir,

remove management-only but same issue..

Please see my all config .txt (SW,router ASA)& guide me to resolved on priority.

interface GigabitEthernet0/1
description "Connected to R1"
nameif OUTSIDE1
security-level 0
ip address 10.84.35.213 255.255.255.240

0 Helpful

Georg Pauwen
VIP
VIP
In response to sachinc01

‎01-01-2017 02:41 AM

Hello,

revert back to the original configuration, the one you had when you originally started this post.

I don't know what the configurations look right now after all the changes. Post all three, the ASA, the router, and the switch, again. I am pretty sure it will work with removing the 'management-only' command, that was the underlying issue to start out with.

0 Helpful

sachinc01
Level 1
Level 1
In response to Georg Pauwen

‎01-01-2017 03:01 AM

Hi Sir,

Thanks for response..

Please see  all3 device config.attached Please see this.

& revert ASAP..

Rs,

Sachin

Preview file
11 KB
Preview file
9 KB
Preview file
3 KB
0 Helpful

sachinc01
Level 1
Level 1
In response to sachinc01

‎01-01-2017 03:11 AM

Hi sir ,

Please phocas on only ASA & switch not able to reach ASA out side interface from Switch it this will happened then we will able able to reach router....

You will understand issue quickly.

Sachin

0 Helpful

sachinc01
Level 1
Level 1
In response to sachinc01

‎01-01-2017 04:23 AM

Hi,

Can any one revert to resolved this issue.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card