ASA 5545 & L3 configuration help

sachinc01
Level 1

Hi,

Please read the following configuration and issue, and please help to resolve this. (Network structure: Router to ASA to L3 Switch)

Router 3945

R1 WAN 10.84.35.202/30
R1 LAN 10.84.35.211/28 (Primary router)


ASA (5545):- 10.84.35.210/28 Outside
             10.84.35.65/26 Inside
             Default route 0.0.0.0 0.0.0.0 10.84.35.211

L3:- L3 VLAN on Switch
Vlan 2 10.84.32.1/23
Vlan 3 10.84.34.1/24
Vlan 4 10.84.35.1/26
VLAN 5 10.84.35.65/26


In this case, from the ASA I am able to reach the router (35.211 & 202) and the switch (10.84.35.66).
From the router I am able to reach the ASA (10.84.35.210), and the switch is also able to reach 10.84.35.65.

Issue:- From the L3 switch I am unable to reach 10.84.35.210 (ASA) and also the router (10.84.35.211).

So can someone help me with what configuration I will need to reach the ASA outside interface and the router
from the L3 switch?


Sachin


Hello,

can you post the config of your layer 3 switch ?

Hi Sir, thanks for the response. Please help, this is urgent for me.

Hello,

which interface is connected to the inside interface of the ASA ?

Your default route is:

ip route 0.0.0.0 0.0.0.0 10.84.35.213

The next hop for the L3 switch would be 10.84.35.211, try and change the default route to:

ip route 0.0.0.0 0.0.0.0 10.84.35.211

Hi Sir,

ASA gi0/1 IP is 10.84.35.213, connected to the router, able to reach.

ASA gi0/3 IP is 10.84.35.65, connected to the switch, able to reach.

On the L3 I have removed the S* route to 213 and added ip route 0.0.0.0 0.0.0.0 10.84.35.211

But I am unable to reach ASA IP 10.84.35.213.

Hi sir, 

Please, someone help to resolve this issue on priority.

Hello,

which interface of the L3 switch is the one connected to the ASA ?

If this is the interface connected to the ASA, remove the trunk configuration:

interface GigabitEthernet1/0/10
switchport access vlan 4
--> no switchport trunk encapsulation dot1q
switchport mode access

Hi Sir, thanks for the response.

I have removed the trunk, but no effect.

Switch Gi1/0/10 (VLAN4 IP address 10.84.35.66/26) is connected to ASA gi0/3 IP address (10.84.35.66/26); both are reachable from each other.

But I am unable to reach the ASA (outside interface) and the router from the switch:

10.84.35.210/28 ASA Gi0/1

& router interface 10.84.35.211/28

But ASA to router is reachable... what config is needed on the ASA?

Hello,

Vlan 4 is on a different subnet than the inside interface of the ASA:

IP address ASA inside: 10.84.35.65/26
Host range: 10.84.35.65 - 10.84.35.126

IP address Vlan 4: 10.84.35.1/26
Host range: 10.84.35.1 - 10.84.35.62

--> Change the IP address of the ASA inside interface to e.g. 10.84.35.62

Hello @gpauwen, it just looks like a typo in the OP, as the SVI VLAN 4 subnet on the SW and the inside interface of the ASA are in the same subnet.

res

paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Paul,

you are right. The switch config shows that Vlan 4 has the 66 address...

Either way, you are also right about the default route on the L3 switch, it has to be:

ip route 0.0.0.0 0.0.0.0 10.84.35.65 (the inside interface of the ASA).
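The two checks the replies above do by hand (whether the switch's Vlan 4 and the ASA inside interface share a subnet, and whether a default-route next hop is on a subnet the switch is actually connected to) as a small script. This is an added example, not code from any poster; the SVI table is hand-typed from the switch config posted in this thread.

```python
import ipaddress

# Constructed from the switch SVIs and ASA inside address posted in this
# thread; a hand-typed table, not parsed from the device.
SWITCH_SVIS = {
    "Vlan2": "10.84.32.1/23",
    "Vlan3": "10.84.35.1/26",
    "Vlan4": "10.84.35.66/26",
    "Vlan5": "10.84.34.1/24",
    "Vlan10": "10.84.35.215/28",
}
ASA_INSIDE = "10.84.35.65/26"


def host_range(cidr):
    """First and last usable host of the subnet an interface address sits in."""
    net = ipaddress.ip_interface(cidr).network
    return str(net.network_address + 1), str(net.broadcast_address - 1)


def same_subnet(cidr_a, cidr_b):
    """True when two interface addresses share one network (prefix included)."""
    net_a = ipaddress.ip_interface(cidr_a).network
    net_b = ipaddress.ip_interface(cidr_b).network
    return net_a == net_b


def connected_via(svis, next_hop):
    """Name of the SVI whose subnet contains next_hop, or None.

    A static route is only usable if its next hop is on a connected subnet
    (or resolvable through another route); for the switch's default route
    that should be the SVI facing the ASA inside interface."""
    hop = ipaddress.ip_address(next_hop)
    for name, cidr in svis.items():
        if hop in ipaddress.ip_interface(cidr).network:
            return name
    return None


def check_default_route(svis, next_hop):
    """Verdict for 'ip route 0.0.0.0 0.0.0.0 <next_hop>' on the switch."""
    via = connected_via(svis, next_hop)
    if via is None:
        return f"{next_hop}: not on any connected subnet, route unusable"
    return f"{next_hop}: reachable via {via}"


if __name__ == "__main__":
    print("ASA inside host range:", host_range(ASA_INSIDE))
    print("Vlan4 shares ASA inside subnet:",
          same_subnet(SWITCH_SVIS["Vlan4"], ASA_INSIDE))
    for hop in ("10.84.35.213", "10.84.35.211", "10.84.35.65", "10.84.35.129"):
        print(check_default_route(SWITCH_SVIS, hop))
```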

Hello,

here is what (I hope) should work (important bits in bold):

R1

Primary-Router#show run
Building configuration...


Current configuration : 2403 bytes
!
! Last configuration change at 11:19:16 UTC Fri Dec 23 2016
! NVRAM config last updated at 11:19:17 UTC Fri Dec 23 2016
! NVRAM config last updated at 11:19:17 UTC Fri Dec 23 2016
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Primary-Router
!
boot-start-marker
boot-end-marker
!
!
! card type command needed for slot/vwic-slot 0/0
enable secret 5 $1$4GgZ$Pocj5q/v5/jTiBjhWVldp.
!
no aaa new-model
!
no ipv6 cef
!
!
!
!
!
ip cef
multilink bundle-name authenticated
!
!
!
!
!
crypto pki token default removal timeout 0
!
!
voice-card 0
!
!
!
!
!
!
!
!
license udi pid C3900-SPE250/K9 sn FOC18161VCT
!
!
hw-module pvdm 0/0
!
!
redundancy
!
!
!
!
!
!
interface GigabitEthernet0/0
ip address 10.84.35.201 255.255.255.252
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/2
ip address 10.84.35.210 255.255.255.240
standby 8 ip 10.84.35.209
standby 8 timers 2 6
standby 8 priority 200
standby 8 preempt delay minimum 5
duplex auto
speed auto
!
interface GigabitEthernet0/3
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 10.84.64.0 255.255.255.0 10.84.35.202
ip route 10.84.71.71 255.255.255.255 10.84.35.202
ip route 10.84.71.72 255.255.255.252 10.84.35.202
ip route 10.84.71.72 255.255.255.254 10.84.35.202
ip route 10.84.71.72 255.255.255.255 10.84.35.202
ip route 10.84.71.73 255.255.255.255 10.84.35.202
ip route 10.84.71.74 255.255.255.255 10.84.35.202
ip route 10.84.75.107 255.255.255.255 10.84.35.202
ip route 10.84.86.24 255.255.255.254 10.84.35.202
ip route 10.84.86.26 255.255.255.254 10.84.35.202
ip route 10.84.86.39 255.255.255.255 10.84.35.202
ip route 10.84.86.40 255.255.255.254 10.84.35.202
ip route 10.84.86.42 255.255.255.254 10.84.35.202
ip route 10.84.86.44 255.255.255.254 10.84.35.202
ip route 10.84.86.46 255.255.255.254 10.84.35.202
ip route 10.84.89.106 255.255.255.254 10.84.35.202
ip route 103.0.0.0 255.255.255.0 10.84.35.202
ip route 103.255.172.177 255.255.255.255 10.84.35.202
ip route 10.84.35.0 255.255.255.0 10.84.35.213

ASA:

GITFirewall# show run
: Saved
:
: Serial Number: FCH193478NR
: Hardware: ASA5545, 12288 MB RAM, CPU Lynnfield 2660 MHz, 1 CPU (8 cores)
:
ASA Version 9.2(2)4
!
hostname GITFirewall
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif management
security-level 100
ip address 10.84.32.5 255.255.254.0
!
interface GigabitEthernet0/1
description "Connected to R1"
management-only
nameif OUTSIDE1
security-level 0
ip address 10.84.35.213 255.255.255.240 standby 10.84.35.209
!
interface GigabitEthernet0/1.1
no vlan
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
description "CONNECTED TO R2"
management-only
nameif OUTSIDE2
security-level 0
no ip address
!
interface GigabitEthernet0/3
nameif inside
security-level 100
ip address 10.84.35.65 255.255.255.192
!
interface GigabitEthernet0/4
nameif WAN-Secondary
security-level 0
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
no nameif
security-level 0
ip address 10.0.0.1 255.255.255.0
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network asai
host 10.84.35.65
description test
object network inside-subnet
subnet 10.84.0.0 255.255.255.0
access-list Primary-WAN extended permit ip any any
access-list OUTSIDE1 extended permit ip any any
access-list 100 standard permit any4
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu OUTSIDE1 1500
mtu OUTSIDE2 1500
mtu inside 1500
mtu WAN-Secondary 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (any,OUTSIDE1) dynamic interface
route OUTSIDE1 0.0.0.0 0.0.0.0 10.84.35.210
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.84.32.0 255.255.254.0 management
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet 10.84.32.50 255.255.255.255 management
telnet 10.84.32.0 255.255.254.0 management
telnet 10.84.32.4 255.255.255.254 management
telnet 10.84.32.5 255.255.255.255 management
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd ping_timeout 750
dhcpd auto_config management
!
dhcpd address 10.84.32.3-10.84.32.4 management
dhcpd enable management
!
!
tls-proxy maximum-session 1000
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username cisco password ffIRPGpDSOJh9YLq encrypted
!
class-map inspection_default
match default-inspection-traffic

Switch

Current configuration : 4664 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Core-Switch
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$IagS$/fGTqA8BL663p3p.L.F2Z.
enable password 7 0028120B26570A0F01781B
!
no aaa new-model
switch 1 provision ws-c3750g-24ts-1u
system mtu routing 1500
ip subnet-zero
ip routing
no ip domain-lookup
!
!
!
crypto pki trustpoint TP-self-signed-1202638080
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1202638080
revocation-check none
rsakeypair TP-self-signed-1202638080
!
!
crypto pki certificate chain TP-self-signed-1202638080
certificate self-signed 01
quit
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
interface GigabitEthernet1/0/1
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet1/0/2
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet1/0/3
switchport access vlan 2
switchport mode access
no cdp enable
!
interface GigabitEthernet1/0/4
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet1/0/5
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/6
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/7
switchport access vlan 3
switchport mode access
!
interface GigabitEthernet1/0/8
switchport access vlan 3
switchport mode access
!
interface GigabitEthernet1/0/9
switchport access vlan 3
switchport mode access
!
interface GigabitEthernet1/0/10
switchport access vlan 4
switchport mode access
!
interface GigabitEthernet1/0/11
switchport access vlan 4
switchport mode access
!
interface GigabitEthernet1/0/12
switchport access vlan 4
switchport mode access
!
interface GigabitEthernet1/0/13
switchport access vlan 10
switchport trunk encapsulation dot1q
switchport mode access
!
interface GigabitEthernet1/0/14
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/15
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
no ip address
!
interface Vlan2
ip address 10.84.32.1 255.255.254.0
!
interface Vlan3
ip address 10.84.35.1 255.255.255.192
!
interface Vlan4
ip address 10.84.35.66 255.255.255.192
!
interface Vlan5
ip address 10.84.34.1 255.255.255.0
!
interface Vlan10
ip address 10.84.35.215 255.255.255.240
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.84.35.65
ip http server
ip http secure-server
!
!
!
control-plane

Not done, same issue.

Hello,

try and remove all the standby configuration from R1:

standby 8 ip 10.84.35.209
standby 8 timers 2 6
standby 8 priority 200
standby 8 preempt delay minimum 5

Also, can you post the output of traceroute from switch to router, and from router to switch?
