10-31-2011 12:09 PM - edited 03-07-2019 03:08 AM
Here is what I need.
Servers at VLAN 6 must see servers at VLANs 2, 10, 11, 12, and vice versa.
How do I write the correct commands?
Here are my outputs:
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/1, Gi1/0/2, Gi1/0/3, Gi1/0/4
2    ****OFFICE_SERVERS****           active    Fa1/0/13, Fa1/0/14, Fa1/0/15, Fa1/0/16, Fa1/0/17, Fa1/0/18, Fa1/0/19, Fa1/0/20, Fa1/0/25
                                                Fa1/0/26, Fa1/0/29, Fa1/0/30, Fa1/0/33, Fa1/0/34
4    ****END_USER****                 active    Fa1/0/39
6    ****ILO****                      active    Fa1/0/1, Fa1/0/2, Fa1/0/3, Fa1/0/4, Fa1/0/5, Fa1/0/6, Fa1/0/7, Fa1/0/8, Fa1/0/9, Fa1/0/10
10   ****WEB****                      active    Fa1/0/27, Fa1/0/28, Fa1/0/31, Fa1/0/32, Fa1/0/43
11   ****APP_SERVERS****              active    Fa1/0/11, Fa1/0/12, Fa1/0/21, Fa1/0/22, Fa1/0/35, Fa1/0/36
12   ****DB_SERVERS****               active    Fa1/0/23, Fa1/0/24, Fa1/0/37
99   ****VISITORS****                 active
Gateway of last resort is 192.168.0.253 to network 0.0.0.0
C 192.168.10.0/24 is directly connected, Vlan100
172.16.0.0/24 is subnetted, 6 subnets
C 172.16.29.0 is directly connected, Vlan99
C 172.16.30.0 is directly connected, Vlan6
C 172.16.9.0 is directly connected, Vlan3
C 172.16.10.0 is directly connected, Vlan4
C 172.16.0.0 is directly connected, Vlan1
C 172.16.1.0 is directly connected, Vlan2
C 192.168.0.0/24 is directly connected, Vlan5
S* 0.0.0.0/0 [1/0] via 192.168.0.253
11-01-2011 11:25 AM
Guys, it feels like I found the clue...
VLANs 10, 11 and 12 are on my ASA; its address from my side is 192.169.0.253....
So if I want these VLANs to be seen from VLANs 6 and 2 (that are on the core switch) I have to write this command on the core switch: ip route 192.168.1(or 2-3).0 255.255.255.0 192.168.0.253 (address of next hop)
Plz confirm if I'm right...
11-01-2011 09:35 PM
Seems like I was wrong :(
11-01-2011 10:09 PM
Hi Sanchos
This seems to be a routing problem.
Your ASA and the core switch need to have routes exchanged.
The VLANs that have IPs on the ASA are coming via the core switch, but all through layer 2.
The core switch has a default route, so anyway it should send any request coming from, say, the VLAN 2 subnet to the ASA .253 address.
But the ASA does not know where the 172.16.1.0/24 subnet is. So this is the problem.
You need to add static routes pointing back to the core switch; just do sh ip int brief on the core switch and pick the IP address which is coming from the firewall.
Hope that helps.
Regards,
Mohit
11-01-2011 10:32 PM
Great!
That's right, I've noticed the default gateway to the ASA .253 address...
The problem is in the way back...
PHSWCO01#sh ip int brief
Interface   IP-Address      OK? Method Status Protocol
Vlan1       172.16.0.1      YES NVRAM  up     up
Vlan2       172.16.1.2      YES NVRAM  up     up
Vlan3       172.16.9.2      YES NVRAM  up     up
Vlan4       172.16.10.2     YES NVRAM  up     up
Vlan5       192.168.0.2     YES NVRAM  up     up
Vlan6       172.16.30.2     YES NVRAM  up     up
Vlan99      172.16.29.2     YES NVRAM  up     up
Vlan100     192.168.10.251  YES NVRAM  up     up
This is from the core switch, but it's not so helpful to pick the interface coming from the ASA...
11-01-2011 10:55 PM
Sanchos Ibrahimov wrote:
Great!
That's right, I've noticed the default gateway to the ASA .253 address...
The problem is in the way back...
PHSWCO01#sh ip int brief
Interface   IP-Address      OK? Method Status Protocol
Vlan1       172.16.0.1      YES NVRAM  up     up
Vlan2       172.16.1.2      YES NVRAM  up     up
Vlan3       172.16.9.2      YES NVRAM  up     up
Vlan4       172.16.10.2     YES NVRAM  up     up
Vlan5       192.168.0.2     YES NVRAM  up     up
Vlan6       172.16.30.2     YES NVRAM  up     up
Vlan99      172.16.29.2     YES NVRAM  up     up
Vlan100     192.168.10.251  YES NVRAM  up     up
This is from the core switch, but it's not so helpful to pick the interface coming from the ASA...
ASAs are quite complex compared to switches in regards to commands.
Depending on what version of ASA you are running, the following is the command to be used to add a static route on version 8.2.x:
route if_name dest_ip mask gateway_ip [distance]
Example:
hostname(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.1
Also, to check the routing table, do sh route (this is based on version 8.2); you should be able to see the default route in the o/p.
Cheers.
11-01-2011 11:01 PM
Many thanks, you helped a lot!
So I have to add such a static route in the ASA, as I understand, right? And the interface is gonna be "inside", I guess...
11-01-2011 11:08 PM
Sanchos Ibrahimov wrote:
Many thanks, you helped a lot!
So I have to add such a static route in the ASA, as I understand, right? And the interface is gonna be "inside", I guess...
I think yes; just make sure before that the "inside" is on the subnet which connects to the switch.
sh route shall tell you clearly, like
C x.x.x.x x.x.x.x is directly connected, INSIDE
Do advise if that fixes your issue. Cheers!
11-01-2011 11:38 PM
phfwasa01# sh route
Gateway of last resort is gw_int to network 0.0.0.0
S 192.168.10.0 255.255.255.0 [1/0] via 192.168.0.1, inside
S 172.16.29.0 255.255.255.0 [1/0] via 192.168.0.1, inside
S 172.16.30.0 255.255.255.0 [1/0] via 192.168.0.1, inside
S 172.16.9.0 255.255.255.0 [1/0] via 192.168.0.1, inside
S 172.16.10.0 255.255.255.0 [1/0] via 192.168.0.1, inside
S 172.16.0.0 255.255.255.0 [1/0] via 192.168.0.1, inside -here it is!!!
S 172.16.1.0 255.255.255.0 [1/0] via 192.168.0.1, inside
C 10.1.1.0 255.255.255.252 is directly connected, failover
C 255.255.255.240 is directly connected, outside
C 192.168.0.0 255.255.255.0 is directly connected, inside
C 192.168.1.0 255.255.255.0 is directly connected, web_dmz
C 192.168.2.0 255.255.255.0 is directly connected, app_dmz
C 192.168.3.0 255.255.255.0 is directly connected, db_dmz
S* 0.0.0.0 0.0.0.0 [1/0] via gw_int, outside
And my command on the ASA will be:
hostname(config)# route inside 172.16.30.0 255.255.255.0 172.16.0.1
- 172.16.30.0 is the network I want to reach
- 172.16.0.1 is the address of the core switch
Seems like it will work, let me check...
11-01-2011 11:44 PM
Strange output :(((
phfwasa01(config)# route inside 172.16.30.0 255.255.255.0 172.16.0.1
phfwasa01(config)# sh route
Gateway of last resort is gw_int to network 0.0.0.0
S 192.168.10.0 255.255.255.0 [1/0] via 192.168.0.1, inside
S 172.16.29.0 255.255.255.0 [1/0] via 192.168.0.1, inside
S 172.16.30.0 255.255.255.0 [1/0] via 192.168.0.1, inside
[1/0] via 172.16.0.1, inside
S 172.16.9.0 255.255.255.0 [1/0] via 192.168.0.1, inside
S 172.16.10.0 255.255.255.0 [1/0] via 192.168.0.1, inside
S 172.16.0.0 255.255.255.0 [1/0] via 192.168.0.1, inside
S 172.16.1.0 255.255.255.0 [1/0] via 192.168.0.1, inside
C 10.1.1.0 255.255.255.252 is directly connected, failover
Why do I have such an empty space there? Is it normal?
11-02-2011 12:01 AM
I've deleted the route I added... there is a different one... so it's not the correct way... :(
11-02-2011 12:25 AM
Looks like you already have a route entry there pointing to 192.168.0.1.
It's good you removed that new entry that you had added, as that was miles away from what I was pointing at. You had picked up a static route (you see S in front of that line; it should have been C, as you see below:
C 192.168.0.0 255.255.255.0 is directly connected, inside)
Anyway, I think, looking at the diagram you pasted above, you have two core switches and perhaps you are running an HSRP/VRRP thing? Cos the VLAN 5 IP address on the switch output (sh ip int bri) says 192.168.0.2.
Can you ping 192.168.0.2 from the firewall? It should be working, cos you have many routes pointing to that interface.
Check where 192.168.1.1 is, as that is the place where the traffic is pointing to. If you are running HSRP or VRRP then we need to maybe check it's working.... I would say if you can send me the sho run from both cores I may be able to look through quickly.
For security reasons, you can remove any passwords from it if you like.
Cheers,
Mohit
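Mohit's two checks in this thread (the ASA must hold a return route for each switch-side subnet on the interface facing the switch, and the next hop of that route should be an address the switch actually owns, otherwise suspect an HSRP/VRRP virtual address or a stale next hop) can be run mechanically against the pasted outputs. The script below is an added example, not code from either poster or from Cisco: it parses the core switch's "sh ip int brief" and the ASA's "sh route" text as they appear in the thread (the garbled "outside" line is omitted), does a longest-prefix lookup the way the ASA would, and reports a verdict per subnet. The interface name "inside" comes from the thread; 172.16.50.0/24 is a constructed subnet with no route, included to show the negative case.

```python
"""Two-way route audit for a core switch / ASA pair (added example).

Inputs are the thread's own "sh ip int brief" (core switch) and "sh route"
(ASA) text. For each switch-side server subnet it answers:
  1. does the ASA have a return route on the switch-facing interface, and
  2. is that route's next hop an address the switch reports on the shared
     subnet (if not: HSRP/VRRP virtual IP, or a stale next hop).
"""
import ipaddress
import re

CORE_IP_INT_BRIEF = """\
Interface IP-Address OK? Method Status Protocol
Vlan1 172.16.0.1 YES NVRAM up up
Vlan2 172.16.1.2 YES NVRAM up up
Vlan3 172.16.9.2 YES NVRAM up up
Vlan4 172.16.10.2 YES NVRAM up up
Vlan5 192.168.0.2 YES NVRAM up up
Vlan6 172.16.30.2 YES NVRAM up up
Vlan99 172.16.29.2 YES NVRAM up up
Vlan100 192.168.10.251 YES NVRAM up up
"""

ASA_SHOW_ROUTE = """\
Gateway of last resort is gw_int to network 0.0.0.0
S 192.168.10.0 255.255.255.0 [1/0] via 192.168.0.1, inside
S 172.16.29.0 255.255.255.0 [1/0] via 192.168.0.1, inside
S 172.16.30.0 255.255.255.0 [1/0] via 192.168.0.1, inside
S 172.16.9.0 255.255.255.0 [1/0] via 192.168.0.1, inside
S 172.16.10.0 255.255.255.0 [1/0] via 192.168.0.1, inside
S 172.16.0.0 255.255.255.0 [1/0] via 192.168.0.1, inside
S 172.16.1.0 255.255.255.0 [1/0] via 192.168.0.1, inside
C 10.1.1.0 255.255.255.252 is directly connected, failover
C 192.168.0.0 255.255.255.0 is directly connected, inside
C 192.168.1.0 255.255.255.0 is directly connected, web_dmz
C 192.168.2.0 255.255.255.0 is directly connected, app_dmz
C 192.168.3.0 255.255.255.0 is directly connected, db_dmz
S* 0.0.0.0 0.0.0.0 [1/0] via gw_int, outside
"""

IPV4 = r"\d+\.\d+\.\d+\.\d+"
ASA_ROUTE_RE = re.compile(
    rf"^(?P<code>[CS]\*?)\s+(?P<net>{IPV4})\s+(?P<mask>{IPV4})\s+"
    rf"(?:\[\d+/\d+\]\s+via\s+(?P<via>\S+),|is directly connected,)\s+(?P<iface>\S+)"
)
SWITCH_IF_RE = re.compile(rf"^(?P<iface>\S+)\s+(?P<ip>{IPV4})\s+YES\b")


def parse_asa_routes(text):
    """One dict per route line: network, via (None when connected), iface."""
    routes = []
    for line in text.splitlines():
        m = ASA_ROUTE_RE.match(line.strip())
        if m:
            routes.append({
                "network": ipaddress.ip_network(f"{m['net']}/{m['mask']}"),
                "via": m["via"],          # may be a named object such as gw_int
                "iface": m["iface"],
            })
    return routes


def parse_switch_interfaces(text):
    """Map interface name -> IPv4Address from 'sh ip int brief'."""
    return {m["iface"]: ipaddress.ip_address(m["ip"])
            for m in map(SWITCH_IF_RE.match, text.splitlines()) if m}


def longest_match(routes, addr):
    """Longest-prefix lookup, the same choice the ASA makes when forwarding."""
    hits = [r for r in routes if addr in r["network"]]
    return max(hits, key=lambda r: r["network"].prefixlen, default=None)


def audit_return_paths(asa_routes, switch_ifaces, server_subnets, inside="inside"):
    """Per switch-side subnet: how the ASA sends a reply back, and whether the
    next hop is an address the switch owns on the shared (inside) network."""
    inside_net = next(r["network"] for r in asa_routes
                      if r["iface"] == inside and r["via"] is None)
    switch_on_inside = {ip for ip in switch_ifaces.values() if ip in inside_net}
    findings = {}
    for subnet in server_subnets:
        net = ipaddress.ip_network(subnet)
        route = longest_match(asa_routes, net.network_address + 1)  # any host in it
        if route is None or route["network"].prefixlen == 0:
            findings[subnet] = "NO_RETURN_ROUTE: reply would follow the default route"
        elif route["iface"] != inside:
            findings[subnet] = f"WRONG_INTERFACE: {route['iface']}"
        else:
            try:
                via = ipaddress.ip_address(route["via"])
            except ValueError:
                via = None
            if via in switch_on_inside:
                findings[subnet] = f"OK: via {via} on {inside}"
            else:
                findings[subnet] = (f"NEXT_HOP_NOT_ON_SWITCH: {route['via']}; switch reports "
                                    f"{sorted(map(str, switch_on_inside))} on {inside_net} "
                                    "(HSRP/VRRP virtual address, or a stale next hop?)")
    return findings


if __name__ == "__main__":
    routes = parse_asa_routes(ASA_SHOW_ROUTE)
    ifaces = parse_switch_interfaces(CORE_IP_INT_BRIEF)
    subnets = ["172.16.30.0/24", "172.16.1.0/24", "172.16.50.0/24"]  # last one constructed
    for subnet, verdict in audit_return_paths(routes, ifaces, subnets).items():
        print(f"{subnet:18} {verdict}")
```

On the thread's data every 172.16.x.0/24 subnet does have a return route on "inside", so the first check passes; what the script flags is the second one: the ASA's next hop 192.168.0.1 is not an address the core switch reports on 192.168.0.0/24 (the switch's Vlan5 is 192.168.0.2), which is the HSRP/VRRP question raised above and is worth settling before touching any routes.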
11-02-2011 10:35 PM
Mohit, I've solved the problem.
The routing between VLANs was on my ASA. And ACLs were there too... the problem was in the ACLs: they were extended and for specific protocols. I've changed it to standard, specifying IPs, and everything started to work...
Thank you very much for your help. I really appreciate it!
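The closing finding, that an extended ACL written for specific protocols was what blocked the inter-VLAN traffic while an address-only rule passed it, is easy to reproduce with a small first-match evaluator, and the same evaluator shows the other side of that trade: an "ip" permit between two subnets also opens every port the old ACL never mentioned. The example below is added here and is neither the poster's ACL (the thread never shows it) nor ASA code; the rule sets and sample flows are constructed, using the thread's Vlan6 (172.16.30.0/24) and web_dmz (192.168.1.0/24) subnets, and the evaluator mirrors the first-match, implicit-deny semantics of a Cisco interface ACL.

```python
"""First-match ACL evaluation (added example, constructed rule sets).

Shows why a protocol-specific extended ACL drops traffic an address-only
("ip") permit lets through, and what the address-only permit opens in turn.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" (any protocol), "tcp", "udp", "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None       # None = any destination port


@dataclass(frozen=True)
class Flow:
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: Optional[int] = None


def rule(action, proto, src, dst, dport=None):
    return Rule(action, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), dport)


def flow(proto, src, dst, dport=None):
    return Flow(proto, ipaddress.ip_address(src), ipaddress.ip_address(dst), dport)


def evaluate(acl, pkt):
    """First matching rule decides; a packet matching no rule is denied."""
    for r in acl:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if pkt.src not in r.src or pkt.dst not in r.dst:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action
    return "deny"      # implicit deny at the end of every ACL


def newly_permitted(narrow_acl, broad_acl, flows):
    """Flows the broader rule set permits that the narrower one denied: the
    exposure accepted when protocol-specific rules are swapped for an ip permit."""
    return [name for name, pkt in flows.items()
            if evaluate(narrow_acl, pkt) == "deny" and evaluate(broad_acl, pkt) == "permit"]


ILO = "172.16.30.0/24"     # Vlan6 on the core switch (subnet from the thread)
WEB = "192.168.1.0/24"     # web_dmz on the ASA (subnet from the thread)

# Constructed stand-in for "extended and for specific protocols":
PROTOCOL_SPECIFIC = [
    rule("permit", "tcp", ILO, WEB, 443),
    rule("permit", "tcp", ILO, WEB, 22),
]
# Same rules plus one protocol the servers were missing (constructed middle ground):
PROTOCOL_SPECIFIC_PLUS_ICMP = PROTOCOL_SPECIFIC + [rule("permit", "icmp", ILO, WEB)]
# Address-only rule, the shape of the thread's fix: any protocol between the subnets
ADDRESS_ONLY = [rule("permit", "ip", ILO, WEB)]

# Constructed sample flows from an ILO-VLAN host to a web-DMZ host
FLOWS = {
    "https": flow("tcp", "172.16.30.10", "192.168.1.10", 443),
    "ping": flow("icmp", "172.16.30.10", "192.168.1.10"),
    "rdp": flow("tcp", "172.16.30.10", "192.168.1.10", 3389),
    "dns": flow("udp", "172.16.30.10", "192.168.1.10", 53),
}
ACLS = {
    "protocol-specific": PROTOCOL_SPECIFIC,
    "plus-icmp": PROTOCOL_SPECIFIC_PLUS_ICMP,
    "address-only": ADDRESS_ONLY,
}


def decision_table(acls=ACLS, flows=FLOWS):
    """{flow name: {acl name: permit/deny}} for every combination."""
    return {name: {acl_name: evaluate(acl, pkt) for acl_name, acl in acls.items()}
            for name, pkt in flows.items()}


if __name__ == "__main__":
    for name, row in decision_table().items():
        print(f"{name:6}", "  ".join(f"{k}={v}" for k, v in row.items()))
    print("opened by address-only rule:", newly_permitted(PROTOCOL_SPECIFIC, ADDRESS_ONLY, FLOWS))
```

Under the protocol-specific set only HTTPS passes and ping is silently denied, which matches the symptom in the thread; the address-only set permits ping but also RDP and DNS, which the old ACL never allowed. Adding the missing protocol to the extended ACL (the "plus-icmp" set) restores the traffic without that widening, so when a blanket ip permit is used as the fix, the list returned by newly_permitted is the change worth reviewing.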