Cannot add a static route between two or more VLANs

sibrahimoff (Level 1)


Here is what I need.

Servers in VLAN 6 must see servers in VLANs 2, 10, 11 and 12, and vice versa.

How do I write the correct commands?

Here are my outputs:

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/1, Gi1/0/2, Gi1/0/3, Gi1/0/4
2    ****OFFICE_SERVERS****           active    Fa1/0/13, Fa1/0/14, Fa1/0/15, Fa1/0/16, Fa1/0/17, Fa1/0/18, Fa1/0/19, Fa1/0/20, Fa1/0/25
                                               Fa1/0/26, Fa1/0/29, Fa1/0/30, Fa1/0/33, Fa1/0/34
4    ****END_USER****                 active    Fa1/0/39
6    ****ILO****                      active    Fa1/0/1, Fa1/0/2, Fa1/0/3, Fa1/0/4, Fa1/0/5, Fa1/0/6, Fa1/0/7, Fa1/0/8, Fa1/0/9, Fa1/0/10
10   ****WEB****                      active    Fa1/0/27, Fa1/0/28, Fa1/0/31, Fa1/0/32, Fa1/0/43
11   ****APP_SERVERS****              active    Fa1/0/11, Fa1/0/12, Fa1/0/21, Fa1/0/22, Fa1/0/35, Fa1/0/36
12   ****DB_SERVERS****               active    Fa1/0/23, Fa1/0/24, Fa1/0/37
99   ****VISITORS****                 active

Gateway of last resort is 192.168.0.253 to network 0.0.0.0

C    192.168.10.0/24 is directly connected, Vlan100
     172.16.0.0/24 is subnetted, 6 subnets
C       172.16.29.0 is directly connected, Vlan99
C       172.16.30.0 is directly connected, Vlan6
C       172.16.9.0 is directly connected, Vlan3
C       172.16.10.0 is directly connected, Vlan4
C       172.16.0.0 is directly connected, Vlan1
C       172.16.1.0 is directly connected, Vlan2
C    192.168.0.0/24 is directly connected, Vlan5
S*   0.0.0.0/0 [1/0] via 192.168.0.253

26 Replies

Guys, it feels like I found the clue...

VLANs 10, 11 and 12 are on my ASA; its address from my side is 192.169.0.253....

So if I want these VLANs to be seen from VLANs 6 and 2 (which are on the core switch), I have to write this command on the core switch: ip route 192.168.1(or 2-3).0 255.255.255.0 192.168.0.253 (address of the next hop)

Please confirm if I'm right...

Seems like I was wrong :(

Hi Sanchos,

this seems to be a routing problem.

Your ASA and the core switch need to have routes exchanged.

The VLANs that have their IP on the ASA come via the core switch, but all through layer 2.

The core switch has a default route, so in any case it should send any request coming from, say, the VLAN 2 subnet to the ASA's .253 address.

But the ASA does not know where the 172.16.1.0/24 subnet is. So this is the problem.

You need to add static routes pointing back to the core switch. Just do sh ip int brief on the core switch and pick the IP address which is coming from the firewall.

Hope that helps.

Regards,

Mohit

Great!

That's right, I've noticed the default gateway to the ASA .253 address...

The problem is on the way back...

PHSWCO01#sh ip int brief
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  172.16.0.1      YES NVRAM  up                    up
Vlan2                  172.16.1.2      YES NVRAM  up                    up
Vlan3                  172.16.9.2      YES NVRAM  up                    up
Vlan4                  172.16.10.2     YES NVRAM  up                    up
Vlan5                  192.168.0.2     YES NVRAM  up                    up
Vlan6                  172.16.30.2     YES NVRAM  up                    up
Vlan99                 172.16.29.2     YES NVRAM  up                    up
Vlan100                192.168.10.251  YES NVRAM  up                    up

This is from the core switch, but it's not so helpful for picking the interface coming from the ASA...

Sanchos Ibrahimov wrote:

    This is from the core switch, but it's not so helpful for picking the interface coming from the ASA...


ASAs are quite complex compared to switches in regard to commands.

Depending on what version of ASA you are running, the following is the command to add a static route on version 8.2.x:

     route if_name dest_ip mask gateway_ip [distance]

     Example:

     hostname(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.1

Also, to check the routing table, do sh route (this is based on version 8.2).

You should be able to see the default route in the output.

Cheers.

Many thanks, you helped a lot!

So I have to add such a static route on the ASA, as I understand it, right? And the interface is going to be "inside", I guess...

Sanchos Ibrahimov wrote:

    So I have to add such a static route on the ASA, as I understand it, right? And the interface is going to be "inside", I guess...

I think yes; just make sure beforehand that "inside" is on the subnet which connects to the switch.

sh route should tell you clearly, like:

C x.x.x.x x.x.x.x is directly connected, INSIDE

Do advise if that fixes your issue. Cheers!

phfwasa01# sh route

Gateway of last resort is gw_int to network 0.0.0.0

S    192.168.10.0 255.255.255.0 [1/0] via 192.168.0.1, inside
S    172.16.29.0 255.255.255.0 [1/0] via 192.168.0.1, inside
S    172.16.30.0 255.255.255.0 [1/0] via 192.168.0.1, inside
S    172.16.9.0 255.255.255.0 [1/0] via 192.168.0.1, inside
S    172.16.10.0 255.255.255.0 [1/0] via 192.168.0.1, inside
S    172.16.0.0 255.255.255.0 [1/0] via 192.168.0.1, inside     - here it is!!!
S    172.16.1.0 255.255.255.0 [1/0] via 192.168.0.1, inside
C    10.1.1.0 255.255.255.252 is directly connected, failover
C                255.255.255.240 is directly connected, outside
C    192.168.0.0 255.255.255.0 is directly connected, inside
C    192.168.1.0 255.255.255.0 is directly connected, web_dmz
C    192.168.2.0 255.255.255.0 is directly connected, app_dmz
C    192.168.3.0 255.255.255.0 is directly connected, db_dmz
S*   0.0.0.0 0.0.0.0 [1/0] via gw_int, outside

And my command on the ASA will be:

hostname(config)# route inside 172.16.30.0 255.255.255.0 172.16.0.1

- 172.16.30.0 is the network I want to reach

- 172.16.0.1 is the address of the core switch

Seems like it will work, let me check...

sibrahimoff (Level 1)

Strange output :(((

phfwasa01(config)# route inside 172.16.30.0 255.255.255.0 172.16.0.1
phfwasa01(config)# sh route

Gateway of last resort is gw_int to network 0.0.0.0

S    192.168.10.0 255.255.255.0 [1/0] via 192.168.0.1, inside
S    172.16.29.0 255.255.255.0 [1/0] via 192.168.0.1, inside
S    172.16.30.0 255.255.255.0 [1/0] via 192.168.0.1, inside
                               [1/0] via 172.16.0.1, inside
S    172.16.9.0 255.255.255.0 [1/0] via 192.168.0.1, inside
S    172.16.10.0 255.255.255.0 [1/0] via 192.168.0.1, inside
S    172.16.0.0 255.255.255.0 [1/0] via 192.168.0.1, inside
S    172.16.1.0 255.255.255.0 [1/0] via 192.168.0.1, inside
C    10.1.1.0 255.255.255.252 is directly connected, failover

Why do I have such an empty space there? Is it normal?

I've deleted the route I added... there is a different one... so it's not the correct way... :(

Looks like you already have a route entry there pointing to 192.168.0.1.

It's good you removed that new entry you had added, as that was miles away from what I was pointing at. You had picked up a static route (you see S in front of that line); it should have been C, as you see below:

C    192.168.0.0 255.255.255.0 is directly connected, inside

Anyway, I think, looking at the diagram you pasted above, you have two core switches and perhaps you are running HSRP/VRRP? Because the VLAN 5 IP address in the switch output (sh ip int bri) says 192.168.0.2.

Can you ping 192.168.0.2 from the firewall? It should be working because you have many routes pointing to that interface.

Check where 192.168.1.1 is, as that is where the traffic is pointing to. If you are running HSRP or VRRP then we may need to check that it's working.... I would say, if you can send me the sho run from both cores, I may be able to look through them quickly.

For security reasons, you can remove any passwords from it if you like.

Cheers,

Mohit
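The two checks Mohit describes (the core switch forwards to the ASA via its default route, but the ASA needs a route back for every core-side subnet with a next hop on its connected inside subnet) and the two-line entry that appeared after the extra route command can both be verified from pasted show output. The following Python script is an added example, not code from this thread or from Cisco. It parses constructed IOS show ip route and ASA show route text patterned on the outputs above (the sample text is constructed, not the original), and reports, for each subnet the core switch owns, whether the ASA has a return route, whether that route has more than one next hop, and whether the next hop actually lies on the ASA's connected inside subnet. The transit VLAN name Vlan5 and the interface name inside are assumptions taken from the outputs in the thread.

```python
# Added example (not from the thread): check the ASA's return routes against the
# core switch's connected subnets, using pasted 'show ip route' / 'show route' text.
import ipaddress
import re

# Constructed sample output, patterned on the two devices in the thread.
CORE_SHOW_IP_ROUTE = """\
Gateway of last resort is 192.168.0.253 to network 0.0.0.0
C    192.168.10.0/24 is directly connected, Vlan100
     172.16.0.0/24 is subnetted, 3 subnets
C       172.16.29.0 is directly connected, Vlan99
C       172.16.30.0 is directly connected, Vlan6
C       172.16.1.0 is directly connected, Vlan2
C    192.168.0.0/24 is directly connected, Vlan5
S*   0.0.0.0/0 [1/0] via 192.168.0.253
"""
ASA_SHOW_ROUTE = """\
Gateway of last resort is gw_int to network 0.0.0.0
S    192.168.10.0 255.255.255.0 [1/0] via 192.168.0.1, inside
S    172.16.30.0 255.255.255.0 [1/0] via 192.168.0.1, inside
                               [1/0] via 172.16.0.1, inside
S    172.16.1.0 255.255.255.0 [1/0] via 192.168.0.1, inside
C    192.168.0.0 255.255.255.0 is directly connected, inside
C    192.168.1.0 255.255.255.0 is directly connected, web_dmz
S*   0.0.0.0 0.0.0.0 [1/0] via gw_int, outside
"""

_IOS_SUBNETTED = re.compile(r"^\s*(\S+)/(\d+) is subnetted")
_IOS_ROUTE = re.compile(r"^(?P<code>[A-Z*]+)\s+(?P<net>\d+\.\d+\.\d+\.\d+)(?:/(?P<plen>\d+))?\s+"
                        r"(?:is directly connected, (?P<iface>\S+)|\[\d+/\d+\] via (?P<nh>\S+))")
_ASA_ROUTE = re.compile(r"^(?P<code>[A-Z*]+)\s+(?P<net>\S+) (?P<mask>\S+) "
                        r"(?:is directly connected, (?P<iface>\S+)|\[\d+/\d+\] via (?P<nh>\S+), (?P<via>\S+))")
_ASA_CONT = re.compile(r"^\s+\[\d+/\d+\] via (?P<nh>\S+), (?P<via>\S+)")


def parse_ios_routes(text):
    """IOS 'show ip route' -> {IPv4Network: [('connected', iface) or ('via', next_hop), ...]}."""
    routes, plen = {}, None
    for line in text.splitlines():
        m = _IOS_SUBNETTED.match(line)
        if m:                      # classful header: its mask applies to the indented lines below
            plen = m.group(2)
            continue
        m = _IOS_ROUTE.match(line)
        if not m:
            continue
        net = ipaddress.ip_network(f"{m.group('net')}/{m.group('plen') or plen}", strict=False)
        hop = ("connected", m.group("iface")) if m.group("iface") else ("via", m.group("nh"))
        routes.setdefault(net, []).append(hop)
    return routes


def parse_asa_routes(text):
    """ASA 'show route' -> {IPv4Network: [('connected', iface) or ('via', next_hop, iface), ...]}.
    A line holding only '[a/m] via ...' is an additional next hop for the previous prefix."""
    routes, last = {}, None
    for line in text.splitlines():
        m = _ASA_CONT.match(line)
        if m and last is not None:
            routes[last].append(("via", m.group("nh"), m.group("via")))
            continue
        m = _ASA_ROUTE.match(line)
        if not m:
            continue
        net = ipaddress.ip_network(f"{m.group('net')}/{m.group('mask')}", strict=False)
        hop = ("connected", m.group("iface")) if m.group("iface") else ("via", m.group("nh"), m.group("via"))
        routes.setdefault(net, []).append(hop)
        last = net
    return routes


def check_return_paths(core_text, asa_text, transit_if="Vlan5", asa_if="inside"):
    """For every subnet connected to the core switch, except the transit VLAN toward the
    ASA, classify the ASA's route back to it. Returns {subnet: 'status: detail'}."""
    core, asa = parse_ios_routes(core_text), parse_asa_routes(asa_text)
    inside_nets = [n for n, hops in asa.items() if ("connected", asa_if) in hops]

    def on_inside(nh):             # a static next hop must sit on the ASA's connected subnet
        try:
            return any(ipaddress.ip_address(nh) in n for n in inside_nets)
        except ValueError:         # a named gateway such as 'gw_int', not an address
            return False

    result = {}
    for net, hops in core.items():
        ifaces = [h[1] for h in hops if h[0] == "connected"]
        if not ifaces or transit_if in ifaces:
            continue
        back = asa.get(net)
        if not back:
            result[str(net)] = "missing: no ASA route, replies would follow the ASA default route"
        elif len(back) > 1:
            result[str(net)] = "ecmp: %d next hops (%s)" % (len(back), ", ".join(h[1] for h in back))
        elif back[0][0] == "via" and not on_inside(back[0][1]):
            result[str(net)] = "unreachable: next hop %s is not on a connected %s subnet" % (back[0][1], asa_if)
        else:
            result[str(net)] = "ok: via %s" % back[0][1]
    return result


def core_default_points_at_asa(core_text, asa_text, asa_if="inside"):
    """Forward direction: the core's gateway of last resort must be on the ASA's connected subnet."""
    core, asa = parse_ios_routes(core_text), parse_asa_routes(asa_text)
    inside_nets = [n for n, hops in asa.items() if ("connected", asa_if) in hops]
    default = core.get(ipaddress.ip_network("0.0.0.0/0"), [])
    return any(h[0] == "via" and ipaddress.ip_address(h[1]) in n for h in default for n in inside_nets)


if __name__ == "__main__":
    print(check_return_paths(CORE_SHOW_IP_ROUTE, ASA_SHOW_ROUTE))
```

On the constructed sample the script flags 172.16.29.0/24 as missing on the ASA, 172.16.30.0/24 as having two next hops (the second being the 172.16.0.1 entry that is not on the inside subnet), and the remaining core subnets as fine. Paste real show output into the two strings to run it against your own devices.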

Mohit, I've solved the problem.

The routing between the VLANs was on my ASA. And the ACLs were there too... the problem was in the ACLs: they were extended and for specific protocols. I've changed them to standard, specifying IPs, and everything started to work...

Thank you very much for your help. I really appreciate it!
