
Cannot ping interfaces

Roger Richards
Level 1

Ok.. Good day, I have an ASA 5510 and a 2921 -

My ASA is used for VPN and Internet

My 2921 is used to connect different subnets

I also have an attached diagram

I have a directly connected interface on 2921-10.10.10.1 to the ASA 10.10.10.2

Also on the 2921 I have a subnet 192.168.2.0 and 10.20.30.0

I have a trunk link on my switch 2950 from the 2921... The ASA is also connected to the switch

on the ASA

Int0/0 66.xxx.xxx.xxx internet

Int0/1 10.20.60.2 - Gateway for computers

Int0/2 10.10.10.2 - connected to 2921

on the 2921

gig0/1 10.10.10.1 - connected to ASA

gig0/1.20 sub-if 192.168.2.1

gig0/1.30 sub-if 10.20.30.1

I have connected some static routes to get from 10.20.60.0 to 192.168.2.0

I cannot ping 10.10.10.2 from my PC

I cannot ping 10.20.60.2 from my 2921

I would appreciate any ideas for configuration help...  And redesign...

What cannot happen is for us to use the 2921 for VPN and internet.

Thanks, see image.


Jon,

Sorry for the confusion. So with this update I would need to add to the ASA

routes to 10.20.10.0,192.168.2.0 and 10.20.50.0

and a default route in the 2921 to the ASA? Also my gateway would now be 10.20.60.1

Sorry for the headache Jon, but I think I will stick to your original idea, which was to readdress the Inside interface. It makes more sense....

Roger

No problem.

You can do what you are suggesting in the diagram and it would work fine.

Yes you add routes on ASA for all the 2921 subnets via 10.20.60.1.

And you would only need a default route on the 2921 pointing to 10.20.60.2.

Jon

Ok.. I realize I have a lot of ACLs and some natting to different objects, so changing the Inside interface might be a better choice....

But I do understand what I need to do, by changing it though...

Hi,

I made an attempt to do the configuration. But I couldn't get to devices on my 10.20.60.0 subnet... or ping devices on that subnet from the ASA.

I stuck with your original plan to change the inside interface 10.10.10.2 ..

But I didn't really know what else to change besides the interface and adding the routes.. What NAT would need to change? What ACL or other object needs to change?

Thanks again

Roger

Can you post configs of the router + ASA. Could you add them as attachments otherwise this thread is going to get too big to open. Or start a new thread as a continuation of this one.

Can you be specific as to what you mean when you say you couldn't get to 10.20.60.x devices ie. from where ?

Were other subnets working ?

Jon

Here it is..

The other subnets were working... I could not ping any server on the 10.20.60.0 subnet from the ASA... but was able to get to the 192.168.2.0 subnet.

All my devices are on the 10.20.60.0 network... from PCs to servers. So remember the plan was to remove the 2921 interface and use 10.10.10.2 on the inter with 10.20.60.2...

In the ASA I added the routes via the Inside interface (10.10.10.2)

route to 10.20.60.0/23 10.10.10.2

route to 192.168.2.0/24 10.10.10.2


Jon Marshall
Hall of Fame

Roger

so remember the plan was to remove the 2921 interface and use 10.10.10.2 on the inter with 10.20.60.2...

But you haven't done this according to the configs you have just posted.

The idea is to use the inside interface to connect to the 2921 so that you do not need to change any NAT statements on the ASA. But you still have the 2921 interface connected to the router. So do this (note you will need downtime) - 

1) shutdown the 2921 interface on the ASA and remove the address from the config.

2) remove the cable from the inside interface of the ASA that I think still connects to a switch.

3) take the cable that is in the 2921 interface on the ASA and connect it to the inside interface of the ASA.

Now the 2921 router physical connection runs from gi0/2 on the router to the inside interface of the ASA.

4) remove the 10.20.60.2 address from the inside interface on the ASA and add the 10.10.10.2 address that was previously on the 2921 ASA interface.

5) these routes on the ASA need changing  -

a) remove these - 

no route 2921 10.20.30.0 255.255.254.0 10.10.10.1 1

no route 2921 192.168.2.0 255.255.255.0 10.10.10.1 1

b) add these

route inside 10.20.30.0 255.255.254.0 10.10.10.1 1

route inside 192.168.2.0 255.255.255.0 10.10.10.1 1

6) add this route to the 2921

ip route 0.0.0.0 0.0.0.0 10.10.10.2 

That should do it. As I say, you will need downtime, but once done all internal VLANs should route via the 2921 and the ASA should only be used for internet. The ASA NAT statements reference the inside interface so it should just work.

Jon
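A pre-change sanity check for the static routes in step 5, added here as an example and not part of Jon's post: each next hop has to be a neighbour on the named interface's connected subnet, and the named interface must still carry an address. The /24 mask, the names check_routes, INTERFACES and CONFIG, and the last two sample route lines are assumptions made for illustration.

```python
import ipaddress

# Assumption: the ASA inside interface after step 4, with a /24 mask
# (the thread gives the address 10.10.10.2 but not the mask).
INTERFACES = {"inside": ipaddress.ip_interface("10.10.10.2/24")}

# Constructed sample: the two "route inside" lines from step 5, a line whose
# next hop is the ASA's own address, and a leftover line on the "2921"
# interface that step 1 removed.
CONFIG = """\
route inside 10.20.30.0 255.255.254.0 10.10.10.1 1
route inside 192.168.2.0 255.255.255.0 10.10.10.1 1
route inside 10.20.60.0 255.255.254.0 10.10.10.2
route 2921 192.168.2.0 255.255.255.0 10.10.10.1 1
"""


def check_routes(config, interfaces):
    """Return (line, problem) pairs for static routes that cannot forward."""
    findings = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "route":
            continue
        nameif, net, mask, gateway = parts[1:5]
        try:
            # strict parsing rejects a prefix with host bits set
            ipaddress.ip_network(f"{net}/{mask}")
            next_hop = ipaddress.ip_address(gateway)
        except ValueError as exc:
            findings.append((line, f"bad address: {exc}"))
            continue
        iface = interfaces.get(nameif)
        if iface is None:
            findings.append((line, f"interface {nameif} has no address"))
        elif next_hop == iface.ip:
            findings.append((line, "next hop is the device's own address"))
        elif next_hop not in iface.network:
            findings.append((line, "next hop is not on the connected subnet"))
    return findings


if __name__ == "__main__":
    for line, problem in check_routes(CONFIG, INTERFACES):
        print(f"{problem}: {line}")
```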

The config I sent you was the current one. I had to put it back in order for things to work, cause it's a production network ...

I did exactly what you have above..

Except I added a route in the ASA to

10.20.60.0 /23 10.10.10.1 <-- ?

So I will do it again, and remove that route and all the other ones.

Roger

Sorry, I just copied the routes from the ASA config. You will need that 10.20.60.0/23 route ie.

route inside 10.20.60.0 255.255.254.0 10.10.10.1

I don't know where the 10.20.30.0/23 network is ie. there is a route on the ASA but no sign of it on the 2921. If there is no such network then just remove it from the ASA config altogether.

One other point. When you do the change, after you have moved the cables around make sure you clear the ARP tables on both the 2921 and the ASA because the MAC to IP mappings will have changed.

Jon

Roger Richards
Level 1

ok

HAPPY NEW YEAR!!

I must be doing something wrong, cause I still can't get it to work.

Roger

Happy New Year as well.

Okay, what didn't work, and can you post the configs, or are they back to where they were before the changes (I suspect they are)?

Jon
