1347 Views | 0 Helpful | 5 Replies

Catalyst 3850 and ASA5516 Issues

sook.1981
Level 1

Have a Catalyst 3850 with IP Routing turned on. I have three different IP ranges that talk back and forth with each other on the C3850. Now I want to put a fourth IP range in, but want that IP range to be behind an ASA 5516. I put the ASA 5516 with subinterfaces in place, but the C3850 routes all traffic through the subinterface GigabitEthernet1/2.700 because I put in an ip route 0.0.0.0 0.0.0.0 192.168.1.2. I verified that this was the issue by changing the ip route to 0.0.0.0 0.0.0.0 192.168.2.2, and then communication was alright. Can someone tell me what I have forgotten to do?

ASA 5516

interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 192.168.250.1 255.255.255.0

interface GigabitEthernet1/2.700
vlan 700
nameif inside700
security-level 100
ip address 192.168.1.2 255.255.255.0

interface GigabitEthernet1/2.701
vlan 701
nameif inside701
security-level 100
ip address 192.168.2.2 255.255.255.0

C3850

ip route 0.0.0.0 0.0.0.0 192.168.1.2
ip route 192.168.1.0 255.255.255.0 Vlan700
ip route 192.168.2.0 255.255.255.0 Vlan701


5 Replies

Richard Burts
Hall of Fame

You do not provide enough information about your environment for us to be able to give you good advice. It is not clear why you have two connections between your 3850 and the ASA, vlans 700 and 701, or what you want these vlans to do, given that both vlans on the ASA have a security level of 100.

One thing we can say is that, assuming the 3850 has vlan interfaces for vlans 700 and 701, you do not need the static routes on the 3850 for those subnets. The 3850 should see those subnets as connected subnets and does not need the static routes.

It is not clear at this point why using the static default route pointing to 192.168.1.2 is a problem. But my guess at this point is that it reflects how your ASA is configured. If you have configured address translation and/or access rules for vlan 701 and not for vlan 700, then it might produce the symptoms that you were experiencing.

If you need further assistance please provide more information about your environment and provide the configuration of the ASA (and seeing the configuration of the 3850 might help).

HTH

Rick

o.rtterud
Level 1

Hi,

Do all the inter-VLAN routing on the 3850 and then create a transport VLAN from the 3850 to the ASA.

Then route back from the ASA to the 3850 with 192.168.0.0.

Firewall-on-a-stick technology with inter-VLAN routing.

If you need a working config I can give you one, depending on your final design.


Hello

Sounds possibly like the ASA doesn't have any knowledge of the 2.700 sub-interface network, either through a static route or a missing NAT statement.

As requested, would it be applicable to share the configuration of the ASA?

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community's global network.

Kind Regards
Paul

Sorry about not posting the entire ASA configuration. I started thinking about what was going on, and it was that I did not have static routes in the ASA. I was able to get rid of all sub-interfaces and put in a single IP that connected to the L3 C3850. On the C3850 I took off the ip routes like Rick said and let the L3 switch take care of the routing.

Thank you for getting me on the right path.
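The transit-link design that o.rtterud describes (inter-VLAN routing on the 3850, one transport VLAN to the ASA, routes back from the ASA) and that sook.1981 ended up with (single inside IP, static routes on the ASA, no static routes on the 3850) written out as an added configuration example. This is not the thread's own config. The VLAN 700/701 subnets and the ASA outside address come from the original post; the transit VLAN 254 / 192.168.254.0/24, the 3850 SVI addresses, the switch port, the outside next hop and the NAT objects are constructed assumptions.

```cisco
! ----- Why the original layout failed (comment only) -----
! The 3850 sent all non-local traffic to 192.168.1.2 (ASA inside700), so
! packets sourced from 192.168.2.0/24 and the third range arrived on inside700.
! The ASA only knew its connected subnets; any internal range that was not
! directly connected had no route back, so replies never reached the 3850.
! Below, the ASA has one inside link and an explicit route back for each range.

! ----- Catalyst 3850: the L3 switch does all inter-VLAN routing -----
ip routing
!
interface Vlan700
 description User VLAN 700 (subnet from the original post, SVI address assumed)
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan701
 description User VLAN 701 (subnet from the original post, SVI address assumed)
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan254
 description Transit VLAN to ASA inside (assumed: 192.168.254.0/24)
 ip address 192.168.254.2 255.255.255.0
!
interface GigabitEthernet1/0/1
 description Link to ASA Gi1/2 (assumed port)
 switchport mode access
 switchport access vlan 254
!
! 192.168.1.0/24 and 192.168.2.0/24 are connected routes on the SVIs, so the
! per-VLAN static routes from the original post are gone. Only the default
! route toward the ASA remains, and it now points at the transit address.
ip route 0.0.0.0 0.0.0.0 192.168.254.1

! ----- ASA 5516: one inside interface, no sub-interfaces -----
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 192.168.250.1 255.255.255.0
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.254.1 255.255.255.0
!
! Return route for every internal range behind the 3850; next hop is the
! 3850's transit SVI. This is the piece the original ASA config was missing.
route inside 192.168.1.0 255.255.255.0 192.168.254.2 1
route inside 192.168.2.0 255.255.255.0 192.168.254.2 1
! Only needed if the ASA also carries traffic beyond the connected outside
! subnet; the next-hop address is assumed.
route outside 0.0.0.0 0.0.0.0 192.168.250.254 1
!
! Assumed policy: hide the internal ranges behind the outside interface
! address so hosts on the outside segment need no routes toward the 3850.
object network VLAN700-NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network VLAN701-NET
 subnet 192.168.2.0 255.255.255.0
 nat (inside,outside) dynamic interface
```

With security-level 100 on inside and 0 on outside, inside-to-outside traffic is permitted by default and the ASA's stateful inspection allows the replies back; outside-initiated connections toward the internal ranges still need an explicit access rule, which this example deliberately does not add. Any further internal range added on the 3850 needs one more `route inside` line (and, if translated, one more NAT object) on the ASA, which is exactly the dependency the original design tripped over.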

Thank you for posting back to the forum with the update. I am glad that our suggestions did put you on the right path. Thank you for marking this question as solved. This will help other participants in the forum to identify discussions that have helpful information. These forums are excellent places to learn about networking. I hope to see you continue to be active in the forum.

HTH

Rick