01-26-2012 09:02 AM - edited 03-07-2019 04:33 AM
Hello,
I am wondering if anyone is able to assist with getting VLANs working properly between sub-interfaces on an ASA and a trunk port on a switch.
There seems to be an issue with the VLANs being assigned to the correct VLAN and this information being properly sent to the ASA over the trunk.
We seem to be unable to ping most of the interfaces except for one on the switch. Sometimes, if we are lucky, we are able to ping a host on a different VLAN that is on the switch. This seems sporadic at best.
Logs on the ASA show traffic does not seem to be assigned properly to the correct sub-interface. We have access rules on the ASA disallowing traffic not part of the same VLAN. For example, you will see networkA blocked on networkB when it really should be directed through networkA's sub-interface.
I'm wondering if anyone can give example commands for the ASA and switch for at least the basic requirements to enable all the VLANs to communicate properly with the ASA?
Hope I'm making sense here. If not please let me know.
Thanks for your help!
01-26-2012 06:51 PM
Not much info to go on. If you can post some show command output from the switch, it may help.
Eugen
01-27-2012 09:44 AM
Thanks for your reply.
Well we have 1 ASA and 2 stacks of switches. Stack 1 is IP Based and Stack 2 is not.
[remote] -> {tunnel} -> [ASA] -> [Stack 1] -> [Stack 2]
[ASA] has several sub-interfaces on one of the interfaces connecting to [Stack 1] via Gig 1/0/1 Trunk port.
[Stack 1] has a trunk to [stack 2]
We can ping [Stack 2] just fine.
We cannot ping [Stack 1]; however if we connect to [Stack 2] we can access [stack 1].
--> show ip int brief on Stack 1 (truncated for relevance)
Interface IP-Address OK? Method Status Protocol
Vlan1 unassigned YES NVRAM administratively down down
Vlan10 10.0.0.33 YES NVRAM up up
Vlan11 10.0.1.33 YES NVRAM up up
Vlan12 10.0.2.33 YES NVRAM up up
Vlan13 10.0.3.33 YES NVRAM up up
Vlan101 10.1.0.33 YES NVRAM up up
FastEthernet0 unassigned YES NVRAM administratively down down
GigabitEthernet1/0/1 unassigned YES unset up up
GigabitEthernet1/0/2 unassigned YES unset down down
--> Interface Gig 1/0/1 via show run
interface GigabitEthernet1/0/1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10-13,101
switchport mode trunk
speed 1000
duplex full
We cannot ping any of the VLANs except for 10.0.0.34 (Stack 2 IP).
On the ASA we'll see logs like this showing one VLAN trying to hop to another...
4 | Jan 27 2012 | 17:39:11 | 10.1.0.35 | 123 | 10.120.1.2 | 123 | Deny udp src EB_Server:10.1.0.35/123 dst WAN:10.120.1.2/123 by access-group "EB_Server_access_in" [0x0, 0x0] |
EB_Server is VLAN 13, i.e. the 10.0.3.0/24 network.
The origin is from VLAN 11, i.e. the 10.0.1.0/24 network.
There is a deny rule denying all traffic not in the same VLAN (intentional), and we need to make sure the traffic for VLAN x actually goes through VLAN x.
Thoughts?
Thanks!
01-27-2012 01:08 PM
Sounds like an ACL problem blocking return traffic. Can you post the relevant ACL configuration and ASA sub-interface configs, please?
01-27-2012 02:04 PM
On the ASA we have:
interface GigabitEthernet0/1
speed 1000
duplex full
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.10
description Server
vlan 10
nameif Server
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/1.11
description Finance Server
vlan 11
nameif F_Server
security-level 100
ip address 10.0.1.1 255.255.255.0
!
interface GigabitEthernet0/1.12
description Exchange Front End
vlan 12
nameif EF_Server
security-level 100
ip address 10.0.2.1 255.255.255.0
!
interface GigabitEthernet0/1.13
description Exchange Back End
vlan 13
nameif EB_Server
security-level 100
ip address 10.0.3.1 255.255.255.0
As for the ACL: the ASA is practically defaults. It is a brand new device.
The only ACL is what I mentioned above. For each interface/VLAN there is one rule saying allow from the source network (which is for the correct VLAN) to any, and then the implicit deny.
For example, VLAN 13 will have allow network 10.0.3.0/24 to any and deny all.
Thanks for your help.
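The two configs posted in this thread (the switch trunk's allowed VLAN list and the ASA sub-interfaces) plus the quoted ASA deny line are enough to check the symptom mechanically. The script below is an added example, not code from the thread or from Cisco: it maps each ASA nameif to its VLAN id and subnet, expands the switch's "allowed vlan" list and reports VLAN ids present on one side but not the other, and then scans ASA "Deny ... src IF:IP/port" log lines for a source address that is not inside the subnet configured on the sub-interface the packet arrived on. That last condition is what the poster describes: a frame delivered to the EB_Server sub-interface that carries an address from another VLAN's range. Sample inputs are constructed from the thread's own lines; the second log line is invented as a contrasting, consistent entry. Only the Python standard library (ipaddress, re) is used.

```python
import ipaddress
import re

# Constructed sample input: the ASA sub-interface configuration quoted in the
# thread, reduced to the lines the checker needs.
ASA_CONFIG = """
interface GigabitEthernet0/1.10
 vlan 10
 nameif Server
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/1.11
 vlan 11
 nameif F_Server
 ip address 10.0.1.1 255.255.255.0
!
interface GigabitEthernet0/1.12
 vlan 12
 nameif EF_Server
 ip address 10.0.2.1 255.255.255.0
!
interface GigabitEthernet0/1.13
 vlan 13
 nameif EB_Server
 ip address 10.0.3.1 255.255.255.0
"""

# Constructed: the trunk port line quoted for Stack 1's Gig 1/0/1.
SWITCH_TRUNK_LINE = "switchport trunk allowed vlan 1,10-13,101"

# Constructed: the deny line quoted from the ASA log (first entry) and an
# invented, consistent entry (second) so the checker has both cases to sort.
ASA_LOG_LINES = [
    'Deny udp src EB_Server:10.1.0.35/123 dst WAN:10.120.1.2/123 by access-group "EB_Server_access_in" [0x0, 0x0]',
    'Deny tcp src F_Server:10.0.1.20/51000 dst WAN:10.120.1.2/443 by access-group "F_Server_access_in" [0x0, 0x0]',
]

# Matches the source/destination part of an ASA access-group deny message.
LOG_RE = re.compile(
    r"Deny \w+ src (?P<ifname>[^:]+):(?P<src>[\d.]+)/\d+ "
    r"dst (?P<dst_if>[^:]+):(?P<dst>[\d.]+)/\d+"
)


def parse_asa_subinterfaces(config):
    """Return {nameif: (vlan_id, ip_network)} from ASA 'interface' blocks."""
    result = {}
    current = {}
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = {}                      # new block starts
        elif line.startswith("vlan "):
            current["vlan"] = int(line.split()[1])
        elif line.startswith("nameif "):
            current["nameif"] = line.split()[1]
        elif line.startswith("ip address "):
            _, _, addr, mask = line.split()
            current["net"] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if {"vlan", "nameif", "net"} <= current.keys():
            result[current["nameif"]] = (current["vlan"], current["net"])
            current = {}
    return result


def parse_allowed_vlans(trunk_line):
    """Expand 'switchport trunk allowed vlan 1,10-13,101' into a set of ids."""
    spec = trunk_line.split("allowed vlan", 1)[1].strip()
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def check_trunk_against_asa(trunk_line, subifs):
    """VLAN ids carried on the trunk with no ASA sub-interface, and vice versa."""
    allowed = parse_allowed_vlans(trunk_line)
    asa_vlans = {vlan for vlan, _ in subifs.values()}
    return {
        "on_trunk_only": sorted(allowed - asa_vlans),
        "on_asa_only": sorted(asa_vlans - allowed),
    }


def find_mismatched_sources(log_lines, subifs):
    """(ifname, src, expected_net) for deny lines whose source address lies
    outside the subnet of the sub-interface the packet was received on."""
    findings = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m["ifname"] not in subifs:
            continue
        _, net = subifs[m["ifname"]]
        src = ipaddress.ip_address(m["src"])
        if src not in net:
            findings.append((m["ifname"], str(src), str(net)))
    return findings


if __name__ == "__main__":
    subifs = parse_asa_subinterfaces(ASA_CONFIG)
    print("trunk/ASA VLAN mismatch:", check_trunk_against_asa(SWITCH_TRUNK_LINE, subifs))
    for ifname, src, net in find_mismatched_sources(ASA_LOG_LINES, subifs):
        print(f"{ifname}: source {src} is outside {net}; frame was not tagged for this VLAN")
```

Run against the thread's lines this reports VLANs 1 and 101 as allowed on the trunk but absent from the ASA sub-interfaces, and flags the quoted log entry because 10.1.0.35 is outside EB_Server's 10.0.3.0/24. The check only classifies what the ASA saw; the trunk and SVI configuration on the switch still decide which tag a frame actually carries.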
01-27-2012 04:24 PM
Hi Michael,
Which IP address is 10.120.1.2? On your ASA log output I see that your ping is denied by 10.120.1.2. Looks like a different subnet to me. Check the ACL on that device.
Eugen