Cisco ASA: routing issue

matthewceroni
Level 1

I am stuck on an issue that is most likely going to turn out to be a simple resolution and be the result of my not truly understanding what the heck I am doing (at least I can be honest).

I have an ASA 5510. The management interface is connected to an access port (VLAN 102) on a 2960 switch.

     interface FastEthernet0/21
      switchport access vlan 102
      switchport mode access
     !

This switch is trunked to a 3560

trunk on 2960 side:

     interface GigabitEthernet0/2
      description LINK TO L3 port 36
      switchport trunk native vlan 21
      switchport trunk allowed vlan 2-5,7,11,21,102
      switchport mode trunk
     !

trunk on 3560 side:

     interface GigabitEthernet0/36
      description LINK TO CM-SRSW07 port G2
      switchport trunk native vlan 21
      switchport trunk allowed vlan 2-5,7,11,21,102
      switchport mode trunk
     !

The SVI for VLAN 102 on the 3560:

     interface Vlan102
      description information technology lights out management
      ip address 192.168.102.6 255.255.254.0
      ip helper-address 192.168.2.21
     !

I then have the inside interface on the ASA connected to a routed port on the 3560

3560:

     interface GigabitEthernet0/23
      description to test ASA
      no switchport
      ip address 192.168.100.1 255.255.254.0
     !

ASA:

     interface Ethernet0/0
      description Routed interface to 3560 L3
      nameif inside
      security-level 100
      ip address 192.168.100.2 255.255.254.0
     !

The routing table on the ASA is as follows:

     C    173.228.48.0 255.255.255.0 is directly connected, Outside
     S    192.168.21.0 255.255.255.0 [1/0] via 192.168.100.1, inside
     S    192.168.2.0 255.255.255.0 [1/0] via 192.168.100.1, inside
     S*   0.0.0.0 0.0.0.0 [1/0] via 173.228.48.1, Outside
     C    192.168.102.0 255.255.254.0 is directly connected, management
     C    192.168.100.0 255.255.254.0 is directly connected, inside

My PC (or switch 7, since its management interface is on VLAN 21 as well), which sits on VLAN 21, can't access (just pinging as my test right now) the management interface of the ASA. It can get to the inside interface though (but I don't want to use that for management).

It appears the ping traffic gets all the way to the ASA so I am 90% sure all the switch + 3560 config is correct. But on the ASA when I ping I get

  Routing failed to locate next hop for icmp management: 192.168.102.9/0 to management: 192.168.21.67/0

IP 192.168.21.67 is my IP. The way I visualize it (and this is probably where I am wrong) is that I ping from my PC. It sends to my default gateway, 192.168.21.6, which is an SVI interface on the 3560. The 3560 routes it to the VLAN 102 SVI interface and then just sends the packet out there. The show mac address-table shows the ASA management MAC on port 36, which is where switch 7 is connected and hence the management interface for the ASA. The ASA gets the ICMP traffic. To route back, the ASA would look at its routing table and see

192.168.21.0 255.255.255.0 via 192.168.100.1 inside

So it would send the reply to the routed port on the 3560 which would then handle it from there (doesn't even appear to be getting this far).

I know on a Linux machine that had two network cards I had this type of issue before. Where if traffic came in one interface it would fail if the return traffic was out another interface. Is this what is kind of happening here?

Thanks in advance


matthewceroni
Level 1

Forgot to post the management interface configuration on the ASA:

     interface Management0/0
      description San Rafael primary ASA management interface
      management-only
      nameif management
      security-level 100
      ip address 192.168.102.9 255.255.254.0

What you are trying to do is highly confusing: you enter the device via the management interface and try to send the answer via the inside interface. This is rather bad style routing- and security-wise and, obviously, does not work, because the ASA does not allow management traffic to be routed through the device. If to-the-device traffic enters a management-only interface it has to leave the same interface. Now there is no corresponding route bound to the management interface, and that is why the ASA does not know where to send the packet and drops it with the error message you observed.

To resolve that you need to add a static route:

route management 192.168.21.0 255.255.255.0 192.168.102.6

You are right that you could witness the same on Linux or Windows servers; however, there you can enable a routing service, depending on the distribution. That would allow a packet to be sent out on another interface than the one it was received on.

Regards

I can't add that route because one exists already saying use outside.

Maybe my issue is a topology problem. I have management interface on 102 subnet and inside/router interface on 100 subnet.

I need to be able to connect to management interface from other subnets. In this case the 21 network. When doing so all traffic needs to stay on management interface since as you described above the ASA won't route between them.

At the same time I need to be able to use the ASA as a router, so communicate with it over the inside interface from other subnets, i.e. the 21 network.

Is this not a logical setup? The only option I see is that you can only communicate with management interface when on the same subnet and when you are you can't use the ASA as a router. But that seems pretty limiting to me.

The management interface is typically used with a dedicated out-of-band management network or at least a specific management station. These networks or devices are usually separated from the production network, and in-band access is therefore intentionally denied.

In your case it looks like there is free intervlan routing between vlan 102 (your management interface vlan), vlan 21 (your PC) and vlan 100 (inside). In terms of security that means all networks have the same security or trust level, hence it does not add any security to use a dedicated management interface. You could as well use inband management and use your inside interface to access the ASA.

One more thing: you can remove this route

S    192.168.21.0 255.255.255.0 [1/0] via 192.168.100.1, inside

and add this one

route management 192.168.21.0 255.255.255.0 192.168.102.6

and you would still be able to reach the outside world from your 192.168.21.0/24 network. This is because the return traffic from outside to this network would be routed based on the connection table and not the routing table. However, traffic initiated from outside would not have a connection-table entry, and a routing table lookup would point to the management interface, which would then force the ASA to drop the packets.

I hope that is not getting too confusing now...
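The two replies above describe three separate decisions the ASA makes: a reply to to-the-box traffic that arrived on a management-only interface must leave through a route bound to that same interface; the return half of an established through-the-box flow is switched by the connection table, not the routing table; and a new flow whose route lookup lands on the management-only interface is dropped. The following Python script is an added illustration, not code from the original thread or from Cisco, that models only those stated rules with the addresses from the thread (longest-prefix lookup, a connection table keyed on source/destination only, rather than the real 5-tuple). The Outside interface address 173.228.48.2 and the outside hosts 198.51.100.10 and 198.51.100.99 are assumed, since the thread only shows the 173.228.48.0/24 network and its gateway.

```python
"""Toy model of the ASA routing behaviour described in the thread.
Added example; not Cisco code. Only the rules stated in the replies are modelled."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Iface:
    name: str
    addr: ipaddress.IPv4Interface      # e.g. 192.168.102.9/23
    management_only: bool = False


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    next_hop: Optional[str] = None     # None means directly connected


class Asa:
    def __init__(self, ifaces, static_routes):
        self.ifaces = {i.name: i for i in ifaces}
        # connected routes come from the interface addresses, statics are added as given
        self.routes = [Route(i.addr.network, i.name) for i in ifaces] + list(static_routes)
        self.conns = {}  # (src, dst) -> (ingress, egress); a real ASA keys on the 5-tuple

    def lookup(self, dst):
        """Longest-prefix match, or None when nothing matches."""
        dst = ipaddress.IPv4Address(dst)
        cands = [r for r in self.routes if dst in r.prefix]
        return max(cands, key=lambda r: r.prefix.prefixlen, default=None)

    def add_route(self, iface, prefix, next_hop):
        """Same effect as 'route <iface> <net> <mask> <gw>' in the thread."""
        self.routes.append(Route(ipaddress.IPv4Network(prefix), iface, next_hop))

    def del_route(self, iface, prefix):
        net = ipaddress.IPv4Network(prefix)
        self.routes = [r for r in self.routes
                       if not (r.iface == iface and r.prefix == net and r.next_hop)]

    def to_the_box_reply(self, ingress, peer):
        """Egress for the reply to a packet addressed to the ASA itself.
        A management-only ingress may only answer via a route bound to itself."""
        route = self.lookup(peer)
        if route is None:
            return None, "no route to %s" % peer
        if self.ifaces[ingress].management_only and route.iface != ingress:
            me = self.ifaces[ingress].addr.ip
            return None, ("Routing failed to locate next hop for icmp %s: %s/0 to %s: %s/0"
                          % (ingress, me, ingress, peer))
        return route.iface, "reply via %s" % route.iface

    def forward(self, ingress, src, dst):
        """Through-the-box packet: (egress, reason) or (None, reason)."""
        # Return direction of a known flow: connection table wins, no route lookup.
        if (dst, src) in self.conns:
            orig_in, orig_out = self.conns[(dst, src)]
            if ingress == orig_out:
                return orig_in, "matched connection table"
        if self.ifaces[ingress].management_only:
            return None, "management-only interface does not forward traffic"
        route = self.lookup(dst)
        if route is None:
            return None, "no route to %s" % dst
        if self.ifaces[route.iface].management_only:
            return None, "route points to management-only interface; dropped"
        self.conns[(src, dst)] = (ingress, route.iface)
        return route.iface, "new connection via %s" % route.iface


def build_asa():
    """The ASA from the thread. 173.228.48.2 for Outside is an assumption."""
    ifaces = [
        Iface("Outside", ipaddress.IPv4Interface("173.228.48.2/24")),
        Iface("inside", ipaddress.IPv4Interface("192.168.100.2/23")),
        Iface("management", ipaddress.IPv4Interface("192.168.102.9/23"), management_only=True),
    ]
    statics = [
        Route(ipaddress.IPv4Network("192.168.21.0/24"), "inside", "192.168.100.1"),
        Route(ipaddress.IPv4Network("192.168.2.0/24"), "inside", "192.168.100.1"),
        Route(ipaddress.IPv4Network("0.0.0.0/0"), "Outside", "173.228.48.1"),
    ]
    return Asa(ifaces, statics)


def demo():
    asa = build_asa()
    pc = "192.168.21.67"
    out = {}
    # 1. Original symptom: ping arrives on management, the only route back is via inside.
    out["before"] = asa.to_the_box_reply("management", pc)
    # 2. The fix suggested in the thread: swap the inside route for a management one.
    asa.del_route("inside", "192.168.21.0/24")
    asa.add_route("management", "192.168.21.0/24", "192.168.102.6")
    out["after"] = asa.to_the_box_reply("management", pc)
    # 3. The 21.0 network still reaches the outside world through inside...
    out["egress"] = asa.forward("inside", pc, "198.51.100.10")      # constructed host
    # ...and the return packet follows the connection table, not the route.
    out["return"] = asa.forward("Outside", "198.51.100.10", pc)
    # 4. An unsolicited outside packet to 21.0 hits the management route and is dropped.
    out["unsolicited"] = asa.forward("Outside", "198.51.100.99", pc)  # constructed host
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(step, result)
```

The string built in step 1 reproduces the syslog line from the original post, which is a quick way to confirm the model matches the symptom; step 4 is the caveat from the last reply, and is why this trick only holds while every flow to 192.168.21.0/24 is initiated from the inside.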

That makes sense.

Thanks for the input. I am kind of new to Cisco equipment. Enjoying learning about it but sometimes it can be a little frustrating.