12-21-2012 12:06 AM - edited 03-07-2019 10:43 AM
Hi All
I implemented the configuration example from this link:
http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a008015f17a.shtml
My architecture is the same as shown in the link, with some differences:
I use the router 1841 for Internet connection instead of 7200VXR; this router 1841 is connected to the Catalyst 3750 port G1/0/1
I use Catalyst 2960 instead of Catalyst 2950 or 2948
I use ASA 5510 for connection to the remote branches (I have 5 remote sites). This ASA is connected to the Catalyst 3750 port G1/0/37
Result of the test
I can ping devices in the same VLANs
I can ping devices in different VLANs
I can ping all devices from the Catalyst 3750
I cannot ping the router 1841 or ASA 5510 from any of the devices (computers)
The gateway of each computer is the corresponding VLAN IP address configured on the Catalyst 3750
Why can't I ping the router 1841 or ASA 5510 from any of the devices (computers)?
Please advise
Thanks
12-21-2012 12:53 AM
Hi,
You need a route on the 1841 and ASA to be able to send the icmp echo-replies back to source which is in a subnet not directly connected.
Regards.
Alain
Don't forget to rate helpful posts.
12-21-2012 04:08 AM
Kindly share ip scheme so we can tell you the exact static routes
12-26-2012 12:19 AM
Hi
Kindly find below the IP address information
Cisco 1841 : 192.168.1.1/24
ASA5510 : 192.168.1.2/24
IP address of 3750 G1/0/1 port 192.168.1.3/24
IP address of 3750 G1/0/37 port 192.168.1.5/24
Vlan IP address
vlan 2 : 192.168.13.0/26
vlan 3 : 192.168.13.64/26
vlan 4 : 192.168.13.128/26
vlan 5 : 192.168.13.193/26
vlan 6 : 192.168.14.0/27
vlan 7 : 192.168.14.32/27
vlan 8 : 192.168.14.64/27
vlan 9 : 192.168.14.96/27
vlan 10 : 192.168.14.128/27
vlan 11 : 192.168.14.160/27
vlan 12 : 192.168.14.192/27
vlan 13 : 192.168.14.224/27
Thanks in advance for your help
12-26-2012 01:55 AM
Hi,
Can you show output from these commands?
on 3750:
sh run int g1/0/1
sh run int g1/0/37
sh ip int br
Abzal
12-26-2012 03:39 AM
Are you sure you have provided the IPs below on the 3750? Because they should overlap on the network. Can you provide the output of "show ip route" from the Router and "show route" from the ASA?
IP address of 3750 G1/0/1 port 192.168.1.3/24
IP address of 3750 G1/0/37 port 192.168.1.5/24
12-26-2012 05:38 AM
Yes, I gave the good IP
I am too far away from the site and I don't have remote access to copy and post the ip route
I use the router 1841 for Internet connection; this router 1841 is connected to the Catalyst 3750 port G1/0/1
I use ASA 5510 for connection to the remote branches (I have 5 remote sites). This ASA is connected to the Catalyst 3750 port G1/0/37
There is no VLAN on port G1/0/1 and port G1/0/37 of the Catalyst 3750
Result of the test
I can ping devices in the same VLANs
I can ping devices in different VLANs
I can ping all devices from the Catalyst 3750
I cannot ping the router 1841 or ASA 5510 from any of the devices (computers)
The gateway of each computer is the corresponding VLAN IP address configured on the Catalyst 3750
Kindly find below the IP address information
Cisco 1841 : 192.168.1.1/24
ASA5510 : 192.168.1.2/24
IP address of 3750 G1/0/1 port 192.168.1.3/24
IP address of 3750 G1/0/37 port 192.168.1.5/24
Vlan IP address
vlan 2 : 192.168.13.0/26
vlan 3 : 192.168.13.64/26
vlan 4 : 192.168.13.128/26
vlan 5 : 192.168.13.193/26
vlan 6 : 192.168.14.0/27
vlan 7 : 192.168.14.32/27
vlan 8 : 192.168.14.64/27
vlan 9 : 192.168.14.96/27
vlan 10 : 192.168.14.128/27
vlan 11 : 192.168.14.160/27
vlan 12 : 192.168.14.192/27
vlan 13 : 192.168.14.224/27
Which routes should I add on the 1841 and ASA?
Why can't I ping the router 1841 or ASA 5510 from any of the devices (computers)?
Thanks in advance for your help
12-26-2012 06:01 AM
I guess you need to reverify the config on the 3750 again; putting IPs out of the same subnet on two different interfaces of the same device is not possible. It might be that one of the interfaces is down, which is why you were able to assign an IP from the subnet, or the subnet range would be different.
Can you provide the config for the 3750, so that routing can be suggested? Thx
12-26-2012 06:32 AM
Other thing you can do, create a New L3-Vlan on 3750 and take both the ports for Router and ASA under that Vlan and then provide ip routes on Router and ASA per below -
1. On 3750 Switch -
NOTE - You have to physically access the 3750, coz it will disconnect the connectivity to both Router and ASA, and if you are accessing the 3750 remotely then you may lose your access as well, so access it from the physical location. Also take the latest backup of the configs before making any changes.
A. First remove the IP from both the interfaces on 3750 -
IP address of 3750 G1/0/1 port 192.168.1.3/24
IP address of 3750 G1/0/37 port 192.168.1.5/24
B - Create a new L-3 Vlan
# Vlan 100 (hope this vlan not exist)
# name Backbone_Vlan
# int vlan 100
# ip add 192.168.1.100 255.255.255.0 (free IP)
# int Gi 1/0/1
# switchport access vlan 100
# int Gi 1/0/37
# switchport access vlan 100
2. Put the below Routes on Router -
# ip route 192.168.13.0 255.255.255.0 192.168.1.100
# ip route 192.168.14.0 255.255.255.0 192.168.1.100
3. Put the below Routes on ASA
# route
# route
Above may also serve you solution -
12-26-2012 07:25 AM
Hi
Find below the actual sh run of the 3750
Why do I need to create another VLAN for port 1 and port 37? By default these 2 ports are in VLAN 1.
Is it absolutely necessary to put port G1/0/1 and G1/0/37 in a new VLAN X?
If I put these 2 ports in vlan 10, should I configure the ASA and router 1841 ports with vlan 100?
Can I summarize the routes in the ASA and router 1841?
Please advise
SWITCH_3750#
SWITCH_3750#
SWITCH_3750#sh run
Building configuration...
Current configuration : 5585 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname SWITCH_3750
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
clock timezone UTC 10
clock summer-time UTC recurring last Sun Mar 2:00 last Sun Oct 3:00
switch 1 provision ws-c3750x
system mtu routing 1500
ip routing
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0
no ip address
no ip route-cache cef
no ip route-cache
shutdown
!
interface GigabitEthernet1/0/1
description to INTERNET_ROUTER_1841
ip address 192.168.1.3 255.255.255.0
no switchport
!
interface GigabitEthernet1/0/2
description to SWITCH_9_2960
switchport trunk encapsulation dot1q
!
interface GigabitEthernet1/0/3
description to SWITCH_3550_DHCP
switchport trunk encapsulation dot1q
!
interface GigabitEthernet1/0/4
description to SWITCH_2_2960
switchport trunk encapsulation dot1q
!
interface GigabitEthernet1/0/5
description to SWITCH_3_2960
switchport trunk encapsulation dot1q
!
interface GigabitEthernet1/0/6
description to SWITCH_4_2960
switchport trunk encapsulation dot1q
!
interface GigabitEthernet1/0/7
description to SWITCH_5_2960
switchport trunk encapsulation dot1q
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
interface GigabitEthernet1/0/36
!
interface GigabitEthernet1/0/37
description to ASA_5510
ip address 192.168.1.5 255.255.255.0
no switchport
!
interface GigabitEthernet1/0/38
!
interface GigabitEthernet1/0/39
!
interface GigabitEthernet1/0/40
description to PC_VLAN5
switchport access vlan 5
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/41
description to PC_VLAN6
switchport access vlan 6
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/42
description to PC_VLAN7
switchport access vlan 7
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/43
description to PC_VLAN8
switchport access vlan 8
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/44
description to PC_VLAN9
switchport access vlan 9
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/45
!
interface GigabitEthernet1/0/46
!
interface GigabitEthernet1/0/47
!
interface GigabitEthernet1/0/48
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface Vlan1
no ip address
!
interface Vlan2
ip address 192.168.13.1 255.255.255.128
!
interface Vlan3
ip address 192.168.13.65 255.255.255.128
!
interface Vlan4
ip address 192.168.13.129 255.255.255.128
!
interface Vlan5
ip address 192.168.13.193 255.255.255.128
interface Vlan6
ip address 192.168.14.1 255.255.255.192
!
interface Vlan7
ip address 192.168.14.33 255.255.255.192
!
interface Vlan8
ip address 192.168.14.65 255.255.255.192
!
interface Vlan9
ip address 192.168.14.97 255.255.255.192
!
interface Vlan10
description VLAN MANAGEMENT
ip address 192.168.14.129 255.255.255.192
!
ip classless
ip http server
ip http secure-server
!
ip sla enable reaction-alerts
!
!
end
SWITCH_3750#
12-26-2012 07:51 AM
Hi,
G1/0/1 and G1/0/37 are Layer 3 interfaces, because of the no switchport command. You can either put them on a separate VLAN or change the IP addresses so they are not on the same subnet.
Example:
3750
int g1/0/1
ip add 192.168.100.1 255.255.255.252
int g1/0/37
ip add 192.168.101.1 255.255.255.252
1841
int
ip add 192.168.100.2 255.255.255.252
ASA
int
ip add 192.168.101.2 255.255.255.252
Sent from Cisco Technical Support iPhone App
12-26-2012 08:06 AM
Yes, by default interfaces come in Vlan 1, which has NO IP address assigned, but that's not an issue. Both the ports
Gi 1/0/1 and Gi 1/0/37 are routed ports, so the 3750 also has to understand which interface it should use if a request comes for subnet 192.168.1.0/24; in this case the device may get confused or create a routing loop.
So if you create one more Vlan 100 (which does not exist), you will have a single L-3 Vlan for subnet 192.168.1.0/24, and once you take both the above ports under that Vlan, your Router and ASA will be in the same broadcast domain with the same subnet, and once you put the suggested routing entries on the Router & ASA you will have reachability to all subnets from them.
Secondly, there isn't any default gateway found on the 3750, so in order to access the internet there should be one default route towards the device connected to the internet.
config suggested below -
1. On 3750 Switch -
NOTE - You have to physically access the 3750, coz it will disconnect the connectivity to both Router and ASA, and if you are accessing the 3750 remotely then you may lose your access as well, so access it from the physical location. Also take the latest backup of the configs before making any changes.
A. First remove the IP from both the interfaces on 3750 -
IP address of 3750 G1/0/1 port 192.168.1.3/24
IP address of 3750 G1/0/37 port 192.168.1.5/24
B - Create a new L-3 Vlan
# Vlan 100 (hope this vlan not exist)
# name Backbone_Vlan
# int vlan 100
# ip add 192.168.1.100 255.255.255.0 (free IP)
# int Gi 1/0/1
# switchport access vlan 100
# int Gi 1/0/37
# switchport access vlan 100
2. Put the below Routes on Router -
# ip route 192.168.13.0 255.255.255.0 192.168.1.100
# ip route 192.168.14.0 255.255.255.0 192.168.1.100
3. Put the below Routes on ASA
# route
# route
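Added example (not part of the original posts): a Python check that reads the layer-3 interface addresses exactly as they appear in the posted "sh run", lists interface pairs whose connected subnets overlap, and confirms that the two /24 return routes suggested for the 1841 cover every VLAN subnet. The function names and the trimmed config excerpt are this example's own assumptions.

```python
import ipaddress
import itertools
import re

# Trimmed excerpt of the 3750 "sh run" posted in the thread (L3 interfaces only).
CONFIG = """\
interface GigabitEthernet1/0/1
 ip address 192.168.1.3 255.255.255.0
interface GigabitEthernet1/0/37
 ip address 192.168.1.5 255.255.255.0
interface Vlan2
 ip address 192.168.13.1 255.255.255.128
interface Vlan3
 ip address 192.168.13.65 255.255.255.128
interface Vlan6
 ip address 192.168.14.1 255.255.255.192
interface Vlan7
 ip address 192.168.14.33 255.255.255.192
"""
# Return routes suggested in the thread for the 1841 (next hop 192.168.1.100).
ROUTES = ["192.168.13.0/24", "192.168.14.0/24"]

def parse_l3_interfaces(config):
    """Map interface name -> IPv4Interface for each 'ip address ADDR MASK' line."""
    found, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*ip address (\S+) (\S+)", line)
        if m and current:
            found[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return found

def overlapping_pairs(ifaces):
    """Interface pairs whose connected networks overlap (ambiguous forwarding)."""
    return [(a, b) for (a, ia), (b, ib) in itertools.combinations(ifaces.items(), 2)
            if ia.network.overlaps(ib.network)]

def uncovered(ifaces, routes):
    """VLAN interfaces whose subnet none of the static return routes covers."""
    nets = [ipaddress.ip_network(r) for r in routes]
    return [name for name, i in ifaces.items() if name.startswith("Vlan")
            and not any(i.network.subnet_of(r) for r in nets)]

if __name__ == "__main__":
    l3 = parse_l3_interfaces(CONFIG)
    print("overlapping L3 interfaces:", overlapping_pairs(l3))
    print("VLANs without a return route:", uncovered(l3, ROUTES))
```

With the masks as posted, the check flags G1/0/1 with G1/0/37 and also Vlan2/Vlan3 and Vlan6/Vlan7, whose posted masks (/25 and /26) are wider than the /26 and /27 plan listed earlier in the thread.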
12-27-2012 12:37 AM
Thanks for your answer
Do I need to create subinterface for vlan 100 in router 1841 and ASA 5510 ?
There is also VPN configured on ASA to connect remote site, the configuration of vlan can impact this VPN
12-27-2012 12:52 AM
Nope, you do NOT need to make any changes on either the Router or the ASA except the given routing change.
All you need to do is remove the existing IP addresses from Gi1/0/1 and Gi1/0/37 on the 3750, assign an IP on the L-3 Vlan and take both these interfaces under that Vlan. The Router and ASA will have the same (existing) IPs, so you will be able to ping the 192.168.1.100 (Vlan-100) IP from both Router and ASA.
Below is change on 3750 for interfaces and Vlan -
Existing config -
interface GigabitEthernet1/0/1
description to INTERNET_ROUTER_1841
ip address 192.168.1.3 255.255.255.0
no switchport
interface GigabitEthernet1/0/37
description to ASA_5510
ip address 192.168.1.5 255.255.255.0
no switchport
New config-
interface GigabitEthernet1/0/1
description to INTERNET_ROUTER_1841
no ip add
switchport
interface GigabitEthernet1/0/37
description to ASA_5510
no ip add
switchport
--------------------------
B - Create a new L-3 Vlan
# Vlan 100 (hope this vlan not exist)
# name Backbone_Vlan
# int vlan 100
# ip add 192.168.1.100 255.255.255.0 (free IP)
# int Gi 1/0/1
# switchport access vlan 100
# int Gi 1/0/37
# switchport access vlan 100
2. Put the below Routes on Router -
# ip route 192.168.13.0 255.255.255.0 192.168.1.100
# ip route 192.168.14.0 255.255.255.0 192.168.1.100
3. Put the below Routes on ASA
# route
# route
12-27-2012 12:55 AM
can you help with below output from router and ASA?
Router -
sh ip int brief
ASA -
sh ip add