Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1214
Views
8
Helpful
12
Replies

Connecting a 3560 switch to a asa5520

Go to solution
hawkeyeg
Level 1
Level 1

‎07-15-2017 05:38 AM - edited ‎03-08-2019 11:20 AM

I am trying to connect a switch 3560  to a asa5520  but I can't get it to connect to the internet.  I am using a server and a laptop in one vlan  and the asa in another. The server and laptop have no trouble talking to each other but the cant talk to the asa. I can connect to the internet from the ASA if I change my Laptop configuration.

My config files follow

My computer are set to IP Address 192.168.50.100 and 192.168.50.50 with a default gateway of 192.168.50.10

Any help would be great.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
cofee
Level 5
Level 5
In response to cofee

‎07-16-2017 02:11 PM

forgot to add crni00000 is right about asa missing route to 192.168.50.0

Please configure a static route on asa:

route inside 192.168.50.0 255.255.255.0 192.168.40.10

View solution in original post

0 Helpful
12 Replies 12

Go to solution
hawkeyeg
Level 1
Level 1

‎07-15-2017 02:17 PM

Switch 3560

Building configuration...

Current configuration : 1841 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname HawkSW2
!
enable secret 5 $1$wtIr$/oL0NPmd/z7AQU1XUq6u/1
enable password 7 044B2B151C701E1D5D
!
username Hawk password 7 0822455D0A16
no aaa new-model
ip subnet-zero
ip routing
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
switchport access vlan 50
switchport mode access
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
switchport access vlan 50
switchport mode access
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
switchport access vlan 40
switchport mode access
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
no ip address
!
interface Vlan40
ip address 192.168.40.10 255.255.255.0
!
interface Vlan50
ip address 192.168.50.10 255.255.255.0
!
ip default-gateway 192.168.40.1
ip classless
ip http server
!
!
control-plane
!
!
line con 0
exec-timeout 45 0
password 7 0822455D0A16
logging synchronous
login local
line vty 0 4
exec-timeout 30 0
password 7 01100F175804
logging synchronous
login
line vty 5 15
exec-timeout 30 0
password 7 01100F175804
logging synchronous
login
!

ASA5520

!:
: Serial Number: JMX1024K166
: Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
:
ASA Version 8.2(5)57
!
hostname HawkASA
domain-name HawkeyeTechnology.ca
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address 192.168.30.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif Inside
security-level 100
ip address 192.168.40.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif Management
security-level 70
ip address 192.168.35.1 255.255.255.0
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name HawkeyeTechnology.ca
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu Management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731-101.bin
asdm history enable
arp timeout 14400
nat (Outside) 1 192.168.40.0 255.255.255.0 outside
static (Inside,Outside) 192.168.30.0 192.168.40.0 netmask 255.255.255.0
!
router ospf 1
network 0.0.0.0 0.0.0.0 area 0
log-adj-changes
!
route Outside 0.0.0.0 0.0.0.0 192.168.30.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.40.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username Hawk password 0p57cUqGdokWpRYH encrypted privilege 15
!
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:0e157b9725f920bc69766517a6151f03
: end

end

0 Helpful

Go to solution
cofee
Level 5
Level 5
In response to hawkeyeg

‎07-16-2017 03:42 AM

This is what you seem to be missing:

nat (inside) 1 192.168.50.0 255.255.255.0
global (outside) 1 interface

You can also create static NATs for inside hosts if you want be more specific.

Go to solution
hawkeyeg
Level 1
Level 1
In response to cofee

‎07-16-2017 08:31 AM

That did not work I think that the problem is with the vlan I can talk to the server in vlan 50 and the server can talk to the Laptop no problem but I cannot connect to vlan 40 and the Asa.  I was able to connect to the asa directly and access the internet so I known its working at least.

0 Helpful

Go to solution
cofee
Level 5
Level 5
In response to hawkeyeg

‎07-16-2017 11:17 AM

Can you ping inside interface of Asa from switch or vice-versa? Make sure inside interface on the firewall and switch port that connect to Asa is up and should be assigned to vlan 40. 

Also check that svi for vlan 40 is up up or just ping 192.168.40.10 from the switch itself it should be able to ping itself. 

Also you can remove the NAT configuration from your original post.

0 Helpful

Go to solution
hawkeyeg
Level 1
Level 1
In response to cofee

‎07-16-2017 11:40 AM

I can ping from the Asa to port 192.168.40.10 I can also ping 192.168.30.2 the outside connection from the Asa.  The switch I can ping 192.168.40.10 and ping 192.168.40.1 but if I try to ping 192.168.40.10 from the laptop it fails 

0 Helpful

Go to solution
cofee
Level 5
Level 5
In response to hawkeyeg

‎07-16-2017 02:03 PM

Please make sure that ip routing is enabled on the switch. It may not be enabled by default.

Below is the commands to enable it in config mode:

ip routing

Also make sure that SVI for vlan 50 is up up and you are able ping it from the switch itself and also from end host in vlan 50. Also it's better to have a default route on a multi layer switch than using a default gateway as suggested in the other post, but it won't prevent it from working.

So you can remove this command from the switch:

ip default-gateway 192.168.40.1

And configure a default route:

ip route 0.0.0.0 0.0.0.0 192.168.40.1

0 Helpful

Go to solution
cofee
Level 5
Level 5
In response to cofee

‎07-16-2017 02:11 PM

forgot to add crni00000 is right about asa missing route to 192.168.50.0

Please configure a static route on asa:

route inside 192.168.50.0 255.255.255.0 192.168.40.10

0 Helpful

Go to solution
hawkeyeg
Level 1
Level 1
In response to cofee

‎07-16-2017 02:31 PM

No luck the Laptop can not ping 192.168.40.10 vlan 40 I can from the switch but not from the endpoint 

0 Helpful

Go to solution
hawkeyeg
Level 1
Level 1
In response to hawkeyeg

‎07-16-2017 02:46 PM

IT WORKS I had to turn everything off and back on to get it to connect. Thanks for all your support 

0 Helpful

Go to solution
cofee
Level 5
Level 5
In response to hawkeyeg

‎07-16-2017 03:36 PM

Nice. I am happy that you got it working.

Go to solution
Predrag Jovic
Level 3
Level 3
In response to cofee

‎07-17-2017 06:13 AM

Also it's better to have a default route on a multi layer switch than using a default gateway as suggested in the other post, but it won't prevent it from working.

Just the opposite. In the case when routing is enabled on device (ip routing was issued on 3560 - it is present in configuration above) default gateway will not be used to forward traffic. Traffic is forwarded only according to routing table. Default gateway does not have to be removed from the device, it will just not be used.

0 Helpful

Go to solution
Predrag Jovic
Level 3
Level 3
In response to hawkeyeg

‎07-16-2017 09:03 PM

Default route is missing on 3560 (ip routing command is issued):

ip route 0.0.0.0 0.0.0.0 192.168.40.1

On ASA is missing route to 192.168.50.0/24 network (ASA have no route to 192.168.50.0/24). I am not too familiar with ASA, so maybe I am missing something, but I don't see that 192.168.50.0/24 traffic is natted?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card