09-09-2015 10:04 AM - edited 03-08-2019 01:42 AM
Hi Experts,
Good Day!
I need help with the routing and switching of my network since I'm more familiar with security technologies.
Technically, I have 1 ASA firewall and 2 non-stacked Catalysts below the ASA firewall. My link to the 2 non-stacked Catalysts is via a port-channel configured on the ASA firewall, and I also configured the interfaces of the Catalysts as a port-channel. The 2 non-stacked Catalysts are running HSRP with a Virtual IP (VIP) of 10.132.253.25; however, the issue is that from the ASA, which I configured correctly, I cannot ping the VIP of the 2 non-stacked Catalysts, but I can ping the interface Vlan 20 (SVI) of each Catalyst.
How can I resolve this issue?
Below are the configuration portions of the 2 non-stacked Catalysts.
--------------------
CAT1
-------------------
CAT1#sh run int vlan 20
Building configuration...
Current configuration : 216 bytes
!
interface Vlan20
description {VPN}
ip address 10.132.253.26 255.255.255.248
ip ospf network point-to-point
ip ospf 10 area 0.0.0.0
standby 20 ip 10.132.253.25
standby 20 priority 210
standby 20 preempt
end
CAT1#sh run int gi1/7
Building configuration...
Current configuration : 170 bytes
!
interface GigabitEthernet1/7
description [VPN01 PORT2]
switchport access vlan 20
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
end
CAT1#sh run int gi1/8
Building configuration...
Current configuration : 170 bytes
!
interface GigabitEthernet1/8
description [VPN02 PORT2]
switchport access vlan 20
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
end
-------------------
CAT2
-------------------
CAT2#sh run int vlan 20
Building configuration...
Current configuration : 196 bytes
!
interface Vlan20
description {VPN}
ip address 10.132.253.27 255.255.255.248
ip ospf network point-to-point
ip ospf 10 area 0.0.0.0
standby 20 ip 10.132.253.25
standby 20 priority 115
end
CAT2#sh run int gi1/7
Building configuration...
Current configuration : 170 bytes
!
interface GigabitEthernet1/7
description [VPN01 PORT3]
switchport access vlan 20
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
end
CAT2#sh run int gi1/8
Building configuration...
Current configuration : 170 bytes
!
interface GigabitEthernet1/8
description [VPN02 PORT3]
switchport access vlan 20
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
end
-------------------
ASA-1
-------------------
interface GigabitEthernet0/2
description ### Member Interface of PortChannel 20 ###
channel-group 20 mode on
no nameif
no security-level
no ip address
no shutdown
!
interface GigabitEthernet0/3
description ### Member Interface of PortChannel 20 ###
channel-group 20 mode on
no nameif
no security-level
no ip address
no shutdown
!
interface Port-channel20
description ### Members: Gig0/2 and Gig0/3 ###
lacp max-bundle 8
no nameif
no security-level
no ip address
no shutdown
!
interface Port-channel20.20
description ### Members: Gig0/2 and Gig0/3 ###
vlan 20
nameif INSIDE
security-level 100
ip address 10.132.253.29 255.255.255.248
no shutdown
Please see the attached diagram for your reference.
Thanks.
09-09-2015 10:28 AM
I think the setup is incorrect. You can't have a port-channel on one side and not on the other side.
09-10-2015 12:51 AM
Hi ahmed,
Good Day!
Sorry, I pasted the incorrect configurations.
Please see below for the correct one.
======
CAT1
======
interface FastEthernet1/0
switchport trunk allowed vlan 1,2,20,1002-1005
switchport mode trunk
channel-group 1 mode on
end
interface Vlan20
description {VPN}
ip address 10.132.253.26 255.255.255.248
standby 20 ip 10.132.253.25
standby 20 priority 210
standby 20 preempt
interface Port-channel1
switchport trunk allowed vlan 1,2,20,1002-1005
switchport mode trunk
end
======
CAT2
======
interface FastEthernet1/0
switchport trunk allowed vlan 1,2,20,1002-1005
switchport mode trunk
channel-group 1 mode on
end
interface Vlan20
description {VPN}
ip address 10.132.253.27 255.255.255.248
standby 20 ip 10.132.253.25
standby 20 priority 115
standby 20 preempt
interface Port-channel1
switchport trunk allowed vlan 1,2,20,1002-1005
switchport mode trunk
end
====
ASA
====
interface GigabitEthernet0/2
description ### Member Interface of PortChannel 20 ###
channel-group 20 mode on
no nameif
no security-level
no ip address
no shutdown
!
interface GigabitEthernet0/3
description ### Member Interface of PortChannel 20 ###
channel-group 20 mode on
no nameif
no security-level
no ip address
no shutdown
!
interface Port-channel20
description ### Members: Gig0/2 and Gig0/3 ###
lacp max-bundle 8
no nameif
no security-level
no ip address
no shutdown
!
interface Port-channel20.20
description ### Members: Gig0/2 and Gig0/3 ###
vlan 20
nameif INSIDE
security-level 100
ip address 10.132.253.29 255.255.255.248
no shutdown
Your assistance would be appreciated.
Thanks
09-10-2015 05:58 AM
That's still an invalid design. In order to connect your ASA to two different switches and have a single port-channel that spans the two switches, you will need either stacking, vPC or VSS.
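As an added illustration (not part of the thread), a small Python audit that parses the posted Vlan20/HSRP blocks and the ASA INSIDE address, confirms the Layer 3 side is consistent, and then flags the real fault the reply points at: a channel-group whose members are cabled to two separate switches with no stack, vPC or VSS. The cabling map is a hypothetical assumption, not something the thread states.

```python
import ipaddress
import re

# Constructed input: the Vlan20 SVI blocks and ASA INSIDE address as posted,
# plus a hypothetical cabling map (assumption) of which switch each ASA member sits on.
CAT1 = """interface Vlan20
 ip address 10.132.253.26 255.255.255.248
 standby 20 ip 10.132.253.25
 standby 20 priority 210
 standby 20 preempt"""
CAT2 = """interface Vlan20
 ip address 10.132.253.27 255.255.255.248
 standby 20 ip 10.132.253.25
 standby 20 priority 115"""
ASA_INSIDE = "10.132.253.29/255.255.255.248"
CABLING = {"Gi0/2": (20, "CAT1"), "Gi0/3": (20, "CAT2")}  # port -> (channel-group, switch)

def parse_svi(text):
    """Extract SVI address and HSRP settings from an IOS 'interface VlanN' block."""
    ip = re.search(r"ip address (\S+) (\S+)", text)
    hsrp = re.search(r"standby (\d+) ip (\S+)", text)
    pri = re.search(r"standby \d+ priority (\d+)", text)
    return {"iface": ipaddress.ip_interface(f"{ip.group(1)}/{ip.group(2)}"),
            "group": int(hsrp.group(1)), "vip": ipaddress.ip_address(hsrp.group(2)),
            "priority": int(pri.group(1)) if pri else 100,  # IOS default is 100
            "preempt": re.search(r"standby \d+ preempt", text) is not None}

def audit_hsrp(svi_texts, asa_ip):
    """Return Layer 3 findings for the HSRP pair and the ASA sub-interface address."""
    svis = [parse_svi(t) for t in svi_texts]
    net = svis[0]["iface"].network
    findings = []
    if len({(s["group"], s["vip"]) for s in svis}) != 1:
        findings.append("HSRP group/VIP differs between peers")
    if any(s["vip"] not in net for s in svis):
        findings.append("VIP outside the SVI subnet")
    if ipaddress.ip_interface(asa_ip).network != net:
        findings.append(f"ASA {asa_ip} not in {net}")
    if not max(svis, key=lambda s: s["priority"])["preempt"]:
        findings.append("highest-priority peer lacks preempt")
    return findings

def audit_port_channel(cabling, logical_switches=()):
    """A channel-group whose members land on different physical switches is only
    valid when those switches form one logical switch (stack, vPC or VSS)."""
    by_group = {}
    for group, switch in cabling.values():
        by_group.setdefault(group, set()).add(switch)
    return [f"Port-channel{g} spans {sorted(sw)} with no stack/vPC/VSS"
            for g, sw in by_group.items()
            if len(sw) > 1 and not any(sw <= set(ls) for ls in logical_switches)]
```

Running both audits on the posted configuration returns no Layer 3 findings but one port-channel finding, which is why the SVI addresses answer pings while the HSRP VIP does not.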