help with 2 subnets in LAN - ASA 5505 and ISR 1921

dwl001001
Level 1

Hello all, complete newbie here with what should be a very simple issue.

I have an ASA 5505 that is currently being used as a router/firewall at home. It is connected to an SG300-28P switch.

I then connected a 1921 to one of the ports of the switch and have a simple switch connected to the 1921.

The ASA provides DHCP for its subnet of 192.168.30.0/24 with its address set to 192.168.30.1.

I set the 1921 to have an address of 192.168.30.254 on its "WAN" port and it provides DHCP for its subnet of 192.168.40.0/24 with its LAN IP address set to 192.168.40.1.

The SG300 has all of its ports set to be trunks.

I can ping both 1921 IP addresses (192.168.30.254 and 192.168.40.1) and a host on the .40 subnet from the ASA, and I can ping the ASA and hosts on its subnet from the 1921. I just cannot seem to be able to ping a host on the .30 subnet from the .40 subnet and vice versa.

Here is the configuration for the ASA:

asa# show run
: Saved
:
ASA Version 8.2(5)
!
hostname asa
domain-name xxtest.loc
enable password Fab4kU5WFOw35F/r encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.30.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
 domain-name xxtest.loc
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route inside 192.168.40.0 255.255.255.0 192.168.30.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.30.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh scopy enable
ssh 192.168.30.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.30.110-192.168.30.169 inside
dhcpd dns 192.168.30.209 8.8.8.8 interface inside
dhcpd lease 86400 interface inside
dhcpd domain xxtest.loc interface inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password 5BztkalEwGIfCfmL encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
policy-map gobal_policy
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:60de883e9781895e35632bc05478d43d
: end
asa#


Here is the config from the 1921:

r1#show run
Building configuration...

Current configuration : 1911 bytes
!
! Last configuration change at 22:31:42 UTC Tue Nov 25 2014 by admin
! NVRAM config last updated at 04:00:33 UTC Tue Nov 25 2014
! NVRAM config last updated at 04:00:33 UTC Tue Nov 25 2014
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r1
!
boot-start-marker
boot-end-marker
!
!
! card type command needed for slot/vwic-slot 0/0
enable secret 5 $1$6EMr$APljoMtdSziT.xA61oxA61
!
no aaa new-model
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 192.168.40.1 192.168.40.99
!
ip dhcp pool Pool40
 network 192.168.40.0 255.255.255.0
 default-router 192.168.40.1
 dns-server 192.168.30.209 8.8.8.8
 lease 9
!
!
ip domain name xxtest.loc
ip name-server 192.168.30.209
ip name-server 8.8.8.8
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO1921/K9 sn FGL17052097
!
!
username admin privilege 15 secret 4 QIhoiTptjnBMCO7nnaai9WXret9RdBq.Dr2zUBQGw8g
!
redundancy
!
!
!
!
ip ssh time-out 60
ip ssh version 2
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 192.168.30.254 255.255.255.0
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 description LAN port
 ip address 192.168.40.1 255.255.255.0
 duplex auto
 speed auto
!
ip default-gateway 192.168.30.1
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.30.1
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 1
 privilege level 15
 login local
 transport input telnet ssh
line vty 2 4
 no login
 transport input all
!
scheduler allocate 20000 1000
end

r1#


And lastly, here is the config from the SG300:

switch0ce7fb#show run
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
interface vlan 1
ip address 192.168.30.2 255.255.255.0
exit
ip default-gateway 192.168.30.1
interface vlan 1
no ip address dhcp
exit
hostname switch0ce7fb
management access-list sampleaccessprofile
permit
exit
management access-class sampleaccessprofile
aaa authentication enable Console none
aaa authentication enable SSH enable
aaa authentication enable Telnet enable
aaa authentication login Console none
aaa authentication login SSH local
aaa authentication login Telnet local
line telnet
login authentication Telnet
enable authentication Telnet
password da39a3ee5e6b4b0d3255bfef95601890afd80709 encrypted
exit
line ssh
login authentication SSH
enable authentication SSH
password da39a3ee5e6b4b0d3255bfef95601890afd80709 encrypted
exit
line console
login authentication Console
enable authentication Console
password da39a3ee5e6b4b0d3255bfef95601890afd80709 encrypted
exit
no passwords complexity enable
passwords aging 0
username admin password encrypted 006345b12ad566bf7891be05cef5909df928cbcd privilege 15
username cisco password encrypted 006345b12ad566bf7891be05cef5909df928cbcd privilege 15
ip ssh server
no snmp-server server
ip http secure-server
ip telnet server
switch0ce7fb#


Any help at all is appreciated.


Thanks.


38 Replies

cer43tcent
Level 1

Have you checked the logs on the ASA to see if the traffic is being allowed? Using ASDM you could run a packet capture or use the packet tracer to see if it's being allowed too.

I had never even seen the logging in ASDM, thanks for that.

3 Dec 09 2014 09:53:05 106014 192.168.30.140 192.168.40.1 Deny inbound icmp src inside:192.168.30.140 dst inside:192.168.40.1 (type 8, code 0)

I do get log entries which indeed do show that the ASA is denying inbound icmp traffic. What do I do to allow it?


Thanks.

I like to look at the syslog messages to get an understanding of what's going on

http://www.cisco.com/c/en/us/td/docs/security/asa/syslog-guide/syslogs.html

I would create an access-list that permits icmp for the specified source to destination.

Then you'd apply that ACL in the necessary direction outbound/inbound to an interface.

Well, as I said earlier, complete newbie here.

I checked the running config and there was a permit icmp any outside, but there was not the same for the inside interface so i added it.

This made no difference at all, I still see the same error in the logs,

3 Dec 09 2014 10:12:14 106014 192.168.30.140 192.168.40.1 Deny inbound icmp src inside:192.168.30.140 dst inside:192.168.40.1 (type 8, code 0)

I will take a look at the link that you provided and will read up on the acl stuff, but right now I do not understand it.

I just want to be able to access both subnets from the other so would like to allow all traffic between them.

Thanks.


Understood.  I'll admit I'm no guru on the ASA but have some experience with them.  So I'll help the best I can.


The simplest form of the ACL would be

access-list INSIDE_IN extended permit ip any4 any4

access-list INSIDE_OUT extended permit ip any4 any4

access-list OUTSIDE_IN extended permit ip any4 any4

access-list OUTSIDE_OUT extended permit ip any4 any4


To apply to an interface you'd

access-group INSIDE_OUT out interface inside

access-group INSIDE_IN in interface inside

access-group OUTSIDE_OUT out interface outside

access-group OUTSIDE_IN in interface outside


These ACLs are allowing all traffic so if security is a concern you can always tweak them to be more granular.


...still getting the same error saying that it is denying the traffic

Thanks for those. I can already ping to the internet and to other hosts on each of the two subnets that I have, they just cannot get to the other subnet on the LAN.

I must be missing something very basic.

I am trying to do this using only 1 physical port on the ASA for both subnets. On the ASA, the outside port is connected to the internet, and the inside port is to be used for the 192.168.30.0/24 and 192.168.40.0/24 subnets. The IP address on this port is 192.168.30.1. The 1921 has an interface set to 192.168.30.254 and is just connected to the switch. Can the ASA actually route traffic for the 192.168.40.0 subnet back through the "inside" interface?

Thanks.

Could you provide a diagram?

Sorry for the delay.

It is really a crappy diagram.

Added another diagram, just slightly better.

From looking at the diagram and what you've stated, your routing looks good to go. It's just the firewall blocking communication between the LANs. Have you already used the packet tracer feature? If not, if you have an ASDM image on the ASA you can put https://192.168.30.1 in a web browser, preferably from a host on the 192.168.30.x subnet. Once you log on and it launches, go to Tools --> Packet Tracer and select the criteria to trace the packet from one LAN to the other. This should show you where it's getting denied. Note I'm using ASDM 7.1 so the navigation to the Packet Tracer may be slightly different.

If this network isn't in production or carrying a lot of traffic you could always debug icmp trace on the ASA.

It is a rule, I just need to figure out what it is and what to do about it... at this point, I think I will revert the config back to startup.


Try adding this to your ASA config -

asa(config)# same-security-traffic permit intra-interface

Edit - just remembered you will probably need a NAT exemption as well.

See this doc for explanation on how to configure -

https://nat0.net/cisco-asa-hairpinning/

Jon
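As an added example (written for this thread, not taken from any poster or from Cisco documentation), here is what Jon's suggestion and cer43tcent's capture/packet-tracer advice look like written out in the 8.2(5) syntax the ASA above is running. The only real change needed is the intra-interface permit plus the NAT exemption; the inside ACL is shown only as the narrower alternative to the any/any lists suggested earlier, and the host addresses 192.168.30.140 and 192.168.40.10 used in the verification lines are assumed (the first is taken from the 106014 log entry, the second is a made-up host behind the 1921).

```cisco
! 1. Hairpinning. Hosts on 192.168.30.0/24 use the ASA (192.168.30.1) as their
!    default gateway, so a packet for 192.168.40.0/24 arrives on "inside" and,
!    per "route inside 192.168.40.0 255.255.255.0 192.168.30.254 1", must leave
!    through that same interface. Without this command the ASA logs 106014
!    ("Deny inbound ... src inside: ... dst inside: ...") and drops it.
same-security-traffic permit intra-interface
!
! 2. NAT exemption (8.2 syntax: "nat (inside) 0 access-list ..."). The existing
!    "nat (inside) 1 0.0.0.0 0.0.0.0" dynamic rule should only apply to traffic
!    leaving toward "outside"; LAN-to-LAN flows are kept untranslated.
access-list NONAT extended permit ip 192.168.30.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list NONAT extended permit ip 192.168.40.0 255.255.255.0 192.168.30.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! 3. Optional inside ACL. Applying any ACL to an interface replaces its default
!    behaviour with an implicit deny, so the two LAN subnets and Internet-bound
!    traffic are permitted explicitly instead of "permit ip any any".
!    Note: "any4" only exists from ASA 9.0; on 8.2(5) the keyword is "any".
access-list INSIDE_IN extended permit ip 192.168.30.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list INSIDE_IN extended permit ip 192.168.40.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list INSIDE_IN extended permit ip 192.168.30.0 255.255.255.0 any
access-list INSIDE_IN extended permit ip 192.168.40.0 255.255.255.0 any
access-group INSIDE_IN in interface inside
!
! 4. Verification from the CLI (assumed host addresses).
!    packet-tracer walks the ping through ROUTE-LOOKUP, ACCESS-LIST and NAT
!    phases and should now end with "Action: allow" instead of a drop.
packet-tracer input inside icmp 192.168.30.140 8 0 192.168.40.10
!    A capture limited to that one flow shows whether the echo request is seen
!    arriving on "inside" and the reply coming back through the 1921.
capture HAIRPIN interface inside match icmp host 192.168.30.140 host 192.168.40.10
show capture HAIRPIN
no capture HAIRPIN
!    Any remaining same-interface denies are still visible in the buffer.
show logging | include 106014
```

Steps 1 and 2 are the fix itself and leave the rest of the posted running config (route, dhcpd, inspection policy) unchanged; step 3 is only worth applying if an inside ACL is wanted at all, since the interface currently has none and so already permits outbound traffic by security level. The "outside" interface needs no new rules for this problem: nothing in the LAN-to-LAN path touches it, and a "permit ip any any" applied inbound on outside, as in the four-ACL suggestion above, would expose the whole LAN to the Internet.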
