Solved: I need help with a poor config

Ed Gandolfi · ‎01-02-2013

Hi all! Thank you for reviewing my question. I hope you can help me out. I needed to create a few VLANs off of a Cat 4506. I inherited this LAN and it is configured poorly. I cannot overhaul it at this time so I am stuck working in this scenario. You have the Internet coming into an ASA 5510. That ASA connects to the Cat 4506. Now the ASA is actually the default gateway on the local LAN. The CAT 4506 doesnt really do any routing.

I have two VLANs on the cat:

Default: is the main VLAN for the organization 192.168.0.0/23

VLAN2: This will be for a wireless network 10.220.1.0/24

Now the default VLAN uses the ASA as its default gateway 192.168.1.1

VLAN2 has IP 10.220.1.1 assigned to it.

I have the appropriate routes in the ASA. I can ping from the default VLAN to VLAN2 on the cat itself. I can ping VLAN2 from the ASA no problem. However when I try and ping VLAN2 from a workstation on the default VLAN it fails.

Does anyone have any idea as to why I wouldn't be able to ping VLAN 2 from the workstation on the Default VLAN?

Edison Ortiz · ‎01-02-2013

I had a chance to review your diagram and it seems you have SVIs in the 4500.

As John correctly pointed out, you should enabled 'ip routing' in the 4500 and simply change the default gateway on default Vlan to .5

Additionally, have a default static route from the 4500 pointing to the ASA.

From the ASA, just have a route to Vlan 2 pointing to the .5 address.

View solution in original post

csco11257494 · ‎01-02-2013

did you try to trunk the the cat ports the vlans are connected to? if u do is the cat a multilayer cat switch if so pls use the ip routing command so that intervlan communication can work.

Ed Gandolfi · ‎01-02-2013

But I can ping the VLAN on the cat itself AND I can ping VLAN2 from the ASA as well. I thought you enable trunking between 2 switches not a switch and firewall.

Edison Ortiz · ‎01-02-2013

Packets are in and out the same interface which isn't allowed by default, please refer to:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml

Ed Gandolfi · ‎01-02-2013

I have it enabled. actually both inter and intra are enabled. Again I can ping VLAN 2 from the ASA. Its just when I try from a workstation that uses the ASA as the default gateway. Thanks for the replies.

John Blakley · ‎01-02-2013

Do you have routing enabled on the switch?

HTH,
John

*** Please rate all useful posts ***

HTH, John *** Please rate all useful posts ***

Edison Ortiz · ‎01-02-2013

I had a chance to review your diagram and it seems you have SVIs in the 4500.

As John correctly pointed out, you should enabled 'ip routing' in the 4500 and simply change the default gateway on default Vlan to .5

Additionally, have a default static route from the 4500 pointing to the ASA.

From the ASA, just have a route to Vlan 2 pointing to the .5 address.

csco11257494 · ‎01-02-2013

SVIs are virtual interfaces for connecting intervlan routing. then u can use the ip address of the SVI as ur D.G

at the workstaions nodes.

e.g

interface vlan 2 (this command would create the SVI interface.)

ip add 192.168.1.1 255.255.255.0

ip routing.

so all the workstation would use this add as there D.G and the remaining address as theere statis ip.