Inter-vlan routing on ASA 5505, multiple vlans on different ASA interfaces

Jean Milne
Level 1

As part of my learning curve after inheriting our network, I am trying to get an experiment with an ASA 5505, a switch and multiple vlans working.

I have an ASA 5505.

Interface 0/1 has been given IP address 192.168.0.1. The ASA automatically created vlan1 when I did this. TestLaptop1 is connected to this interface with IP address 192.168.0.100.

Interface 0/2 has been given IP address 192.168.1.1. The ASA automatically created vlan2 when I did this. A switch has been connected to this interface with IP address 192.168.1.2.

The switch has 3 vlans. vlan1 was already on the switch out of the box. I then created vlan100 and vlan101. I have connected TestLaptop2 to vlan100 with IP address 192.168.1.3 and TestLaptop3 to vlan101 with IP address 192.168.2.3.

The idea is that I have 3 vlans but two are on a switch.  Therefore two vlans are in effect on the same ASA interface.

My aim is to prove I can ping between TestLaptop1, TestLaptop2 and TestLaptop3.

At the moment I can ping from TestLaptop1 to TestLaptop2. Using packet tracer, I can see that the ASA knows that the 192.168.1.0 network is on interface 0/2.

However, I cannot ping from TestLaptop1 to TestLaptop3. Packet tracer shows that the route lookup step is failing and the ASA thinks the 192.168.2.0 network is on the outside interface 0/0.

I'm assuming that the ASA knows that network 192.168.1.0 is on interface 0/2 because the IP address of the interface is in that network.

I have a few questions which are probably obvious to everyone on this site except me.

1: Does it matter that the ASA and the switch both created vlan1?
2: What should the IP address of the ASA interface 0/2 be? I.e. which switch vlan segment should it be in (default, vlan100 or vlan101)?
3: What step have I missed that means the ASA thinks that 192.168.2.0 is on the outside interface?

I did guess I was missing some kind of route and tried to configure a static route but it didn't work. Either I configured the static route wrong or I missed some other step.

Any nudge in the right direction would be greatly appreciated.

Thank you for reading my post.

Kind regards,

Jean

26 Replies

I'm forced to request aid again as I seem unable to move past the vlan configuration phase.

Using the CLI I tore down the previous configuration of 0/2, created the three vlans (100, 101, 102) and set 0/2 as a trunked port.

I was pretty pleased with myself and thought, great, all I need to do now is configure static routes to each vlan like I did last time and I'll be able to get from TestLaptop1 to the other test laptops.

Apparently not because packet tracer shows that the ASA now thinks all the vlans are on the outside interface, even with static routes.

I think I've misunderstood something fundamental to do with trunked interfaces (again).  ASDM shows what looks like static routes to the three vlans but the show route command doesn't.

I set the routes up using commands like:

route vlan100 192.168.48.0 255.255.255.0 192.168.48.1 1

I think this says go to the vlan100 interface (0/2) for traffic to the 192.168.48.0 network.

However, I am guessing based on the little info I could find on google.

What is worrying me is that most articles are saying inter-vlan routing is not a common task for an ASA?  That makes me think the whole design is just wrong?

Some of the articles also talk about enabling a routing protocol.  I inherited the ASA and no protocols are currently showing as enabled in ASDM.  I don't want to enable anything I don't have to but I'm supposed to be following decent practice.

So the question is now, is the diagram I drew a valid experiment in the first place?  Or insanely bad practice...?

And, what step have I missed to allow the ASA to know that the vlans are on 0/2?

I was really hoping my next post to you was to report success.  I owe you a number of drinks....

It is more normal to do routing between vlans with a L3 switch but if you don't have one or you want to route on the ASA for security reasons it can be done.

If your switch is L3 though you could use that.

In terms of routes you don't need any for directly connected interfaces. If you do a "sh route" on your ASA you will see it knows all about those IP subnets or should do.

You only need to add routes for remote networks.

Jon

OK, so my static routes attempt was a red herring.

The sh route command is definitely not showing vlans 100, 101 and 102.

I checked the status of the vlans and they are down.  So, it seems that I have not configured them correctly after all.

The running config is below (not all of it, just the bit for the interfaces).  Have I missed something?

The switch is a layer 3 switch.  However, if I am going to use that instead of the router I don't understand how traffic will get from TestLaptop1 to the other laptops?  If the ASA doesn't have anything on it, I just don't understand how the traffic will get through it...?

CONFIG

interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport trunk allowed vlan 100-102
switchport mode trunk
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.47.1 255.255.255.0
!
interface Vlan100
nameif vlan100
security-level 0
ip address 192.168.30.1 255.255.255.0
!
interface Vlan101
nameif vlan101
security-level 0
ip address 192.168.40.1 255.255.255.0
!
interface Vlan102
nameif vlan102
security-level 0
ip address 192.168.50.1 255.255.255.0

Is the interface connecting to the switch up, and is it configured as a trunk link on both ends?

If you used the L3 switch then the switch would route between the vlans on it and then via the ASA to the laptop connected directly to it.

Or you move all vlans to the switch and simply use the ASA for internet access.

Jon

Right, took a deep breath and traced it end to end.  

Right at the beginning when I was about to delete the previous configuration of 0/2 I unplugged the switch from the ASA.  I did this because last time I deleted an interface I took down our network (because a loop was created when the interface went back into vlan1).

Amazingly, after I plugged it back in all became well with the world.  The routes are in the table and I can packet trace from TestLaptop1 to all the other test laptops.

I can't ping from the actual laptops but I wasn't expecting to yet (because I haven't configured the switch itself to have a trunk port).

Now I can get a packet trace to work, I'm moving on to the switch again.

I see what you are saying about the switch.  What you said clarified the various articles I found.  Would the setup usually be a core switch on 0/1 and all other switches connected to that?

This experiment is so we can have a test setup of our DMZ.  Our overall goal is to set up double proxy servers that fail over to one another.  

We don't have any spare ports to play with on our production ASA (5510) and so we are having to prove that I can run both the test DMZ and the LightsOut vlans from a single ASA port while we test (or we lose our LightsOut while I practice).

You have got me moving again which is greatly appreciated.

Depending on the size of the company it could be a single switch but more likely a pair perhaps stacked or for the modular switches running VSS. But yes core switches with access switches connecting to them is a common setup.

I am logging off now, so if you need more help perhaps start another thread, although I will check back later with this.

Also should point out there is a Firewalling forum although a lot of people answer in both forums so no big deal.

Glad you are back on track :)

Jon

Just wanted to let you know that I have the experiment up now thanks to your help.

After I had configured the trunk port on the switch it was just a question of access rules and nat and all my tests now work.

I would not have been able to complete this experiment without your help.

Thank you very much.

No problem at all and glad to hear it's working.

Jon

Actually, there is one thing, if that interface has no address, what should the default gateway of the test laptops be...?

The default gateway of a client would be the L3 vlan interface IP address on the ASA for the vlan it is in.

Does this make sense?

Jon

Aaahhh, I see.  I think you may have just stopped another error.  I was just about to put network addresses on the vlan interfaces where I'm now guessing that they should be host addresses the same as for normal interfaces.  That seems obvious now I think about it.

Yes you use an IP address on the interfaces not a subnet address.

Jon
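Two points in this thread are worth seeing in executable form: Jon's note that the ASA derives connected routes from its interface addresses (so no "route" command is needed for directly attached subnets, and a destination in no connected subnet falls to the default route on the outside interface, exactly what packet tracer reported for 192.168.2.0), and the closing exchange that an interface must carry a host address rather than a network address. The Python below is an added illustration, not Cisco code or anything posted in the thread. It parses a constructed config snippet modelled on the one posted above (the interface names, the outside address 203.0.113.2 and the default route are assumptions for the example), flags interfaces whose address is the network or broadcast address of their subnet, builds the connected routes from the remaining interfaces, and performs the longest-prefix lookup that the packet-tracer "route lookup" phase represents.

```python
import ipaddress

# Constructed sample in the style of the ASA snippet posted in the thread (not the
# poster's actual running config). Vlan101 deliberately carries the network
# address 192.168.40.0 instead of a host address so the check has something to catch.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.47.1 255.255.255.0
!
interface Vlan100
 nameif vlan100
 security-level 0
 ip address 192.168.30.1 255.255.255.0
!
interface Vlan101
 nameif vlan101
 security-level 0
 ip address 192.168.40.0 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
"""

# Constructed: the single default route most edge firewalls carry towards the ISP.
STATIC_ROUTES = [("0.0.0.0/0", "outside")]


def parse_interfaces(config_text):
    """Return {interface, nameif, ip, mask} for every interface that has an address and a nameif."""
    interfaces = []
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = {"interface": line.split(None, 1)[1], "nameif": None, "ip": None, "mask": None}
            interfaces.append(current)
        elif current is not None and line.startswith("nameif "):
            current["nameif"] = line.split(None, 1)[1]
        elif current is not None and line.startswith("ip address "):
            _, _, ip, mask = line.split()
            current["ip"], current["mask"] = ip, mask
    return [i for i in interfaces if i["ip"] and i["nameif"]]


def address_problem(iface):
    """Return a message if the interface address is its subnet's network or broadcast address, else None."""
    net = ipaddress.ip_network(f"{iface['ip']}/{iface['mask']}", strict=False)
    addr = ipaddress.ip_address(iface["ip"])
    if addr == net.network_address:
        return f"{iface['nameif']}: {addr} is the network address of {net}; use a host address"
    if addr == net.broadcast_address:
        return f"{iface['nameif']}: {addr} is the broadcast address of {net}; use a host address"
    return None


def connected_routes(interfaces):
    """Connected routes derived from valid interface addresses; no 'route' command involved."""
    routes = []
    for iface in interfaces:
        if address_problem(iface):
            continue  # a mis-addressed interface contributes no usable connected route
        net = ipaddress.ip_network(f"{iface['ip']}/{iface['mask']}", strict=False)
        routes.append((net, iface["nameif"]))
    return routes


def build_table(config_text, static_routes=STATIC_ROUTES):
    """Connected routes plus static routes, as 'show route' would list them."""
    table = connected_routes(parse_interfaces(config_text))
    for prefix, nameif in static_routes:
        table.append((ipaddress.ip_network(prefix), nameif))
    return table


def lookup(table, destination):
    """Longest-prefix match: the decision packet-tracer's route-lookup phase makes."""
    dst = ipaddress.ip_address(destination)
    best = None
    for net, nameif in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nameif)
    return best[1] if best else None


if __name__ == "__main__":
    ifaces = parse_interfaces(SAMPLE_CONFIG)
    for iface in ifaces:
        problem = address_problem(iface)
        if problem:
            print("WARNING:", problem)
    table = build_table(SAMPLE_CONFIG)
    for dst in ("192.168.30.5", "192.168.47.100", "192.168.40.7", "192.168.2.3"):
        print(f"{dst:16} -> {lookup(table, dst)}")
```

Running it shows 192.168.30.5 leaving via vlan100 and 192.168.47.100 via inside with no static routes at all, while 192.168.2.3 (a subnet no interface owns) and 192.168.40.7 (whose interface was rejected for carrying a network address) both fall through to the default route on outside, which is the symptom described in the first post.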