Solved: Re: L3 Routing Config problem on 3560g

tabiv · ‎02-22-2012

Hi all!

I am changing my companies network and I am stuck. I've dug through a number of articles and posts both up here and elsewhere and I am not sure what the problem is. In particular I've been through THIS article a number of times, worried that I missed something. The problem that I am having is with the config of my 3560g. I think the issue may be with the routing between the 3560g and ASA.

Below is my network config that I am working on:

Cisco_3560g (g0/24) ---> (e0/3) Cisco_ASA_5510 ---> Cisco_2811 ---> Interweb

I say working on, because I have all of my users connected via a few switches (on a flat network, with a voice vlan) on another Interface (e0/1) on the ASA. My plan is to split my network up into a few VLANs and use the 3560g to do the Layer 3 the switching.

A few points, bulleted out for easy reading:

I've enable IP Routing on the switch and configured the route to the ASA
InterVlan routing seems to be working fine
from a connected PC (192.168.5.5) plugged into switch port g0/13 (on vlan5) I:
- Can ping all the virtual interfaces
- Can Ping 192.168.1.1
- Cannot Ping 192.168.1.2 (ASA) or 8.8.8.8 (Google DNS)
From the switch I can ping the 192.168.1.2
From the switch I Cannot ping 8.8.8.8
I verified via a Packet Trace on the ASA that the Flow should work (so ACLs and NAT are all OK).
Just too make sure of the above, I connected a PC (IP 192.168.1.5/24) to g0/24 and was able to get to the interweb.
I am not using any SVIs\Subinterfaces on the ASA. (I had them originally, but removed them so that I could do the L3 routing on the 3560g instead).

Below is relevant excerpts from the Switch Config:

!

ip subnet-zero

ip routing

!

interface GigabitEthernet0/13

switchport access vlan 5

switchport mode access

switchport voice vlan 2

spanning-tree portfast

spanning-tree bpduguard enable

!

interface GigabitEthernet0/24

no switchport

ip address 192.168.1.1 255.255.255.0

!

interface Vlan1

ip address 192.168.4.230 255.255.255.0

!

interface Vlan5

ip address 192.168.5.1 255.255.255.0

!

interface Vlan10

ip address 192.168.10.1 255.255.255.0

!

ip classless

ip route 0.0.0.0 0.0.0.0 192.168.1.2

ip http server

ip http secure-server

I hate that I am stuck on this and any help to point me in the right direction would be great.

Thanks!

Ted

ebarticel · ‎02-22-2012

Have you done a traceroute to see how far you can go from PC? Does your ASA has routes back to all your subnets? Also 2811 has routes back to your subnets?

View solution in original post

Pronoy Dasgupta · ‎02-23-2012

Hey Ted,

You would ideally need to instruct the ASA to route traffic back to each individual subnets.

The command would be something like the following (for the ASA):

route inside 192.168.4.230 255.255.255.0 192.168.1.1

Once you have the above, try and use traceroute from a host in this subnet. Check where it drops, and if possible post the output here as well.

HTH

Pronoy

View solution in original post

ebarticel · ‎02-22-2012

Have you done a traceroute to see how far you can go from PC? Does your ASA has routes back to all your subnets? Also 2811 has routes back to your subnets?

lfgchinadc · ‎02-22-2012

Default asa setting disallows ping from internal world to outside world.

you said "Cisco_3560g (g0/24) ---> (e0/3) Cisco_ASA_5510 ---> Cisco_2811 ---> Interweb"

and then "

Just too make sure of the above, I connected a PC (IP 192.168.1.5/24) to g0/24 and was able to get to the interweb."

see what?

If you connect a PC to gi0/24, to which port does your asa connect. How could that PC get to web? I'm JUST confused.

tabiv · ‎02-23-2012

Jimmy,

It's not the default ASA settings, I configured it so I can ping things externally and get a response.

Eugen,

I've done a traceroute from the PC and if I remember right it doesnt get past the first hop. But I'll test that when I get into the office today.

I have not added any static routes to the ASA or 2811 with this new config. The 2811 should not have any, because it's not aware of anything on the other side of the ASA (for any of the 3 interfaces currently in use). The ASA has one static route to the outside that has been there. A route was automatically added for the connected interface once I configured it (like the other interfaces I am using). from a Show Route on the ASA:

C 192.168.1.0 255.255.255.0 is directly connected, LAN_2

I don't need routes added for the different VLAN interfaces, do I? Uggg, is that it? Static routes for each VLAN pointing to the L3 interface on the 3560g?

OK, I am now hurrying to get into the office.

Pronoy Dasgupta · ‎02-23-2012

Hey Ted,

You would ideally need to instruct the ASA to route traffic back to each individual subnets.

The command would be something like the following (for the ASA):

route inside 192.168.4.230 255.255.255.0 192.168.1.1

Once you have the above, try and use traceroute from a host in this subnet. Check where it drops, and if possible post the output here as well.

HTH

Pronoy

tabiv · ‎02-23-2012

Eugen,

That was it. I needed the routes to my subnets. When I was using the SVIs\Subinterfaces on the ASA the routes were created since there was an interface connected and it was aware of the network. Makes so much sense now, and I feel silly. Everything is working now. Thanks!

Pronoy,

Thanks for your input too. That would have answered it as well.

I am rushing off to a meeting and I wanted to check one thing before I closed this.

Thanks!

Ted

tabiv · ‎02-24-2012

I meant to reply yesterday, but next thing you know I was spending the next 8 hours converting my network and phone system. It was very nerve-wracking especially when I couldnt get my Dell switches to play nice with my Cisco switches. This was particularly fun because my Cisco switches didn't have enough ports to cover all of my users. Sorry, off topic.

Closing this now.

Thanks for the help!!!

Ted