02-22-2012 10:00 PM - edited 03-07-2019 05:07 AM
Hi all!
I am changing my company's network and I am stuck. I've dug through a number of articles and posts both up here and elsewhere and I am not sure what the problem is. In particular I've been through THIS article a number of times, worried that I missed something. The problem that I am having is with the config of my 3560g. I think the issue may be with the routing between the 3560g and ASA.
Below is my network config that I am working on:
Cisco_3560g (g0/24) ---> (e0/3) Cisco_ASA_5510 ---> Cisco_2811 ---> Interweb
I say working on, because I have all of my users connected via a few switches (on a flat network, with a voice vlan) on another interface (e0/1) on the ASA. My plan is to split my network up into a few VLANs and use the 3560g to do the Layer 3 switching.
A few points, bulleted out for easy reading:
Below are relevant excerpts from the Switch Config:
!
ip subnet-zero
ip routing
!
interface GigabitEthernet0/13
 switchport access vlan 5
 switchport mode access
 switchport voice vlan 2
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/24
 no switchport
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan1
 ip address 192.168.4.230 255.255.255.0
!
interface Vlan5
 ip address 192.168.5.1 255.255.255.0
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.2
ip http server
ip http secure-server
I hate that I am stuck on this and any help to point me in the right direction would be great.
Thanks!
Ted
02-22-2012 11:12 PM
Have you done a traceroute to see how far you can get from the PC? Does your ASA have routes back to all your subnets? Does the 2811 also have routes back to your subnets?
02-22-2012 11:47 PM
The default ASA setting disallows ping from the internal world to the outside world.
you said "Cisco_3560g (g0/24) ---> (e0/3) Cisco_ASA_5510 ---> Cisco_2811 ---> Interweb"
and then "
see what?
If you connect a PC to gi0/24, to which port does your ASA connect? How could that PC get to the web? I'm JUST confused.
02-23-2012 08:42 AM
Jimmy,
It's not the default ASA settings, I configured it so I can ping things externally and get a response.
Eugen,
I've done a traceroute from the PC and if I remember right it doesn't get past the first hop. But I'll test that when I get into the office today.
I have not added any static routes to the ASA or 2811 with this new config. The 2811 should not have any, because it's not aware of anything on the other side of the ASA (for any of the 3 interfaces currently in use). The ASA has one static route to the outside that has been there. A route was automatically added for the connected interface once I configured it (like the other interfaces I am using). From a show route on the ASA:
C 192.168.1.0 255.255.255.0 is directly connected, LAN_2
I don't need routes added for the different VLAN interfaces, do I? Uggg, is that it? Static routes for each VLAN pointing to the L3 interface on the 3560g?
OK, I am now hurrying to get into the office.
02-23-2012 09:53 AM
Hey Ted,
You would ideally need to instruct the ASA to route traffic back to each individual subnet.
The command would be something like the following (for the ASA):
route inside 192.168.4.230 255.255.255.0 192.168.1.1
Once you have the above, try and use traceroute from a host in this subnet. Check where it drops, and if possible post the output here as well.
HTH
Pronoy
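Added example (not part of any post in this thread): a Python check that derives the subnets behind the 3560g from the posted switch excerpt, compares them with the ASA routing table by longest-prefix match, and prints the static return routes the ASA lacks. The default-route line, its 203.0.113.1 next hop and the "outside" nameif are constructed placeholders; LAN_2 and 192.168.1.1 come from the thread.

```python
import ipaddress
import re
# Switch excerpt is from the thread; in ASA_ROUTES the default route is constructed.
SWITCH_CONFIG = """\
interface GigabitEthernet0/24
 ip address 192.168.1.1 255.255.255.0
interface Vlan1
 ip address 192.168.4.230 255.255.255.0
interface Vlan5
 ip address 192.168.5.1 255.255.255.0
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
"""
ASA_ROUTES = """\
C 192.168.1.0 255.255.255.0 is directly connected, LAN_2
S* 0.0.0.0 0.0.0.0 [1/0] via 203.0.113.1, outside
"""

def switch_subnets(config):
    """Map interface name -> IPv4Interface for each addressed interface."""
    found, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = m.group(1)
        elif current and (m := re.match(r"\s+ip address (\S+) (\S+)", line)):
            found[current] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
    return found

def asa_routes(show_route):
    """Parse 'show route' lines into (network, egress nameif) pairs."""
    pat = re.compile(r"\S+\s+(\d\S+) (\d\S+) .*, (\S+)$")
    return [(ipaddress.ip_network(f"{m[1]}/{m[2]}"), m[3])
            for line in show_route.splitlines() if (m := pat.match(line))]

def missing_return_routes(config, show_route, uplink, nameif):
    """Emit ASA route commands for switch subnets not routed via nameif."""
    subnets = switch_subnets(config)
    next_hop, routes, cmds = subnets[uplink].ip, asa_routes(show_route), []
    for name, iface in subnets.items():
        net = iface.network
        # Longest-prefix match, as the ASA would pick for return traffic.
        best = max((r for r in routes if net.subnet_of(r[0])),
                   key=lambda r: r[0].prefixlen, default=None)
        if name != uplink and (best is None or best[1] != nameif):
            cmds.append(f"route {nameif} {net.network_address} {net.netmask} {next_hop}")
    return cmds

if __name__ == "__main__":
    print(*missing_return_routes(SWITCH_CONFIG, ASA_ROUTES, "GigabitEthernet0/24", "LAN_2"), sep="\n")
```

With only a default route present, return traffic for the VLAN subnets matches it and leaves via the outside interface, which is why the check treats a match on any other nameif as missing. A subnet that is still directly connected to another ASA interface during a migration is reported too, so compare the output with the live table before applying it.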
02-23-2012 11:34 AM
Eugen,
That was it. I needed the routes to my subnets. When I was using the SVIs\Subinterfaces on the ASA the routes were created since there was an interface connected and it was aware of the network. Makes so much sense now, and I feel silly. Everything is working now. Thanks!
Pronoy,
Thanks for your input too. That would have answered it as well.
I am rushing off to a meeting and I wanted to check one thing before I closed this.
Thanks!
Ted
02-24-2012 02:26 PM
I meant to reply yesterday, but next thing you know I was spending the next 8 hours converting my network and phone system. It was very nerve-wracking, especially when I couldn't get my Dell switches to play nice with my Cisco switches. This was particularly fun because my Cisco switches didn't have enough ports to cover all of my users. Sorry, off topic.
Closing this now.
Thanks for the help!!!
Ted