routing between vlans - switchport trunk/access

jessica jestol
Level 1

So... I have a computer connected to a 2960 on F0/7 - IP 10.70.64.151 - VLAN 1. The 2960 is connected to a 3750 on ports g1/0/11-12. The 3750 is connected to another computer on G1/0/7 - IP 10.30.0.2 - VLAN 2. I have two vlans on each. I can ping from switch to switch on both vlans. I have a trunk set up between the two switches. I can ping both computers from the switches. I can't ping the computers from each other. ip routing is enabled on the 3750. I'm not sure what I'm missing, but I could sure use some help. Please see the configs below. I snipped a little bit, but most ports are configured identically so I removed a bunch to save space. Thanks!

3750x

hostname 3750-sw01
!
boot-start-marker
boot-end-marker
!
enable password 7 1234567890
!
aaa new-model
!
!
aaa authentication login default enable
!
!
!
aaa session-id common
clock timezone PST -8 0
clock summer-time PDT recurring
system mtu routing 1500
ip routing
!
!
no ip domain-lookup
ip domain-name test.net
ip multicast-routing distributed
ip igmp snooping querier
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!

vlan internal allocation policy ascending
!
lldp timer 5
lldp run
!
!
!
!
!
interface Port-channel1
 description 2960-sw01
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
!
interface FastEthernet0
 no ip address
 no ip route-cache cef
 no ip route-cache
 shutdown
!
!
interface GigabitEthernet1/0/6
 switchport mode access
!
interface GigabitEthernet1/0/7
 description ucrypt management
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/8
 switchport mode access
!
interface GigabitEthernet1/0/9
 switchport mode access
!
interface GigabitEthernet1/0/10
 switchport mode access
!
interface GigabitEthernet1/0/11
 switchport mode access
!
interface GigabitEthernet1/0/12
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/13
 description port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet1/0/14
 description port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode on
!
!
interface Vlan1
 ip address 10.70.64.31 255.255.255.0
 ip helper-address 10.70.64.11
!
interface Vlan2
 ip address 10.30.0.1 255.255.255.0
!
no ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.70.64.1
!
logging esm config
!
!
!
alias exec sib show ip int brief
alias exec sal sh access-list
alias exec sir sh ip route
!
line con 0
 privilege level 15
line vty 0 4
 privilege level 15
 password 7 12345467890
 length 0
line vty 5 15
 privilege level 15
 password 7 12345467890
!
ntp server 129.6.15.28
end

2960

hostname 2960-sw01
!
boot-start-marker
boot-end-marker
!
enable password 7 1234567890
!
aaa new-model
!
!
aaa authentication login default enable
!
!
!
aaa session-id common
clock timezone CST -6 0
clock summer-time CDT recurring
system mtu routing 1500
!
!
no ip domain-lookup
ip domain-name test.net
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
lldp timer 5
lldp run
!
!
!
interface Port-channel1
 description uplink to MDF
 switchport mode trunk
!
interface FastEthernet0/1
 switchport mode access
 spanning-tree portfast
 ip igmp max-groups 2
 ip igmp max-groups action replace
!
interface FastEthernet0/2
 switchport mode access
 spanning-tree portfast
 ip igmp max-groups 2
 ip igmp max-groups action replace
!
interface FastEthernet0/3
 switchport mode access
 spanning-tree portfast
 ip igmp max-groups 2
 ip igmp max-groups action replace
!
interface FastEthernet0/4
 switchport mode access
 spanning-tree portfast
 ip igmp max-groups 2
 ip igmp max-groups action replace
!
interface FastEthernet0/5
 switchport mode access
 spanning-tree portfast
 ip igmp max-groups 2
 ip igmp max-groups action replace
!
interface FastEthernet0/6
 switchport mode access
 spanning-tree portfast
 ip igmp max-groups 2
 ip igmp max-groups action replace
!
interface FastEthernet0/7
 switchport mode access
 spanning-tree portfast
 ip igmp max-groups 2
 ip igmp max-groups action replace
!
!
interface GigabitEthernet0/1
 description port-channel1 uplink
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet0/2
 description port-channel1 uplink
 switchport mode trunk
 channel-group 1 mode on
!
interface Vlan1
 ip address 10.70.64.48 255.255.252.0
!
interface Vlan2
 ip address 10.30.0.6 255.255.255.0
!
ip default-gateway 10.70.64.1
no ip http server
ip http secure-server
!
!
!
!
line con 0
line vty 0 4
 privilege level 15
 password 7 1234567890
line vty 5 15
 privilege level 15
 password 7 1234567890
!
ntp server 129.6.15.28
end


18 Replies

Jon Marshall
Hall of Fame

If the routing is done on the 3750 you don't need both vlan interfaces on the 2960; you just need one of them for management.

Do the PCs have their default gateways set to the vlan interfaces on the 3750 ?

Jon

Sigh. It appears the default gateway is the ASA 5505 connected to the 3750, which I neglected to mention... I ran a show route and this is what I got.

C    10.70.64.0 255.255.252.0 is directly connected, inside
S    10.30.0.0 255.255.255.0 [1/0] via 10.70.64.31, inside


The default gateway of what, one of the PCs ?

Jon

Correct, one of the PCs.


route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.70.64.1      0.0.0.0         UG    202    0        0 eth0
10.70.64.0      0.0.0.0         255.255.252.0   U     202    0        0 eth0

Well that would explain it.

You either need to configure the ASA to allow traffic back out of the inside interface, because it won't do it by default, or change the default gateway on the PC.

Which one to do depends on why it is currently pointing to the ASA, i.e. is it for security reasons?

Jon

I have to look further but I don't know. I'm not sure why everything points to the firewall. I can't find any legitimate reason it would do so. So... allowing traffic back, would that be hairpinning? Also... it amazes me how fast you answer these questions. Thanks just doesn't seem to be enough. :)

So... allowing traffic back, would that be hairpinning?

Yes it would.

By default the ASA will not send traffic back out of the same interface it was received on to get to the destination IP but you can configure it to do so.

If there is no reason to have the firewall as the default gateway other than that was the way it was setup then I would recommend using your 3750 for routing between vlans and only sending traffic to the ASA for internet.

It makes everything simpler.

However, one thing is that your ASA is in the same vlan as some of your clients, and this isn't ideal. What happens is that a client in the vlan sends traffic to the 3750 because that is its default gateway.

If the traffic is for the internet the 3750 sends it to the ASA. But return traffic goes direct to the client, i.e. not via the 3750, because the ASA inside interface is in the same vlan.

It will work but I wouldn't set it up like that.

Ideally you want a dedicated vlan or routed connection (if there is only one firewall) for the 3750 to ASA connection with no clients in it, and then all traffic to and from the ASA has to go via the 3750.

Obviously then you would need routes on the ASA for all internal subnets.

You don't have to do this, just a suggestion.

But first you need to find out if the default gateway needs to be the ASA.

Jon
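The forwarding behaviour described in the reply above (the ASA dropping a packet that would go back out the inside interface, the 3750 routing between VLAN 1 and VLAN 2 when the PC's gateway is changed, and the asymmetric return path when the ASA shares the client VLAN) can be walked through with a small simulator. This is an added example, not part of the thread and not Cisco code. Addresses come from the thread; the server's gateway (10.30.0.1), the ASA outside interface (192.0.2.2/30), and the transit VLAN (Vlan99, 192.168.255.0/30) are constructed assumptions, and the ASA behaviour is reduced to one flag standing in for `same-security-traffic permit intra-interface`.

```python
"""Forwarding walk-through of the thread's topology (added example, not from the post):
longest-prefix matching per device plus the ASA's default refusal to send a packet back
out the interface it arrived on. Assumed: server gateway, ASA outside, transit VLAN."""
import ipaddress
from dataclasses import dataclass, field, replace

IP, NET, IFACE = ipaddress.ip_address, ipaddress.ip_network, ipaddress.ip_interface

@dataclass
class Host:
    name: str
    addr: str       # "a.b.c.d/prefix" as configured on the host
    gateway: str

@dataclass
class Router:
    name: str
    interfaces: dict                            # ifname -> "a.b.c.d/prefix"
    static: list = field(default_factory=list)  # (prefix, next_hop)
    firewall: bool = False                      # ASA: intra-interface forwarding denied by default
    intra_interface: bool = False               # "same-security-traffic permit intra-interface"

    def lookup(self, dst):
        """Longest-prefix match over connected and static routes -> (out_iface, next_hop);
        next_hop is None for a connected route, out_iface is None if there is no route."""
        best = (-1, None, None)
        for name, cidr in self.interfaces.items():
            net = IFACE(cidr).network
            if dst in net and net.prefixlen > best[0]:
                best = (net.prefixlen, name, None)
        for prefix, nh in self.static:
            net, nh = NET(prefix), IP(nh)
            if dst in net and net.prefixlen > best[0]:
                out = next((n for n, c in self.interfaces.items() if nh in IFACE(c).network), None)
                best = (net.prefixlen, out, nh)
        return best[1], best[2]

def device_for(ip, routers):  # (router, ifname) owning address ip, else None (outside the model)
    return next(((r, n) for r in routers for n, c in r.interfaces.items() if IFACE(c).ip == ip), None)

def walk(hop, dst, routers, path):
    """Forward from (router, ingress_iface) until delivered, dropped or off-net."""
    for _ in range(8):                          # hop limit guards against routing loops
        router, ingress = hop
        egress, next_hop = router.lookup(dst)
        if egress is None:
            return path, "dropped: %s has no route to %s" % (router.name, dst)
        if router.firewall and egress == ingress and not router.intra_interface:
            return (path + ["%s[in:%s]" % (router.name, ingress)],
                    "dropped: %s hairpin on %s (intra-interface denied)" % (router.name, egress))
        path = path + ["%s[in:%s out:%s]" % (router.name, ingress, egress)]
        if next_hop is None:                    # connected route: delivered on that segment
            return path + [str(dst)], "delivered"
        hop = device_for(next_hop, routers)
        if hop is None:                         # next hop is outside the model (e.g. the ISP)
            return path + [str(next_hop)], "forwarded off-net via %s" % egress
    return path, "dropped: hop limit"

def trace(src, dst_ip, routers):
    """Packet from host src to dst_ip: on-link, or via src's default gateway."""
    dst = IP(dst_ip)
    if dst in IFACE(src.addr).network:
        return [src.name, dst_ip], "delivered on-link"
    hop = device_for(IP(src.gateway), routers)
    return walk(hop, dst, routers, [src.name]) if hop else ([src.name], "dropped: gateway unreachable")

# Topology as posted: the ASA inside interface and the 3750's Vlan1 share the client VLAN.
SW3750 = Router("3750-sw01", {"Vlan1": "10.70.64.31/24", "Vlan2": "10.30.0.1/24"},
                static=[("0.0.0.0/0", "10.70.64.1")])
ASA = Router("asa", {"inside": "10.70.64.1/22", "outside": "192.0.2.2/30"},  # outside is assumed
             static=[("10.30.0.0/24", "10.70.64.31"), ("0.0.0.0/0", "192.0.2.1")], firewall=True)
PC = Host("pc", "10.70.64.151/22", "10.70.64.1")      # gateway = ASA, as found in the thread
SERVER = Host("server", "10.30.0.2/30", "10.30.0.1")  # gateway assumed to be the 3750 SVI

def scenarios():
    """The cases discussed in the thread; returns {label: (path, verdict)}."""
    out = {"pc->server, gw=ASA": trace(PC, "10.30.0.2", [ASA, SW3750])}
    asa_hp = replace(ASA, intra_interface=True)     # ASA configured to permit the hairpin
    out["pc->server, gw=ASA, hairpin permitted"] = trace(PC, "10.30.0.2", [asa_hp, SW3750])
    out["server->pc (return)"] = trace(SERVER, "10.70.64.151", [asa_hp, SW3750])
    pc2 = replace(PC, gateway="10.70.64.31")         # route between VLANs on the 3750 instead
    out["pc->server, gw=3750"] = trace(pc2, "10.30.0.2", [ASA, SW3750])
    out["pc->internet, gw=3750"] = trace(pc2, "8.8.8.8", [ASA, SW3750])
    # Return from the internet: the ASA delivers straight into the client VLAN, bypassing the 3750.
    out["internet->pc, flat"] = walk((ASA, "outside"), IP("10.70.64.151"), [ASA, SW3750], [])
    # With a dedicated transit VLAN (assumed Vlan99, 192.168.255.0/30) both directions cross the 3750.
    sw_t = Router("3750-sw01", {**SW3750.interfaces, "Vlan99": "192.168.255.2/30"},
                  static=[("0.0.0.0/0", "192.168.255.1")])
    asa_t = Router("asa", {"inside": "192.168.255.1/30", "outside": "192.0.2.2/30"}, firewall=True,
                   static=[("10.70.64.0/22", "192.168.255.2"), ("10.30.0.0/24", "192.168.255.2"),
                           ("0.0.0.0/0", "192.0.2.1")])
    out["internet->pc, transit vlan"] = walk((asa_t, "outside"), IP("10.70.64.151"), [asa_t, sw_t], [])
    return out

if __name__ == "__main__":
    for label, (path, verdict) in scenarios().items():
        print("%-42s %s\n    %s" % (label, verdict, " -> ".join(path)))
```

Running it shows the first case dropped at the ASA (the packet would have to leave via the inside interface it arrived on), the same flow delivered once the hairpin is permitted but with the reply from the server never touching the ASA, the clean two-hop path when the PC's gateway is the 3750, and, for internet return traffic, the ASA handing the packet straight to the client in the flat design versus through the 3750 when a transit VLAN sits between them.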

To be honest, I'm not sure. I'm still trying to learn more about how ASAs work. There is an L2L IPsec tunnel, but if there's routing on the 3750, I don't see any reason why the core switch can't be the gateway.

An L2L tunnel doesn't require the networks at either end to be directly connected, so it would work fine via the 3750 as long as the routing was correct.

It could just be that it was setup that way and there is no real reason.

If the two vlans are meant to be able to communicate with each other then you would expect the ASA to have the extra configuration but it hasn't.

If there are certain machines that should use the ASA as their default gateway because you want to firewall between these internally, then all machines in that vlan should use the ASA, i.e. you don't have some machines using the ASA and some the 3750 within the same vlan, because there is no real logic to that.

Like I say, I can't tell you, but sometimes there really is no reason why it has been set up that way other than it was the only way a previous person knew how to make it work.

Jon

I added the second vlan to try to correct a mistake I made. I C&P'd an incorrect IP configuration into a server. This is my attempt to be able to access the server and change it back. :D (Yes, I feel really stupid)

We've all done something similar, or at least I have :-)

Can't you just access the server from a client in the same vlan? Then default gateways don't come into it.

Jon

I'm not on location, so if I change the client vlan, I can no longer access it remotely due to the routing in the two ASAs between my office/colo and the office where I'm having the problem. Unfortunately, I don't have anyone who can help at the site either...

Okay can you describe exactly what the issue is in terms of IP addressing etc.

So your IP address, the server IP address etc.

Do you have access to the ASA and if so do you know what version of code it is running ?

How do you access the server, is it RDP ?

Jon

ok. Thanks for the help. It's a little complicated though. :)

NETWORK: ASA 10.70.64.1 => 3750 10.70.64.31 => 2960 10.70.64.48

Unfortunately, the server only has https access. I changed its IP to 10.30.0.2 255.255.255.252. Realizing my oops, I added vlan 2 on the 3750 with an IP of 10.30.0.1 255.255.255.0. I then tried to browse to it. The computer I RDP'd into to try and get to it is 10.70.64.155. I do have access to the ASA. I can't do any port forwarding because... well, in a nutshell, my outside interface on the ASA is a private IP, and the site has port forwarding on their ASA for IKE so that I could establish the IPsec L2L tunnel. Our ASA is behind their ASA because their building splits out the internet between offices and we needed this office network isolated. I attached a crude gliffy pic to help.