10-03-2014 09:19 AM - edited 03-07-2019 08:58 PM
I have a customer with a different case and I am having trouble getting the routing working.
They have an ASA as the head-end today with a single flat network and all unmanaged switches. The ASA is on network 173.18.1.0. The ASA is 173.18.1.251.
I have added an L3 switch behind the ASA to do some segmentation of the network to clean things up. The switch is on VLAN1 with the ASA with an address of 173.18.1.252 and all pings fine including to the other PCs on the network.
I have created a new network of 173.18.30.0 and assigned the L3 an address of 173.18.30.1. From that address I can ping the ASA Inside interface at 173.18.1.251 and I can ping to the Internet both by IP and by name. However, from that 173.18.30.1 I cannot ping to any computers on the 173.18.1.x network (i.e. the DNS server is 173.18.1.8 and it cannot be reached from the 173.18.30.1 address).
Any ideas where my routing is screwed up? I have static routes in place on both the L3 and the ASA.
L3 routing setup:
interface Vlan1
ip address 173.18.1.252 255.255.255.0
!
interface Vlan10
ip address 173.18.10.1 255.255.255.0
!
interface Vlan30
ip address 173.18.30.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 173.18.1.251
ip route 173.18.1.0 255.255.255.0 173.18.1.251
173.18.0.0/24 is subnetted, 2 subnets
C 173.18.30.0 is directly connected, Vlan30
C 173.18.1.0 is directly connected, Vlan1
S* 0.0.0.0/0 [1/0] via 173.18.1.251
ASA routing setup:
route outside 0.0.0.0 0.0.0.0 99.110.69.97 1
route inside Wireless 255.255.255.0 173.18.30.1 1
C 99.110.69.96 255.255.255.224 is directly connected, outside
S Wireless 255.255.255.0 [1/0] via 173.18.30.1, inside
C 173.18.1.0 255.255.255.0 is directly connected, inside
S* 0.0.0.0 0.0.0.0 [1/0] via 99.110.69.97, outside
10-03-2014 12:57 PM
Please change the route on the ASA:
route inside 173.18.30.0 255.255.255.0 173.18.1.252
10-03-2014 01:02 PM
You can remove the below static route from your L3 switch:
ip route 173.18.1.0 255.255.255.0 173.18.1.251
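The two route corrections above can be expressed as a check. This is an added example, not part of the original posts: the helper `check_static_routes` is hypothetical, the addresses are taken from the configuration posted in the thread, and the ASA name `Wireless` is assumed to stand for 173.18.30.0.

```python
import ipaddress

def check_static_routes(connected, static_routes):
    """Audit one device's static routes (hypothetical helper, not a Cisco tool).

    connected: 'network/mask' strings for directly connected interfaces.
    static_routes: (destination, mask, next_hop) string tuples.
    """
    nets = [ipaddress.ip_network(c) for c in connected]
    findings = []
    for dest, mask, hop in static_routes:
        target = ipaddress.ip_network(f"{dest}/{mask}")
        gateway = ipaddress.ip_address(hop)
        # The next hop has to be on a directly connected subnet; otherwise the
        # device has no interface through which to reach it.
        if not any(gateway in n for n in nets):
            findings.append((str(target), hop, "next hop not on a connected network"))
        # A static route to a subnet the device is attached to is redundant.
        if target in nets:
            findings.append((str(target), hop, "destination already connected"))
    return findings

# Values copied from the thread's posted configuration and routing tables.
# Assumption: the ASA name "Wireless" stands for 173.18.30.0.
ASA_CONNECTED = ["99.110.69.96/255.255.255.224", "173.18.1.0/255.255.255.0"]
ASA_POSTED = [("0.0.0.0", "0.0.0.0", "99.110.69.97"),
              ("173.18.30.0", "255.255.255.0", "173.18.30.1")]
ASA_FIXED = [("0.0.0.0", "0.0.0.0", "99.110.69.97"),
             ("173.18.30.0", "255.255.255.0", "173.18.1.252")]
L3_CONNECTED = ["173.18.1.0/255.255.255.0", "173.18.30.0/255.255.255.0"]
L3_POSTED = [("0.0.0.0", "0.0.0.0", "173.18.1.251"),
             ("173.18.1.0", "255.255.255.0", "173.18.1.251")]

if __name__ == "__main__":
    for label, nets, routes in [("ASA as posted", ASA_CONNECTED, ASA_POSTED),
                                ("ASA corrected", ASA_CONNECTED, ASA_FIXED),
                                ("L3 as posted", L3_CONNECTED, L3_POSTED)]:
        print(label, check_static_routes(nets, routes))
```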
10-03-2014 02:05 PM
For the 173.18.1.0 network should I still be using the ASA as the gateway for the clients or should I be using the L3 switch?
I have made the changes to the routing but am still not able to ping anything on the .1 network from the .30 network.
10-03-2014 06:12 PM
All the clients in Vlan-1 should have a default GW as an interface on the L3 switch: 173.18.1.252
Same for the clients in Vlan-30, their default GW should be an interface on the L3 switch: 173.18.30.1
Please check your VLAN status, and make sure that you have also created the L2 VLANs: # show vlan (you should be able to see your VLANs vlan-1, vlan-30 and vlan-10). If not, then please create the L2 VLANs by entering the command: # vlan 30
#exit
Please try to ping as follows.
#ping 173.18.1.252 source 173.18.30.1
#ping 173.18.1.251 source 173.18.30.1
If the above ping fails, then enter the command # ip routing and try the above ping one more time.
10-04-2014 07:23 AM
Instead of having an addressed interface on VLAN1 on the L3 switch, can I just make a route between the 30 and the 1? There are a large number of users, and they are all static, that would need their addresses changed to be able to make this work I think.
Any other ideas?
10-04-2014 08:30 AM
You can swap the IP addresses of the L3 switch and firewall (for vlan-1). If you plan to do that, you need to change your static routes accordingly.
As vlan 30 is on the L3 switch, you need to create a route on the firewall
Wireless 173.18.30.1 255.255.255.0 "<Next_hop_ip address>" not <Firewall_address>
So from the firewall's perspective, its next hop will be the IP address of Vlan-1 of the L3 switch
10-03-2014 12:59 PM
Hey,
How does the ASA know about the 173.18.30.X network?
Also the static route which you have entered "route inside Wireless 255.255.255.0 173.18.30.1 1" should be "route inside Wireless 173.18.30.1 255.255.255.0 <firewall_IP_address>"
HTH.
Regards,
RS.
10-04-2014 07:39 AM
"should be route inside Wireless 173.18.30.1 255.255.255.0 <firewall_IP_address>" - What address should the firewall be? The interface for VLAN 1 on the L3?