Routing Setup

nshoe18
Level 1

I have a customer with a different case and I am having trouble getting the routing working.

 

They have an ASA as the head-end today with a single flat network and all unmanaged switches. The ASA is on network 173.18.1.0. The ASA is 173.18.1.251.

 

I have added a L3 switch behind the ASA to do some segmentation of the network to clean things up. The switch is on VLAN1 with the ASA with an address of 173.18.1.252 and all pings fine including to the other PCs on the network.

 

I have created a new network of 173.18.30.0 and assigned the L3 an address of 173.18.30.1. From that address I can ping the ASA Inside interface at 173.18.1.251 and I can ping to the Internet both by IP and by name. However, from that 173.18.30.1 I cannot ping to any computers on the 173.18.1.x network (i.e. the DNS server is 173.18.1.8 and it cannot be reached from the 173.18.30.1 address).

 

Any ideas where my routing is screwed up? I have static routes in place on both the L3 and the ASA.

 

L3 routing setup:

interface Vlan1
 ip address 173.18.1.252 255.255.255.0
!
interface Vlan10
 ip address 173.18.10.1 255.255.255.0
!
interface Vlan30
 ip address 173.18.30.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 173.18.1.251
ip route 173.18.1.0 255.255.255.0 173.18.1.251
     

173.18.0.0/24 is subnetted, 2 subnets
C       173.18.30.0 is directly connected, Vlan30
C       173.18.1.0 is directly connected, Vlan1
S*   0.0.0.0/0 [1/0] via 173.18.1.251

 

 

ASA routing setup:

route outside 0.0.0.0 0.0.0.0 99.110.69.97 1
route inside Wireless 255.255.255.0 173.18.30.1 1

C    99.110.69.96 255.255.255.224 is directly connected, outside
S    Wireless 255.255.255.0 [1/0] via 173.18.30.1, inside
C    173.18.1.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 99.110.69.97, outside

 

 

 

8 Replies

vishal vyas
Level 1

Please change the route on the ASA

route inside 173.18.30.0 255.255.255.0 173.18.1.252

You can remove the below static route from your L3 switch

ip route 173.18.1.0 255.255.255.0 173.18.1.251

For the 173.18.1.0 network should I still be using the ASA as the gateway for the clients or should I be using the L3 switch?

 

I have made the changes to the routing but am still not able to ping anything on the .1 network from the .30 network.

 

All the clients in Vlan-1 should have a default GW as an interface on the L3 switch: 173.18.1.252

Same for the clients in Vlan-30, their default GW should be an interface on the L3 switch: 173.18.30.1

Please check your vlan status, and make sure that you have created L2 Vlans also # show vlan (you should be able to see your vlans vlan-1, vlan-30 and vlan-10); if not then please create L2 vlans by entering command : # vlan 30 

                   #exit

Please try to ping as follows.

#ping 173.18.1.252 source 173.18.30.1

#ping 173.18.1.251 source 173.18.30.1

If the above ping fails then enter command # ip routing and try the above ping one more time.

Instead of having an addressed interface on VLAN1 on the L3 switch, can I just make a route between the 30 and the 1? There are a large number of users, and they are all static, that would need their addresses changed to be able to make this work I think.

Any other ideas?

 

 

You can swap the IP address of the L3 switch and firewall (for vlan-1); if you plan to do that you need to change your static routes accordingly.

As vlan 30 is on the L3 switch, you need to create a route on the firewall

Wireless 173.18.30.1 255.255.255.0  "<Next_hop_ip address>" not <Firewall_address>

So from the firewall's perspective its next hop will be the IP address of Vlan-1 of the L3 switch

Rajeev Sharma
Cisco Employee

Hey,

How does the ASA know about the 173.18.30.X network?

Also the static route which you have entered "route inside Wireless 255.255.255.0 173.18.30.1 1" should be "route inside Wireless 173.18.30.1 255.255.255.0  <firewall_IP_address>"

HTH.

Regards,
RS.

should be route inside Wireless 173.18.30.1 255.255.255.0  <firewall_IP_address>" - What address should the firewall be? The interface for VLAN 1 on the L3?
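
Added example, not part of the thread or of any participant's post: a Python check that an ASA static route's next hop sits on the subnet directly connected to the interface named in the route, run over the route lines quoted above. The mapping of the name `Wireless` to 173.18.30.0 is an assumption taken from the replies, and the function names are hypothetical.

```python
import ipaddress

# Assumption: "Wireless" is an ASA name alias for 173.18.30.0 (per the replies).
NAMES = {"Wireless": "173.18.30.0"}

# Connected networks, copied from the ASA routing table in the question.
ASA_CONNECTED = {
    "outside": ipaddress.ip_network("99.110.69.96/255.255.255.224"),
    "inside": ipaddress.ip_network("173.18.1.0/255.255.255.0"),
}


def parse_route(line, names=NAMES):
    """Parse an ASA 'route <if> <dest> <mask> <gateway> [metric]' line."""
    tok = line.split()
    if len(tok) < 5 or tok[0] != "route":
        raise ValueError(f"not an ASA static route: {line!r}")
    ifname, dest, mask, gw = tok[1:5]
    dest = names.get(dest, dest)  # resolve a name alias to its address
    return ifname, ipaddress.ip_network(f"{dest}/{mask}"), ipaddress.ip_address(gw)


def check_route(line, connected=ASA_CONNECTED):
    """Return (ok, reason): the next hop must be on the named interface's subnet."""
    ifname, dest, gw = parse_route(line)
    net = connected.get(ifname)
    if net is None:
        return False, f"unknown interface {ifname}"
    if gw not in net:
        return False, f"next hop {gw} is not on {ifname} ({net})"
    return True, f"{dest} via {gw} on {ifname}"


if __name__ == "__main__":
    routes = [
        "route outside 0.0.0.0 0.0.0.0 99.110.69.97 1",        # from the question
        "route inside Wireless 255.255.255.0 173.18.30.1 1",   # from the question
        "route inside 173.18.30.0 255.255.255.0 173.18.1.252", # from the first reply
    ]
    for r in routes:
        ok, reason = check_route(r)
        print("OK  " if ok else "BAD ", r, "->", reason)
```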
