03-28-2011 05:28 PM - edited 03-06-2019 04:19 PM
Hello all,
We have some spare equipment and I'm trying to access the internet via our production LAN, from a test LAN.
I have a 6506 as our core switch, a 3560 acting as a Layer 3 switch connected to the 6506, and an ASA 5520 firewall. I will post all configs below. First, the connections:
GigabitEthernet3/1 on the 6506 is directly connected to GigabitEthernet0/25 on the 3560. (our test LAN)
GigabitEthernet0/26 on the 3560 is directly connected to GigabitEthernet0/1 on the ASA, which is designated as the Inside interface. (The internet access "router")
GigabitEthernet0/0 on the ASA (outside) is directly connected to the Production Core switch, which is a 6513. (the firewall prior to the "internet")
Also, VLAN 500 with an ip address of 10.50.0.254 is defined on the Production 6513 so that the NAT address from the test ASA will be able to communicate
In the configurations below, I can successfully ping all production IP addresses from both the ASA and the 3560 (they are 192.168.x.x IPs).
I can successfully ping the IP addresses on the 3560 and the inside interface of the ASA from the 6506.
I cannot ping production IP addresses from the 6506 - basically anything outside the firewall.
I know it's something simple that I'm missing. Here are configs for each.
Note that on the 6506, I can't enter switchport trunk encapsulation dot1q but when I check the capabilities of the interfaces, they are all dot1q enabled:
6506:
vtp domain domain-name
vtp mode transparent
ip subnet-zero
!
vlan 120
!
interface GigabitEthernet3/1
description To 3560 Gi0/25
switchport trunk native vlan 120
switchport mode trunk
!
interface Vlan1
no ip address
shutdown
!
interface Vlan120
ip address 10.10.20.254 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.20.1
3560:
vtp domain domain-name
vtp mode transparent
ip routing
!
vlan 120
!
interface GigabitEthernet0/25
description From 6506 Gi3/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 120
!
interface GigabitEthernet0/26
description To ASA inside interface
no switchport
ip address 10.10.40.254 255.255.255.0
!
interface Vlan1
no ip address
shutdown
!
interface Vlan120
ip address 10.10.20.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.40.1
ASA 5520:
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.50.0.1 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.10.40.1 255.255.255.0
!
same-security-traffic permit intra-interface
access-list traffic_out extended permit ip any any
access-list traffic_in extended permit ip any any
!
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group traffic_in in interface outside
access-group traffic_out out interface inside
route outside 0.0.0.0 0.0.0.0 10.50.0.254 1
That's all. I'll crank down the security on the firewall if I can ever get the test 6506 to communicate with production.
Thank you for any help on this annoying and probably extremely simple problem....
This is my first post ever, so please let me know if I didn't do something correctly :-)
03-29-2011 04:24 AM
Sounds like a routing issue. Does your firewall know how to get to the inside addresses? i.e. in your case 10.10.20.x.
You might need a route inside statement.
From your config your 6506 has a static to the 3560 and the 3560 has a static to the firewall. You also need the reverse, else the traffic ain't going to come back.
It works from the firewall and the 3560 because they have connected interfaces in those subnets.
As far as what to do on the forum, just rate useful posts and if resolved, mark them resolved. Simple
And welcome
Regards,
Ian
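To make Ian's point concrete, here is an added hop-by-hop route trace over the tables from the posted configs (example code written for this thread, not the poster's or Cisco's). It models each box's routing table with longest-prefix match, the ASA's `global (outside) 1 interface` PAT as a toy translation table, and a placeholder production host 192.168.1.10 on a placeholder VLAN 192.168.1.0/24 behind the 6513. The request from the 6506 gets out fine; the reply dies on the ASA, which un-translates it to 10.10.20.254 and then has nothing better than its default route pointing back out `outside`. Adding the `route inside 10.10.20.0 255.255.255.0 10.10.40.254` that Ian suggests completes the return path. As posted, the 3560 already has 10.10.20.0/24 connected on Vlan120; any further subnet behind the 6506 would also need a static on the 3560, which is the route the original poster ended up adding.

```python
import ipaddress

# Constructed model of the thread's topology (example code, not a Cisco tool).
# A routing table is a list of (prefix, next_hop, interface); next_hop None = connected.
# 192.168.1.10 / 192.168.1.1 / Vlan10 are placeholders for the production side.


def lookup(table, dst):
    """Longest-prefix match; returns (next_hop, interface) or None when no route matches."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nh, iface in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, iface)
    return None if best is None else (best[1], best[2])


class Device:
    def __init__(self, name, addrs, table, pat=None):
        self.name = name
        self.addrs = {ipaddress.ip_address(a) for a in addrs}  # interface addresses it owns
        self.table = table
        self.pat = ipaddress.ip_address(pat) if pat else None   # PAT address (global (outside) 1 interface)
        self.xlate = {}                                         # remote IP -> original inside source


def owner(devices, ip):
    """Which device owns this interface address (the next hop we hand the packet to)."""
    ip = ipaddress.ip_address(ip)
    return next((d for d in devices.values() if ip in d.addrs), None)


def trace(devices, start, src, dst, max_hops=8):
    """Forward one packet hop by hop. Returns (path, verdict, source as seen at the last hop)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    dev, path = devices[start], [start]
    for _ in range(max_hops):
        # Firewall: a reply addressed to the PAT address is un-translated to the inside host
        untranslated = False
        if dev.pat and dst == dev.pat and src in dev.xlate:
            dst, untranslated = dev.xlate[src], True
        if dst in dev.addrs:
            return path, "delivered", src
        route = lookup(dev.table, dst)
        if route is None:
            return path, f"dropped at {dev.name}: no route to {dst}", src
        nh, iface = route
        if dev.pat and iface == "outside":
            if untranslated:  # reply to an inside host but the only match points back outside
                return path, f"dropped at {dev.name}: reply to {dst} has no inside route", src
            dev.xlate[dst] = src  # outbound: remember the inside source, rewrite it to the PAT address
            src = dev.pat
        nxt = owner(devices, nh if nh is not None else dst)
        if nxt is None:
            return path, f"dropped at {dev.name}: next hop unreachable", src
        dev = nxt
        path.append(dev.name)
    return path, "dropped: hop limit exceeded (loop?)", src


def build(asa_inside_route):
    """Tables from the thread's configs; asa_inside_route adds the suggested 'route inside'."""
    asa_table = [("10.10.40.0/24", None, "inside"), ("10.50.0.0/24", None, "outside"),
                 ("0.0.0.0/0", "10.50.0.254", "outside")]  # route outside 0.0.0.0 0.0.0.0 10.50.0.254
    if asa_inside_route:
        asa_table.append(("10.10.20.0/24", "10.10.40.254", "inside"))  # route inside 10.10.20.0 255.255.255.0 10.10.40.254
    return {
        "6506": Device("6506", ["10.10.20.254"],
                       [("10.10.20.0/24", None, "Vlan120"), ("0.0.0.0/0", "10.10.20.1", "Vlan120")]),
        "3560": Device("3560", ["10.10.20.1", "10.10.40.254"],
                       [("10.10.20.0/24", None, "Vlan120"), ("10.10.40.0/24", None, "Gi0/26"),
                        ("0.0.0.0/0", "10.10.40.1", "Gi0/26")]),
        "ASA": Device("ASA", ["10.10.40.1", "10.50.0.1"], asa_table, pat="10.50.0.1"),
        "6513": Device("6513", ["10.50.0.254", "192.168.1.1"],          # placeholder production core
                       [("10.50.0.0/24", None, "Vlan500"), ("192.168.1.0/24", None, "Vlan10")]),
        "host": Device("host", ["192.168.1.10"],                        # placeholder production host
                       [("192.168.1.0/24", None, "eth0"), ("0.0.0.0/0", "192.168.1.1", "eth0")]),
    }


def ping(devices, src_dev, src, dst_dev, dst):
    """Request then reply. Returns (fwd_path, fwd_verdict, reply_path, reply_verdict)."""
    fpath, fverdict, seen_src = trace(devices, src_dev, src, dst)
    if fverdict != "delivered":
        return fpath, fverdict, [], "reply not sent"
    rpath, rverdict, _ = trace(devices, dst_dev, dst, seen_src)  # reply goes to the PAT address
    return fpath, fverdict, rpath, rverdict


if __name__ == "__main__":
    for fixed in (False, True):
        print("with route inside" if fixed else "as posted",
              ping(build(fixed), "6506", "10.10.20.254", "host", "192.168.1.10"))
```

Run it and the "as posted" line shows the request reaching the host and the reply stopping at the ASA; the "with route inside" line shows the reply walking ASA -> 3560 -> 6506. The same trace is a quick sanity check for any "ping works from the firewall but not from the switch behind it" symptom: a box with a connected interface in the destination subnet never needs the return route, so testing only from there hides the gap.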
03-29-2011 09:08 AM
Thank you Ian! It was the ip route I needed to define on the 3560 back to the 6506 that did the trick. These IP ROUTES are killing me every time... :-)
You are a gentleman and a scholar sir!