07-16-2013 03:16 AM - edited 03-07-2019 02:25 PM
Hi,
We have the below network in one of our factories.
Attached is the Visio for it.
Servers 192.168.2.11, 2.15 & 2.21 from the third business unit need to access our factory network servers in VLAN 101 (192.168.101.1/24).
The factory network has an ASA and a Nexus 5k.
Our Cisco ASA is used to terminate the link between our factory & the other business unit. It is actually not that far away, hence fiber is used across both for the interconnect using LACP.
The IP addressing is shown in the diagram.
Current state:
From the ASA, we can ping 192.168.62.1 & any of the servers like 192.168.2.11.
From their side, they can reach 192.168.62.2 and any of our servers like 192.168.101.45.
However, when we tried to ping the servers 192.168.2.X from our Nexus 5k core, they are not pingable.
This is the configuration on the ASA. We have a dual link running between the ASA and the N5k as a port channel.
ASA :->
interface GigabitEthernet0/6
speed 1000
duplex full
channel-group 1 mode on
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
speed 1000
duplex full
channel-group 1 mode on
no nameif
no security-level
no ip address
interface Port-channel1
no nameif
no security-level
no ip address
interface Port-channel1.200
vlan 200
nameif LOCAL
security-level 100
ip address 10.10.1.1 255.255.255.248
interface Port-channel18
description Uplink to Business unit
nameif BU
security-level 0
ip address 192.168.62.1 255.255.255.0
access-list BU_access_in extended permit ip 192.168.2.0 255.255.255.0 192.168.101.0 255.255.255.0
access-group BU_access_in in interface BU
route BU 0.0.0.0 0.0.0.0 192.168.62.1
route LOCAL 192.168.101.0 255.255.255.0 10.10.1.2
On the N5K core :->
ip route 0.0.0.0 0.0.0.0 10.10.1.1
interface port-channel1
switchport mode trunk
speed 1000
duplex full
interface Ethernet1/21
switchport mode trunk
speed 1000
duplex full
channel-group 1
interface Ethernet1/22
switchport mode trunk
speed 1000
duplex full
channel-group 1
Please help with what could be wrong here. I appreciate all advice on this.
07-16-2013 03:34 AM
Hi,
It depends on whether your ASA has NAT configured.
Regarding the configuration you provided, it seems that the 3rd party BU doesn't know anything about the 10.10.1.0/30 network. When you try to ping the remote network from the Nexus, it will probably have 10.10.1.2 as the source IP address if no NAT is applied on your ASA.
Best Regards,
Jan
07-16-2013 04:35 AM
The ASA has no NAT configured.
The third party BU has the below route on their device:
ip route 192.168.101.0 255.255.255.0 192.168.62.2
The ASA has a route pointing towards 10.10.1.2 for traffic towards the 192.168.101.0/24 servers.
Thanks again!
07-16-2013 05:51 AM
Hi,
Is there any other route on the remote side?
I think they are missing this route:
ip route 10.10.1.0 255.255.255.248 192.168.62.2
So the remote router will know your source address of the 5k switch, which is 10.10.1.2. Then it should work if there are no other things like an ACL on the remote side which could deny traffic from the 10.10.1.0 network.
Best regards,
Jan
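To show why the reply to a ping sourced from the Nexus never comes back, here is an added example (not from the thread or any Cisco device) that models the remote router's routing table as reconstructed from this thread and does a longest-prefix lookup on the echo reply's destination, first without and then with the static route suggested above. The ASA ACL is not modeled; the table entries are a constructed approximation.

```python
import ipaddress

# Remote (business-unit) router routing table, reconstructed from the thread:
# two directly connected networks plus the one static route they posted.
# This is a constructed model, not a device dump.
REMOTE_ROUTES = [
    ("192.168.62.0/24", "connected"),
    ("192.168.2.0/24", "connected"),
    ("192.168.101.0/24", "192.168.62.2"),  # ip route 192.168.101.0 255.255.255.0 192.168.62.2
]

# The static route suggested in the thread for the remote router.
SUGGESTED_ROUTE = ("10.10.1.0/29", "192.168.62.2")  # ip route 10.10.1.0 255.255.255.248 192.168.62.2


def lookup(routes, dst):
    """Longest-prefix match. Returns (network, next_hop) or None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def return_next_hop(ping_source, routes):
    """A ping from ping_source reaches a 192.168.2.x server. Can the remote
    router route the echo reply back? Returns its next hop, or None if the
    reply is dropped for lack of a route."""
    match = lookup(routes, ping_source)
    return None if match is None else match[1]


if __name__ == "__main__":
    # Pings sourced from a factory server vs. from the N5K's link address.
    for src in ("192.168.101.45", "10.10.1.2"):
        without = return_next_hop(src, REMOTE_ROUTES)
        with_route = return_next_hop(src, REMOTE_ROUTES + [SUGGESTED_ROUTE])
        print(f"{src}: reply next hop without /29 route = {without}, with = {with_route}")
```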
07-16-2013 06:08 AM
Thanks again.
Is that route needed, as the 10.10.1.0 network is only a routing link between the core & the ASA?
If we try to reach a BU server 192.168.2.x from within one of our servers 192.168.101.x, it is not reachable.
The core switch has a route pointing the traffic towards the ASA for this.
Is there any problem related to the link between the ASA & the core, etherchannel or so, or the way the trunk operates?
07-16-2013 06:33 AM
Hi,
It depends on what your goal is or what you want to have reachable. Of course this route is not needed because it is pointing to your core switch. I wouldn't want to make my core switch visible from the remote side. So if you don't want to reach your core switch from the remote side for some reason, this route is not needed on the remote router.
Regarding the issue of server reachability:
Because the remote side (router) is able to reach your servers, I don't think there is an etherchannel or link problem.
Is there an ACL applied on the remote side? I think there will be something.
Is it possible to post the remote running-config of the router and switch where the servers are connected?
Jan