01-07-2014 05:43 PM - edited 03-07-2019 05:25 PM
I'm just starting to learn about route leaking today, so I'm still trying to figure this out.
In short, I've created three vlans and put them in a vrf and would like them to access the internet. At this point, I have vrf created, vlans assigned and a global route leaked from the vrf to the gateway of last resort. A machine in the vrf is able to ping all three vlan gateways, but cannot still get to the internet.
I have everything on a 6509 core switch, and my firewall is an ASA 5505. I've also tried putting routing configs in using eigrp, but the vrf networks never made it to the ASA. Attached are my configs on both. If anyone could help me with what I'm missing that would be great. Thanks!
**** 6509 Config ****
lab-core6509#sh run
Building configuration...
Current configuration : 22128 bytes
!
! Last configuration change at 17:31:43 pst Tue Jan 7 2014 by rmf
! NVRAM config last updated at 12:30:19 pst Tue Jan 7 2014 by rmf
!
upgrade fpd auto
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service sequence-numbers
service counters max age 5
!
hostname lab-core6509
!
boot-start-marker
boot system flash disk0:s72033-ipservicesk9_wan-mz.122-33.SXI.bin
boot-end-marker
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
aaa session-id common
clock timezone pst -8
clock summer-time PDT recurring
clock calendar-valid
ip subnet-zero
!
!
ip dhcp excluded-address 192.168.80.1 192.168.80.9
!
ip dhcp pool 192.168.80.0/24
network 192.168.80.0 255.255.255.0
default-router 192.168.80.1
domain-name procopio-guest.com
dns-server 8.8.8.8
!
ip vrf bingfish
rd 123:1
!
ip domain-name company.local
mls ip slb purge global
mls netflow interface
no mls flow ip
no mls flow ipv6
mls cef error action reset
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
diagnostic bootup level minimal
diagnostic cns publish cisco.cns.device.diag_results
diagnostic cns subscribe cisco.cns.device.diag_commands
fabric timer 15
!
redundancy
main-cpu
auto-sync running-config
mode sso
!
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
!
!
!
interface Port-channel10
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/1
switchport
switchport access vlan 500
switchport mode access
spanning-tree portfast edge
!
~SNIP~ (I don't think anyone cares about all the interface configs!)
!
interface Vlan510
description voice server net
ip address 10.90.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
!
interface Vlan666
ip address 10.90.253.1 255.255.255.0
!
interface Vlan851
description bingfish client net
ip vrf forwarding bingfish
ip address 10.249.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
!
interface Vlan852
description bingfish server net
ip vrf forwarding bingfish
ip address 10.249.2.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
!
interface Vlan853
description bingfish management net
ip vrf forwarding bingfish
ip address 10.249.3.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
!
interface Vlan901
description guest network
ip address 192.168.80.1 255.255.255.0
ip access-group guest-net in
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
!
interface Vlan912
description internet perimeter
ip address 10.91.2.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
!
interface Vlan999
description management net
ip address 10.90.100.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
!
router eigrp 200
network 10.0.0.0
!
address-family ipv4 vrf bingfish
autonomous-system 99
network 10.249.1.0 0.0.0.255
network 10.249.2.0 0.0.0.255
network 10.249.3.0 0.0.0.255
redistribute static metric 10000 100 255 1 1500
exit-address-family
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.91.1.2
ip route vrf bingfish 0.0.0.0 0.0.0.0 10.91.1.2 global
!
!
no ip http server
no ip http secure-server
!
ip access-list extended guest-net
deny ip any 10.0.0.0 0.255.255.255
permit ip any any
!
!
!
!
control-plane
!
!
dial-peer cor custom
!
!
!
!
line con 0
exec-timeout 30 0
line vty 0 4
exec-timeout 30 0
line vty 5 15
exec-timeout 30 0
!
ntp logging
ntp authenticate
ntp trusted-key 10
ntp clock-period 17179851
ntp source Vlan500
ntp master
ntp server 10.90.1.50 prefer
!
end
**** ASA 5505 Config ****
lab-5505asa# sh run
: Saved
:
ASA Version 8.2(5)
!
hostname lab-5505asa
domain-name company.local
names
dns-guard
!
interface Ethernet0/0
description inside
!
interface Ethernet0/1
description outside
switchport access vlan 2
!
interface Ethernet0/2
description dmz
switchport access vlan 4
speed 100
duplex full
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.91.1.2 255.255.255.0
ospf cost 10
!
interface Vlan2
nameif outside
security-level 0
ip address <outside ip> 255.255.255.128
ospf cost 10
!
interface Vlan4
nameif DMZ
security-level 50
ip address 172.16.35.1 255.255.255.0
ospf cost 10
!
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name company.local
object-group service DM_INLINE_SERVICE_1
service-object tcp eq domain
service-object udp eq domain
service-object udp eq ntp
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_1
network-object host 10.90.1.10
network-object host 10.90.1.11
object-group network DM_INLINE_NETWORK_2
network-object host <outside ip>
network-object host<outside ip>
object-group service DM_INLINE_SERVICE_2
service-object tcp eq domain
service-object udp eq domain
object-group service DM_INLINE_TCP_2 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
port-object eq 3008
port-object eq 3010
port-object eq ssh
object-group network DM_INLINE_NETWORK_3
network-object 216.9.240.0 255.255.240.0
network-object 68.171.224.0 255.255.224.0
object-group service DM_INLINE_TCP_4 tcp
port-object eq 3268
port-object eq 3269
port-object eq ldap
port-object eq ldaps
object-group network DM_INLINE_NETWORK_6
network-object host 172.16.35.12
network-object host 172.16.35.13
object-group service DM_INLINE_TCP_5 tcp
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_7
network-object host 172.16.35.12
network-object host 172.16.35.13
object-group network DM_INLINE_NETWORK_8
network-object host 172.16.36.45
network-object host 172.16.36.46
object-group service DM_INLINE_TCP_6 tcp
port-object eq 2598
port-object eq citrix-ica
port-object eq www
object-group service DM_INLINE_TCP_7 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_3 tcp
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_4
network-object host<outside ip>
network-object host <outside ip>
network-object host <outside ip>
object-group network DM_INLINE_NETWORK_5
network-object host 172.16.35.12
network-object host 172.16.35.13
object-group network DM_INLINE_NETWORK_10
network-object host 172.16.36.15
network-object host 172.16.36.42
object-group network xenapp_servers
network-object host 10.90.1.45
network-object host 10.90.1.46
network-object host 10.90.5.54
object-group network xendesktop_servers
network-object host 10.90.1.38
network-object host 10.90.1.54
object-group network DM_INLINE_NETWORK_11
network-object host 172.16.36.10
network-object host 172.16.36.42
network-object 10.80.1.0 255.255.255.0
group-object xenapp_servers
group-object xendesktop_servers
object-group network DM_INLINE_NETWORK_9
network-object host 172.16.36.27
network-object host 172.16.36.31
object-group network DM_INLINE_NETWORK_12
network-object host 74.117.58.150
network-object host 97.95.240.159
object-group network DM_INLINE_NETWORK_13
network-object 10.90.10.0 255.255.255.0
network-object 192.168.80.0 255.255.255.0
network-object 10.249.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_14
network-object 10.90.1.0 255.255.255.0
network-object 10.90.5.0 255.255.255.0
access-list outside_access_in extended deny ip object-group DM_INLINE_NETWORK_12 any log disable
access-list outside_access_in extended permit tcp any host <outside ip>eq 3389 log disable
access-list outside_access_in extended permit tcp any host<outside ip>eq smtp log disable
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_TCP_7 log disable
access-list dmz_access_in extended permit ip any any log disable
access-list inside_access_in extended deny ip host 10.90.100.25 any log disable
access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_13 any log disable
access-list inside_access_in extended permit tcp host 10.90.1.27 host 172.16.35.11 eq smtp log disable
access-list inside_access_in extended permit ip 10.80.1.0 255.255.255.0 any log disable
access-list inside_access_in extended permit tcp host 10.90.1.33 object-group DM_INLINE_NETWORK_3 eq 3101 log disable
access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_14 any object-group DM_INLINE_TCP_2 log disable
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2 log disable
access-list inside_access_in extended permit udp host 10.90.1.50 any eq ntp log disable
access-list DMZ_access_in extended permit ip object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_11 log disable
access-list DMZ_access_in extended permit tcp host 172.16.35.10 host 172.16.36.27 eq smtp log disable
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_1 host 172.16.35.10 host 172.16.36.10 log disable
access-list DMZ_access_in extended permit tcp host 172.16.35.11 any eq smtp log disable
access-list DMZ_access_in extended permit tcp host 172.16.35.10 any object-group DM_INLINE_TCP_1 log disable
access-list DMZ_access_in remark rule for cag to owa
access-list DMZ_access_in extended permit tcp host 172.16.35.13 object-group DM_INLINE_NETWORK_9 object-group DM_INLINE_TCP_3 log disable
access-list DMZ_access_in extended permit tcp host 172.16.35.10 host 172.16.36.10 object-group DM_INLINE_TCP_4 log disable
access-list DMZ_access_in extended permit tcp object-group DM_INLINE_NETWORK_6 object-group DM_INLINE_NETWORK_10 object-group DM_INLINE_TCP_5 log disable
access-list DMZ_access_in extended permit tcp object-group DM_INLINE_NETWORK_7 object-group DM_INLINE_NETWORK_8 object-group DM_INLINE_TCP_6 log disable inactive
access-list slow-down extended permit ip 10.90.0.0 255.255.0.0 any
access-list slow-down extended permit ip any 10.90.0.0 255.255.0.0
pager lines 24
logging enable
logging trap debugging
logging asdm warnings
logging host inside 10.90.1.65 6/1470
logging permit-hostdown
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
asdm history enable
arp timeout 14400
global (inside) 2 interface
global (outside) 1 interface
global (DMZ) 1 interface
nat (inside) 1 10.80.1.0 255.255.255.0
nat (inside) 1 10.90.1.0 255.255.255.0
nat (inside) 1 10.90.5.0 255.255.255.0
nat (inside) 1 192.168.80.0 255.255.255.0
nat (inside) 1 10.249.0.0 255.255.0.0
nat (DMZ) 1 172.16.35.0 255.255.255.0
static (DMZ,outside)<outside ip>172.16.35.10 netmask 255.255.255.255 dns
static (DMZ,outside) <outside ip>172.16.35.55 netmask 255.255.255.255 dns
static (DMZ,outside) <outside ip>172.16.35.50 netmask 255.255.255.255 dns
static (DMZ,outside) <outside ip>172.16.35.60 netmask 255.255.255.255 dns
static (inside,outside) <outside ip>10.90.1.21 netmask 255.255.255.255 dns
static (inside,DMZ) 172.16.36.31 10.90.1.31 netmask 255.255.255.255
static (inside,DMZ) 172.16.36.10 10.90.1.10 netmask 255.255.255.255
static (inside,DMZ) 172.16.36.27 10.90.1.27 netmask 255.255.255.255
static (inside,DMZ) 172.16.36.15 10.90.1.15 netmask 255.255.255.255
static (inside,DMZ) 172.16.36.42 10.90.1.42 netmask 255.255.255.255
static (inside,DMZ) 10.90.1.0 10.90.1.0 netmask 255.255.255.0
static (inside,DMZ) 10.80.1.0 10.80.1.0 netmask 255.255.255.0
static (inside,DMZ) 10.90.5.0 10.90.5.0 netmask 255.255.255.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
!
router eigrp 200
network 10.0.0.0 255.0.0.0
passive-interface default
no passive-interface inside
!
route outside 0.0.0.0 0.0.0.0 209.242.145.129 1
route inside 10.0.0.0 255.0.0.0 10.91.1.1 1
route inside 10.249.0.0 255.255.0.0 10.91.1.1 1
route inside 192.168.80.0 255.255.255.0 10.91.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics host number-of-rate 3
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.90.1.50 source inside prefer
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect icmp
inspect pptp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:9ba1f1f89fa1a88af05e2fc5fdba3090
: end
01-08-2014 12:18 PM
So it would appear I've solved it by adding a static route in the global routing table back to the subnets in the vrf:
ip classless
ip route 0.0.0.0 0.0.0.0 10.91.1.2
ip route 10.249.1.0 255.255.255.0 Vlan851 <-----------------------
ip route vrf bingfish 0.0.0.0 0.0.0.0 10.91.1.2 global
!
Thanks
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide