cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
7825
Views
5
Helpful
18
Replies

Not able to access internet using VRF-lite on through ASA 5505

vucko-sanel
Level 1
Level 1

Hi guys

I am trying to “build up” a small home-network and using some of following Cisco equipment’s

  • ASA 5505 v8.4.3 witch base license
  • Cisco Catalyst 3750G with ipservices version 15.0.x
  • and 1 qty of AP1142N

I am not able to get internet access from any VRF’s.

From "MILAN (LAN) VRF, I am able to ping my gw: 10.45.45.1 but I am not able to ping for example: “linknett VRF”.

It seems that i am missing some NAT rules on ASA or ?

If i connect my laptop directly to the ASA, i am able to get internet access!

I am not feeling comfortable with a new ASA 8.4 code yet, so im not so sure which exact code's i am missing on ASA ...

Please look at attached digram including configuration files from ASA and 3750 sw.

Thanks!!

2 Accepted Solutions

Accepted Solutions

Mohamed Sobair
Level 7
Level 7

Hello,

From either of all VRFs, you wont be able to access the internet, the problem is not your ASA config, the problem is in your 3750 Switch.

you have VRF-lite configured on all vlan interfaces, therfore , you will be having seperate routing table for each VRF which will not allow other VRFs to interface with the 10.20.45.0/29 by default.

Since you need to setup your default route pointing to 10.20.45.2/29 in all other VRFs, then you need VRF MILAN , VOICE & WLAN to have the 10.20.45.2 in its vrf routing table, Also you need vrf LINKNETT to have all networks in VRF Voice, MILAN & WLAN in its routing table.

In order to perform the above, you will have to configure BGP routing protocol, the ONLY protocol allows VRFs to be carried and leaked together.

So, add the following configuration in your 3750 Switch:

router bgp 1

address-family ipv4 vrf LINKNETT

redistribute connected

address-family ipv4 vrf VOICE

redistribute connected

address-family vrf MILAN

redistribute connected

address-family vrf WLAN

redistribute connected

ip vrf LINKNETT

rd 10:1

route-target export 1:1

route-target import 1:2

route-target import 1:3

route-target import 1:4

ip vrf  MILAN

rd 45:1

route-target export 1:2

route-target import 1:1

ip vrf VOICE

rd 172:1

route-target export 1:3

route-target import 1:1

ip vrf WLAN

rd 192:1

route-target export 1:4

route-target import 1:1

After doing it, you should be good to go and have internet Access at all VRFs.

Thanks,

Mohamed

View solution in original post

OHHH Vuko!!!!!!

I do really apologize , After I got deeper look , I got where your issue. Its really embarassing issue, but beleive me when I was amswering your first post it was very late and was not concentrating well.

Your issue firstly seem to me VRF-RouteLeaking, and then I knew from you you dont need those VRFs to internally communicate except for Internet Traffic.

Now, Your issue is not with the VRF Leaking problem or configuration, the Issue lies on your Firewall, Let me explain further:

VRFs (MILAN, VOICE, & WLAN) have a static default route pointing to 10.20.45.2.  Now, this IP represent the Firewall which is the Gateway (Nexthop) to reach the internet for all VRFs.

Now, Since the (10.20.45.2) has been Leaked from VRF (LINKNETT), So the Communication Established to the Firewall.

However, the Firewall have a route back for all VRFs pointing to (LINKNETT VRF ip: 10.20.45.1) Your Core Switch. and with My recommended config and Setup which has to be done this way, VRF (LINKNETT) has all routes for all VRFs in its routing table.

So when traffic initiated from WLAN VRF , it goes to the Firewall, the Firewall return it back to the Core Switch (VRF LINKNETT), and VRF (LINKNETT) has all routes for all VRFs in its routing table, So it forwards the traffic directly to it.

And this happens vice versa for the returned path.>>> Did you get it yet???

Now, Since we have to have VRF (LINKNETT) has all connected VRFs routes in its routing table which is a MUST, we have no other choice but to deploy (Access Control List) as Close to the Source as possible as you Know.

Since this is the Case, I would suggest you have an ACL Configuration like below added to your Switch configuration, with this ACL , you will prevent All VRFs to communicate with each other Except for Internet:

interface Vlan10

description ** linknett_to_ASA **

ip vrf forwarding LINKNETT

ip address 10.20.45.1 255.255.255.248

!

interface Vlan20

description ** LAN **

ip vrf forwarding MILAN

ip address 10.45.45.1 255.255.255.0

Access-group 100 in ---------------------(Add this statement)

!

interface Vlan30

description ** VOICE **

ip vrf forwarding VOICE

ip address 172.45.45.1 255.255.255.248

access-group 101 in ---------------------- (Add this statement)

!

interface Vlan40

description ** WLAN **

ip vrf forwarding WLAN

ip address 192.168.45.1 255.255.255.240

access-group 102 in  -------------------- (Add this statement)

Add the Following ACLs as Well:

Access-list 100 deny ip 10.45.45.0 0.0.0.255 172.45.45.0 0.0.0.7

access-list 100 deny ip 10.45.45.0 0.0.0.255 192.168.45.0 0.0.0.15

access-list 100 permit ip any any

access-list 101 deny ip 172.45.45.0 0.0.0.7 10.45.45.0 0.0.0.255

access-list 101 deny ip 172.45.45.0 0.0.0.7 192.168.45.0 0.0.0.7

access-list 101 permit ip 172.45.45.0 0.0.0.7 any

access-list 102 deny ip 192.168.45.0 0.0.0.15 10.45.45.0 0.0.0.255

access-list 102 deny ip 192.168.45.0 0.0.0.15 172.45.45.0 0.0.0.7

access-list 102 permit ip any any

After the above Config, you should have Access to internet in all VRFs and NO Inter-VRF communication.

Again, I am reall Sorry and Apologize for not Concentrating on your Second requirement.

Let me know how it goes, Or if you have any doubt.

Thanks,

Mohamed

View solution in original post

18 Replies 18

Mohamed Sobair
Level 7
Level 7

Hello,

From either of all VRFs, you wont be able to access the internet, the problem is not your ASA config, the problem is in your 3750 Switch.

you have VRF-lite configured on all vlan interfaces, therfore , you will be having seperate routing table for each VRF which will not allow other VRFs to interface with the 10.20.45.0/29 by default.

Since you need to setup your default route pointing to 10.20.45.2/29 in all other VRFs, then you need VRF MILAN , VOICE & WLAN to have the 10.20.45.2 in its vrf routing table, Also you need vrf LINKNETT to have all networks in VRF Voice, MILAN & WLAN in its routing table.

In order to perform the above, you will have to configure BGP routing protocol, the ONLY protocol allows VRFs to be carried and leaked together.

So, add the following configuration in your 3750 Switch:

router bgp 1

address-family ipv4 vrf LINKNETT

redistribute connected

address-family ipv4 vrf VOICE

redistribute connected

address-family vrf MILAN

redistribute connected

address-family vrf WLAN

redistribute connected

ip vrf LINKNETT

rd 10:1

route-target export 1:1

route-target import 1:2

route-target import 1:3

route-target import 1:4

ip vrf  MILAN

rd 45:1

route-target export 1:2

route-target import 1:1

ip vrf VOICE

rd 172:1

route-target export 1:3

route-target import 1:1

ip vrf WLAN

rd 192:1

route-target export 1:4

route-target import 1:1

After doing it, you should be good to go and have internet Access at all VRFs.

Thanks,

Mohamed

Thanks Mohamed! That was the trick!

I have now other quetsion:

I don't want to allow access from one specific vrf to other one...

I understand that i have to use route-target import command's ... but with configuration above, I am now able to access MILAN VRF from WLAN VRF which I acctualy don't wont ..

Hello,

I missed that, you eventually needs not all VRFs to communicate with each other but rather ONLY to communicate with LINKNETT VRF.

Yes, now, add the below config to LINKNETT VRF:

ip vrf LINKNETT

rd 10:1

route-target export 1:1

route-target import 1:2

route-target import 1:3

route-target import 1:4

export-map INTERNET    (Add this statement)

route-map INTERNET permit 10

match ip address 10

access-list 10 permit 10.20.45.0 0.0.0.7

This should ONLY allow Internet Access to all VRFs while block Inter-VRF Communication.

Regards,

Mohamed

After adding those commands below, i am still able to acess VRF MILAN (10.45.45.0/24) from VRF WLAN (192.168.45.0/28)

ip vrf LINKNETT

rd 10:1

export map INTERNET

route-target export 1:1

route-target import 1:2

route-target import 1:3

route-target import 1:4

!

access-list 10 permit 10.20.45.0 0.0.0.7

!

route-map INTERNET permit 10

match ip address 10

Core-01#sh route-map INTERNET

route-map INTERNET, permit, sequence 10

  Match clauses:

    ip address (access-lists): 10

  Set clauses:

  Policy routing matches: 0 packets, 0 bytes

Core-01#

Core-01#sh access-lists     

Standard IP access list 10

    10 permit 10.20.45.0, wildcard bits 0.0.0.7 (1 match)

Extended IP access list test

    10 permit ip any any

Core-01#

Attached switch configuration

This Shouldnt be...

Can you clear the IP routing table for those VRFs manually and try again. Clear VRF WLAN and MILAN routing and check.

Regards,

Mohamed

tallready done that ...

Core-01#clear ip route vrf WLAN *

Core-01#clear ip route vrf MILAN *

Core-01#clear ip route vrf LINKNETT *

but i still have acces to MILAN VRF for WLAN VRF ..

Core-01#sh ip route vrf MILAN

Routing Table: MILAN

Gateway of last resort is 10.20.45.2 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.20.45.2

      10.0.0.0/8 is variably subnetted, 3 subnets, 3 masks

B        10.20.45.0/29 is directly connected, 00:03:57, Vlan10

C        10.45.45.0/24 is directly connected, Vlan20

L        10.45.45.1/32 is directly connected, Vlan20

Core-01#sh ip route vrf WLAN

Routing Table: WLAN

Gateway of last resort is 10.20.45.2 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.20.45.2

      10.0.0.0/29 is subnetted, 1 subnets

B        10.20.45.0 is directly connected, 00:03:45, Vlan10

      192.168.45.0/24 is variably subnetted, 2 subnets, 2 masks

C        192.168.45.0/28 is directly connected, Vlan40

L        192.168.45.1/32 is directly connected, Vlan40

Core-01#sh ip route vrf LINKNETT

Routing Table: LINKNETT

Gateway of last resort is 10.20.45.2 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.20.45.2

      10.0.0.0/8 is variably subnetted, 3 subnets, 3 masks

C        10.20.45.0/29 is directly connected, Vlan10

L        10.20.45.1/32 is directly connected, Vlan10

B        10.45.45.0/24 is directly connected, 00:03:52, Vlan20

      172.45.0.0/29 is subnetted, 1 subnets

B        172.45.45.0 is directly connected, 00:03:52, Vlan30

      192.168.45.0/28 is subnetted, 1 subnets

B        192.168.45.0 is directly connected, 00:03:52, Vlan40

Core-01#

but it seems that ping results from switch are correct ...

Core-01#ping vrf WLAN 192.168.45.10 source vlan 20

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.45.10, timeout is 2 seconds:

Packet sent with a source address of 10.45.45.1

.....

Success rate is 0 percent (0/5)

Core-01#

Core-01#ping vrf MILAN 10.45.45.20 source vlan 40

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.45.45.20, timeout is 2 seconds:

Packet sent with a source address of 192.168.45.1

.....

Success rate is 0 percent (0/5)

Core-01#

Hmmm!!!!!

Can you add the below config and let me know:

ip vrf MILAN

rd 45:1

route-target export 1:2

route-target import 1:1

import map INTERNET (Add this statement)

ip vrf WLAN

rd 192:1

route-target export 1:4

route-target import 1:1

import map INTERNET  (Add this statement)

Let me know how it goes... I remeber the (import map) command have influence on what routes should be imported into the VRF regardless of its route-target..

Please check..

Regards,

Mohamed

Still able to communicate between VRFs ...

i attached updated configuration file from swith ..

OK, I have reviewed the main VRF LINKNETT config, please configure it as follows:

ip vrf LINKNETT

rd 10:1

route-target export 1:1  (Remove this statement)

route-target import 1:2

route-target import 1:3

route-target import 1:4

export-map INTERNET (Add this statement)

route-map INTERNET permit 10

match ip address 10

set extcommunity rt 1:1    (Add this statement)

access-list 10 permit 10.20.45.0 0.0.0.7

Also remove all (import map) commands under both VRFs. Let me know

Clear All routing table and check your connectivity.

Regards,

Mohamed

sorry to tell you that "issue" is still there ..

.. and yes, i clear all routering tables as well

maybe  i should try to reload switch and ASA .. ?

attached a new updated configuration ..

I just reloded both devices (ASA and switch) and im still able to communicate between VRFs

ping results still looks fine ..

Core-01#ping vrf WLAN 192.168.45.10 source vlan 20

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.45.10, timeout is 2 seconds:

Packet sent with a source address of 10.45.45.1

.....

Success rate is 0 percent (0/5)

Core-01#

Core-01#ping vrf MILAN 10.45.45.20 source vlan 40

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.45.45.20, timeout is 2 seconds:

Packet sent with a source address of 192.168.45.1

.....

Success rate is 0 percent (0/5)

Core-01#

Any Ideas Mohamed ?

Hi,

This is how it should work!! and I am surprised if your other VRFs recieves other routes than the 10.20.45.0/29.

With the above config, VRF WLAN & MILAN Should ONLY recieve 10.20.45.0/29 from VRF LINKNETT.

Please double check your VRF routing table,

Regards,

Mohamed

like u could have seen from diagram, i am using 3 VRFs (MILAN, WLAN and VOICE) and 4th VRF is just small linknet subnet between ASA og 3k.

My VRF routing table reciving just routes from "LINKNETT" VRF

Core-01#sh ip route vrf MILAN  

Routing Table: MILAN

Gateway of last resort is 10.20.45.2 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.20.45.2

      10.0.0.0/8 is variably subnetted, 3 subnets, 3 masks

B        10.20.45.0/29 is directly connected, 17:00:51, Vlan10

C        10.45.45.0/24 is directly connected, Vlan20

L        10.45.45.1/32 is directly connected, Vlan20

Core-01#

Core-01#sh ip route vrf WLAN

Routing Table: WLAN

Gateway of last resort is 10.20.45.2 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.20.45.2

      10.0.0.0/29 is subnetted, 1 subnets

B        10.20.45.0 is directly connected, 17:00:58, Vlan10

      192.168.45.0/24 is variably subnetted, 2 subnets, 2 masks

C        192.168.45.0/28 is directly connected, Vlan40

L        192.168.45.1/32 is directly connected, Vlan40

Core-01#

Core-01#sh ip route vrf VOICE

Routing Table: VOICE

Gateway of last resort is 10.20.45.2 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.20.45.2

      10.0.0.0/29 is subnetted, 1 subnets

B        10.20.45.0 is directly connected, 17:01:06, Vlan10

      172.45.0.0/16 is variably subnetted, 2 subnets, 2 masks

C        172.45.45.0/29 is directly connected, Vlan30

L        172.45.45.1/32 is directly connected, Vlan30

Core-01#

so i canæt understand why i am stil able to log on server which is placed in MILAN VRF (10.45.45.0/24) from WLAN VRF (192.168.45.0/28)

Please find attached updated digram and configuration files!

OHHH Vuko!!!!!!

I do really apologize , After I got deeper look , I got where your issue. Its really embarassing issue, but beleive me when I was amswering your first post it was very late and was not concentrating well.

Your issue firstly seem to me VRF-RouteLeaking, and then I knew from you you dont need those VRFs to internally communicate except for Internet Traffic.

Now, Your issue is not with the VRF Leaking problem or configuration, the Issue lies on your Firewall, Let me explain further:

VRFs (MILAN, VOICE, & WLAN) have a static default route pointing to 10.20.45.2.  Now, this IP represent the Firewall which is the Gateway (Nexthop) to reach the internet for all VRFs.

Now, Since the (10.20.45.2) has been Leaked from VRF (LINKNETT), So the Communication Established to the Firewall.

However, the Firewall have a route back for all VRFs pointing to (LINKNETT VRF ip: 10.20.45.1) Your Core Switch. and with My recommended config and Setup which has to be done this way, VRF (LINKNETT) has all routes for all VRFs in its routing table.

So when traffic initiated from WLAN VRF , it goes to the Firewall, the Firewall return it back to the Core Switch (VRF LINKNETT), and VRF (LINKNETT) has all routes for all VRFs in its routing table, So it forwards the traffic directly to it.

And this happens vice versa for the returned path.>>> Did you get it yet???

Now, Since we have to have VRF (LINKNETT) has all connected VRFs routes in its routing table which is a MUST, we have no other choice but to deploy (Access Control List) as Close to the Source as possible as you Know.

Since this is the Case, I would suggest you have an ACL Configuration like below added to your Switch configuration, with this ACL , you will prevent All VRFs to communicate with each other Except for Internet:

interface Vlan10

description ** linknett_to_ASA **

ip vrf forwarding LINKNETT

ip address 10.20.45.1 255.255.255.248

!

interface Vlan20

description ** LAN **

ip vrf forwarding MILAN

ip address 10.45.45.1 255.255.255.0

Access-group 100 in ---------------------(Add this statement)

!

interface Vlan30

description ** VOICE **

ip vrf forwarding VOICE

ip address 172.45.45.1 255.255.255.248

access-group 101 in ---------------------- (Add this statement)

!

interface Vlan40

description ** WLAN **

ip vrf forwarding WLAN

ip address 192.168.45.1 255.255.255.240

access-group 102 in  -------------------- (Add this statement)

Add the Following ACLs as Well:

Access-list 100 deny ip 10.45.45.0 0.0.0.255 172.45.45.0 0.0.0.7

access-list 100 deny ip 10.45.45.0 0.0.0.255 192.168.45.0 0.0.0.15

access-list 100 permit ip any any

access-list 101 deny ip 172.45.45.0 0.0.0.7 10.45.45.0 0.0.0.255

access-list 101 deny ip 172.45.45.0 0.0.0.7 192.168.45.0 0.0.0.7

access-list 101 permit ip 172.45.45.0 0.0.0.7 any

access-list 102 deny ip 192.168.45.0 0.0.0.15 10.45.45.0 0.0.0.255

access-list 102 deny ip 192.168.45.0 0.0.0.15 172.45.45.0 0.0.0.7

access-list 102 permit ip any any

After the above Config, you should have Access to internet in all VRFs and NO Inter-VRF communication.

Again, I am reall Sorry and Apologize for not Concentrating on your Second requirement.

Let me know how it goes, Or if you have any doubt.

Thanks,

Mohamed