Catalyst 3750 Switch and ASA 5510
  • Catalyst 3750 Switch and ASA 5510

    I am trying to set up some VLANs, and want a Catalyst 3750 to do the routing. I am using an ASA 5510 to connect to the ISP. The VLANs are all able to talk to each other, but they are not able to get to the outside interface on the ASA. I do have a routed port configured on the switch and a default route pointing to the inside interface on the ASA. I am including the configs. Any help is greatly appreciated.


    ASA Config:
    :
    ASA Version 8.2(1)
    !
    hostname ciscoasa

    names
    !
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 10.0.0.10 255.255.255.0
    !
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 10.109.109.1 255.255.255.252
    !
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    !
    ftp mode passive
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
    route inside 192.168.1.0 255.255.255.0 10.109.109.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet 10.10.10.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global


    Cisco 3750 Config

    version 12.2
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname Switch
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 $1$PN2o$ezLE8vU.T6PW9R2IBOkev/
    enable password id10t
    !
    no aaa new-model
    system mtu routing 1500
    ip subnet-zero
    ip routing
    !
    !
    !
    !
    !
    !
    !
    !
    spanning-tree mode pvst
    spanning-tree extend system-id
    !
    vlan internal allocation policy ascending
    !
    !
    !
    interface FastEthernet0/1
    switchport trunk encapsulation dot1q
    switchport mode trunk
    !
    interface FastEthernet0/2
    switchport voice vlan 16
    spanning-tree portfast
    !
    interface FastEthernet0/3
    switchport voice vlan 16
    spanning-tree portfast
    !
    interface FastEthernet0/4
    switchport voice vlan 16
    spanning-tree portfast
    !
    interface FastEthernet0/5
    switchport voice vlan 16
    spanning-tree portfast
    !
    interface FastEthernet0/6
    switchport voice vlan 16
    spanning-tree portfast
    !
    interface FastEthernet0/7
    switchport voice vlan 16
    spanning-tree portfast
    !
    interface FastEthernet0/8
    switchport access vlan 109
    switchport mode access
    switchport voice vlan 16
    spanning-tree portfast
    !
    interface GigabitEthernet0/1
    no switchport
    ip address 10.109.109.2 255.255.255.252
    !
    interface Vlan1
    ip address 192.168.1.5 255.255.255.0
    !
    interface Vlan16
    description Voice
    ip address 172.18.36.3 255.255.252.0
    !
    interface Vlan109
    description test vlan
    ip address 192.168.109.5 255.255.255.0
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 10.109.109.1
    ip http server
    !
    !
    control-plane
    Last edited by kgantt; 6th February 2013, 15:18.

  • #2
    Re: Catalyst 3750 Switch and ASA 5510

    Can you ping the ip address of interface Ethernet0/1 of the ASA from interface GigabitEthernet0/1 of the 3750? (Extended ping and select the source ip address or interface)

    What does a tracert to the ip address of interface Ethernet0/1 of the ASA from a client show?



    • #3
      Re: Catalyst 3750 Switch and ASA 5510

      I am able to ping the inside interface (eth 0/1), but not the outside interface (eth 0/0).

      Trace shows the 2 hops you would expect. Gateway and address of inside interface.

      Trace to outside interface (eth 0/0) shows gateway, and then times out.

      Thanks for your help.



      • #4
        Re: Catalyst 3750 Switch and ASA 5510

        I am able to ping the inside interface (eth 0/1), but not the outside interface (eth 0/0).

        This is not allowed by design. You cannot ping a non-directly-attached interface on the ASA. I think you may be able to work around this by using the same-security-traffic permit inter-interface command, but in reality why would you want your inside hosts to do this? If anything, let them ping through to the next hop gateway (normally your ISP router/firewall).

        Also, the ASA by default does not decrement the TTL, so by default you would not see the ASA appear in the traceroute. Again this is by design and a best practice to keep it that way. You could allow this though:

        ciscoasa(config)# policy-map global_policy

        ciscoasa(config-pmap)# class class-default

        ciscoasa(config-pmap-c)# set connection decrement-ttl

        Another note: the ASA by default does not inspect ICMP traffic. So your pings to, say, an internet-based host (8.8.8.8) would go out, but since it's not inspected the replies would be blocked. Again, you could allow this as well:


        policy-map global_policy
        class inspection_default
        inspect icmp
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)



        • #5
          Re: Catalyst 3750 Switch and ASA 5510

          I have added the inspect icmp command to the configuration. I also created a DMZ. If I connect to the DMZ interface, no routed port, I am able to ping both the outside interface and the ISP gateway address without any trouble. When connected to the routed port I am still unable to pass any traffic to the outside interface or the gateway interface. This includes using telnet to connect to the ISP gateway, something I can normally do.

          Please let me know if there are any questions as to what I am trying to accomplish. There may be a different way, but I do not want to use the ASA to route my individual VLANs.

          Thanks for the help.



          • #6
            Re: Catalyst 3750 Switch and ASA 5510

            Post the full updated ASA config and also the switch config again. A diagram would be helpful as well.


            "but I do not want to use the ASA to route my individual VLANs."
            Your inter-VLAN traffic should never reach the ASA, as the switch should have local routes to all your VLANs that are directly connected. Now if the inside needs to access the DMZ off the ASA, then that traffic would have to come through the ASA.

            Just an FYI, the inspect icmp command is only for traffic passing through the ASA, not traffic destined to it. For local ASA traffic you would use the icmp permit command.

            Not sure what you mean by "routed port". If the interface has an IP and traffic is sourced from that subnet destined to a remote subnet, then that traffic is routed (not switched).

            Also, why would you add a DMZ to the config when the original config isn't working? Take it in steps.

            Does the upstream ISP device have a route back to your subnet initiating the telnet? If not, it will be dropped on that device. Does the ASA have a route back to your internal subnets? I see the route for 192.168.1.0/24, but I don't see one for the 192.168.109 subnet on the ASA.


            Also, there really isn't a need for the routed port on the switch. You could just use an SVI and then put the ASA inside interface in a different VLAN:


            interface GigabitEthernet0/1
            no switchport
            ip address 10.109.109.2 255.255.255.252

            could be


            int vlan 20
            description ASA
            ip add 10.109.109.2 255.255.255.252

            int fa1/0/4
            description CONNECTION_TO_ASA
            switchport mode access
            switchport access vlan 20


            Also, looking at your config on the switch, I see the voice VLAN defined but not the data VLAN:


            int fa0/6
            switchport mode access (makes it an access port)
            switchport access vlan ?? (defines the data vlan)
            switchport voice vlan ?? (defines the voice vlan)
            spanning-tree portfast
            spanning-tree bpduguard enable


            Also, for your test VLAN make sure at least one port in that VLAN is in an up/up state (i.e. something is connected to it), as the SVI will show in an up/down state (the spanning tree instance will be down) until at least one port in that VLAN is up and in the spanning tree forwarding state (the VLAN must also exist in the VLAN database). An active trunk link with that VLAN allowed will also bring the SVI up. You can verify this:

            show ip int brief (check svi status)

            sh vlan brief (check to make sure the vlan exists in the database)


            This feature is called autostate.
            Last edited by auglan; 6th February 2013, 16:59.
            CCNA, CCNA-Security, CCNP
            CCIE Security (In Progress)



            • #7
              Re: Catalyst 3750 Switch and ASA 5510

              I don't disagree with one step at a time. The DMZ was simply to test to make sure I was getting traffic through the ASA to the ISP router. From the DMZ I am able to ping. I am still not able to pass traffic on the inside interface. I am posting updated configs along with sho int brief and sho vlan brief.

              I am sure at this point it is something stupid I am missing. Thanks for all the help.

              ASA Config


              ASA Version 8.2(1)
              !
              hostname ciscoasa

              names
              !
              interface Ethernet0/0
              nameif outside
              security-level 0
              ip address 10.0.0.10 255.255.255.0
              !
              interface Ethernet0/1
              description inside
              no nameif
              no security-level
              no ip address
              !
              interface Ethernet0/1.1
              description connect to switch
              vlan 5
              nameif inside
              security-level 100
              ip address 10.109.109.1 255.255.255.252
              !
              interface Ethernet0/2
              nameif dmz
              security-level 90
              ip address 172.27.27.1 255.255.0.0
              !
              interface Ethernet0/3
              shutdown
              no nameif
              no security-level
              no ip address
              !
              interface Management0/0
              nameif management
              security-level 100
              ip address 192.168.1.1 255.255.255.0
              management-only
              !
              ftp mode passive
              pager lines 24
              logging enable
              logging asdm informational
              mtu outside 1500
              mtu inside 1500
              mtu management 1500
              mtu dmz 1500
              no failover
              icmp unreachable rate-limit 1 burst-size 1
              no asdm history enable
              arp timeout 14400
              route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
              timeout xlate 3:00:00
              timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
              timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
              timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
              timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
              timeout tcp-proxy-reassembly 0:01:00
              dynamic-access-policy-record DfltAccessPolicy
              http server enable
              http 192.168.1.0 255.255.255.0 management
              no snmp-server location
              no snmp-server contact
              snmp-server enable traps snmp authentication linkup linkdown coldstart
              crypto ipsec security-association lifetime seconds 28800
              crypto ipsec security-association lifetime kilobytes 4608000
              telnet timeout 5
              ssh timeout 5
              console timeout 0
              dhcpd address 192.168.1.2-192.168.1.254 management
              dhcpd enable management
              !
              threat-detection basic-threat
              threat-detection statistics access-list
              no threat-detection statistics tcp-intercept
              webvpn
              !
              class-map inspection_default
              match default-inspection-traffic
              !
              !
              policy-map type inspect dns preset_dns_map
              parameters
              message-length maximum 512
              policy-map global_policy
              class inspection_default
              inspect dns preset_dns_map
              inspect ftp
              inspect h323 h225
              inspect h323 ras
              inspect rsh
              inspect rtsp
              inspect esmtp
              inspect sqlnet
              inspect skinny
              inspect sunrpc
              inspect xdmcp
              inspect sip
              inspect netbios
              inspect tftp
              inspect icmp
              !
              service-policy global_policy global

              Switch Config



              version 12.2
              no service pad
              service timestamps debug uptime
              service timestamps log uptime
              no service password-encryption
              !
              hostname Switch
              !
              boot-start-marker
              boot-end-marker
              !
              !
              no aaa new-model
              system mtu routing 1500
              ip subnet-zero
              ip routing
              !
              !
              !
              !
              !
              !
              !
              !
              spanning-tree mode pvst
              spanning-tree extend system-id
              !
              vlan internal allocation policy ascending
              !
              !
              !
              interface FastEthernet0/1
              switchport trunk encapsulation dot1q
              switchport mode trunk
              !
              interface FastEthernet0/2
              switchport voice vlan 16
              spanning-tree portfast
              !
              interface FastEthernet0/3
              switchport voice vlan 16
              spanning-tree portfast
              !
              interface FastEthernet0/4
              switchport voice vlan 16
              spanning-tree portfast
              !
              interface FastEthernet0/5
              switchport voice vlan 16
              spanning-tree portfast
              !
              interface FastEthernet0/6
              switchport access vlan 109
              switchport mode access
              switchport voice vlan 16
              spanning-tree portfast
              spanning-tree bpduguard enable
              !
              interface FastEthernet0/7
              switchport voice vlan 16
              spanning-tree portfast
              !
              interface FastEthernet0/8
              switchport access vlan 109
              switchport mode access
              switchport voice vlan 16
              spanning-tree portfast
              !
              interface GigabitEthernet0/1
              description connect to asa
              switchport access vlan 5
              switchport mode access
              !
              interface Vlan1
              ip address 172.27.27.5 255.255.255.0
              !
              interface Vlan5
              description connection to asa
              ip address 10.109.109.2 255.255.255.252
              !
              interface Vlan16
              description Voice
              ip address 172.18.36.3 255.255.252.0
              !
              interface Vlan109
              description test vlan
              ip address 192.168.109.5 255.255.255.0
              !
              ip classless
              ip route 0.0.0.0 0.0.0.0 10.109.109.1
              ip http server
              !
              !
              control-plane
              !
              !

              !
              end


              Switch#sho ip int brief
              Interface IP-Address OK? Method Status Protocol
              Vlan1 172.27.27.5 YES manual up up
              Vlan5 10.109.109.2 YES manual up up
              Vlan16 172.18.36.3 YES NVRAM up up
              Vlan109 192.168.109.5 YES manual up up
              FastEthernet0/1 unassigned YES unset up up
              FastEthernet0/2 unassigned YES unset down down
              FastEthernet0/3 unassigned YES unset down down
              FastEthernet0/4 unassigned YES unset down down
              FastEthernet0/5 unassigned YES unset down down
              FastEthernet0/6 unassigned YES unset up up
              FastEthernet0/7 unassigned YES unset down down
              FastEthernet0/8 unassigned YES unset down down
              GigabitEthernet0/1 unassigned YES unset up up

              Switch_Fay#sho vlan brief

              VLAN Name Status Ports
              ---- -------------------------------- --------- -------------------------------
              1 default active Fa0/2, Fa0/3, Fa0/4, Fa0/5
              Fa0/7
              5 VLAN0005 active Gi0/1
              10 master-vlan active
              11 VLAN0011 active
              12 VLAN0012 active
              13 VLAN0013 active
              14 VLAN0014 active
              15 VLAN0015 active
              16 VLAN0016 active Fa0/2, Fa0/3, Fa0/4, Fa0/5
              Fa0/6, Fa0/7, Fa0/8
              20 VLAN0020 active
              23 VLAN0023 active
              27 VLAN0027 active
              30 vlan-corp active
              40 vlan-guest active
              41 VLAN0041 active
              61 VLAN0061 active
              72 VLAN0072 active
              103 VLAN0103 active

              VLAN Name Status Ports
              ---- -------------------------------- --------- -------------------------------
              109 VLAN0109 active Fa0/6, Fa0/8
              1002 fddi-default act/unsup
              1003 token-ring-default act/unsup
              1004 fddinet-default act/unsup
              1005 trnet-default act/unsup



              • #8
                Re: Catalyst 3750 Switch and ASA 5510

                Try making the Gi0/1 interface on the switch into a dot1q trunk. Typically when using subinterfaces on the ASA it will be a trunk link from the ASA to the switch, as the reason for using subinterfaces is to encapsulate multiple VLANs.


                Also check your logs. If you can console into the ASA:

                logging console 7 (this will produce a lot of output if there is a lot of traffic passing through it, so it may be better to send it to the buffer). This will tell you if the ASA is dropping it, etc.
                CCNA, CCNA-Security, CCNP
                CCIE Security (In Progress)



                • #9
                  Re: Catalyst 3750 Switch and ASA 5510

                  So I have this working. Make the port connected to the ASA a routed port using the no switchport command, then assign an IP address directly to the port. Define a default route to the inside port on the ASA.

                  On the ASA I needed to configure NAT for each IP range, and needed to define routes for each IP range, with the gateway address being the port on the switch.

                  Here are the working configs, and I hope it helps someone. There may be some cleanup needed, but these are allowing access between VLANs and access to the internet.

                  ASA Config

                  ASA Version 8.2(1)
                  !
                  hostname ciscoasa

                  names
                  !
                  interface Ethernet0/0
                  nameif outside
                  security-level 0
                  ip address 10.0.0.10 255.255.255.0
                  !
                  interface Ethernet0/1
                  description trunk inside
                  nameif inside
                  security-level 100
                  ip address 10.109.109.1 255.255.255.252
                  !
                  interface Ethernet0/2
                  nameif dmz
                  security-level 90
                  ip address 172.27.27.1 255.255.0.0
                  !
                  interface Ethernet0/3
                  shutdown
                  no nameif
                  no security-level
                  no ip address
                  !
                  interface Management0/0
                  nameif management
                  security-level 100
                  ip address 192.168.1.1 255.255.255.0
                  management-only
                  !
                  ftp mode passive
                  access-list outside-entry extended permit icmp any any echo-reply
                  access-list outside-entry extended permit icmp any any time-exceeded
                  access-list outside-entry extended permit icmp any any unreachable
                  pager lines 24
                  logging enable
                  logging asdm informational
                  mtu outside 1500
                  mtu inside 1500
                  mtu management 1500
                  mtu dmz 1500
                  no failover
                  icmp unreachable rate-limit 1 burst-size 1
                  icmp permit any outside
                  no asdm history enable
                  arp timeout 14400
                  global (outside) 1 interface
                  nat (inside) 1 10.109.109.0 255.255.255.0
                  nat (inside) 1 192.168.109.0 255.255.255.0
                  route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
                  route inside 172.18.36.0 255.255.255.0 10.109.109.2 1
                  route inside 192.168.109.0 255.255.255.0 10.109.109.2 1
                  timeout xlate 3:00:00
                  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
                  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
                  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
                  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
                  timeout tcp-proxy-reassembly 0:01:00
                  dynamic-access-policy-record DfltAccessPolicy
                  http server enable
                  http 192.168.1.0 255.255.255.0 management
                  no snmp-server location
                  no snmp-server contact
                  snmp-server enable traps snmp authentication linkup linkdown coldstart
                  crypto ipsec security-association lifetime seconds 28800
                  crypto ipsec security-association lifetime kilobytes 4608000
                  telnet timeout 5
                  ssh timeout 5
                  console timeout 0
                  dhcpd address 192.168.1.2-192.168.1.254 management
                  dhcpd enable management
                  !
                  threat-detection basic-threat
                  threat-detection statistics access-list
                  no threat-detection statistics tcp-intercept
                  webvpn
                  !
                  class-map inspection_default
                  match default-inspection-traffic
                  !
                  !
                  policy-map type inspect dns preset_dns_map
                  parameters
                  message-length maximum 512
                  policy-map global_policy
                  class inspection_default
                  inspect dns preset_dns_map
                  inspect ftp
                  inspect h323 h225
                  inspect h323 ras
                  inspect rsh
                  inspect rtsp
                  inspect esmtp
                  inspect sqlnet
                  inspect skinny
                  inspect sunrpc
                  inspect xdmcp
                  inspect sip
                  inspect netbios
                  inspect tftp
                  inspect icmp
                  !
                  service-policy global_policy global
                  prompt hostname context


                  Switch Config

                  version 12.2
                  no service pad
                  service timestamps debug uptime
                  service timestamps log uptime
                  no service password-encryption
                  !
                  hostname Switch
                  !
                  boot-start-marker
                  boot-end-marker
                  !
                  !
                  no aaa new-model
                  system mtu routing 1500
                  ip subnet-zero
                  ip routing
                  !
                  !
                  !
                  !
                  !
                  !
                  !
                  !
                  spanning-tree mode pvst
                  spanning-tree extend system-id
                  !
                  vlan internal allocation policy ascending
                  !
                  !
                  !
                  interface FastEthernet0/1
                  switchport trunk encapsulation dot1q
                  switchport mode trunk
                  !
                  interface FastEthernet0/2
                  switchport voice vlan 16
                  spanning-tree portfast
                  !
                  interface FastEthernet0/3
                  switchport voice vlan 16
                  spanning-tree portfast
                  !
                  interface FastEthernet0/4
                  switchport voice vlan 16
                  spanning-tree portfast
                  !
                  interface FastEthernet0/5
                  switchport voice vlan 16
                  spanning-tree portfast
                  !
                  interface FastEthernet0/6
                  switchport access vlan 109
                  switchport mode access
                  switchport voice vlan 16
                  spanning-tree portfast
                  spanning-tree bpduguard enable
                  !
                  interface FastEthernet0/7
                  switchport voice vlan 16
                  spanning-tree portfast
                  !
                  interface FastEthernet0/8
                  switchport access vlan 109
                  switchport mode access
                  switchport voice vlan 16
                  spanning-tree portfast
                  !
                  interface GigabitEthernet0/1
                  description connect to asa
                  no switchport
                  ip address 10.109.109.2 255.255.252.0
                  !
                  interface Vlan1
                  no ip address
                  !
                  interface Vlan5
                  description connection to asa
                  no ip address
                  !
                  interface Vlan16
                  description Voice
                  ip address 172.18.36.3 255.255.252.0
                  !
                  interface Vlan109
                  description test vlan
                  ip address 192.168.109.5 255.255.255.0
                  !
                  ip classless
                  ip route 0.0.0.0 0.0.0.0 10.109.109.1
                  ip http server
                  !
                  !
                  control-plane
                  !

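As an added example, not code from the thread: a small Python checker that asks the two questions auglan raised in #6 and that kgantt's fix in #9 answers (does the ASA hold a return route and a pre-8.3 nat (inside) statement for every switch-side subnet?) and also compares the masks on the two ends of the switch-to-ASA link. It runs against constructed excerpts trimmed from the #9 configs; all function names are mine.

```python
"""Cross-check Catalyst 3750 SVI/routed-port subnets against an ASA 8.2 config.

Added example, not from the thread: checks that the ASA has a return route and a
NAT entry for every switch-side subnet and that the transit link masks agree."""
import ipaddress
import re

# Constructed excerpts of the final configs posted in #9 (trimmed to L3 lines).
SWITCH_CONFIG = """\
interface GigabitEthernet0/1
 no switchport
 ip address 10.109.109.2 255.255.252.0
interface Vlan16
 ip address 172.18.36.3 255.255.252.0
interface Vlan109
 ip address 192.168.109.5 255.255.255.0
"""
ASA_CONFIG = """\
interface Ethernet0/1
 nameif inside
 ip address 10.109.109.1 255.255.255.252
nat (inside) 1 10.109.109.0 255.255.255.0
nat (inside) 1 192.168.109.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
route inside 172.18.36.0 255.255.255.0 10.109.109.2 1
route inside 192.168.109.0 255.255.255.0 10.109.109.2 1
"""

_IF = re.compile(r"^interface (\S+)")
_ADDR = re.compile(r"^\s*ip address (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3})")
_NAMEIF = re.compile(r"^\s*nameif (\S+)")


def parse_interfaces(config):
    """Interface blocks that carry an address: name -> {'addr': IPv4Interface,
    'nameif': str or None}. Works for IOS SVIs/routed ports and ASA interfaces."""
    blocks, cur = {}, None
    for line in config.splitlines():
        m_if, m_addr, m_name = _IF.match(line), _ADDR.match(line), _NAMEIF.match(line)
        if m_if:
            cur = blocks.setdefault(m_if.group(1), {"addr": None, "nameif": None})
        elif cur is None:
            continue
        elif m_addr:
            cur["addr"] = ipaddress.IPv4Interface(f"{m_addr.group(1)}/{m_addr.group(2)}")
        elif m_name:
            cur["nameif"] = m_name.group(1)
    return {k: v for k, v in blocks.items() if v["addr"] is not None}


def _prefixes(config, pattern):
    """Networks built from the 'NET MASK' capture groups of each matching line."""
    pat = re.compile(pattern)
    return [ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
            for m in map(pat.match, config.splitlines()) if m]


def asa_routes(config, nameif):
    """Static routes out of the named interface: route <nameif> NET MASK GW [metric]."""
    return _prefixes(config, rf"^\s*route {re.escape(nameif)} (\S+) (\S+) \S+")


def asa_nat_sources(config, nameif):
    """Pre-8.3 dynamic NAT sources: nat (<nameif>) ID NET MASK."""
    return _prefixes(config, rf"^\s*nat \({re.escape(nameif)}\) \d+ (\S+) (\S+)")


def covered(net, entries):
    """True if an entry equals or contains net. A narrower entry (a /24 route for
    a /22 SVI) does not count: hosts outside it would have no return path."""
    return any(net.subnet_of(e) for e in entries)


def audit(switch_cfg, asa_cfg, nameif="inside"):
    """List switch subnets lacking an ASA return route or NAT entry, and flag a
    mask mismatch on the directly connected transit link to the ASA."""
    asa_if = next(v["addr"] for v in parse_interfaces(asa_cfg).values()
                  if v["nameif"] == nameif)
    routes, nats = asa_routes(asa_cfg, nameif), asa_nat_sources(asa_cfg, nameif)
    report = {"transit": None, "mask_mismatch": False, "missing_route": [], "missing_nat": []}
    for name, info in parse_interfaces(switch_cfg).items():
        net = info["addr"].network
        if asa_if.ip in net or info["addr"].ip in asa_if.network:
            # The link to the ASA is directly connected, so no route is needed,
            # but both ends must agree on the prefix length.
            report["transit"] = name
            report["mask_mismatch"] = net.prefixlen != asa_if.network.prefixlen
            continue
        if not covered(net, routes):
            report["missing_route"].append(str(net))
        if not covered(net, nats):
            report["missing_nat"].append(str(net))
    return report
```

Running audit(SWITCH_CONFIG, ASA_CONFIG) reports the voice VLAN subnet as lacking both a matching route and a NAT entry (the ASA entries are /24 while the SVI is /22) and flags the /22 versus /30 masks on the Gi0/1 link.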