2 vlan in switch and dhcp server 2008 and ASA firewall

  • 2 vlan in switch and dhcp server 2008 and ASA firewall

    dear all

    I need help with a problem

    I have 2 vlan switch 3560
    vlan 1
    ip address 10.46.0.0 255.255.255.0
    ip helper 10.46.10.10

    vlan 2
    ip address 10.46.10.0 255.255.255.0
    ip helper 10.46.10.10

    ip default gateway 10.46.0.5 .....this ip for ASA

    ip route 0.0.0.0 0.0.0.0 10.46.0.5

    in dhcp server I create 2 scope
    10.46.0.0 .........gateway 10.46.0.1
    10.46.10.0 .......gateway 10.46.10.1

    in ASA I did this route
    route inside 10.46.10.0 255.255.255.0 10.46.0.10 1............10.46.0.10 switch ip

    problem ?
    so now no ping between server in vlan 2 and pc in vlan 1
    even also no internet in vlan 1

    I did ip routing in the switch 3560

    so I need help for my issue

    thanks a lot

  • #2
    Re: 2 vlan in switch and dhcp server 2008 and ASA firewall

    OK, so your switch is a router. In order for that to work, the ip addresses on VLAN 1 and VLAN 2 have to be host addresses, and you have them set as the network name. So those aren't valid as written. Based on the ASA routing entry and the DHCP scope definitions, it looks like Vlan1 should be 10.46.0.1 255.255.255.0, and Vlan2 should be 10.46.10.1 255.255.255.0.

    Also, when the DHCP server is in the local subnet, an ip helper entry isn't needed. So that entry under Vlan 2 can be removed.

    But, in the same ASA routing entry mentioned earlier, you call out that the switch IP is 10.46.0.10. Where in the switch running config is that set? How are the switch and the ASA connected? That will be the final fix, when we know more.
    *RicklesP*
    MSCA (2003/XP), Security+, CCNA

    ** Remember: credit where credit is due, and reputation points as appropriate **



    • #3
      Re: 2 vlan in switch and dhcp server 2008 and ASA firewall

      ASAs will refuse to route packets out the same interface they arrived on.

      In this case, I'm betting the PCs in the "outer" network (with the ASA) are using the ASA as their default gateway. When they try to reply to requests from hosts in the "inner" network (behind the L3 switch), packets are sent to the ASA which summarily drops them.

      Solution: Use the L3 switch as the default g/w in the "outer" network, and add a default route on the L3 switch pointing to the ASA.

      Also, make sure both the access rules and the NAT rules on the ASA cover the network behind the L3 switch, otherwise that network will have no Internet connectivity.

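Putting replies #2 and #3 together, here is an added example (not from the original thread) of what the corrected switch and ASA configuration could look like. It assumes the ASA's inside interface sits in VLAN 1 at 10.46.0.5, interface names "inside" and "outside", ASA 8.3+ object NAT syntax, and that the ASA's route into VLAN 2 should point at the VLAN 1 SVI rather than the post's unexplained 10.46.0.10; the Windows DHCP scopes from the post already hand out 10.46.0.1 and 10.46.10.1 as gateways, so they match the SVI addresses below.

```cisco
! ===== Catalyst 3560 (L3 switch): corrected per replies #2 and #3 =====
! Assumption: the ASA's inside interface is plugged into VLAN 1 at
! 10.46.0.5, so the VLAN 1 SVI is both the PCs' gateway and the ASA's
! next hop into VLAN 2 (the post's 10.46.0.10 is never shown configured).
ip routing
!
interface Vlan1
 description outer network; DHCP server is off-subnet, so relay is needed
 ip address 10.46.0.1 255.255.255.0
 ip helper-address 10.46.10.10
!
interface Vlan2
 description inner network; DHCP server 10.46.10.10 lives here, no relay
 ip address 10.46.10.1 255.255.255.0
!
! Everything the switch has no route for goes to the ASA (reply #3)
ip route 0.0.0.0 0.0.0.0 10.46.0.5

! ===== ASA: corrected per reply #3 (assumes 8.3+ object NAT syntax and =====
! ===== interface names "inside" 10.46.0.5/24 and "outside")            =====
! Return path into VLAN 2 now points at the VLAN 1 SVI, not 10.46.0.10
route inside 10.46.10.0 255.255.255.0 10.46.0.1 1
!
! NAT must cover BOTH internal subnets or VLAN 2 gets no Internet
object network VLAN1-NET
 subnet 10.46.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network VLAN2-NET
 subnet 10.46.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Access rules likewise have to include 10.46.10.0/24; tighten "any"
! to the destinations/ports actually required once it works
access-list INSIDE_IN extended permit ip 10.46.0.0 255.255.255.0 any
access-list INSIDE_IN extended permit ip 10.46.10.0 255.255.255.0 any
access-group INSIDE_IN in interface inside
```

With the PCs in VLAN 1 using 10.46.0.1 as their gateway, replies to VLAN 2 hosts are routed by the switch directly and never reach the ASA, which is what avoids the same-interface drop reply #3 describes.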
