Using CISCO ASA 5510 as layer 3 for inter-Vlan routing

Discussion in 'Cisco' started by WabukiSensei, Dec 1, 2006.

  1. WabukiSensei
    Hi, newbie to the forums.


    I'm currently working on a project where I have to use a Cisco ASA 5510 as a router-on-a-stick for my network, due to the resources I am limited to. Initially my whole network was working fine with subinterfaces configured on the device, each placed in a separate VLAN. After a few days of leaving the entire system off, I turned the system back on only to discover that the device is currently disconnected from the rest of the network, and I can no longer do inter-VLAN routing because of this. Pinging the ASA results in nothing, but pinging from the ASA to other devices shows question marks:


    ciscoasa# ping 192.168.2.2
    Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
    ?????
    Success rate is 0 percent (0/5)
    ciscoasa#


    Wondering if the device itself could not connect to any other devices, I set up a connectivity test, basically by assigning an ip address to one interface and another ip address within the same subnet to the neighbor's interface and they are able to ping each other.

    It seems when I set it up for vlan communication, the ASA router cannot detect anything. Below is the running-config unedited:


    ciscoasa# show run
    : Saved
    :
    ASA Version 7.0(5)
    !
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    names
    dns-guard
    !
    interface Ethernet0/0
    nameif inside
    security-level 100
    ip address 192.168.0.254 255.255.255.0
    !
    interface Ethernet0/0.1
    vlan 1
    nameif VL_1
    security-level 100
    no ip address
    !
    interface Ethernet0/0.2
    vlan 2
    nameif VL_2
    security-level 100
    ip address 192.168.2.254 255.255.255.0
    !
    interface Ethernet0/0.3
    vlan 3
    nameif VL_3
    security-level 100
    ip address 192.168.3.254 255.255.255.0
    !
    interface Ethernet0/1
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    shutdown
    no nameif
    no security-level
    no ip address
    management-only
    !
    passwd 2KFQnbNIdI.2KYOU encrypted
    ftp mode passive
    same-security-traffic permit inter-interface
    pager lines 24
    mtu inside 1500
    mtu VL_1 1500
    mtu VL_2 1500
    mtu VL_3 1500
    icmp permit any inside
    icmp permit any echo inside
    icmp permit any echo-reply inside
    no asdm history enable
    arp timeout 14400
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    telnet 192.168.0.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map global_policy
    class inspection_default
    inspect dns maximum-length 512
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    !
    service-policy global_policy global
    Cryptochecksum:80b5d280306638f7a2c92c15e3c18008
    : end
    ciscoasa#


    I'd like to point out that this section of the config:

    interface Ethernet0/0
    nameif inside
    security-level 100
    ip address 192.168.0.254 255.255.255.0
    !
    interface Ethernet0/0.1
    vlan 1
    nameif VL_1
    security-level 100
    no ip address

    the original working setup was to have the ip address 192.168.0.254 255.255.255.0 command assigned to int e0/0.1 (it was working before this problem came up) but doing that and trying to ping the subinterface would result in the 'question mark pings' as I previously mentioned. Letting int e0/0 have the ip address allows for ping connectivity, but only to that ip address. All the other subinterfaces configured are unreachable from other devices.

    This running-config was working, give or take a few commands (that might potentially take care of the problem) which I can't remember. Did I miss a few crucial commands to enable connectivity?

    Appreciate all the help!
     
    WabukiSensei, Dec 1, 2006
    #1

  2. globalchicken
    From first glance, yes, that's what I noticed. The IP address is assigned to the main interface. Now I am not sure that working on an ASA is any different from working on a 26xx, 37xx, etc., but the IP address has to be on the subinterfaces; the main interface cannot have an IP. The interface has to be up, and the switchport on your switch that connects to it has to be a TRUNKing port. Have you checked that yet?
    Also, not having any experience with the ASA, is there a way to define your encapsulation type, as I don't see that? Either ISL (if supported), but preferably dot1q.
    http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080636f42.html#wp1044006

    I found a link that describes that dot1q is the encapsulation type; this link also describes configuring your ASA subinterfaces.

    Like I said above maybe check your switch and ensure the link is trunked.

    Check out this note that I found on the above link:

    If you use subinterfaces, you typically do not also want the physical interface to pass traffic, because the physical interface passes untagged packets. Because the physical interface must be enabled for the subinterface to pass traffic, ensure that the physical interface does not pass traffic by leaving out the nameif command. If you want to let the physical interface pass untagged packets, you can configure the nameif command as usual.

    I would reconfigure the interface as such according to the documentation:

    interface Ethernet0/0
    security-level 100

    !
    interface Ethernet0/0.1
    vlan 1
    nameif VL_1
    security-level 100
    ip address 192.168.0.254 255.255.255.0


    In your opinion, what is the difference between the PIX and the ASA?
    Also, what is the purpose of the security-level command?

    M
     
    Last edited: Dec 1, 2006
    globalchicken, Dec 1, 2006
    #2

  3. WabukiSensei

    Thanks for the reply. The original configuration (when it was working) isn't supposed to have an IP on the physical interface; I just put it there because assigning the IP to int e0/0.1 wasn't working (none of the subinterfaces were working). I was only able to obtain connectivity via the physical interface, so I did that just for testing purposes.

    Yes, the ASA does automatically make it dot1q capable. In terms of trunking, the firewall is connected to a non-Cisco device and as I mentioned earlier, was working fine before this (for some reason the switch doesn't have any trunking capabilities).

    Since all the devices are internal, or on the 'inside' I needed to set them all to the same security level and then enable the 'same-security-traffic permit inter-interface' so that they could communicate with each other.

    Regarding the differences between the ASA and PIX, I'm not too sure about any differences since I've had limited exposure to them. So far they seem to be pretty much the same in terms of OS and commands.

    I guess the main issue that I'm facing is that my configuration was working for a certain time, then when I powered the firewall back on after turning it off for a few days, the firewall just wouldn't cooperate anymore (with the exact same configs). But I do appreciate your suggestion and will continue to figure out what's wrong.

    Thanks
     
    WabukiSensei, Dec 4, 2006
    #3
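As an added example (not from this thread, and not Cisco's own tooling), here is a small Python linter that applies the points made in the two posts above to a pasted ASA "show run": a physical interface that keeps its nameif while carrying subinterfaces (the untagged-traffic note quoted from the Cisco doc), a named subinterface with "no ip address", a subinterface whose parent is shut down, and "same-security-traffic permit inter-interface" with every named interface at the same security-level and no access-group bound. The sample config is a constructed, trimmed copy of the one posted above; the parser assumes each interface block is terminated by "!" as the ASA prints it, and the finding codes are names I chose for this example.

```python
import re

# Constructed sample: the interface section of the config posted above,
# trimmed to the lines these checks look at.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.0.254 255.255.255.0
!
interface Ethernet0/0.1
 vlan 1
 nameif VL_1
 security-level 100
 no ip address
!
interface Ethernet0/0.2
 vlan 2
 nameif VL_2
 security-level 100
 ip address 192.168.2.254 255.255.255.0
!
same-security-traffic permit inter-interface
"""


def parse_config(config):
    """Return ({interface: attributes}, set of top-level command lines).
    Assumes each interface block ends with '!' as the ASA prints it;
    indentation is ignored because pasted configs usually lose it."""
    interfaces, top_level, cur = {}, set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith(":"):  # blank or ': Saved' header
            continue
        if line == "!":
            cur = None
            continue
        m = re.fullmatch(r"interface (\S+)", line)
        if m:
            cur = {"nameif": None, "ip": None, "vlan": None,
                   "security_level": None, "shutdown": False}
            interfaces[m.group(1)] = cur
            continue
        if cur is None:
            top_level.add(line)
            continue
        w = line.split()
        if w[0] == "no" and len(w) > 1:  # 'no nameif', 'no ip address', ...
            key = {"nameif": "nameif", "ip": "ip", "security-level": "security_level"}.get(w[1])
            if key:
                cur[key] = None
        elif w[0] == "nameif" and len(w) > 1:
            cur["nameif"] = w[1]
        elif w[:2] == ["ip", "address"] and len(w) >= 4:
            cur["ip"] = (w[2], w[3])
        elif w[0] == "vlan" and len(w) > 1:
            cur["vlan"] = int(w[1])
        elif w[0] == "security-level" and len(w) > 1:
            cur["security_level"] = int(w[1])
        elif w[0] == "shutdown":
            cur["shutdown"] = True
    return interfaces, top_level


def lint(config):
    """Return a list of (code, where, message); the codes are names chosen here."""
    interfaces, top_level = parse_config(config)
    findings = []
    for name, intf in interfaces.items():
        if "." in name:  # subinterface: needs a VLAN tag, an IP, and a live parent
            parent_name = name.split(".")[0]
            parent = interfaces.get(parent_name)
            if intf["vlan"] is None:
                findings.append(("SUBIF_NO_VLAN", name, "no 'vlan' tag, so it never receives traffic"))
            if intf["nameif"] and intf["ip"] is None:
                findings.append(("SUBIF_NO_IP", name, f"'{intf['nameif']}' has no IP address and cannot be the gateway for VLAN {intf['vlan']}"))
            if parent is not None and parent["shutdown"]:
                findings.append(("PARENT_SHUTDOWN", name, f"parent {parent_name} is shut down, so this subinterface is down too"))
        elif intf["nameif"] and any(n.startswith(name + ".") for n in interfaces):
            # physical interface with nameif: untagged frames land in that zone
            findings.append(("PHYS_NAMEIF_WITH_SUBIFS", name, f"carries subinterfaces but still has nameif '{intf['nameif']}'; remove nameif and the IP unless untagged access is intended"))
    named = [i for i in interfaces.values() if i["nameif"]]
    if ("same-security-traffic permit inter-interface" in top_level
            and len(named) > 1
            and len({i["security_level"] for i in named}) == 1
            and not any(cmd.startswith("access-group ") for cmd in top_level)):
        findings.append(("UNFILTERED_INTER_VLAN", "global", "all named interfaces share one security-level, inter-interface traffic is permitted and no access-group is bound: the ASA routes between VLANs with no ACL"))
    return findings


if __name__ == "__main__":
    for code, where, msg in lint(SAMPLE_CONFIG):
        print(f"{code:24} {where:14} {msg}")
```

Run the file directly to print the findings for the sample; on the posted config it reports the nameif on Ethernet0/0, the missing address on Ethernet0/0.1 and the unfiltered inter-VLAN forwarding. The last check is the security caveat rather than a connectivity one: with every subinterface at security-level 100 and inter-interface traffic permitted, the ASA is a plain router between the VLANs and filters nothing, which is only acceptable if VLAN separation is not meant to be a security boundary. Otherwise bind an access-list to each subinterface with access-group, or give the zones different security levels so the default deny for lower-to-higher traffic applies.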
  4. globalchicken
    Thanks for that good info. The only thing that I do not understand is that you said your non-Cisco switch does not support trunking. How then do you allow multiple VLANs to traverse that one link and have your ASA recognize them as being in different VLANs with different subnets? Trunking would allow all VLANs, or at least the ones you specify, to travel over that link and communicate with the appropriate subinterface. I would still consider looking into the switch. Like I said, it does not make sense that your switch is not trunking.
     
    globalchicken, Dec 5, 2006
    #4
  5. WabukiSensei
    Glad to help out! Regarding the non-Cisco switch, I believe it is because the way they make different VLANs communicate with each other is a bit different. It gets the job done, but I wouldn't call it trunking. Honestly, I'm not too sure how it works either; it just happened to work after we were messing around with the settings for those switches :|

    On another note, we've decided to try another alternative for the system we're doing, and we won't be using the firewall for layer 3 purposes anymore (couldn't figure out the problem). This is actually a better solution than using the firewall, and I am more comfortable with this design, hehe.
     
    Last edited: Dec 8, 2006
    WabukiSensei, Dec 6, 2006
    #5