ASA multiple VLAN intercommunication and a Dell managed switch

Discussion in 'Cisco' started by justin_ltg, Oct 6, 2007.

  1. justin_ltg

    justin_ltg Guest

    Trying to figure this out, and am stumped.

    I have an ASA 5505 with 3 VLANs configured.

    1 - Outside vlan 1 eth0/0 to internet nat'd
    2 - Inside vlan 2 eth0/1 to 10.0.0.x network (ip 10.0.0.1)
    3 - Sungard vlan 3 port eth0/2 to 10.0.0.x network (ip 10.0.4.100)

    For VLANs 1 and 2 everything is fine as that was the original
    config. I added VLAN3 because I want my clients (PCs) to be able to
    fail over to and access high-availability servers. The gateway to
    these servers is 10.0.4.25. So my Cisco ISR and ASA eth0/2 are
    plugged into the same layer 2 switch, ports 1 and 2 (which is managed
    and does support VLANs).

    When I originally set up the ASA to accomplish this task, I was
    sporadically able to ping 10.0.4.25 from the ASA as well as the
    high-availability servers in the 10.0.2.x range from the ASA. It would
    ping but packets would drop, and sometimes no replies at all. The
    PCs, however, were not able to do this.

    I called Cisco, the guy looked at my ASA config and said it looked
    good. He said what I needed to do was set up a separate VLAN on my
    switch, and plug Vlan3 from the ASA and the eth0/1 ISR port with IP
    10.0.4.25 into those designated switch VLAN ports, and then the
    traffic would be routed by the ASA to the appropriate spots if traffic
    from my PCs (10.0.0.x range) came to their default gateway of the ASA
    (10.0.0.1) looking for 10.0.4.x traffic.

    So I am like, fine, sounds simple enough. So I set up 2 ports on my
    switch in VLAN2 and assigned VLAN2 an IP of 10.0.4.1.

    My PCs (10.0.0.x) and the ASA (10.0.4.100) and the ISR (10.0.4.25)
    can all ping the VLAN2 IP (10.0.4.1) of the switch.

    I'm like, great, progress. Well, of course, one issue is my 10.0.0.x
    traffic still can't ping 10.0.4.x interfaces. Okay, so this sounds
    like a trunking problem, I can work on that (either that or the ASA
    isn't routing the traffic whatsoever). I assumed, since the Cisco
    engineer said everything was good, that it is good to go.

    HOWEVER, the big question is, and this is the curve ball: my ASA
    (10.0.4.100) cannot ping the ISR (10.0.4.25), and they are in the same
    VLAN on the switch! (I know the ISR is set up correctly, because I can
    ping from my servers with static routes set in Windows to the ISR.) I
    also have my access list set up correctly on the ASA.

    Please, any insight would be most appreciated, as I am, like we all
    are, on a time schedule.


    Here is the ASA config

    ASA Version 7.2(2)
    !
    hostname rfgasa
    domain-name xxx.com
    enable password gVS2wdA63vY9dM4F encrypted
    names
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.0.0.1 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address 68.x.x.x 255.255.255.224
    !
    interface Vlan3
    description static route to sungard
    nameif sungard
    security-level 99
    ip address 10.0.4.100 255.255.255.0
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    description physical sungard static route port
    switchport access vlan 3
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    passwd jtwS04SN/D4dwlvP encrypted
    ftp mode passive
    dns server-group DefaultDNS
    domain-name rfginc.com
    access-list rfg extended permit icmp any any echo-reply
    access-list rfg extended permit icmp any any time-exceeded
    access-list rfg extended permit icmp any any unreachable
    access-list rfg extended permit tcp any host x.x.x.80 eq www
    access-list rfg extended permit tcp any host x.x.x.86 eq www
    access-list rfg extended permit tcp any host x.x.x.88 eq www
    access-list rfg extended permit tcp any host x.x.x.70 eq www
    access-list rfg extended permit tcp any host x.x.x.75 eq www
    access-list rfg extended permit tcp any host x.x.x.69 eq www
    access-list rfg extended permit tcp any host x.x.x.72 eq www
    access-list rfg extended permit tcp any host x.x.x.67 eq https
    access-list rfg extended permit tcp any host x.x.x.80 eq https
    access-list rfg extended permit tcp any host x.x.x.72 eq https
    access-list rfg extended permit tcp any host x.x.x.82 eq https
    access-list rfg extended permit tcp any host x.x.x.68 eq 3389
    access-list rfg extended permit tcp any host x.x.x.71 eq 3389
    access-list rfg extended permit tcp any host x.x.x.77 eq 3389
    access-list rfg extended permit tcp any host x.x.x.78 eq 3389
    access-list rfg extended permit tcp any host x.x.x.76 eq 3389
    access-list rfg extended permit tcp any host x.x.x.81 eq 3389
    access-list rfg extended permit tcp any host x.x.x.67 eq ssh
    access-list rfg extended permit tcp any host x.x.x.79 eq ssh
    access-list rfg extended permit tcp any host x.x.x.73 eq 990
    access-list rfg extended permit tcp any host x.x.x.74 eq 990
    access-list rfg extended permit tcp any host x.x.x.73 eq 10023
    access-list rfg extended permit tcp any host x.x.x.74 eq 10039
    access-list rfg extended permit tcp any host x.x.x.71 eq smtp
    access-list rfg extended permit tcp any host x.x.x.82 eq www
    access-list rfg extended permit tcp any host x.x.x.89 eq 3389
    access-list rfg extended permit tcp any host x.x.x.83 eq 3389
    access-list rfg extended permit tcp any host x.x.x.84 eq 3389
    access-list rfg extended permit tcp any host x.x.x.85 eq 3389
    access-list rfg extended permit tcp host 10.0.4.100 any
    access-list VPN extended permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
    access-list VPN extended permit ip 10.0.0.0 255.0.0.0 192.168.2.0 255.255.255.0
    access-list VPN extended permit ip 10.0.0.0 255.0.0.0 192.168.3.0 255.255.255.0
    access-list VPN extended permit ip 10.0.0.0 255.0.0.0 192.168.4.0 255.255.255.0
    access-list VPN extended permit ip 10.0.0.0 255.0.0.0 10.0.1.0 255.255.255.0
    access-list sungard extended permit tcp any any
    access-list sungard extended permit icmp any any echo-reply
    access-list sungard extended permit icmp any any time-exceeded
    access-list sungard extended permit icmp any any unreachable
    access-list sungard extended permit icmp any any
    pager lines 24
    logging enable
    logging monitor debugging
    logging trap debugging
    logging asdm informational
    logging host inside 10.0.0.19
    logging debug-trace
    mtu inside 1500
    mtu outside 1500
    mtu sungard 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-522.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 x.x.x.92-x.x.x.94
    global (outside) 1 interface
    global (outside) 1 x.x.x.90
    global (outside) 1 x.x.x.91
    global (sungard) 1 interface
    nat (inside) 0 access-list VPN
    nat (inside) 1 10.0.0.0 255.255.255.0
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp x.x.x.80 www 10.0.0.5 www netmask 255.255.255.255
    static (inside,outside) tcp x.x.x.86 www 10.0.0.14 www netmask 255.255.255.255
    static (inside,outside) tcp x.x.x.88 www 10.0.0.16 www netmask 255.255.255.255
    static (inside,outside) tcp x.x.x.70 www 10.0.0.18 www netmask 255.255.255.255
    static (inside,outside) tcp x.x.x.75 www 10.0.0.27 www netmask 255.255.255.255
    static (inside,outside) tcp x.x.x.69 www 10.0.0.11 www netmask 255.255.255.255
    static (inside,outside) tcp x.x.x.72 www 10.0.0.6 www netmask 255.255.255.255
    static (inside,outside) tcp x.x.x.82 https 10.0.0.7 https netmask 255.255.255.255
    static (inside,outside) tcp x.x.x.68 3389 10.0.0.9 3389 netmask 255.255.255.255
    static (inside,outside) tcp x.x.x.71 3389 10.0.0.17 3389 netmask 255.255.255.255
    static (inside,outside) tcp x.x.x.72 https 10.0.0.6 https netmask 255.255.255.255
    static (inside,outside) tcp x.x.x.82 www 10.0.0.7 www netmask 255.255.255.255
    static (inside,outside) tcp x.x.x.77 3389 10.0.0.36 3389 netmask 255.255.255.255
    static (inside,outside) tcp x.x.x.78 3389 10.0.0.7 3389 netmask 255.255.255.255
    static (inside,outside) tcp x.x.x.76 3389 10.0.0.8 3389 netmask 255.255.255.255
    static (inside,outside) tcp x.x.x.81 3389 10.0.0.4 3389 netmask 255.255.255.255
    static (inside,outside) tcp x.x.x.79 ssh 10.0.0.7 ssh netmask 255.255.255.255
    static (inside,outside) tcp x.x.x.73 990 10.0.0.23 990 netmask 255.255.255.255
    static (inside,outside) tcp x.x.x.74 990 10.0.0.5 990 netmask 255.255.255.255
    static (inside,outside) tcp x.x.x.74 10039 10.0.0.5 10039 netmask 255.255.255.255
    static (inside,outside) tcp x.x.x.71 smtp 10.0.0.17 smtp netmask 255.255.255.255
    static (inside,outside) tcp x.x.x.73 10023 10.0.0.23 10023 netmask 255.255.255.255
    static (inside,outside) tcp x.x.x.89 3389 10.0.0.95 3389 netmask 255.255.255.255
    static (inside,outside) tcp x.x.x.83 3389 10.0.0.169 3389 netmask 255.255.255.255
    static (inside,outside) tcp x.x.x.84 3389 10.0.0.6 3389 netmask 255.255.255.255
    static (inside,outside) tcp x.x.x.85 3389 10.0.0.41 3389 netmask 255.255.255.255
    access-group rfg in interface outside
    access-group sungard in interface sungard
    route outside 0.0.0.0 0.0.0.0 x.x.x.65 1
    route sungard 10.0.2.0 255.255.255.0 10.0.4.25 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
    aaa authentication ssh console LOCAL
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set dynes esp-des esp-md5-hmac
    crypto ipsec transform-set cbcco esp-des esp-md5-hmac
    crypto ipsec transform-set blair esp-des esp-md5-hmac
    crypto dynamic-map cisco 1 set transform-set dynes
    crypto map dyn-map 20 ipsec-isakmp dynamic cisco
    crypto map dyn-map interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption des
    hash md5
    group 1
    lifetime 86400
    crypto isakmp nat-traversal 20
    tunnel-group DefaultL2LGroup ipsec-attributes
    pre-shared-key *
    isakmp keepalive disable
    tunnel-group x.x.x.2 type ipsec-l2l
    tunnel-group x.x.x.2 ipsec-attributes
    pre-shared-key *
    tunnel-group x.x.x.14 type ipsec-l2l
    tunnel-group x.x.x.14 ipsec-attributes
    pre-shared-key *
    tunnel-group DefaultL2Lgroup type ipsec-l2l
    telnet 10.0.0.0 255.255.255.0 inside
    telnet timeout 1440
    ssh x.x.x.140 255.255.255.255 outside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 60
    console timeout 0

    !
    class-map class_sip_tcp
    match port tcp eq sip
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect rsh
    inspect rtsp
    inspect sqlnet
    inspect sunrpc
    inspect xdmcp
    inspect netbios
    class class_sip_tcp
    inspect sip
    !
    service-policy global_policy global
    tftp-server inside 10.0.0.176 TFTP
    prompt hostname context
    Cryptochecksum:ddcf0bb2275e5337b7edca35fad99809
    : end
    rfgasa#

    thank you for any help.
     
    justin_ltg, Oct 6, 2007
    #1
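An added example, not code from the thread or from Cisco: a small model of the forwarding decision the ASA makes for the configuration posted above. It does longest-prefix lookup over the connected VLAN networks and the static routes, then applies the ASA 7.x policy rule: if an inbound access-group is bound to the ingress interface that ACL decides, otherwise only higher-to-lower security-level traffic passes. It shows what the config alone already determines: inside hosts are routed to 10.0.4.25 directly on sungard and to 10.0.2.x via 10.0.4.25, so when the ASA itself cannot ping its directly connected neighbour the fault is below layer 3, not in routing or policy. The config text embedded in the script is a constructed excerpt of the post; the post masks public addresses as x.x.x.N, and RFC 5737 documentation addresses stand in for them so the lines parse. NAT and port numbers are not modelled.

```python
import ipaddress

# Constructed excerpt of the posted rfgasa config. The post masks public
# addresses as x.x.x.N; RFC 5737 documentation addresses (203.0.113.0/24)
# stand in for them here so the lines parse. Private addresses are as posted.
ASA_CONFIG = """
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.70 255.255.255.224
interface Vlan3
 nameif sungard
 security-level 99
 ip address 10.0.4.100 255.255.255.0
access-list sungard extended permit tcp any any
access-list sungard extended permit icmp any any
access-group sungard in interface sungard
route outside 0.0.0.0 0.0.0.0 203.0.113.65 1
route sungard 10.0.2.0 255.255.255.0 10.0.4.25 1
"""


def parse_asa(text):
    """Pull interfaces, static routes, ACLs and access-groups out of ASA 7.x config text."""
    ifaces, routes, acls, groups, cur = {}, [], {}, {}, {}
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "interface":
            cur = {}
        elif tok[0] == "nameif":
            ifaces[tok[1]] = cur
        elif tok[0] == "security-level":
            cur["level"] = int(tok[1])
        elif tok[:2] == ["ip", "address"]:
            cur["network"] = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
        elif tok[0] == "route":            # route IF NET MASK NEXTHOP METRIC
            routes.append((ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False),
                           tok[1], ipaddress.ip_address(tok[4])))
        elif tok[0] == "access-list":      # access-list NAME extended ACTION PROTO SRC DST ...
            acls.setdefault(tok[1], []).append(tok[3:])
        elif tok[0] == "access-group":     # access-group NAME in interface IF
            groups[tok[4]] = tok[1]
    return ifaces, routes, acls, groups


def egress(dst, ifaces, routes):
    """Longest-prefix match over connected networks and static routes.
    Returns (nameif, next_hop); next_hop is dst itself on a connected network."""
    dst = ipaddress.ip_address(dst)
    best = (-1, None, None)
    for name, i in ifaces.items():
        if dst in i["network"] and i["network"].prefixlen > best[0]:
            best = (i["network"].prefixlen, name, dst)
    for net, name, nh in routes:
        if dst in net and net.prefixlen > best[0]:
            best = (net.prefixlen, name, nh)
    return best[1], best[2]


def _match(tokens, addr):
    """Consume one ACL address term (any | host X | NET MASK); return (matched, rest)."""
    if tokens[0] == "any":
        return True, tokens[1:]
    if tokens[0] == "host":
        return addr == ipaddress.ip_address(tokens[1]), tokens[2:]
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return addr in net, tokens[2:]


def acl_permits(rules, proto, src, dst):
    """First-match evaluation with the implicit deny at the end; port operators
    after the destination are ignored (the thread's relevant rules have none)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        action, rproto, rest = rule[0], rule[1], rule[2:]
        if rproto not in (proto, "ip"):
            continue
        s_ok, rest = _match(rest, src)
        d_ok, _ = _match(rest, dst)
        if s_ok and d_ok:
            return action == "permit"
    return False


def forward(src, dst, proto, cfg):
    """Decide how the ASA handles a packet: ingress and egress interfaces, next hop,
    and whether policy passes it. With an inbound ACL on the ingress interface the
    ACL decides; without one, only higher-to-lower security-level traffic passes."""
    ifaces, routes, acls, groups = cfg
    in_if, _ = egress(src, ifaces, routes)        # same lookup the RPF check uses
    out_if, next_hop = egress(dst, ifaces, routes)
    if in_if in groups:
        allowed = acl_permits(acls[groups[in_if]], proto, src, dst)
    else:
        allowed = ifaces[in_if]["level"] > ifaces[out_if]["level"]
    return {"in": in_if, "out": out_if, "next_hop": str(next_hop), "allowed": allowed}


if __name__ == "__main__":
    cfg = parse_asa(ASA_CONFIG)
    for src, dst, proto in [("10.0.0.50", "10.0.4.25", "icmp"),   # PC -> ISR
                            ("10.0.0.50", "10.0.2.10", "tcp"),    # PC -> HA server
                            ("10.0.2.10", "10.0.0.5", "tcp"),     # HA server -> inside
                            ("10.0.2.10", "10.0.0.5", "udp")]:
        print(src, "->", dst, proto, forward(src, dst, proto, cfg))
```

The third case is the caveat: `access-list sungard extended permit tcp any any`, bound inbound on sungard, is what lets the Sungard side (security level 99) open any TCP connection to anything on inside (level 100); the security-level ordering plays no part once that ACL is bound, so it is the line to tighten to the HA servers' addresses and ports once the layer 2 problem is solved.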

  2. justin_ltg

    justin_ltg Guest

    Never mind. I'm a monkey.

    First mistake: um, switchport counts go vertical, top to bottom, then
    to the right.

    Second mistake: made switchport 1 a trunk port (plugged into the ASA),
    made switchport 3!!!!!!!! an access port (plugged into the ISR)!!!

    It's Miller time.
     
    justin_ltg, Oct 6, 2007
    #2
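Why each of the two mistakes in this reply leaves the ASA and the ISR in different broadcast domains even though both cables are in the same switch, as an added example that is not part of the thread: a minimal 802.1Q port model (access ports carry one VLAN untagged; a trunk assigns untagged frames to its native VLAN and sends every other allowed VLAN tagged). The ASA's eth0/2 is `switchport access vlan 3`, so it sends and accepts untagged frames only, and the ISR's routed port does the same. The port tables are constructed from the reply; that the untouched port 3 sat in VLAN 1 as an access port and that the trunk's native VLAN was 1 are assumptions (the usual defaults), and the mode/vlan/native/allowed keys are this example's own notation, not any switch's CLI.

```python
# Constructed port tables for the switch states the reply describes. Keys are
# this example's own notation, not a switch CLI. Assumed defaults: an untouched
# port is an access port in VLAN 1, and a trunk's native (untagged) VLAN is 1.
MISCOUNTED = {            # "ports 1 and 2" configured, but the ISR cable sat in port 3
    1: {"mode": "access", "vlan": 3},
    2: {"mode": "access", "vlan": 3},
    3: {"mode": "access", "vlan": 1},
}
TRUNK_MISMATCH = {        # port 1 made a trunk for the ASA, port 3 access VLAN 3 for the ISR
    1: {"mode": "trunk", "native": 1, "allowed": {1, 2, 3}},
    3: {"mode": "access", "vlan": 3},
}
FIXED = {                 # both ends plain access ports in VLAN 3
    1: {"mode": "access", "vlan": 3},
    3: {"mode": "access", "vlan": 3},
}
ASA_PORT, ISR_PORT = 1, 3   # ASA eth0/2 (access vlan 3) and ISR eth0/1 (10.0.4.25)


def classify(port, tag=None):
    """VLAN the switch assigns to a frame entering `port`, or None if it drops it.
    Untagged frames take the access VLAN or the trunk's native VLAN; tagged frames
    only enter a trunk that allows that VLAN."""
    if port["mode"] == "access":
        return port["vlan"] if tag is None else None
    if tag is None:
        return port["native"]
    return tag if tag in port["allowed"] else None


def egress_form(port, vlan):
    """'untagged', 'tagged', or None depending on how `port` would send `vlan`."""
    if port["mode"] == "access":
        return "untagged" if port["vlan"] == vlan else None
    if vlan not in port["allowed"]:
        return None
    return "untagged" if vlan == port["native"] else "tagged"


def reaches(switch, src_port, dst_port, src_tag=None, dst_accepts_tagged=False):
    """Whether a frame from the host on src_port is delivered to the host on
    dst_port in a form that host accepts (ARP never completes otherwise)."""
    vlan = classify(switch[src_port], src_tag)
    if vlan is None:
        return {"vlan": None, "delivered": False, "why": f"port {src_port} drops the frame"}
    form = egress_form(switch[dst_port], vlan)
    if form is None:
        return {"vlan": vlan, "delivered": False,
                "why": f"port {dst_port} does not carry VLAN {vlan}"}
    if form == "tagged" and not dst_accepts_tagged:
        return {"vlan": vlan, "delivered": False,
                "why": f"port {dst_port} sends VLAN {vlan} tagged; host expects untagged"}
    return {"vlan": vlan, "delivered": True, "why": f"VLAN {vlan}, {form} on port {dst_port}"}


if __name__ == "__main__":
    for label, sw in [("miscounted ports", MISCOUNTED),
                      ("trunk on the ASA port", TRUNK_MISMATCH),
                      ("fixed", FIXED)]:
        print(label)
        print("  ASA -> ISR:", reaches(sw, ASA_PORT, ISR_PORT))
        print("  ISR -> ASA:", reaches(sw, ISR_PORT, ASA_PORT))
    # Hypothetical: the trunk would only have worked if the ASA end also spoke
    # 802.1Q for VLAN 3 (tagged in, tagged out), which its access port does not.
    print("trunk, ASA tagging VLAN 3:",
          reaches(TRUNK_MISMATCH, ASA_PORT, ISR_PORT, src_tag=3),
          reaches(TRUNK_MISMATCH, ISR_PORT, ASA_PORT, dst_accepts_tagged=True))
```

The trunk case fails in both directions for different reasons: the ASA's untagged frames are put into VLAN 1 and never reach an access port in VLAN 3, while the ISR's replies would leave the trunk tagged for VLAN 3, which the ASA's access port discards. Checking the ingress VLAN on both ends first (the switch's MAC table per VLAN, or its port PVID/native setting) is the quickest way to separate this from an ASA routing or ACL problem.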
