Cisco ASA



  • Hi folks,

    I am unable to sort this routing issue. Any ideas? I have a few interfaces as follows:

    ASA: 192.168.50.10/24
    ASA: 10.12.0.1/20
    ASA: 10.4.0.1/20

    Also, a switch:
    vLAN A 10.12.0.2
    vLAN B 10.4.0.2
    vLAN C 172.16.0.1
    vLAN D 192.168.50.1
    Default route on this switch is 0.0.0.0 192.168.50.10 (the ASA)

    Now, A and B can have traffic going both ways. I can ping/RDP/whatever between those two vLANs.

    A and B can also RDP/ping devices sitting on C. A and B physically connect to the ASA.

    D also physically connects to the ASA, and it looks like C routes out over D as it's the global default route.

    Now, the problem is that anything on C cannot contact A or B.

    Any ideas on this? I am thinking of just blowing away D entirely and putting 172.16.0.1 on the ASA, removing that entire vLAN. (It's like that for legacy purposes.)

    I have tried setting a range of routes on the switch for the various VLANs, and have set routes on the ASA, but C > A/B will not flow. Which is strange, as A/B > C works fine.

    Best,
    Jim



  • What is the default gateway on each VLAN?



  • It looks like routing is enabled on the switch itself - now - who's doing the switching between the VLANs kinda depends on what the default gateway for each VLAN is.

    Though since you can make one way communication to C from A/B, but not back, I'm guessing the rules exist in the switch, not the ASA that handle that.



  • @Dashrender said in Cisco ASA:

    What is the default gateway on each VLAN?

    10.12.0.0 vlan… switch IP = 10.12.0.2, ASA = 10.12.0.1. Gateway on the vlan is 10.12.0.2 (the switch)
    [clients are given gateway of 10.12.0.1 (the ASA) by DHCP]

    10.4.0.0 vlan… switch IP = 10.4.0.2, ASA = 10.4.0.1. Gateway on the vlan is 10.4.0.2 (the switch)
    [clients are given gateway of 10.4.0.1 (the ASA) by DHCP]

    172.16.0.0 vlan… switch IP = 172.16.0.1, ASA = N/A, gateway on the vlan is 172.16.0.1 (the switch)

    • this is legacy. What appears to happen is that the switch has 0.0.0.0 set to 192.168.50.10 (the ASA) on a vlan2. So, traffic from 172.16.0.0 hits the switch IP at 172.16.0.1, then hops out 0.0.0.0
      ^ I think it's this that's causing the issue.

    I think if I blow away 192.168.50.x and make the ASA 172.16.0.1, and the switch say (182.16.0.2 or something) that all vlans will talk as the ASA would be doing the routing...



  • @Dashrender said in Cisco ASA:

    It looks like routing is enabled on the switch itself - now - who's doing the switching between the VLANs kinda depends on what the default gateway for each VLAN is.

    Though since you can make one way communication to C from A/B, but not back, I'm guessing the rules exist in the switch, not the ASA that handle that.

    Each vlan does point to its switch IP address for the vLAN.

    Funny enough, if I set a client to use the switch IP as its gateway, then 172.x can communicate back with it, but the device also loses access to the Internet.



  • @Jimmy9008 said in Cisco ASA:

    A and B can also RDP/ping devices sitting on C.

    If this is true, it's just a matter of rules/route allowing C back to A/B or a route specifically for C -> A/B.

    172.16.0.0 vlan… switch IP = 172.16.0.1, ASA = N/A, gateway on the vlan is 172.16.0.1 (the switch)

    • this is legacy. What appears to happen is that the switch has 0.0.0.0 set to 192.168.50.10 (the ASA) on a vlan2. So, traffic from 172.16.0.0 hits the switch IP at 172.16.0.1, then hops out 0.0.0.0
      ^ I think it's this that's causing the issue.

    This should be fine, this is what allows the C network to get to the internet.

    so, when on the 172.16.0.0 network, the request goes to the switch's IP (172.16.0.1) which forwards it to 192.168.50.10 (the ASA). The ASA then doesn't have a rule allowing traffic from 172.16.0.0 to talk to 10.x, so it just dumps the traffic.

    At least that's what it looks like to me at this time.
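A way to check this kind of one-way reachability on paper, as an added example and not code from the thread: a tiny longest-prefix-match tracer loaded with the routing tables the thread describes (the /16 on 172.16.0.0 and the ASA's static route to it via the switch are assumptions, since the thread does not state them). It walks a packet hop by hop in each direction and reports whether the ASA, being a stateful firewall, actually sees both halves of a flow; a flow whose outbound or return leg bypasses the firewall is dropped for missing connection state just as surely as for a missing rule.

```python
import ipaddress

SWITCH, ASA = "switch", "asa"

# Constructed model of the thread's topology. Each entry is
# (prefix, next-hop device or None when directly connected, egress interface).
TABLES = {
    SWITCH: [
        ("10.12.0.0/20", None, "vlanA"),
        ("10.4.0.0/20", None, "vlanB"),
        ("172.16.0.0/16", None, "vlanC"),     # prefix length assumed
        ("192.168.50.0/24", None, "vlanD"),
        ("0.0.0.0/0", ASA, "vlanD"),          # 0.0.0.0 -> 192.168.50.10 (the ASA)
    ],
    ASA: [
        ("10.12.0.0/20", None, "ifA"),
        ("10.4.0.0/20", None, "ifB"),
        ("192.168.50.0/24", None, "ifD"),
        ("172.16.0.0/16", SWITCH, "ifD"),     # assumed static route via 192.168.50.1
        ("0.0.0.0/0", "internet", "outside"),
    ],
}
# First hop per VLAN: A/B clients get the ASA from DHCP, C uses the switch SVI.
FIRST_HOP = {"A": ASA, "B": ASA, "C": SWITCH}

def lookup(device, dst):
    """Longest-prefix match on one device's table; returns (next_hop, egress)."""
    ip, best = ipaddress.ip_address(dst), None
    for prefix, nh, egress in TABLES[device]:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, egress)
    return best[1], best[2]

def trace(src_vlan, dst):
    """List of devices a packet from src_vlan crosses until delivered or handed off."""
    path, device = [], FIRST_HOP[src_vlan]
    while device in TABLES:
        path.append(device)
        nh, _ = lookup(device, dst)
        if nh is None:          # directly connected on this device: delivered
            return path
        device = nh
    path.append(device)         # "internet" or another hop we do not model
    return path

def firewall_sees_both_directions(fw, src_vlan, src_ip, dst_vlan, dst_ip):
    """A stateful firewall only builds a connection if both legs pass through it."""
    return fw in trace(src_vlan, dst_ip) and fw in trace(dst_vlan, src_ip)
```

With these tables, an A-to-C request crosses the ASA and then the switch, while C's reply (and any C-originated request) reaches A or B on the switch alone; only A-to-B flows are symmetric through the ASA.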



  • @Jimmy9008 said in Cisco ASA:

    @Dashrender said in Cisco ASA:

    It looks like routing is enabled on the switch itself - now - who's doing the switching between the VLANs kinda depends on what the default gateway for each VLAN is.

    Though since you can make one way communication to C from A/B, but not back, I'm guessing the rules exist in the switch, not the ASA that handle that.

    Each vlan does point to its switch IP address for the vLAN.

    Funny enough, if I set a client to use the switch IP as its gateway, then 172.x can communicate back with it, but the device also loses access to the Internet.

    It doesn't surprise me that you can get to A/B if A/B client uses the switch IP as its gateway, because routing on the switch is seemingly enabled... though it does surprise me that you can't get on the internet...

    Can 172.x.x.x get on the internet? I made an assumption earlier that it could - perhaps that was wrong.



  • @Dashrender said in Cisco ASA:

    @Jimmy9008 said in Cisco ASA:

    @Dashrender said in Cisco ASA:

    It looks like routing is enabled on the switch itself - now - who's doing the switching between the VLANs kinda depends on what the default gateway for each VLAN is.

    Though since you can make one way communication to C from A/B, but not back, I'm guessing the rules exist in the switch, not the ASA that handle that.

    Each vlan does point to its switch IP address for the vLAN.

    Funny enough, if I set a client to use the switch IP as its gateway, then 172.x can communicate back with it, but the device also loses access to the Internet.

    It doesn't surprise me that you can get to A/B if A/B client uses the switch IP as its gateway, because routing on the switch is seemingly enabled... though it does surprise me that you can't get on the internet...

    Can 172.x.x.x get on the internet? I made an assumption earlier that it could - perhaps that was wrong.

    172.x can. Yes.

    I think rules must be needed in the ASA... will keep looking at it tomorrow.



  • @Dashrender said in Cisco ASA:

    @Jimmy9008 said in Cisco ASA:

    A and B can also RDP/ping devices sitting on C.

    If this is true, it's just a matter of rules/route allowing C back to A/B or a route specifically for C -> A/B.

    172.16.0.0 vlan… switch IP = 172.16.0.1, ASA = N/A, gateway on the vlan is 172.16.0.1 (the switch)

    • this is legacy. What appears to happen is that the switch has 0.0.0.0 set to 192.168.50.10 (the ASA) on a vlan2. So, traffic from 172.16.0.0 hits the switch IP at 172.16.0.1, then hops out 0.0.0.0
      ^ I think it's this that's causing the issue.

    This should be fine, this is what allows the C network to get to the internet.

    so, when on the 172.16.0.0 network, the request goes to the switch's IP (172.16.0.1) which forwards it to 192.168.50.10 (the ASA). The ASA then doesn't have a rule allowing traffic from 172.16.0.0 to talk to 10.x, so it just dumps the traffic.

    At least that's what it looks like to me at this time.

    “C” network really?