I am working on a lab right now and am having some issues with ASA routing.
Here is the current network topology:
Currently if I login to the console on the ASA or Router I can get outside to the internet no problem. The second I login to the layer 3 switch I can only ping the inside interface of the ASA. This leads me to believe I have issues with the return routing from the ASA.
I want the layer 3 switch to do the intervlan routing (which it is).
This brings up a couple of questions:
- Best practice wise - should I let the router or the ASA handle NAT (Overloading)?
- I can ping the 172.16.2.2 interface but not 172.16.2.1 from a pc connected to one of the layer 2 switches (proves intervlan routing is working -- i have a 172.20.100.8 address on the PC). Why can't I ping 172.16.2.1 from a PC but I can from the Layer 3 Switch?
- I cannot get an ip address right now from the DHCP server (windows). Any insight into why?
- And most of all -- Why can't I get out to the internet from the Layer 3 switch?
Here are concatenated dumps of the configs:
Layer 3 Switch:
version 15.1 no service pad service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption service compress-config service unsupported-transceiver ! ! ! no aaa new-model ! ip vrf mgmtVrf ! ! ! vtp mode transparent ! ! ! ! ! ! spanning-tree mode pvst spanning-tree extend system-id ! vlan internal allocation policy ascending ! vlan 3,12,100 ! ! ! ! ! ! ! interface FastEthernet1 ip vrf forwarding mgmtVrf no ip address speed auto duplex auto ! interface GigabitEthernet1/1 no switchport ip address 172.16.2.2 255.255.255.224 ! interface GigabitEthernet1/2 switchport mode trunk shutdown ! interface GigabitEthernet1/3 switchport mode trunk ! interface GigabitEthernet1/4 switchport mode trunk ! interface GigabitEthernet1/5 switchport mode trunk ! interface GigabitEthernet1/6 switchport mode trunk ! interface GigabitEthernet1/7 switchport mode trunk ! interface GigabitEthernet1/8 switchport mode trunk ! interface GigabitEthernet1/9 switchport mode trunk ! interface GigabitEthernet1/10 switchport mode trunk ! interface GigabitEthernet1/11 switchport mode trunk ! interface GigabitEthernet1/12 switchport mode trunk ! interface GigabitEthernet1/13 switchport mode trunk ! interface GigabitEthernet1/14 shutdown ! interface GigabitEthernet1/15 shutdown ! interface GigabitEthernet1/16 shutdown ! interface Vlan1 no ip address ! interface Vlan3 ip address 172.19.3.1 255.255.255.0 ip helper-address 172.20.100.27 ! interface Vlan12 ip address 172.19.12.1 255.255.255.240 ip helper-address 172.20.100.27 ! interface Vlan100 ip address 172.20.100.1 255.255.255.224 ip helper-address 172.20.100.27 ! ! no ip http server ip route 0.0.0.0 0.0.0.0 172.16.2.1 ! ! ! ! line con 0 logging synchronous stopbits 1 line vty 0 4 login ! end
ASA:
ASA Version 8.6(1)2 ! hostname ciscoasa names ! interface GigabitEthernet0/0 nameif outside security-level 0 ip address 172.16.1.10 255.255.255.0 ! interface GigabitEthernet0/1 nameif inside security-level 100 ip address 172.16.2.1 255.255.255.224 ! interface GigabitEthernet0/2 shutdown no nameif no security-level no ip address ! interface GigabitEthernet0/3 shutdown no nameif no security-level no ip address ! interface GigabitEthernet0/4 shutdown no nameif no security-level no ip address ! interface GigabitEthernet0/5 shutdown no nameif no security-level no ip address ! interface Management0/0 nameif management security-level 100 ip address 192.168.1.1 255.255.255.0 management-only ftp mode passive object network OBJ_GENERIC_ALL subnet 0.0.0.0 0.0.0.0 pager lines 24 logging asdm informational mtu management 1500 mtu outside 1500 mtu inside 1500 no failover icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-66114.bin no asdm history enable arp timeout 14400 nat (inside,outside) source dynamic OBJ_GENERIC_ALL interface route outside 0.0.0.0 0.0.0.0 172.16.1.1 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy user-identity default-domain LOCAL http server enable http 192.168.1.0 255.255.255.0 management no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart telnet timeout 5 ssh timeout 5 console timeout 0 dhcpd address 192.168.1.2-192.168.1.254 management dhcpd enable management ! threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept webvpn ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options ! service-policy global_policy global prompt hostname context no call-home reporting anonymous
Router Config:
version 15.3 service timestamps debug datetime msec service timestamps log datetime msec service password-encryption no platform punt-keepalive disable-kernel-core ! ! boot-start-marker boot-end-marker ! ! vrf definition Mgmt-intf ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! ! no aaa new-model ! ! ! ! ! ! ! ! ! ! multilink bundle-name authenticated ! ! ! ! ! ! ! ! ! redundancy mode none ! ! ! ip tftp source-interface GigabitEthernet0 ! ! ! ! ! ! ! interface GigabitEthernet0/0/0 ip address 204.28.125.74 255.255.255.252 ip nat outside negotiation auto ! interface GigabitEthernet0/0/1 no ip address shutdown negotiation auto ! interface GigabitEthernet0/0/2 no ip address shutdown negotiation auto ! interface GigabitEthernet0/0/3 ip address 172.16.1.1 255.255.255.0 ip nat inside negotiation auto ! interface GigabitEthernet0 vrf forwarding Mgmt-intf no ip address shutdown negotiation auto ! ip nat inside source list 1 interface GigabitEthernet0/0/0 overload ip forward-protocol nd ! no ip http server no ip http secure-server ip route 0.0.0.0 0.0.0.0 200.200.200.200 ! access-list 1 permit 172.16.1.0 0.0.0.255 ! ! ! control-plane ! ! line con 0 logging synchronous stopbits 1 line aux 0 stopbits 1 line vty 0 4 login ! ! end