
Wednesday, March 30, 2011

Trying to link test LAN to Production

Qsolved Question: We have some spare equipment and we are trying to access the internet via our production LAN, from a test LAN. We have a 6506 as our core switch, a 3560 acting as a Layer 3 switch connected to the 6506, and an ASA 5520 firewall. We have posted configs below. First, the connections:

GigabitEthernet3/1 on the 6506 is directly connected to GigabitEthernet0/25 on the 3560. (our test LAN)

GigabitEthernet0/26 on the 3560 is directly connected to GigabitEthernet0/1 on the ASA, which is designated as the Inside interface. (The internet access "router")

GigabitEthernet0/0 on the ASA (outside) is directly connected to the Production Core switch, which is a 6513. (the firewall prior to the "internet")

Also, VLAN 500 with an IP address of 10.50.0.254 is defined on the Production 6513 so that the NAT address from the test ASA will be able to communicate.

In the configurations below, we can successfully ping all production IP addresses from both the ASA and the 3560 (they are 192.168.x.x IPs).

We can successfully ping the IP addresses on the 3560 and the inside interface of the ASA from the 6506.

We cannot ping production IP addresses from the 6506 - basically anything outside the firewall.

Here are configs for each. Note that on the 6506, I can't enter switchport trunk encapsulation dot1q but when I check the capabilities of the interfaces, they are all dot1q enabled:

6506:

vtp domain domain-name
vtp mode transparent
ip subnet-zero
!
vlan 120
!
interface GigabitEthernet3/1
description To 3560 Gi0/25
switchport trunk native vlan 120
switchport mode trunk
!
interface Vlan1
no ip address
shutdown
!
interface Vlan120
ip address 10.10.20.254 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.20.1

3560:

vtp domain domain-name
vtp mode transparent
ip routing
!
vlan 120
!
interface GigabitEthernet0/25
description From 6506 Gi3/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 120
!
interface GigabitEthernet0/26
description To ASA inside interface
no switchport
ip address 10.10.40.254 255.255.255.0
!
interface Vlan1
no ip address
shutdown
!
interface Vlan120
ip address 10.10.20.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.40.1

ASA 5520:

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.50.0.1 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.10.40.1 255.255.255.0
!
same-security-traffic permit intra-interface
access-list traffic_out extended permit ip any any
access-list traffic_in extended permit ip any any
!
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group traffic_in in interface outside
access-group traffic_out out interface inside
route outside 0.0.0.0 0.0.0.0 10.50.0.254 1

That's all. We'll crank down the security on the firewall if we can ever get the test 6506 to communicate with production.

QSolved Answer:

Sounds like a routing issue. Does your firewall know how to get to the inside addresses? i.e. in your case 10.10.20.x. You might need a route inside statement. From your config, your 6506 has a static to the 3560 and the 3560 has a static to the firewall. You also need the reverse, else the traffic ain't going to come back. It works from the firewall and the 3560 because they have connected interfaces in those subnets.
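To make the asymmetry in the answer concrete, here is an added example (not part of the question, the answer, or any Cisco documentation) that rebuilds the three posted routing tables in Python and traces a packet hop by hop with a longest-prefix lookup. The forward trace from the 6506 to the production gateway 10.50.0.254 succeeds, because every hop has a default route pointing towards the ASA. The reply, modelled as the ASA's lookup for 10.10.20.254 after the NAT translation has been undone, only matches the ASA's default route and is sent back out the outside interface, so it never reaches the inside. Adding a return route on the ASA (the equivalent of `route inside 10.10.20.0 255.255.255.0 10.10.40.254 1`, which mirrors the posted `route outside` line) makes the reply trace complete. The 6513 is not modelled beyond being the owner of 10.50.0.254, the 3560 needs no extra route because 10.10.20.0/24 is connected on its Vlan120, and the device and interface names are taken from the posted configs.

```python
import copy
import ipaddress

# Routing tables reconstructed from the posted configs (constructed data).
# Each entry is (prefix, next_hop, egress_interface); connected routes have
# next_hop=None. Only the three devices whose configs were posted are modelled.
TABLES = {
    "6506": [
        ("10.10.20.0/24", None, "Vlan120"),        # interface Vlan120
        ("0.0.0.0/0", "10.10.20.1", "Vlan120"),    # ip route 0.0.0.0 0.0.0.0 10.10.20.1
    ],
    "3560": [
        ("10.10.20.0/24", None, "Vlan120"),        # interface Vlan120
        ("10.10.40.0/24", None, "Gi0/26"),         # interface Gi0/26 (routed)
        ("0.0.0.0/0", "10.10.40.1", "Gi0/26"),     # ip route 0.0.0.0 0.0.0.0 10.10.40.1
    ],
    "ASA": [
        ("10.10.40.0/24", None, "inside"),         # Gi0/1 nameif inside
        ("10.50.0.0/24", None, "outside"),         # Gi0/0 nameif outside
        ("0.0.0.0/0", "10.50.0.254", "outside"),   # route outside 0.0.0.0 0.0.0.0 10.50.0.254 1
    ],
}

# Which modelled device answers for which next-hop address (constructed from
# the configs). 10.50.0.254 belongs to the production 6513, which is not modelled.
OWNER = {
    "10.10.20.1": "3560",
    "10.10.20.254": "6506",
    "10.10.40.1": "ASA",
    "10.10.40.254": "3560",
    "10.50.0.254": "6513",
}


def lookup(table, dst):
    """Longest-prefix match of dst against one device's table.
    Returns (prefix, next_hop, iface) or None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return None if best is None else (str(best[0]), best[1], best[2])


def trace(tables, start, dst, max_hops=8):
    """Follow a packet from device `start` towards `dst`.
    Returns (reached, path) where path lists (device, egress interface).
    reached is True only if some modelled device is directly connected to dst."""
    path = []
    device = start
    for _ in range(max_hops):
        route = lookup(tables[device], dst)
        if route is None:
            return False, path                    # no route at all: dropped here
        _prefix, next_hop, iface = route
        path.append((device, iface))
        if next_hop is None:
            return True, path                     # connected subnet: delivered
        nxt = OWNER.get(next_hop)
        if nxt is None or nxt not in tables:
            return False, path                    # left the modelled topology
        device = nxt
    return False, path                            # loop guard


def with_return_route(tables):
    """Return a copy of the tables with the ASA's missing static route to the
    test VLAN added, i.e. 'route inside 10.10.20.0 255.255.255.0 10.10.40.254 1'."""
    fixed = copy.deepcopy(tables)
    fixed["ASA"].append(("10.10.20.0/24", "10.10.40.254", "inside"))
    return fixed


if __name__ == "__main__":
    print("forward 6506 -> 10.50.0.254:", trace(TABLES, "6506", "10.50.0.254"))
    print("reply   ASA  -> 10.10.20.254:", trace(TABLES, "ASA", "10.10.20.254"))
    print("reply after route inside:   ", trace(with_return_route(TABLES), "ASA", "10.10.20.254"))
```

The telling line in the output is the reply trace before the fix: the ASA's only match for 10.10.20.254 is the default route, so its egress is `outside`, the same interface the reply arrived on. The same lookup on a real ASA is what `show route` would report, and it is why pings from the ASA and 3560 work (both have 10.10.20.0/24 or 10.10.40.0/24 as connected routes) while pings from the 6506 do not.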

Citation - This blog post does not reflect original content from the author. Rather it summarizes content that are relevant to the topic from different sources in the web. The sources might include any online discussion boards, forums, websites and others.
