Production Cisco Question

staticz

I've been working on an interesting network implementation and have come to a road block. I'm fairly new to Cisco (just started on my CCNA studies) but, alas, people leave and here I am. Hopefully you guys can help me out!

We have a situation where we are acquiring an organization and are starting their network from scratch. Due to some testing that needs to take place I have to have the 'old' network talk to the new network. I've connected our 3750x stack to the cisco router on the old network. I have configured this port as a trunk port.

We are doing routing with the 3750x and also have setup a handful of vlans. I've created an interface on the 3750 to talk to the old network (192.168.55.X) and from the 3750 can ping anything on the 192.168.55.X network. However the next hop (an ASA 5505 on the new network (172.50.1.X)) cannot ping anything on 192.168.55.X. The 3750 has a route statement to send all request to the cisco router (192.168.55.1) but traffic is not flowing.

Like I said, I'm new to Cisco but everything seems to be in line. Hopefully I explained in full and would appreciate any guidance.

sratakhin

It's difficult to give advice when you only provided a vague description with no configs. Did you allow the needed VLANs on the trunk?

staticz

Unfortunately I cannot get to the configs right now, I'd be happy to post them tomorrow though. The port that is connected to the old router (192 numbers) is set as a trunk but I have not allowed any vlans other than vlan 2 (192 number) through. Is that the key? Port config would look something like this

int g2/0/24
switchport mode trunk
siwtchport trunk native vlan2
switchport trunk encapsulation dot1q

I need addresses from vlan50,51,52 to go through that port as well. Is it as simple as allowing the vlans through the trunk?

Thanks for the quick response! I really appreciate it as I struggled with this all day.

TehToG

A trunk port is just a port which allows multiple VLANs, The native VLAN is the vlan which all 'untagged' (not VLAN tagged) traffic is sent. With the config you have there (because you haven't specified which vlans are allowed) should allow all VLAN traffic to traverse the link.

It's hard to say without configs but I presume you either have a VLAN mismatch between the two networks or the ASA isn't configured to forward traffic destined for the 192.168.55.x network.



Just a small criticism but if you could provide slash notation for the networks it might help.

edit: I don't mean native vlan mismatch. More something like this. Don't forget you need intervlan routing too.

atorven

This may be basic but do you have routes configured from 192.168.55.X to 172.50.1.X and the other way around?

ChooseLife

Sidenote: when you post the configs tomorrow, remember to take out usernames/passwords and public ips (as well as ssl, vpn keys and snmp strings if applicable). (sorry if it's obvious!)

drkat

1. Make sure the ASA doesnt have any ACL's blocking icmp - Best way is to just try like RDP between two subnets..
2. Make sure you have a route from the ASA to the destination network
3. You can run a packet tracer from the ASA to the destination network / as well as run a packet capture on the ASA

MAC_Addy

drkat wrote: »

1. Make sure the ASA doesnt have any ACL's blocking icmp - Best way is to just try like RDP between two subnets..
2. Make sure you have a route from the ASA to the destination network
3. You can run a packet tracer from the ASA to the destination network / as well as run a packet capture on the ASA

+1 on this. Also, ASA's block ICMP by default.

staticz

Hi everyone - sorry for the delayed reply. let me see if I can explain this any better -

I have a 3750X stack that has IP Routing turned on and the following vlans defined -

VLAN10 - 172.50.1.X
VLAN11 - 172.50.2.X
VLAN12 - 172.50.3.X
VLAN14 - 172.50.4.X
VLAN 2 - 192.168.51.X

I've given the vlan2 interface an address of 192.168.1.166 and have configured a port as follows:

interface GigabitEthernet1/0/24
switchport mode trunk

switchport trunk encapsulation dot1q

This port is connected to a Cisco 2821 with the following sub-interfaces configured:

0.1 - 192.168.50.X
0.2 - 192.168.51.X

The 2821 is also acting as a firewall. For what it is worth the port on the 3750X is plugged into g0/0 on the 2821 which is configure as follows:

interface GigabitEthernet0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
no ip route-cache
ip tcp adjust-mss 1300
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/0.1
encapsulation dot1Q 3
ip address 192.168.50.254 255.255.255.0
ip access-group InsideBlock in
ip nat inside
ip virtual-reassembly
zone-member security in-zone
no ip route-cache
!
interface GigabitEthernet0/0.2
encapsulation dot1Q 2
ip address 192.168.51.1 255.255.255.0
ip virtual-reassembly
zone-member security in-zone
ip access-group InsideBlock in
ip accounting output-packets
ip nat inside

no ip route-cache
!

My issue is that I need to have 192.168.51.X be able to talk to all 172.24.X.X networks. I've tried the trunk port with no success (obviously). I also tried setting up a routed interface on the 3750 but that dropped connection to the 2821.

If you need the full configs I can scrounge those up. They are pretty extensive though.

gregorio323

can you do show ip access-list InsideBlock and give us the output. Looks like you have configured a IOS zone based firewall on the 2821. If possible can we get the config?

staticz

gregorio323 wrote: »

can you do show ip access-list InsideBlock and give us the output. Looks like you have configured a IOS zone based firewall on the 2821. If possible can we get the config?

ip access-list extended InsideBlock
permit ip host 192.168.51.239 host 192.168.1.85

permit tcp any any established
permit udp any eq bootpc host 255.255.255.255 eq bootps
deny ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255
deny ip 192.168.0.0 0.0.0.255 172.16.0.0 0.15.255.255
deny ip 192.168.0.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip any any

Sorry I'm not more help. None of this is my config and I've walked into a mess. I'd rather not post the entire config if possible

gregorio323

as a note you did mention your 3750 is turned on for ip routing so you don't need to create that trunk to the cisco 2821.
Where does the 172.24.x.x lives on? can you show us a the route path?
your ICMP should be allowed through by looking at your ACL permit ip any any will allow icmp destined to 172.24.x.x
it should help if you can give us more of a background on the security zones.

staticz

Routes defined on the 3750 -

ip route 0.0.0.0 0.0.0.0 172.50.1.244
ip route 192.168.51.0 255.255.255.0 192.168.51.1

Routes defined on the 2821 -

ip route 172.50.1.0 255.255.255.0 172.50.1.254
ip route 172.50.2.0 255.255.255.0 172.50.2.254
ip route 172.50.3.0 255.255.255.0 172.50.3.254
ip route 172.50.4.0 255.255.255.0 172.50.4.254

When you mean the trunk isn't needed, then I should be ok with just an access port connected from the 3750 to the 2821? Thanks again for your help.

gregorio323

If that is the complete routing table. then the Cisco 2821 does not know how to reach 172.24.x.x I do not see a default gateway or a ip route statement for 172.24.x.x

If you set the port as an access port. Make sure on the cisco 2821 you do not have the statement for encapsulation and you can remove the sub interfaces and just make gi0/0 to 192.168.51.1.

one last thing on the cisco 3750 the statement ip route 192.168.51.0 255.255.255.0 192.168.51.1 is not doing anything. Since you created the vlan 2 on the 192.168.1.0/24 subnet it's directly "connected".

staticz

gregorio That was pretty much it. It took a few hours but looks like I just needed to walk away from it for a day. Thanks for all of the input everyone!

gregorio323

so what fixed the problem?

johnifanx98

gregorio323 wrote: »

as a note you did mention your 3750 is turned on for ip routing so you don't need to create that trunk to the cisco 2821.
Where does the 172.24.x.x lives on? can you show us a the route path?
your ICMP should be allowed through by looking at your ACL permit ip any any will allow icmp destined to 172.24.x.x
it should help if you can give us more of a background on the security zones.

A side question. What is the point to turn on for ip routing on a switch? Is it layer 3 switching?

staticz

johnifanx98 wrote: »

A side question. What is the point to turn on for ip routing on a switch? Is it layer 3 switching?

Yes it is

The solution was to add the correct route but you'll also notice that the gateway on the existing routes (located on the 2821) was wrong. I was pointing them to the gateway of the vlan, not the next nearest hop. So my routes, for example, ended up being

ip route 172.24.50.1 255.255.255.0 192.168.50.254

instead of

ip route 172.24.50.1.255.255.255.0 172.24.50.254