Basics:
Modem --> ASA5520 --> 3750
ASA acts as a DHCP server for the VLANs
I know that DHCP is working, since the laptop I have attached to G 1/0/13 has grabbed IP 172.20.10.10.
However, I have weirdness.
Wireshark shows that the machine at 172.20.10.10 is getting outside traffic somehow.
5671 3028.754863 40.69.223.39 172.20.10.10 TCP 60 443 → 50586 [RST, ACK] Seq=4072 Ack=1256 Win=0 Len=0
5672 3031.521058 172.20.10.10 173.194.199.188 TCP 55 [TCP Keep-Alive] 50528 → 5228 [ACK] Seq=934 Ack=4508 Win=261376 Len=1
5673 3031.550522 173.194.199.188 172.20.10.10 TCP 66 [TCP Keep-Alive ACK] 5228 → 50528 [ACK] Seq=4508 Ack=935 Win=67072 Len=0 SLE=934 SRE=935
The settings I do have, I'm not even sure how they work, specifically the access lists (which side is "in," which side is "out," etc.). No number of Cisco videos, either on YouTube or in the Learning Library, have been straightforward and specific enough for me to grasp. Seems like a lot of counterintuitiveness here.
So I have a device that's getting out, but I cannot ping 8.8.8.8 from the switch itself.
In the command prompt on the laptop I run "ping 8.8.8.8 -S 172.20.10.10" and get this result:
Pinging 8.8.8.8 from 172.20.10.10 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=30ms TTL=55
Reply from 8.8.8.8: bytes=32 time=26ms TTL=55
Reply from 8.8.8.8: bytes=32 time=32ms TTL=55
Reply from 8.8.8.8: bytes=32 time=28ms TTL=55
Ping statistics for 8.8.8.8:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 26ms, Maximum = 32ms, Average = 29ms
The "LOCAL" network object is 172.20.10.0/24 and uses dynamic PAT to translate to outside. This includes the switch IP 172.20.10.254, yet the switch can get out.
Is there a possibility that "LOCAL" is being redesignated to only the range of IPs from the ASA's DHCP?
The switch is operating at L2 only.
INB4 questions: yes, the switch is L3 capable, but eventually there's going to be more going on than just the one ASA and switch, which is why this is the setup. The environment is not that large, and this device should handle everything fine if I can for sure get it working correctly.
The switch can ping the inside local interface on the ASA:
ping 172.20.10.254
Sending 5, 100-byte ICMP Echos to 172.20.10.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
Thus far any attempt I have made to get nat (inside,outside) to function properly has failed, or I have failed to understand what is going on.
ASA settings:
names
ddns update method ddns-2
ddns both
interval maximum 20 0 0 0
same-security-traffic permit intra-interface
object network LOCAL
subnet 172.20.10.0 255.255.255.0
description Local Network Vlan 10
object network LOCAL
nat (LOCAL,outside) dynamic interface
access-group outside_access_in in interface outside
!
router rip
passive-interface outside
no auto-summary
gig 0/0
interface GigabitEthernet0/0
nameif outside
security-level 0
ddns update hostname server.com
ddns update ddns-2
ip address dhcp setroute [[This does work]]
gig 0/1
interface GigabitEthernet0/1
description Trunk to 3750G
nameif inside
security-level 100
no ip address
interface GigabitEthernet0/1.10
vlan 10
nameif LOCAL
security-level 100
ip address 172.20.10.254 255.255.255.0
dhcpd address 172.20.10.10-172.20.10.90 LOCAL
dhcpd dns 1.1.1.1 8.8.8.8 interface LOCAL
dhcpd enable LOCAL
Switch settings:
vtp mode off
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 10
name LOCAL
!
interface GigabitEthernet1/0/13
description Test
switchport access vlan 10
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
interface GigabitEthernet1/0/52
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10
switchport mode trunk
interface Vlan10
description LOCAL
ip address 172.20.10.253 255.255.255.0
spanning-tree bpduguard enable
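Given the two configurations above, here is an added example (my own, not from the post) that parses the relevant lines and reports, for an address, whether it falls inside the subnet of the object the dynamic NAT rule is built on, whether it falls inside the dhcpd pool, and whether the switch config carries an "ip default-gateway" line (the command an L2-only IOS switch needs before traffic sourced from its own SVI can reach an off-subnet address such as 8.8.8.8). The config excerpts embedded in the block are constructed from the lines posted above, keeping only what the checks need.

```python
import ipaddress
import re

# Constructed excerpts of the posted ASA and 3750 configs, indented as "show run" prints them.
ASA_CONFIG = """\
object network LOCAL
 subnet 172.20.10.0 255.255.255.0
object network LOCAL
 nat (LOCAL,outside) dynamic interface
dhcpd address 172.20.10.10-172.20.10.90 LOCAL
"""
SWITCH_CONFIG = """\
interface Vlan10
 description LOCAL
 ip address 172.20.10.253 255.255.255.0
"""

def nat_subnets(asa_cfg):
    """Subnets of every 'object network' whose block carries a nat (x,outside) dynamic rule."""
    subnets, natted, current = {}, set(), None
    for line in asa_cfg.splitlines():
        if m := re.match(r"object network (\S+)", line):
            current = m.group(1)
        elif m := re.match(r"\s+subnet (\S+) (\S+)", line):
            subnets[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        elif re.match(r"\s+nat \(\S+,outside\) dynamic", line):
            natted.add(current)
    return [subnets[name] for name in natted if name in subnets]

def dhcp_pool(asa_cfg):
    """(first, last) of the dhcpd address range; the pool is separate from the NAT object."""
    m = re.search(r"dhcpd address (\S+)-(\S+)", asa_cfg)
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))

def nat_covers(addr, asa_cfg=ASA_CONFIG):
    return any(ipaddress.ip_address(addr) in net for net in nat_subnets(asa_cfg))

def in_dhcp_pool(addr, asa_cfg=ASA_CONFIG):
    first, last = dhcp_pool(asa_cfg)
    return first <= ipaddress.ip_address(addr) <= last

def switch_default_gateway(switch_cfg=SWITCH_CONFIG):
    """Gateway an L2-only switch uses for off-subnet traffic from its SVI; None if not set."""
    m = re.search(r"^ip default-gateway (\S+)", switch_cfg, re.M)
    return m.group(1) if m else None

if __name__ == "__main__":  # the laptop's DHCP address and the switch SVI from the post
    for host in ("172.20.10.10", "172.20.10.253"):
        print(host, "in NAT object:", nat_covers(host), "in DHCP pool:", in_dhcp_pool(host))
    print("switch default gateway:", switch_default_gateway())
```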