Best practice wise - should I let the router or the ASA handle NAT (Overloading)?
In the most general of design best practices NAT is performed between an inside and outside network. NAT overloading is generally performed at the edge when there is limited public IP address space. You can learn more about NAT overloading, also known as Port Address Translation or PAT, in RFC 2663 (PAT is referred to as Network Address Port Translation (NAPT) in section 4.1.2).
In this particular scenario you can argue that you have two inside and outside networks and will need to perform some form of NAT on both the ASA (whether that is the NAT overloading you're using now, NAT exemption, static NAT, etc) and the Cisco Router.
I can ping the 172.16.2.2 interface but not 172.16.2.1 from a PC connected to one of the layer 2 switches (proves intervlan routing is working -- I have a 172.20.100.8 address on the PC). Why can't I ping 172.16.2.1 from a PC but I can from the Layer 3 Switch?
The ASA 172.16.2.2 is receiving the ICMP echo-request but does not have a route back to 172.20.100.0/27. The echo-reply is actually being forwarded to the Router 172.16.1.1 via the default route.
And most of all -- Why can't I get out to the Internet from the Layer 3 switch?
Currently your ASA and Cisco Router do not have routes to internal devices other than their connected routes.
Your ASA configuration:
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
This will provide a default route via the outside interface, but how will the ASA know how to reach subnets residing behind the Layer 3 Distribution Switch?
You'll need to add routes to the internal subnets via the inside interface using the Layer 3 Distribution Switch as the next-hop IP address.
ASA static routing example:
route inside 172.19.12.0 255.255.255.240 172.16.2.2
route inside 172.19.3.0 255.255.255.0 172.16.2.2
route inside 172.20.100.0 255.255.255.224 172.16.2.2
Further reading: ASA static routing
Your Cisco Router's configuration:
ip route 0.0.0.0 0.0.0.0 200.200.200.200
Additionally, how will your border router know how to reach subnets other than its connected routes and the catch-all default route via the outside interface's next-hop address 200.200.200.200?
Router static routing example:
ip route 172.19.12.0 255.255.255.240 172.16.1.10
ip route 172.19.3.0 255.255.255.0 172.16.1.10
ip route 172.20.100.0 255.255.255.224 172.16.1.10
ip route 172.16.2.0 255.255.255.224 172.16.1.10
Further reading: ISR static routing
I cannot get an ip address right now from the DHCP server (Windows).
Any insight into why?
Ensure you have end-to-end IP reachability between the client(s) sending DHCP discover messages and the DHCP server.
From what I can gather from your topology and configuration, the subnets 172.19.3.0/24, 172.19.12.0/28 and 172.20.100.0/27 should have no issues connecting to each other (assuming they are configured to use their respective default gateways) from a networking perspective.
You can remove the ip helper-address line from the SVI 100, given that the DHCP server is on the same segment; that command is used for DHCP server(s) on a different segment.
interface Vlan100
ip address 172.20.100.1 255.255.255.224
ip helper-address 172.20.100.27
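A check for the return-path problem in the routing answer above, added here and not part of the original answer: a small longest-prefix-match lookup over the ASA and router static routes quoted above, showing where each device sends a reply to the PC at 172.20.100.8 before and after the inside routes are added. The route parsing and lookup are illustrative Python, not any Cisco tool; only the static routes shown are modelled (connected routes are not), and the router's route for the PC's subnet is written as 172.20.100.0/27.

```python
"""Longest-prefix-match check of where a reply to an internal host goes.

Added example: the route lines are the ones quoted in the answer above; the
parsing and lookup code is illustrative and not taken from any Cisco tool.
Only the static routes are modelled, not the devices' connected routes.
"""
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    next_hop: str
    interface: Optional[str]  # ASA routes name an interface, IOS 'ip route' lines do not


def parse_routes(config: str) -> List[Route]:
    """Parse ASA 'route <iface> <net> <mask> <nh> [metric]' and IOS
    'ip route <net> <mask> <nh>' lines; anything else is ignored."""
    routes: List[Route] = []
    for line in config.splitlines():
        p = line.split()
        if p[:2] == ["ip", "route"] and len(p) >= 5:
            iface, net, mask, nh = None, p[2], p[3], p[4]
        elif p[:1] == ["route"] and len(p) >= 5:
            iface, net, mask, nh = p[1], p[2], p[3], p[4]
        else:
            continue
        routes.append(Route(ipaddress.IPv4Network(f"{net}/{mask}"), nh, iface))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Return the most specific route covering dst (longest prefix wins)."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


def next_hop_for(config: str, dst: str) -> Optional[str]:
    """Next hop a device with this config uses for dst, or None if unroutable."""
    r = lookup(parse_routes(config), dst)
    return None if r is None else r.next_hop


# Configurations quoted in the answer above, before and after the fix.
ASA_BEFORE = "route outside 0.0.0.0 0.0.0.0 172.16.1.1 1\n"
ASA_AFTER = ASA_BEFORE + """\
route inside 172.19.12.0 255.255.255.240 172.16.2.2
route inside 172.19.3.0 255.255.255.0 172.16.2.2
route inside 172.20.100.0 255.255.255.224 172.16.2.2
"""
ROUTER_BEFORE = "ip route 0.0.0.0 0.0.0.0 200.200.200.200\n"
ROUTER_AFTER = ROUTER_BEFORE + """\
ip route 172.19.12.0 255.255.255.240 172.16.1.10
ip route 172.19.3.0 255.255.255.0 172.16.1.10
ip route 172.20.100.0 255.255.255.224 172.16.1.10
ip route 172.16.2.0 255.255.255.224 172.16.1.10
"""

PC = "172.20.100.8"  # the PC from the question

if __name__ == "__main__":
    for name, cfg in [("ASA before", ASA_BEFORE), ("ASA after", ASA_AFTER),
                      ("router before", ROUTER_BEFORE), ("router after", ROUTER_AFTER)]:
        print(f"{name:14s} reply to {PC} -> next hop {next_hop_for(cfg, PC)}")
```

Before the fix both devices resolve the PC's address to the default route, so replies to an RFC 1918 host are handed to the next device upstream (and, at the border router, toward the ISP); after the inside routes exist the lookup lands on the more specific prefix and the reply goes back through the Layer 3 switch.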
Interfaces/IP Addressing:
If you're looking to poll a device's IP address, subnet mask and corresponding interface you can use the following OIDs from the IP-MIB and IF-MIB MIBs:
.1.3.6.1.2.1.4.20.1.1
- The IP address can be found at this OID
~]$ snmptranslate .1.3.6.1.2.1.4.20.1.1
IP-MIB::ipAdEntAddr
~]$ snmpwalk -v2c -c cisco 10.30.46.1 .1.3.6.1.2.1.4.20.1.1
IP-MIB::ipAdEntAddr.10.30.46.1 = IpAddress: 10.30.46.1
IP-MIB::ipAdEntAddr.25.255.25.254 = IpAddress: 25.255.25.254
IP-MIB::ipAdEntAddr.55.44.33.22 = IpAddress: 55.44.33.22
IP-MIB::ipAdEntAddr.172.31.10.10 = IpAddress: 172.31.10.10
.1.3.6.1.2.1.4.20.1.3
- The subnet mask can be found at this OID
~]$ snmptranslate .1.3.6.1.2.1.4.20.1.3
IP-MIB::ipAdEntNetMask
~]$ snmpwalk -v2c -c cisco 10.30.46.1 .1.3.6.1.2.1.4.20.1.3
IP-MIB::ipAdEntNetMask.10.30.46.1 = IpAddress: 255.255.255.0
IP-MIB::ipAdEntNetMask.25.255.25.254 = IpAddress: 255.255.255.0
IP-MIB::ipAdEntNetMask.55.44.33.22 = IpAddress: 255.255.255.0
IP-MIB::ipAdEntNetMask.172.31.10.10 = IpAddress: 255.255.255.0
.1.3.6.1.2.1.4.20.1.2
- The interface index (the ifTable index) is a unique integer for each interface.
~]$ snmptranslate .1.3.6.1.2.1.4.20.1.2
IP-MIB::ipAdEntIfIndex
~]$ snmpwalk -v2c -c cisco 10.30.46.1 .1.3.6.1.2.1.4.20.1.2
IP-MIB::ipAdEntIfIndex.10.30.46.1 = INTEGER: 1
IP-MIB::ipAdEntIfIndex.25.255.25.254 = INTEGER: 5
IP-MIB::ipAdEntIfIndex.55.44.33.22 = INTEGER: 6
IP-MIB::ipAdEntIfIndex.172.31.10.10 = INTEGER: 7
.1.3.6.1.2.1.2.2.1.2
- The interface friendly name can be found at this OID and the ifTable index is appended (eg. ...2.1.2.[INDEX]) for each interface.
~]$ snmptranslate .1.3.6.1.2.1.2.2.1.2
IF-MIB::ifDescr
~]$ snmpwalk -v2c -c cisco 10.30.46.1 .1.3.6.1.2.1.2.2.1.2
IF-MIB::ifDescr.1 = STRING: FastEthernet0/0
IF-MIB::ifDescr.2 = STRING: FastEthernet0/1
IF-MIB::ifDescr.4 = STRING: Null0
IF-MIB::ifDescr.5 = STRING: Loopback0
IF-MIB::ifDescr.6 = STRING: Tunnel10
IF-MIB::ifDescr.7 = STRING: Dialer1
IF-MIB::ifDescr.8 = STRING: Virtual-Access1
You can walk these OIDs manually, script something out in the language of your choice, or use much smarter programs/scripts similar to what's mentioned in Tim Peck's answer.
Here's a quick (and dirty) shell example:
#!/bin/bash
# duct taped by one.time
# Basic interface information collector
##
# Set usage var and getoptions
usage="Usage: interface-info.sh -H <IP Address> -C <snmp community string>
OPTIONS:
-H Hostname set IP address or hostname
-h Help prints usage options
SNMPv2 OPTIONS:
-C Community set SNMPv2 community string
"
while getopts H:C:h option;
do
    case $option in
        H) ipaddress=$OPTARG;;
        C) community=$OPTARG;;
        h) echo "$usage"
           exit 0;;
        *) echo "$usage" >&2
           exit 1;;
    esac
done
##
# Prevent blank argvars (a missing argument is an error, so exit non-zero)
if [[ -z $ipaddress || -z $community ]]; then
    echo "$usage" >&2
    exit 1
fi
##
# Set field separator to new line so each walk output line becomes one array element
IFS=$'\n'
##
# Store our IP-MIB info in arrays. All three columns are indexed by the IP address,
# so element i of each array describes the same address.
ipAdEntAddr=( $(snmpbulkwalk -v2c -c "$community" "$ipaddress" .1.3.6.1.2.1.4.20.1.1 | awk -F ": " '{print $2}') )
ipAdEntNetMask=( $(snmpbulkwalk -v2c -c "$community" "$ipaddress" .1.3.6.1.2.1.4.20.1.3 | awk -F ": " '{print $2}') )
ipAdEntIfIndex=( $(snmpbulkwalk -v2c -c "$community" "$ipaddress" .1.3.6.1.2.1.4.20.1.2 | awk -F ": " '{print $2}') )
# Fetch ifDescr.<ifIndex> for each address (a single instance, so snmpget rather than a walk)
for ((i=0; i<${#ipAdEntAddr[@]}; i++)); do
    ifDescr[$i]=$(snmpget -v2c -c "$community" "$ipaddress" .1.3.6.1.2.1.2.2.1.2."${ipAdEntIfIndex[$i]}" | awk -F ": " '{print $2}')
    echo "${ifDescr[$i]}: ${ipAdEntAddr[$i]} ${ipAdEntNetMask[$i]}"
done
Example:
~]$ ./interface-info.sh -H 10.30.46.1 -C cisco
FastEthernet0/0: 10.30.46.1 255.255.255.0
Loopback0: 25.255.25.254 255.255.255.0
Tunnel10: 55.44.33.22 255.255.255.0
Dialer1: 172.31.10.10 255.255.255.0
VLANs:
If you're looking for the VLAN IDs and VLAN names you can use the following OID:
.1.3.6.1.4.1.9.9.46.1.3.1.1.4.1
The vtpVlanName can be found (on Cisco devices) at this OID and the VLAN-ID can be found appended, e.g.: ...1.4.1.[VLAN-ID] (similar to the ifIndex and ifDescr example above).
~]$ snmptranslate .1.3.6.1.4.1.9.9.46.1.3.1.1.4.1
SNMPv2-SMI::enterprises.9.9.46.1.3.1.1.4.1
~]$ snmpwalk -v2c -c cisco 192.168.0.8 SNMPv2-SMI::enterprises.9.9.46.1.3.1.1.4.1
SNMPv2-SMI::enterprises.9.9.46.1.3.1.1.4.1.1 = STRING: "default"
SNMPv2-SMI::enterprises.9.9.46.1.3.1.1.4.1.10 = STRING: "VLAN0010"
SNMPv2-SMI::enterprises.9.9.46.1.3.1.1.4.1.21 = STRING: "VLAN0021"
SNMPv2-SMI::enterprises.9.9.46.1.3.1.1.4.1.100 = STRING: "VLAN0100"
SNMPv2-SMI::enterprises.9.9.46.1.3.1.1.4.1.344 = STRING: "VLAN0344"
SNMPv2-SMI::enterprises.9.9.46.1.3.1.1.4.1.456 = STRING: "iSCSI-TRAFFIC"
SNMPv2-SMI::enterprises.9.9.46.1.3.1.1.4.1.1002 = STRING: "fddi-default"
SNMPv2-SMI::enterprises.9.9.46.1.3.1.1.4.1.1003 = STRING: "token-ring-default"
SNMPv2-SMI::enterprises.9.9.46.1.3.1.1.4.1.1004 = STRING: "fddinet-default"
SNMPv2-SMI::enterprises.9.9.46.1.3.1.1.4.1.1005 = STRING: "trnet-default"
Manual example of scraping the VLAN IDs:
~]$ snmpbulkwalk -v2c -c cisco 192.168.0.8 1.3.6.1.4.1.9.9.46.1.3.1.1.4 | sed -e 's/.*4.1.\(.*\) =.*/\1/'
1
10
21
100
344
456
1002
1003
1004
1005
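An offline version of the same table join, added here and not code from the answer above: it parses saved snmpwalk text (the output printed above, embedded as SAMPLE so nothing is polled) into per-object tables keyed by instance index, joins the three ipAdEnt columns to ifDescr by ifIndex, and pulls VLAN IDs and names out of the vtpVlanName rows. The parser is illustrative Python and assumes the default net-snmp output format shown above.

```python
"""Join IP-MIB address rows to IF-MIB names and list VTP VLAN names from
saved snmpwalk output.

Added example, not code from the answer above.  SAMPLE is the walk output
shown above, embedded so the script runs offline; the join is the one the
shell script performs with snmpget per ifIndex.
"""
import re
from typing import Dict, List, Tuple

# One "<MIB>::<object>.<instance> = <TYPE>: <value>" line as printed by net-snmp.
WALK_LINE = re.compile(
    r"^(?P<obj>[\w-]+::\w+)\.(?P<idx>[\d.]+) = (?P<type>\w+): (?P<val>.*)$"
)

SAMPLE = """\
IP-MIB::ipAdEntAddr.10.30.46.1 = IpAddress: 10.30.46.1
IP-MIB::ipAdEntAddr.25.255.25.254 = IpAddress: 25.255.25.254
IP-MIB::ipAdEntAddr.55.44.33.22 = IpAddress: 55.44.33.22
IP-MIB::ipAdEntAddr.172.31.10.10 = IpAddress: 172.31.10.10
IP-MIB::ipAdEntNetMask.10.30.46.1 = IpAddress: 255.255.255.0
IP-MIB::ipAdEntNetMask.25.255.25.254 = IpAddress: 255.255.255.0
IP-MIB::ipAdEntNetMask.55.44.33.22 = IpAddress: 255.255.255.0
IP-MIB::ipAdEntNetMask.172.31.10.10 = IpAddress: 255.255.255.0
IP-MIB::ipAdEntIfIndex.10.30.46.1 = INTEGER: 1
IP-MIB::ipAdEntIfIndex.25.255.25.254 = INTEGER: 5
IP-MIB::ipAdEntIfIndex.55.44.33.22 = INTEGER: 6
IP-MIB::ipAdEntIfIndex.172.31.10.10 = INTEGER: 7
IF-MIB::ifDescr.1 = STRING: FastEthernet0/0
IF-MIB::ifDescr.2 = STRING: FastEthernet0/1
IF-MIB::ifDescr.4 = STRING: Null0
IF-MIB::ifDescr.5 = STRING: Loopback0
IF-MIB::ifDescr.6 = STRING: Tunnel10
IF-MIB::ifDescr.7 = STRING: Dialer1
IF-MIB::ifDescr.8 = STRING: Virtual-Access1
SNMPv2-SMI::enterprises.9.9.46.1.3.1.1.4.1.1 = STRING: "default"
SNMPv2-SMI::enterprises.9.9.46.1.3.1.1.4.1.10 = STRING: "VLAN0010"
SNMPv2-SMI::enterprises.9.9.46.1.3.1.1.4.1.100 = STRING: "VLAN0100"
SNMPv2-SMI::enterprises.9.9.46.1.3.1.1.4.1.456 = STRING: "iSCSI-TRAFFIC"
SNMPv2-SMI::enterprises.9.9.46.1.3.1.1.4.1.1005 = STRING: "trnet-default"
"""

# vtpVlanName = enterprises.9.9.46.1.3.1.1.4, then <managementDomain>.<vlanId>
VTP_VLAN_NAME = ["9", "9", "46", "1", "3", "1", "1", "4"]


def parse_walk(text: str) -> Dict[str, Dict[str, str]]:
    """Return {object: {instance: value}}.  STRING values lose their quotes;
    lines that do not look like a varbind (e.g. 'No Such Object') are skipped."""
    table: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        m = WALK_LINE.match(line.strip())
        if not m:
            continue
        val = m["val"]
        if m["type"] == "STRING" and len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        table.setdefault(m["obj"], {})[m["idx"]] = val
    return table


def interface_addresses(walk: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(ifDescr, address, mask) per address.  The three ipAdEnt columns share the
    address as instance index; ifDescr is keyed by the ifIndex that column gives.
    An ifIndex with no ifDescr row is reported by number instead of being dropped."""
    addrs = walk.get("IP-MIB::ipAdEntAddr", {})
    masks = walk.get("IP-MIB::ipAdEntNetMask", {})
    ifidx = walk.get("IP-MIB::ipAdEntIfIndex", {})
    names = walk.get("IF-MIB::ifDescr", {})
    rows = []
    for idx, addr in addrs.items():
        i = ifidx.get(idx)
        rows.append((names.get(i, f"ifIndex {i}"), addr, masks.get(idx, "")))
    return rows


def vlan_names(walk: Dict[str, Dict[str, str]]) -> Dict[int, str]:
    """Without CISCO-VTP-MIB loaded, net-snmp prints the whole OID tail after
    'enterprises' as the instance, so the VLAN ID is its last component."""
    out: Dict[int, str] = {}
    for idx, name in walk.get("SNMPv2-SMI::enterprises", {}).items():
        parts = idx.split(".")
        if parts[:8] == VTP_VLAN_NAME and len(parts) == 10:
            out[int(parts[9])] = name
    return out


if __name__ == "__main__":
    walk = parse_walk(SAMPLE)
    for name, addr, mask in interface_addresses(walk):
        print(f"{name}: {addr} {mask}")
    for vid, name in sorted(vlan_names(walk).items()):
        print(f"VLAN {vid}: {name}")
```

Feed it real output with `snmpbulkwalk ... | python3 this_script.py` after swapping SAMPLE for `sys.stdin.read()`. The walks above use an SNMPv2c community string, which travels in cleartext and is the only credential; on a real poller prefer SNMPv3 with authentication and privacy and restrict which hosts may poll, which is the point of the answer that follows.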
Best Answer
The problem is that you don't have the access option on the ASA snmp-server user command like you do on IOS. As Ricky Beam points out, you use the snmp-server host command to restrict the host access. See the Cisco ASA Series CLI Configuration Guide, 9.0: