I am working on a lab right now and am having some issues with ASA routing.
Here is the current network topology:
Currently if I login to the console on the ASA or Router I can get outside to the internet no problem. The second I login to the layer 3 switch I can only ping the inside interface of the ASA. This leads me to believe I have issues with the return routing from the ASA.
I want the layer 3 switch to do the intervlan routing (which it is).
This brings up a couple of questions:
- Best practice wise – should I let the router or the ASA handle NAT (Overloading)?
- I can ping the 172.16.2.2 interface but not 172.16.2.1 from a pc connected to one of the layer 2 switches (proves intervlan routing is working — i have a 172.20.100.8 address on the PC). Why can't I ping 172.16.2.1 from a PC but I can from the Layer 3 Switch?
- I cannot get an ip address right now from the DHCP server (windows). Any insight into why?
- And most of all — Why can't I get out to the internet from the Layer 3 switch?
Here are concatenated dumps of the configs:
Layer 3 Switch:
version 15.1 no service pad service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption service compress-config service unsupported-transceiver ! ! ! no aaa new-model ! ip vrf mgmtVrf ! ! ! vtp mode transparent ! ! ! ! ! ! spanning-tree mode pvst spanning-tree extend system-id ! vlan internal allocation policy ascending ! vlan 3,12,100 ! ! ! ! ! ! ! interface FastEthernet1 ip vrf forwarding mgmtVrf no ip address speed auto duplex auto ! interface GigabitEthernet1/1 no switchport ip address 172.16.2.2 255.255.255.224 ! interface GigabitEthernet1/2 switchport mode trunk shutdown ! interface GigabitEthernet1/3 switchport mode trunk ! interface GigabitEthernet1/4 switchport mode trunk ! interface GigabitEthernet1/5 switchport mode trunk ! interface GigabitEthernet1/6 switchport mode trunk ! interface GigabitEthernet1/7 switchport mode trunk ! interface GigabitEthernet1/8 switchport mode trunk ! interface GigabitEthernet1/9 switchport mode trunk ! interface GigabitEthernet1/10 switchport mode trunk ! interface GigabitEthernet1/11 switchport mode trunk ! interface GigabitEthernet1/12 switchport mode trunk ! interface GigabitEthernet1/13 switchport mode trunk ! interface GigabitEthernet1/14 shutdown ! interface GigabitEthernet1/15 shutdown ! interface GigabitEthernet1/16 shutdown ! interface Vlan1 no ip address ! interface Vlan3 ip address 172.19.3.1 255.255.255.0 ip helper-address 172.20.100.27 ! interface Vlan12 ip address 172.19.12.1 255.255.255.240 ip helper-address 172.20.100.27 ! interface Vlan100 ip address 172.20.100.1 255.255.255.224 ip helper-address 172.20.100.27 ! ! no ip http server ip route 0.0.0.0 0.0.0.0 172.16.2.1 ! ! ! ! line con 0 logging synchronous stopbits 1 line vty 0 4 login ! end
ASA:
ASA Version 8.6(1)2 ! hostname ciscoasa names ! interface GigabitEthernet0/0 nameif outside security-level 0 ip address 172.16.1.10 255.255.255.0 ! interface GigabitEthernet0/1 nameif inside security-level 100 ip address 172.16.2.1 255.255.255.224 ! interface GigabitEthernet0/2 shutdown no nameif no security-level no ip address ! interface GigabitEthernet0/3 shutdown no nameif no security-level no ip address ! interface GigabitEthernet0/4 shutdown no nameif no security-level no ip address ! interface GigabitEthernet0/5 shutdown no nameif no security-level no ip address ! interface Management0/0 nameif management security-level 100 ip address 192.168.1.1 255.255.255.0 management-only ftp mode passive object network OBJ_GENERIC_ALL subnet 0.0.0.0 0.0.0.0 pager lines 24 logging asdm informational mtu management 1500 mtu outside 1500 mtu inside 1500 no failover icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-66114.bin no asdm history enable arp timeout 14400 nat (inside,outside) source dynamic OBJ_GENERIC_ALL interface route outside 0.0.0.0 0.0.0.0 172.16.1.1 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy user-identity default-domain LOCAL http server enable http 192.168.1.0 255.255.255.0 management no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart telnet timeout 5 ssh timeout 5 console timeout 0 dhcpd address 192.168.1.2-192.168.1.254 management dhcpd enable management ! threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept webvpn ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options ! service-policy global_policy global prompt hostname context no call-home reporting anonymous
Router Config:
version 15.3 service timestamps debug datetime msec service timestamps log datetime msec service password-encryption no platform punt-keepalive disable-kernel-core ! ! boot-start-marker boot-end-marker ! ! vrf definition Mgmt-intf ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! ! no aaa new-model ! ! ! ! ! ! ! ! ! ! multilink bundle-name authenticated ! ! ! ! ! ! ! ! ! redundancy mode none ! ! ! ip tftp source-interface GigabitEthernet0 ! ! ! ! ! ! ! interface GigabitEthernet0/0/0 ip address 204.28.125.74 255.255.255.252 ip nat outside negotiation auto ! interface GigabitEthernet0/0/1 no ip address shutdown negotiation auto ! interface GigabitEthernet0/0/2 no ip address shutdown negotiation auto ! interface GigabitEthernet0/0/3 ip address 172.16.1.1 255.255.255.0 ip nat inside negotiation auto ! interface GigabitEthernet0 vrf forwarding Mgmt-intf no ip address shutdown negotiation auto ! ip nat inside source list 1 interface GigabitEthernet0/0/0 overload ip forward-protocol nd ! no ip http server no ip http secure-server ip route 0.0.0.0 0.0.0.0 200.200.200.200 ! access-list 1 permit 172.16.1.0 0.0.0.255 ! ! ! control-plane ! ! line con 0 logging synchronous stopbits 1 line aux 0 stopbits 1 line vty 0 4 login ! ! end
Best Answer
In the most general of design best practices NAT is performed between an inside and outside network. NAT overloading is generally performed at the edge when there is limited public IP address space. You can learn more about NAT overloading, also known as Port Address Translation or PAT, in RFC 2663 (PAT is referred to as Network Address Port Translation (NAPT) in section 4.1.2).
In this particular scenario you can argue that you have two inside and outside networks and will need to perform some form of NAT on both the ASA (whether that is the NAT overloading you're using now, NAT exemption, static NAT, etc) and the Cisco Router.
The ASA
172.16.2.2
is receiving the ICMP echo-request but does not have a route back to172.20.100.0/27
. The echo-reply is actually being forwarded to the Router172.16.1.1
via the default route.Currently your ASA and Cisco Router do not have routes to internal devices other than their connected routes.
Your ASA configuration:
This will provide a default route via the outside interface, but how will the ASA know how to reach subnets residing behind the Layer 3 Distribution Switch?
You'll need to add routes to the internal subnets via the inside interface using the Layer 3 Distribution Switch as the next-hop IP address.
ASA static routing example:
Further reading: ASA static routing
Your Cisco Router's configuration:
Additionally, how will your border router know how to reach subnets other than it's connected routes, and the catch all default route via the outside interface's next-hop address
200.200.200.200
?Router static routing example:
Further reading: ISR static routing
Ensure you have end-to-end IP reachability between the client(s) sending DHCP discover messages and the DHCP server.
From what I can gather from your topology and configuration, the subnets
172.19.3.0/24
,172.19.12.0/28
and172.20.100.0/27
should have no issues connecting to each other (assuming they are configured to use their respective default gateways) from a networking perspective.You can remove the
ip helper-address
syntax from the SVI 100 given that the DHCP server is on the same segment and that command is used for a DHCP server(s) that is on a different segment.