Cisco ASA Routing Issue

Tags: cisco, cisco-asa, firewall, layer3, switch

I am working on a lab right now and am having some issues with ASA routing.

Here is the current network topology:

[Image: Network Topology diagram]

Currently if I login to the console on the ASA or Router I can get outside to the internet no problem. The second I login to the layer 3 switch I can only ping the inside interface of the ASA. This leads me to believe I have issues with the return routing from the ASA.

I want the layer 3 switch to do the intervlan routing (which it is).

This brings up a couple of questions:

  1. Best practice wise – should I let the router or the ASA handle NAT (Overloading)?
  2. I can ping the 172.16.2.2 interface but not 172.16.2.1 from a PC connected to one of the layer 2 switches (proves intervlan routing is working — I have a 172.20.100.8 address on the PC). Why can't I ping 172.16.2.1 from a PC but I can from the Layer 3 Switch?
  3. I cannot get an ip address right now from the DHCP server (windows). Any insight into why?
  4. And most of all — Why can't I get out to the internet from the Layer 3 switch?

Here are concatenated dumps of the configs:

Layer 3 Switch:

version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
service unsupported-transceiver
!
!
!
no aaa new-model
!
ip vrf mgmtVrf
!         
!         
!         
vtp mode transparent
!         
!         
!         
!         
!         
!         
spanning-tree mode pvst
spanning-tree extend system-id
!         
vlan internal allocation policy ascending
!         
vlan 3,12,100 
!         
!         
!         
!         
!         
!         
!         
interface FastEthernet1
 ip vrf forwarding mgmtVrf
 no ip address
 speed auto
 duplex auto
!         
interface GigabitEthernet1/1
 no switchport
 ip address 172.16.2.2 255.255.255.224
!         
interface GigabitEthernet1/2
 switchport mode trunk
 shutdown 
!         
interface GigabitEthernet1/3
 switchport mode trunk
!         
interface GigabitEthernet1/4
 switchport mode trunk
!         
interface GigabitEthernet1/5
 switchport mode trunk
!         
interface GigabitEthernet1/6
 switchport mode trunk
!         
interface GigabitEthernet1/7
 switchport mode trunk
!         
interface GigabitEthernet1/8
 switchport mode trunk
!         
interface GigabitEthernet1/9
 switchport mode trunk
!         
interface GigabitEthernet1/10
 switchport mode trunk
!         
interface GigabitEthernet1/11
 switchport mode trunk
!         
interface GigabitEthernet1/12
 switchport mode trunk
!         
interface GigabitEthernet1/13
 switchport mode trunk
!         
interface GigabitEthernet1/14
 shutdown 
!         
interface GigabitEthernet1/15
 shutdown 
!         
interface GigabitEthernet1/16
 shutdown 
!         
interface Vlan1
 no ip address
!         
interface Vlan3
 ip address 172.19.3.1 255.255.255.0
 ip helper-address 172.20.100.27
!     
interface Vlan12
 ip address 172.19.12.1 255.255.255.240
 ip helper-address 172.20.100.27
!        
interface Vlan100
 ip address 172.20.100.1 255.255.255.224
 ip helper-address 172.20.100.27
!         
!         
no ip http server
ip route 0.0.0.0 0.0.0.0 172.16.2.1
!         
!         
!         
!     
line con 0
 logging synchronous
 stopbits 1
line vty 0 4
 login    
!         
end

ASA:

ASA Version 8.6(1)2 
!
hostname ciscoasa
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.16.1.10 255.255.255.0 
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.16.2.1 255.255.255.224 
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown     
 no nameif    
 no security-level
 no ip address
!             
interface GigabitEthernet0/4
 shutdown     
 no nameif    
 no security-level
 no ip address
!             
interface GigabitEthernet0/5
 shutdown     
 no nameif    
 no security-level
 no ip address
!             
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only

ftp mode passive
object network OBJ_GENERIC_ALL
 subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
no failover   
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic OBJ_GENERIC_ALL interface
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5 
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!             
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn        
!             
class-map inspection_default
 match default-inspection-traffic
!             
!             
policy-map type inspect dns preset_dns_map
parameters   
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!             
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous

Router Config:

version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no platform punt-keepalive disable-kernel-core
!
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!         
!         
no aaa new-model
!         
!         
!         
!         
!         


!         
!         
!         
!         
!         
multilink bundle-name authenticated
!         
!         
!         
!         
!         
!         
!         
!         
!         
redundancy
 mode none
!         
!         
!         
ip tftp source-interface GigabitEthernet0
!         
!         
!         
!         
!         
!         
!         
interface GigabitEthernet0/0/0
 ip address 204.28.125.74 255.255.255.252
 ip nat outside
 negotiation auto
!         
interface GigabitEthernet0/0/1
 no ip address
 shutdown 
 negotiation auto
!         
interface GigabitEthernet0/0/2
 no ip address
 shutdown 
 negotiation auto
!         
interface GigabitEthernet0/0/3
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
 negotiation auto
!         
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown 
 negotiation auto
!         
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
!         
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 200.200.200.200
!         
access-list 1 permit 172.16.1.0 0.0.0.255
!         
!         
!         
control-plane
!         
!         
line con 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login    
!         
!         
end       

Best Answer

Best practice wise - should I let the router or the ASA handle NAT (Overloading)?

In the most general of design best practices NAT is performed between an inside and outside network. NAT overloading is generally performed at the edge when there is limited public IP address space. You can learn more about NAT overloading, also known as Port Address Translation or PAT, in RFC 2663 (PAT is referred to as Network Address Port Translation (NAPT) in section 4.1.2).

In this particular scenario you can argue that you have two inside and outside networks and will need to perform some form of NAT on both the ASA (whether that is the NAT overloading you're using now, NAT exemption, static NAT, etc) and the Cisco Router.

I can ping the 172.16.2.2 interface but not 172.16.2.1 from a PC connected to one of the layer 2 switches (proves intervlan routing is working -- I have a 172.20.100.8 address on the PC). Why can't I ping 172.16.2.1 from a PC but I can from the Layer 3 Switch?

The ASA 172.16.2.2 is receiving the ICMP echo-request but does not have a route back to 172.20.100.0/27. The echo-reply is actually being forwarded to the Router 172.16.1.1 via the default route.

And most of all -- Why can't I get out to the Internet from the Layer 3 switch?

Currently your ASA and Cisco Router do not have routes to internal devices other than their connected routes.

Your ASA configuration:

route outside 0.0.0.0 0.0.0.0 172.16.1.1 1

This will provide a default route via the outside interface, but how will the ASA know how to reach subnets residing behind the Layer 3 Distribution Switch?

You'll need to add routes to the internal subnets via the inside interface using the Layer 3 Distribution Switch as the next-hop IP address.

ASA static routing example:

route inside 172.19.12.0 255.255.255.240 172.16.2.2
route inside 172.19.3.0 255.255.255.0 172.16.2.2
route inside 172.20.100.0 255.255.255.224 172.16.2.2

Further reading: ASA static routing

Your Cisco Router's configuration:

ip route 0.0.0.0 0.0.0.0 200.200.200.200

Additionally, how will your border router know how to reach subnets other than its connected routes and the catch-all default route via the outside interface's next-hop address 200.200.200.200?

Router static routing example:

ip route 172.19.12.0 255.255.255.240 172.16.1.10
ip route 172.19.3.0 255.255.255.0 172.16.1.10
ip route 172.20.100.0 255.255.255.224 172.16.1.10
ip route 172.16.2.0 255.255.255.224 172.16.1.10

Further reading: ISR static routing

I cannot get an ip address right now from the DHCP server (Windows). Any insight into why?

Ensure you have end-to-end IP reachability between the client(s) sending DHCP discover messages and the DHCP server.

From what I can gather from your topology and configuration, the subnets 172.19.3.0/24, 172.19.12.0/28 and 172.20.100.0/27 should have no issues connecting to each other (assuming they are configured to use their respective default gateways) from a networking perspective.

You can remove the ip helper-address command from the SVI 100 given that the DHCP server is on the same segment; that command is used to relay DHCP to server(s) that are on a different segment.

interface Vlan100
 ip address 172.20.100.1 255.255.255.224
 ip helper-address 172.20.100.27
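To make the return-routing point concrete, the following is an added example (not code from the question or the answer) that rebuilds the three devices' routing tables from the posted configs, does a longest-prefix-match lookup on each, and walks a packet hop by hop. It assumes the routes the answer suggests are added to the ASA ("after") and uses 198.51.100.10 as a constructed internet address; device names and the OWNERS map are assumptions derived from the interface configs.

```python
import ipaddress

# Routing tables reconstructed from the posted configs: connected routes plus
# the static routes shown. Entries are (prefix, exit interface, next hop);
# a next hop of None means the prefix is directly connected.
L3_SWITCH = [
    ("172.16.2.0/27", "Gi1/1", None), ("172.19.3.0/24", "Vlan3", None),
    ("172.19.12.0/28", "Vlan12", None), ("172.20.100.0/27", "Vlan100", None),
    ("0.0.0.0/0", "Gi1/1", "172.16.2.1"),
]
ROUTER = [("204.28.125.72/30", "Gi0/0/0", None), ("172.16.1.0/24", "Gi0/0/3", None),
          ("0.0.0.0/0", "Gi0/0/0", "200.200.200.200")]
ASA_BEFORE = [("172.16.1.0/24", "outside", None), ("172.16.2.0/27", "inside", None),
              ("0.0.0.0/0", "outside", "172.16.1.1")]
# The "route inside ..." statements the answer suggests adding to the ASA.
ASA_AFTER = ASA_BEFORE + [("172.19.12.0/28", "inside", "172.16.2.2"),
                          ("172.19.3.0/24", "inside", "172.16.2.2"),
                          ("172.20.100.0/27", "inside", "172.16.2.2")]
# Which lab device owns each next-hop address (assumed from the interface configs).
OWNERS = {"172.16.2.1": "asa", "172.16.1.10": "asa",
          "172.16.2.2": "l3switch", "172.16.1.1": "router"}

def lookup(table, dst):
    """Longest-prefix match; returns (interface, next_hop) or None if no route."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, iface, nh in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, nh)
    return None if best is None else (best[1], best[2])

def trace(device, dst, tables, max_hops=8):
    """Follow a packet hop by hop until it is delivered on a connected
    interface, dropped, or handed to an address no lab device owns."""
    path = [device]
    for _ in range(max_hops):
        hit = lookup(tables[device], dst)
        if hit is None:
            return path + ["dropped: no route"]
        iface, nh = hit
        if nh is None:
            return path + [f"delivered on {device} {iface}"]
        if nh not in OWNERS:
            return path + [f"forwarded to {nh}, outside the lab"]
        device = OWNERS[nh]
        path.append(device)
    return path + ["loop"]

BEFORE = {"l3switch": L3_SWITCH, "router": ROUTER, "asa": ASA_BEFORE}
AFTER = {"l3switch": L3_SWITCH, "router": ROUTER, "asa": ASA_AFTER}
```

Tracing the echo reply for the PC at 172.20.100.8 from the ASA shows it leaving via the router's default route before the fix and reaching Vlan100 on the switch after it, which is why the PC cannot ping 172.16.2.1 while the switch itself (directly connected) can.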