Background: I am setting up a network for a local church I attend. The setup will be:
Currently ATT DSL –> Motorola 3801HGV set in transparent (bridging) mode –> outside interface of ASA5506 (configured for DHCP from DSL modem) –> inside interface of 5506 (172.16.0.2 IP) –> routed interface on Cisco 3750 (Gi1/0/3).
The 3750 has 3 private networks. All networks can talk to each other without issue. All networks can ping the 172.16.0.2 IP (inside interface of ASA5506). Those three private networks are:
10.1.1.0/24
10.1.2.0/24
10.1.3.0/24
Note: I have single area OSPF running on the 3750 that performs my routing. I have default information originate configured there as well.
I currently have NAT configured on my ASA so that when traffic leaves the outside interface, it is PAT-ed to the external ISP IP (108.x.x.x). I ran packet-tracer to confirm – and packet tracer says it is allowed out – and shows it PAT-ed to the 108.x.x.x IP.
The problem: None of my 10.x.x.x networks can get out to the Internet. If I plug directly into the ATT 5031NV with a statically assigned 192.168.1.x IP (that's the DHCP pool range the 5031NV gives out), I can get out to the Internet with no issues.
I found that I also cannot ping my default (ISP) gateway from my Cisco ASA. See below with updated (11/5/2015) config. I made several changes based on comments from this thread.
Relevant config on Cisco 3750:
SRPC-CORE-OFFICE#sho run | s router ospf
router ospf 1
passive-interface default
no passive-interface GigabitEthernet1/0/3
network 10.1.1.0 0.0.0.255 area 1
network 10.1.2.0 0.0.0.255 area 1
network 10.1.3.0 0.0.0.255 area 1
SRPC-CORE-OFFICE#sho ip route
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
C 10.1.1.0/24 is directly connected, Vlan100
L 10.1.1.1/32 is directly connected, Vlan100
C 10.1.2.0/24 is directly connected, Vlan120
L 10.1.2.1/32 is directly connected, Vlan120
C 10.1.3.0/24 is directly connected, Vlan130
L 10.1.3.1/32 is directly connected, Vlan130
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.0.0/24 is directly connected, GigabitEthernet1/0/3
L 172.16.0.1/32 is directly connected, GigabitEthernet1/0/3
S 192.168.0.0/16 is directly connected, GigabitEthernet1/0/3
S 192.168.5.0/24 is directly connected, GigabitEthernet1/0/3
!
!
SRPC-CORE-OFFICE#sho ip int br | ex un
Interface IP-Address OK? Method Status Protocol
Vlan100 10.1.1.1 YES NVRAM up up
Vlan120 10.1.2.1 YES NVRAM up up
Vlan130 10.1.3.1 YES NVRAM up up
GigabitEthernet1/0/3 172.16.0.1 YES NVRAM up up
!
!
SRPC-CORE-OFFICE#sho vlan br | i active
100 MANAGEMENT active
120 SRPC_WIFI active
130 SRPC_DATA active
Cisco ASA5506 relevant config:
SRPC-FW-01# sho run nat
!
object network obj_any
nat (dmzTest,outside) dynamic interface
router ospf 1
network 7.0.1.0 255.255.255.0 area 1
network 10.1.1.10 255.255.255.255 area 1
network 192.168.1.0 255.255.255.0 area 1
log-adj-changes
default-information originate
!
route dmzTest 10.1.0.0 255.255.224.0 172.16.0.1 1
!
!
SRPC-FW-01# sh int ip br
Interface IP-Address OK? Method Status Protocol
GigabitEthernet1/1 108.225.177.202 YES DHCP up up
GigabitEthernet1/2 172.16.0.2 YES CONFIG up up
!
!
SRPC-FW-01# sho nameif
Interface Name Security
GigabitEthernet1/1 outside 0
GigabitEthernet1/2 dmzTest 100
!
access-list dmzTest-in extended permit tcp any any
access-list dmzTest-in extended permit icmp any any
access-list dmzTest-out extended permit tcp any any
access-list management-in extended permit ip any any
access-list management-out extended permit ip any any
access-list OutsideATT-in extended permit ip any any
access-list OutsideATT-out extended permit ip any any
access-list dmztest-out extended permit icmp any any
access-list outside_inbound_to_SRPC extended deny ip any any
access-list outside_inbound_to_SRPC extended permit ip host 108.225.176.1 any
access-list outside_outbound_to_INET extended permit ip 108.225.176.0 255.255.252.0 any
access-list outside_outbound_to_INET extended permit ip any any
!
!
!
access-group outside_inbound_to_SRPC in interface outside
access-group outside_outbound_to_INET out interface outside
access-group dmzTest-in in interface dmzTest
access-group dmzTest-out out interface dmzTest
access-group OutsideATT-in in interface OutsideATT
access-group OutsideATT-out out interface OutsideATT
access-group management-in in interface management
access-group management-out out interface management
!
SRPC-FW-01# sho route
Gateway of last resort is 108.225.176.1 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 108.225.176.1, outside
S 10.1.0.0 255.255.224.0 [1/0] via 172.16.0.1, dmzTest
C 108.225.176.0 255.255.252.0 is directly connected, outside
L 108.225.177.202 255.255.255.255 is directly connected, outside
C 172.16.0.0 255.255.255.0 is directly connected, dmzTest
L 172.16.0.2 255.255.255.255 is directly connected, dmzTest
Best Answer
First, OSPF is not necessary (or recommended) for such a tiny network. I run much larger networks and still don't bother with dynamic routing.
Second, never, ever, route to a broadcast interface (i.e. ip route 0.0.0.0 0.0.0.0 GigabitEthernet1/0/3). BTW, that's proxy-arp; I'm 1000% certain that is not what you want.
Third, AT&T's 3801 does not have a "bridge mode". And those modems have a particularly nasty bit of brain damage where the IP:MAC table is one-to-one -- a MAC can have only one IP and v.v., which means with a static block each IP must go to a different device.