Cisco – Connectivity issues/L3 switch

ciscopfsenserouting

I'm having issues with connectivity on my home lab network after trying a different setup. Can't connect to the pfsense box from LAN, though pfsense can reach all the way to the LAN network.

From the viewpoint of my laptop:

ping 192.168.1.1 From laptop to fa 1/0/1 interface
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=255 time=1.290 ms
64 bytes from 192.168.1.1: icmp_seq=1 ttl=255 time=1.281 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=255 time=1.865 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=255 time=3.229 ms

ping 192.168.1.43 From laptop to fa 1/0/2 interface
PING 192.168.1.43 (192.168.1.43): 56 data bytes
64 bytes from 192.168.1.43: icmp_seq=0 ttl=255 time=1.256 ms
64 bytes from 192.168.1.43: icmp_seq=1 ttl=255 time=1.606 ms
64 bytes from 192.168.1.43: icmp_seq=2 ttl=255 time=1.299 ms
64 bytes from 192.168.1.43: icmp_seq=3 ttl=255 time=1.877 ms

ping 192.168.1.41 From laptop to Pfsense
PING 192.168.1.41 (192.168.1.41): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
Request timeout for icmp_seq 4

Laptop has connectivity to L3 switch but not pfsense box

From the viewpoint of the L3 switch:

ping 192.168.1.1 - From SW to host in LAN

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/7/17 ms

 ping 192.168.1.41 - From SW to Pfsense em1 interface

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.41, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms

 ping 8.8.8.8 - L3 SW to internet

 Type escape sequence to abort.
 Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
 .....
 Success rate is 0 percent (0/5)

Routing table

show ip route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.1.40/29 is directly connected, FastEthernet1/0/2
C       192.168.1.0/28 is directly connected, FastEthernet1/0/1
S*   0.0.0.0/0 is directly connected, FastEthernet1/0/2

running config

Router-L3(config)#do show run
Building configuration...

Current configuration : 3239 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router-L3
!
boot-start-marker
boot-end-marker
!
enable secret 
!
!
!
no aaa new-model
switch 1 provision ws-c3750-48ts
system mtu routing 1500
ip routing
ip name-server 50.116.40.226
ip name-server 104.245.39.112
ip name-server 74.207.232.103
ip name-server 107.170.95.180
ip name-server 8.8.8.8
ip dhcp excluded-address 192.168.1.1 192.168.1.2
!
ip dhcp pool LAN
   network 192.168.1.0 255.255.255.240
   dns-server 50.116.40.226 104.245.39.112
   default-router 192.168.1.1
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
interface FastEthernet1/0/1
 description LAN
 no switchport
 ip address 192.168.1.1 255.255.255.240
!
interface FastEthernet1/0/2
 description TO FW
 no switchport
 ip address 192.168.1.43 255.255.255.248
!
interface FastEthernet1/0/3
!
[...]
interface FastEthernet1/0/48
 shutdown
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan2
 no ip address
 shutdown
!
ip default-gateway 192.168.1.41
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet1/0/2
!
!
line con 0
line vty 5 15
!
end

L3 SW has connectivity to LAN and pfsense box, but not the internet

Viewpoint from PFsense

PING 192.168.1.43 (192.168.1.43): 56 data bytes  - PFsense to L3 fa 1/0/2
64 bytes from 192.168.1.43: icmp_seq=0 ttl=255 time=2.502 ms
64 bytes from 192.168.1.43: icmp_seq=1 ttl=255 time=2.281 ms
64 bytes from 192.168.1.43: icmp_seq=2 ttl=255 time=2.405 ms
64 bytes from 192.168.1.43: icmp_seq=3 ttl=255 time=1.730 ms

--- 192.168.1.43 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 1.730/2.229/2.502/0.299 ms

PING 192.168.1.1 (192.168.1.1): 56 data bytes - PFsense to L3 fa 1/0/1
64 bytes from 192.168.1.1: icmp_seq=0 ttl=255 time=0.571 ms
64 bytes from 192.168.1.1: icmp_seq=1 ttl=255 time=0.537 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=255 time=0.548 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=255 time=0.519 ms

--- 192.168.1.1 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.519/0.544/0.571/0.019 ms

PING 192.168.1.13 (192.168.1.13): 56 data bytes - From PFSense to a host in Lan
64 bytes from 192.168.1.13: icmp_seq=0 ttl=63 time=53.374 ms
64 bytes from 192.168.1.13: icmp_seq=1 ttl=63 time=69.013 ms
64 bytes from 192.168.1.13: icmp_seq=2 ttl=63 time=79.912 ms
64 bytes from 192.168.1.13: icmp_seq=3 ttl=63 time=114.207 ms

--- 192.168.1.13 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 53.374/79.126/114.207/22.342 ms

Firewall config

Routing table

Pf sense has connectivity to internet, and all the way to LAN

I believe it's an issue with the L3 switch, but there's something obvious I'm missing but I can't see it at the moment. Any help would be appreciated.

Best Answer

Beside the Problem, your default route is set in the wrong manner:

...
ip routing
ip classless
...

is on on your switch, ok.

ip default-gateway 192.168.1.41

has no meaning.

But

ip route 0.0.0.0 0.0.0.0 FastEthernet1/0/2

is not good, it should read

ip route 0.0.0.0 0.0.0.0 192.168.1.41

And (my opinion) the switch should not wait for DNS resolution, so i almost allways configure "no ip domain-lookup" (some IOS versions dont like the "-" ) Ok, so you must know the IP-adresses, but logging etc. of events on the device does not depend on external service "DNS" .

BTW, hat NAT been enabled on your PFSense box ?

Related Solutions

Cisco – Output Drops on Serial interface: Better queueing or Output queue size

You're right, you wouldn't really see the burstiness easily on SNMP. 1GE can send 1.48Mpps, so it takes very very little time to congest the the 45Mbps, which can handle less than 75kpps.

If your ingress is 1GE and egress is 45Mbps, then obviously the congestion point of 45Mbps will need to drop packets. This is normal and expected. If you increase buffers you'll introduce more delay.
1GE takes 0.45ms to send 40 1500B IP frames, which is right now the amount of burst you can handle. However dequeueing them on the 45Mbps already takes 10ms.

If you don't have any acute problem, I would probably not do anything about it. But if some traffic is more eligible for dropping than other, then you should replace FIFO with class-based queueing. Say maybe you want to prioritize so that more ftp is dropped and less voip.
Then it'll also make more sense to add more buffering on the ftp traffic, as it's not really sensitive to delay.

If you want to try your luck with deeper buffers, something like this should suffice:

policy-map WAN-OUT
 class class-default
    fair-queue
    queue-limit 200 packets
!
interface Serial1/0
  service-policy output WAN-OUT

This would cause 50ms buffers on the Serial1 and would allow you to handle up-to 2.25ms burst from single Gige interface.

Cisco ASA Routing Issue

Best practice wise - should I let the router or the ASA handle NAT (Overloading)?

In the most general of design best practices NAT is performed between an inside and outside network. NAT overloading is generally performed at the edge when there is limited public IP address space. You can learn more about NAT overloading, also known as Port Address Translation or PAT, in RFC 2663 (PAT is referred to as Network Address Port Translation (NAPT) in section 4.1.2).

In this particular scenario you can argue that you have two inside and outside networks and will need to perform some form of NAT on both the ASA (whether that is the NAT overloading you're using now, NAT exemption, static NAT, etc) and the Cisco Router.

I can ping the 172.16.2.2 interface but not 172.16.2.1 from a pc connected to one of the layer 2 switches (proves intervlan routing is working -- i have a 172.20.100.8 address on the PC). Why can't I ping 172.16.2.1 from a PC but I can from the Layer 3 Switch?

The ASA 172.16.2.2 is receiving the ICMP echo-request but does not have a route back to 172.20.100.0/27. The echo-reply is actually being forwarded to the Router 172.16.1.1 via the default route.

And most of all -- Why can't I get out to the Internet from the Layer 3 switch?

Currently your ASA and Cisco Router do not have routes to internal devices other than their connected routes.

Your ASA configuration:

route outside 0.0.0.0 0.0.0.0 172.16.1.1 1

This will provide a default route via the outside interface, but how will the ASA know how to reach subnets residing behind the Layer 3 Distribution Switch?

You'll need to add routes to the internal subnets via the inside interface using the Layer 3 Distribution Switch as the next-hop IP address.

ASA static routing example:

route inside 172.19.12.0 255.255.255.240 172.16.2.2
route inside 172.19.3.0 255.255.255.0 172.16.2.2
route inside 172.20.100.0 255.255.255.224 172.16.2.2

Your Cisco Router's configuration:

ip route 0.0.0.0 0.0.0.0 200.200.200.200

Additionally, how will your border router know how to reach subnets other than it's connected routes, and the catch all default route via the outside interface's next-hop address 200.200.200.200?

Router static routing example:

ip route 172.19.12.0 255.255.255.240 172.16.1.10
ip route 172.19.3.0 255.255.255.0 172.16.1.10
ip route 172.19.100.0 255.255.255.224 172.16.1.10
ip route 172.16.2.0 255.255.255.224 172.16.1.10