Routing Issues: Can Ping Core Switch but Not Firewall – Troubleshooting

Tags: cisco-catalyst, routing, switch

We have a setup with 4 total sites all connected back to one, 2 via fiber and one via a wireless link. The link with the wireless bridge also needs a vlan (269) from our main site, so we set it up as a trunk instead of a link.

               4507-2
                 ^
                 |
WAN -> Sonicwall -> 4507 -> 3560
                 |
                 v
               4507-3

Cannot ping from 3560 to Sonicwall or external.
Can ping from 3560 to all 4507 switches.
Can ping from Firewall to 3560.

4507 Configuration

interface GigabitEthernet1/1
 description *SONICWALL*
 switchport access vlan 100
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast

interface GigabitEthernet2/46
 description **Trunk to 3560**
 switchport trunk allowed vlan 269,300
 switchport mode trunk

interface Vlan100
 ip address 10.1.100.1 255.255.252.0
 ip helper-address 10.1.104.10

interface Vlan269
 no ip address
 shutdown

interface Vlan300
 ip address 172.20.20.9 255.255.255.252

ip default-gateway 10.1.100.254
ip route 0.0.0.0 0.0.0.0 10.1.100.254
ip route 10.4.100.0 255.255.252.0 172.20.20.10

3560 Configuration
ip routing

interface GigabitEthernet0/24
 description Trunk to 4507
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 269,300
 switchport mode trunk

interface Vlan100
 ip address 10.4.100.1 255.255.252.0
 ip helper-address 10.1.104.10

interface Vlan300
 ip address 172.20.20.10 255.255.255.252

ip classless
ip route 0.0.0.0 0.0.0.0 172.20.20.9
ip route 10.1.100.0 255.255.252.0 172.20.20.9

4507 routes

4507#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.1.100.254 to network 0.0.0.0

S    192.168.110.0/24 [1/0] via 10.1.104.180
     172.20.0.0/30 is subnetted, 3 subnets
C       172.20.20.8 is directly connected, Vlan300
     10.0.0.0/22 is subnetted, 20 subnets
S       10.4.100.0 [1/0] via 172.20.20.10
C       10.1.100.0 is directly connected, Vlan100
S*   0.0.0.0/0 [1/0] via 10.1.100.254

3560 routes

3560#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 172.20.20.9 to network 0.0.0.0

     172.20.0.0/30 is subnetted, 1 subnets
C       172.20.20.8 is directly connected, Vlan300
     10.0.0.0/22 is subnetted, 10 subnets
C       10.4.100.0 is directly connected, Vlan100
S       10.1.100.0 [1/0] via 172.20.20.9
S*   0.0.0.0/0 [1/0] via 172.20.20.9

Sonicwall also has a route for 10.4.100.0/22 to go to 10.4.100.1

Best Answer

It looks like your problem may be the firewall route.

Sonicwall also has a route for 10.4.100.0/22 to go to 10.4.100.1

You need the firewall route to go to the next hop, 10.1.100.1, not to an address on the route itself. You are telling the firewall how to get to that network, and the address of the next hop for the network cannot be on the network itself because the firewall doesn't know how to get to the network where the next hop is, so the firewall cannot send anything to the next hop.


My two cents, based on experience:

I would actually have a routed link between the firewall and the layer-3 switch, rather than a VLAN, and run a routing protocol between all the layer-3 devices. Static routes just don't scale.

Configure the switch interfaces as layer-3 interfaces, and address them as point-to-point interfaces with /30 or /31 networks. You are using /30 networks on the SVI for the VLANs, but you can run into some problems with delayed detection of link problems using SVIs, and you don't have that if you address on the physical interfaces.

For the 4507, instead of:

interface GigabitEthernet1/1
 description *SONICWALL*
 switchport access vlan 100
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast

Use something like:

interface GigabitEthernet1/1
 description *SONICWALL*
 no switchport
 ip address 172.20.20.13 255.255.255.252

Also, understand that by extending layer-2 VLANs to a remote location, you increase the chances of a layer-2 problem, and the problem will affect two sites instead of one. There is almost nothing today that requires having two hosts on the same layer-2 domain. We live in a layer-3 world, and routing works well. I don't see any advantage to extending the VLAN to a remote location, but I do see some disadvantages to doing it.
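The next-hop resolution rule the accepted answer relies on, as an added worked example (this is not code from the question, the answer, or any vendor). It models how a router resolves a static route: the next hop is looked up recursively until a directly connected route is reached, so a next hop that lies inside the route's own destination prefix can never be resolved. The 4507 table is taken from the posted configuration; the firewall table's interface names (`X0`, `X1`) and WAN addressing (`203.0.113.0/30`) are constructed, and only the two LAN prefixes and the `10.1.100.254` address come from the question. The audit function flags the exact mistake the answer points out, and would catch it before it reaches a device.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    next_hop: Optional[IPv4Address]  # None means directly connected
    interface: str                   # egress interface for connected routes, "" for static


def longest_match(table: List[Route], dest: IPv4Address) -> Optional[Route]:
    """Longest-prefix match, as a FIB lookup does it."""
    candidates = [r for r in table if dest in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen) if candidates else None


def resolve(table: List[Route], dest: str) -> Tuple[str, str]:
    """Return (egress interface, address to ARP for) when forwarding to dest.

    A static route's next hop is looked up recursively until a connected
    route is reached. If the lookup lands back on the same static route
    (next hop inside its own destination prefix) or cycles, the route is
    unresolvable and ValueError is raised.
    """
    addr = ip_address(dest)
    route = longest_match(table, addr)
    if route is None:
        raise ValueError(f"no route to {dest}")
    if route.next_hop is None:
        return route.interface, str(addr)      # connected: ARP for the destination itself
    nh, seen = route.next_hop, set()
    while nh not in seen:
        seen.add(nh)
        via = longest_match(table, nh)
        if via is None or via is route:        # no path, or the route points at itself
            break
        if via.next_hop is None:
            return via.interface, str(nh)      # reached a connected network
        nh = via.next_hop                      # static pointing at static: keep recursing
    raise ValueError(f"next hop {route.next_hop} for {route.prefix} is unresolvable")


def is_resolvable(table: List[Route], dest: str) -> bool:
    try:
        resolve(table, dest)
        return True
    except ValueError:
        return False


def audit_static_routes(table: List[Route]) -> List[str]:
    """Return prefixes of static routes whose next hop is only reachable via the
    route itself, i.e. a next hop placed inside the destination network."""
    return [str(r.prefix) for r in table
            if r.next_hop is not None and longest_match(table, r.next_hop) is r]


# 4507 table, built from the configuration posted in the question.
SW4507 = [
    Route(ip_network("10.1.100.0/22"), None, "Vlan100"),
    Route(ip_network("172.20.20.8/30"), None, "Vlan300"),
    Route(ip_network("10.4.100.0/22"), ip_address("172.20.20.10"), ""),
    Route(ip_network("0.0.0.0/0"), ip_address("10.1.100.254"), ""),
]


def firewall_table(site4_next_hop: str) -> List[Route]:
    """Sonicwall table. X0/X1 and the 203.0.113.0/30 WAN link are constructed."""
    return [
        Route(ip_network("10.1.100.0/22"), None, "X0"),           # LAN toward the 4507
        Route(ip_network("203.0.113.0/30"), None, "X1"),          # constructed WAN link
        Route(ip_network("10.4.100.0/22"), ip_address(site4_next_hop), ""),
        Route(ip_network("0.0.0.0/0"), ip_address("203.0.113.1"), ""),
    ]


BROKEN_FW = firewall_table("10.4.100.1")   # as posted: next hop inside the destination
FIXED_FW = firewall_table("10.1.100.1")    # next hop is the 4507's Vlan100 address


if __name__ == "__main__":
    tables = (("4507", SW4507), ("firewall as posted", BROKEN_FW), ("firewall fixed", FIXED_FW))
    for name, table in tables:
        try:
            print(f"{name}: 10.4.100.1 ->", resolve(table, "10.4.100.1"))
        except ValueError as err:
            print(f"{name}: {err}")
        for bad in audit_static_routes(table):
            print(f"  audit: static route for {bad} can never be resolved")
```

Running it shows the 4507 reaching 10.4.100.1 out Vlan300 via 172.20.20.10, the posted firewall route failing to resolve (and being flagged by the audit), and the corrected route resolving out the LAN interface toward 10.1.100.1. The default route on the 4507 is not flagged because its next hop is covered by the connected Vlan100 prefix, not by the default route itself.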