Hello, I am new to Cisco ASAs and Dell PowerConnects. Yet somehow I find myself setting these up without much success. A friend helped me with the switches, so I think they are mostly working correctly.
The basic setup is a Cisco ASA, with the internet plugged into eth0/0. There are two Dell PowerConnects connected to eth0/1 and eth0/2. My friend set up LAG between the two switches, and that seems to be working pretty well. In other words, I am on one switch, and I can get to something on the other switch.
At this point, I am just trying to SSH into an outside IP address, 172.16.1.90, and get to an internal address on a VLAN, 10.1.132.32 (aka the static route). From the logs, it looks like the Cisco ASA is not even trying to send that traffic to either of the Dell PowerConnects. Furthermore, I am trying to get connectivity out from IP 10.1.132.32 to the world.
I did have a Cisco ASA configuration that basically worked without using VLANs, but I would really like to do this with VLANs to keep my internal networks separate.
Is there something that is clearly wrong with my configuration? I have tried to open up and simplify the configuration as much as I can. Also, is there anything specific I need to do on the PowerConnect switch to make it work with the Cisco ASA?
Here is the Cisco ASA configuration:
ASA Version 7.0(7)
!
dns-guard
!
interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 172.16.1.67 255.255.255.224
!
interface Ethernet0/1
 no nameif
 security-level 100
 no ip address
!
interface Ethernet0/1.10
 vlan 10
 nameif sw01_network
 security-level 100
 ip address 10.1.10.1 255.255.255.0
!
interface Ethernet0/1.132
 vlan 132
 nameif api_network
 security-level 100
 ip address 10.1.132.1 255.255.255.0
!
interface Ethernet0/1.228
 vlan 228
 nameif test2_network
 security-level 100
 ip address 10.1.228.1 255.255.255.0
!
interface Ethernet0/2
 speed 100
 no nameif
 security-level 100
 no ip address
!
interface Ethernet0/2.11
 vlan 11
 nameif sw02_network
 security-level 100
 ip address 10.1.11.1 255.255.255.0
!
interface Ethernet0/2.20
 vlan 20
 nameif test_network
 security-level 100
 ip address 10.1.20.1 255.255.255.0
!
interface Ethernet0/2.52
 vlan 52
 nameif retail_network
 security-level 100
 ip address 10.1.52.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network vlan-test
network-object host 10.1.228.4
network-object host 10.1.228.11
object-group network vlan-api
network-object host 10.1.132.32
object-group network vlan-corp
network-object host 10.1.20.34
object-group network vlan-retail
network-object host 10.1.52.33
access-list outside_access_in extended permit tcp any any eq ssh
access-list outside_access_in extended permit tcp any any
access-list ANY extended permit tcp any any
access-list ANY extended permit udp any any
access-list ANY extended permit icmp any any
access-list LIMIT_IN extended permit tcp any any eq ssh
access-list outside_ssh_in extended permit tcp any eq ssh any eq ssh
access-list outside_access_out extended permit tcp any any
access-list outside_access_out extended permit icmp any any
access-list outside_access_out extended permit udp any any
pager lines 24
logging enable
logging timestamp
logging console debugging
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu test2_network 1500
mtu management 1500
mtu test_network 1500
mtu retail_network 1500
mtu api_network 1500
mtu sw01_network 1500
mtu sw02_network 1500
icmp permit any outside
icmp permit any test2_network
icmp permit any retail_network
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (outside) 1 172.16.1.70-172.16.1.72
global (outside) 228 172.16.1.90-172.16.1.92
nat (api_network) 1 0.0.0.0 0.0.0.0
static (api_network,outside) tcp 172.16.1.90 ssh 10.1.132.32 ssh netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
access-group LIMIT_IN in interface test2_network
access-group ANY out interface test2_network
access-group LIMIT_IN in interface test_network
access-group ANY out interface test_network
access-group LIMIT_IN in interface retail_network
access-group ANY out interface retail_network
access-group LIMIT_IN in interface api_network
access-group ANY out interface api_network
access-group LIMIT_IN in interface sw01_network
access-group ANY out interface sw01_network
access-group LIMIT_IN in interface sw02_network
access-group ANY out interface sw02_network
route outside 0.0.0.0 0.0.0.0 172.16.1.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server gv protocol ldap
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp retail_network
console timeout 0
management-access management
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
Any help would be greatly appreciated!
Thanks ahead of time,
Aaron
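An added note and worked example, not part of Aaron's post. Reading the configuration as pasted, nothing in it blocks the port static for 172.16.1.90 -> 10.1.132.32: outside_access_in permits tcp any any (pre-8.3 ASA matches the inbound ACL against the mapped address), the static exists, and ANY is bound outbound on api_network. What the ASA config cannot show is the layer-2 side. Each subinterface (Ethernet0/1.132 and the others) sends and expects 802.1Q-tagged frames with that VLAN ID, so the PowerConnect ports facing Ethernet0/1 and Ethernet0/2 must be trunk ports carrying VLANs 10, 132, 228 and 11, 20, 52 tagged, and 10.1.132.32 must sit on an access port in VLAN 132 with 10.1.132.1 as its default gateway. If `show arp` on the ASA never learns 10.1.132.32 on api_network while `show interface` reports Ethernet0/1 up, the VLAN tagging on the switch is the first thing to check. Two things in the ASA config itself are worth fixing regardless: LIMIT_IN permits only TCP/22 and is bound inbound on every inside interface, so a host on 10.1.132.0/24 can open nothing towards the world except SSH (no DNS, no ICMP), which matches the second symptom; and `permit tcp any any` inbound on outside currently exposes only what a static publishes (172.16.1.90 tcp/22), but any static added later is wide open from the start, so the `eq ssh` line above it is the rule to keep. Ethernet0/2 also forces speed 100 without a duplex setting while Ethernet0/0 sets both; that is worth matching against the PowerConnect port.

The script below, written for this note rather than taken from Cisco or from the post, parses an excerpt of the pasted configuration and reports those findings plus a few others a reviewer would flag: the global pool 228 that no nat statement references, the static address 172.16.1.90 sitting inside that pool, inside interfaces with no nat or static of their own, and an ACL that is defined but never bound. The parser and the finding codes are the script's own, not ASA vocabulary.

```python
"""Offline lint for a pre-8.3 Cisco ASA config (nat/global/static syntax). Added
example for the post above, not Cisco tooling; it reports (code, subject, detail)."""
import ipaddress

# Excerpt of the configuration in the post, trimmed to three interfaces.
ASA_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 172.16.1.67 255.255.255.224
interface Ethernet0/1.132
 vlan 132
 nameif api_network
 security-level 100
 ip address 10.1.132.1 255.255.255.0
interface Ethernet0/2.20
 vlan 20
 nameif test_network
 security-level 100
 ip address 10.1.20.1 255.255.255.0
access-list outside_access_in extended permit tcp any any eq ssh
access-list outside_access_in extended permit tcp any any
access-list ANY extended permit tcp any any
access-list LIMIT_IN extended permit tcp any any eq ssh
access-list outside_ssh_in extended permit tcp any eq ssh any eq ssh
global (outside) 1 172.16.1.70-172.16.1.72
global (outside) 228 172.16.1.90-172.16.1.92
nat (api_network) 1 0.0.0.0 0.0.0.0
static (api_network,outside) tcp 172.16.1.90 ssh 10.1.132.32 ssh netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group LIMIT_IN in interface test_network
access-group LIMIT_IN in interface api_network
access-group ANY out interface api_network
"""

# Sub-commands of an "interface" block, matched by keyword so lost indentation is harmless.
IF_SUBCMDS = {"nameif", "security-level", "ip", "vlan", "speed", "duplex", "no", "shutdown", "management-only"}


def parse(text):
    """Collect interfaces, ACL rules, access-groups and NAT statements."""
    c = {"ifaces": {}, "acls": {}, "groups": {}, "globals": {},
         "nat_ids": set(), "nat_ifaces": set(), "statics": []}
    cur = None
    for w in filter(None, map(str.split, text.splitlines())):
        if w[0] == "interface":
            cur = c["ifaces"].setdefault(w[1], {"name": None, "level": 0})
        elif cur is not None and w[0] in IF_SUBCMDS:
            if w[0] == "nameif":
                cur["name"] = w[1]
            elif w[0] == "security-level":
                cur["level"] = int(w[1])
        else:
            cur = None
            if w[0] == "access-list":              # keep the words after "extended"
                c["acls"].setdefault(w[1], []).append(w[3:])
            elif w[0] == "access-group":           # (interface, direction) -> ACL name
                c["groups"][(w[4], w[2])] = w[1]
            elif w[0] == "global":                 # pool id -> (first, last) address
                lo, hi = (ipaddress.ip_address(a) for a in w[3].split("-"))
                c["globals"][w[2]] = (lo, hi)
            elif w[0] == "nat":
                c["nat_ids"].add(w[2])
                c["nat_ifaces"].add(w[1].strip("()"))
            elif w[0] == "static":                 # port statics carry a protocol word
                mapped, real = (w[3], w[5]) if w[2] in ("tcp", "udp") else (w[2], w[3])
                c["nat_ifaces"].add(w[1].strip("()").split(",")[0])
                c["statics"].append((ipaddress.ip_address(mapped), real))
    return c


def audit(text):
    """Return (code, subject, detail) findings; the codes are this script's own."""
    c = parse(text)
    named = {i["name"]: i for i in c["ifaces"].values() if i["name"]}
    out = [("GLOBAL_UNUSED", g, "no nat statement references this pool")
           for g in c["globals"] if g not in c["nat_ids"]]
    out += [("STATIC_IN_GLOBAL", str(m), f"static for {r} sits inside global pool {g}")
            for m, r in c["statics"] for g, (lo, hi) in c["globals"].items() if lo <= m <= hi]
    out += [("NO_NAT", n, "no nat/static: outbound is dropped (nat-control) or leaves untranslated")
            for n, i in named.items() if i["level"] > 0 and n not in c["nat_ifaces"]]
    out += [("ACL_UNUSED", a, "defined but bound to no interface")
            for a in c["acls"] if a not in c["groups"].values()]
    for ifname, acl in [(i, a) for (i, d), a in c["groups"].items() if d == "in"]:
        permits = [r for r in c["acls"].get(acl, []) if r[0] == "permit"]
        # on the outside (security-level 0): whole protocols from any to any, no port
        wide = [r[1] for r in permits if r[1:] == [r[1], "any", "any"]]
        if named[ifname]["level"] == 0 and wide:
            out.append(("OUTSIDE_ANY", ifname, f"{acl} permits all {','.join(wide)} any to any"))
        # inside: hosts may only open what the inbound ACL lists; no UDP means no DNS
        if named[ifname]["level"] > 0 and not any(r[1] in ("udp", "ip") for r in permits):
            out.append(("ACL_NO_UDP", ifname, f"{acl} lets hosts start no UDP at all"))
    return out


if __name__ == "__main__":
    print(*audit(ASA_CONFIG), sep="\n")
```

Running it prints one finding per line. The parser only reads interface, access-list, access-group, global, nat and static lines and skips everything else, so the full configuration from the post can be dropped into ASA_CONFIG unchanged. The ANY rules bound out on the inside interfaces are deliberately not inspected: the ASA's stateful engine admits return traffic on its own, so the outbound policy of an inside VLAN is whatever ACL is bound in on that interface, which here is LIMIT_IN.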