Trying to connect an ASA to a Dell N4032 Layer 3 switch to do all inter-VLAN routing.
The switch can’t do a routed port so tried a vlan and it is not working.
ASA-1
interface Ethernet1/2
nameif inside
security-level 100
ip address 192.168.30.1 255.255.255.0
route inside 172.17.0.0 255.255.0.0 172.17.0.0 1
route inside 172.18.0.0 255.255.0.0 172.18.0.0 1
route inside 172.19.0.0 255.255.0.0 172.19.0.0 1
SW-1
ip routing
interface vlan 1
exit
interface vlan 10
ip address 10.10.10.1 255.255.255.0
exit
interface vlan 17
ip address 172.17.1.1 255.255.0.0
ip netdirbcast
bandwidth 10000
exit
interface vlan 18
ip address 172.18.1.1 255.255.0.0
ip netdirbcast
bandwidth 10000
exit
interface vlan 19
ip address 172.19.1.1 255.255.0.0
ip netdirbcast
bandwidth 10000
exit
interface vlan 303
ip address 192.168.30.3 255.255.255.0
exit
!Cannot use a L3 routed port /30 address so use a vlan
interface Te1/0/21
switchport access vlan 303
exit
ip route 0.0.0.0 0.0.0.0 192.168.30.1
SW-1console#ping 192.168.30.1
Pinging 192.168.30.1 with 0 bytes of data:
Reply From 192.168.30.1: icmp_seq = 0. time= 2119 usec.
Reply From 192.168.30.1: icmp_seq = 1. time= 1644 usec.
Reply From 192.168.30.1: icmp_seq = 2. time= 1603 usec.
Reply From 192.168.30.1: icmp_seq = 3. time= 1874 usec.
----192.168.30.1 PING statistics----
4 packets transmitted, 4 packets received, 0% packet loss
round-trip (msec) min/avg/max = 1/1/2
fp2110asa# ping 192.168.30.33
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.33, timeout is 2 seconds:
????
Success rate is 0 percent (0/4)
fp2110asa# ping 192.168.30.33
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.33, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
fp2110asa# ping 172.17.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.17.1.1, timeout is 2 seconds:
fp2110asa# sho route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
SI - Static InterVRF, BI - BGP InterVRF
Gateway of last resort is not set
S 172.17.0.0 255.255.0.0 [1/0] via 172.17.0.0, inside
S 172.18.0.0 255.255.0.0 [1/0] via 172.18.0.0, inside
S 172.19.0.0 255.255.0.0 [1/0] via 172.19.0.0, inside
C 192.168.30.0 255.255.255.0 is directly connected, inside
L 192.168.30.1 255.255.255.255 is directly connected, inside
Update:
Got the first part working - single ASA to the switch stack by using this:
ASA-1
interface Ethernet1/2
nameif inside
security-level 100
ip address 192.168.7.1 255.255.255.252
!
route inside 172.17.0.0 255.255.0.0 192.168.7.2 1
route inside 172.18.0.0 255.255.0.0 192.168.7.2 1
route inside 172.19.0.0 255.255.0.0 192.168.7.2 1
SW-1
interface vlan 303
ip address 192.168.7.2 255.255.255.252
ip netdirbcast
exit
ip route 0.0.0.0 0.0.0.0 192.168.7.1
!
interface Te1/0/21
switchport mode trunk
switchport access vlan 303
switchport trunk native vlan 303
exit
fp2110asa# ping 172.19.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.19.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
fp2110asa# ping 172.18.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
fp2110asa# ping 172.17.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.17.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
The next step is to have redundant connections for HA.
2 connections from each ASA to 2 of switch stack members.
FP2110 running ASA requires port-channel to be created at the FXOS level.
I assume a port-channel will be needed on the switch too?
Anyone done this before?
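
Added example, not part of the original post: a Python check for what changed between the two ASA configurations above, where the static-route gateway moved from 172.17.0.0 (the destination network itself) to 192.168.7.2 (the switch's VLAN 303 address on the link shared with the ASA). It flags any route whose gateway is not a usable host on the connected network of the named interface; the function name and the trimmed config strings are constructed for this illustration.

```python
import ipaddress

# Constructed input: the ASA lines from the post that the check reads.
ASA_BEFORE = """\
interface Ethernet1/2
nameif inside
ip address 192.168.30.1 255.255.255.0
route inside 172.17.0.0 255.255.0.0 172.17.0.0 1
route inside 172.18.0.0 255.255.0.0 172.18.0.0 1
route inside 172.19.0.0 255.255.0.0 172.19.0.0 1
"""
ASA_AFTER = """\
interface Ethernet1/2
nameif inside
ip address 192.168.7.1 255.255.255.252
route inside 172.17.0.0 255.255.0.0 192.168.7.2 1
route inside 172.18.0.0 255.255.0.0 192.168.7.2 1
route inside 172.19.0.0 255.255.0.0 192.168.7.2 1
"""

def check_static_routes(config):
    """Return (route line, problem) for each static route with an unusable gateway."""
    connected, routes, nameif = {}, [], None
    for line in config.splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "interface":
            nameif = None                      # new interface stanza
        elif w[0] == "nameif" and len(w) > 1:
            nameif = w[1]
        elif w[:2] == ["ip", "address"] and nameif and len(w) >= 4:
            connected[nameif] = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
        elif w[0] == "route" and len(w) >= 5:
            routes.append((line.strip(), w[1], ipaddress.ip_address(w[4])))
    findings = []
    for text, ifname, gw in routes:
        iface = connected.get(ifname)
        if iface is None:
            findings.append((text, f"no addressed interface named {ifname}"))
        elif gw not in iface.network:
            findings.append((text, f"gateway {gw} is not on connected network {iface.network}"))
        elif gw == iface.ip:
            findings.append((text, f"gateway {gw} is the ASA's own address"))
        elif iface.network.prefixlen < 31 and gw in (
                iface.network.network_address, iface.network.broadcast_address):
            findings.append((text, f"gateway {gw} is not a host address in {iface.network}"))
    return findings

if __name__ == "__main__":
    for name, cfg in (("before", ASA_BEFORE), ("after", ASA_AFTER)):
        print(name, check_static_routes(cfg) or "no gateway problems found")
```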