ASA to Layer3 switch

Trying to connect an ASA to a Dell N4032 Layer 3 switch to do all inter-VLAN routing.
The switch can’t do a routed port, so I tried a VLAN and it is not working.

ASA-1

interface Ethernet1/2
 nameif inside
 security-level 100
 ip address 192.168.30.1 255.255.255.0


route inside 172.17.0.0 255.255.0.0 172.17.0.0 1
route inside 172.18.0.0 255.255.0.0 172.18.0.0 1
route inside 172.19.0.0 255.255.0.0 172.19.0.0 1

SW-1

ip routing
interface vlan 1
exit
interface vlan 10
ip address 10.10.10.1 255.255.255.0
exit
interface vlan 17
ip address 172.17.1.1 255.255.0.0
ip netdirbcast
bandwidth 10000
exit
interface vlan 18
ip address 172.18.1.1 255.255.0.0
ip netdirbcast
bandwidth 10000
exit
interface vlan 19
ip address 172.19.1.1 255.255.0.0
ip netdirbcast
bandwidth 10000
exit
interface vlan 303
ip address 192.168.30.3 255.255.255.0
exit

! Cannot use an L3 routed port /30 address, so use a VLAN
interface Te1/0/21
switchport access vlan 303
exit

ip route 0.0.0.0 0.0.0.0 192.168.30.1


SW-1console#ping 192.168.30.1
 Pinging 192.168.30.1 with 0 bytes of data:

Reply From 192.168.30.1: icmp_seq = 0. time= 2119 usec.
Reply From 192.168.30.1: icmp_seq = 1. time= 1644 usec.
Reply From 192.168.30.1: icmp_seq = 2. time= 1603 usec.
Reply From 192.168.30.1: icmp_seq = 3. time= 1874 usec.

----192.168.30.1 PING statistics----
4 packets transmitted, 4 packets received, 0% packet loss
round-trip (msec) min/avg/max = 1/1/2
fp2110asa# ping 192.168.30.33
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.33, timeout is 2 seconds:
????
Success rate is 0 percent (0/4)
fp2110asa# ping 192.168.30.33
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.33, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

fp2110asa# ping 172.17.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.17.1.1, timeout is 2 seconds:


fp2110asa# sho route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
       SI - Static InterVRF, BI - BGP InterVRF
Gateway of last resort is not set

S        172.17.0.0 255.255.0.0 [1/0] via 172.17.0.0, inside
S        172.18.0.0 255.255.0.0 [1/0] via 172.18.0.0, inside
S        172.19.0.0 255.255.0.0 [1/0] via 172.19.0.0, inside
C        192.168.30.0 255.255.255.0 is directly connected, inside
L        192.168.30.1 255.255.255.255 is directly connected, inside

Update:

Got the first part working (single ASA to the switch stack) by using this:

ASA-1

interface Ethernet1/2
 nameif inside
 security-level 100
 ip address 192.168.7.1 255.255.255.252
!
route inside 172.17.0.0 255.255.0.0 192.168.7.2 1
route inside 172.18.0.0 255.255.0.0 192.168.7.2 1
route inside 172.19.0.0 255.255.0.0 192.168.7.2 1

SW-1

interface vlan 303
ip address 192.168.7.2 255.255.255.252
ip netdirbcast
exit
ip route 0.0.0.0 0.0.0.0 192.168.7.1

!
interface Te1/0/21
switchport mode trunk
switchport access vlan 303
switchport trunk native vlan 303
exit

fp2110asa# ping 172.19.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.19.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
fp2110asa# ping 172.18.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
fp2110asa# ping 172.17.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.17.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

The next step is to have redundant connections for HA.
2 connections from each ASA to 2 of the switch stack members.
The FP2110 running ASA requires the port-channel to be created at the FXOS level.
I assume a port-channel will be needed on the switch too?
Anyone done this before?

Hello Neil

Concerning your update, yes, you’ve corrected the next-hop IP address for the routing in the ASA, and that has resolved the routing problem, so that’s great.

Concerning a high availability configuration, there are various options to use. You can use an Active/Standby configuration with two ASAs as seen in the ASA Active/Standby lesson, or an Active/Active failover scenario as shown in the following Cisco documentation:

From this, you can connect the ASAs to two switches using some gateway redundancy protocol such as HSRP or VRRP. Or, you can employ EtherChannel to two different switches, or you can even stack those two switches and make them operate as one with two EtherChannels to each ASA.

It all depends upon your specific topology, the equipment you are using, and the capabilities of that equipment. It also depends upon where routing is taking place. There’s no clear cut answer, however, there are advantages and disadvantages to each option.

I hope this has been helpful!

Laz
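The routing problem Laz describes above comes down to one check: a static route's next hop has to be on a subnet that is directly connected on the interface the route names. The following script is an added example, not something from the thread or from Cisco; it parses the two ASA snippets posted above (re-typed here as constructed samples) and reports every route whose next hop is not on-link, which is exactly what was wrong with the original `route inside 172.17.0.0 255.255.0.0 172.17.0.0 1` lines.

```python
"""Added example (not from the thread): verify that each ASA static route's
next hop sits inside a subnet that is directly connected on the interface
the route names. The thread's first config failed exactly this test: the
next hop given for 172.17.0.0/16 was 172.17.0.0 itself, which is not on
the 192.168.30.0/24 'inside' link."""
import ipaddress
import re

# Constructed from the thread's original (non-working) ASA config.
BROKEN_ASA_CONFIG = """
interface Ethernet1/2
 nameif inside
 security-level 100
 ip address 192.168.30.1 255.255.255.0
route inside 172.17.0.0 255.255.0.0 172.17.0.0 1
route inside 172.18.0.0 255.255.0.0 172.18.0.0 1
route inside 172.19.0.0 255.255.0.0 172.19.0.0 1
"""

# Constructed from the thread's corrected ASA config.
FIXED_ASA_CONFIG = """
interface Ethernet1/2
 nameif inside
 security-level 100
 ip address 192.168.7.1 255.255.255.252
route inside 172.17.0.0 255.255.0.0 192.168.7.2 1
route inside 172.18.0.0 255.255.0.0 192.168.7.2 1
route inside 172.19.0.0 255.255.0.0 192.168.7.2 1
"""


def parse_interfaces(config):
    """Map each nameif to its IPv4Interface, from interface/nameif/ip address lines."""
    ifaces = {}
    nameif = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None                       # new block, nameif not yet known
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            _, _, ip, mask = line.split()[:4]   # a trailing 'standby x.x.x.x' is ignored
            ifaces[nameif] = ipaddress.IPv4Interface(f"{ip}/{mask}")
    return ifaces


ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)")


def parse_routes(config):
    """Yield (nameif, destination IPv4Network, next-hop IPv4Address) per 'route' line."""
    for raw in config.splitlines():
        m = ROUTE_RE.match(raw.strip())
        if m:
            nameif, net, mask, nh = m.groups()
            yield (nameif,
                   ipaddress.IPv4Network(f"{net}/{mask}"),
                   ipaddress.IPv4Address(nh))


def check_next_hops(config):
    """Return a list of problems; an empty list means every next hop is on-link."""
    ifaces = parse_interfaces(config)
    problems = []
    for nameif, dest, nh in parse_routes(config):
        iface = ifaces.get(nameif)
        if iface is None:
            problems.append(f"route to {dest}: interface {nameif} has no ip address")
        elif nh not in iface.network:
            problems.append(
                f"route to {dest}: next hop {nh} is not inside "
                f"{iface.network} on {nameif}")
    return problems


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_ASA_CONFIG), ("fixed", FIXED_ASA_CONFIG)):
        print(label, check_next_hops(cfg) or "ok")
```

The ASA accepts a route whose next hop is off-link when an interface name is given, so `sho route` looked healthy in the first post even though nothing could be forwarded; a check like this run against the config before deployment catches that quietly broken state.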

Hi Laz
Yes, I was looking at VRRP but then decided to stack the switches so I can treat them as 1 switch.
I believe that means just 2 cables from each ASA, one to each switch.
Cisco sent me some info

I would like to make diagrams like that.
Of course I don’t have Cisco 3750 switches so it will be a bit different.

I don’t really understand the N4032 interface settings

interface Te1/0/21
switchport mode trunk
switchport access vlan 303
switchport trunk native vlan 303

other than that it seems to work. Now I need to create a port-channel with the same settings.

Update
Tried using a port-channel as shown in the Cisco instructions.
On the switch I tried this config and it’s not working:

interface vlan 303
ip address 192.168.7.2 255.255.255.252
ip netdirbcast
exit
ip route 0.0.0.0 0.0.0.0 192.168.7.1

interface Te1/0/21
channel-group 1 mode active
switchport mode trunk
switchport access vlan 303
switchport trunk native vlan 303
exit
!

interface Te2/0/21
channel-group 1 mode active
switchport mode trunk
switchport access vlan 303
switchport trunk native vlan 303
exit
!

interface port-channel 1
description "link to ASA1"
switchport mode trunk
switchport access vlan 303
switchport trunk native vlan 303
exit

I saw some posts about using hashing 3 or 4 for the LAG settings but none of them worked either.

The ASA shows a LACP connection and sends and receives traffic on both ports, but pings are not working.

ASA-1

From FXOS:
connect local-mgmt

firepower-2110(local-mgmt)# show lacp neighbor

Flags:  S - Device is requesting Slow LACPDUs
        F - Device is requesting Fast LACPDUs
        A - Device is in Active mode       P - Device is in Passive mode

Channel group: 3

Cluster Spanned: False
Cluster SystemID:
Cluster UnitID: 0
Cluster Detached: False
LACP Peer KeepAlive Timer Fast: False

Partner (internal) information:

          Partner                 Partner                       Partner
Port      System ID             Port Number     Age         Flags
Eth1/3    1    ,f8b1.566e.0dc2  0x59            22 s        SA


          LACP Partner           Partner           Partner
          Port Priority        Oper Key        Port State
          1                    0x334           0x3d

          Port State Flags Decode:
          Activity:   Timeout:   Aggregation:   Synchronization:
          Active      Short      Yes            Yes

          Collecting:   Distributing:   Defaulted:   Expired:
          Yes           Yes             No           No

          Partner                 Partner                       Partner
Port      System ID             Port Number     Age         Flags
Eth1/4    1    ,f8b1.566e.0dc2  0x15            21 s        SA


          LACP Partner           Partner           Partner
          Port Priority        Oper Key        Port State
          1                    0x334           0x3d

          Port State Flags Decode:
          Activity:   Timeout:   Aggregation:   Synchronization:
          Active      Short      Yes            Yes

          Collecting:   Distributing:   Defaulted:   Expired:
          Yes           Yes             No           No
firepower-2110(local-mgmt)#

Note: On FPR21xx/FPR1xxx the default LACP rate is Slow and cannot be changed

firepower-2110(local-mgmt)# show lacp counters

             LACPDUs         Marker      Marker Response    LACPDUs
Port       Sent   Recv     Sent   Recv    Sent    Recv      Pkts Err
---------------------------------------------------------------------
Channel group: 3
Eth1/3     140    41       0      0        0      0         0
Eth1/4     141    45       0      0        0      0         0


firepower-2110(local-mgmt)# sho portmanager switch status

Dev/Port         Mode        Link   Speed  Duplex  Loopback Mode  Port Manager
---------  ----------------  -----  -----  ------  -------------  ------------

0/0             QSGMII       Down    1G     Half    None           n/a
0/1             QSGMII       Down    1G     Half    None           n/a
0/2             QSGMII        Up     1G     Full    None           n/a
0/3             QSGMII        Up     1G     Full    None           n/a
0/4             QSGMII       Down    1G     Half    None           n/a
0/5             QSGMII       Down    1G     Half    None           n/a


firepower-2110(local-mgmt)# sho portmanager counters ethernet 1 3
Good Octets Received                              : 81061
Bad Octets Received                               : 0
MAC Transmit Error                                : 0
Good Packets Received                             : 1007
Bad Packets Received                              : 0
BRDC Packets Received                             : 0
MC Packets Received                               : 1007
Size 64                                           : 758
Size 65 to 127                                    : 98
Size 128 to 255                                   : 263
Size 256 to 511                                   : 0
Size 512 to 1023                                  : 0
Size 1024 to Max                                  : 0
Good Octets Sent                                  : 14336
Good Packets Sent                                 : 112
Excessive Collision                               : 0
MC Packets Sent                                   : 112
BRDC Packets Sent                                 : 0
Unrecognized MAC Received                         : 0
FC Sent                                           : 0
Good FC Received                                  : 0
Drop Events                                       : 0
Undersize Packets                                 : 0
Fragments Packets                                 : 0
Oversize Packets                                  : 0
Jabber Packets                                    : 0
MAC RX Error Packets Received                     : 0
Bad CRC                                           : 0
Collisions                                        : 0
Late Collision                                    : 0
bad FC Received                                   : 0
Good UC Packets Received                          : 0
Good UC Packets Sent                              : 0
Multiple Packets Sent                             : 0
Deferred Packets Sent                             : 0
Size 1024 to 15180                                : 0
Size 1519 to Max                                  : 0
txqFilterDisc                                     : 0
linkChange                                        : 1
firepower-2110(local-mgmt)#

firepower-2110(local-mgmt)# sho portchannel summary
Flags:  D - Down        P - Up in port-channel (members)
I - Individual  H - Hot-standby (LACP only)
s - Suspended   r - Module-removed
S - Switched    R - Routed
U - Up (port-channel)
M - Not in use. Min-links not met
-------------------------------------------------------------------------------
Group Port-       Type     Protocol  Member Ports
      Channel
--------------------------------------------------------------------------------
3     Po3(U)      Eth      LACP      Eth1/3(P)    Eth1/4(P)

LACP KeepAlive Timer:
--------------------------------------------------------------------------------
      Channel  PeerKeepAliveTimerFast
--------------------------------------------------------------------------------
3     Po3(U)      False

Cluster LACP Status:
--------------------------------------------------------------------------------
      Channel  ClusterSpanned  ClusterDetach  ClusterUnitID  ClusterSysID
--------------------------------------------------------------------------------
3     Po3(U)      False          False          0

Hello Neil

I believe stacking is a simpler solution so way to go. Ideally, you should have two cables from each ASA, one to each switch, although one cable from each ASA to each switch will also be acceptable in most scenarios since you’re using stacked switches.

I’m not sure how much I can help you with that since those are Dell switches, and I am not familiar with them. However, the syntax looks similar to Cisco, and if that is the case, it looks like the port is configured as a trunk port, but is also configured to use access VLAN 303. On a Cisco switch, in such a configuration, the switchport access vlan 303 would simply be ignored.

Again, not sure I can help you out. I suggest you take a look at Dell documentation for this particular device and see if you can troubleshoot. On a Cisco device, it’s always best practice to apply all configurations to the Port Channel and never to the actual physical interfaces. Take a look at this NetworkLessons note about applying configurations to EtherChannel interfaces for more info.

If LACP looks up but traffic is not passing, the only thing I can think of is to examine the Dell switch config and make sure it’s correct on that end. Also, check out the routing, and do some troubleshooting. Since LACP is up, it may be that the problem is not with the EtherChannel at all.

I hope this has been helpful!

Laz
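Laz's two points above, that `switchport access vlan` is meaningless on a trunk port and that the physical members should not carry settings their port-channel does not, can be checked mechanically. The script below is an added example, not part of the thread and not a Dell or Cisco tool; it assumes the Cisco-style `interface ... exit` block syntax the N4032 uses in the posts above, and the sample config is constructed from the non-working LAG config posted earlier with one deliberate divergence added (native VLAN 99 on Te2/0/21) so that the mismatch check has something to report.

```python
"""Added example (not from the thread): lint a Cisco-style switch config for
two problems, 'switchport access vlan' on a trunk port (it is ignored there)
and LAG member ports carrying switchport settings that the port-channel they
belong to does not carry."""
import re

# Constructed sample modelled on the thread's non-working LAG config, with one
# deliberate divergence (native VLAN 99 on Te2/0/21) to show the mismatch check.
THREAD_CONFIG = """
interface Te1/0/21
channel-group 1 mode active
switchport mode trunk
switchport access vlan 303
switchport trunk native vlan 303
exit
interface Te2/0/21
channel-group 1 mode active
switchport mode trunk
switchport access vlan 303
switchport trunk native vlan 99
exit
interface port-channel 1
description "link to ASA1"
switchport mode trunk
switchport access vlan 303
switchport trunk native vlan 303
exit
"""

# Constructed sample with the access VLAN removed and members matching the LAG.
CLEAN_CONFIG = """
interface Te1/0/21
channel-group 1 mode active
switchport mode trunk
switchport trunk native vlan 99
exit
interface Te2/0/21
channel-group 1 mode active
switchport mode trunk
switchport trunk native vlan 99
exit
interface port-channel 1
description "link to ASA1"
switchport mode trunk
switchport trunk native vlan 99
exit
"""

CHANNEL_GROUP_RE = re.compile(r"^channel-group (\d+)")


def parse_blocks(config):
    """Return {interface name: [lines]} for each 'interface ... exit' block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line[len("interface "):]
            blocks[current] = []
        elif line == "exit":
            current = None
        elif current is not None and line:
            blocks[current].append(line)
    return blocks


def lint(config):
    """Return a list of findings; an empty list means both checks passed."""
    blocks = parse_blocks(config)
    findings = []
    for name, lines in blocks.items():
        # Check 1: an access VLAN on a trunk port is ignored on Cisco-style gear.
        if "switchport mode trunk" in lines and any(
                l.startswith("switchport access vlan") for l in lines):
            findings.append(f"{name}: 'switchport access vlan' is ignored on a trunk port")
        # Check 2: a member port must not carry a switchport line its port-channel lacks.
        for l in lines:
            m = CHANNEL_GROUP_RE.match(l)
            if not m:
                continue
            po_name = f"port-channel {m.group(1)}"
            po = blocks.get(po_name)
            if po is None:
                findings.append(f"{name}: {po_name} is not defined")
                continue
            po_sw = {x for x in po if x.startswith("switchport")}
            for extra in sorted(x for x in lines
                                if x.startswith("switchport") and x not in po_sw):
                findings.append(f"{name}: '{extra}' not present on {po_name}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("thread", THREAD_CONFIG), ("clean", CLEAN_CONFIG)):
        print(label, lint(cfg) or "ok")
```

Check 2 is deliberately one-directional: a member that carries fewer lines than its port-channel is fine (that is the "configure the port-channel, not the physical ports" practice Laz recommends), while a member that adds or contradicts a setting is flagged, because a mismatched native VLAN on one member is precisely the kind of thing that leaves LACP up but traffic on that link untagged into the wrong VLAN.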

Hi Laz
Yes, you are right, the “switchport access vlan 303” was not needed. I have changed the config a bit.
From the ASA I can ping 172.17.1.1, 172.18.1.1, 172.19.1.1, 10.10.10.1 and 192.168.7.1.
From the switch I can ping 192.168.7.4 and 192.168.2.57, but I cannot ping 192.168.2.1.
If I connect a computer to the switch on a VLAN 17 port with IP 172.17.1.40, it cannot reach the internet.

internet
public IP from ISP

Home Router
outside - Public IP from ISP
inside - 192.168.2.1 255.255.255.0

Home router inside connected to a hub

FP2110-ASA
Outside e1/1 - 192.168.2.57 255.255.255.0 standby 192.168.2.58
Each ASA Interface e1/1 connected to hub
Inside e1/2 - 192.168.7.4 255.255.255.240 standby 192.168.7.5
Each ASA connected to Switch:
ASA-1 e1/2 connected to switch port te1/0/21
ASA-2 e1/2 connected to switch port te2/0/21
Management1/1- 10.10.10.4 255.255.255.0 standby 10.10.10.5

interface Ethernet1/1
 nameif outside
 security-level 0
 ip address 192.168.2.57 255.255.255.0 standby 192.168.2.58
!
interface Ethernet1/2
 nameif inside
 security-level 100
 ip address 192.168.7.4 255.255.255.240 standby 192.168.7.5
!
interface Management1/1
 management-only
 nameif management
 security-level 100
 ip address 10.10.10.4 255.255.255.0 standby 10.10.10.5
!
failover
failover lan unit primary
failover lan interface folink Ethernet1/7
failover link folink Ethernet1/7
failover interface ip folink 192.168.10.1 255.255.255.252 standby 192.168.10.2
no failover wait-disable
no monitor-interface management
!
object network obj_any
 nat (any,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
route inside 172.17.0.0 255.255.0.0 192.168.7.1 1
route inside 172.18.0.0 255.255.0.0 192.168.7.1 1
route inside 172.19.0.0 255.255.0.0 192.168.7.1 1

Dell N4032 Layer 3 Switch Stack

ip routing
interface vlan 10
ip address 10.10.10.1 255.255.255.0
exit
interface vlan 17
ip address 172.17.1.1 255.255.0.0
ip netdirbcast
bandwidth 10000
exit
interface vlan 18
ip address 172.18.1.1 255.255.0.0
ip netdirbcast
bandwidth 10000
exit
interface vlan 19
ip address 172.19.1.1 255.255.0.0
ip netdirbcast
bandwidth 10000
exit
interface vlan 99
ip address 192.168.7.1 255.255.255.240
ip netdirbcast
exit

ip route 0.0.0.0 0.0.0.0 192.168.7.4

interface Te1/0/21
description "Link to ASA-1"
switchport mode trunk
switchport trunk native vlan 99
exit
interface Te2/0/21
description "Link to ASA-2"
switchport mode trunk
switchport trunk native vlan 99
exit

Update
Well I restarted everything, switches first, and now I can reach the internet from the computer on vlan 17!!!
The posts on your site were very useful to determine if the settings were right.
I don’t think I will try again with the EtherChannel. Failover is working with just the single connections. Thank you for all your replies and info.

Hello Neil

Well, it seems that a good old reload did the trick! Thanks for sharing your success with us, and the topology that ended up working best for you!

All the best in your endeavours!

Laz