Replacing old Cisco ASA w/new Netgate trouble

Category: L2/Switching/VLANs (6 posts, 3 posters, 685 views)
glyphmon, Apr 20, 2023, 1:50 AM

    We have a somewhat sprawling campus that is tied together with fiber to an old Cisco WS-C3750G-12S fiber switch. There are a number of VLANs across the campus, but in the fiber switch's configuration, port 12, to which the ASA is connected, is configured as such:

    !
    interface GigabitEthernet1/0/12
    description *** Connected to 3825 Router ***
    switchport mode access
    !

    I cannot find any indication that the ASA 5512X (despite the model name in the switch configuration description line) is in the least bit recognizing or implementing VLANs on any of its ports. Likewise, the switch port configuration suggests to me that no VLAN is specifically assigned to that port.

    That being said, I have duplicated the settings from the ASA as best I can in the new Netgate including the LAN IP address. On the Netgate, ethernet port 1 has been designated the WAN port as lagg0.4090 while ethernet ports 2 through 8 are lagg0.4091 and are designated as the LAN interface. With a laptop directly connected to one of the LAN ports, I am able to access the internet, however connecting the fiber switch to those ports yields no internet connection to the rest of the network.

    Incidentally, I inadvertently at one point set the laptop's default gateway to the IP address of the fiber switch and was able then to ping any connected device in the network from the laptop, so it seems that traffic CAN flow over the connection if it originates on the Netgate side. I was not able to ping the laptop, or even the Netgate from the network side.

I'm not a Cisco guy - this fiber switch will be the last Cisco component in our network remaining from an old government build. It still works well and is pretty rock solid for our needs, but I feel like it's the port configuration on the switch that is making things difficult.

    Happy to provide further information/configuration/screenshots as necessary.

marvosa @glyphmon, Apr 21, 2023, 4:18 AM

      @glyphmon
      The edge router is likely only handling internet traffic... if you have a campus design, there's a distribution stack somewhere doing the core routing... and you either have a bunch of static routes pointing back to the core or a summary route that covers everything.

      You'll need to review the config on the ASA and determine where those routes are pointing and duplicate them on the Netgate.

      If you'd like some assistance... post a network map and the ASA config.

bingo600 @glyphmon, Apr 21, 2023, 5:54 AM

        @glyphmon
        My guess is that your Cisco switchport is set up for "Untagged Vlan1 access" (default native vlan).
        Aka. a normal "access ethernet port" no vlan tagging, member of Vlan1 (or whatever your native vlan is set to ... Default is Vlan1).

        /Bingo

        If you find my answer useful - Please give the post a 👍 - "thumbs up"

        pfSense+ 23.05.1 (ZFS)

        QOTOM-Q355G4 Quad Lan.
        CPU  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
        LAN  : 4 x Intel 211, Disk  : 240G SAMSUNG MZ7L3240HCHQ SSD

glyphmon, Apr 22, 2023, 12:52 AM

          Thank you both for your help so far. After some additional troubleshooting, I've made some progress and I'm not certain that there is a configuration issue with the Cisco switch. I've attached a picture of the connections.

[attached image: netconfig.png]

          Tonight, by creating a static route for internal traffic to be routed back to the rest of the network (10.10.0.0/16 to 10.10.10.1), I was able to reach all internal hosts on the network from the laptop. I did not specify an upstream gateway. I was also able to ping the laptop from hosts on the network, as well as access file sharing between them, so I know traffic is flowing well from laptop, through the Netgate, through the Cisco switch, out through the other switches on their various subnets and VLANs, to those hosts, and back.

          I was not initially able to ping the Netgate from the LAN however, but there was a setting in the Advanced configuration for the firewall to filter traffic on the same interface (i.e., LAN to LAN) which, when disabled, allowed hosts on the LAN to ping 10.10.10.25.

          The laptop has perfect internet access, yet nothing on the rest of the LAN can get out. Pinging 8.8.8.8 yields no result, and a traceroute gets to the subnet's default gateway (i.e., 10.10.70.1) but does not make the next hop to 10.10.10.25.

          ip route 0.0.0.0 0.0.0.0 10.10.10.25 is specified in the Cisco switch from the prior configuration with the ASA, as was an EIGRP setting, however, removing the EIGRP setting didn't change the situation.

          So the fact that I can get traffic between hosts on the LAN and the laptop connected directly to the Netgate suggests to me that the VLAN configuration (or lack thereof) on both the Netgate, and the Cisco switch port 12 is not what is preventing traffic from moving.

          I can provide configurations of the ASA and pfSense, but I'm not sure of the most efficient way to extract that for posting here, so if they're desired, let me know how best to do so. The output of show running-config on the Cisco switch is below with crypto and identifying information removed.

          Current configuration : 9702 bytes
          !
          ! Last configuration change at 10:28:38 EST Fri Mar 1 2019 by acadia
          ! NVRAM config last updated at 10:29:18 EST Fri Mar 1 2019 by acadia
          !
          version 12.2
          service nagle
          no service pad
          service tcp-keepalives-in
          service tcp-keepalives-out
          service timestamps debug uptime
          service timestamps log uptime
          service password-encryption
          !
          boot-start-marker
          boot-end-marker
          !
          logging buffered warnings
          logging console warnings
          logging monitor warnings
          !
          !
          aaa new-model
          !
          !
          aaa authentication login default local
          aaa authorization exec default local
          !
          !
          !
          aaa session-id common
          clock timezone EST -5
          clock summer-time EDT recurring
          switch 1 provision ws-c3750g-12s
          system mtu routing 1500
          vtp domain YourNameHere
          vtp mode transparent
          no ip source-route
          ip routing
          ip domain-name alternate.local
          ip dhcp excluded-address 10.10.20.1 10.10.20.50
          ip dhcp excluded-address 10.10.30.34
          ip dhcp excluded-address 10.10.20.200 10.10.20.254
          !
          ip dhcp pool AP
          network 10.10.20.0 255.255.255.0
          default-router 10.10.20.1
          option 60 ascii "CiscoAPc1130"
          option 43 hex f10c.0a0a.0a02.0a0a.0a03.0a0a.0a04
          dns-server 10.10.70.5
          domain-name substitute.local
          option 42 ip 10.10.10.1
          !
          !
          login on-failure log
          login on-success log
          !
          !
          !
          !
          !
          errdisable recovery cause bpduguard
          errdisable recovery interval 60
          !
          spanning-tree mode mst
          spanning-tree extend system-id
          spanning-tree vlan 1-4094 priority 4096
          !
          vlan internal allocation policy ascending
          !
          vlan 20
          name AP
          !
          vlan 30
          name FIRE_LIGHT_HVAC
          !
          vlan 40
          name DH
          !
          vlan 50
          name EH
          !
          vlan 60
          name WH
          !
          vlan 70
          name OPERATIONS
          !
          vlan 80
          name MESH
          !
          vlan 90
          name SC
          !
          vlan 100
          name GUEST
          !
          vlan 110
          name Rock
          !
          vlan 999
          name MANAGEMENT
          !
          ip ssh version 2
          !
          !
          interface GigabitEthernet1/0/1
          description *** Fiber to WH ***
          switchport trunk encapsulation dot1q
          switchport mode trunk
          speed nonegotiate
          udld port disable
          !
          interface GigabitEthernet1/0/2
          description *** Fiber to BH/DH ***
          switchport trunk encapsulation dot1q
          switchport mode trunk
          switchport nonegotiate
          udld port aggressive
          !
          interface GigabitEthernet1/0/3
          description *** Fiber to EH ***
          switchport trunk encapsulation dot1q
          switchport mode trunk
          switchport nonegotiate
          udld port aggressive
          !
          interface GigabitEthernet1/0/4
          description *** Fiber to MA ***
          switchport trunk encapsulation dot1q
          switchport mode trunk
          speed nonegotiate
          udld port disable
          !
          interface GigabitEthernet1/0/5
          description *** Fiber to WT AP through DH ***
          switchport trunk encapsulation dot1q
          switchport trunk native vlan 20
          switchport mode trunk
          !
          interface GigabitEthernet1/0/6
          description *** Fiber to Operations through MA ***
          switchport trunk encapsulation dot1q
          switchport mode trunk
          speed nonegotiate
          udld port disable
          !
          interface GigabitEthernet1/0/7
          description *** Fiber to GH ***
          switchport trunk encapsulation dot1q
          switchport mode trunk
          speed nonegotiate
          udld port disable
          !
          interface GigabitEthernet1/0/8
          description *** Fiber to SC ***
          switchport trunk encapsulation dot1q
          switchport mode trunk
          speed nonegotiate
          udld port disable
          !
          interface GigabitEthernet1/0/9
          !
          interface GigabitEthernet1/0/10
          description *** Connected to House Keeping ***
          switchport mode access
          !
          interface GigabitEthernet1/0/11
          description *** Uplink to ROCKSW1 ***
          switchport trunk encapsulation dot1q
          switchport mode trunk
          !
          interface GigabitEthernet1/0/12
          description *** Connected to 3825 Router ***
          switchport mode access
          !
          interface Vlan1
          ip address 10.10.10.1 255.255.255.0
          ip helper-address 10.10.70.5
          no ip redirects
          no ip unreachables
          no ip proxy-arp
          !
          interface Vlan20
          description *** AP VLAN ***
          ip address 10.10.20.1 255.255.255.0
          ip helper-address 10.10.70.5
          no ip redirects
          no ip unreachables
          no ip proxy-arp
          !
          interface Vlan30
          description *** Fire, HVAC, and Lighting VLAN ***
          ip address 10.10.30.1 255.255.255.0
          ip helper-address 10.10.70.5
          no ip redirects
          no ip unreachables
          no ip proxy-arp
          !
          interface Vlan40
          description *** DH VLAN ***
          ip address 10.10.40.1 255.255.255.0
          ip access-group ops_lockdown in
          ip helper-address 10.10.70.5
          no ip redirects
          no ip unreachables
          no ip proxy-arp
          !
          interface Vlan50
          description *** EH VLAN ***
          ip address 10.10.50.1 255.255.255.0
          ip access-group ops_lockdown in
          ip helper-address 10.10.10.6
          ip helper-address 10.10.70.5
          no ip redirects
          no ip unreachables
          no ip proxy-arp
          !
          interface Vlan60
          description *** WH VLAN ***
          ip address 10.10.60.1 255.255.255.0
          ip access-group ops_lockdown in
          ip helper-address 10.10.70.5
          no ip redirects
          no ip unreachables
          no ip proxy-arp
          !
          interface Vlan70
          description *** Operations VLAN ***
          ip address 10.10.70.1 255.255.255.0
          ip helper-address 10.10.70.5
          no ip redirects
          no ip unreachables
          no ip proxy-arp
          !
          interface Vlan80
          description *** Mesh VLAN ***
          ip address 10.10.80.1 255.255.255.0
          ip access-group ops_lockdown in
          ip helper-address 10.10.70.5
          no ip redirects
          no ip unreachables
          no ip proxy-arp
          !
          interface Vlan90
          description *** SC VLAN ***
          ip address 10.10.90.1 255.255.255.0
          ip access-group ops_lockdown in
          ip helper-address 10.10.70.5
          no ip redirects
          no ip unreachables
          no ip proxy-arp
          !
          interface Vlan100
          description *** Guest VLAN ***
          ip address 10.10.100.1 255.255.255.0
          ip access-group ops_lockdown in
          ip helper-address 10.10.70.5
          no ip redirects
          no ip unreachables
          no ip proxy-arp
          !
          interface Vlan110
          description *** Rock VLAN ***
          ip address 10.10.110.1 255.255.255.0
          ip helper-address 10.10.70.5
          no ip redirects
          no ip unreachables
          no ip proxy-arp
          !
          interface Vlan999
          description *** Management VLAN ***
          ip address 10.10.99.1 255.255.255.0
          no ip redirects
          no ip unreachables
          no ip proxy-arp
          !
          !
          router eigrp 10
          network 10.10.0.0 0.0.255.255
          passive-interface default
          no passive-interface Vlan1
          eigrp stub connected summary
          !
          ip classless
          ip route 0.0.0.0 0.0.0.0 10.10.10.25
          no ip http server
          ip http secure-server
          !
          ip access-list extended ops_lockdown
          permit tcp any host 10.10.70.5 eq domain
          permit udp any host 10.10.70.5 eq domain
          permit udp any host 10.10.70.5 eq bootpc
          permit udp any host 10.10.70.5 eq bootps
          permit ip any host 10.10.70.29
          permit udp 10.10.100.0 0.0.0.255 host 10.10.100.75 eq domain
          permit tcp 10.10.100.0 0.0.0.255 host 10.10.100.75 eq domain
          deny ip any 10.10.30.0 0.0.0.255
          deny ip any 10.10.70.0 0.0.0.255
          permit ip 10.10.100.0 0.0.0.255 host 10.10.100.1
          deny ip 10.10.100.0 0.0.0.255 10.0.0.0 0.255.255.255
          permit ip any any
          !
          logging trap notifications
          logging source-interface Vlan999
          logging 10.200.201.17
          logging 10.10.10.252
          logging 10.10.70.29
          !
          banner motd ^CCC




          ********** Unauthorized Access Prohibited **********




          ^C
          !
          line con 0
          exec-timeout 0 0
          line vty 0 4
          session-timeout 35791
          logging synchronous
          transport input ssh
          line vty 5 15
          session-timeout 35791
          logging synchronous
          transport input ssh
          !
          ntp clock-period 36029035
          ntp server 129.6.15.28
          end

marvosa @glyphmon, Apr 22, 2023, 5:16 PM (last edited by marvosa Apr 22, 2023, 7:12 PM)

            @glyphmon
            Regarding your ASA, you should be able to grab the config with "copy run tftp:" and then attach it.... or manually cut-n-paste, but I would add code tags if you're gonna do that, so it doesn't take up so much space.

            Looks like the 3750 is your core L3 switch. Personally, I would reconfigure G1/0/12 as a routed port but let's see what your ASA looks like. A couple things that also need to be looked at:

            • Are all your subnets covered in your outbound NAT rules? If not, you'll need to switch to Hybrid mode and add them.

            • Are the firewall rules on the LAN interface allowing traffic from your other subnets or is it still at the default "LAN net"? If not, I would switch to an any/any rule until basic IP communication is established.

            • Verify your DHCP server(s) are handing out the respective SVI's on your 3750 as the default gateway.

glyphmon @marvosa, Apr 27, 2023, 3:37 AM

              @marvosa Thanks again for your help. It is now working. It was at least the firewall rules issue ("LAN net" didn't cut it), and adding rules for each subnet was the final piece. I also went through and added the individual subnets in the outbound NAT rules. Between those two changes - we have access on all subnets.

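The two items that turned out to matter in this thread (the LAN rule's "LAN net" source and the outbound NAT source list) plus the static route back to the 3750 can be checked mechanically. The following is an added example, not code from the forum or from Netgate; it uses the subnets, the 10.10.10.25 LAN address and the 10.10.10.1 SVI quoted in the thread, and the rule/NAT/route objects are simplified stand-ins for the pfSense settings, not the pfSense API.

```python
import ipaddress

# Subnets routed by the 3750's SVIs, taken from the running-config in the thread.
CORE_SUBNETS = [
    "10.10.10.0/24", "10.10.20.0/24", "10.10.30.0/24", "10.10.40.0/24",
    "10.10.50.0/24", "10.10.60.0/24", "10.10.70.0/24", "10.10.80.0/24",
    "10.10.90.0/24", "10.10.100.0/24", "10.10.110.0/24", "10.10.99.0/24",
]
LAN_IF = ipaddress.ip_interface("10.10.10.25/24")  # Netgate LAN address from the thread
CORE_SVI = ipaddress.ip_address("10.10.10.1")      # 3750 Vlan1 SVI, next hop back to campus


def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


def uncovered_subnets(allowed_sources, subnets=CORE_SUBNETS):
    """Subnets whose hosts match none of the allowed source networks.

    A pfSense pass rule whose source is "LAN net" expands to the LAN interface
    subnet only, so anything arriving from a campus VLAN via the 3750 is not
    matched. The same test applies to the outbound NAT source networks.
    """
    allowed = _nets(allowed_sources)
    return [s for s in subnets
            if not any(ipaddress.ip_network(s).subnet_of(a) for a in allowed)]


def route_back_ok(static_routes):
    """True if one static route covers every core subnet and its gateway sits on
    the LAN link, i.e. pfSense can hand return traffic to the 3750's SVI."""
    for dest, gw in static_routes.items():
        net = ipaddress.ip_network(dest)
        gw_ip = ipaddress.ip_address(gw)
        if gw_ip in LAN_IF.network and all(
                ipaddress.ip_network(s).subnet_of(net) for s in CORE_SUBNETS):
            return True
    return False


def diagnose(src_ip, lan_rule_sources, nat_sources, static_routes):
    """Walk one campus host's path through pfSense the way the thread did and
    return the list of checks it fails (empty list means all three pass)."""
    src = ipaddress.ip_address(src_ip)
    problems = []
    if not any(src in n for n in _nets(lan_rule_sources)):
        problems.append("LAN rule source does not match host")
    if not any(src in n for n in _nets(nat_sources)):
        problems.append("no outbound NAT for host")
    if not route_back_ok(static_routes):
        problems.append("no static route back to core")
    return problems
```

With the default "LAN net" source, every campus subnet except 10.10.10.0/24 comes back as uncovered, which is the situation the thread describes for a 10.10.70.x host.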
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.