Internet access from VLAN on Catalyst 2960

Unanswered Question
Apr 9th, 2008

I have a Catalyst 2960 switch and a Cisco 5510 ASA router operating as the firewall. I created a VLAN on a Cisco Catalyst 2960 and I have created the VLAN interface on the ASA.


I am having problems: after I assign a static IP to the workstation, I cannot surf the web.


Please help!

evsrajatgupta Wed, 04/09/2008 - 12:30

Hi marcusfleming,

(Please rate)

You need to configure the default gateway on the switch. The default gateway should be the IP address of the ASA.

marcusfleming Thu, 04/10/2008 - 05:07

See configurations below. Currently that information already exists in the 2960.

Edison Ortiz Wed, 04/09/2008 - 13:18

If you assign a static IP to a workstation, there is additional information that needs to be provided, which is usually taken for granted when receiving an IP via DHCP.


Have you entered the DNS and default gateway information on this workstation?


Based on your post, the ASA is your default gateway as the 2950 is just a Layer2 switch. Can you ping the ASA from this workstation?


__


Edison.

marcusfleming Thu, 04/10/2008 - 05:02

Here are the configs from the ASA and the 2960. The VLAN that I have set up is the "test_vlan" VLAN 20.


ASA config:


interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 12.x.x.x 255.255.255.224
 ospf cost 10
!
interface Ethernet0/1
 speed 100
 duplex full
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1.1
 shutdown
 no vlan
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1.6
 vlan 6
 nameif inside
 security-level 100
 ip address 10.114.6.1 255.255.255.0
 ospf cost 10
!
interface Ethernet0/1.20
 vlan 20
 nameif test_vlan
 security-level 100
 ip address 10.114.8.1 255.255.255.0
 ospf cost 10


Cat 2960 config for int fa0/47:


hostname SW2960_A1
!
logging buffered informational
enable secret xxx
!
no aaa new-model
clock timezone EST -5
clock summer-time EDT recurring
udld aggressive
ip subnet-zero
!
ip domain-name test.com
!
mls qos map cos-dscp 0 8 16 26 32 46 46 56
!
!
macro global description cisco-global
errdisable recovery cause link-flap
errdisable recovery interval 60
no file verify auto
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree extend system-id
spanning-tree vlan 1-2048 priority 24576
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
 switchport access vlan 6
 switchport mode access
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 switchport access vlan 6
 switchport mode trunk
 speed 100
 duplex full
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/3
 switchport access vlan 6
 switchport mode access
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/4
 switchport access vlan 6
 switchport mode access
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!.......
interface FastEthernet0/47
 switchport access vlan 20
 switchport mode access
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/48
 switchport access vlan 6
 switchport mode access
 speed 100
 duplex full
 macro description cisco-desktop
 spanning-tree portfast
!
interface GigabitEthernet0/1
 switchport mode trunk
 macro description cisco-switch
 auto qos voip trust
 spanning-tree link-type point-to-point
!
interface GigabitEthernet0/2
 switchport mode trunk
 media-type rj45
 macro description cisco-switch
!
interface Vlan1
 no ip address
 no ip route-cache
!
interface Vlan6
 ip address 10.114.6.12 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.114.6.1
ip http server
!
control-plane
!
!
line con 0
line vty 0 4
 password xxx
 login
line vty 5 15
 password xxx
 login
!
ntp clock-period 36028879
ntp server 130.207.244.240
end


(Some of the information has been stripped but for the most part it should all be in there.)


I have assigned a static IP to the workstation with the following information:


IP: 10.114.8.2/24

DG: 10.114.8.1

DNS: 10.114.6.10 (DNS server on main network)


With this information and settings, I am not able to ping the ASA from the workstation.



Edison Ortiz Thu, 04/10/2008 - 05:18

I'm not very familiar with the ASA hardware but you should be able to ping the ASA interface if the interface from the 2960 is trunked toward the ASA.


What switchport is being used for this connection?


You may also want to make sure the Native Vlan matches between the trunk. By default, the Native Vlan on a switch is Vlan1. If the ASA is using another native Vlan, the trunk may fail.


You may want to repost in the FW section of this forum where the ASA experts hang out.


HTH,


__


Edison.
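
An offline check of the two points raised in the reply above (is each VLAN tagged on the ASA carried by a switch trunk, and does it collide with that trunk's native VLAN), as an added example that is not part of the original thread. The config strings are constructed, abridged from the configs posted earlier, and the function names are hypothetical.

```python
import re

# Constructed sample input, abridged from the configs posted in this thread.
SWITCH_CFG = """interface FastEthernet0/2
 switchport access vlan 6
 switchport mode trunk
interface FastEthernet0/47
 switchport access vlan 20
 switchport mode access
interface GigabitEthernet0/1
 switchport mode trunk
"""
ASA_CFG = "interface Ethernet0/1.6\n vlan 6\ninterface Ethernet0/1.20\n vlan 20\n"

def sections(cfg):
    """Map each 'interface X' header to the commands listed under it."""
    out, cur = {}, None
    for line in cfg.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            cur = out.setdefault(m.group(1), [])
        elif cur is not None and line.strip() not in ("", "!"):
            cur.append(line.strip())
    return out

def trunks(cfg):
    """{port: (allowed VLAN set, or None for all; native VLAN)} for trunk ports."""
    found = {}
    for port, cmds in sections(cfg).items():
        if "switchport mode trunk" not in cmds:
            continue
        allowed, native = None, 1  # IOS defaults: every VLAN allowed, native VLAN 1
        for c in cmds:
            if m := re.match(r"switchport trunk allowed vlan ([\d,-]+)$", c):
                allowed = {v for p in m.group(1).split(",")
                           for v in range(int(p.split("-")[0]), int(p.split("-")[-1]) + 1)}
            elif m := re.match(r"switchport trunk native vlan (\d+)$", c):
                native = int(m.group(1))
        found[port] = (allowed, native)
    return found

def carriers(switch_cfg, asa_cfg):
    """For each VLAN tagged on an ASA subinterface, the trunk ports that carry it tagged."""
    tags = [int(m.group(1)) for cmds in sections(asa_cfg).values()
            for c in cmds if (m := re.match(r"vlan (\d+)$", c))]
    t = trunks(switch_cfg)
    return {v: sorted(p for p, (allowed, native) in t.items()
                      if (allowed is None or v in allowed) and v != native)
            for v in tags}
```

A port returned by `carriers()` is only a candidate: the running configuration does not show which switch port is cabled to the ASA, and may not show whether VLAN 20 exists in the switch's VLAN database.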
