Thanks Jon

So I would need to add

route inside 10.254.0.0 255.255.255..0 10.255.250.51

Thanks a mil!

drikilbride wrote:
Thanks Jon
So I would need to add
route inside 10.254.0.0 255.255.255..0 10.255.250.51
Thanks a mil!

If 10.255.250.51 is the vlan 1 interface IP on the switch then yes that should do it.

Jon

Hi John

I have tried that but still no luck.

From the 10.254.25.0/24 network I can ping my firewall. I just cant get internet.

In under routing I had one route set there from before all of this for my old network.

It was simply and outside rule

outside 0.0.0.0 0.0.0.0 77.75.x.x 255 (metric)

I thought this rule sends everything internal out through my ISP gateway.

I have added the inside rule also but this isnt working. Maybe I have missed something silly?

Thanks again, your help is much appreciated.

First off can you ping the next hop outside of the ASA from the network in question?  Also, I am just wondering why would you set a metric of 255 on the default route out to the Internet?

Thanks,

Kimberly

Hi Kimberly

No I cant ping the next hop which is the ISP's gateway.

Im actually not sure why the lads set the metric to 255, have just changed it back to 1.

Thanks a mil!

Metric of 1 for the default route is usually best and signifies that it is one hop away.  From the network in question are you able to ping anything outside of the ASA?  Some good tests to run would be run a continuous ping to 4.2.2.2 and then telnet/ssh into the ASA and see if you are hitting the xlate table or connection table.

commands would be:

show xlate | include [your systems ip here]

show conn | include [your systems ip here]

This is just another test to see what the ASA is doing.  By the way, what is the default gateway of the subnet that cannot get to the internet?

Kimberly

Now here lies the problem.....

Our new subnets are being created by a third party engineer and he is the one who is saying I need to make changes on my firewall although he cant tell me what.

The subnet he has created has the following dgw 10.254.25.3. This subnet has been created on a 6500 switch which has a dgw set to 10.255.250.39

I hope that makes sense.

If I ping 4.2.2.2 from the pc on the new subnet i get the following

reply from 10.254.25.2 (which is the DHCP Server on the new 6500 Switch)...destination host unreachable

I am assuming there is a route somewhere on your network that points to the ASA for Internet.  At this time I am not seeing where that would be coming from.  Can you please provide a little more information on the routing on your LAN and if you can get to the ASA at all?

Thanks,

Kimberly

drikilbride wrote:
Now here lies the problem.....
Our new subnets are being created by a third party engineer and he is the one who is saying I need to make changes on my firewall although he cant tell me what.
The subnet he has created has the following dgw 10.254.25.3. This subnet has been created on a 6500 switch which has a dgw set to 10.255.250.39
I hope that makes sense.
If I ping 4.2.2.2 from the pc on the new subnet i get the following
reply from 10.254.25.2 (which is the DHCP Server on the new 6500 Switch)...destination host unreachable

Why is the DHCP server coming back with a destination host unreachable message ?

Is the 6500 routing for the vlans ?

What is 10.254.25.3, is this the L3 vlan interface on the 6500 switch ?

The 6500 has a default-gateway ?? - is the 6500 routing or simply acting as a L2 switch.  The dgw of 10.255.250.39, what exactly is that device.

As Kimberly says, if the 6500 is responsible for routing the vlans then you need a default-route (not default-gateway) pointing to the ASA. But it sounds like it is a bit more complicated than this.

Jon

Jon

Hi Jon

I have managed to persuade the third party engineer to add a default route on his 6500 to the firewall.

So now instead of getting destination host unreachable I am getting the normal request timed out when I ping an external IP Address so I now suspect it must be an access rule issue on the firewall.

It looks like my ping is getting out but just not being returned to the new vlan 10.254.25.0/24. Is there anything additional I can add in on the firewall to test this?

Thanks again

On the firewall, you may need a route inside statement that would look like this:

route inside 10.254.25.0 255.255.255.0 [IP of your 6500]

See if this helps the traffic come back to your new network.

Kimberly

Hi Kimberly

Unfort I already have that route added.

Still no internet.

Thanks

Can you post up a new copy of your configuration of your firewall please?

This will help us help you with the changes needed to get the internet working.

Kimberly