Sub-interface not connecting to the internet

Answered Question
Jul 17th, 2014

I have a sub-interface 'on' the inside (see below) and set up the VLAN ID --> connected the VLAN to the SWITCH and routed it to the PORT. The server(s) recognize the 'new' VLAN / IPs, but do not have connectivity to the internet.
My assumption is it's at the gateway? Also, I can ping an IP on the inside interface from the VLAN, but not the inside interface itself.

!
interface GigabitEthernet0/1
 speed 100
 duplex full
 nameif Inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0 
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif IOS_DC
 security-level 100
 ip address 10.10.2.1 255.255.255.0 
!

Correct Answer by nkarthikeyan about 3 years 1 month ago

Hi,

 

I don't think your configuration has problems from an interface perspective. But make sure that you have all the settings defined below.

1) Your switch has VLAN 20 and you are trying to access the internet from a machine connected to VLAN 20.

2) Make sure that you have an access-list bound to the subinterface, in case you have anything of that sort.... say

access-list ios-dc permit tcp 10.10.2.0 255.255.255.0 any eq www
access-list ios-dc permit tcp 10.10.2.0 255.255.255.0 any eq https
access-list ios-dc permit udp 10.10.2.0 255.255.255.0 any eq domain
!
access-group ios-dc in interface IOS_DC
!

3) Make sure that NAT/PAT is configured for this...

In the new version (8.3 and later, object NAT under a network object; the object name is only an example):

object network IOS_DC_NET
 subnet 10.10.2.0 255.255.255.0
 nat (IOS_DC,Outside) dynamic interface

If it is the old version:

nat (IOS_DC) 1 10.10.2.0 255.255.255.0
global (outside) 1 interface

Set the default gateway of the VLAN 20 PC to 10.10.2.1... you should be able to reach that.... if it is trunked and connected to the FW......

If all these things are there... then you should be able to get to the internet...

 

Regards

Karthik

Jouni Forss Fri, 07/18/2014 - 00:35

Hi,

The configuration seems kind of strange. I mean the fact that you have configured an IP address under the actual physical interface but also configured a subinterface for the physical interface. Typically when you configure a trunk you leave the physical interface configuration blank other than the duplex/speed and description settings.

How is the switchport connected to this ASA configured?

EDIT: Just to add. I presume that if your "inside" users are in VLAN 1 of the switched network then it is probably understandable that it works, as the traffic probably comes to the ASA untagged.

If you want to test the ASA configuration then you can use the command

packet-tracer input IOS_DC tcp 10.10.2.100 12345 8.8.8.8 80

The above IPs were just chosen by me randomly. The output of the above command should show you what rules such a packet would match on the ASA. We could for example see if the traffic is even allowed and, if it is allowed, whether it has proper NAT configuration and so on.

- Jouni
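
An added audit script, not from this thread and not a Cisco tool, that applies Karthik's checklist (bound ACL, NAT rule per interface) and Jouni's trunk observation (IP on the physical port next to subinterfaces) to a running-config dump. The sample config is constructed from the poster's interfaces plus the accepted answer's ACL and NAT lines; a missing access-group is reported for information only, since a same-to-lower security flow is allowed without one.

```python
"""Added checker (not from the thread): for each nameif'd ASA interface,
report a missing inbound access-group, a missing NAT rule sourced from that
interface (8.3+ or pre-8.3 syntax) and the trunk-port-with-IP pattern."""
import re
# Constructed sample: the poster's interfaces plus the accepted answer's
# ACL and 8.3+ NAT lines for IOS_DC. Not a real device dump.
SAMPLE_CONFIG = """
interface GigabitEthernet0/1
 nameif Inside
 ip address 10.10.10.1 255.255.255.0
interface GigabitEthernet0/1.20
 vlan 20
 nameif IOS_DC
 ip address 10.10.2.1 255.255.255.0
access-list ios-dc permit tcp 10.10.2.0 255.255.255.0 any eq www
access-group ios-dc in interface IOS_DC
nat (IOS_DC,Outside) dynamic interface
"""

def parse(text):
    ifaces, acl_bound, nat_src, port, name = {}, set(), set(), None, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("interface "):
            port, name = line.split()[1], None
        elif line.startswith("nameif "):
            name = line.split()[1]
            ifaces[name] = {"port": port, "ip": None}
        elif line.startswith("ip address ") and name:
            ifaces[name]["ip"] = line.split()[2]
        elif m := re.match(r"access-group \S+ in interface (\S+)", line):
            acl_bound.add(m.group(1))
        elif m := re.match(r"nat \((\w+)(?:,\w+)?\)", line):  # new/old syntax
            nat_src.add(m.group(1))
    return ifaces, acl_bound, nat_src

def audit(text):
    """Map each nameif to its findings; an empty list means all checks passed."""
    ifaces, acl_bound, nat_src = parse(text)
    ports = {i["port"] for i in ifaces.values()}
    findings = {}
    for name, info in ifaces.items():
        checks = [
            (name not in acl_bound, "no inbound access-group bound"),
            (name not in nat_src, "no NAT rule sourced from this interface"),
            (info["ip"] and "." not in info["port"]
             and any(p.startswith(info["port"] + ".") for p in ports),
             "physical trunk port has an IP alongside subinterfaces"),
        ]
        findings[name] = [msg for hit, msg in checks if hit]
    return findings
```

On the sample, IOS_DC comes back clean and Inside is flagged on all three points; feed it `show running-config` output to check a real box.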

Anim Saxena Fri, 07/18/2014 - 00:07

Hi,

I am attaching a screenshot of the config for a sub-interface, which is generally implemented in the manner shown.

Regards,

Anim Saxena

Community Manager (Security)

