1038 Views, 5 Helpful, 3 Replies

Sub-interface not connecting to the internet

IOS_support
Level 1

I have a sub-interface on the Inside (see below) and set up the VLAN ID, connected the VLAN to the switch and routed it to the port. The server(s) recognize the new VLAN / IPs, but do not have connectivity to the internet.
My assumption is that it's at the gateway? Also, I can ping an IP on the inside interface from the VLAN, but not the inside interface itself.

!
interface GigabitEthernet0/1
 speed 100
 duplex full
 nameif Inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0 
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif IOS_DC
 security-level 100
 ip address 10.10.2.1 255.255.255.0 
!

Accepted Solution

nkarthikeyan
Level 7

Hi,

I don't think your configuration has a problem from the interface perspective. But make sure that you have all the settings defined below.

1) Your switch has VLAN 20 and you are trying to access the internet from a machine connected to VLAN 20.

2) Make sure that you have an access-list bound to the sub-interface, in case you have anything like that... say

access-list ios-dc permit tcp 10.10.2.0 255.255.255.0 any eq www
access-list ios-dc permit tcp 10.10.2.0 255.255.255.0 any eq https
access-list ios-dc permit udp 10.10.2.0 255.255.255.0 any eq domain
!
access-group ios-dc in interface IOS_DC
!

3) Make sure that NAT/PAT is configured for this...

In the new version:

object network IOS_DC_NET
 subnet 10.10.2.0 255.255.255.0
 nat (IOS_DC,Outside) dynamic interface

If it is an old version:

nat (IOS_DC) 1 10.10.2.0 255.255.255.0
global (Outside) 1 interface

Set the default gateway of the VLAN 20 PC to 10.10.2.1... you should be able to reach that... if it is trunked and connected to the FW...

If all these things are there... then you should be able to get to the internet...

Regards

Karthik

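As an added illustration of the three checks in the accepted answer (this is not code from the thread and not a Cisco tool), the script below parses an ASA-style configuration excerpt and reports, for one nameif, whether the sub-interface carries a VLAN tag and an IP, whether every entry of the ACL bound inbound to it actually falls inside the sub-interface's subnet (which catches a mistyped source such as 0.10.2.0), and whether any NAT rule, in either the old `nat`/`global` form or the object-NAT form, translates that subnet. The sample configuration is constructed: the OP's two interfaces, an ACL that repeats the 0.10.2.0 typo from the thread, and a NAT rule that only covers the Inside subnet; the object name `IOS_DC_NET` and the interface name `Outside` in the corrected variant are assumptions.

```python
"""Sanity-check an ASA sub-interface for internet egress.

Added example (not from the thread, not a Cisco tool). It parses an ASA-style
configuration excerpt and reports, for one nameif, the three things the
accepted answer lists: a VLAN tag and IP on the sub-interface, an inbound ACL
(if one is bound) whose entries actually cover that sub-interface's subnet,
and a NAT rule (old 'nat/global' or object-NAT syntax) that translates the subnet.
"""
import ipaddress
import re

# Constructed sample: the OP's two interfaces, an ACL that repeats the 0.10.2.0
# typo from the thread, and a NAT rule that only covers the Inside subnet.
SAMPLE_CONFIG = """
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif IOS_DC
 security-level 100
 ip address 10.10.2.1 255.255.255.0
!
access-list ios-dc extended permit tcp 0.10.2.0 255.255.255.0 any eq www
access-list ios-dc extended permit udp 10.10.2.0 255.255.255.0 any eq domain
access-group ios-dc in interface IOS_DC
nat (Inside) 1 10.10.10.0 255.255.255.0
global (Outside) 1 interface
"""

# Same config with the ACL source corrected and object NAT added for the
# sub-interface ('IOS_DC_NET' and 'Outside' are assumed names).
FIXED_CONFIG = SAMPLE_CONFIG.replace(" 0.10.2.0 ", " 10.10.2.0 ") + """
object network IOS_DC_NET
 subnet 10.10.2.0 255.255.255.0
 nat (IOS_DC,Outside) dynamic interface
"""


def _net(addr, mask):
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_interfaces(config):
    """Map nameif -> {'vlan', 'level', 'network'} from 'interface' blocks."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = {"vlan": None, "level": None, "network": None}
        elif current is not None and line.startswith(" "):
            t = line.split()
            if t[0] == "nameif":
                interfaces[t[1]] = current  # same dict keeps filling in below
            elif t[0] == "vlan":
                current["vlan"] = int(t[1])
            elif t[0] == "security-level":
                current["level"] = int(t[1])
            elif t[:2] == ["ip", "address"]:
                current["network"] = _net(t[2], t[3])
        else:
            current = None  # '!' or any other top-level line ends the block
    return interfaces


def parse_acls(config):
    """Map ACL name -> list of (action, protocol, source network or None for 'any')."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) > 2 and t[0] == "access-list" and t[2] == "extended":
            del t[2]  # 'extended' keyword is optional in the syntax we care about
        if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
            continue
        if t[4] == "any":
            src = None
        elif t[4] == "host":
            src = ipaddress.IPv4Network(t[5])
        else:
            src = _net(t[4], t[5])
        acls.setdefault(t[1], []).append((t[2], t[3], src))
    return acls


def parse_access_groups(config):
    """Map nameif -> name of the ACL applied inbound on it."""
    groups = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) == 5 and t[0] == "access-group" and t[2:4] == ["in", "interface"]:
            groups[t[4]] = t[1]
    return groups


def parse_nat_sources(config):
    """List of (real interface, network) pairs that some NAT rule translates."""
    rules, obj_subnet = [], None
    ip = r"(\d+\.\d+\.\d+\.\d+)"
    for line in config.splitlines():
        m = re.match(rf"^nat \((\S+)\) \d+ {ip} {ip}", line)  # pre-8.3 'nat (ifc) id net mask'
        if m:
            rules.append((m.group(1), _net(m.group(2), m.group(3))))
        elif line.startswith("object network "):
            obj_subnet = None
        elif (m := re.match(rf"^ subnet {ip} {ip}", line)):
            obj_subnet = _net(m.group(1), m.group(2))
        elif (m := re.match(r"^ nat \((\S+),(\S+)\) (dynamic|static) ", line)) and obj_subnet:
            rules.append((m.group(1), obj_subnet))  # object NAT inside the object block
    return rules


def check_subinterface(config, nameif):
    """Return a list of findings for nameif; an empty list means nothing obviously missing."""
    ifc = parse_interfaces(config).get(nameif)
    if ifc is None or ifc["network"] is None:
        return [f"{nameif}: no interface with that nameif and an IP address"]
    subnet, findings = ifc["network"], []
    if ifc["vlan"] is None:
        findings.append(f"{nameif}: no 'vlan' tag, so tagged frames from the trunk cannot reach it")
    acl_name = parse_access_groups(config).get(nameif)
    if acl_name:
        acl = parse_acls(config).get(acl_name)
        if acl is None:
            findings.append(f"{nameif}: access-group references ACL {acl_name}, which has no entries")
        for i, (_action, _proto, src) in enumerate(acl or [], 1):
            if src is not None and not src.subnet_of(subnet):
                findings.append(f"ACL {acl_name} line {i}: source {src} is not inside {subnet} (typo?)")
    # nameif comparison is case-insensitive here; NAT must be anchored on the real interface.
    translated = any(real.lower() == nameif.lower() and subnet.subnet_of(net)
                     for real, net in parse_nat_sources(config))
    if not translated:
        findings.append(f"{nameif}: no NAT rule translates {subnet}; internet-bound traffic leaves untranslated")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"[{label}]", check_subinterface(cfg, "IOS_DC") or "no findings")
```

Run it as-is and the "as posted" configuration yields two findings (the mistyped ACL source and the missing NAT for 10.10.2.0/24), while the corrected variant yields none. The parser is deliberately narrow: it understands only the `interface`, `access-list`, `access-group`, `nat`/`global` and `object network` lines seen in this thread, so treat an empty result as "nothing obviously missing", not as proof the box is correct; `packet-tracer` on the ASA itself remains the authoritative check.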

3 Replies

Anim Saxena
Level 1

Hi,

 

I am attaching a screenshot of the configuration for a sub-interface, which is generally implemented in the manner shown.

Regards,

Anim Saxena

Community Manager (Security) 

Jouni Forss
VIP Alumni

Hi,

 

The configuration seems kinda strange. I mean the fact that you have configured an IP address under the actual physical interface but also configured a sub-interface on the physical interface. Typically when you configure a trunk you leave the physical interface configuration blank, other than the duplex/speed and description settings.

 

How is the switchport connected to this ASA configured?

 

EDIT: Just to add. I presume that if your "inside" users are in VLAN 1 of the switched network, then it is probably understandable that it works, as the traffic comes to the ASA untagged.

 

If you want  to test the ASA configurations then you can use the command

 

packet-tracer input IOS_DC tcp 10.10.2.100 12345 8.8.8.8 80

 

The above IPs were just chosen by me randomly. The output of the above command should show you what rules such a packet would match on the ASA. We could, for example, see if the traffic is even allowed and, if it's allowed, whether it has proper NAT configuration and so on.

 

- Jouni
