ASA 5510 internal network cannot connect to internet

dino-chirico · ‎05-13-2012

Hi All,

I have been scratching my head trying to figure this one out.

I have an ASA 5510 configured 3 interface Internet_AAPT, Internal_Network and Server_Network. The server network works fine as is able to connect to the internet and services like port 80 work from the internet in. But from the Internal_Network can only get to the server network but not internet (

6

May 13 2012

14:17:40

302013

10.153.111.212

53663

199.47.216.148

80

Built outbound TCP connection 42508 for Internet_AAPT:199.47.216.148/80 (199.47.216.148/80) to Server_Network:10.153.111.212/53663 (10.153.111.212/53663)

. The weird thing in logs i see a connection being made but for some reason its referring to the Server_Network interface?? below is my current config...

ASA Version 8.2(5)

!

hostname ASA01

domain-name names

name 10.153.11.184 QNAP

name 10.153.11.192 exc2010

name 10.153.11.133 zeacom

name 10.153.11.183 helpdesk

!

interface Ethernet0/0

nameif Internet_AAPT

security-level 0

ip address xxx.xxx.xxx.222 255.255.255.252

!

interface Ethernet0/1

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/2

nameif Server_Network

security-level 90

ip address 10.153.11.254 255.255.255.0

!

interface Ethernet0/3

nameif Internal_Network

security-level 100

ip address 10.153.111.254 255.255.255.0

!

interface Management0/0

nameif management

security-level 100

ip address 10.153.100.254 255.255.255.0

management-only

!

ftp mode passive

clock timezone EST 10

clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00

dns server-group DefaultDNS

domain-name prosum.local

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group service proxy tcp

description port 8080

port-object eq 8080

object-group service OWA tcp

description Outlook Web Access Port

port-object eq 987

object-group service FTP_ports_QNAP tcp

port-object range 55536 55550

access-list Internet_AAPT_access_in extended permit tcp any host xxx.xx.xxx.96 eq ftp

access-list Internet_AAPT_access_in extended permit tcp any host xxx.xx.xxx.96 eq https

access-list Internet_AAPT_access_in extended permit tcp any host xxx.xx.xxx.96 object-group FTP_ports_QNAP

access-list Internet_AAPT_access_in extended permit tcp any interface Internet_AAPT object-group proxy

access-list Internet_AAPT_access_in extended permit tcp any interface Internet_AAPT eq https

access-list Internet_AAPT_access_in extended permit tcp any interface Internet_AAPT object-group OWA

access-list Internet_AAPT_access_in extended permit tcp any interface Internet_AAPT eq smtp

access-list Internet_AAPT_access_in extended permit tcp any interface Internet_AAPT eq pop3

access-list Internet_AAPT_access_in extended permit tcp any host xxx.xx.xxx.97 eq www

access-list Internet_AAPT_access_in extended permit tcp any host xxx.xx.xxx.97 eq https

access-list Internet_AAPT_access_in extended permit ip any any inactive

access-list easyvpn_splitTunnelAcl standard permit 10.153.111.0 255.255.255.0

access-list easyvpn_splitTunnelAcl standard permit 10.153.11.0 255.255.255.0

access-list Internet_AAPT_1_cryptomap extended permit ip 10.153.111.0 255.255.255.0 Aecom_Melbourne 255.255.255.0

pager lines 24

logging enable

logging asdm informational

level errors

mtu Internet_AAPT 1500

mtu Server_Network 1500

mtu Internal_Network 1500

mtu management 1500

ip local pool VPN_Pool 172.153.111.1-172.153.111.50 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp Internet_AAPT xxx.xxx.xxx.97 44d3.cafd.96fe alias

arp Internet_AAPT xxx.xxx.xxx.98 44d3.cafd.96fe alias

arp Internet_AAPT xxx.xxx.xxx.99 44d3.cafd.96fe alias

arp Internet_AAPT xxx.xxx.xxx.100 44d3.cafd.96fe alias

arp Internet_AAPT xxx.xxx.xxx.101 44d3.cafd.96fe alias

arp Internet_AAPT xxx.xxx.xxx.102 44d3.cafd.96fe alias

arp Internet_AAPT xxx.xxx.xxx.103 44d3.cafd.96fe alias

arp Internet_AAPT xxx.xxx.xxx.104 44d3.cafd.96fe alias

arp Internet_AAPT xxx.xxx.xxx.105 44d3.cafd.96fe alias

arp Internet_AAPT xxx.xxx.xxx.106 44d3.cafd.96fe alias

arp Internet_AAPT xxx.xxx.xxx.107 44d3.cafd.96fe alias

arp Internet_AAPT xxx.xxx.xxx.108 44d3.cafd.96fe alias

arp Internet_AAPT xxx.xxx.xxx.109 44d3.cafd.96fe alias

arp Internet_AAPT xxx.xxx.xxx.110 44d3.cafd.96fe alias

arp timeout 14400

global (Internet_AAPT) 1 interface

nat (Server_Network) 1 10.153.11.0 255.255.255.0

nat (Internal_Network) 1 10.153.111.0 255.255.255.0

static (Server_Network,Internet_AAPT) tcp interface smtp exc2010 smtp netmask 255.255.255.255

static (Server_Network,Internet_AAPT) tcp interface pop3 exc2010 pop3 netmask 255.255.255.255

static (Server_Network,Internet_AAPT) tcp xxx.xxx.xxx.96 ftp QNAP ftp netmask 255.255.255.255

static (Server_Network,Internet_AAPT) tcp xxx.xxx.xxx.96 https QNAP https netmask 255.255.255.255

static (Server_Network,Internet_AAPT) tcp interface https exc2010 https netmask 255.255.255.255

static (Server_Network,Internet_AAPT) tcp interface 8080 zeacom 8080 netmask 255.255.255.255

static (Server_Network,Internet_AAPT) tcp interface 987 exc2010 987 netmask 255.255.255.255

static (Server_Network,Internet_AAPT) tcp xxx.xxx.xxx.96 55536 QNAP 55536 netmask 255.255.255.255

static (Server_Network,Internet_AAPT) tcp xxx.xxx.xxx.96 55537 QNAP 55537 netmask 255.255.255.255

static (Server_Network,Internet_AAPT) tcp xxx.xxx.xxx.96 55538 QNAP 55538 netmask 255.255.255.255

static (Server_Network,Internet_AAPT) tcp xxx.xxx.xxx.96 55539 QNAP 55539 netmask 255.255.255.255

static (Server_Network,Internet_AAPT) tcp xxx.xxx.xxx.96 55540 QNAP 55540 netmask 255.255.255.255

static (Server_Network,Internet_AAPT) tcp xxx.xxx.xxx.96 55541 QNAP 55541 netmask 255.255.255.255

static (Server_Network,Internet_AAPT) tcp xxx.xxx.xxx.96 55542 QNAP 55542 netmask 255.255.255.255

static (Server_Network,Internet_AAPT) tcp xxx.xxx.xxx.96 55543 QNAP 55543 netmask 255.255.255.255

static (Server_Network,Internet_AAPT) tcp xxx.xxx.xxx.96 55544 QNAP 55544 netmask 255.255.255.255

static (Server_Network,Internet_AAPT) tcp xxx.xxx.xxx.96 55545 QNAP 55545 netmask 255.255.255.255

static (Server_Network,Internet_AAPT) tcp xxx.xxx.xxx.96 55546 QNAP 55546 netmask 255.255.255.255

static (Server_Network,Internet_AAPT) tcp xxx.xxx.xxx.96 55547 QNAP 55547 netmask 255.255.255.255

static (Server_Network,Internet_AAPT) tcp xxx.xxx.xxx.96 55548 QNAP 55548 netmask 255.255.255.255

static (Server_Network,Internet_AAPT) tcp xxx.xxx.xxx.96 55549 QNAP 55549 netmask 255.255.255.255

static (Server_Network,Internet_AAPT) tcp xxx.xxx.xxx.96 55550 QNAP 55550 netmask 255.255.255.255

static (Server_Network,Internet_AAPT) tcp xxx.xxx.xxx.97 www helpdesk www netmask 255.255.255.255

static (Server_Network,Internet_AAPT) tcp xxx.xxx.xxx.97 https helpdesk https netmask 255.255.255.255

static (Server_Network,Internet_AAPT) tcp xxx.xxx.xxx.96 ftp-data QNAP ftp-data netmask 255.255.255.255

access-group Internet_AAPT_access_in in interface Internet_AAPT

route Internet_AAPT 0.0.0.0 0.0.0.0 203.174.178.221 1

route management 10.153.11.0 255.255.255.0 10.153.100.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server ADAuth protocol ldap

aaa-server ADAuth (Server_Network) host 10.153.11.190

ldap-base-dn DC=prosum,DC=local

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password *****

ldap-login-dn CN=Administrator,CN=Users,DC=prosum,DC=local

server-type microsoft

http server enable

http 172.153.0.0 255.255.0.0 management

http 10.153.111.0 255.255.255.0 management

http 10.153.0.0 255.255.0.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map Internet_AAPT_map 1 match address Internet_AAPT_1_cryptomap

crypto map Internet_AAPT_map 1 set pfs group1

crypto map Internet_AAPT_map 1 set peer

crypto map Internet_AAPT_map 1 set transform-set ESP-3DES-SHA

crypto map Internet_AAPT_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map Internet_AAPT_map interface Internet_AAPT

crypto ca trustpoint _SmartCallHome_ServerCA

crl configure

crypto isakmp enable Internet_AAPT

crypto isakmp policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet 10.153.0.0 255.255.0.0 Internal_Network

telnet 10.153.100.0 255.255.255.0 management

telnet timeout 5

ssh timeout 5

console timeout 1

dhcp-client client-id interface Internet_AAPT

threat-detection basic-threat

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 192.189.54.17 source management prefer

webvpn

group-policy easyvpn internal

group-policy easyvpn attributes

dns-server value 10.153.11.190

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value easyvpn_splitTunnelAcl

default-domain value prosum.local

group-policy GroupPolicy2 internal

group-policy GroupPolicy2 attributes

vpn-tunnel-protocol IPSec l2tp-ipsec

group-policy GroupPolicy1 internal

group-policy GroupPolicy1 attributes

vpn-tunnel-protocol IPSec l2tp-ipsec

split-dns value prosum.local

tunnel-group "IPSEC VPN Client" type remote-access

tunnel-group "IPSEC VPN Client" general-attributes

address-pool (Internet_AAPT) VPN_Pool

authentication-server-group ADAuth LOCAL

authentication-server-group (Server_Network) ADAuth LOCAL

authorization-server-group ADAuth

authorization-server-group (Server_Network) ADAuth

default-group-policy GroupPolicy1

password-management password-expire-in-days 5

tunnel-group "IPSEC VPN Client" ipsec-attributes

pre-shared-key *****

tunnel-group "IPSEC VPN Client" ppp-attributes

authentication pap

authentication ms-chap-v2

authentication eap-proxy

tunnel-group TunnelGroup1 type remote-access

tunnel-group TunnelGroup1 general-attributes

default-group-policy GroupPolicy2

tunnel-group TunnelGroup1 ppp-attributes

authentication pap

no authentication chap

no authentication ms-chap-v1

tunnel-group easyvpn type remote-access

tunnel-group easyvpn general-attributes

address-pool VPN_Pool

authentication-server-group ADAuth

default-group-policy easyvpn

tunnel-group easyvpn ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

!

service-policy global_policy global

prompt hostname context

call-home reporting anonymous

Cryptoc

varrao · ‎05-14-2012

Hi Dino,

Please check the IP addressing in your internal lan, and verify if there are any IP address conflicts due to which it is showing the log, the configuration looks good to me.

Thanks,
Varun Rao
Security Team,
Cisco TAC

Thanks,
Varun Rao

dino-chirico · ‎05-14-2012

Hi varun

I have check and I have 10.153.11.0/24 and 10.153.12.0/24 definately not the 10.153.111.0/24 range. When I send a packet from say 10.153.11.190 the log shows about the server LAN. Does make sense. Anything else? I can't use this internal LAN at all.

Kevin P Sheahan · ‎05-14-2012

Please run a packet-tracer and respond to this thread with the output.

packet-tracer in Internal_Network tcp 10.153.111.50 http 8.8.8.8 http det

Kind Regards,

Kevin

**Please remember to rate helpful posts as well as mark the question as 'answered' once your issue is resolved. This will help others to find your solution faster.

Kind Regards, Kevin Sheahan, CCIE # 41349

dino-chirico · ‎05-14-2012

Hi Kevin

Here is the packet trace

Thanks

ASA01# packet-tracer in Internal_Network tcp 10.153.111.50 http 8.8.8.8 http d$

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 0.0.0.0 0.0.0.0 Internet_AAPT

Phase: 2

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xab95e6d0, priority=0, domain=inspect-ip-options, deny=true

hits=236, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in id=0xab8c7848, priority=0, domain=inspect-ip-options, deny=true

hits=75711, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 77767, packet dispatched to next module

Module information for forward flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_tcp_normalizer

snp_fp_translate

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Module information for reverse flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_translate

snp_fp_tcp_normalizer

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Result:

input-interface: Internal_Network

input-status: up

input-line-status: up

output-interface: Internet_AAPT

output-status: up

output-line-status: up

Action: allow

Regards,

Dino Chirico | IT Manager

T: 03 9697 2222 | F: 03 9697 2200 | M: 04 0745 4600

W: Prosum.com.au | E: Dino.Chirico@prosum.com.au

A: 6 Ross Street , South Melbourne 3205

Disclaimer

This message may contain confidential, proprietary or legally privileged information and is intended only for the individual named. No confidentiality or privilege is waived or lost by mistaken transmission. If you are not the named addressee you should not disseminate, distribute, copy or disclose its contents to anyone. Please notify the sender immediately by e-mail if you have received this e-mail in error and delete all copies and destroy any hard copies from your system. PABX Sales and Service Pty Ltd Trading as Prosum of 6 Ross Street South Melbourne ABN 53 087 133 702 and any of its subsidiaries each reserve the right to monitor all e-mail communications through its networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity.

Kevin P Sheahan · ‎05-14-2012

The Asa is not your problem. What other devices are in play here?

Sent from Cisco Technical Support iPhone App

Kind Regards, Kevin Sheahan, CCIE # 41349

dino-chirico · ‎05-14-2012

I have a HP switch that is doing the routing for the different subnets and is the default gateway

Kevin P Sheahan · ‎05-14-2012

Setup a capture to see if the packets are even getting to the ASA, because I think if they do they will go out as desired.

Access-list cap extended permit ip 10.53.111.0 255.255.255.0 any

Capture cap cap

Initiate traffic with the capture running and then check it out by issuing the following command....

Sho cap cap

If nothing is there then the packets are not making it to your Asa and you need too look at your switch as the offending device.

Please let us know how it goes!

Sent from Cisco Technical Support iPhone App

Kind Regards, Kevin Sheahan, CCIE # 41349

dino-chirico · ‎05-14-2012

Ok so I did below

Capture cap access-list cap right?

Result after trying to browse from 10.153.111.0 subnet

ASA01# sh cap cap

0 packet captured

0 packet shown

I did another capture for the 10.153.111.0 network and also got 0 packets as above, I did the commands below???? I know the ASA is passing through traffic… is what I did above right?

access-list cap2 extended permit ip 10.53.11.0 255.255.255.0 any

capture cap2 access-list cap2

ASA01# sh capture cap2

0 packet captured

0 packet shown

Below is the HP switch config

HP_SWITCH_2650# sh run

Running configuration:

; J8165A Configuration Editor; Created on release #H.10.38

hostname "HP_SWITCH_2650"

max-vlans 253

ip routing

snmp-server community "public" Unrestricted

vlan 1

name "DEFAULT_VLAN"

ip address dhcp-bootp

no untagged 1-50

exit

vlan 11

name "Servers"

untagged 7,10,15-16,42,47-48

ip address 10.153.11.1 255.255.255.0

tagged 44,50

exit

vlan 12

name "Voice"

untagged 1-2,25

ip address 10.153.12.1 255.255.255.0

ip helper-address 10.153.11.190

tagged 3-24,26-50

exit

vlan 13

name "1801 VLAN 1"

untagged 17-18

ip address 10.153.13.1 255.255.255.0

exit

vlan 15

name "Cisco Voice"

untagged 6

ip address 10.153.15.5 255.255.255.0

exit

vlan 30

name "Lab Network"

ip address 10.153.30.1 255.255.255.0

ip helper-address 10.153.11.191

exit

vlan 40

name "Lync"

untagged 49

ip address 10.153.40.1 255.255.255.0

ip helper-address 10.153.11.190

exit

vlan 100

name "Management"

untagged 44,46

ip address 10.153.100.1 255.255.255.0

tagged 50

exit

vlan 111

name "Data"

untagged 3-5,8-9,11-14,19-24,26-35,37-41,43,45,50

ip address 10.153.111.1 255.255.255.0

ip helper-address 10.153.11.190

exit

ip route 0.0.0.0 0.0.0.0 10.153.11.254

spanning-tree

password manager

password operator

Regards,

Dino Chirico | IT Manager

T: 03 9697 2222 | F: 03 9697 2200 | M: 04 0745 4600

W: Prosum.com.au | E: Dino.Chirico@prosum.com.au

A: 6 Ross Street , South Melbourne 3205

Disclaimer

This message may contain confidential, proprietary or legally privileged information and is intended only for the individual named. No confidentiality or privilege is waived or lost by mistaken transmission. If you are not the named addressee you should not disseminate, distribute, copy or disclose its contents to anyone. Please notify the sender immediately by e-mail if you have received this e-mail in error and delete all copies and destroy any hard copies from your system. PABX Sales and Service Pty Ltd Trading as Prosum of 6 Ross Street South Melbourne ABN 53 087 133 702 and any of its subsidiaries each reserve the right to monitor all e-mail communications through its networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity.

Kevin P Sheahan · ‎05-14-2012

Your log message indicates that the packets are being received on the Server_Network interface which leads me to believe that they are being sent out by the HP switch on the default route, which is to the server_network interface on your ASA. So that makes sense, and I'll bet that if you change your default route to hit the ASA on the internal_network interface (10.153.111.254) your internal_network will function properly but your server_network will suffer.

I'm not so familiar with HP switches that I can recommend a fix for this, perhaps someone who is also HP savvy will come along to offer some help.

Kind Regards,

Kevin

**Please remember to rate helpful posts as well as mark the question as 'answered' once your issue is resolved. This will help others to find your solution faster.

Kind Regards, Kevin Sheahan, CCIE # 41349

dino-chirico · ‎05-23-2012

Hi,

Thanks for your help.

It was due to the HP switch. I removed the IP’s for the switch making it Layer 2 and used the ASA as the gateway for each VLAN.

Thanks

Regards,

Dino Chirico | IT Manager

T: 03 9697 2222 | F: 03 9697 2200 | M: +61 (407) 454600

W: Prosum.com.au | E: Dino.Chirico@prosum.com.au

A: 6 Ross Street , South Melbourne 3205

Disclaimer

This message may contain confidential, proprietary or legally privileged information and is intended only for the individual named. No confidentiality or privilege is waived or lost by mistaken transmission. If you are not the named addressee you should not disseminate, distribute, copy or disclose its contents to anyone. Please notify the sender immediately by e-mail if you have received this e-mail in error and delete all copies and destroy any hard copies from your system. PABX Sales and Service Pty Ltd Trading as Prosum of 6 Ross Street South Melbourne ABN 53 087 133 702 and any of its subsidiaries each reserve the right to monitor all e-mail communications through its networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity.