Cisco Support Community

ASA5505 won't allow Windows Server 2012 r2 to access internet

I have an ASA5505 I am trying to integrate into our network, however the ASA5505 won't allow our server to access the internet via our HP Procurve layer3 switch. Currently, only the server is connected via the switch as well as the two trunk lines to the ASA5505, for testing purposes. What I am hoping to accomplish is: Internet -> ASA5505 -> Layer3 Switch -> VLANS. The configuration is listed below:

CISCO ASA5505 / with Security Plus Lic:

!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 1
!
interface Ethernet0/2
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
!
interface Ethernet0/3
 switchport trunk allowed vlan 40,60,250
 switchport mode trunk
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.80.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.2.100.2 255.255.255.0
!
interface Vlan10
 no nameif
 security-level 100
 no ip address
!
interface Vlan20
 no nameif
 security-level 100
 no ip address
!
interface Vlan30
 no nameif
 security-level 100
 no ip address
!
interface Vlan40
 no nameif
 security-level 100
 no ip address
!
interface Vlan60
 no nameif
 security-level 100
 no ip address
!
interface Vlan250
 no nameif
 security-level 100
 no ip address
!
object network obj_any
 subnet 0.0.0.0 0.0.0.0
access-list inside_access_in extended permit ip any any
!
object network obj_any
 nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 10.2.100.1 1
route inside 192.168.10.0 255.255.255.0 192.168.80.1 1

 

HP Procurve E2620 Layer3 switch:

Status and Counters - VLAN Information

  Primary VLAN : DEFAULT_VLAN

  VLAN ID Name                             | Status     Voice Jumbo
  ------- -------------------------------- + ---------- ----- -----
  1       DEFAULT_VLAN                     | Port-based No    No
  10      SERVER                           | Port-based No    No


IP Route Entries

  Destination        Gateway         VLAN Type      Sub-Type   Metric     Dist.
  ------------------ --------------- ---- --------- ---------- ---------- -----
  0.0.0.0/0          192.168.80.1    1    static               1          1
  127.0.0.0/8        reject               static               0          0
  127.0.0.1/32       lo0                  connected            1          0
  192.168.10.0/24    SERVER          10   connected            1          0
  192.168.20.0/24    CLIENT          20   connected            1          0
  192.168.30.0/24    WIFI            30   connected            1          0
  192.168.40.0/24    GUEST           40   connected            1          0
  192.168.60.0/24    STORAGE         60   connected            1          0
  192.168.80.0/24    DEFAULT_VLAN    1    connected            1          0
  192.168.250.0/24   Manage          250  connected            1          0


Load Balancing Method: L3-based (Default), L2-based if non-IP traffic

  Port | Name                             Type      | Group Type
  ---- + -------------------------------- --------- + ----- --------
  23   |                                  10/100TX  | Trk2  Trunk
  24   |                                  10/100TX  | Trk1  Trunk


Status and Counters - VLAN Information

  Primary VLAN : DEFAULT_VLAN
  Management VLAN :


  Port Information Mode     Unknown VLAN Status
  ---------------- -------- ------------ ----------
  1       DEFAULT_VLAN                     | Port-based No    No
  10      SERVER                           | Port-based No    No
  20      CLIENT                           | Port-based No    No
  30      WIFI                             | Port-based No    No
  40      GUEST                            | Port-based No    No
  60      STORAGE                          | Port-based No    No
  250     Manage                           | Port-based No    No


              Switch Configuration - VLAN - VLAN Port Assignment


  Port   DEFAULT_VLAN     SERVER        CLIENT         WIFI         GUEST        STORAGE        Manage
  ---- + <-----------  ------------  ------------  ------------  ------------  ------------  ------------  

  6    | No            Untagged         No            No            No            No            No

  Trk1 | Untagged      Tagged        Tagged        Tagged        No            No            No
  Trk2 | Untagged      No            No            No            Tagged        Tagged        Tagged

3 REPLIES

First off, what license do you have installed on the ASA (show version will tell you that)?

Second, if I remember correctly, trunk in HP terms does not mean the same as trunk in Cisco terms. In HP, a trunk refers to the bundling of an interface in what Cisco calls Etherchannels or Portchannels (which the 5505 does not support).

Also, you need to configure names for all the VLAN interfaces and either dynamic NAT for each interface or configure a dynamic NAT that matches all the interfaces (with the any keyword):

object network obj_any
 nat (any,outside) dynamic interface

--

Please remember to select a correct answer and rate helpful posts


Hi,

I smell a Layer 2 problem with this config, and especially with VLANs.

I can see that your Inside Interface is linked to VLAN 1 (the default). If that is the case, then you need to mark VLAN 1 as Tagged in your Trunk (1 or 2).

Good luck

As per the HP switch output, the server is connected to VLAN10, which has no name and therefore no NAT statement.

Add interface names to the VLANs and also add the NAT statement I provided above, and you should be able to get internet access.

--

Please remember to select a correct answer and rate helpful posts
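
The two checks raised in the replies (VLAN interfaces carried on the trunks but left without a nameif, and dynamic NAT limited to sources on `inside`), plus a check for a static route whose gateway is one of the ASA's own addresses, written as a small Python audit over an excerpt of the posted configuration. This is an added example, not code from the thread; the function name `audit` and the wording of the findings are made up for illustration.

```python
import re

# Constructed sample: an excerpt of the ASA configuration posted in the question.
SAMPLE_CONFIG = """\
interface Ethernet0/2
 switchport trunk allowed vlan 10,20,30
interface Ethernet0/3
 switchport trunk allowed vlan 40,60,250
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.80.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.2.100.2 255.255.255.0
interface Vlan10
 no nameif
 security-level 100
 no ip address
object network obj_any
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 10.2.100.1 1
route inside 192.168.10.0 255.255.255.0 192.168.80.1 1
"""

def audit(config):
    """Return findings (NAT, routes, then trunked VLANs) for an ASA 5505 config."""
    trunk_vlans, names, addrs, findings = set(), {}, {}, []
    current = None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = m.group(1)
        elif m := re.match(r" switchport trunk allowed vlan (\S+)", line):
            trunk_vlans.update(int(v) for v in m.group(1).split(","))
        elif m := re.match(r" nameif (\S+)", line):      # " no nameif" does not match
            names[current] = m.group(1)
        elif m := re.match(r" ip address (\S+)", line):  # " no ip address" does not match
            addrs[m.group(1)] = current
        elif m := re.match(r" nat \((\w+),(\w+)\)", line):
            if m.group(1) != "any":
                findings.append(f"NAT only translates sources on '{m.group(1)}'")
        elif m := re.match(r"route (\S+) (\S+) (\S+) (\S+)", line):
            if m.group(4) in addrs:                      # next hop is the ASA itself
                findings.append(f"route to {m.group(2)} uses own address {m.group(4)} as gateway")
    for vlan in sorted(trunk_vlans):
        if f"Vlan{vlan}" not in names:                   # unnamed interfaces pass no traffic
            findings.append(f"Vlan{vlan} is trunked but has no nameif")
    return findings
```

On the posted configuration, `audit(SAMPLE_CONFIG)` reports the `inside`-only NAT rule, the `route inside` entry whose gateway 192.168.80.1 is the ASA's own Vlan1 address, and all six trunked VLANs as unnamed.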
