3955 Views | 0 Helpful | 22 Replies

New Subnet Requiring Internet Access via ASA

drikilbride
Level 1

Hi

Our current network only has a handful of VLANs, with VLAN1 having an IP range for PCs and servers of 10.255.0.0 255.255.0.0.

We have started to create new VLANs and our first test one is VLAN2 with an IP address range of 10.254.25.0/24.

We have a new 6500 switch; the subnet and DHCP are created on that, with a static default gateway set to our firewall at 10.255.251.211.

On the firewall, for testing purposes, there is an any-any rule allowing everyone internally access out to the internet (or so I thought).

Currently anyone on the 10.255.0.0 range has internet access, those on the 10.254.25.0 range don't.

Have I missed something on the firewall config for this new subnet?

Thanks in advance

22 Replies

If I wanted to test a ping from 10.254.25.42 to 208.67.222.222, what rule would I add to accomplish this? I have tried a few but have had no luck with it.

I already have an outside rule with the source being 208.67.222 and destination any and this allows pings to work from my old network out and back in.

Just no luck with the new subnet.

I still feel there could be an issue on the 6500, but it's hard to prove as the engineer feels it's all firewall and I can't access the config of it!

Hi

Here is the updated config!

Thanks

Your config shows a NAT statement for users in the 10.255.x.x subnet, nat (inside) 1 10.255.0.0 255.255.0.0, but this does not cover the users in the new subnet, 10.254.25.0. I would remove the current nat (inside) command and add the following line: nat (inside) 1 0.0.0.0 0.0.0.0. This command will cover all of your internal subnets and will PAT them to the outside interface.

Please let me know if this works for you.

I've looked at your configuration and Scott Conklin is right. You are lacking a NAT statement for your new subnet. Using packet-tracer would have revealed this for you though as you would have seen the flow being created and no NAT rule matching.
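As an added illustration of the NAT-coverage gap the two replies above describe (example code written for this thread, not Cisco's tooling or anything the poster ran), here is a small Python check that parses legacy-style `nat (inside)` lines and reports which rule, if any, covers a given source address. The two config fragments are constructed from the statements quoted above.

```python
"""Report whether an ASA legacy `nat (<ifc>) <id> <net> <mask>` line covers a host.

Added example for this thread; it mimics the "no NAT rule matching" result
packet-tracer would show, without talking to any device.
"""
import ipaddress
import re

# Matches e.g. "nat (inside) 1 10.255.0.0 255.255.0.0"; object-based NAT
# syntax from newer ASA releases is intentionally out of scope here.
NAT_LINE = re.compile(
    r"^\s*nat\s+\((?P<ifc>[\w-]+)\)\s+(?P<id>\d+)\s+"
    r"(?P<net>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)\s*$"
)


def parse_nat_rules(config: str):
    """Return [(interface, nat_id, IPv4Network), ...] in configuration order."""
    rules = []
    for line in config.splitlines():
        m = NAT_LINE.match(line)
        if m:
            # strict=False tolerates host bits; the mask is dotted-quad as on the ASA
            net = ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False)
            rules.append((m["ifc"], int(m["id"]), net))
    return rules


def matching_nat(config: str, src_ip: str, ifc: str = "inside"):
    """First NAT rule on `ifc` whose network contains src_ip, or None if uncovered."""
    ip = ipaddress.ip_address(src_ip)
    for rule_ifc, nat_id, net in parse_nat_rules(config):
        if rule_ifc == ifc and ip in net:
            return (nat_id, str(net))
    return None


# Constructed fragments: the statement the thread found in the posted config,
# and the replacement suggested in the reply.
CONFIG_BEFORE = """
nat (inside) 1 10.255.0.0 255.255.0.0
global (outside) 1 interface
"""
CONFIG_AFTER = """
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
"""

if __name__ == "__main__":
    for name, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        for host in ("10.255.0.10", "10.254.25.42"):
            print(f"{name}: {host} -> {matching_nat(cfg, host)}")
```

A `None` result for 10.254.25.42 against the "before" fragment is exactly the missing-translation condition the replies point at; the same host matches the 0.0.0.0/0 rule in the "after" fragment.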

Hi Scott

Thanks for that.

I have added that NAT command but still no luck.

Any ideas?

Thanks again for all your help.

Hi, have you tried running the Packet Tracer utility in the ASDM for the ASA in question? This tool will tell you whether or not your packets are being dropped by the firewall. If you put in the source IP and port and destination IP and port and it comes back as passing the traffic, then there is most likely another routing/networking issue somewhere else in your network.

Also, you can log into the ASA and use the capture command to see if the traffic is hitting your firewall and being passed to the internet or being dropped, or not hitting your firewall at all. For example, if the IP address of the PC you are testing from is 10.254.25.100 and you ping any Internet address (such as 4.2.2.2, which was mentioned earlier), you would use the command (from the configuration prompt) capture trace interface inside match tcp 10.254.25.100 255.255.255.255 any eq http, then start a continuous ping from the test machine. To see if this traffic is hitting the ASA, enter the command (from the enable prompt) sh capture. This will show any ICMP traffic flowing to the Internet from that specific source IP address.

I would recommend using the Packet Tracer first to see if the packet would be permitted or denied, then run the capture.

Edit: also, after you configured the new NAT/global configuration above, did you issue the 'clear xlate' command?

Hi Scott

I actually think I have narrowed down the issue to DNS on the 6500 the other engineer is installing.

When on the new subnet I can ping external IP addresses and can also navigate to websites using IP addresses, just not by name.

The problem I have had all along is that the external engineer has full control of the 6500, so I have been unable to check their configs.

I think internet access on the ASA is now configured fine thanks to your last post regarding the NAT line.

I am now going to bounce the DNS issue back to the other engineer.

Thanks again for all your help, it has been much appreciated!

Great, glad it's working for you.
