New Member

New Subnet Requiring Internet Access via ASA

Hi

Our current network only has a handful of VLANs, with VLAN 1 having an IP range for PCs and servers of 10.255.0.0 255.255.0.0.

We have started to create new Vlans and our first test one is VLAN2 with an IP address range of 10.254.25.0/24.

We have a new 6500 switch and the subnet and dhcp is created on that with a static default gateway set to our firewall of 10.255.251.211.

The firewall, for testing purposes, has an any/any rule allowing everyone internally access out to the internet (or so I thought).

Currently anyone on the 10.255.0.0 range has internet access, those on the 10.254.25.0 range don't.

Have I missed something on the firewall config for this new subnet?

Thanks in advance

22 REPLIES
Hall of Fame Super Blue

Re: New Subnet Requiring Internet Access via ASA

drikilbride wrote:

Hi

Our current network only has a handful of VLANs, with VLAN 1 having an IP range for PCs and servers of 10.255.0.0 255.255.0.0.

We have started to create new Vlans and our first test one is VLAN2 with an IP address range of 10.254.25.0/24.

We have a new 6500 switch and the subnet and dhcp is created on that with a static default gateway set to our firewall of 10.255.251.211.

The firewall, for testing purposes, has an any/any rule allowing everyone internally access out to the internet (or so I thought).

Currently anyone on the 10.255.0.0 range has internet access, those on the 10.254.25.0 range don't.

Have I missed something on the firewall config for this new subnet?

Thanks in advance

You need a route added so the firewall knows how to send the return traffic back ie.

route inside 10.254.0.0 255.255.255.0 

Jon

New Member

Re: New Subnet Requiring Internet Access via ASA

Thanks Jon

So I would need to add

route inside 10.254.0.0 255.255.255.0 10.255.250.51

Thanks a mil!

Hall of Fame Super Blue

Re: New Subnet Requiring Internet Access via ASA

drikilbride wrote:

Thanks Jon

So I would need to add

route inside 10.254.0.0 255.255.255.0 10.255.250.51

Thanks a mil!


If 10.255.250.51 is the vlan 1 interface IP on the switch then yes that should do it.

Jon

New Member

Re: New Subnet Requiring Internet Access via ASA

Hi Jon

I have tried that but still no luck.

From the 10.254.25.0/24 network I can ping my firewall. I just can't get internet.

Under routing I had one route set there from before all of this for my old network.

It was simply an outside rule:

outside 0.0.0.0 0.0.0.0 77.75.x.x 255 (metric)

I thought this rule sends everything internal out through my ISP gateway.

I have added the inside rule also but this isn't working. Maybe I have missed something silly?

Thanks again, your help is much appreciated.

Re: New Subnet Requiring Internet Access via ASA

First off can you ping the next hop outside of the ASA from the network in question?  Also, I am just wondering why would you set a metric of 255 on the default route out to the Internet?

Thanks,

Kimberly

Thanks and Cheers! Kimberly Please remember to rate helpful posts.
New Member

Re: New Subnet Requiring Internet Access via ASA

Hi Kimberly

No, I can't ping the next hop, which is the ISP's gateway.

I'm actually not sure why the lads set the metric to 255; I have just changed it back to 1.

Thanks a mil!

Re: New Subnet Requiring Internet Access via ASA

Metric of 1 for the default route is usually best and signifies that it is one hop away.  From the network in question are you able to ping anything outside of the ASA?  Some good tests to run would be run a continuous ping to 4.2.2.2 and then telnet/ssh into the ASA and see if you are hitting the xlate table or connection table.

commands would be:

show xlate | include [your systems ip here]

show conn | include [your systems ip here]

This is just another test to see what the ASA is doing.  By the way, what is the default gateway of the subnet that cannot get to the internet?

Kimberly

Thanks and Cheers! Kimberly Please remember to rate helpful posts.
New Member

Re: New Subnet Requiring Internet Access via ASA

Now here lies the problem.....

Our new subnets are being created by a third party engineer and he is the one who is saying I need to make changes on my firewall, although he can't tell me what.

The subnet he has created has the following dgw: 10.254.25.3. This subnet has been created on a 6500 switch which has a dgw set to 10.255.250.39.

I hope that makes sense.

If I ping 4.2.2.2 from the pc on the new subnet i get the following

reply from 10.254.25.2 (which is the DHCP Server on the new 6500 Switch)...destination host unreachable

Re: New Subnet Requiring Internet Access via ASA

I am assuming there is a route somewhere on your network that points to the ASA for Internet.  At this time I am not seeing where that would be coming from.  Can you please provide a little more information on the routing on your LAN and if you can get to the ASA at all?

Thanks,

Kimberly

Thanks and Cheers! Kimberly Please remember to rate helpful posts.
Hall of Fame Super Blue

Re: New Subnet Requiring Internet Access via ASA

drikilbride wrote:

Now here lies the problem.....

Our new subnets are being created by a third party engineer and he is the one who is saying I need to make changes on my firewall, although he can't tell me what.

The subnet he has created has the following dgw: 10.254.25.3. This subnet has been created on a 6500 switch which has a dgw set to 10.255.250.39.

I hope that makes sense.

If I ping 4.2.2.2 from the pc on the new subnet i get the following

reply from 10.254.25.2 (which is the DHCP Server on the new 6500 Switch)...destination host unreachable

Why is the DHCP server coming back with a destination host unreachable message ?

Is the 6500 routing for the vlans ?

What is 10.254.25.3, is this the L3 vlan interface on the 6500 switch ?

The 6500 has a default-gateway ?? - is the 6500 routing or simply acting as a L2 switch.  The dgw of 10.255.250.39, what exactly is that device.

As Kimberly says, if the 6500 is responsible for routing the vlans then you need a default-route (not default-gateway) pointing to the ASA. But it sounds like it is a bit more complicated than this.

Jon

New Member

Re: New Subnet Requiring Internet Access via ASA

Hi Jon

I have managed to persuade the third party engineer to add a default route on his 6500 to the firewall.

So now instead of getting destination host unreachable I am getting the normal request timed out when I ping an external IP Address so I now suspect it must be an access rule issue on the firewall.

It looks like my ping is getting out but just not being returned to the new vlan 10.254.25.0/24. Is there anything additional I can add in on the firewall to test this?

Thanks again

Re: New Subnet Requiring Internet Access via ASA

On the firewall, you may need a route inside statement that would look like this:

route inside 10.254.25.0 255.255.255.0 [IP of your 6500]

See if this helps the traffic come back to your new network.

Kimberly

Thanks and Cheers! Kimberly Please remember to rate helpful posts.
New Member

Re: New Subnet Requiring Internet Access via ASA

Hi Kimberly

Unfortunately I already have that route added.

Still no internet.

Thanks

Re: New Subnet Requiring Internet Access via ASA

Can you post up a new copy of your configuration of your firewall please?

This will help us help you with the changes needed to get the internet working.

Kimberly

Thanks and Cheers! Kimberly Please remember to rate helpful posts.
New Member

Re: New Subnet Requiring Internet Access via ASA

If I wanted to test a ping from 10.254.25.42 to 208.67.222.222, what rule would I add to accomplish this? I have tried a few but have had no luck with it.

I already have an outside rule with the source being 208.67.222 and destination any and this allows pings to work from my old network out and back in.

Just no luck with the new subnet.

I still feel there could be an issue on the 6500 but it's hard to prove, as the engineer feels it's all firewall and I can't access the config of it!

New Member

Re: New Subnet Requiring Internet Access via ASA

Hi

Here is the updated config!

Thanks

New Member

Re: New Subnet Requiring Internet Access via ASA

Your config shows a NAT statement for users in the 10.255.x.x subnet- nat (inside) 1 10.255.0.0 255.255.0.0, but this does not cover the users in the new subnet, 10.254.25.0.  I would remove the current nat (inside) command and add the following line- nat (inside) 1 0.0.0.0 0.0.0.0 - this command will cover all of your internal subnets and will PAT them to the outside interface.

Please let me know if this works for you.
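To make Scott's point concrete, here is an added model (not Cisco code, and not part of this thread) of the two checks a pre-8.3 ASA applies that this thread turned on: the NAT rule match for the source and the inside route for the return traffic. It parses `route` and `nat (inside)` lines in the same syntax used above; 203.0.113.1 stands in for the ISP gateway, 10.255.250.51 for the 6500, and the `route inside 10.255.0.0` line stands in for the directly connected inside network.

```python
import ipaddress

# Constructed model of pre-8.3 ASA "route <iface> <net> <mask> <gw>" and
# "nat (<iface>) <id> <net> <mask>" handling. All addresses are placeholders.

def parse(config):
    """Split config text into route entries and nat entries."""
    routes, nat = [], []
    for line in config.splitlines():
        p = line.split()
        if len(p) >= 5 and p[0] == "route":
            routes.append((p[1], ipaddress.ip_network(f"{p[2]}/{p[3]}", strict=False), p[4]))
        elif len(p) >= 5 and p[0] == "nat":
            nat.append((p[1].strip("()"), ipaddress.ip_network(f"{p[3]}/{p[4]}", strict=False)))
    return routes, nat

def lookup_route(routes, ip):
    """Longest-prefix match: returns (iface, next_hop) or None."""
    ip = ipaddress.ip_address(ip)
    best = max((r for r in routes if ip in r[1]), key=lambda r: r[1].prefixlen, default=None)
    return (best[0], best[2]) if best else None

def trace(config, src, dst):
    """Mimic packet-tracer's route and NAT phases for an inside-to-outside flow."""
    routes, nat = parse(config)
    fwd = lookup_route(routes, dst)
    if fwd is None or fwd[0] != "outside":
        return "DROP: no route to destination via outside"
    if not any(i == "inside" and ipaddress.ip_address(src) in net for i, net in nat):
        return "DROP: no nat (inside) rule matches source"   # Scott's diagnosis
    back = lookup_route(routes, src)
    if back is None or back[0] != "inside":
        return "OUT-ONLY: reply has no route inside, so it never reaches the host"
    return f"ALLOW: PAT on outside, reply routed inside via {back[1]}"

BEFORE = """
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.255.0.0 255.255.0.0 10.255.251.211
nat (inside) 1 10.255.0.0 255.255.0.0
global (outside) 1 interface
"""
# The fix from this thread: a catch-all nat (inside) plus a route back to the new VLAN.
AFTER = BEFORE.replace("nat (inside) 1 10.255.0.0 255.255.0.0",
                       "nat (inside) 1 0.0.0.0 0.0.0.0") + \
        "route inside 10.254.25.0 255.255.255.0 10.255.250.51\n"

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, trace(cfg, "10.254.25.42", "208.67.222.222"))
```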

New Member

Re: New Subnet Requiring Internet Access via ASA

I've looked at your configuration and Scott Conklin is right. You are lacking a NAT statement for your new subnet. Using packet-tracer would have revealed this for you though as you would have seen the flow being created and no NAT rule matching.

New Member

Re: New Subnet Requiring Internet Access via ASA

Hi Scott

Thanks for that.

I have added that NAT command but still no luck.

Any ideas?

Thanks again for all your help.

New Member

Re: New Subnet Requiring Internet Access via ASA

Hi, have you tried running the Packet Tracer utility in the ASDM for the ASA in question?  This tool will tell you whether or not your packets are being dropped by the firewall.  If you put in the source IP and port and destination IP and port and it comes back as passing the traffic, then there is most likely another routing/networking issue somewhere else in your network.

Also, you can log into the ASA and use the capture command to see if the traffic is hitting your firewall and being passed to the internet or being dropped, or not hitting your firewall at all.  For example, if the IP address of the PC you are testing from is 10.254.25.100 and you ping any Internet address (such as 4.2.2.2, which was mentioned earlier), you would use the command (from the Configuration prompt) capture trace interface inside match tcp 10.254.25.100 255.255.255.255 any eq http, then start a continuous ping from the test machine.  To see if this traffic is hitting the ASA, enter the command (from the Enable prompt) sh capture.  This will show any ICMP traffic flowing to the Internet from that specific source IP address.

I would recommend using the Packet tracer first to see if the packet would be permitted or denied, then run the capture.

Edit- also, after you configured the new NAT/Global configuration above, did you issue the 'clear xlate' command?

New Member

Re: New Subnet Requiring Internet Access via ASA

Hi Scott

I actually think I have narrowed down the issue to DNS on the 6500 the other engineer is installing.

When on the new subnet I can ping external IP Addresses and can also navigate to websites using IP Addresses - just not by name.

The problem I have had all along is that the external engineer has full control of the 6500 so I have been unable to check their config's.

I think internet access on the ASA is now configured fine thanks to your last post regarding the NAT line.

I am now going to bounce the DNS issue back to the other engineer.

Thanks again for all your help, it has been much appreciated!

New Member

Re: New Subnet Requiring Internet Access via ASA

Great, glad it's working for you.
