VLAN internet access via ASA 5510

neillradford
Level 1

Hopefully there are some ASA experts out there! I have been having an issue getting internet access working on VLANs and am literally tearing my hair out!

Ok, just a quick summary of my environment. We have a 3750X cisco switch trunked over to an ASA 5510.

Internet access is fine for the inside network but having no joy whatsoever with additional vlans and internet access. My steps so far have been:

  • Create a VLAN2 on the 3750X - 10.10.20.250
  • Create subinterface on the ASA with same security level as inside network - IP of subinterface is 10.10.20.2
  • From VLAN2 I can ping the ASA subinterface IP and all of the inside network except the ASA inside IP address. Maybe this is my problem??
  • I have inserted NAT statements for VLAN2 internet traffic.
  • The inbuilt packet tracer from VLAN2 to outside is showing as ok.

What am I missing? I can post the switch and ASA configs if anyone would like to help me out. ASA license is base and firewall mode is routed.


Thanks

Neill


9 Replies

Marvin Rhoads
Hall of Fame

The ASA config would help, as would the running-config and "show interface" for the switch interface connecting to the ASA.

You didn't mention whether the interface connecting the switch to the ASA is configured as a trunk, i.e. "switchport mode trunk".

neillradford
Level 1

Hi Marvin

Thanks for replying. Didn't want to post the config in my initial post as it would have saturated the query!

See below; I've stripped out stuff that isn't relevant, like VPNs etc.

3750X Config

    interface GigabitEthernet1/0/1
     description ASA 5510
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 1,2
     switchport mode trunk
    !
    interface GigabitEthernet1/0/2
     description SSM Module
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 1,2
     switchport mode trunk
    !
    !
    interface Vlan1
     ip address 192.168.3.250 255.255.255.0
    !
    interface Vlan2
     description Testing
     ip address 10.10.20.250 255.255.255.0
     ip helper-address 192.168.3.x
    !
    interface Vlan5
     description Voice Vlan
     ip address 10.10.10.250 255.255.255.0
     ip helper-address 192.168.3.x
    !
    ip http server
    ip http secure-server
    !

ASA Config

    :
    ASA Version 9.1(3)
    !
    hostname ……..ASA
    domain-name ………
    enable password QnKyFyFK6LWudLeM encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    xlate per-session permit tcp any4 any4
    xlate per-session permit tcp any4 any6
    xlate per-session permit tcp any6 any4
    xlate per-session permit tcp any6 any6
    xlate per-session permit udp any4 any4 eq domain
    xlate per-session permit udp any4 any6 eq domain
    xlate per-session permit udp any6 any4 eq domain
    xlate per-session permit udp any6 any6 eq domain
    passwd gerd0WPZAcHKQ1jK encrypted
    names
    ip local pool remotes 11.1.1.1-11.1.1.10 mask 255.255.255.0
    !
    interface Ethernet0/0
     nameif outside
     security-level 0
     ip address x.x.x.x 255.255.255.240
    !
    interface Ethernet0/1
     nameif inside
     security-level 100
     ip address 192.168.3.2 255.255.255.0
    !
    interface Ethernet0/1.2
     description Test VLAN
     vlan 2
     nameif VLAN2
     security-level 100
     ip address 10.10.20.2 255.255.255.0
    !
    interface Ethernet0/2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Ethernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     shutdown
     no nameif
     no security-level
     no ip address
    !
    boot system disk0:/asa913-k8.bin
    boot system disk0:/asa846-5-k8.bin
    boot system disk0:/asa842-k8.bin
    ftp mode passive
    clock timezone GMT/BST 0
    clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
    dns domain-lookup outside
    dns domain-lookup inside
    dns server-group DefaultDNS
     name-server 8.8.8.8
     domain-name xxxxxxxxx
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network NETWORK_OBJ_11.1.1.0_28
     subnet 11.1.1.0 255.255.255.240
    object network inside_network
     subnet 192.168.3.0 255.255.255.0
    object network NETWORK_OBJ_192.168.3.0_24
     subnet 192.168.3.0 255.255.255.0
    object network module
     host 192.168.3.8
    object network vlantest
     host 10.10.20.250
    object network vlan2
     range 10.10.20.0 255.255.255.0
    object-group service DM_INLINE_TCP_2 tcp
     port-object eq 3388
     port-object eq 4550
     port-object eq 5511
     port-object eq 5550
     port-object eq 5552
     port-object eq 5553
     port-object eq 5611
     port-object eq 6550
     port-object eq 81
     port-object eq 8554
     port-object eq 8866
    object-group service DM_INLINE_TCP_3 tcp
     port-object eq ftp
     port-object eq pop3
     port-object eq smtp
     port-object eq www
    object-group service DM_INLINE_TCP_4 tcp
     port-object eq ftp
     port-object eq www
     port-object eq pop3
     port-object eq smtp
    object-group protocol TCPUDP
     protocol-object udp
     protocol-object tcp
    access-list outside_access_in extended permit tcp any object exchange eq smtp
    access-list outside_access_in extended permit tcp any object exchangeportal eq https
    access-list outside_access_in extended permit tcp any4 object x.x.x.x eq smtp
    access-list outside_access_in extended permit tcp any4 object x.x.x.x eq 6521
    access-list outside_access_in extended permit tcp any4 object x.x.x.x eq pptp
    access-list outside_access_in extended permit tcp any4 object x.x.x.x object-group DM_INLINE_TCP_2
    access-list outside_access_in extended permit ip any4 object x.x.x.x
    access-list ACL_VLAN2 extended permit ip 10.10.20.0 255.255.255.0 any
    access-list acl_inside extended permit ip any any
    access-list acl_inside extended permit icmp any any
    access-list global_mpc extended permit tcp any any object-group DM_INLINE_TCP_3
    access-list inside_mpc extended permit tcp 192.168.3.0 255.255.255.0 x.x.x.x 255.255.255.240 object-group DM_INLINE_TCP_4
    pager lines 24
    logging enable
    logging monitor informational
    logging buffered debugging
    logging asdm informational
    logging from-address ASAalerts@.........
    logging recipient-address …………. level errors
    mtu outside 1500
    mtu inside 1500
    mtu VLAN2 1500
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any VLAN2
    asdm image disk0:/asdm-714.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static inside_network inside_network destination static NETWORK_OBJ_11.1.1.0_28 NETWORK_OBJ_11.1.1.0_28 no-proxy-arp
    !
    object network inside_network
     nat (inside,outside) dynamic interface
    object network exchange
     nat (inside,outside) static interface service tcp smtp smtp
    object network exchangeportal
     nat (inside,outside) static interface service tcp https https
    object network vlan2
     nat (VLAN2,outside) dynamic interface
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 x.x.x.x
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable 444
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    ntp server x.x.x.x source outside prefer
    tftp-server inside 192.168.3..x ASA5510.cfg
    ssl trust-point ASDM_TrustPoint0 inside
    ssl trust-point ASDM_TrustPoint0 outside
    webvpn
     port 444
     enable outside
     enable inside
     anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
     anyconnect image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2
     anyconnect image disk0:/anyconnect-linux-2.4.1012-k9.pkg 3
     anyconnect image disk0:/anyconnect-wince-ARMv4I-2.4.1012-k9.pkg 4
     anyconnect enable
     tunnel-group-list enable
    group-policy DfltGrpPolicy attributes
     dns-server value 8.8.8.8
     vpn-tunnel-protocol ssl-clientless
     default-domain value ………
     wins-server none
     dns-server value 192.168.3.x
     vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
     default-domain value …..
     address-pools value remotes
     webvpn
    group-policy GroupPolicy1 internal
    group-policy remotes internal
    group-policy remotes attributes
     dns-server value 192.168.3.x
     vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
     default-domain value ……..
     address-pool remotes
    !
    class-map global-class
     match access-list global_mpc
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
     class global-class
      csc fail-close
    !
    service-policy global_policy global
    smtp-server 192.168.3.x
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email callhome@cisco.com
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:1f5c2e807da97877abac7e15bb5a5143
    : end
    asdm image disk0:/asdm-714.bin
    no asdm history enable

Your:

    object network vlan2
    range 10.10.20.0 255.255.255.0

is mis-formed. Try instead:

    object network vlan2
    subnet 10.10.20.0 255.255.255.0

neillradford
Level 1

Hopefully that's what it is! I'll give that a go tomorrow and let you know if that resolves it.

Thanks Marvin

neillradford
Level 1

Hi Marvin,

Still no internet access with the object change from range to subnet.

Should I be able to ping the inside interface IP of 192.168.3.2 from VLAN2? At the moment I can't, but I can ping everything else on the 192.168.3.x subnet.

See below for output from the show nat command:

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static exchange interface   service tcp smtp smtp
    translate_hits = 0, untranslate_hits = 538
2 (inside) to (outside) source static exchangeportal interface   service tcp https https
    translate_hits = 0, untranslate_hits = 7319
3 (VLAN2) to (outside) source dynamic vlan2 interface
    translate_hits = 0, untranslate_hits = 0
4 (inside) to (outside) source dynamic inside_network interface
    translate_hits = 617483, untranslate_hits = 24596

See below for output from packet tracer (I get exactly the same when tracing from an IP on the inside network):

packet-tracer input vlan2 tcp 10.10.20.51 http 8.8.8.8 http

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network vlan2
 nat (VLAN2,outside) dynamic interface
Additional Information:
Dynamic translate 10.10.20.51/80 to x.x.x.x /80

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: SSM-DIVERT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: SSM_SERVICE
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: SSM_SERVICE
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 639142, packet dispatched to next module

Result:
input-interface: VLAN2
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Any other thoughts on where I'm going wrong?

From what host on VLAN 2 are you initiating the pings? Does that host have your ASA VLAN 2 interface set as the gateway?

I ask because your "show nat" output indicates no translate hits for traffic coming from VLAN 2:

3 (VLAN2) to (outside) source dynamic vlan2 interface
    translate_hits = 0, untranslate_hits = 0
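The check Marvin applies above (a dynamic NAT rule whose translate_hits never move means no traffic from that interface is reaching the rule, which points at the hosts' gateway rather than at the ASA's NAT or ACL config) can be automated. The following is an added example, not code from the thread: a small Python script that parses "show nat" counter output and flags outbound dynamic rules with zero translate hits. The sample text is re-typed from the poster's output above, and all function and variable names are my own.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input: the "show nat" section posted in the thread,
# re-typed here so the script runs offline (not live device output).
SAMPLE_SHOW_NAT = """\
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static exchange interface   service tcp smtp smtp
    translate_hits = 0, untranslate_hits = 538
2 (inside) to (outside) source static exchangeportal interface   service tcp https https
    translate_hits = 0, untranslate_hits = 7319
3 (VLAN2) to (outside) source dynamic vlan2 interface
    translate_hits = 0, untranslate_hits = 0
4 (inside) to (outside) source dynamic inside_network interface
    translate_hits = 617483, untranslate_hits = 24596
"""

# Policy header line: "<n> (<src>) to (<dst>) source static|dynamic <object> ..."
POLICY_RE = re.compile(
    r"^(?P<idx>\d+)\s+\((?P<src>[^)]+)\)\s+to\s+\((?P<dst>[^)]+)\)\s+"
    r"source\s+(?P<kind>static|dynamic)\s+(?P<obj>\S+)"
)
# Counter line that follows each policy header.
HITS_RE = re.compile(r"translate_hits\s*=\s*(\d+),\s*untranslate_hits\s*=\s*(\d+)")


@dataclass
class NatPolicy:
    index: int
    src_if: str
    dst_if: str
    kind: str            # "static" or "dynamic"
    obj: str             # network object the rule is attached to
    translate_hits: int
    untranslate_hits: int


def parse_show_nat(text: str) -> List[NatPolicy]:
    """Pair each policy header with its following counter line."""
    policies: List[NatPolicy] = []
    current = None
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            current = m.groupdict()
            continue
        h = HITS_RE.search(line)
        if h and current is not None:
            policies.append(NatPolicy(
                index=int(current["idx"]),
                src_if=current["src"],
                dst_if=current["dst"],
                kind=current["kind"],
                obj=current["obj"],
                translate_hits=int(h.group(1)),
                untranslate_hits=int(h.group(2)),
            ))
            current = None
    return policies


def idle_outbound_policies(policies: List[NatPolicy]) -> List[NatPolicy]:
    """Dynamic (outbound PAT) rules that have never translated a packet.

    Static rules for published servers legitimately show only untranslate
    hits (inbound direction), so only dynamic rules are flagged here."""
    return [p for p in policies if p.kind == "dynamic" and p.translate_hits == 0]


def report(policies: List[NatPolicy]) -> List[str]:
    """One human-readable finding per idle outbound rule."""
    return [
        f"rule {p.index} ({p.src_if},{p.dst_if}) object {p.obj}: "
        f"translate_hits=0, so no outbound traffic from {p.src_if} is reaching "
        f"the ASA; check that hosts on {p.src_if} use the ASA's {p.src_if} "
        f"interface address as their default gateway"
        for p in idle_outbound_policies(policies)
    ]


if __name__ == "__main__":
    for finding in report(parse_show_nat(SAMPLE_SHOW_NAT)):
        print(finding)
```

On the thread's output the script reports only rule 3 (the VLAN2 rule), which is exactly the counter Marvin points at; rule 4 (inside) has hundreds of thousands of translate hits and is left alone.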

The pings are initiated from a PC that has obtained an IP from the DHCP server.

The DHCP scope router for VLAN2 is configured as 10.10.20.250 which is the same gateway defined on the 3750 switch.

Should the DHCP scope router IP match the ASA sub interface IP of 10.10.20.2?


neillradford
Level 1

Problem sorted! The issue was with the router IP of the DHCP scope. Once the gateway was changed to the sub-interface VLAN2 IP address it worked.

Marvin - thanks for taking the time to read the config and give advice.

You're welcome.

Glad to see my analysis was correct. Thanks for the rating.
