
New Member

host in vlan 20, 30, 40 cannot access the internet... telnet to vlan router and ping to internet = ok

ASA CONFIG

VRG-ASA5505# sh ru
: Saved
:
ASA Version 8.2(1)
!
hostname VRG-ASA5505
domain-name rutratoco.com.vn
enable password 8JDw.LfBlr2JcEOP encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.254 255.255.255.0
!
interface Vlan2
description ISP
nameif outside
security-level 0
pppoe client vpdn group ISP
ip address pppoe setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 203.113.131.1
name-server 203.113.131.2
domain-name rutratoco.com.vn
access-list Internal_access_in extended permit ip 192.168.10.0 255.255.255.0 any
access-list External_access_in extended permit ip any 192.168.10.0 255.255.255.0
access-list External_access_in extended permit icmp any any echo-reply
access-list External_access_in extended permit icmp any interface outside time-exceeded
access-list acl_out extended permit gre any interface outside
pager lines 24
mtu inside 1500
mtu outside 1492
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group Internal_access_in in interface inside
access-group External_access_in in interface outside
route inside 192.168.20.0 255.255.255.0 192.168.10.254 1
route inside 192.168.30.0 255.255.255.0 192.168.10.254 1
route inside 192.168.40.0 255.255.255.0 192.168.10.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.10.11 255.255.255.255 inside
http 192.168.20.21 255.255.255.255 inside
http 192.168.20.1 255.255.255.255 inside
http 192.168.20.11 255.255.255.255 inside
http 192.168.20.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group ISP request dialout pppoe
vpdn group ISP localname andresfjimenez@netc
vpdn group ISP ppp authentication pap
vpdn username andresfjimenez@netc password *********
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:ee4f58a0d481f871134330c18d6d6d56
: end
VRG-ASA5505#


SWITCH CONFIG

User Access Verification

Password:
Geruco_CoreSW>en
Password:
Geruco_CoreSW#sh ru
Building configuration...

Current configuration : 3349 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Geruco_CoreSW
!
enable password 7 01001F17540F040C
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
ip routing
ip dhcp excluded-address 192.168.20.1 192.168.20.20
!
ip dhcp pool Guest
   network 192.168.30.0 255.255.255.0
   default-router 192.168.30.254
   dns-server 8.8.8.8
!
ip dhcp pool Office
   network 192.168.40.0 255.255.255.0
   default-router 192.168.40.254
   dns-server 8.8.8.8
!
ip dhcp pool Hotel
   network 192.168.20.0 255.255.255.0
   default-router 192.168.20.254
   dns-server 8.8.8.8
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/1
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet0/2
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet0/3
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet0/4
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet0/5
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet0/6
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet0/7
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet0/8
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet0/9
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet0/10
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet0/11
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet0/12
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet0/13
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet0/14
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet0/15
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet0/16
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet0/17
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet0/18
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet0/19
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet0/20
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet0/21
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet0/22
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet0/23
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet0/24
switchport trunk encapsulation dot1q
switchport mode access
!
interface GigabitEthernet0/25
!
interface GigabitEthernet0/26
!
interface GigabitEthernet0/27
!
interface GigabitEthernet0/28
!
interface Vlan1
ip address 192.168.10.253 255.255.255.0
!
interface Vlan20
ip address 192.168.20.254 255.255.255.0
!
interface Vlan30
ip address 192.168.30.254 255.255.255.0
!
interface Vlan40
ip address 192.168.40.254 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.10.254
ip http server
!
!
control-plane
!
!
line con 0
line vty 0 4
password 7 111A00161816090F
login
line vty 5 15
password 7 111A00161816090F
login
!
end

Geruco_CoreSW#

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Blue

Re: host in vlan 20, 30, 40, cannot access to internet... telnet

Not sure exactly what can ping - do you mean the firewall?

Anyway you have this acl applied to your inside interface on the firewall -

access-list Internal_access_in extended permit ip 192.168.10.0 255.255.255.0 any

i.e. vlan 20, 30 & 40 are not allowed. You need to add their subnets as well.

Jon
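The gap Jon points out can be checked mechanically: the ACL bound inbound on the ASA's inside interface is a whitelist of source networks, so every subnet the ASA routes towards inside must appear in it. The script below is an added example (not from the thread or from Cisco); it parses the relevant lines of the posted ASA config, which are embedded here as a constructed excerpt, and lists the routed inside subnets the inside ACL does not permit, before and after the three missing entries are added. It assumes only `permit ip <src> any` entries count as internet access.

```python
import ipaddress
import re

# Constructed excerpt of the ASA config posted in the thread (only the lines the check needs).
ASA_CONFIG = """\
access-list Internal_access_in extended permit ip 192.168.10.0 255.255.255.0 any
access-list External_access_in extended permit ip any 192.168.10.0 255.255.255.0
access-group Internal_access_in in interface inside
access-group External_access_in in interface outside
route inside 192.168.20.0 255.255.255.0 192.168.10.254 1
route inside 192.168.30.0 255.255.255.0 192.168.10.254 1
route inside 192.168.40.0 255.255.255.0 192.168.10.254 1
"""

# The fix Jon describes: permit the three routed VLAN subnets on the inside ACL.
FIXED_LINES = """\
access-list Internal_access_in extended permit ip 192.168.20.0 255.255.255.0 any
access-list Internal_access_in extended permit ip 192.168.30.0 255.255.255.0 any
access-list Internal_access_in extended permit ip 192.168.40.0 255.255.255.0 any
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (any|\S+ \S+) any$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) \S+")


def _net(token):
    """Turn an ASA source token ('any' or 'net mask') into an ip_network."""
    return ipaddress.ip_network("0.0.0.0/0" if token == "any" else token.replace(" ", "/"))


def permitted_sources(config, nameif="inside"):
    """Source networks permitted 'to any' by the ACL applied inbound on the given interface."""
    acls, bound = {}, None
    for line in config.splitlines():
        g = GROUP_RE.match(line)
        if g and g.group(2) == nameif:
            bound = g.group(1)
        a = ACL_RE.match(line)
        if a:
            acls.setdefault(a.group(1), []).append(_net(a.group(2)))
    return acls.get(bound, [])


def routed_subnets(config, nameif="inside"):
    """Networks reached via static routes pointing out of the given interface."""
    return [ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
            for m in map(ROUTE_RE.match, config.splitlines()) if m and m.group(1) == nameif]


def uncovered_subnets(config, nameif="inside"):
    """Routed subnets behind nameif whose hosts the inbound ACL would drop (no matching permit)."""
    allowed = permitted_sources(config, nameif)
    return [str(n) for n in routed_subnets(config, nameif) if not any(n.subnet_of(p) for p in allowed)]


if __name__ == "__main__":
    print("not permitted by inside ACL:", uncovered_subnets(ASA_CONFIG))
    print("after adding the three entries:", uncovered_subnets(ASA_CONFIG + FIXED_LINES))
```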

4 REPLIES

Re: host in vlan 20, 30, 40, cannot access to internet... telnet

Hi, Ray

You can use the packet-tracer utility to resolve this

VRG-ASA5505# packet-tra in in tcp 192.168.20.22 2222 1.1.1.1 80

and

Is there "nat-control"?

Regards, Vladimir

New Member

Re: host in vlan 20, 30, 40, cannot access to internet... telnet

Hello Vladimir and Jon,

I just added the acl to all of my vlan and it works like a charm.

Thanks,

Hall of Fame Super Blue

Re: host in vlan 20, 30, 40, cannot access to internet... telnet

No problem, glad you got it working,

Jon
