New Member

Network and Internet access for new VLAN

Good morning!

I’m a little stumped as to why this isn’t working… That's probably because I'm not too savvy when it comes to router configs!


Basically, I have a network which has a LAN and a DMZ. Everything on my network works correctly and communications between switches, router, Internet and other internal resources flow correctly. The only thing I’m having a problem with is VLAN4…

I need to isolate a few servers and users from the LAN so I created VLAN4 on the switch. I assigned it an IP address in a different subnet and assigned ports to the VLAN. Port forwarding is configured on the switch.

For testing purposes, before this goes live, I connected a computer directly to one of the switch ports (Gi4/5) and assigned it a static IP in that subnet, the gateway being the VLAN IP. I can ping the VLAN IP but I can’t ping the router or get to the Internet…

The switch can ping 10.165.11.1 (ASA).

The ASA can ping 10.165.11.2 (switch) but it can’t ping 10.165.13.2 (VLAN4).

The ASA e0/1 is connected to switchport Gi2/20 which doesn’t have any specific config, just the default settings shown below:

Name: Gi2/20

Switchport: Enabled

Administrative Mode: dynamic auto

Operational Mode: static access

Administrative Trunking Encapsulation: dot1q

Operational Trunking Encapsulation: native

Negotiation of Trunking: On

Access Mode VLAN: 1 (default)

Trunking Native Mode VLAN: 1 (default)

Administrative Native VLAN tagging: enabled

Voice VLAN: none

Administrative private-vlan host-association: none

Administrative private-vlan mapping: none

Administrative private-vlan trunk native VLAN: none

Administrative private-vlan trunk Native VLAN tagging: enabled

Administrative private-vlan trunk encapsulation: dot1q

Administrative private-vlan trunk normal VLANs: none

Administrative private-vlan trunk associations: none

Administrative private-vlan trunk mappings: none

Operational private-vlan: none

Trunking VLANs Enabled: ALL

Pruning VLANs Enabled: 2-1001

Capture Mode Disabled

Capture VLANs Allowed: ALL


The 1st step is to get Internet access. The next step will be to allow access to the Exchange server on the LAN.

There are many devices not shown on the diagram but the important ones are there…

I'd appreciate any help in getting this straight! Thanks

ASA and switch configs below (removed irrelevant info):

ASA Version 8.2(3)
!
names
name 10.165.10.6 edge description Edge server
name 10.165.11.15 hub description Hub server
name 204.xxx.xxx.21 mail-outside description Edge public
name 204.xxx.xxx.18 A-204.xxx.xxx.18 description ASA public
name 204.xxx.xxx.17 A-204.xxx.xxx.17 description Telco modem
name 10.165.13.0 purch-network description Purchasing VLAN
!
interface Ethernet0/0
nameif outside
security-level 0
ip address A-204.xxx.xxx.18 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.165.11.1 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 70
ip address 10.165.10.1 255.255.255.0
!
interface Ethernet0/3
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup dmz
dns domain-lookup management
same-security-traffic permit inter-interface
object-group service DM_INLINE_TCP_5 tcp
port-object eq www
port-object eq https
access-list outside_access_in extended permit tcp any host mail-outside eq smtp
access-list dmz_access_in extended permit tcp host edge any eq smtp
access-list inside_access_in_1 remark Implicit rule: Permit all traffic to less secure networks
access-list inside_access_in_1 extended permit ip any any
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
mtu purch 1500
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (dmz) 1 10.165.10.50-10.165.10.220 netmask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (dmz,outside) mail-outside edge netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in_1 in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 A-204.xxx.xxx.17 1

route inside purch-network 255.255.255.0 10.165.11.1 1
class-map inspection_default
match default-inspection-traffic
: end


version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime
no service password-encryption
service compress-config
service sequence-numbers
!
hostname ABC
!
boot-start-marker
boot system flash bootflash:cat4500e-ipbasek9-mz.122-52.SG.bin
boot-end-marker
!
clock timezone EST -5
clock summer-time EDT recurring
ip subnet-zero
ip domain-name something.org
ip name-server 10.165.11.13
ip name-server 10.165.11.6
!
!
vtp domain something.org
vtp mode transparent
cluster run
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 2
name OUT
!
vlan 3
name DMZ
!
vlan 4
name Purch
!
interface FastEthernet1
ip vrf forwarding mgmtVrf
no ip address
speed auto
duplex auto
!
interface GigabitEthernet2/20
description ASA LAN
!
interface GigabitEthernet4/5
description purch
switchport access vlan 4
switchport mode access
!
interface Vlan1
ip address 10.165.11.2 255.255.255.0
!
interface Vlan2
no ip address
shutdown
!
interface Vlan4
ip address 10.165.13.2 255.255.255.0
!
ip default-gateway 10.165.11.1
ip route 0.0.0.0 0.0.0.0 10.165.11.1
ip http server
ip http authentication local
no ip http secure-server
!
end

17 REPLIES
VIP Purple

Re: Network and Internet access for new VLAN

Your route on the ASA is pointing to itself instead to the switch:

interface Ethernet0/1
nameif inside
security-level 100
ip address 10.165.11.1 255.255.255.0
!
route inside purch-network 255.255.255.0 10.165.11.1 1

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni


New Member

Re: Network and Internet access for new VLAN

Thanks!

So what should the route be?

I tried with

route inside purch-network 255.255.255.0 10.165.11.2 1

and

route inside purch-network 255.255.255.0 10.165.13.2 1

Still can't ping to the outside world...

If I do an IP packet trace with any of those routes from 10.165.13.10 to 8.8.8.8, I get the following error message:

nat (inside) 1 0.0.0.0 0.0.0.0
nat-control
match ip inside any outside any
dynamic translation to pool 1 (A-204.xxx.xxx.18 [Interface PAT])

If I do a TCP packet trace from 10.165.13.10:1000 to 74.125.134.147:80, the packets are allowed...

VIP Purple

Re: Network and Internet access for new VLAN

The route has to use a reachable next-hop. So you only need the route

route inside purch-network 255.255.255.0 10.165.11.2 1

but not

route inside purch-network 255.255.255.0 10.165.13.2 1

If I do an IP packet trace with any of those routes from 10.165.13.10 to 8.8.8.8, I get the following error message:

nat (inside) 1 0.0.0.0 0.0.0.0
nat-control
match ip inside any outside any
dynamic translation to pool 1 (A-204.xxx.xxx.18 [Interface PAT])

That's not an error message, just information that the translation was built.

If I do a TCP packet trace from 10.165.13.10:1000 to 74.125.134.147:80, the packets are allowed..

So you can communicate with TCP but not with ICMP? The reason for that could be that you don't have any inspections enabled on the ASA.

For that you need the following (this is the ASA default, plus ICMP enabled):

policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni


New Member

Re: Network and Internet access for new VLAN

I changed the route to

route inside purch-network 255.255.255.0 10.165.11.2 1

I still can't get to the outside world (either by URL, IP or ping) from the computer connected to Gi4/5.

The ASA can't get to the Gi4/5 switchport either.

Packet trace results (Inside interface - Type IP):

10.165.11.1 --> 10.165.13.2 = Flow is denied by configured rule (inside implicit rule)

10.165.13.10 --> 10.165.11.1 = Flow is denied by configured rule (inside implicit rule)

The Syslog shows the following messages (syslog ID 106007):

Deny inbound UDP from 8.8.8.8/53 to 10.165.13.10/56964 due to DNS Response

I have all of the inspections enabled except for the h323 ones. That shouldn't be a problem since we're not dealing with voice packets...

VIP Purple

Re: Network and Internet access for new VLAN

What are your actual routes on the ASA? Please post the following output:

sh run route

On the ASA you have a configuration for NAT exemption:

nat (inside) 0 access-list inside_nat0_outbound

but the referenced ACL is not in your config above. Please post that ACL or remove the nat-statement if not needed.

And post the result of the following command:

packet-tracer input inside tcp 10.165.13.10 1234 1.2.3.4 80

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni


New Member

Re: Network and Internet access for new VLAN

Here's the requested info:

asa# sh run route

route outside 0.0.0.0 0.0.0.0 A-204.xxx.xxx.17 1

route inside purch-network 255.255.255.0 10.165.11.2 1

I’ve removed the inside_nat0_outbound NAT-Exemption which was probably leftover from some other configuration attempt…

asa# packet-tracer input inside tcp 10.165.13.10 1234 1.2.3.4 8

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in_1 in interface inside
access-list inside_access_in_1 extended permit ip any any
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
nat-control
match ip inside any outside any
   dynamic translation to pool 1 (A-204.xxx.xxx.18 [Interface PAT])
   translate_hits = 417777, untranslate_hits = 40159
Additional Information:
Dynamic translate 10.165.13.10/1234 to A-204.xxx.xxx.18/15391 using netmask 255.255.255.255

Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
nat-control
match ip inside any outside any
   dynamic translation to pool 1 (A-204.xxx.xxx.18 [Interface PAT])
   translate_hits = 417777, untranslate_hits = 40159
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 643746, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

VIP Purple

Re: Network and Internet access for new VLAN

The ASA would allow that traffic.

Can the Servers reach systems in other subnets?

Can the Server ping the ASA inside IP?

Can the Switch ping the ASA inside IP?

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni


New Member

Re: Network and Internet access for new VLAN

For now, I only have one computer on the 10.165.13.0 subnet which is the 10.165.13.10 one.

Ping results:

10.165.13.10 --> 10.165.13.2 – OK
10.165.13.10 --> 10.165.11.1 – Timed out
10.165.13.10 --> 10.165.10.1 – Timed out

asa# ping 10.165.13.2
Success rate is 0 percent (0/5)

switch# ping 10.165.11.1
Success rate is 100 percent (5/5)

switch# ping 10.165.13.2
Success rate is 100 percent (5/5)

switch# ping 10.165.13.10
Success rate is 0 percent (0/5)

New Member

Re: Network and Internet access for new VLAN

Anything else to try?

Network and Internet access for new VLAN

Hello,

Could you post the output of "show ip route" from the switch?

andy

New Member

Re: Network and Internet access for new VLAN

VLAN10 shown below is not of any concern here...

switch#sh ip route
Gateway of last resort is 10.165.11.1 to network

     10.0.0.0/24 is subnetted, 3 subnets
C       10.165.13.0 is directly connected, Vlan4
C       10.165.12.0 is directly connected, Vlan10
C       10.165.11.0 is directly connected, Vlan1
S*   0.0.0.0/0 [1/0] via 10.165.11.1

Network and Internet access for new VLAN

Hello. Has this config always been on an ASA, or has it been migrated from a PIX? If so, you could try the following:

no route inside purch-network 255.255.255.0 10.165.11.2 1
no name 10.165.13.0 purch-network description Purchasing VLAN
route inside 10.165.13.0 255.255.255.0 10.165.11.2 1

hth

andy

New Member

Network and Internet access for new VLAN

Are you doing any layer 3 stuff on the 3560? I'm wondering why you have SVIs on there. If so, can you post the show run and show ip route for the 3560?

Network and Internet access for new VLAN

Hello Dave,

But I mean the interface connected to the ASA is a trunk, so you should use sub-interfaces on the ASA so it can work with the trunk link (802.1Q):

interface Ethernet0/1
nameif inside
no ip add
!
interface Ethernet0/1.4
nameif Vlan4
ip address 10.165.13.1 255.255.255.0
security-level 100
no shut
!
nat (Vlan4) 1 0 0

Let me know how it goes

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
New Member

Re: Network and Internet access for new VLAN

Thanks for the suggestions!

@andrewswanson

I had a PIX 515 in place before the ASA but I didn’t do a migration. I configured the ASA from scratch. Being that I’m not too proficient with ASAs, and I was on a tight schedule during Christmas break, there are probably some configuration mistakes that could be corrected. Globally, things are working fine for now so I’d prefer not to “break” anything. If something needs to be done that won’t disrupt anyone’s connectivity, I’m all for it…

I did what you suggested but I still can’t get to the outside world from VLAN4.

@Robert Rivera

I have a wireless network with guest access on a separate VLAN. The access points serve the internal users with Radius authentication (VLAN1) as well as the guests for Internet access via a ZeroShell captive portal (VLAN10). 2 of the access points are connected to the 3560.

For now, the 3560 is not part of the problem yet, but it will probably be when it comes time to see about clients on VLAN4 getting access to the Exchange server in VLAN1.

Nevertheless, here’s the switch config and route info:

switch2#sh run
Current configuration : 4987 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime
no service password-encryption
service sequence-numbers
!
hostname switch2
!
no aaa new-model
clock timezone UTC -5
clock summer-time UTC recurring
system mtu routing 1500
vtp domain fdresa.org
vtp mode transparent
authentication mac-move permit
ip subnet-zero
ip domain-name something.org
!
spanning-tree mode pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 4
name Purch
!
vlan 10
name GuestNet
!
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,4,10
switchport mode trunk
!
interface GigabitEthernet0/47
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10
switchport mode trunk
!
interface GigabitEthernet0/48
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10
switchport mode trunk
!
interface GigabitEthernet0/51
switchport access vlan 4
switchport mode access
spanning-tree portfast
!
interface Vlan1
ip address 10.165.11.3 255.255.255.0
!
interface Vlan4
ip address 10.165.13.3 255.255.255.0
!
interface Vlan10
ip address 10.165.12.3 255.255.255.0
!
ip default-gateway 10.165.11.1
ip classless
ip http server
ip http authentication local
ip http secure-server
!
end

switch2#sh ip route
Default gateway is 10.165.11.1

@jcarvaja

I added the sub-interface back to the ASA, made the config changes specified (except for what concerns e0/1) but still no Internet access for VLAN4.

Here’s the latest ASA config and route info:

ASA Version 8.2(3)
!
names
name 10.165.11.13 ad1 description Domain controller
name 10.165.10.6 edge description Edge server
name 10.165.11.15 hub description Hub server
name 204.xxx.xxx.21 mail-outside description Edge public
name 10.165.12.0 wguests-network
name 10.165.12.38 zeroshell description Wireless Captive Portal
name 204.xxx.xxx.17 A-204.xxx.xxx.17 description Telco modem
name 204.xxx.xxx.18 A-204.xxx.xxx.18 description ASA public
!
interface Ethernet0/0
nameif outside
security-level 0
ip address A-204.xxx.xxx.18 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.165.11.1 255.255.255.0
!
interface Ethernet0/1.4
vlan 4
nameif purch
security-level 100
ip address 10.165.13.1 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 70
ip address 10.165.10.1 255.255.255.0
!
interface Ethernet0/3
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup dmz
dns domain-lookup management
same-security-traffic permit inter-interface
object-group service DM_INLINE_TCP_5 tcp
port-object eq www
port-object eq https
access-list outside_access_in extended permit tcp any host mail-outside eq smtp
access-list dmz_access_in extended permit tcp host edge any eq smtp
access-list inside_access_in_1 remark Implicit rule: Permit all traffic to less secure networks
access-list inside_access_in_1 extended permit ip any any
mtu outside 1500
mtu inside 1500
mtu purch 1500
mtu dmz 1500
mtu management 1500
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (dmz) 1 10.165.10.50-10.165.10.220 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (purch) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (dmz,outside) mail-outside edge netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in_1 in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 A-204.xxx.xxx.17 1
route inside wguests-network 255.255.255.0 10.165.11.1 1
route inside 10.165.13.0 255.255.255.0 10.165.11.2 1
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect pptp
inspect icmp
service-policy global_policy global
: end

asa# sh route

Gateway of last resort is A-204.xxx.xxx.17 to network 0.0.0.0

C   A-204.xxx.xxx.16 255.255.255.240 is directly connected, outside
C   10.165.13.0 255.255.255.0 is directly connected, purch
S   wguests-network 255.255.255.0 [1/0] via 10.165.11.1, inside
C   10.165.11.0 255.255.255.0 is directly connected, inside
C   10.165.10.0 255.255.255.0 is directly connected, dmz
S*   0.0.0.0 0.0.0.0 [1/0] via A-204.xxx.xxx.17, outside
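Two points in this thread are mechanical enough to check by script rather than by eye: the first reply's observation that a static route's next hop must be reachable and must not be the ASA's own address, and the later suggestion to put 802.1Q sub-interfaces on the ASA, which only works if the switch port facing it (Gi2/20 in the original post, shown as "Operational Mode: static access") is actually a trunk. The Python below is an added example written for this page, not Cisco tooling and not code from anyone in the thread. It parses only the handful of ASA statements that matter (`name`, `interface`, `nameif`, `vlan`, `ip address`, `route`) plus the `Operational Mode` line of `show interface switchport`. The `ASA_CONFIG` sample is a constructed abridgement of the configs posted above, `SWITCHPORT_OUTPUT` is the single relevant line, and the finding codes (`own-address`, `unreachable-nexthop`, `shadowed-by-connected`, `peer-not-trunk`) are names chosen here, not ASA terminology.

```python
"""Static checks for the routing and VLAN-trunk points raised in this thread.

Added example (not Cisco's code and not any poster's): a minimal parser for
the ASA statements that matter here, with two checks a reviewer would run:

  1. every static route needs a usable next hop: not the firewall's own
     address, and inside the subnet of the interface the route names;
     a static route for a subnet that is also directly connected is
     shadowed by the connected route (administrative distance 0 beats 1);
  2. an 802.1Q sub-interface ('vlan N') only receives tagged frames, so the
     peer switch port must be operating as a trunk carrying that VLAN.
"""
import ipaddress
import re

# Constructed sample, abridged from the configs posted in the thread.
ASA_CONFIG = """\
names
name 10.165.13.0 purch-network description Purchasing VLAN
name 10.165.12.0 wguests-network
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.165.11.1 255.255.255.0
interface Ethernet0/1.4
vlan 4
nameif purch
security-level 100
ip address 10.165.13.1 255.255.255.0
interface Ethernet0/2
nameif dmz
security-level 70
ip address 10.165.10.1 255.255.255.0
route inside purch-network 255.255.255.0 10.165.11.1 1
route inside wguests-network 255.255.255.0 10.165.11.1 1
route inside 10.165.13.0 255.255.255.0 10.165.11.2 1
"""

# Constructed sample: the line from 'show interface switchport' for the port
# facing the ASA. Gi2/20 in the thread shows 'static access'; its admin mode
# 'dynamic auto' never becomes a trunk because an ASA does not negotiate DTP.
SWITCHPORT_OUTPUT = "Operational Mode: static access"


def parse_asa(config):
    """Return (interfaces, routes) from the minimal ASA statement set above."""
    names, interfaces, routes = {}, {}, []
    current = None
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "interface":
            current = {"vlan": None, "nameif": None, "net": None}
            interfaces[t[1]] = current
        elif current is not None and t[0] in ("nameif", "vlan", "ip", "security-level"):
            if t[0] == "nameif":
                current["nameif"] = t[1]
            elif t[0] == "vlan":
                current["vlan"] = int(t[1])
            elif t[:2] == ["ip", "address"]:
                current["net"] = ipaddress.ip_interface(f"{t[2]}/{t[3]}")
        else:
            current = None  # any other statement ends the interface stanza
            if t[0] == "name" and len(t) >= 3:
                names[t[2]] = t[1]  # alias -> address, resolved when parsing 'route'
            elif t[0] == "route" and len(t) >= 5:
                dest = names.get(t[2], t[2])
                gw = names.get(t[4], t[4])
                routes.append({"nameif": t[1],
                               "dest": ipaddress.ip_network(f"{dest}/{t[3]}"),
                               "gw": ipaddress.ip_address(gw)})
    return interfaces, routes


def check_routes(interfaces, routes):
    """Return (code, message) findings for static routes that cannot work as written."""
    findings = []
    addressed = [i for i in interfaces.values() if i["net"] is not None]
    own_addrs = {i["net"].ip for i in addressed}
    for r in routes:
        egress = [i for i in addressed if i["nameif"] == r["nameif"]]
        if r["gw"] in own_addrs:
            findings.append(("own-address",
                             f"route to {r['dest']}: next hop {r['gw']} is the firewall's own address"))
        elif not any(r["gw"] in i["net"].network for i in egress):
            findings.append(("unreachable-nexthop",
                             f"route to {r['dest']}: {r['gw']} is not on the '{r['nameif']}' subnet"))
        for i in addressed:
            if r["dest"].subnet_of(i["net"].network):
                findings.append(("shadowed-by-connected",
                                 f"route to {r['dest']}: subnet is directly connected on "
                                 f"'{i['nameif']}', so the connected route wins and this static is unused"))
    return findings


def check_trunk(interfaces, switchport_output):
    """Flag 802.1Q sub-interfaces whose peer switch port is not operating as a trunk."""
    m = re.search(r"Operational Mode:\s*(.+)", switchport_output)
    mode = m.group(1).strip() if m else "unknown"
    if "trunk" in mode:
        return []
    return [("peer-not-trunk",
             f"{name}: expects frames tagged VLAN {i['vlan']}, but the switch port is '{mode}'")
            for name, i in interfaces.items() if i["vlan"] is not None]


def audit(config=ASA_CONFIG, switchport_output=SWITCHPORT_OUTPUT):
    """Run both checks and return the combined finding list."""
    interfaces, routes = parse_asa(config)
    return check_routes(interfaces, routes) + check_trunk(interfaces, switchport_output)


if __name__ == "__main__":
    for code, message in audit():
        print(f"[{code}] {message}")
```

Run against the sample it reports five findings: the original `purch-network` route and the `wguests-network` route both point at the ASA's own inside address, the two routes for 10.165.13.0/24 are shadowed once that subnet became directly connected on `Ethernet0/1.4`, and that sub-interface expects VLAN 4 tags from a port that is operating in access mode. Feeding it the real `show running-config` and `show interface switchport` output is the intended use; the parser ignores every statement it does not know.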

New Member

Network and Internet access for new VLAN

OK... Let's say I scrap the whole VLAN4 config entries that I've made on the switch and ASA. I'll pretend it never existed and start from scratch!

Exactly what entries should be made on both the switch and ASA so that a computer connected to VLAN4 can:

- access the Internet?

- send and receive email from the Exchange server on the AD LAN?

Thanks

New Member

Network and Internet access for new VLAN

Removed everything that I had done trying to configure this VLAN, both on the ASA and the switch.

Ready to start from scratch!
