
No internet access on new LAN eth0/2

I have an ASA 5510 and just configured eth0/2 as 192.168.200.1 to expand my network.

Eth0/1 is 192.168.100.1.

I enabled bi-directional traffic using the following command:

static (inside,inside-wlan) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

Now I can RDP to a computer on the 192.168.200.0 network, but from that computer I cannot get to the internet or ping the router on the 100.x network (192.168.100.1). I can connect to ALL OTHER COMPUTERS on the "main" network (192.168.100.0), I just can't ping the router on that network or get to the internet.

I tried:

static (inside-wlan,inside) 192.168.200.0 192.168.200.0 netmask 255.255.255.0

...but still no luck.

 

What do I need to do to get internet on eth0/2? Also, what's the name of what I'm trying to do because I am finding it very difficult to search online for what I thought would be commonplace.

 

Enabling internet on eth 0/2 will let me set up all the WAPs on it and free up almost half the scope from iThings, droids, and laptop wifi.

:(

no ip left

Additional info:

ASA Version 8.2(2)
ASDM Version 6.2(1)
Firewall mode: Routed
License: Security Plus

 

Thanks!


Reza Sharifi
Hall of Fame

Since you are using a private IP range, most likely you are NATing the 192.168.100.0/24 network to get to the Internet. You also need to configure 192.168.200.0/24 the same.

What is your NAT config?

Can you post "sh run"?

HTH

 

Hi Reza. That sounds about right. Here's the config:

 

Result of the command: "sh run"

: Saved
:
ASA Version 8.2(2) 
!
hostname ciscoasa
domain-name domain.com
enable 
passwd 
names
!
interface Ethernet0/0
 description from Fiber
 speed 100
 duplex full
 nameif newISP
 security-level 0
 ip address x.x.x.x 255.255.255.248 
!
interface Ethernet0/1
 description inside lan
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0 
!
interface Ethernet0/2
 description inside wlan network
 nameif inside-wlan
 security-level 100
 ip address 192.168.200.1 255.255.255.0 
!
interface Ethernet0/3
 description From oldISP
 speed 100
 shutdown
 nameif oldISP
 security-level 1
 ip address x.x.x.x 255.255.255.248 
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address x.x.x.x 255.255.255.0 
 management-only
!
boot system disk0:/asa822-k8.bin
ftp mode passive
dns domain-lookup newISP
dns domain-lookup inside
dns domain-lookup inside-wlan
dns server-group DefaultDNS
 name-server DHCP-Relay-Server
 name-server 192.168.100.2
 domain-name domain.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 Connection_Profile_0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 10.10.10.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 my_subnet 255.255.255.0 
access-list vpn_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0 
access-list vpn_splitTunnelAcl standard permit Connection_Profile_0 255.255.255.0 
access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 Connection_Profile_0 255.255.255.0 
access-list outside_1_cryptomap extended permit ip 10.10.10.0 255.255.255.0 Connection_Profile_0 255.255.255.0 
access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 my_subnet 255.255.255.0 
pager lines 10
mtu newISP 1500
mtu inside 1500
mtu inside-wlan 1500
mtu management 1500
ip verify reverse-path interface newISP
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
arp timeout 14400
global (newISP) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,inside-wlan) 192.168.100.0 192.168.100.0 netmask 255.255.255.0 
access-group outside_access_in in interface newISP
route newISP 0.0.0.0 0.0.0.0 x.x.x.x 1
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect sip  
  inspect tftp 
  inspect http 
  inspect icmp 
  inspect icmp error 
  inspect ip-options 
!
: end

ok,

static (inside,inside-wlan) 192.168.100.0 192.168.100.0 netmask 255.255.255.0 

The above line is for the 192.168.100.0/24 subnet.

Add the same for the 192.168.200.0/24 subnet.

Also, these statements are only for the 100 subnet; do the same for 200 and test.

access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 Connection_Profile_0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 10.10.10.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 my_subnet 255.255.255.0 
access-list vpn_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0 
access-list vpn_splitTunnelAcl standard permit Connection_Profile_0 255.255.255.0 
access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 Connection_Profile_0 255.255.255.0 
access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 my_subnet 255.255.255.0 

 

Awesome. Would I reverse the interfaces?

i.e. static (inside-wlan,inside) 192.168.200.0 192.168.200.0 netmask 255.255.255.0

-or should it be-

static (inside,inside-wlan) 192.168.200.0 192.168.200.0 netmask 255.255.255.0

Thanks!

 

 

It should look like this:

static (inside,inside-wlan) 192.168.200.0 netmask 255.255.255.0

Hi Reza, I added:

static (inside,inside-wlan) 192.168.200.0 192.168.200.0 netmask 255.255.255.0 

But that didn't do anything. Communication seems to be working fine between the two networks; just can't get out to the internet from 192.168.200.x.

Any ideas? Please be as detailed as possible as I am somewhat new to this. I have read the manual about this but if you're not an expert, it's somewhat difficult to come up with a solution to a specific scenario.

 

Thanks anyone, for any input!

Hellooooooooo? Not another suggestion-and-run!?!?! :( Seems to be a theme on this Cisco support forum. Sigh....

Well, I added:

static (inside-wlan,inside) 192.168.200.0 192.168.200.0 netmask 255.255.255.0

...and still no luck. 

So I've got:

static (inside,inside-wlan) 192.168.100.0 192.168.100.0 netmask 255.255.255.0 
static (inside-wlan,inside) 192.168.200.0 192.168.200.0 netmask 255.255.255.0 

Anyone know how to get internet access for the 200 network? I already have bi-directional communication between 100.x and 200.x networks.

Sincerely,

-Officially lost

 

In case anyone is having the same problem as me, here is the fix:

 

nat (inside-wlan) 1 0.0.0.0 0.0.0.0 

 

...can someone with more points than me mark this as answered?
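The gap that the fix above closes can be checked mechanically. The following is an added example, not part of the original thread: it reads a pre-8.3 ASA configuration and lists the active interfaces that have no `nat (ifname) N` rule whose NAT ID matches a `global` pool on the egress interface. The function name and the trimmed sample config are constructed for illustration, based on the "sh run" output posted earlier.

```python
import re

# Constructed excerpt of the pre-8.3 configuration posted in this thread.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif newISP
 security-level 0
interface Ethernet0/1
 nameif inside
 security-level 100
interface Ethernet0/2
 nameif inside-wlan
 security-level 100
interface Ethernet0/3
 shutdown
 nameif oldISP
 security-level 1
global (newISP) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,inside-wlan) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
"""


def interfaces_without_dynamic_nat(config, egress):
    """Return active interfaces with no 'nat (if) N' rule whose NAT ID N
    matches a 'global (egress) N' pool (hypothetical helper, not a Cisco tool)."""
    active, name, shut = [], None, False
    for line in config.splitlines() + ["!"]:
        if not line.startswith(" "):      # a top-level line closes the interface block
            if name and not shut:
                active.append(name)
            name, shut = None, False
        elif line.strip() == "shutdown":
            shut = True
        elif line.strip().startswith("nameif "):
            name = line.split()[1]
    # NAT IDs that have a translation pool on the egress interface.
    pool_ids = set(re.findall(rf"^global \({re.escape(egress)}\) (\d+) ", config, re.M))
    # Interfaces whose nat rule uses one of those IDs (ID 0 is NAT exemption, never a pool).
    covered = {ifc for ifc, nat_id in re.findall(r"^nat \((\S+)\) (\d+) ", config, re.M)
               if nat_id in pool_ids}
    return [i for i in active if i != egress and i not in covered]


if __name__ == "__main__":
    print(interfaces_without_dynamic_nat(SAMPLE_CONFIG, "newISP"))
```

Run against the posted configuration it reports `inside-wlan`; once the `nat (inside-wlan) 1 0.0.0.0 0.0.0.0` line is present, the list is empty.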
