topic Re: Cisco switch 3560 cannot get internet from ASA 5505 in Network Security

Cisco switch 3560 cannot get internet from ASA 5505

phugiay — Tue, 29 Nov 2022 19:42:23 GMT

Hi all,
I am new for Cisco and try to set a new ASA 5505 and switch 3560. I can make the internet work from my Comcast to ASA 5505 to my laptop with DHCP from ASA. However, my switch cannot get to the internet from ASA. From switch, I can ping the ip port from ASA and also from ASA but no internet. The switch gets the DHCP from Windows server with VLAN10 and the port that connect to ASA is VLAN 20. I want to make sure it works before I can do other configuration. Thank you for all your help

Re: Cisco switch 3560 cannot get internet from ASA 5505

balaji.bandi — Tue, 08 Nov 2022 18:45:57 GMT

You have not provided the some information - to get clarity

when you connected the laptop ( what interface you connected on ASA, what IP address you used on the laptop)

after testing- what port was ASA used to connect to switch?

some reference :

https://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/int5505.html

Re: Cisco switch 3560 cannot get internet from ASA 5505

phugiay — Tue, 08 Nov 2022 19:48:53 GMT

Hi Bandi,

Thank you for quick response. I use Vlan15 from port 3 when I connect from ASA to my laptop. They get the DHCP from ASA and I can get to internet without any problem.

------ASA-----

interface Ethernet0/3 -> port connect to switch
switchport access vlan 15

interface Vlan15
nameif VPHAM
security-level 100
ip address 172.168.10.1 255.255.255.0

dhcpd address 172.168.10.100-172.168.10.100 VPHAM
dhcpd dns 8.8.8.8 interface VPHAM
dhcpd enable VPHAM

----switch

interface GigabitEthernet0/2 -> Connect to ASA
switchport access vlan 20
switchport trunk allowed vlan 1,10,20

interface Vlan20
ip address 172.168.10.3 255.255.255.0

From switch, I can ping 172.168.10.1 and 172.168.10.3 and also from ASA but if I connect my laptop to switch, I cannot ping those IPs. I hope that make sense.

Thank you

Re: Cisco switch 3560 cannot get internet from ASA 5505

balaji.bandi — Tue, 08 Nov 2022 20:29:21 GMT

what port laptop connected ? did Laptop got IP address ( ipconfig /all - give you IP address)

looking at switch config, (other than 1 or 2 trunk port belong to vlan 20) rest all not have any access vlan 20 config on the interface ?

if you looking to get IP from ASA :

interface Vlan20
ip address 172.168.10.3 255.255.255.0

ip helper-address 172.168.10.1

and one of the port should be as below config for the Laptop to work :

interface GigabitEthernetx/x
switchport access vlan 20
switchport mode access

no shutdown

Re: Cisco switch 3560 cannot get internet from ASA 5505

MHM Cisco World — Tue, 08 Nov 2022 20:36:50 GMT

I see ASA have VLAN 15 but where the config of VLAN 15 ? may be you meaning VLAN25 ?

Re: Cisco switch 3560 cannot get internet from ASA 5505

phugiay — Tue, 08 Nov 2022 21:22:57 GMT

Hi MHM,

There is vlan 15 in ASA I post above. I want to make sure the internet work first before I jump to other Vlan.

Thank you

interface Vlan15
nameif VPHAM
security-level 100
ip address 172.168.10.1 255.255.255.0
!

-----------------------------ASA 5505 ------------------

ciscoasa# show config
: Saved
:
: Serial Number: XXXX
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
: Written by enable_15 at 12:19:05.212 PST Sun Nov 6 2022
!
ASA Version 9.1(7)
!
hostname ciscoasa
domain-name testXXXXX
enable password XXXXX encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names

ip local pool vpn-pool xxxx.200 mask 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 15
!
interface Ethernet0/2
switchport access vlan 15
!
interface Ethernet0/3
switchport access vlan 15
!
interface Ethernet0/4
switchport access vlan 12
!
interface Ethernet0/5
switchport access vlan 15
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.33.20.3 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan12
nameif Wireless-guest
security-level 10
ip address 10.33.13.1 255.255.255.0
!
interface Vlan15
nameif VPHAM
security-level 100
ip address 172.168.10.1 255.255.255.0
!
boot system disk0:/asa917-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 10.33.10.50
domain-name XXXXX.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object network VPHAM
subnet 172.168.10.0 255.255.255.0
object network obj-192.168.10.0
subnet 192.168.10.0 255.255.255.0
object network LAN
object-group service RDP tcp
description for SIP
port-object eq 3389
object-group service rtp udp
description REal time for SIP
port-object range 1000 10500
object-group service DM_INLINE_UDP_1 udp
group-object rtp
port-object eq sip
object-group network XXXXX
network-object XXXXX 255.255.255.0
network-object XXXXXX255.255.255.0
network-object object XXXXX
object-group network Forefront-Servers
description AV servers at microsoft
network-object object forefront-2
network-object object forefront-1
network-object object forefront-3
network-object object forefront-7
network-object object forefront-9
network-object object forefront-8
network-object object forefront-10
network-object object forefront-11
network-object object forefront-12
network-object object forefront-13
network-object object forefront-4
network-object object forefront-5
network-object object forefront-6
object-group network DM_INLINE_NETWORK_2
network-object XXXXX 255.255.255.0
network-object host XXXXXX

access-list inside_access_in extended permit icmp any4 any4
access-list inside_access_in extended permit ip any4 any4
access-list inside_access_in extended permit ip host 192.0.0.0 any
access-list inside_access_in extended permit ip 192.0.0.0 255.0.0.0 any
access-list XXXXX_splitTunnelAcl standard permit XXXXXXX 255.255.0.0
access-list voice_access_in extended permit ip any4 any4
access-list voice_access_in extended permit icmp any4 any4
access-list Wireless-guest_access_in extended permit icmp any4 any4

access-list outside_access_in extended permit icmp any4 any4

pager lines 24
logging enable
logging timestamp
logging asdm-buffer-size 500
logging asdm informational
logging flash-bufferwrap
mtu inside 1500
mtu outside 1500
mtu Wireless-guest 1500
mtu VPHAM 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-752-153.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected

object network VPHAM
nat (VPHAM,outside) dynamic interface
object network obj-192.168.10.0
nat (inside,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group Wireless-guest_access_in in interface Wireless-guest
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
route inside 192.168.10.0 255.255.255.0 172.168.10.3 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.33.10.50
key *****
radius-common-pw R@dius
user-identity default-domain LOCAL
nac-policy site2site-nac-framework-create nac-framework
reval-period 36000
sq-period 300
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
sla monitor 1
type echo protocol ipIcmpEcho XXXX interface outside
frequency 5
sla monitor schedule 1 life forever start-time now
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer XXXXXXX
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint XXXX-onsite
enrollment self
crl configure
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 201
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside

dhcpd address 172.168.10.100-172.168.10.100 VPHAM
dhcpd dns 8.8.8.8 interface VPHAM
dhcpd enable VPHAM
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

webvpn
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-dart-win-2.5.3055-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-2.5.3055-k9.pkg 2
anyconnect image disk0:/sslclient-win-1.1.0.154.pkg 3
anyconnect enable
tunnel-group-list enable
cache
disable
group-policy ssl-cal-ssf internal
group-policy ssl-cal-ssf attributes
banner none
wins-server none
dns-server value 10.33.10.10
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
ipv6-vpn-filter none
vpn-tunnel-protocol ssl-client ssl-clientless
group-lock none
split-tunnel-policy tunnelspecified
split-tunnel-network-list value XXXX_splitTunnelAcl
default-domain value XXXXX.com
split-dns value XXXXX.com
vlan none
nac-settings none
address-pools none
ipv6-address-pools none
smartcard-removal-disconnect enable
webvpn
url-list none
filter none
anyconnect ask enable default anyconnect
group-policy XXXXX internal
group-policy XXXXXX attributes
dns-server value XXXXXX XXXXX
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value XXXXX_splitTunnelAcl
default-domain value XXXX.com
split-dns value XXXX.com
address-pools value vpn-pool
group-policy users internal
group-policy users attributes
dns-server value XXXXX
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value XXXX_splitTunnelAcl
default-domain value XXXX.com
split-dns value XXXX.com
address-pools value vpn-pool
group-policy site2site internal
group-policy site2site attributes
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-tunnel-protocol l2tp-ipsec
ip-comp disable
re-xauth disable
group-lock none
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout none
ip-phone-bypass disable
leap-bypass disable
nem disable
nac-settings value site2site-nac-framework-create
address-pools none
smartcard-removal-disconnect enable
client-firewall none
group-policy any-gp internal
group-policy any-gp attributes
dns-server value XXXXXX
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value XXXX
default-domain value calithera.com
split-dns value XXXX.com
webvpn
anyconnect ssl dtls enable
anyconnect mtu 1406
anyconnect keep-installer installed
anyconnect ssl keepalive 20
anyconnect ssl compression none
anyconnect ssl df-bit-ignore disable
anyconnect routing-filtering-ignore disable
username administrator password nbRyFH1UC.tq1qxD encrypted privilege 15
username administrator attributes
vpn-group-policy XXXXX

tunnel-group XXXXX type remote-access
tunnel-group XXXXXX general-attributes
address-pool vpn-pool
default-group-policy XXXXXX
tunnel-group XXXXX ipsec-attributes
ikev1 pre-shared-key *****

ikev1 pre-shared-key *****
chain
tunnel-group users type remote-access
tunnel-group users general-attributes
address-pool vpn-pool
authentication-server-group RADIUS
default-group-policy users
tunnel-group users ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group any-ssl type remote-access
tunnel-group any-ssl general-attributes
address-pool vpn-pool
authentication-server-group RADIUS LOCAL
default-group-policy any-gp
tunnel-group any-ssl webvpn-attributes
group-alias Anyconnect enable

ikev1 pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4e5ad507be2d97ab1195823b9f8b9d9a

Re: Cisco switch 3560 cannot get internet from ASA 5505

phugiay — Tue, 08 Nov 2022 21:33:57 GMT

From ASA Port 0/3 and I set up DHCP and if I connect straight to the laptop, the laptop gets the IP 172.168.10.100 and it has internet.

dhcpd address 172.168.10.100-172.168.10.200 VPHAM
dhcpd dns 8.8.8.8 interface VPHAM
dhcpd enable VPHAM

However, if I connect ASA port 0/ 3 to switch port # 0/2 (Vlan20 and it is only port belong to Vlan20), nothing happen because the rest of switch is vlan 10 and 12 and I use switchport trunk allowed vlan 1,10,20 to talk each other. May be I am wrong?

Re: Cisco switch 3560 cannot get internet from ASA 5505

phugiay — Tue, 08 Nov 2022 21:44:56 GMT

I still figure out from ASA connect to switch port 0/2 vlan 20(only this port is vlan20), how internet go to Vlan10,12 ?

I connect the laptop to vlan10,12, the laptop will get the IP from DHCP server 192.168.10.100.. I can ping the servers and the server can ping the laptop but no internet or cannot ping the port 0/2 vlan 20 . I think I miss something here.

interface GigabitEthernet0/2 -> Connect to ASA port
switchport access vlan 20
switchport trunk allowed vlan 1,10,20

interface Vlan20
ip address 172.168.10.3 255.255.255.0
!

interface Vlan10
ip address 192.168.10.1 255.255.255.0
!
interface Vlan12
ip address 10.33.12.1 255.255.255.0
ip helper-address 10.33.10.10
ip helper-address 192.168.10.10
!

Re: Cisco switch 3560 cannot get internet from ASA 5505

MHM Cisco World — Tue, 08 Nov 2022 21:56:12 GMT

sorry if I am not clear, I am asking where the config of VLAN15 in SW no in ASA ?

for the interconnect between VLAN through ASA you need
same security traffic permit inter/inter-interface

for internet you need
nat (inside,outside) dynamic any interface

nat (Wireless-guest,outside) dynamic any interface

nat (VPHAM,outside) dynamic any interface

one dynamic NAT for each VLAN.

Re: Cisco switch 3560 cannot get internet from ASA 5505

MHM Cisco World — Tue, 08 Nov 2022 22:00:01 GMT

for the routing which I think is big issue here, you config VLAN in ASA that reach via other VLAN to L3SW ??
can you draw topology?

Re: Cisco switch 3560 cannot get internet from ASA 5505

phugiay — Tue, 08 Nov 2022 22:50:28 GMT

Hi MHM,

Thank you for quick response. There is no VLAN15 in switch. From ASA port 0/3 Vlan 15 to switch port 0/2 vlan 20.

1. Do they have to be the same vlan for both ASA and switch?

Re: Cisco switch 3560 cannot get internet from ASA 5505

phugiay — Tue, 08 Nov 2022 23:21:57 GMT

Hi MHH,

Here it is. I still figure out how connect internet from ASA to switch. I will configure Wifi with another switch.

Thank you

Re: Cisco switch 3560 cannot get internet from ASA 5505

MHM Cisco World — Tue, 08 Nov 2022 23:32:03 GMT

Sure yes, otherwise the tag make traffic drop

Re: Cisco switch 3560 cannot get internet from ASA 5505

phugiay — Wed, 09 Nov 2022 20:29:58 GMT

Thank you so much. Admin just removed me from spam

Re: Cisco switch 3560 cannot get internet from ASA 5505

phugiay — Sat, 19 Nov 2022 21:08:46 GMT

Thank you so much. Finally I made it works.

Re: Cisco switch 3560 cannot get internet from ASA 5505

phugiay — Sat, 19 Nov 2022 21:09:38 GMT

Thank you so much for point out the same vlan 15 for both ASA and switch. It works. Thank you.