Unable to have access to the internet from VLAN network

statio
Level 1

Hi everyone,

I need your help

The network scenario is as follows:
We have three different internal LAN networks which host user computers and other IT
infrastructure (servers, network printers, etc.).
We want to separate the three internal LANs using an ASA firewall (either ASA5500 or the new
ASA5500-X models will work fine). The three internal LANs will be connected on the same
switch and separated at Layer 2 level with three VLANs on the switch.
The ASA firewall will provide internet access to all internal LANs. Also, the ASA will act as
DHCP server for each internal LAN, assigning the required IP addresses for each LAN subnet
using a different DHCP scope for each one.
Also, we will use a single physical interface of the ASA to accommodate the three internal
network security zones ("inside1", "inside2", "inside3").
Thus, we need to configure sub-interfaces on a physical interface of the ASA which will be
connected to a trunk port of the internal switch. Each sub-interface of the ASA will act as the
default gateway for its corresponding internal LAN subnet.
 
I have two issues:

1. From the internal LAN subnets, I wasn't able to get internet.
2. I'm not able to access from inside1 to inside2, or from inside2 to inside3.

My ASA config:
 

ASA Version 9.6(4)41
!
hostname ciscoasa

names

!
interface GigabitEthernet1/1
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/1.1
vlan 10
nameif inside1
security-level 100
ip address 192.168.10.254 255.255.255.0
!
interface GigabitEthernet1/1.2
vlan 20
nameif inside2
security-level 100
ip address 192.168.20.254 255.255.255.0
!
interface GigabitEthernet1/1.3
vlan 30
nameif inside3
security-level 100
ip address 192.168.30.254 255.255.255.0
!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
nameif outside
security-level 0
ip address 192.168.1.8 255.255.255.0
!
interface Management1/1
management-only
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
object network inside1_lan
subnet 192.168.10.0 255.255.255.0
object network inside2_lan
subnet 192.168.20.0 255.255.255.0
object network inside3_lan
subnet 192.168.30.0 255.255.255.0
access-list out extended permit icmp any any
pager lines 1000
mtu inside1 1500
mtu inside2 1500
mtu inside3 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network inside1_lan
nat (inside3,outside) dynamic interface
access-group out in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.10.0 255.255.255.0 inside1
ssh 192.168.20.0 255.255.255.0 inside2
ssh 192.168.1.0 255.255.255.0 outside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd dns 8.8.8.8
!
dhcpd address 192.168.10.10-192.168.10.100 inside1
dhcpd enable inside1
!
dhcpd address 192.168.20.10-192.168.20.100 inside2
dhcpd enable inside2
!
dhcpd address 192.168.30.10-192.168.30.100 inside3
dhcpd enable inside3
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy

!
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily

: end

Switch 3750X config:

Building configuration...

Current configuration : 2387 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
!
!
!
no aaa new-model
switch 1 provision ws-c3750g-24ts
system mtu routing 1500
!
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
interface GigabitEthernet1/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/2
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/3
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/4
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/5
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/6
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/7
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/0/8
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/0/9
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/0/10
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/0/11
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/0/12
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/0/13
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/0/14
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/0/15
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/0/16
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/0/17
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/0/18
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
no ip address
!
ip classless
ip http server
ip http secure-server
!
!
!
line con 0
line vty 5 15
!

 

Cordially
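The two symptoms map to two places in the posted ASA config. The only NAT rule sits under `object network inside1_lan` but is written as `nat (inside3,outside)`, so it only matches 192.168.10.0/24 sources arriving on inside3, which never happens; inside2 and inside3 have no NAT rule at all, so no inside subnet is ever translated to the outside address and internet access fails for all three. Separately, all three sub-interfaces carry security-level 100, and the ASA does not forward traffic between two interfaces of equal security level unless `same-security-traffic permit inter-interface` is configured. The fragment below is an added example written for this page, not the original poster's configuration or Cisco's own; it assumes the interface names, subnets and ASA 9.6 syntax from the post.

```text
! Allow routing between interfaces that share security-level 100
same-security-traffic permit inter-interface
!
! Remove the mis-scoped rule, then give each inside subnet its own
! NAT rule keyed on the interface the traffic actually enters
object network inside1_lan
 subnet 192.168.10.0 255.255.255.0
 no nat (inside3,outside) dynamic interface
 nat (inside1,outside) dynamic interface
object network inside2_lan
 subnet 192.168.20.0 255.255.255.0
 nat (inside2,outside) dynamic interface
object network inside3_lan
 subnet 192.168.30.0 255.255.255.0
 nat (inside3,outside) dynamic interface
!
! Verification (run from enable mode, not part of the config):
!   show nat
!   packet-tracer input inside1 tcp 192.168.10.10 12345 8.8.8.8 53
!   packet-tracer input inside1 tcp 192.168.10.10 12345 192.168.20.10 445
```

`show nat` should list three rules with the correct ingress interface, and each `packet-tracer` run should end in `Action: allow` with, for the internet case, a NAT phase translating to the outside address. Note that `same-security-traffic permit inter-interface` opens all three zones to each other in both directions; if the point of separating them is to restrict what users can reach, follow it with an access-list on each inside interface that permits only the needed flows (for example, workstations to printers and servers) and denies the rest. The existing `access-list out` on the outside interface only permits ICMP inbound, which is fine for stateful return traffic. Two settings already in the posted config are worth revisiting while there: `ssh 192.168.1.0 255.255.255.0 outside` exposes management on the outside interface, and `ssh key-exchange group dh-group1-sha1` selects a key-exchange group that is considered weak.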
