3 internet lines 2 vlans need to be on another outside line

vlietd
Level 1

Hope there is somebody that can help me, because I'm stuck. I have set the backup back 4 times now, but it is not working.

VLAN40 needs to go out on VLAN997: backup line, ADSL 110 Mb, up and running.

VLAN45 (main server VLAN) needs to be on VLAN998: 500 Mb cable, also running, but in bridge mode.

All the rest needs to stay on VLAN999, also a bridged cable network, 500 Mb.

The VLAN settings on the core switch and main switch are OK, and it was working.

I tried NAT and traffic zones, and the security level is how it needs to be, the same.

VLAN997 also needs to be a backup line if VLAN998 and VLAN999 go down; that was also working.

My trouble began when I added the 997 VLAN.

I can only ping the outside world on VLAN998; the other 2 give no response. If I connect my laptop directly to the routers, all is fine and no troubles with speed or lag.

My backup config, as it is running at the moment.

I set it back in the hope it will work like it was, and just disconnected VLAN997.

At the moment I feel like a donkey running into a rock every single time.

If anyone has an idea, please let me know.

: Serial Number: JAD2042014S
: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.6(1) 
!
hostname ASA5506
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd hVxRMGvjmxCeVxgf encrypted
names
ip local pool SSLClientPool 192.168.100.1-192.168.100.50 mask 255.255.255.0

!
interface GigabitEthernet1/1
 description *** Ziggo2 ***
 mac-address aaaa.bbbb.cccc
 nameif VLAN999
 security-level 0
 ip address dhcp setroute 
 ipv6 enable
!
interface GigabitEthernet1/2
 description *** Ziggo1 ***
 nameif VLAN998
 security-level 2
 ip address dhcp setroute 
!
interface GigabitEthernet1/3
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3.1
 description *** Management ***
 vlan 1
 nameif VLAN1
 security-level 25
 ip address 10.10.50.2 255.255.255.0 
!
interface GigabitEthernet1/3.20
 description *** Office ***
 vlan 20
 nameif VLAN20
 security-level 0
 ip address 10.10.20.2 255.255.255.0 
 policy-route route-map PBR-ZIGGO2
 ipv6 enable
!
interface GigabitEthernet1/3.30
 description *** Wi-Fi ***
 vlan 30
 nameif VLAN30
 security-level 0
 ip address 10.10.30.2 255.255.255.0 
 policy-route route-map PBR-ZIGGO2
!
interface GigabitEthernet1/3.40
 description *** Printer ***
 vlan 40
 nameif VLAN40
 security-level 1
 ip address 10.10.40.2 255.255.255.0 
!
interface GigabitEthernet1/3.45
 description *** Server ***
 vlan 45
 nameif VLAN45
 security-level 2
 ip address 10.10.45.2 255.255.255.0 
 policy-route route-map RMAP-Gi1/3.45
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 description ***Telfort***
 nameif VlAN997
 security-level 1
 ip address dhcp setroute 
!
interface Management1/1
 description *** ASA Management ***
 management-only
 nameif MNGT
 security-level 100
 ip address 10.10.100.2 255.255.255.0 
!
banner motd ************************************************************************
banner motd *                 Unauthorized access is prohibited                    *
banner motd ************************************************************************
banner motd * This system is to be used only by specifically authorized personnel. *
banner motd * Any unauthorized use of the system is unlawful, and may be subject   *
banner motd * to civil and/or criminal penalties.                                  *
banner motd *                                                                      *
banner motd * Any use of the system may be logged or monitored without further     *
banner motd * notice and resulting logs may be used as evidence in court.          *
banner motd ************************************************************************
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network OBJ-NET-VLAN1
 subnet 10.10.50.0 255.255.255.0
object network OBJ-NET-VLAN20
 subnet 10.10.20.0 255.255.255.0
object network OBJ-NET-VLAN30
 subnet 10.10.30.0 255.255.255.0
object network OBJ-NET-VLAN40
 subnet 10.10.40.0 255.255.255.0
object network OBJ-NET-VLAN45
 subnet 10.10.45.0 255.255.255.0
object network NETWORK_OBJ_192.168.100.0_26
 subnet 192.168.100.0 255.255.255.192
object network OBJ-NET-HOST-10.10.20.105
 host 10.10.20.105
object service OBJ-SRV-TCP-3389
 service tcp source eq 3389 
object service OBJ-SRV-TCP-5000_6000
 service tcp source range 5000 6000 
object network OBJ-NET-HOST-82.94.75.162
 host 82.94.75.162
object network OBJ-NET-HOST-82.94.75.163
 host 82.94.75.163
object network OBJ-NET-HOST-82.94.75.164
 host 82.94.75.164
object network OBJ-NET-HOST-82.94.75.165
 host 82.94.75.165
object network OBJ-NET-HOST-82.94.75.166
 host 82.94.75.166
object network OBJ-NET-HOST-10.10.45.10
 host 10.10.45.10
object network OBJ-NET-HOST-10.10.20.10
 host 10.10.20.10
object network 10.10.60.2
 host 10.10.60.2
object-group network OBJ-GRP-NET-RFC1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
access-list ACL-VLAN999-INBOUND remark *** Fritbox - Internetverkeer ***
access-list ACL-VLAN999-INBOUND extended permit icmp any any echo-reply 
access-list ACL-VLAN999-INBOUND extended permit icmp any any unreachable 
access-list ACL-VLAN999-INBOUND extended permit icmp any any time-exceeded 
access-list ACL-VLAN999-INBOUND extended permit icmp any any source-quench 
access-list ACL-VLAN999-INBOUND extended permit tcp 193.173.85.0 255.255.255.192 object OBJ-NET-HOST-10.10.45.10 eq 3389 
access-list ACL-VLAN999-INBOUND remark Trans_ip Rdp
access-list ACL-VLAN999-INBOUND extended permit tcp host 37.97.201.18 object OBJ-NET-HOST-10.10.45.10 eq 3389 
access-list ACL-VLAN999-INBOUND extended permit tcp any any range 5000 6000 
access-list ACL-VLAN998-INBOUND remark *** Ziggo - Internetverkeer ***
access-list ACL-VLAN998-INBOUND extended permit icmp any any echo-reply 
access-list ACL-VLAN998-INBOUND extended permit icmp any any unreachable 
access-list ACL-VLAN998-INBOUND extended permit icmp any any time-exceeded 
access-list ACL-VLAN998-INBOUND extended permit icmp any any source-quench 
access-list ACL-VLAN998-INBOUND remark Trans_ip Rdp
access-list ACL-VLAN998-INBOUND extended permit tcp host 37.97.201.18 object OBJ-NET-HOST-10.10.45.10 eq 3389 
access-list ACL-VLAN998-INBOUND extended permit ip any any 
access-list ACL-VLAN998-INBOUND extended permit tcp any host 10.10.20.10 eq 3389 
access-list ACL-VLAN45-INBOUND remark *** RFC1918 ***
access-list ACL-VLAN45-INBOUND extended deny ip object OBJ-NET-VLAN45 object-group OBJ-GRP-NET-RFC1918 
access-list ACL-VLAN45-INBOUND remark *** Internetverkeer ***
access-list ACL-VLAN45-INBOUND extended permit ip any any 
access-list ACL-RMAP-VLAN45 extended deny ip object OBJ-NET-VLAN45 object-group OBJ-GRP-NET-RFC1918 
access-list ACL-RMAP-VLAN45 extended permit ip object OBJ-NET-VLAN45 any 
access-list ACL-VPN-SPLIT standard permit 10.10.0.0 255.255.0.0 
access-list ACL-PBR-ZIGGO2 extended permit ip 10.10.20.0 255.255.255.0 any 
access-list VlAN997_access_in extended permit ip interface VLAN45 interface VlAN997 
pager lines 24
logging enable
logging asdm informational
mtu VLAN999 1500
mtu VLAN998 1500
mtu VLAN1 1500
mtu VLAN20 1500
mtu VLAN30 1500
mtu VLAN40 1500
mtu VLAN45 1500
mtu VlAN997 1500
mtu MNGT 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-761.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (VLAN1,any) source static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 destination static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 no-proxy-arp route-lookup
nat (VLAN20,any) source static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 destination static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 no-proxy-arp route-lookup
nat (VLAN30,any) source static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 destination static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 no-proxy-arp route-lookup
nat (VLAN40,any) source static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 destination static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 no-proxy-arp route-lookup
nat (VLAN45,any) source static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 destination static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 no-proxy-arp route-lookup
nat (VLAN20,VLAN998) source static OBJ-NET-HOST-10.10.20.10 interface service OBJ-SRV-TCP-3389 OBJ-SRV-TCP-3389
nat (VLAN45,VLAN999) source static OBJ-NET-HOST-10.10.45.10 OBJ-NET-HOST-82.94.75.165
nat (VLAN1,VLAN999) source dynamic any interface
nat (VLAN20,VLAN999) source dynamic any interface
nat (VLAN30,VLAN999) source dynamic any interface
nat (VLAN40,VLAN999) source dynamic any interface
nat (VLAN1,VLAN998) source dynamic any interface
nat (VLAN20,VLAN998) source dynamic any interface
nat (VLAN30,VLAN998) source dynamic any interface
nat (VLAN40,VLAN998) source dynamic any interface
nat (VLAN45,VLAN999) source dynamic any interface
nat (VLAN45,VLAN998) source dynamic any interface
access-group ACL-VLAN999-INBOUND in interface VLAN999
access-group ACL-VLAN998-INBOUND in interface VLAN998
access-group ACL-VLAN45-INBOUND in interface VLAN45
access-group VlAN997_access_in in interface VlAN997
!
route-map PBR-ZIGGO1 permit 10
 match ip address ACL-VLAN998-INBOUND
 match interface VLAN998

!
route-map PBR-ZIGGO2 permit 10
 match ip address ACL-PBR-ZIGGO2
 set ip next-hop 212.187.37.1

!
route-map RMAP-Gi1/3.45 permit 10
 match ip address ACL-RMAP-VLAN45
 set ip next-hop verify-availability 82.94.75.161 1 track 10

!
route-map PBR-Telfort permit 10

!
route VLAN999 8.8.4.4 255.255.255.255 192.168.200.1 1
route VLAN998 8.8.8.8 255.255.255.255 192.168.199.1 1
route VLAN999 193.173.85.5 255.255.255.255 192.168.200.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL 
aaa authentication ssh console LOCAL 
aaa authentication http console LOCAL 
aaa authentication serial console LOCAL 
aaa authentication enable console LOCAL 
aaa authorization exec LOCAL auto-enable
http server enable
http 0.0.0.0 0.0.0.0 MNGT
http 0.0.0.0 0.0.0.0 VLAN20
http 0.0.0.0 0.0.0.0 VLAN999
no snmp-server location
no snmp-server contact
sla monitor 1
 type echo protocol ipIcmpEcho 8.8.8.8 interface VLAN998
 timeout 300
 threshold 15000
 frequency 5
sla monitor schedule 1 life forever start-time now
sla monitor 2
 type echo protocol ipIcmpEcho 8.8.4.4 interface VLAN999
 timeout 300
 threshold 15000
 frequency 5
sla monitor schedule 2 life forever start-time now
sla monitor 3
 type echo protocol ipIcmpEcho 8.8.8.8 interface VLAN999
sla monitor schedule 3 life forever start-time now
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map VLAN20_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map VLAN20_map interface VLAN20
crypto map VLAN30_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map VLAN30_map interface VLAN30
crypto map VLAN40_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map VLAN40_map interface VLAN40
crypto map VLAN998_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map VLAN998_map interface VLAN998
crypto map VLAN45_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto ca trustpoint localtrust
 enrollment self
 fqdn sslvpn.4udomein.com
 subject-name CN=sslvpn.4udomein.com
 keypair sslvpnkey
 crl configure
crypto ca trustpool policy
crypto ca certificate chain localtrust
 certificate 6bd0bf58
    30820300 308201e8 a0030201 0202046b d0bf5830 0d06092a 864886f7 0d010105 
    05003042 311c301a 06035504 03131373 736c7670 6e2e3475 646f6d65 696e2e63 
    6f6d3122 30200609 2a864886 f70d0109 02161373 736c7670 6e2e3475 646f6d65 
    696e2e63 6f6d301e 170d3137 30333130 30373431 32305a17 0d323730 33303830 
    37343132 305a3042 311c301a 06035504 03131373 736c7670 6e2e3475 646f6d65 
    696e2e63 6f6d3122 30200609 2a864886 f70d0109 02161373 736c7670 6e2e3475 
    646f6d65 696e2e63 6f6d3082 0122300d 06092a86 4886f70d 01010105 00038201 
    0f003082 010a0282 010100a1 b2fe7671 f610a388 6d51851c 502093f5 cb5a944b 
    6285bb0d 37a01743 532f1914 11494c9e fbdaae6e 2e08cdb0 328cb667 5942d4e6 
    cc5e61a5 fb692d38 f4d46f75 2f8227f8 245bc7df a467dc68 7621b0c2 13a36762 
    b7bfb486 14272c49 1eb14f1a a307c724 532cfa3d 50c8a646 9cc06d06 3f2efab4 
    e10d491b 54fc42cb bee423d0 4e8df04b 6154146e f095ee82 8f41364e c94c7533 
    913cc866 79c6a32a 11b13718 895e23cb bc7b3502 ad7e1013 78b34526 cee075c1 
    ffd74c4c 9f41299d 9f40207a dfe083b4 717c9853 96090207 6135d21d f0d55558 
    c952eda0 15a61b45 f13789d6 47c82828 4cdb6b03 806415d6 8c14157d f85f09c4 
    02ebe725 fe9bf345 f407c102 03010001 300d0609 2a864886 f70d0101 05050003 
    82010100 03b31914 58eeb2c6 3c23e006 8bd5a4f5 563503d2 03fcd341 8bcf451d 
    722a6d78 a57a9808 ad1a282c 77530dd5 24eca366 8455f14d 86e51ed9 426d9790 
    a1a274ec 2116ec1b 97506c2f 73fe491c b3706142 b5cba46f 890efa41 dc26053d 
    320204e4 2b21b7fc a6a2f521 1fffa05b c37de564 13cc4289 c8043907 b6b9f21c 
    0566c173 496a0a1d 5f9fa630 d51d76db 7e88a9d8 8c6aa3b0 29109dc6 d13dd6a5 
    01e17d31 5209671e ea139e42 40637c43 dbee0608 670fe6c1 72e73a85 e710bc1a 
    9d2f1d6b dded7d12 ffafe1d2 cc097a20 0595a446 a508f613 047250e7 1091bf87 
    68c813da 8cdd30d8 96598a1c 1a615f84 a21871a8 f8be0459 5dcfe69f 72a9fcf2 
    aadc283f
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable VLAN998 client-services port 443
crypto ikev2 enable VLAN20 client-services port 443
crypto ikev2 remote-access trustpoint localtrust
crypto ikev1 enable VLAN20
crypto ikev1 enable VLAN30
crypto ikev1 enable VLAN40
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
!
track 10 rtr 1 reachability
!
track 11 rtr 3 reachability
!
track 20 rtr 2 reachability
telnet timeout 5
ssh stricthostkeycheck
ssh 193.173.85.0 255.255.255.192 VLAN999
ssh 193.173.85.0 255.255.255.192 VLAN998
ssh 0.0.0.0 0.0.0.0 VLAN20
ssh 0.0.0.0 0.0.0.0 MNGT
ssh timeout 15
ssh key-exchange group dh-group1-sha1
console timeout 15

dhcp-client client-id interface VLAN999
dhcp-client client-id interface VLAN998
dhcp-client client-id interface VlAN997
dhcpd address 10.10.50.200-10.10.50.250 VLAN1
dhcpd dns 208.67.222.222 208.67.220.220 interface VLAN1
dhcpd enable VLAN1
!
dhcpd address 10.10.20.200-10.10.20.250 VLAN20
dhcpd dns 208.67.222.222 208.67.220.220 interface VLAN20
dhcpd enable VLAN20
!
dhcpd address 10.10.30.200-10.10.30.250 VLAN30
dhcpd dns 208.67.222.222 208.67.220.220 interface VLAN30
dhcpd enable VLAN30
!
dhcpd address 10.10.40.200-10.10.40.250 VLAN40
dhcpd dns 208.67.222.222 208.67.220.220 interface VLAN40
dhcpd enable VLAN40
!
dhcpd address 10.10.45.200-10.10.45.250 VLAN45
dhcpd dns 208.67.222.222 208.67.220.220 interface VLAN45
dhcpd enable VLAN45
!
dhcpd address 10.10.100.200-10.10.100.250 MNGT
dhcpd dns 208.67.222.222 208.67.220.220 interface MNGT
dhcpd enable MNGT
!
ntp server 85.255.214.66 source VLAN999
ssl trust-point localtrust VLAN999
ssl trust-point localtrust VLAN998
ssl trust-point localtrust VLAN20
webvpn
 enable VLAN999
 enable VLAN998
 enable VLAN20
 anyconnect image disk0:/anyconnect-linux64-4.4.01054-webdeploy-k9.pkg 1
 anyconnect image disk0:/anyconnect-win-4.4.01054-webdeploy-k9.pkg 2
 anyconnect profiles 4uDomein_client_profile disk0:/4uDomein_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
group-policy SSLCLient internal
group-policy SSLCLient attributes
 dns-server value 192.168.200.5
 vpn-tunnel-protocol ssl-client 
 default-domain value mysite.com
 address-pools value SSLClientPool
group-policy GroupPolicy_4uDomein internal
group-policy GroupPolicy_4uDomein attributes
 wins-server none
 dns-server value 10.10.20.100 10.10.20.101
 vpn-tunnel-protocol ikev1 ikev2 ssl-client 
 password-storage disable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ACL-VPN-SPLIT
 default-domain none
 webvpn
  anyconnect profiles value 4uDomein_client_profile type user
dynamic-access-policy-record DfltAccessPolicy
username Dave password L4o29iC9zK9nTS7P encrypted privilege 15
username Dave attributes
 service-type admin
username Davevpn password leb4YKzqGcsujPoJ encrypted privilege 15
username vlietd password Q101T2coMJVYHrL6 encrypted privilege 15
tunnel-group SSLClient type remote-access
tunnel-group SSLClient general-attributes
 default-group-policy SSLCLient
tunnel-group SSLClient webvpn-attributes
 group-alias MY_RA enable
tunnel-group 4uDomein type remote-access
tunnel-group 4uDomein general-attributes
 address-pool SSLClientPool
 default-group-policy GroupPolicy_4uDomein
tunnel-group 4uDomein webvpn-attributes
 group-alias 4uDomein enable
tunnel-group 4uDomein ipsec-attributes
 ikev1 trust-point localtrust
!
class-map inspection_default
 match default-inspection-traffic
class-map CMAP-DEFAULT
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
policy-map PMAP-GLOBAL
 class CMAP-DEFAULT
  inspect http 
  inspect ftp 
  inspect icmp 
 class class-default
  user-statistics accounting
!
service-policy global_policy global
prompt hostname context 
!
jumbo-frame reservation
!
no call-home reporting anonymous
Cryptochecksum:3c559b8068d83a3e7f3c8077dc410dee
: end
asdm image disk0:/asdm-761.bin
no asdm history enable

It seems the problem is back: every VLAN is back on the internet IP of VLAN999.

There was nothing done on the ASA besides setting up a NAT for 5060, which I removed right away on the ASA, and all 3 lines are up and running.

Setting the backup config back is not the solution, nor is a reboot afterwards.

This is frustrating; I think there was still a running config that was not active.

Please help, because I really do not want to set back the config from before the trouble or reset the ASA to default.

OK, I'm confused now. Please tell me which source VLANs get out to which destination VLAN?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hey, thanks for answering.

I reset the config completely back to default and did most of the work, but internet still goes out on VLAN999 now.

Have to say that I'm at 60 percent of the config, but I think I do it wrong or I just do not see it.

Sorry, I like to do this; I learn from it and that is good, but it is strange.

I put the config as it is now.

It needs to be like this:

WAN

VLAN999 is 212.187.37.131 255.255.255.0 with gateway, so next hop 212.187.37.1

VLAN998 is 62.194.166.32 255.255.255.0 with gateway, so next hop 62.194.166.1

VLAN997 is 10.10.60.2 255.255.255.0 with gateway, so next hop 10.10.60.1

LAN

VLAN20 needs to go out on VLAN999, internal network 10.10.20.xx

VLAN30 needs to go out on VLAN998, internal network 10.10.30.xx

VLAN40 needs to go out on VLAN997, internal network 10.10.40.xx

VLAN45 needs to go out on VLAN998, internal network 10.10.45.xx

LAN has DHCP on the internal WAN and I get the right internal address.

Hope this answers your post and clears it up.

Status update

Working:

VLAN40 out on 997 and has the right IP

VLAN20 out on 997 and has the right IP

Still not working:

VLAN30: completely no internet, so also does not have the 212.187.37.130 address, just nothing

VLAN45: completely no internet, so also does not have the 212.187.37.130 address, just nothing

Slowly I am getting where I want to be, but strange that 30 and 45 are down now.

Lines are up; if I connect my laptop directly I get the 212 address.

Also strange is that VLAN30 now has a download speed of 50 Mb and it is 500 Mbps.

Upload is 50 and that is correct.

New config is with this post.

Working

VLAN20 out on 999 and has the right IP

Typo in last post

For VLAN30:

- The route-map calls an ACL named ACL-PBR-ZIGGO2. However, this ACL says you should have 10.10.20.0/24 as source instead of 10.10.30.0/24:

access-list ACL-PBR-ZIGGO2 extended permit ip 10.10.20.0 255.255.255.0 any

You should create a dedicated ACL to match your VLAN30 subnet as source.

- The NAT for VLAN30 will apply when the traffic gets out through VLAN998.

- In your route-map the next-hop IP is 62.194.166.1, and I hope this is the one from VLAN998, but I can't confirm because this interface is in DHCP.

FOR VLAN45:

The interface refers to a PBR (route-map) called PBR-VLAN45, but it doesn't exist in your config.

This VLAN has to go out through VLAN998 as well.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi

Thanks for your help, and I tried what you said.

But then all 3 lines go down.

Status, and I use the config from yesterday (backup config)

Still not working:

VLAN30: completely no internet, so also does not have the VLAN998 address, just nothing

VLAN45: completely no internet, so also does not have the VLAN998 address, just nothing

I get DHCP but no connection

Next hop is OK and is 62.194.166.1, which is the GW for the 62.194.166.xx network.

To be completely sure, laptop on the Cat; that is normal in the ASA

Yes

VLAN999 is 212.187.37.131 255.255.255.0 with gateway, so next hop 212.187.37.1

Yes, and that one works with VLAN20 and is up

VLAN40 out on 997 is also OK

VLAN30 and 45, the Wi-Fi and server VLANs that go out on 998, are still down

I will try your options again today

And many thanks

New config, but still VLAN998 is dead

Please try this config:

 


access-list PBR-VLAN30 extended permit ip 10.10.30.0 255.255.255.0 any
access-list PBR-VLAN45 extended permit ip 10.10.45.0 255.255.255.0 any
!
no route-map PBR-VLAN30
no route-map PBR-VLAN45
!
route-map PBR-VLAN30 permit 10
 match ip address PBR-VLAN30
 set ip next-hop xxx.xxx.xxx.xxx ==> Has to be your ISP router IP
!
route-map PBR-VLAN45 permit 10
 match ip address PBR-VLAN45
 set ip next-hop xxx.xxx.xxx.xxx ==> Has to be your ISP router IP
!
! The VLAN sub-interfaces live on GigabitEthernet1/3 in the posted config
interface GigabitEthernet1/3.30
 policy-route route-map PBR-VLAN30
interface GigabitEthernet1/3.45
 policy-route route-map PBR-VLAN45

Make sure to set the right ISP VLAN998 IP as next-hop.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hey

I did the config, but still no internet on VLAN30 and 45.

ASA5506(config-route-map)# set ip next-hop 62.194.166.1


traceroute 8.8.8.8 source VLAN998

Type escape sequence to abort.
Tracing the route to 8.8.8.8

1 62.194.166.1 10 msec 10 msec 10 msec
2 212.142.3.81 10 msec 10 msec 10 msec
3 84.116.244.5 10 msec 10 msec 20 msec
4 84.116.135.33 10 msec 20 msec 20 msec
5 84.116.135.34 10 msec 20 msec 10 msec
6 74.125.146.228 20 msec 10 msec 20 msec
7 108.170.241.225 20 msec
108.170.241.161 10 msec
108.170.241.129 10 msec
8 216.239.42.115 10 msec
108.170.236.219 10 msec
216.239.51.175 20 msec
9 8.8.8.8 10 msec 20 msec 20 msec

 

And the new config, the complete backup, this time in a zip.

Not a clue what is wrong.

Run the following command please:

packet-tracer in VLAN30 icmp 10.10.30.20 8 0 8.8.8.8 detail

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaacbf63270, priority=1, domain=permit, deny=false
hits=20523, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=VLAN30, output_ifc=any

Phase: 2
Type: PBR-LOOKUP
Subtype: policy-route
Result: ALLOW
Config:
route-map PBR-VLAN30 permit 10
match ip address PBR-VLAN30
set ip next-hop 62.194.166.1
Additional Information:
Matched route-map PBR-VLAN30, sequence 10, permit
Found next-hop 62.194.166.1 using egress ifc VLAN998

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaacc0d89e0, priority=11, domain=permit, deny=true
hits=21109, user_data=0x6, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=VLAN30, output_ifc=any

Result:
input-interface: VLAN30
input-status: up
input-line-status: up
output-interface: VLAN998
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

And from 45 the same

 

Result of the command: "packet-tracer in VLAN45 icmp 10.10.30.20 8 0 8.8.8.8 detail"

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaacc023c50, priority=1, domain=permit, deny=false
hits=2204, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=VLAN45, output_ifc=any

Phase: 2
Type: PBR-LOOKUP
Subtype: policy-route
Result: ALLOW
Config:
route-map PBR-VLAN45 permit 10
match ip address PBR-VLAN45
set ip next-hop 62.194.166.1
Additional Information:
Matched route-map PBR-VLAN45, sequence 10, permit
Found next-hop 62.194.166.1 using egress ifc VLAN998

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaacc0dae60, priority=11, domain=permit, deny=true
hits=1896, user_data=0x6, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=VLAN45, output_ifc=any

Result:
input-interface: VLAN45
input-status: up
input-line-status: up
output-interface: VLAN998
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

We had a WebEx session.
The issue was the ACL for PBR on VLAN45 and VLAN30. These ACLs were wrong and not catching the right traffic.
The ACLs should have been as stated previously:
access-list VLAN45 extended permit ip 10.10.45.0 255.255.255.0 any
access-list VLAN30 extended permit ip 10.10.30.0 255.255.255.0 any
The second issue was the ACL applied on VLAN998: we allowed only ICMP and removed all others.
access-list VLAN998 extended permit icmp any any
Now everything works as expected. The ACLs can be filtered later on.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
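Both of Francesco's diagnoses above (a PBR route-map that matches an ACL written for a different subnet, and the inbound ACL on VLAN998) can be checked mechanically, and the packet-tracer output shows a third trap: the drop comes from the ingress interface's implicit rule, which on an ASA with no inbound ACL permits flows only toward a lower security level, so policy-routing VLAN30 (level 0) into VLAN998 (level 2) is denied no matter what the route-map says. The script below is an added example, not code from the thread or from Cisco. It parses a small constructed config modelled on the posted one (interface names and subnets are from the thread; VLAN45's security level is lowered to 1 in the sample so the check fires; SAMPLE_CONFIG, the parse() and lint() functions and the wording of the findings are my own) and reports all three conditions, including the `permit ip any any` that ACL-VLAN998-INBOUND carried in the original config and which makes that inbound ACL filter nothing.

```python
"""Lint an ASA running-config for the PBR mistakes in this thread. Added example, not from the
post or from Cisco: it reads only interface blocks, extended ACEs, route-maps and access-groups."""
import ipaddress
from collections import defaultdict

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample modelled on the thread's config (not the poster's file): VLAN30 reuses an
# ACL written for 10.10.20.0/24, VLAN45 is policy-routed into a higher security level with no
# inbound ACL, and VLAN998 carries 'permit ip any any'.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/2
 nameif VLAN998
 security-level 2
 ip address 62.194.166.32 255.255.255.0
interface GigabitEthernet1/3.30
 nameif VLAN30
 security-level 0
 ip address 10.10.30.2 255.255.255.0
 policy-route route-map PBR-ZIGGO2
interface GigabitEthernet1/3.45
 nameif VLAN45
 security-level 1
 ip address 10.10.45.2 255.255.255.0
 policy-route route-map PBR-VLAN45
access-list ACL-PBR-ZIGGO2 extended permit ip 10.10.20.0 255.255.255.0 any
access-list PBR-VLAN45 extended permit ip 10.10.45.0 255.255.255.0 any
access-list ACL-VLAN998-INBOUND extended permit ip any any
access-group ACL-VLAN998-INBOUND in interface VLAN998
route-map PBR-ZIGGO2 permit 10
 match ip address ACL-PBR-ZIGGO2
 set ip next-hop 212.187.37.1
route-map PBR-VLAN45 permit 10
 match ip address PBR-VLAN45
 set ip next-hop 62.194.166.1
"""

def src_network(tokens):  # ACE source: any/any4, 'host X' or 'NET MASK'; None when unresolved
    if tokens[0] in ("any", "any4"):
        return ANY
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1])
    if tokens[0] in ("object", "object-group", "interface", "any6"):
        return None
    try:
        return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    except (ValueError, IndexError):  # service object-group or another unhandled ACE form
        return None

def parse(text):  # -> (interfaces by nameif, ACEs by ACL name, route-maps, access-groups)
    ifaces, acls, rmaps, groups = {}, defaultdict(list), {}, {}
    block = cur = None
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "!":
            continue
        if not line.startswith(" "):  # a top-level statement closes any open block
            block = cur = None
            if tok[0] == "interface":
                block, cur = "if", {"level": None, "net": None, "pbr": None}
            elif tok[0] == "route-map":
                block, cur = "rm", rmaps.setdefault(tok[1], {"acl": None, "next_hop": None})
            elif tok[0] == "access-list" and len(tok) > 5 and tok[2] == "extended":
                acls[tok[1]].append((tok[3], tok[4], src_network(tok[5:])))
            elif tok[0] == "access-group":  # access-group ACL in interface NAMEIF
                groups[tok[4]] = tok[1]
        elif block == "if":
            if tok[0] == "nameif":
                ifaces[tok[1]] = cur
            elif tok[0] == "security-level":
                cur["level"] = int(tok[1])
            elif tok[:2] == ["ip", "address"] and tok[2] != "dhcp":
                cur["net"] = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
            elif tok[:2] == ["policy-route", "route-map"]:
                cur["pbr"] = tok[2]
        elif block == "rm" and tok[:3] == ["match", "ip", "address"]:
            cur["acl"] = tok[3]
        elif block == "rm" and tok[:3] == ["set", "ip", "next-hop"]:
            hop = tok[4] if tok[3] == "verify-availability" else tok[3]
            cur["next_hop"] = ipaddress.ip_address(hop)
    return ifaces, acls, rmaps, groups

def lint(text):  # one finding string per problem; an empty list means all checks pass
    ifaces, acls, rmaps, groups = parse(text)
    out = [f"{n}: {a} contains 'permit ip any any', so it filters nothing"
           for n, a in groups.items() if ("permit", "ip", ANY) in acls.get(a, [])]
    for name, itf in ((n, i) for n, i in ifaces.items() if i["pbr"] in rmaps):
        rm = rmaps[itf["pbr"]]
        # PBR fires only if a permit ACE in the matched ACL covers the ingress subnet.
        if not any(a == "permit" and s is not None and itf["net"] is not None
                   and itf["net"].subnet_of(s) for a, _, s in acls.get(rm["acl"], [])):
            out.append(f"{name}: ACL {rm['acl']} never matches {itf['net']}, so PBR is a no-op")
        # With no inbound ACL the implicit rule permits flows only toward a LOWER security
        # level, so PBR into a higher-level interface is dropped (the packet-tracer case above).
        egress = next((n for n, e in ifaces.items() if e["net"] is not None
                       and rm["next_hop"] is not None and rm["next_hop"] in e["net"]), None)
        if egress and name not in groups and itf["level"] < ifaces[egress]["level"]:
            out.append(f"{name}: security-level {itf['level']} into {egress} (level "
                       f"{ifaces[egress]['level']}) with no inbound ACL on {name}")
    return out
```

Call lint() on the text of `show running-config`: it returns one string per finding, and an empty list once every PBR ACL covers its own ingress subnet, no interface ACL is a blanket `permit ip any any`, and every policy-routed ingress interface either carries an inbound ACL or sends into an interface at the same or a lower security level. Interfaces addressed by DHCP (VLAN998 and VLAN999 in the posted config) expose no subnet in the running-config, so the egress check silently skips them unless the learned address is written in as a static `ip address` line first.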