Beginner

Re: 3 internet lines 2 vlans need to be on another outside line

It seems the problem is back; every VLAN is back to the internet IP of VLAN 999.

Nothing was done on the ASA besides setting up a NAT for 5060, which I removed right away on the ASA, and all 3 lines are up and running.

Setting back the backup config and rebooting afterwards is not the solution.

This is frustrating. I think that there was still a running config not active.

Please help, because I really do not want to set back the config from before the trouble or reset the ASA to default.

VIP Advisor

Re: 3 internet lines 2 vlans need to be on another outside line

Ok I'm confused now. Please tell me which source vlans get out to which destination vlan?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Beginner

Re: 3 internet lines 2 vlans need to be on another outside line

Hey, thanks for answering.

I reset the config completely back to default and did most of the work, but internet still goes on VLAN999 now.

I have to say that I'm at 60 percent of the config, but I think I am doing it wrong or I just do not see it.

Sorry, I like doing this; I learn from it and that is good, but it is strange.

I put the config like it is now.

It needs to be like this:

WAN

Vlan999 is 212.187.37.131 255.255.255.0 with gateway so next hop 212.187.37.1

Vlan998 is 62.194.166.32 255.255.255.0 with gateway so next hop 62.194.166.1

Vlan997 is 10.10.60.2 255.255.255.0 with gateway so next hop 10.10.60.1

LAN

Vlan20 needs to go on vlan999, internal network 10.10.20.xx

Vlan30 needs to go on vlan998, internal network 10.10.30.xx

Vlan40 needs to go on vlan997, internal network 10.10.40.xx

Vlan45 needs to go on vlan998, internal network 10.10.45.xx

LAN has DHCP on internal WAN and I get the right internal address.

Hope this answers your post and clears it up.

 

 

 

Beginner

Re: 3 internet lines 2 vlans need to be on another outside line

Status update

Working:

VLAN 40 out on 997 and has the right IP

VLAN 20 out on 997 and has the right IP

Still not working:

VLAN 30: completely no internet, so it also does not have the 212.187.37.130 address, just nothing

VLAN 45: completely no internet, so it also does not have the 212.187.37.130 address, just nothing

Slowly I am getting where I want to be, but it is strange that 30 and 45 are down now.

Lines are up; if I connect my laptop directly I get the 212 address.

Also strange is that VLAN 30 now has a down speed of 50 mb and it is 500mbps.

Upload is 50 and that is correct.

New config is with this post.

Beginner

Re: 3 internet lines 2 vlans need to be on another outside line

Working

Vlan 20 out on 999 and has the right ip

Typo last post

VIP Advisor

Re: 3 internet lines 2 vlans need to be on another outside line

 

For VLAN30:

- The route-map calls an ACL named ACL-PBR-ZIGGO2. However, this ACL is saying you should have 10.10.20.0/24 as source instead of 10.10.30.0/24:

access-list ACL-PBR-ZIGGO2 extended permit ip 10.10.20.0 255.255.255.0 any

You should create a dedicated ACL to match your VLAN30 subnet as source.

- The NAT for VLAN30 will apply when the traffic gets out through VLAN998.

- In your route-map the next-hop IP is 62.194.166.1 and I hope this is the one from VLAN 998, but I can't confirm because this interface is in DHCP.

For VLAN45:

The interface refers to a PBR (route-map) called PBR-VLAN45, but it doesn't exist in your config.

This VLAN has to go out through VLAN 998 as well.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Beginner

Re: 3 internet lines 2 vlans need to be on another outside line

Hi

Thanks for your help, and I try what you say,

but then all 3 lines go down.

Status, and I use the config from yesterday (backup config):

Still not working:

VLAN 30: completely no internet, so it also does not have the VLAN998 address, just nothing

VLAN 45: completely no internet, so it also does not have the VLAN998 address, just nothing

I get DHCP but no cone

Next hop is OK and is 62.194.166.1, which is the gateway for the 62.194.166.xx network.

To be completely sure: laptop on the Cat that is normally in the ASA.

Beginner

Re: 3 internet lines 2 vlans need to be on another outside line

Yes

Vlan999 is 212.187.37.131 255.255.255.0 with gateway so next hop 212.187.37.1

Yes, and that one works with VLAN20 and is up.

VLAN40 out on 997 is also OK.

VLAN30 and 45, the Wi-Fi and server VLANs that go out on 998, are still down.

I will try your options again today.

And many thanks.

Beginner

Re: 3 internet lines 2 vlans need to be on another outside line

New config, but VLAN 998 is still dead.

VIP Advisor

Re: 3 internet lines 2 vlans need to be on another outside line

Please try this config:

access-list PBR-VLAN30 extended permit ip 10.10.30.0 255.255.255.0 any
access-list PBR-VLAN45 extended permit ip 10.10.45.0 255.255.255.0 any
!
no route-map PBR-VLAN30
no route-map PBR-VLAN45
!
route-map PBR-VLAN30 permit 10
 match ip address PBR-VLAN30
 ! next-hop has to be your ISP router IP
 set ip next-hop xxx.xxx.xxx.xxx
!
route-map PBR-VLAN45 permit 10
 match ip address PBR-VLAN45
 ! next-hop has to be your ISP router IP
 set ip next-hop xxx.xxx.xxx.xxx
!
interface GigabitEthernet1/8.30
 policy-route route-map PBR-VLAN30
interface GigabitEthernet1/8.45
 policy-route route-map PBR-VLAN45

Make sure to set the right ISP VLAN998 IP as next-hop.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Beginner

Re: 3 internet lines 2 vlans need to be on another outside line

Hey

I did the config but still no internet on VLAN30 and 45

ASA5506(config-route-map)# set ip next-hop 62.194.166.1


traceroute 8.8.8.8 source VLAN998

Type escape sequence to abort.
Tracing the route to 8.8.8.8

1 62.194.166.1 10 msec 10 msec 10 msec
2 212.142.3.81 10 msec 10 msec 10 msec
3 84.116.244.5 10 msec 10 msec 20 msec
4 84.116.135.33 10 msec 20 msec 20 msec
5 84.116.135.34 10 msec 20 msec 10 msec
6 74.125.146.228 20 msec 10 msec 20 msec
7 108.170.241.225 20 msec
108.170.241.161 10 msec
108.170.241.129 10 msec
8 216.239.42.115 10 msec
108.170.236.219 10 msec
216.239.51.175 20 msec
9 8.8.8.8 10 msec 20 msec 20 msec

 

And the new config, the complete backup, this time in zip.

Not a clue what is wrong.

VIP Advisor

Re: 3 internet lines 2 vlans need to be on another outside line

Run the following command please:

packet-tracer in VLAN30 icmp 10.10.30.20 8 0 8.8.8.8 detail

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Beginner

Re: 3 internet lines 2 vlans need to be on another outside line

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaacbf63270, priority=1, domain=permit, deny=false
hits=20523, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=VLAN30, output_ifc=any

Phase: 2
Type: PBR-LOOKUP
Subtype: policy-route
Result: ALLOW
Config:
route-map PBR-VLAN30 permit 10
match ip address PBR-VLAN30
set ip next-hop 62.194.166.1
Additional Information:
Matched route-map PBR-VLAN30, sequence 10, permit
Found next-hop 62.194.166.1 using egress ifc VLAN998

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaacc0d89e0, priority=11, domain=permit, deny=true
hits=21109, user_data=0x6, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=VLAN30, output_ifc=any

Result:
input-interface: VLAN30
input-status: up
input-line-status: up
output-interface: VLAN998
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

Beginner

Re: 3 internet lines 2 vlans need to be on another outside line

And from 45 the same

 

Result of the command: "packet-tracer in VLAN45 icmp 10.10.30.20 8 0 8.8.8.8 detail"

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaacc023c50, priority=1, domain=permit, deny=false
hits=2204, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=VLAN45, output_ifc=any

Phase: 2
Type: PBR-LOOKUP
Subtype: policy-route
Result: ALLOW
Config:
route-map PBR-VLAN45 permit 10
match ip address PBR-VLAN45
set ip next-hop 62.194.166.1
Additional Information:
Matched route-map PBR-VLAN45, sequence 10, permit
Found next-hop 62.194.166.1 using egress ifc VLAN998

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaacc0dae60, priority=11, domain=permit, deny=true
hits=1896, user_data=0x6, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=VLAN45, output_ifc=any

Result:
input-interface: VLAN45
input-status: up
input-line-status: up
output-interface: VLAN998
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
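
Both traces above have the same shape: the PBR-LOOKUP phase allows the flow and selects egress VLAN998, and the drop comes from the ACCESS-LIST phase after it. The Python below is an added example, not part of any post in this thread; it pulls those two facts out of packet-tracer output. `summarize_trace` is a hypothetical helper and the sample trace is a constructed, shortened copy of the format shown above.

```python
import re

# Constructed sample: a shortened trace in the packet-tracer format posted above.
SAMPLE_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Result: ALLOW

Phase: 2
Type: PBR-LOOKUP
Result: ALLOW
Matched route-map PBR-VLAN30, sequence 10, permit
Found next-hop 62.194.166.1 using egress ifc VLAN998

Phase: 3
Type: ACCESS-LIST
Result: DROP

Result:
input-interface: VLAN30
output-interface: VLAN998
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def summarize_trace(text):
    """Return the PBR egress decision and the first dropping phase of a trace."""
    phases, cur = [], None
    out = {"next_hop": None, "egress": None, "drop_phase": None, "drop_reason": None}
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"Phase: (\d+)", line):
            cur = {"n": int(m[1]), "type": None, "result": None}
            phases.append(cur)
        elif line == "Result:":  # final summary block, no longer inside a phase
            cur = None
        elif cur and line.startswith("Type: "):
            cur["type"] = line[6:]
        elif cur and line.startswith("Result: "):
            cur["result"] = line[8:]
        elif m := re.match(r"Found next-hop (\S+) using egress ifc (\S+)", line):
            out["next_hop"], out["egress"] = m[1], m[2]
        elif line.startswith("Drop-reason: "):
            out["drop_reason"] = line[13:]
    drop = next((p for p in phases if p["result"] == "DROP"), None)
    out["drop_phase"] = (drop["n"], drop["type"]) if drop else None
    return out
```

A result with `egress` set and `drop_phase` of type ACCESS-LIST means the policy route chose the intended line and the packet was then filtered, so the access lists are the place to look rather than the route-map.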

 

VIP Advisor

Re: 3 internet lines 2 vlans need to be on another outside line

We had a Webex session.
The issue was the ACLs for PBR on VLAN 45 and 30. These ACLs were wrong and not catching the right traffic.
The ACLs should have been as stated previously:
access-list VLAN45 extended permit ip 10.10.45.0 255.255.255.0 any
access-list VLAN30 extended permit ip 10.10.30.0 255.255.255.0 any
The second issue was the ACL applied on VLAN998; we allowed only ICMP and removed all others.
access-list VLAN998 extended permit icmp any any
Now everything works as expected. ACLs can be filtered later on.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
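
The two PBR faults found in this thread (a route-map whose ACL matches another VLAN's subnet, and an interface that references a route-map that is not defined) can be checked offline against a saved config. The Python below is an added example, not code from the thread; the sample config is constructed, the interface addresses are assumed, and `audit_pbr` is a hypothetical helper that only understands `any` and `<network> <mask>` as ACL sources.

```python
import ipaddress

# Constructed sample modelled on this thread's faults; interface addresses (.1) are assumed.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/8.30
 ip address 10.10.30.1 255.255.255.0
 policy-route route-map PBR-VLAN30
interface GigabitEthernet1/8.45
 ip address 10.10.45.1 255.255.255.0
 policy-route route-map PBR-VLAN45
access-list ACL-PBR-ZIGGO2 extended permit ip 10.10.20.0 255.255.255.0 any
route-map PBR-VLAN30 permit 10
 match ip address ACL-PBR-ZIGGO2
 set ip next-hop 62.194.166.1
"""

def audit_pbr(config):
    """List interfaces whose policy route can never match their own subnet."""
    ifaces, rmaps, acls = {}, {}, {}
    section = None  # interface or route-map block currently being read
    for line in filter(str.strip, config.splitlines()):
        w = line.split()
        if not line[0].isspace():  # a top-level command starts a new block
            section = None
            if w[0] == "interface":
                section = ifaces.setdefault(w[1], {})
            elif w[0] == "route-map":
                section = rmaps.setdefault(w[1], {"acls": []})
            elif w[0] == "access-list" and w[2:5] == ["extended", "permit", "ip"] and len(w) > 6:
                # Source is "any" or "<network> <mask>"; other forms are skipped.
                src = "0.0.0.0/0" if w[5] == "any" else f"{w[5]}/{w[6]}"
                if src[0].isdigit():
                    acls.setdefault(w[1], []).append(ipaddress.ip_network(src, strict=False))
        elif section is not None:
            if w[:2] == ["ip", "address"] and len(w) >= 4 and w[2][0].isdigit():
                section["net"] = ipaddress.ip_network(f"{w[2]}/{w[3]}", strict=False)
            elif w[:2] == ["policy-route", "route-map"]:
                section["pbr"] = w[2]
            elif w[:3] == ["match", "ip", "address"]:
                section.setdefault("acls", []).extend(w[3:])
    findings = []
    for name, ifc in ifaces.items():
        rm, net = ifc.get("pbr"), ifc.get("net")
        srcs = [n for a in rmaps.get(rm, {}).get("acls", []) for n in acls.get(a, [])]
        if rm and net and rm not in rmaps:
            findings.append((name, f"route-map {rm} is not defined"))
        elif rm and net and not any(net.overlaps(n) for n in srcs):
            findings.append((name, f"{rm} matches {', '.join(map(str, srcs)) or 'nothing'}, not {net}"))
    return findings
```

Interfaces addressed by DHCP are skipped because the saved config carries no subnet for them.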
