06-23-2018 02:05 PM - edited 02-21-2020 07:54 AM
Hope there is somebody that can help me, because I'm stuck. I have set the backup back 4 times now, but it is not working.
Vlan40 needs to go out on vlan997, backup line ADSL 110 mb, up and running.
Vlan45, the main server VLAN, needs to be on vlan998, 500mb cable, also running but in bridge mode.
All the rest needs to stay in Vlan999 as a bridge cable network 500mb.
The VLAN settings on the core switch and main switch are OK and it was working.
I tried NAT and traffic zone, and the security level is how it needs to be, the same.
Vlan 997 also needs to be a backup line if Vlan 998 and 999 go down; that was also working.
My trouble began when I added the 997 vlan.
I can only ping the outside world on Vlan998; the other 2 give no response. If I connect my laptop directly to the routers all is fine, with no trouble with speed or lag.
My backup config, how it is running at the moment.
I set it back in the hope it will work like it was, and briefly disconnected the Vlan997.
At the moment I feel like a donkey running into a rock every single time.
If anyone has an idea, please let me know.
: Serial Number: JAD2042014S
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.6(1)
!
hostname ASA5506
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd hVxRMGvjmxCeVxgf encrypted
names
ip local pool SSLClientPool 192.168.100.1-192.168.100.50 mask 255.255.255.0
!
interface GigabitEthernet1/1
 description *** Ziggo2 ***
 mac-address aaaa.bbbb.cccc
 nameif VLAN999
 security-level 0
 ip address dhcp setroute
 ipv6 enable
!
interface GigabitEthernet1/2
 description *** Ziggo1 ***
 nameif VLAN998
 security-level 2
 ip address dhcp setroute
!
interface GigabitEthernet1/3
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3.1
 description *** Management ***
 vlan 1
 nameif VLAN1
 security-level 25
 ip address 10.10.50.2 255.255.255.0
!
interface GigabitEthernet1/3.20
 description *** Office ***
 vlan 20
 nameif VLAN20
 security-level 0
 ip address 10.10.20.2 255.255.255.0
 policy-route route-map PBR-ZIGGO2
 ipv6 enable
!
interface GigabitEthernet1/3.30
 description *** Wi-Fi ***
 vlan 30
 nameif VLAN30
 security-level 0
 ip address 10.10.30.2 255.255.255.0
 policy-route route-map PBR-ZIGGO2
!
interface GigabitEthernet1/3.40
 description *** Printer ***
 vlan 40
 nameif VLAN40
 security-level 1
 ip address 10.10.40.2 255.255.255.0
!
interface GigabitEthernet1/3.45
 description *** Server ***
 vlan 45
 nameif VLAN45
 security-level 2
 ip address 10.10.45.2 255.255.255.0
 policy-route route-map RMAP-Gi1/3.45
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 description ***Telfort***
 nameif VlAN997
 security-level 1
 ip address dhcp setroute
!
interface Management1/1
 description *** ASA Management ***
 management-only
 nameif MNGT
 security-level 100
 ip address 10.10.100.2 255.255.255.0
!
banner motd ************************************************************************
banner motd * Unauthorized access is prohibited *
banner motd ************************************************************************
banner motd * This system is to be used only by specifically authorized personnel. *
banner motd * Any unauthorized use of the system is unlawful, and may be subject *
banner motd * to civil and/or criminal penalties. *
banner motd * *
banner motd * Any use of the system may be logged or monitored without further *
banner motd * notice and resulting logs may be used as evidence in court. *
banner motd ************************************************************************
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network OBJ-NET-VLAN1
 subnet 10.10.50.0 255.255.255.0
object network OBJ-NET-VLAN20
 subnet 10.10.20.0 255.255.255.0
object network OBJ-NET-VLAN30
 subnet 10.10.30.0 255.255.255.0
object network OBJ-NET-VLAN40
 subnet 10.10.40.0 255.255.255.0
object network OBJ-NET-VLAN45
 subnet 10.10.45.0 255.255.255.0
object network NETWORK_OBJ_192.168.100.0_26
 subnet 192.168.100.0 255.255.255.192
object network OBJ-NET-HOST-10.10.20.105
 host 10.10.20.105
object service OBJ-SRV-TCP-3389
 service tcp source eq 3389
object service OBJ-SRV-TCP-5000_6000
 service tcp source range 5000 6000
object network OBJ-NET-HOST-82.94.75.162
 host 82.94.75.162
object network OBJ-NET-HOST-82.94.75.163
 host 82.94.75.163
object network OBJ-NET-HOST-82.94.75.164
 host 82.94.75.164
object network OBJ-NET-HOST-82.94.75.165
 host 82.94.75.165
object network OBJ-NET-HOST-82.94.75.166
 host 82.94.75.166
object network OBJ-NET-HOST-10.10.45.10
 host 10.10.45.10
object network OBJ-NET-HOST-10.10.20.10
 host 10.10.20.10
object network 10.10.60.2
 host 10.10.60.2
object-group network OBJ-GRP-NET-RFC1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
access-list ACL-VLAN999-INBOUND remark *** Fritbox - Internetverkeer ***
access-list ACL-VLAN999-INBOUND extended permit icmp any any echo-reply
access-list ACL-VLAN999-INBOUND extended permit icmp any any unreachable
access-list ACL-VLAN999-INBOUND extended permit icmp any any time-exceeded
access-list ACL-VLAN999-INBOUND extended permit icmp any any source-quench
access-list ACL-VLAN999-INBOUND extended permit tcp 193.173.85.0 255.255.255.192 object OBJ-NET-HOST-10.10.45.10 eq 3389
access-list ACL-VLAN999-INBOUND remark Trans_ip Rdp
access-list ACL-VLAN999-INBOUND extended permit tcp host 37.97.201.18 object OBJ-NET-HOST-10.10.45.10 eq 3389
access-list ACL-VLAN999-INBOUND extended permit tcp any any range 5000 6000
access-list ACL-VLAN998-INBOUND remark *** Ziggo - Internetverkeer ***
access-list ACL-VLAN998-INBOUND extended permit icmp any any echo-reply
access-list ACL-VLAN998-INBOUND extended permit icmp any any unreachable
access-list ACL-VLAN998-INBOUND extended permit icmp any any time-exceeded
access-list ACL-VLAN998-INBOUND extended permit icmp any any source-quench
access-list ACL-VLAN998-INBOUND remark Trans_ip Rdp
access-list ACL-VLAN998-INBOUND extended permit tcp host 37.97.201.18 object OBJ-NET-HOST-10.10.45.10 eq 3389
access-list ACL-VLAN998-INBOUND extended permit ip any any
access-list ACL-VLAN998-INBOUND extended permit tcp any host 10.10.20.10 eq 3389
access-list ACL-VLAN45-INBOUND remark *** RFC1918 ***
access-list ACL-VLAN45-INBOUND extended deny ip object OBJ-NET-VLAN45 object-group OBJ-GRP-NET-RFC1918
access-list ACL-VLAN45-INBOUND remark *** Internetverkeer ***
access-list ACL-VLAN45-INBOUND extended permit ip any any
access-list ACL-RMAP-VLAN45 extended deny ip object OBJ-NET-VLAN45 object-group OBJ-GRP-NET-RFC1918
access-list ACL-RMAP-VLAN45 extended permit ip object OBJ-NET-VLAN45 any
access-list ACL-VPN-SPLIT standard permit 10.10.0.0 255.255.0.0
access-list ACL-PBR-ZIGGO2 extended permit ip 10.10.20.0 255.255.255.0 any
access-list VlAN997_access_in extended permit ip interface VLAN45 interface VlAN997
pager lines 24
logging enable
logging asdm informational
mtu VLAN999 1500
mtu VLAN998 1500
mtu VLAN1 1500
mtu VLAN20 1500
mtu VLAN30 1500
mtu VLAN40 1500
mtu VLAN45 1500
mtu VlAN997 1500
mtu MNGT 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-761.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (VLAN1,any) source static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 destination static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 no-proxy-arp route-lookup
nat (VLAN20,any) source static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 destination static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 no-proxy-arp route-lookup
nat (VLAN30,any) source static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 destination static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 no-proxy-arp route-lookup
nat (VLAN40,any) source static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 destination static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 no-proxy-arp route-lookup
nat (VLAN45,any) source static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 destination static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 no-proxy-arp route-lookup
nat (VLAN20,VLAN998) source static OBJ-NET-HOST-10.10.20.10 interface service OBJ-SRV-TCP-3389 OBJ-SRV-TCP-3389
nat (VLAN45,VLAN999) source static OBJ-NET-HOST-10.10.45.10 OBJ-NET-HOST-82.94.75.165
nat (VLAN1,VLAN999) source dynamic any interface
nat (VLAN20,VLAN999) source dynamic any interface
nat (VLAN30,VLAN999) source dynamic any interface
nat (VLAN40,VLAN999) source dynamic any interface
nat (VLAN1,VLAN998) source dynamic any interface
nat (VLAN20,VLAN998) source dynamic any interface
nat (VLAN30,VLAN998) source dynamic any interface
nat (VLAN40,VLAN998) source dynamic any interface
nat (VLAN45,VLAN999) source dynamic any interface
nat (VLAN45,VLAN998) source dynamic any interface
access-group ACL-VLAN999-INBOUND in interface VLAN999
access-group ACL-VLAN998-INBOUND in interface VLAN998
access-group ACL-VLAN45-INBOUND in interface VLAN45
access-group VlAN997_access_in in interface VlAN997
!
route-map PBR-ZIGGO1 permit 10
 match ip address ACL-VLAN998-INBOUND
 match interface VLAN998
!
route-map PBR-ZIGGO2 permit 10
 match ip address ACL-PBR-ZIGGO2
 set ip next-hop 212.187.37.1
!
route-map RMAP-Gi1/3.45 permit 10
 match ip address ACL-RMAP-VLAN45
 set ip next-hop verify-availability 82.94.75.161 1 track 10
!
route-map PBR-Telfort permit 10
!
route VLAN999 8.8.4.4 255.255.255.255 192.168.200.1 1
route VLAN998 8.8.8.8 255.255.255.255 192.168.199.1 1
route VLAN999 193.173.85.5 255.255.255.255 192.168.200.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
aaa authorization exec LOCAL auto-enable
http server enable
http 0.0.0.0 0.0.0.0 MNGT
http 0.0.0.0 0.0.0.0 VLAN20
http 0.0.0.0 0.0.0.0 VLAN999
no snmp-server location
no snmp-server contact
sla monitor 1
 type echo protocol ipIcmpEcho 8.8.8.8 interface VLAN998
 timeout 300
 threshold 15000
 frequency 5
sla monitor schedule 1 life forever start-time now
sla monitor 2
 type echo protocol ipIcmpEcho 8.8.4.4 interface VLAN999
 timeout 300
 threshold 15000
 frequency 5
sla monitor schedule 2 life forever start-time now
sla monitor 3
 type echo protocol ipIcmpEcho 8.8.8.8 interface VLAN999
sla monitor schedule 3 life forever start-time now
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map VLAN20_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map VLAN20_map interface VLAN20
crypto map VLAN30_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map VLAN30_map interface VLAN30
crypto map VLAN40_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map VLAN40_map interface VLAN40
crypto map VLAN998_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map VLAN998_map interface VLAN998
crypto map VLAN45_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto ca trustpoint localtrust
 enrollment self
 fqdn sslvpn.4udomein.com
 subject-name CN=sslvpn.4udomein.com
 keypair sslvpnkey
 crl configure
crypto ca trustpool policy
crypto ca certificate chain localtrust
 certificate 6bd0bf58
    30820300 308201e8 a0030201 0202046b d0bf5830 0d06092a 864886f7 0d010105
    05003042 311c301a 06035504 03131373 736c7670 6e2e3475 646f6d65 696e2e63
    6f6d3122 30200609 2a864886 f70d0109 02161373 736c7670 6e2e3475 646f6d65
    696e2e63 6f6d301e 170d3137 30333130 30373431 32305a17 0d323730 33303830
    37343132 305a3042 311c301a 06035504 03131373 736c7670 6e2e3475 646f6d65
    696e2e63 6f6d3122 30200609 2a864886 f70d0109 02161373 736c7670 6e2e3475
    646f6d65 696e2e63 6f6d3082 0122300d 06092a86 4886f70d 01010105 00038201
    0f003082 010a0282 010100a1 b2fe7671 f610a388 6d51851c 502093f5 cb5a944b
    6285bb0d 37a01743 532f1914 11494c9e fbdaae6e 2e08cdb0 328cb667 5942d4e6
    cc5e61a5 fb692d38 f4d46f75 2f8227f8 245bc7df a467dc68 7621b0c2 13a36762
    b7bfb486 14272c49 1eb14f1a a307c724 532cfa3d 50c8a646 9cc06d06 3f2efab4
    e10d491b 54fc42cb bee423d0 4e8df04b 6154146e f095ee82 8f41364e c94c7533
    913cc866 79c6a32a 11b13718 895e23cb bc7b3502 ad7e1013 78b34526 cee075c1
    ffd74c4c 9f41299d 9f40207a dfe083b4 717c9853 96090207 6135d21d f0d55558
    c952eda0 15a61b45 f13789d6 47c82828 4cdb6b03 806415d6 8c14157d f85f09c4
    02ebe725 fe9bf345 f407c102 03010001 300d0609 2a864886 f70d0101 05050003
    82010100 03b31914 58eeb2c6 3c23e006 8bd5a4f5 563503d2 03fcd341 8bcf451d
    722a6d78 a57a9808 ad1a282c 77530dd5 24eca366 8455f14d 86e51ed9 426d9790
    a1a274ec 2116ec1b 97506c2f 73fe491c b3706142 b5cba46f 890efa41 dc26053d
    320204e4 2b21b7fc a6a2f521 1fffa05b c37de564 13cc4289 c8043907 b6b9f21c
    0566c173 496a0a1d 5f9fa630 d51d76db 7e88a9d8 8c6aa3b0 29109dc6 d13dd6a5
    01e17d31 5209671e ea139e42 40637c43 dbee0608 670fe6c1 72e73a85 e710bc1a
    9d2f1d6b dded7d12 ffafe1d2 cc097a20 0595a446 a508f613 047250e7 1091bf87
    68c813da 8cdd30d8 96598a1c 1a615f84 a21871a8 f8be0459 5dcfe69f 72a9fcf2
    aadc283f
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable VLAN998 client-services port 443
crypto ikev2 enable VLAN20 client-services port 443
crypto ikev2 remote-access trustpoint localtrust
crypto ikev1 enable VLAN20
crypto ikev1 enable VLAN30
crypto ikev1 enable VLAN40
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
!
track 10 rtr 1 reachability
!
track 11 rtr 3 reachability
!
track 20 rtr 2 reachability
telnet timeout 5
ssh stricthostkeycheck
ssh 193.173.85.0 255.255.255.192 VLAN999
ssh 193.173.85.0 255.255.255.192 VLAN998
ssh 0.0.0.0 0.0.0.0 VLAN20
ssh 0.0.0.0 0.0.0.0 MNGT
ssh timeout 15
ssh key-exchange group dh-group1-sha1
console timeout 15
dhcp-client client-id interface VLAN999
dhcp-client client-id interface VLAN998
dhcp-client client-id interface VlAN997
dhcpd address 10.10.50.200-10.10.50.250 VLAN1
dhcpd dns 208.67.222.222 208.67.220.220 interface VLAN1
dhcpd enable VLAN1
!
dhcpd address 10.10.20.200-10.10.20.250 VLAN20
dhcpd dns 208.67.222.222 208.67.220.220 interface VLAN20
dhcpd enable VLAN20
!
dhcpd address 10.10.30.200-10.10.30.250 VLAN30
dhcpd dns 208.67.222.222 208.67.220.220 interface VLAN30
dhcpd enable VLAN30
!
dhcpd address 10.10.40.200-10.10.40.250 VLAN40
dhcpd dns 208.67.222.222 208.67.220.220 interface VLAN40
dhcpd enable VLAN40
!
dhcpd address 10.10.45.200-10.10.45.250 VLAN45
dhcpd dns 208.67.222.222 208.67.220.220 interface VLAN45
dhcpd enable VLAN45
!
dhcpd address 10.10.100.200-10.10.100.250 MNGT
dhcpd dns 208.67.222.222 208.67.220.220 interface MNGT
dhcpd enable MNGT
!
ntp server 85.255.214.66 source VLAN999
ssl trust-point localtrust VLAN999
ssl trust-point localtrust VLAN998
ssl trust-point localtrust VLAN20
webvpn
 enable VLAN999
 enable VLAN998
 enable VLAN20
 anyconnect image disk0:/anyconnect-linux64-4.4.01054-webdeploy-k9.pkg 1
 anyconnect image disk0:/anyconnect-win-4.4.01054-webdeploy-k9.pkg 2
 anyconnect profiles 4uDomein_client_profile disk0:/4uDomein_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
group-policy SSLCLient internal
group-policy SSLCLient attributes
 dns-server value 192.168.200.5
 vpn-tunnel-protocol ssl-client
 default-domain value mysite.com
 address-pools value SSLClientPool
group-policy GroupPolicy_4uDomein internal
group-policy GroupPolicy_4uDomein attributes
 wins-server none
 dns-server value 10.10.20.100 10.10.20.101
 vpn-tunnel-protocol ikev1 ikev2 ssl-client
 password-storage disable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ACL-VPN-SPLIT
 default-domain none
 webvpn
  anyconnect profiles value 4uDomein_client_profile type user
dynamic-access-policy-record DfltAccessPolicy
username Dave password L4o29iC9zK9nTS7P encrypted privilege 15
username Dave attributes
 service-type admin
username Davevpn password leb4YKzqGcsujPoJ encrypted privilege 15
username vlietd password Q101T2coMJVYHrL6 encrypted privilege 15
tunnel-group SSLClient type remote-access
tunnel-group SSLClient general-attributes
 default-group-policy SSLCLient
tunnel-group SSLClient webvpn-attributes
 group-alias MY_RA enable
tunnel-group 4uDomein type remote-access
tunnel-group 4uDomein general-attributes
 address-pool SSLClientPool
 default-group-policy GroupPolicy_4uDomein
tunnel-group 4uDomein webvpn-attributes
 group-alias 4uDomein enable
tunnel-group 4uDomein ipsec-attributes
 ikev1 trust-point localtrust
!
class-map inspection_default
 match default-inspection-traffic
class-map CMAP-DEFAULT
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
policy-map PMAP-GLOBAL
 class CMAP-DEFAULT
  inspect http
  inspect ftp
  inspect icmp
 class class-default
  user-statistics accounting
!
service-policy global_policy global
prompt hostname context
!
jumbo-frame reservation
!
no call-home reporting anonymous
Cryptochecksum:3c559b8068d83a3e7f3c8077dc410dee
: end
asdm image disk0:/asdm-761.bin
no asdm history enable
06-30-2018 04:50 PM
It seems the problem is back: every VLAN is back to the internet IP of vlan 999.
Nothing was done on the ASA besides setting up a NAT for 5060, which I removed again right away on the ASA, and all 3 lines are up and running.
Setting back the backup config and rebooting afterwards is not the solution.
This is frustrating. I think that there was still a running config not active.
Please help, because I really do not want to set back the config from before the trouble or reset the ASA to default.
07-01-2018 11:49 PM
07-02-2018 12:12 AM
Hey, thanks for answering.
I reset the config completely back to default and did most of the work, but internet still goes out on vlan999 now.
I have to say that I'm at 60 percent of the config, but I think I'm doing it wrong or I just do not see it.
Sorry, I like doing this; I learn from it and that is good, but it is strange.
I put the config as it is now.
It needs to be like this:
WAN
Vlan999 is 212.187.37.131 255.255.255.0 with gateway so next hop 212.187.37.1
Vlan998 is 62.194.166.32 255.255.255.0 with gateway so next hop 62.194.166.1
Vlan997 is 10.10.60.2 255.255.255.0 with gateway so next hop 10.10.60.1
LAN
Vlan20 needs to go out on vlan999, internal network 10.10.20.xx
Vlan30 needs to go out on vlan998, internal network 10.10.30.xx
Vlan40 needs to go out on vlan997, internal network 10.10.40.xx
Vlan45 needs to go out on vlan998, internal network 10.10.45.xx
LAN has DHCP on internal WAN and I get the right internal address.
Hope this answers your post and clears it up.
07-02-2018 02:45 PM
Status update
Working:
Vlan 40 out on 997 and has the right ip
Vlan 20 out on 997 and has the right ip
Still not working:
Vlan 30: completely no internet, so it also does not have the 212.187.37.130 address, just nothing
Vlan 45: completely no internet, so it also does not have the 212.187.37.130 address, just nothing
Slowly I'm getting where I want to be, but it is strange that 30 and 45 are down now.
Lines are up: if I connect my laptop directly I get the 212 address.
Also strange is that vlan 30 now has a download speed of 50 mb and it is 500mbps;
upload is 50 and that is correct.
New config is with this post.
07-02-2018 02:48 PM
Working
Vlan 20 out on 999 and has the right ip
Typo last post
07-02-2018 05:45 PM
For VLAN30:
- the route-map calls an acl named ACL-PBR-ZIGGO2. However, this acl is saying you should have 10.10.20.0/24 as source instead of 10.10.30.0/24:
access-list ACL-PBR-ZIGGO2 extended permit ip 10.10.20.0 255.255.255.0 any
You should create a dedicated acl to match your VLAN30 subnet as source.
- The nat for VLAN30 will apply when the traffic gets out through VLAN998.
- In your route-map the next-hop IP is 62.194.166.1 and I hope this is the one from vlan 998, but I can't confirm because this interface is in DHCP.
For VLAN45:
The interface refers to a PBR (route-map) called PBR-VLAN45, but it doesn't exist in your config.
This vlan has to go out through vlan 998 as well.
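The two findings in the reply above (a route-map whose match ACL covers a different subnet than the interface it is applied to, and an interface bound to a route-map that is not defined) can be checked mechanically; this is an added example, not part of the original thread or of any Cisco tool. The sample config is constructed from names and addresses in the thread; the GigabitEthernet1/3.x sub-interface numbers and the PBR-VLAN40 / ACL-PBR-VLAN40 names are assumptions, and object-based ACL sources are not resolved.

```python
import ipaddress
import re

# Constructed sample reproducing the two findings in the reply above; the
# sub-interface numbers and the PBR-VLAN40 / ACL-PBR-VLAN40 names are assumed.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/3.30
 nameif VLAN30
 ip address 10.10.30.2 255.255.255.0
 policy-route route-map PBR-ZIGGO2
!
interface GigabitEthernet1/3.40
 nameif VLAN40
 ip address 10.10.40.2 255.255.255.0
 policy-route route-map PBR-VLAN40
!
interface GigabitEthernet1/3.45
 nameif VLAN45
 ip address 10.10.45.2 255.255.255.0
 policy-route route-map PBR-VLAN45
!
access-list ACL-PBR-ZIGGO2 extended permit ip 10.10.20.0 255.255.255.0 any
access-list ACL-PBR-VLAN40 extended permit ip 10.10.40.0 255.255.255.0 any
route-map PBR-ZIGGO2 permit 10
 match ip address ACL-PBR-ZIGGO2
 set ip next-hop 62.194.166.1
route-map PBR-VLAN40 permit 10
 match ip address ACL-PBR-VLAN40
 set ip next-hop 10.10.60.1
"""

IPV4 = re.compile(r"^\d+\.\d+\.\d+\.\d+$")


def acl_source(tok):
    """Source network of an 'extended permit ip' ACE, or None if unresolved."""
    if tok[5] in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0")
    if len(tok) > 6 and IPV4.match(tok[5]) and IPV4.match(tok[6]):
        return ipaddress.ip_network(tok[5] + "/" + tok[6], strict=False)
    return None  # host, object, object-group, interface: not resolved here


def parse(config):
    """Collect interfaces, route-maps and permit-ip ACEs from a running-config."""
    interfaces, route_maps, acls, section = [], {}, {}, None
    for raw in config.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if not raw.startswith(" "):  # top-level command closes any open section
            section = None
            if tok[0] == "interface":
                section = {"name": tok[1], "net": None, "pbr": None}
                interfaces.append(section)
            elif tok[0] == "route-map":
                section = route_maps.setdefault(tok[1], {"acls": []})
            elif tok[0] == "access-list" and tok[2:5] == ["extended", "permit", "ip"]:
                acls.setdefault(tok[1], []).append(acl_source(tok))
        elif section is None:
            continue
        elif tok[0] == "nameif":
            section["name"] = tok[1]
        elif tok[:2] == ["ip", "address"] and len(tok) > 3 and IPV4.match(tok[2]):
            section["net"] = ipaddress.ip_interface(tok[2] + "/" + tok[3]).network
        elif tok[:2] == ["policy-route", "route-map"]:
            section["pbr"] = tok[2]
        elif tok[:3] == ["match", "ip", "address"]:
            section.setdefault("acls", []).extend(tok[3:])
    return interfaces, route_maps, acls


def lint_pbr(config):
    """Return (interface, route-map, problem) for PBR bindings that cannot match."""
    interfaces, route_maps, acls = parse(config)
    findings = []
    for ifc in (i for i in interfaces if i["pbr"]):
        rmap, net = ifc["pbr"], ifc["net"]
        if rmap not in route_maps:
            findings.append((ifc["name"], rmap, "route-map is not defined"))
            continue
        names = route_maps[rmap]["acls"]
        sources = [s for n in names for s in acls.get(n, [])]
        if not names or net is None or None in sources:
            continue  # no match clause, DHCP address, or unresolved source
        if not any(s.overlaps(net) for s in sources):
            findings.append((ifc["name"], rmap, "match ACL permits "
                             f"{', '.join(map(str, sources)) or 'nothing'}, not {net}"))
    return findings
```

On the sample, `lint_pbr(SAMPLE_CONFIG)` reports VLAN30 and VLAN45 and leaves VLAN40, whose ACL covers its own subnet, alone.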
07-03-2018 01:28 PM
Hi
Thanks for your help. I tried what you said,
but then all 3 lines go down.
Status, and I use the config from yesterday (backup config):
Still not working:
Vlan 30: completely no internet, so it also does not have the VLAN998 address, just nothing
Vlan 45: completely no internet, so it also does not have the VLAN998 address, just nothing
I get DHCP but no cone
Next hop is OK and is 62.194.166.1, which is the gateway for the 62.194.166.xx network.
To be completely sure: laptop on the Cat that is normally in the ASA.
07-03-2018 11:19 PM
Yes
Vlan999 is 212.187.37.131 255.255.255.0 with gateway so next hop 212.187.37.1
Yes, and that one works with VLAN20 and is up.
VLAN40 out on 997 is also OK.
VLAN30 and 45, the Wi-Fi and server VLANs that go out on 998, are still down.
I will try your options again today.
And many thanks
07-04-2018 04:25 AM
07-04-2018 05:39 PM
Please try this config:
access-list PBR-VLAN30 extended permit ip 10.10.30.0 255.255.255.0 any
! VLAN45 subnet is 10.10.45.0/24
access-list PBR-VLAN45 extended permit ip 10.10.45.0 255.255.255.0 any
!
no route-map PBR-VLAN30
no route-map PBR-VLAN45
!
! next-hop has to be your ISP router IP
route-map PBR-VLAN30 permit 10
 match ip address PBR-VLAN30
 set ip next-hop xxx.xxx.xxx.xxx
!
! next-hop has to be your ISP router IP
route-map PBR-VLAN45 permit 10
 match ip address PBR-VLAN45
 set ip next-hop xxx.xxx.xxx.xxx
!
interface GigabitEthernet1/8.30
 policy-route route-map PBR-VLAN30
interface GigabitEthernet1/8.45
 policy-route route-map PBR-VLAN45
Make sure to set the right ISP VLAN998 IP as next-hop
07-04-2018 11:37 PM
Hey
I did the config but still no internet on VLAN30 and 45
ASA5506(config-route-map)# set ip next-hop 62.194.166.1
traceroute 8.8.8.8 source VLAN998
Type escape sequence to abort.
Tracing the route to 8.8.8.8
1 62.194.166.1 10 msec 10 msec 10 msec
2 212.142.3.81 10 msec 10 msec 10 msec
3 84.116.244.5 10 msec 10 msec 20 msec
4 84.116.135.33 10 msec 20 msec 20 msec
5 84.116.135.34 10 msec 20 msec 10 msec
6 74.125.146.228 20 msec 10 msec 20 msec
7 108.170.241.225 20 msec
108.170.241.161 10 msec
108.170.241.129 10 msec
8 216.239.42.115 10 msec
108.170.236.219 10 msec
216.239.51.175 20 msec
9 8.8.8.8 10 msec 20 msec 20 msec
And the new config, the complete backup, this time in a zip.
Not a clue what is wrong.
07-05-2018 08:03 PM
07-05-2018 10:42 PM
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaacbf63270, priority=1, domain=permit, deny=false
hits=20523, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=VLAN30, output_ifc=any
Phase: 2
Type: PBR-LOOKUP
Subtype: policy-route
Result: ALLOW
Config:
route-map PBR-VLAN30 permit 10
match ip address PBR-VLAN30
set ip next-hop 62.194.166.1
Additional Information:
Matched route-map PBR-VLAN30, sequence 10, permit
Found next-hop 62.194.166.1 using egress ifc VLAN998
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaacc0d89e0, priority=11, domain=permit, deny=true
hits=21109, user_data=0x6, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=VLAN30, output_ifc=any
Result:
input-interface: VLAN30
input-status: up
input-line-status: up
output-interface: VLAN998
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
07-05-2018 10:50 PM
And from 45 the same
Result of the command: "packet-tracer in VLAN45 icmp 10.10.30.20 8 0 8.8.8.8 detail"
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaacc023c50, priority=1, domain=permit, deny=false
hits=2204, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=VLAN45, output_ifc=any
Phase: 2
Type: PBR-LOOKUP
Subtype: policy-route
Result: ALLOW
Config:
route-map PBR-VLAN45 permit 10
match ip address PBR-VLAN45
set ip next-hop 62.194.166.1
Additional Information:
Matched route-map PBR-VLAN45, sequence 10, permit
Found next-hop 62.194.166.1 using egress ifc VLAN998
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaacc0dae60, priority=11, domain=permit, deny=true
hits=1896, user_data=0x6, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=VLAN45, output_ifc=any
Result:
input-interface: VLAN45
input-status: up
input-line-status: up
output-interface: VLAN998
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
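Both traces above have the same shape: the PBR-LOOKUP phase succeeds and selects egress VLAN998, and the flow is then dropped in a later ACCESS-LIST phase by an implicit rule on the input interface. The following added example (not part of the original thread) parses packet-tracer output and reports the dropping phase alongside what policy routing had already decided; the sample is the VLAN30 trace from the thread, abridged, and the function names are this example's own.

```python
import re

# Sample input: the VLAN30 trace posted above, abridged to the lines read here.
SAMPLE_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
in id=0x2aaacbf63270, priority=1, domain=permit, deny=false
input_ifc=VLAN30, output_ifc=any
Phase: 2
Type: PBR-LOOKUP
Subtype: policy-route
Result: ALLOW
Config:
route-map PBR-VLAN30 permit 10
match ip address PBR-VLAN30
set ip next-hop 62.194.166.1
Additional Information:
Matched route-map PBR-VLAN30, sequence 10, permit
Found next-hop 62.194.166.1 using egress ifc VLAN998
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
in id=0x2aaacc0d89e0, priority=11, domain=permit, deny=true
input_ifc=VLAN30, output_ifc=any
Result:
input-interface: VLAN30
output-interface: VLAN998
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_trace(text):
    """Split packet-tracer output into per-phase dicts plus the final summary."""
    phases, summary, cur, bucket, in_summary = [], {}, None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        key, sep, value = (part.strip() for part in line.partition(":"))
        if key == "Phase" and sep:
            cur = {"phase": int(value), "config": [], "info": []}
            bucket, in_summary = None, False
            phases.append(cur)
        elif line == "Result:":              # bare "Result:" opens the summary
            cur, in_summary = None, True
        elif in_summary:
            if sep:
                summary[key] = value
        elif cur is None or not line:
            continue
        elif line in ("Config:", "Additional Information:"):
            bucket = "config" if line == "Config:" else "info"
        elif bucket is None and sep:
            cur[key.lower()] = value         # Type / Subtype / Result
        elif bucket:
            cur[bucket].append(line)
    return phases, summary


def triage(text):
    """Report where the flow was dropped and what PBR had already decided."""
    phases, summary = parse_trace(text)
    report = {"action": summary.get("Action"),
              "drop_reason": summary.get("Drop-reason"),
              "ingress": summary.get("input-interface"),
              "egress": summary.get("output-interface"),
              "pbr_route_map": None, "dropped_in": None}
    for p in phases:
        if p.get("type") == "PBR-LOOKUP":
            m = re.search(r"Matched route-map (\S+),", " ".join(p["info"]))
            report["pbr_route_map"] = m.group(1) if m else None
        if p.get("result") == "DROP" and report["dropped_in"] is None:
            report["dropped_in"] = {"phase": p["phase"], "type": p.get("type"),
                                    "implicit_rule": "Implicit Rule" in p["config"]}
    return report
```

Because the PBR phase has already picked the intended egress interface, the report points at the access policy applied to traffic entering from the VLAN, not at the route-map, as the next thing to inspect.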
07-06-2018 02:03 PM