ASA 5510 cannot access internet through Procurve 5406zl

hmongstrong
Level 1

I cannot access the internet with my current configurations. Clients on vlan100/101 can obtain an IP address but wired clients cannot access outside.

What's weird is that I have mobile devices running off a Ruckus ZoneDirector and wireless APs in vlan101 and for some reason those work! Any client PCs even on vlan101 cannot get to internet.


:
ASA Version 8.0(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password sfOF4HJkXcLFJ08N encrypted
names
name 10.10.10.70 S2_server description S2 web server
name 8.8.8.8 GOOGLE_DNS description Google's DNS server
!
interface Ethernet0/0
nameif outside
security-level 0
ip address EXTERNAL IP
!
interface Ethernet0/1
speed 100
duplex full
no nameif
no security-level
no ip address
!
interface Ethernet0/1.100
shutdown
vlan 100
nameif WIRED
security-level 100
ip address 10.50.2.1 255.255.255.0
!
interface Ethernet0/1.101
vlan 101
nameif WIRELESS
security-level 100
ip address 10.50.3.1 255.255.255.0
!
interface Ethernet0/2
nameif S2
security-level 100
ip address 10.10.10.10 255.255.255.0
!
interface Ethernet0/3
nameif temp_dhcp
security-level 100
ip address 10.50.1.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 10.50.0.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
pager lines 24
logging enable
logging asdm debugging
logging mail warnings
logging class auth mail debugging
mtu outside 1500
mtu WIRED 1500
mtu S2 1500
mtu management 1500
mtu WIRELESS 1500
mtu temp_dhcp 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (WIRED) 1 0.0.0.0 0.0.0.0
nat (WIRELESS) 1 0.0.0.0 0.0.0.0
nat (temp_dhcp) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 EXTERNAL GATEWAY 1
route WIRELESS 10.0.0.0 255.0.0.0 10.50.4.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.50.2.0 255.255.255.0 WIRED
http 10.50.0.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 0.0.0.0 0.0.0.0 management
telnet timeout 5
ssh timeout 5
console timeout 10
management-access WIRED
dhcpd dns 208.18.47.61 GOOGLE_DNS
!
dhcpd address 10.50.2.50-10.50.2.254 WIRED
dhcpd enable WIRED
!
dhcpd address 10.50.0.2-10.50.0.10 management
dhcpd enable management
!
dhcpd address 10.50.3.50-10.50.3.254 WIRELESS
dhcpd enable WIRELESS
!
dhcpd address 10.50.1.50-10.50.1.254 temp_dhcp
dhcpd enable temp_dhcp
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
!
service-policy global_policy global
username admin password HEU0LnYme.ESFRyI encrypted privilege 15
prompt hostname context
Cryptochecksum:07a8d4c85adb387752d1b18fd9152773
: end
asdm image disk0:/asdm-602.bin
no asdm history enable

HP Procurve 5406zl

---

; J8697A Configuration Editor; Created on release #K.15.12.0010
; Ver #04:01.ff.3f.ef:2a
hostname "Wireless_Switch"
module 1 type j9536a
module 2 type j9536a
module 3 type j9536a
module 4 type j9536a
trunk A1 trk1 trunk
time daylight-time-rule continental-us-and-canada
time timezone -360
ip authorized-managers 10.50.0.0 255.255.0.0 access manager
ip route 0.0.0.0 0.0.0.0 EXTERNAL IP
ip routing
interface A1
   name "Cisco ASA 5510"
   exit
interface A3
   name "Track-It!"
   exit
interface B1
   flow-control
   name "DC-01"
   exit
interface D1
   name "BELKIN_wireless"
   exit
interface D19
   name "Access Point-01"
   exit
interface D20
   name "ZoneDirector"
   exit
snmp-server community "public" unrestricted
router rip
   redistribute connected
   exit
vlan 1
   name "DEFAULT_VLAN"
   no untagged B1,C1-C20,D1-D20
   untagged A2-A22,B2-B22,C21-C22,D21-D22
   tagged Trk1
   ip address 10.50.4.1 255.255.255.0
   exit
vlan 5
   name "Domain_Controllers"
   untagged B1
   tagged Trk1
   ip address 10.50.5.1 255.255.255.0
   exit
vlan 100
   name "WIRED"
   untagged C1-C20
   tagged Trk1
   ip address 10.50.2.1 255.255.255.0
   ip helper-address 10.50.2.1
   exit
vlan 101
   name "WIRELESS"
   untagged D1-D20
   tagged Trk1
   ip address 10.50.3.1 255.255.255.0
   ip helper-address 10.50.3.1
   exit
spanning-tree
spanning-tree Trk1 priority 4

Message was edited by: Bee Yang

9 Replies

jumora
Level 7

Please check the logs when you try to go out to the Internet through the ASA.

enable

config t

logging on

logging buffered debugging

logging buffer-size 1048576

clear log buffer

show log | in

Can you please get me a "ipconfig /all", "route print" and "arp -a" of the PC from where you are testing from + logs of the ASA.

Value our effort and rate the assistance!

Looks like you are missing NAT for the Wired network.

global (outside) 1 interface

nat (WIRELESS) 1 0.0.0.0 0.0.0.0

nat (temp_dhcp) 1 0.0.0.0 0.0.0.0

Add a nat statement for the WIRED network and see if that solves your issue.

--
Please remember to select a correct answer and rate helpful posts
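
The check suggested in the reply above, as an added example that is not part of the original thread: in the pre-8.3 `nat`/`global` syntax shown here, each inside interface needs a `nat` statement whose ID matches a `global` on the egress interface before its traffic is translated out. The function name `audit_nat` and the `SAMPLE` excerpt are constructed for this illustration.

```python
import re

# Constructed excerpt in the style of the ASA 8.0 configuration quoted above.
SAMPLE = """\
interface Ethernet0/0
 nameif outside
!
interface Ethernet0/1.100
 shutdown
 nameif WIRED
!
interface Ethernet0/1.101
 nameif WIRELESS
!
global (outside) 1 interface
nat (WIRELESS) 1 0.0.0.0 0.0.0.0
"""

def audit_nat(config, egress="outside"):
    """Map each non-egress nameif to the reasons it cannot be translated out."""
    ifaces, cur, nat_ids, global_ids = {}, None, {}, set()
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("interface "):
            cur = {"shutdown": False}          # new interface stanza
        elif line == "!":
            cur = None                         # stanza ended
        elif cur is not None and line == "shutdown":
            cur["shutdown"] = True
        elif cur is not None and line.startswith("nameif "):
            ifaces[line.split()[1]] = cur
        elif m := re.match(r"nat \((\S+)\) (\d+) ", line):
            nat_ids.setdefault(m.group(1), set()).add(m.group(2))
        elif m := re.match(r"global \((\S+)\) (\d+) ", line):
            if m.group(1) == egress:
                global_ids.add(m.group(2))
    findings = {}
    for name, info in ifaces.items():
        if name == egress:
            continue
        problems = ["interface is shutdown"] if info["shutdown"] else []
        ids = nat_ids.get(name, set())
        if not ids:
            problems.append("no nat statement")
        elif not ids & (global_ids | {"0"}):   # nat id 0 is exemption, needs no global
            problems.append("nat id has no matching global on " + egress)
        if problems:
            findings[name] = problems
    return findings

if __name__ == "__main__":
    print(audit_nat(SAMPLE))
```

Run against a saved `show running-config`, an empty result means every named inside interface is up and has a usable `nat`/`global` pair; it does not check routing or access lists.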

I added a NAT for wired and changed ip of vlan1 to 10.50.4.1

I've managed to get it to work sometimes....then it stops working.  It also appears way slower.

Hello,

Okay, so you have added the missing NAT statement, right?

Add the following

fixup protocol icmp

Then try to ping from a wired VLAN PC to 4.2.2.2 and provide the results

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Please set up Wireshark on your PC (enable it to capture traffic on the PC NIC) while downloading or video streaming.

I am not sure if you can upload files to support forums.

Get me the next information from cmd:

ipconfig /all

arp -a

route print

The ping test will show us how much delay you see on the response but first we need to add the inspect ICMP:

enable

config t

policy-map global_policy

class inspection_default

  inspect icmp

We need the show tech because we need to look at the interface settings and statistics so please get that information to us and we will take a look.

Value our effort and rate the assistance!

Also, get off that OS version that you are running on the ASA and update it to something a bit newer. You should be able to get to 8.2.5, but if your memory runs low you might need to upgrade memory to 1GB; this is only done if your free memory is less than 20%.

Value our effort and rate the assistance!

arp -a

Interface: 10.50.3.124 --- 0xb
  Internet Address      Physical Address      Type
  10.50.3.1             2c-76-8a-31-06-00     dynamic
  10.50.3.10            24-c9-a1-24-a7-e4     dynamic
  10.50.3.255           ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.252           01-00-5e-00-00-fc     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static

ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : techshopws3
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter PELCO:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) 82579LM Gigabit Network Connecti
on
   Physical Address. . . . . . . . . : 90-B1-1C-99-C9-DB
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.50.3.124(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Friday, November 01, 2013 8:38:52 AM
   Lease Expires . . . . . . . . . . : Friday, November 01, 2013 9:38:52 AM
   Default Gateway . . . . . . . . . : 10.50.3.1
   DHCP Server . . . . . . . . . . . : 10.50.3.1
   DNS Servers . . . . . . . . . . . : 208.18.47.61
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled

route print
===========================================================================
Interface List
11...90 b1 1c 99 c9 db ......Intel(R) 82579LM Gigabit Network Connection
  1...........................Software Loopback Interface 1
12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
13...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
18...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.50.3.1      10.50.3.124     10
        10.50.3.0    255.255.255.0         On-link       10.50.3.124    266
      10.50.3.124  255.255.255.255         On-link       10.50.3.124    266
      10.50.3.255  255.255.255.255         On-link       10.50.3.124    266
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link       10.50.3.124    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link       10.50.3.124    266
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
  1    306 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

I've updated first post with current running configurations.

I have ASA interface Ethernet0/3 going to a Cisco 3560 and wired devices can get to internet from its vlan1.

Ok, I don't see the show tech, what you posted is a show config that is not the same. Then I don't understand where you did the configuration change for VLAN1. We need to put order to what we are troubleshooting.

Troubleshooting WIRED interface.

I am not sure why this interface is showing down at this moment, and then you send me configuration from the Wireless interface.

Value our effort and rate the assistance!