07-25-2015 08:24 AM - edited 03-11-2019 11:19 PM
Need help in configuring internet access for a particular sub-net on an ASA 5525 firewall.
I am pretty new to ASA. From the configuration, all subnets are in separate VLANs and all the VLANs configured have internet access. I introduced a new VLAN and there is no internet access for devices in that VLAN.
A portion of my ASA config is as follows:
object network INSIDE
subnet 0.0.0.0 0.0.0.0
object network obj-XX.XXX.XXX..0
subnet XX.XXX.XXX.0 XXX.XXX.XXX.0
object network NETWORK_OBJ_XX.XXX.XX.XX_24
subnet XX.XXX.XXX.0 XXX.255.255.0
description
object network NETWORK_OBJ_
subnet XX.XX.XXX.0 XXX.XXX.XX.0
description VPN
object network NETWORK_OBJ_VLAN
subnet XXX.XX.XX.0 XX.XX.252.0
description VLAN20
object network NETWORK_OBJ_VLAN60
subnet XXX.XXX.XXX.0 XXX.XXX.XXX.0
description VLAN60
object network NETWORK_OBJ_VLAN62
subnet XXX.XXX.XXX.0 255.255.255.0
description VLAN62
07-25-2015 08:58 AM
Please share which subnet/VLAN is not able to access the internet and also share the NAT rules configured on the firewall.
Regards.
Dinesh Moudgil
P.S. Please rate helpful posts.
07-25-2015 12:59 PM
The subnet/vlan not able to access internet is:
object network NETWORK_OBJ_VLAN25
subnet 192.168.100.0 255.255.255.254
description VLAN25
This config was entered by me:
ASA1(config)# object network NETWORK_OBJ_VLAN25
ASA1(config-network-object)# subnet 192.168.100.0 255.255.254.0
ASA1(config-network-object)# description VLAN 25
ASA1(config-network-object)# end
ASA1# conf t
ASA1(config)# route inside 192.168.100.0 255.255.254.0 XX.XX.XX.X 1
ASA1(config)# end
These are the commands for NAT in the firewall:
nat (inside,outside) source static VPN-xxxxxxx-NETWORKS destination static VPN-XXXXXXXX no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.255.255.0_24 NETWORK_OBJ_10.255.255.0_24
!
object network INSIDE
nat (inside,outside) dynamic interface
07-25-2015 01:14 PM
Are you using subinterfaces on the ASA to connect to the VLANs / subnets on the local LAN, or is it just a single routed interface between the ASA and a layer 3 switch or router on the LAN?
Could you post the output of show int ip brief? Remember to remove any public IPs from the configuration that you post.
--
Please remember to select a correct answer and rate helpful posts
07-25-2015 02:29 PM
I believe there are subinterfaces on the ASA to connect to the VLANs. The ASA is directly connected to a 3560 switch and the config is as follows:
interface Port-channel30
description po towards Firewall-1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 300,666
switchport mode trunk
spanning-tree portfast
inside interface config on the ASA is as follows:
interface Port-channel1.300
vlan 300
nameif inside
security-level 100
I don't have access to the ASA right now to display the output of sh int ip brief.
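As an added example (not code from the thread), here is a small cross-check of the two fragments posted above: it lists the VLANs the ASA carries on subinterfaces, the VLANs referenced by ASA network objects, and the VLANs the 3560 trunk allows, then reports VLANs that have a network object but no ASA subinterface, and VLANs the ASA references that the trunk does not carry. The two configs are constructed from the posted fragments (the masked objects are omitted, and only the interface lines shown in the thread are included); the function names are my own.

```python
"""Cross-check ASA subinterfaces / network objects against a switch trunk.

Added example, not from the thread. Both configs below are constructed from
the fragments posted above; masked objects and addresses are left out.
"""
import re

# Constructed from the OP's posts: the Po1.300 subinterface and the VLAN25 object.
ASA_CONFIG = """\
interface Port-channel1.300
 vlan 300
 nameif inside
 security-level 100
object network NETWORK_OBJ_VLAN25
 subnet 192.168.100.0 255.255.254.0
 description VLAN25
"""

# Constructed from the OP's 3560 port-channel towards the firewall.
SWITCH_CONFIG = """\
interface Port-channel30
 description po towards Firewall-1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 300,666
 switchport mode trunk
 spanning-tree portfast
"""


def _stanzas(cfg):
    """Yield (header, body_lines) per top-level stanza: a header starts in
    column 0, its body lines are indented (IOS/ASA running-config layout)."""
    header, body = None, []
    for line in cfg.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0].isspace():
            body.append(line.strip())
        else:
            if header is not None:
                yield header, body
            header, body = line.strip(), []
    if header is not None:
        yield header, body


def asa_subinterface_vlans(cfg):
    """VLAN IDs carried by ASA subinterfaces ('vlan N' under 'interface X.N')."""
    vlans = set()
    for header, body in _stanzas(cfg):
        if header.startswith("interface "):
            for line in body:
                m = re.fullmatch(r"vlan (\d+)", line)
                if m:
                    vlans.add(int(m.group(1)))
    return vlans


def asa_object_vlans(cfg):
    """Map VLAN ID -> network object name, read from the object name or its
    description (NETWORK_OBJ_VLAN25 / 'description VLAN 25')."""
    result = {}
    for header, body in _stanzas(cfg):
        if not header.startswith("object network "):
            continue
        name = header.split(None, 2)[2]
        m = re.search(r"VLAN\s*(\d+)", " ".join([name] + body), re.IGNORECASE)
        if m:
            result[int(m.group(1))] = name
    return result


def _expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '10-12,20' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def trunk_allowed_vlans(cfg, interface):
    """VLANs allowed on a trunk, honouring 'allowed vlan X', 'add X', 'remove X',
    'all' and 'none'. Returns None when unrestricted (IOS default: all VLANs)."""
    allowed = None
    for header, body in _stanzas(cfg):
        if header != f"interface {interface}":
            continue
        for line in body:
            m = re.fullmatch(r"switchport trunk allowed vlan(?: (add|remove))? (.+)", line)
            if not m:
                continue
            verb, spec = m.group(1), m.group(2)
            if verb is None:
                allowed = None if spec == "all" else set() if spec == "none" else _expand_vlan_list(spec)
            elif verb == "add":
                allowed = (allowed or set()) | _expand_vlan_list(spec)
            elif allowed is not None:  # remove
                allowed -= _expand_vlan_list(spec)
    return allowed


def find_gaps(asa_cfg, switch_cfg, trunk):
    """VLANs with an ASA object but no ASA subinterface, and VLANs the ASA
    references (object or subinterface) that the trunk does not carry."""
    subifs = asa_subinterface_vlans(asa_cfg)
    objects = asa_object_vlans(asa_cfg)
    allowed = trunk_allowed_vlans(switch_cfg, trunk)
    referenced = subifs | set(objects)
    return {
        "no_subinterface": sorted(v for v in objects if v not in subifs),
        "not_on_trunk": sorted(v for v in referenced if allowed is not None and v not in allowed),
    }


if __name__ == "__main__":
    print(find_gaps(ASA_CONFIG, SWITCH_CONFIG, "Port-channel30"))
```

On the posted fragments this reports VLAN 25 under both headings: the ASA only has a subinterface for VLAN 300, and the trunk only carries 300 and 666. Note that the check reads the trunk's `allowed vlan` list literally, so a trunk that was later widened with `switchport trunk allowed vlan add` is handled, while `except` is not.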
07-26-2015 10:13 AM
Since you are using subinterfaces on the ASA for your VLANs, you would just need to create a new subinterface and configure it to be in the new VLAN along with a security-level, interface name, and an IP address. Also remember to issue the no shutdown command.
Then make sure that the switch at the other end is allowing that VLAN over the trunk link.
interface Port-channel30
switchport trunk allowed vlan add <VLAN number>
--
Please remember to select a correct answer and rate helpful posts
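The two steps above, written out as an added example (not configuration from the thread or from either poster). It assumes the parent interface is Port-channel1 (as in the posted Po1.300), that the new VLAN is 25 with the 192.168.100.0/23 subnet from the OP's route statement, that the ASA takes 192.168.100.1 as its address on that VLAN, and that the new interface is named vlan25; all of those are assumptions. It also adds the NAT rule the new interface needs: the existing object INSIDE (subnet 0.0.0.0 0.0.0.0 with nat (inside,outside) dynamic interface) is bound to the interface pair inside/outside, so it does not match traffic that enters the ASA on the new subinterface.

```cisco
! ---- ASA: new subinterface for VLAN 25 (assumed values, see lead-in) ----
interface Port-channel1.25
 description VLAN25
 vlan 25
 nameif vlan25
 security-level 100
 ip address 192.168.100.1 255.255.254.0
 no shutdown
!
! The OP's object, with the /23 mask used in the route statement
object network NETWORK_OBJ_VLAN25
 subnet 192.168.100.0 255.255.254.0
 description VLAN25
!
! PAT for hosts in VLAN 25 leaving via outside. The existing
! "object network INSIDE / nat (inside,outside) dynamic interface" rule only
! matches packets that arrive on the interface named "inside", so the new
! interface needs its own rule (or change the existing one to (any,outside)).
object network NETWORK_OBJ_VLAN25
 nat (vlan25,outside) dynamic interface
!
! ---- 3560: carry VLAN 25 on the trunk towards the firewall ----
! Use "add"; "switchport trunk allowed vlan 25" on its own would replace the
! list and drop VLANs 300 and 666 from the trunk.
interface Port-channel30
 switchport trunk allowed vlan add 25
```

Two checks after applying this: the static route the OP added for 192.168.100.0/23 via the inside next hop should be removed once the subnet is directly connected on Port-channel1.25, otherwise the connected route and the static route compete for the same prefix; and if the existing inside interface has an access-list applied with access-group, the new interface either needs an equivalent access-group or will rely on the default behaviour of a security-level 100 interface, which permits traffic towards lower-security interfaces such as outside. Confirm with show interface ip brief and show nat that the subinterface is up and that the new rule is counting translations.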