05-04-2013 05:41 PM - edited 03-11-2019 06:38 PM
Hi all,
I had internet before I set up LACP/trunking/VLANs between my ASA and switch; now I can't get out.
! ASA config (incomplete)
hostname asa
domain-name abc.com
!
! note: security-level 100 puts this DMZ on a par with the inside VLAN subinterfaces;
! with "same-security-traffic permit inter-interface" (below) they can all reach each other freely
interface GigabitEthernet0/1
 no shutdown
 nameif dmz
 security-level 100
 ip address 10.0.80.1 255.255.255.0
!
interface GigabitEthernet0/0
 no shutdown
 nameif outside
 security-level 0
 ip address x.x.x.188 255.255.255.248
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
nat (dmz,outside) after-auto 1 source dynamic any interface
!
! 10.0.80.0/24 is directly connected on dmz, so this static route is redundant
route dmz 10.0.80.0 255.255.255.0 10.0.80.1 10
! the management interface itself is not part of this excerpt
route management 192.168.1.0 255.255.255.0 192.168.1.1 10
route outside 0.0.0.0 0.0.0.0 x.x.x.185 1
!
logging enable
!
policy-map global_policy
 class inspection_default
  inspect icmp
!
! physical members of the inside LACP bundle
interface GigabitEthernet0/2
 no shutdown
 channel-group 1 mode active
!
interface GigabitEthernet0/4
 no shutdown
 channel-group 1 mode active
!
! the port-channel itself carries no IP; the tagged subinterfaces below do
interface Port-channel1
 no shutdown
!
! subinterface for VLAN 190
interface Port-channel1.190
 vlan 190
 nameif vlan190
 security-level 100
 ip address 10.0.90.1 255.255.255.0
 no shutdown
!
! subinterface for VLAN 191
interface Port-channel1.191
 vlan 191
 nameif vlan191
 security-level 100
 ip address 10.0.100.1 255.255.255.0
 no shutdown
!
nat (vlan190,outside) after-auto 2 source dynamic any interface
nat (vlan191,outside) after-auto 3 source dynamic any interface
! my 2960 switch config (incomplete)
!
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 190
 name vlan-190
!
vlan 191
 name vlan-191
!
interface Port-channel1
 switchport trunk allowed vlan 190,191
 switchport mode trunk
 switchport nonegotiate
!
! note: "spanning-tree portfast" only takes effect on a non-trunking port;
! on these trunk members it needs "spanning-tree portfast trunk" to do anything
interface GigabitEthernet0/1
 description asa2sw-trunk G01
 switchport trunk allowed vlan 190,191
 switchport mode trunk
 switchport nonegotiate
 channel-group 1 mode active
 spanning-tree portfast
!
interface GigabitEthernet0/2
 description asa2sw-trunk G02
 switchport trunk allowed vlan 190,191
 switchport mode trunk
 switchport nonegotiate
 channel-group 1 mode active
 spanning-tree portfast
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan190
 description vlan 190
 ip address 10.0.90.2 255.255.255.0
!
interface Vlan191
 description vlan 191
 ip address 10.0.100.2 255.255.255.0
!
! no "ip default-gateway" is configured, so the switch's own IP stack
! can only reach 10.0.90.0/24 and 10.0.100.0/24
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I can ping from the ASA to the 2960 switch and vice versa, and I can ping the internet from the ASA, but there is no internet on my switch (I can't ping 8.8.8.8 or my ISP gateway from the switch).
And if I use packet-tracer:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
asa# packet-tracer input vlan191 tcp 10.0.100.2 1025 8.8.8.8 80
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (vlan191,outside) after-auto source dynamic any interface
Additional Information:
Dynamic translate 10.0.100.2/1025 to x.x.x.188/22100
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 226, packet dispatched to next module
Result:
input-interface: vlan191
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
asa#
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
It's allowing it.
One thing I know about my test 2960 is that I can't set:
- the clock correctly; the switch just accepts the command but doesn't set it.
- spanning-tree vlan 190,191 priority 32768 (it is also just accepted, but the switch never shows it in the config).
On my ASA 5515-X it's a Security Plus license, and it says you can only trunk with that license, but if I enter "switchport trunk" or just "switchport" in interface configuration, the command is not allowed.
Thanks for any comment you may add to help with my problem.
05-06-2013 03:05 PM
The solution to this is to put "ip default-gateway 10.0.90.1" on the 2960 (Layer 2 switch).
If you set up VLAN 191 on the client, it will still work on the internet; I just don't know if I can set up a third VLAN. But I don't need a third VLAN, so I'm fine for now.
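The checks this thread boils down to (does every ASA subinterface VLAN match the trunk's allowed list, does each switch SVI sit in the ASA's subnet for that VLAN, does each inside nameif have a NAT rule towards outside, and does the switch have an ip default-gateway that is an ASA address on one of its SVI subnets), as an added example that is not part of either post: a Python script run over constructed, trimmed copies of the two configs shown above. It goes slightly beyond the thread by also flagging a missing NAT rule and a gateway that is not on an SVI subnet; the function names and finding messages are my own.

```python
"""Consistency check between the ASA port-channel subinterfaces and the
2960 trunk/SVI config facing them. Added example, not from the thread;
the config text is a constructed, trimmed copy of what the posts show."""
import ipaddress
import re

# Constructed from the post's ASA config, trimmed to the relevant lines.
ASA_CONFIG = """
interface Port-channel1.190
 vlan 190
 nameif vlan190
 ip address 10.0.90.1 255.255.255.0
interface Port-channel1.191
 vlan 191
 nameif vlan191
 ip address 10.0.100.1 255.255.255.0
nat (vlan190,outside) after-auto 2 source dynamic any interface
nat (vlan191,outside) after-auto 3 source dynamic any interface
"""

# Constructed from the 2960 config as first posted: no ip default-gateway.
SWITCH_AS_POSTED = """
interface Port-channel1
 switchport trunk allowed vlan 190,191
 switchport mode trunk
interface Vlan190
 ip address 10.0.90.2 255.255.255.0
interface Vlan191
 ip address 10.0.100.2 255.255.255.0
"""

# The same switch with the fix from the follow-up post applied.
SWITCH_FIXED = SWITCH_AS_POSTED + "ip default-gateway 10.0.90.1\n"


def _blocks(config):
    """Yield (interface name, [stripped body lines]) per 'interface' block."""
    name, body = None, []
    for line in config.splitlines():
        if line.startswith("interface "):
            if name:
                yield name, body
            name, body = line.split(None, 1)[1], []
        elif name and line.startswith(" "):
            body.append(line.strip())
        elif name:  # any top-level command ends the current block
            yield name, body
            name, body = None, []
    if name:
        yield name, body


def parse_asa(config):
    """Return ({vlan: (nameif, IPv4Interface)} for tagged subinterfaces,
    set of nameifs that have a dynamic NAT rule towards outside)."""
    subifs = {}
    for _name, body in _blocks(config):
        vlan = nameif = addr = None
        for line in body:
            if line.startswith("vlan "):
                vlan = int(line.split()[1])
            elif line.startswith("nameif "):
                nameif = line.split()[1]
            elif line.startswith("ip address "):
                ip, mask = line.split()[2:4]
                addr = ipaddress.IPv4Interface(f"{ip}/{mask}")
        if vlan is not None and addr is not None:
            subifs[vlan] = (nameif, addr)
    natted = set(re.findall(r"^nat \((\S+?),outside\)", config, re.M))
    return subifs, natted


def parse_switch(config):
    """Return (allowed trunk vlans, {vlan: SVI IPv4Interface}, default gateway or None)."""
    allowed, svis = set(), {}
    for name, body in _blocks(config):
        for line in body:
            if line.startswith("switchport trunk allowed vlan "):
                for item in line.split()[-1].split(","):  # handles "190,191" and "190-195"
                    lo, _, hi = item.partition("-")
                    allowed.update(range(int(lo), int(hi or lo) + 1))
            elif line.startswith("ip address ") and name.lower().startswith("vlan"):
                ip, mask = line.split()[2:4]
                svis[int(name[4:])] = ipaddress.IPv4Interface(f"{ip}/{mask}")
    gw = re.search(r"^ip default-gateway (\S+)", config, re.M)
    return allowed, svis, (ipaddress.IPv4Address(gw.group(1)) if gw else None)


def check(asa_config, switch_config):
    """Return a list of findings; an empty list means the two sides agree."""
    subifs, natted = parse_asa(asa_config)
    allowed, svis, gateway = parse_switch(switch_config)
    findings = []
    for vlan, (nameif, addr) in sorted(subifs.items()):
        if vlan not in allowed:
            findings.append(f"vlan {vlan}: ASA subinterface exists but the trunk does not allow it")
        if nameif not in natted:
            findings.append(f"vlan {vlan}: no nat ({nameif},outside) rule, so hosts get no PAT")
        svi = svis.get(vlan)
        if svi is not None and svi.network != addr.network:
            findings.append(f"vlan {vlan}: SVI {svi} is not in the ASA subnet {addr.network}")
    for vlan in sorted(allowed - set(subifs)):
        findings.append(f"vlan {vlan}: allowed on the trunk but the ASA has no subinterface for it")
    if gateway is None:
        findings.append("switch has no ip default-gateway, so it can only reach its own subnets")
    elif not any(svi.network == addr.network and gateway == addr.ip
                 for svi in svis.values() for _, addr in subifs.values()):
        findings.append(f"ip default-gateway {gateway} is not an ASA address on an SVI subnet")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", SWITCH_AS_POSTED), ("with fix", SWITCH_FIXED)):
        print(f"{label}: {check(ASA_CONFIG, cfg) or ['OK']}")
```

Run against the switch config as first posted, the only finding is the missing ip default-gateway, which matches the packet-tracer result: the ASA side was already forwarding and translating correctly, and the switch's own IP stack simply had nowhere to send off-subnet packets. With the default-gateway line added, the check comes back clean.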