ASA only allows native vlan on 3350 switch to Internet

sediq2000
Level 1

Hello everyone,

I have a 3550 Layer 3 switch with 2 SVIs connected to an ASA 5506. I don't know what I'm doing wrong, but the ASA is allowing only the native VLAN of the 3550 switch to the Internet. I cannot get to the Internet from the hosts on the two VLANs; I can ping the ASA. The two SVIs have the IP addresses 172.16.77.0/24 and 172.16.44.0/24. Here is the config of my ASA.

Any help would be greatly appreciated.

ASA Version 9.6(1)
!
hostname ******
domain-name Mydomain.local
enable password
names
zone InsideOut

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet1/2
nameif inside
security-level 100
zone-member InsideOut
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
description Domain
nameif Mydomain
security-level 100
zone-member InsideOut
ip address 192.168.20.22 255.255.255.252
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name Mydomain.local
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Mydomain
subnet 172.16.0.0 255.255.0.0
description Business
object-group network DM_INLINE_NETWORK_1
network-object 192.168.20.20 255.255.255.252
network-object object Mydomain
access-list Mydomain_access_in extended permit ip object-group DM_INLINE_NETWORK_1 any
access-list inside_access_in remark Allow Managment Outbound
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500

icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (any,outside) source dynamic Mydomain interface inactive
!
object network obj_any
nat (any,outside) dynamic interface
access-group inside_access_in in interface inside
access-group Mydomain_access_in in interface Intergalactica
router eigrp 100
network 192.168.20.0 255.255.255.0
!
route Mydomain 172.16.0.0 255.255.0.0 192.168.20.21 1
route Mydomain 172.16.44.0 255.255.255.0 192.168.20.21 1
route Mydomain 172.16.76.0 255.255.255.0 192.168.20.21 1
route Mydomain 172.16.77.0 255.255.255.0 192.168.20.21 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 172.16.77.0 255.255.255.255 Mydomain
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
fqdn none
subject-name CN=192.168.1.1,CN=****
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_1
enrollment self
fqdn none
subject-name CN=192.168.1.1,CN=*******

5 Replies

Marvin Rhoads
Hall of Fame

If you want the ASA to recognize the VLAN tags, you need to create subinterfaces on the ASA physical interface.

When you do that, you assign each a VLAN ID and it will recognize traffic tagged thus.

Hi Marvin,

I have two SVIs created on a Layer 3 switch; the SVI is the gateway for the different computers in the subnet, and the link between the Layer 3 switch and the ASA is set to a Layer 3 port (it has a /30 IP address assigned to it). I have configured a default gateway on the Layer 3 switch pointing to the ASA's inside port, and I can ping the ASA's inside port. What I don't understand is why I would need a subinterface on the ASA for VLANs?

I did add a static route to each SVI on the ASA.

Thanks

Ah OK, you are using an L3 interface on the switch - I assumed a switchport.

If the switch is operating at L3 then it needs to have a default route defined, not a default-gateway, i.e.:

ip route 0.0.0.0 0.0.0.0 192.168.20.22

....on the switch

When you ping without that, the source address on the switch is your routed port which knows the path due to it being a connected interface.

Sorry, I meant to say it does have a default route pointing to the ASA inside interface. The problem I'm facing, if you look at my ASA config, is that the ASA only allows the native VLAN on the Layer 3 switch to the Internet. I'm new to ASA and don't know what I'm doing wrong.

Ok, got it. I was focusing on your interface and routing setup towards the inside.

I notice you have no default route so the Internet writ large would not have a path out of the ASA unless you are learning a default route via EIGRP.

"show route" to check if you are learning a default route. If not, you need to add one.

Your NAT looks ok:

nat (any,outside) dynamic interface

Your access-list is ok, albeit unnecessary:

access-list inside_access_in extended permit ip any any
access-group inside_access_in in interface inside

(By default, an ASA permits traffic from high security to lower security interfaces unless there is an ACL applied, in which case the ACL dictates the policy.)

You didn't share your service policy configuration but if you are not inspecting icmp, ping won't work through the firewall.

The ASA has a tool called packet-tracer. You can run it to check how a given packet will be treated as it is processed by the ASA. For instance, try:

packet-tracer input inside tcp 172.16.77.1 1025 8.8.8.8 53

...for example to test a Google public DNS lookup from one of your internal addresses. (Or substitute any other 5-tuple you want.)
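The checks Marvin walks through above (is there a default route, is the NAT rule active, is each access-group bound to a real nameif, is ICMP inspected) can be run offline against a saved `show running-config` before reaching for packet-tracer. The script below is an added example written for this thread, not Cisco code and not part of the original posts. It audits a constructed excerpt modelled on the configuration posted above; the parser is deliberately tolerant of the lost indentation in a pasted config. One caveat it encodes: `ip address dhcp setroute` on the outside interface installs a default route learned from the DHCP server, so the script reports that as a DHCP-sourced default route rather than a missing one, and tells you to confirm it with `show route`.

```python
import re

# Constructed excerpt modelled on the posted ASA configuration (not the full config).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
 nameif Mydomain
 security-level 100
 ip address 192.168.20.22 255.255.255.252
!
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network Mydomain
 subnet 172.16.0.0 255.255.0.0
access-list inside_access_in extended permit ip any any
nat (any,outside) source dynamic Mydomain interface inactive
object network obj_any
 nat (any,outside) dynamic interface
access-group inside_access_in in interface inside
access-group Mydomain_access_in in interface Intergalactica
route Mydomain 172.16.0.0 255.255.0.0 192.168.20.21 1
"""


def parse_interfaces(config):
    """Map each physical interface to its nameif and whether it uses 'dhcp setroute'.

    Lines are stripped so the parser also copes with configs whose indentation
    was lost when pasted; an interface block ends at the next '!' or blank line.
    """
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"nameif": None, "setroute": False}
        elif line == "!" or not line:
            current = None
        elif current is not None:
            if line.startswith("nameif "):
                interfaces[current]["nameif"] = line.split()[1]
            elif line.startswith("ip address") and "setroute" in line.split():
                interfaces[current]["setroute"] = True
    return interfaces


def audit(config):
    """Return a list of (severity, message) findings for the outbound-Internet path."""
    findings = []
    ifaces = parse_interfaces(config)
    nameifs = {v["nameif"] for v in ifaces.values() if v["nameif"]}
    lines = [l.strip() for l in config.splitlines()]

    # 1. Default route: static 'route <nameif> 0.0.0.0 0.0.0.0 ...' or DHCP 'setroute'.
    static_default = [l for l in lines if re.match(r"route \S+ 0\.0\.0\.0 0\.0\.0\.0 ", l)]
    dhcp_default = [k for k, v in ifaces.items() if v["setroute"]]
    if static_default:
        findings.append(("info", "static default route: " + static_default[0]))
    elif dhcp_default:
        findings.append(("info", "default route expected via DHCP setroute on "
                         + ", ".join(dhcp_default) + "; confirm with 'show route'"))
    else:
        findings.append(("error", "no default route configured; add one or learn it dynamically"))

    # 2. Every access-group must bind to a nameif that actually exists.
    for l in lines:
        m = re.match(r"access-group (\S+) in interface (\S+)$", l)
        if m and m.group(2) not in nameifs:
            findings.append(("error", f"access-group {m.group(1)} bound to unknown interface '{m.group(2)}'"))

    # 3. Flag NAT rules that are configured but switched off with 'inactive'.
    for l in lines:
        if l.startswith("nat ") and l.endswith(" inactive"):
            findings.append(("warn", "inactive NAT rule: " + l))

    # 4. There must be at least one active NAT rule towards the outside interface.
    if not any(l.startswith("nat ") and "outside" in l and not l.endswith(" inactive") for l in lines):
        findings.append(("error", "no active NAT rule towards outside"))

    # 5. Without 'inspect icmp' in the service policy, echo replies are not allowed back in.
    if "inspect icmp" not in lines:
        findings.append(("warn", "no 'inspect icmp' in the supplied config; ping through the ASA "
                         "will fail unless the service policy (not shown) inspects icmp"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run it with the full saved config instead of the embedded excerpt to get the same report for a real box; packet-tracer then confirms the per-flow decision on the ASA itself.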
