09-22-2014 07:45 PM - edited 03-11-2019 09:48 PM
I have an ASA5505 that I am trying to integrate into our network; however, the ASA5505 won't allow our server to access the internet via our HP ProCurve Layer 3 switch. Currently, for testing purposes, only the server is connected to the switch, along with the two trunk lines to the ASA5505. What I am hoping to accomplish is: Internet -> ASA5505 -> Layer 3 Switch -> VLANs. The configuration is listed below:
Cisco ASA5505 (with Security Plus license):
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 1
!
interface Ethernet0/2
switchport trunk allowed vlan 10,20,30
switchport mode trunk
!
interface Ethernet0/3
switchport trunk allowed vlan 40,60,250
switchport mode trunk
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.80.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.2.100.2 255.255.255.0
!
interface Vlan10
no nameif
security-level 100
no ip address
!
interface Vlan20
no nameif
security-level 100
no ip address
!
interface Vlan30
no nameif
security-level 100
no ip address
!
interface Vlan40
no nameif
security-level 100
no ip address
!
interface Vlan60
no nameif
security-level 100
no ip address
!
interface Vlan250
no nameif
security-level 100
no ip address
!
object network obj_any
subnet 0.0.0.0 0.0.0.0
access-list inside_access_in extended permit ip any any
!
object network obj_any
nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 10.2.100.1 1
route inside 192.168.10.0 255.255.255.0 192.168.80.1 1
HP ProCurve E2620 Layer 3 switch:
Status and Counters - VLAN Information
Primary VLAN : DEFAULT_VLAN
VLAN ID Name | Status Voice Jumbo
------- -------------------------------- + ---------- ----- -----
1 DEFAULT_VLAN | Port-based No No
10 SERVER | Port-based No No
IP Route Entries
Destination Gateway VLAN Type Sub-Type Metric Dist.
------------------ --------------- ---- --------- ---------- ---------- -----
0.0.0.0/0 192.168.80.1 1 static 1 1
127.0.0.0/8 reject static 0 0
127.0.0.1/32 lo0 connected 1 0
192.168.10.0/24 SERVER 10 connected 1 0
192.168.20.0/24 CLIENT 20 connected 1 0
192.168.30.0/24 WIFI 30 connected 1 0
192.168.40.0/24 GUEST 40 connected 1 0
192.168.60.0/24 STORAGE 60 connected 1 0
192.168.80.0/24 DEFAULT_VLAN 1 connected 1 0
192.168.250.0/24 Manage 250 connected 1 0
Load Balancing Method: L3-based (Default), L2-based if non-IP traffic
Port | Name Type | Group Type
---- + -------------------------------- --------- + ----- --------
23 | 10/100TX | Trk2 Trunk
24 | 10/100TX | Trk1 Trunk
Status and Counters - VLAN Information
Primary VLAN : DEFAULT_VLAN
Management VLAN :
VLAN ID Name | Status Voice Jumbo
------- -------------------------------- + ---------- ----- -----
1 DEFAULT_VLAN | Port-based No No
10 SERVER | Port-based No No
20 CLIENT | Port-based No No
30 WIFI | Port-based No No
40 GUEST | Port-based No No
60 STORAGE | Port-based No No
250 Manage | Port-based No No
Switch Configuration - VLAN - VLAN Port Assignment
Port DEFAULT_VLAN SERVER CLIENT WIFI GUEST STORAGE Manage
---- + <----------- ------------ ------------ ------------ ------------ ------------ ------------
6 | No Untagged No No No No No
Trk1 | Untagged Tagged Tagged Tagged No No No
Trk2 | Untagged No No No Tagged Tagged Tagged
09-23-2014 02:47 AM
First off, what license do you have installed on the ASA (show version will tell you that)?
Second, if I remember correctly, trunk in HP terms does not mean the same as trunk in Cisco terms. In HP, a trunk refers to the bundling of interfaces into what Cisco calls EtherChannels or port-channels (which the 5505 does not support).
Also, you need to configure names for all the VLAN interfaces and either dynamic NAT for each interface, or configure a dynamic NAT that matches all the interfaces (with the any keyword):
object network obj_any
nat (any,outside) dynamic interface
--
Please remember to select a correct answer and rate helpful posts
09-23-2014 01:40 PM
Hi,
I smell a Layer 2 problem with this config, especially with VLANs.
I can see that your inside interface is linked to VLAN 1 (the default). If that is the case, then you need to mark VLAN 1 as tagged in your trunk (1 or 2).
Good luck
09-23-2014 02:38 PM
As per the HP switch output, the server is connected to VLAN 10, which has no name and therefore no NAT statement.
Add interface names to the VLANs and also add the NAT statement I provided above, and you should be able to get internet access.
--
Please remember to select a correct answer and rate helpful posts
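The two points raised in the replies above (VLAN interfaces need a nameif before they pass traffic, and the dynamic NAT must cover each named interface or use the any keyword) can be checked mechanically. This is an added example, not code from the thread or from Cisco; it runs over a constructed excerpt of the posted ASA config and assumes the plain "show run" text layout.

```python
import re

# Constructed excerpt of the ASA 5505 config posted above (trimmed to what the check reads).
ASA_CONFIG = """\
interface Ethernet0/2
 switchport trunk allowed vlan 10,20,30
!
interface Ethernet0/3
 switchport trunk allowed vlan 40,60,250
!
interface Vlan1
 nameif inside
!
interface Vlan10
 no nameif
!
object network obj_any
 nat (inside,outside) dynamic interface
"""

def parse_blocks(config):
    """Split 'show run' text into (header, [indented lines]) sections."""
    blocks, current = [], None
    for line in config.splitlines():
        if line and not line.startswith((" ", "!")):
            current = (line.strip(), [])
            blocks.append(current)
        elif line.startswith(" ") and current:
            current[1].append(line.strip())
    return blocks

def audit_vlans(config):
    """Flag trunked VLANs with no nameif, and named VLANs not covered by any dynamic NAT rule."""
    vlan_names, trunk_vlans, nat_sources = {}, set(), set()
    for header, body in parse_blocks(config):
        m = re.match(r"interface Vlan(\d+)$", header)
        if m:  # an SVI only forwards once it has a nameif; record the name or None
            name = next((ln.split()[1] for ln in body if ln.startswith("nameif ")), None)
            vlan_names[int(m.group(1))] = name
        for ln in body:
            a = re.match(r"switchport trunk allowed vlan ([\d,]+)", ln)
            if a:  # VLANs the switch can send to the ASA over this trunk port
                trunk_vlans.update(int(v) for v in a.group(1).split(","))
            n = re.match(r"nat \((\S+),\S+\) dynamic interface", ln)
            if n:  # source side of the NAT rule: an interface name or 'any'
                nat_sources.add(n.group(1))
    unnamed = sorted(v for v in trunk_vlans if not vlan_names.get(v))
    no_nat = sorted(v for v, name in vlan_names.items() if name and name != "outside"
                    and "any" not in nat_sources and name not in nat_sources)
    return {"unnamed_trunk_vlans": unnamed, "named_vlans_without_nat": no_nat}
```

On the posted config every trunked VLAN is reported as unnamed; naming Vlan10 moves it into the second list until the NAT rule is changed to the any form shown earlier in the thread.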