ASA5510 - How can I get the ESXi server and its virtual machines to connect to the Internet, please?

Ventana.Hills
Level 1

Only devices on the DATA VLAN 200 can access the internet.

How do I get devices on the Server VLAN 100 and Voice VLAN 120 to connect to the Internet?


Please refer to the drawing.

 

 

31 Replies

Andre Neethling
Level 4

Can you share your config? Where are you doing NAT and inter-vlan routing?

Please see config files for ASA5510 and SW1 attached.

 

Please note: replace the subnets in the diagram as follows:

 

  • 172.16.130.0 /24 with Server VLAN 172.16.100.0 /24 and
  • 172.16.120.0 /24 with Voice VLAN 172.16.150.0 /24

 

Voice VLAN 150

IP 172.16.150.0 /24 (IP Phones)

 

DATA VLAN

IP 172.16.200.0 /24 (this where ASA5510 is)

 

SERVER VLAN (ESXi and VMs )

Subnet IP 172.16.100.0 /24

 

ESXi =     .100

VM_1 =    .101

VM_2 =    .103

VM_3 =    .105

VM_4 =    .109 (MS_2008_R2)

___________________________________________

Sorry, I think I attached an empty file for the Sw1 config log.

 

 

IP 172.16.100.0 /24  Default gateway IP 172.16.100.1

 

IP 172.16.150.0 /24  Default gateway IP 172.16.150.1

 

IP 172.16.200.0 /24 Default gateway IP 172.16.200.1

 

P.S.: These are int vlan100, int vlan150, int vlan200.

Okay, I originally thought the issue was that all VLANs are routed by the L3 switch and the default route on the L3 switch points to the VLAN 200 interface, which means your VLAN 100 and VLAN 150 interfaces on the ASA aren't doing anything, and so when traffic gets back to the ASA from the internet and it tries to send traffic to VLAN 100 or VLAN 150 it has no route.

But I just checked the ASA configuration guide and it says the return traffic will use the existing xlate entry to select the egress interface so it should just send it back the way it came.

Can you do the following and post the outputs -

"packet-tracer input DATA tcp 172.16.200.10 12345 8.8.8.8 www"

I just want the above output for comparison with the next outputs -

"packet-tracer input SERVERS tcp 172.16.100.10 12345 8.8.8.8 www"

Jon
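As an added example (not part of Jon's post or of any Cisco documentation), here is a small Python script that does the comparison Jon is asking for: it parses two packet-tracer outputs, one per source interface, and reports the first phase whose result differs, which is where the SERVERS path stops being treated like the DATA path. The two traces embedded in it are constructed for the example (the DATA_in ACL name is invented, and a DROP at the ACCESS-LIST phase on the implicit rule is only one possible outcome, not the OP's actual result); only the interface names DATA and SERVERS come from the thread.

```python
"""Diff two ASA packet-tracer outputs and report the first phase where they differ."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample output (not captured from the OP's ASA): only the interface
# names DATA and SERVERS come from the thread; the ACL name is made up.
DATA_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DATA_in in interface DATA

Result:
input-interface: DATA
output-interface: outside
Action: allow
"""

SERVERS_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
Implicit Rule

Result:
input-interface: SERVERS
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    detail: List[str] = field(default_factory=list)  # Config / Additional Information lines

Trace = Tuple[List[Phase], Dict[str, str]]  # phases, plus the block after the final "Result:"

PHASE_HDR = re.compile(r"^Phase:\s*(\d+)$")
KEYVAL = re.compile(r"^([A-Za-z][\w-]*):\s*(.*)$")  # "Type: NAT", "Action: drop", ...

def parse_packet_tracer(text: str) -> Trace:
    phases: List[Phase] = []
    summary: Dict[str, str] = {}
    current: Optional[Phase] = None
    in_summary = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("Config:", "Additional Information:"):
            continue
        if (m := PHASE_HDR.match(line)):
            current = Phase(int(m.group(1)))
            phases.append(current)
            in_summary = False
        elif line == "Result:":  # a bare "Result:" opens the final summary block
            in_summary, current = True, None
        elif (kv := KEYVAL.match(line)) and in_summary:
            summary[kv.group(1)] = kv.group(2)
        elif current is None:
            continue  # banner text before Phase 1
        elif kv and kv.group(1) in ("Type", "Subtype", "Result"):
            setattr(current, kv.group(1).lower(), kv.group(2))
        else:
            current.detail.append(line)
    return phases, summary

def first_divergence(a: Trace, b: Trace) -> Optional[str]:
    """First phase (or the final action) where two traces disagree; None if they match."""
    (pa_list, sa), (pb_list, sb) = a, b
    for pa, pb in zip(pa_list, pb_list):
        if (pa.type, pa.subtype, pa.result) != (pb.type, pb.subtype, pb.result):
            return f"phase {pa.number}: {pa.type}/{pa.subtype} {pa.result} vs {pb.result}"
    if len(pa_list) != len(pb_list):
        p = max(pa_list, pb_list, key=len)[min(len(pa_list), len(pb_list))]
        return f"phase {p.number}: {p.type}/{p.subtype} present in only one trace"
    if sa.get("Action") != sb.get("Action"):
        return f"final action: {sa.get('Action')} vs {sb.get('Action')}"
    return None

if __name__ == "__main__":
    data, servers = parse_packet_tracer(DATA_TRACE), parse_packet_tracer(SERVERS_TRACE)
    print(first_divergence(data, servers), "|", servers[1].get("Drop-reason"))
```

Paste the real outputs into the two strings and run it. Because packet-tracer walks the same phases (route lookup, ACL, NAT, inspection, flow creation) for every simulated packet, the phase at which the two traces first disagree usually names the feature that is configured for one interface and not the other, which tells you more than the final Action line on its own.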

Jon,

 

What commands do you want me to enter on the ASA5510? So sorry, I am new to all this.

 

Edge5510# traceroute 8.8.8.8 source VOICE numeric port 12345

Type escape sequence to abort.
Tracing the route to 8.8.8.8

 1   *  *  *
 2   *  *  *
 3   *  *  *
 4   *  *  *
 5   *  *  *

 

Edge5510# traceroute 8.8.8.8

Type escape sequence to abort.
Tracing the route to 8.8.8.8

 1  104.183.194.198 10 msec 0 msec 0 msec
 2   *  *  *
 3  99.134.205.80 20 msec 20 msec 20 msec
 4  99.134.205.60 20 msec 20 msec 20 msec
 5  12.83.114.17 30 msec
    12.83.114.9 20 msec
    12.83.114.17 30 msec
 6  12.122.96.81 30 msec 30 msec 40 msec
 7  12.252.250.6 90 msec 90 msec 80 msec
 8  209.85.241.49 40 msec
    209.85.248.97 30 msec 30 msec
 9  66.249.95.99 40 msec
    64.233.175.195 30 msec
    209.85.240.231 30 msec
 10 8.8.8.8 40 msec 30 msec 40 msec

 

Edge5510# traceroute 8.8.8.8 source SERVERS

Type escape sequence to abort.
Tracing the route to 8.8.8.8

 1   *  *  *
 2   *  *  *
 3   *  *  *
 4   *  *  *
 5   *  *  *
 6   *  *  *
 7   *  *  *
 8   *  *  *
 9   *  *  *
 10  *  *  *
 11  *  *  *
 12  *  *  *
 13  *  *  *
 14  *  *  *
 15  *  *  *
 16  *  *  *
 17  *  *  *
 18  *  *  *
 19  *  *  *
 20  *  *  *
 21  *  *  *
 22  *  *  *
 23  *  *  *
 24  *  *  *
 25  *  *  *
 26  *  *  *
 27  *  *  *
 28  *  *  *
 29  *  *  *
 30  *  *  *
Edge5510# %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 14 per second, max configured rate is 10; Current average rate is 1 per second, max configured rate is 5; Cumulative total count is 801
%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 1 per second, max configured rate is 5; Cumulative total count is 980
%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 12 per second, max configured rate is 10; Current average rate is 2 per second, max configured rate is 5; Cumulative total count is 1216

Edge5510#

 

I have downloaded wireshark. Will try capturing that way...

 

Hi Ventana. I noticed your gateways for all your VLANs terminate on the switch. This is good in my opinion. Your NAT statement on the ASA looks good too. I see an issue with your default route on the switch, and your subinterfaces on the ASA. I would much rather do the following.

  • remove the VLAN subinterfaces from the ASA. They are not required in my opinion because you are doing routing on your layer 3 switch.
  • the link between the switch and ASA must not be a trunk
  • you must assign an IP address to the uplink ASA and switch ports
  • make the link between the switch and ASA its own subnet (point to point /30)
  • make the default route on your switch the next hop to the ASA

If you require specific Firewall policies for each VLAN then I would move the gateways for each VLAN to the ASA subinterfaces.

 

Let me know if you require assistance with the actual config.

Regards

Andre

PS. What is the internet link from the switch to the router for, if you are using the ASA for internet access?

Andre, I think I require assistance with the actual config.

 

P.S. - All the routers are connected to SW1, the production switch (I have 3 routers I plan to use for a CME lab).

 

You can ignore it; the ROUTER is for the NTP server when installing the CUCM and CUC VM servers.

 

Kindly,

Is this what you were referring to? Please ignore it, I just deleted it.

 

!
interface FastEthernet0/23
 description R3 Gi0/1 (Trunk)
 no switchport
 ip address 172.16.90.91 255.255.255.0
!

 

Thank you kindly,
 

Ok... try this

ASA

! x.x.x.x is the ASA end of the new /30, y.y.y.y is the switch end
conf t
 no interface Ethernet0/1.30
 no interface Ethernet0/1.100
 no interface Ethernet0/1.150
 no interface Ethernet0/1.200
 interface Ethernet0/1
  nameif INSIDE
  security-level 100
  ip address x.x.x.x 255.255.255.252
 route INSIDE 172.16.100.0 255.255.255.0 y.y.y.y
 route INSIDE 172.16.150.0 255.255.255.0 y.y.y.y
 route INSIDE 172.16.200.0 255.255.255.0 y.y.y.y

Switch

conf t
 interface FastEthernet0/24
  description link to ASA
  no switchport
  ip address y.y.y.y 255.255.255.252
 ip route 0.0.0.0 0.0.0.0 x.x.x.x
 no ip route 0.0.0.0 0.0.0.0 172.16.200.10

This should work. Let me know how it goes.

What does that error mean? ASA5510 is logging that error. I will enter the config you sent me, right away.  Thank you kindly

 

 

Edge5510# %ASA-4-106023: Deny udp src outside:68.94.157.1/53 dst DATA:172.16.200.15/58776 by access-group "inbound" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:68.94.156.1/53 dst DATA:172.16.200.15/49902 by access-group "inbound" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:68.94.156.1/53 dst DATA:172.16.200.15/58776 by access-group "inbound" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:68.94.157.1/53 dst DATA:172.16.200.15/49902 by access-group "inbound" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:68.94.157.1/53 dst DATA:172.16.200.15/55267 by access-group "inbound" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:68.94.157.1/53 dst DATA:172.16.200.15/57510 by access-group "inbound" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:68.94.156.1/53 dst DATA:172.16.200.15/49902 by access-group "inbound" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:68.94.156.1/53 dst DATA:172.16.200.15/58776 by access-group "inbound" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:68.94.157.1/53 dst DATA:172.16.200.15/58776 by access-group "inbound" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:68.94.157.1/53 dst DATA:172.16.200.15/49902 by access-group "inbound" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:68.94.156.1/53 dst DATA:172.16.200.15/55267 by access-group "inbound" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:68.94.156.1/53 dst DATA:172.16.200.15/57510 by access-group "inbound" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:68.94.156.1/53 dst DATA:172.16.200.15/53897 by access-group "inbound" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:68.94.156.1/53 dst DATA:172.16.200.15/57510 by access-group "inbound" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:68.94.156.1/53 dst DATA:172.16.200.15/55267 by access-group "inbound" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:68.94.157.1/53 dst DATA:172.16.200.15/53897 by access-group "inbound" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:68.94.156.1/53 dst DATA:172.16.200.15/57870 by access-group "inbound" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:68.94.157.1/53 dst DATA:172.16.200.15/57870 by access-group "inbound" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:68.94.156.1/53 dst DATA:172.16.200.15/64102 by access-group "inbound" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:68.94.156.1/53 dst DATA:172.16.200.15/49178 by access-group "inbound" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:68.94.157.1/53 dst DATA:172.16.200.15/49178 by access-group "inbound" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:68.94.157.1/53 dst DATA:172.16.200.15/64102 by access-group "inbound" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:68.94.156.1/53 dst DATA:172.16.200.15/64102 by access-group "inbound" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:68.94.156.1/53 dst DATA:172.16.200.15/49178 by access-group "inbound" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:68.94.157.1/53 dst DATA:172.16.200.15/64102 by access-group "inbound" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:68.94.157.1/53 dst DATA:172.16.200.15/49178 by access-group "inbound" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:68.94.156.1/53 dst DATA:172.16.200.15/49494 by access-group "inbound" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:68.94.156.1/53 dst DATA:172.16.200.15/53793 by access-group "inbound" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:68.94.157.1/53 dst DATA:172.16.200.15/49494 by access-group "inbound" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:68.94.157.1/53 dst DATA:172.16.200.15/53793 by access-group "inbound" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:68.94.156.1/53 dst DATA:172.16.200.15/53793 by access-group "inbound" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:68.94.156.1/53 dst DATA:172.16.200.15/49494 by access-group "inbound" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:68.94.157.1/53 dst DATA:172.16.200.15/49494 by access-group "inbound" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:68.94.157.1/53 dst DATA:172.16.200.15/53793 by access-group "inbound" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:68.94.156.1/53 dst DATA:172.16.200.15/51169 by access-group "inbound" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:68.94.156.1/53 dst DATA:172.16.200.15/51169 by access-group "inbound" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:68.94.156.1/53 dst DATA:172.16.200.15/57037 by access-group "inbound" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:68.94.157.1/53 dst DATA:172.16.200.15/57037 by access-group "inbound" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:68.94.157.1/53 dst DATA:172.16.200.15/57037 by access-group "inbound" [0x0, 0x0]
 

That's your ASA dropping DNS traffic from 68.94.157.1
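As an added example (not from Andre's reply), here is a short Python triage script for these %ASA-4-106023 lines. The six sample lines are copied from the post above; the seventh, a TCP/445 probe from 198.51.100.7 (a documentation address), is constructed to show the other class. The classification rule is this example's own heuristic, not an ASA feature: a packet arriving on outside from a service port (53 here) to a high port has the shape of an answer to a request, and the ASA only admits such an answer when it matches a connection it created for the outgoing request, so answers denied by the outside ACL mean the request did not create a connection on this firewall (it left by another path, or the entry was already gone). Those are worth separating from genuine inbound attempts before anyone loosens the "inbound" ACL to make the messages stop.

```python
"""Triage %ASA-4-106023 deny messages: replies with no matching connection vs. inbound attempts."""
import re
from collections import Counter
from typing import Dict, NamedTuple, Optional

# The first six lines are copied from the post above; the seventh is constructed
# (198.51.100.7 is a documentation address) to show the other class.
SAMPLE_LOG = """\
%ASA-4-106023: Deny udp src outside:68.94.157.1/53 dst DATA:172.16.200.15/58776 by access-group "inbound" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:68.94.156.1/53 dst DATA:172.16.200.15/49902 by access-group "inbound" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:68.94.156.1/53 dst DATA:172.16.200.15/58776 by access-group "inbound" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:68.94.157.1/53 dst DATA:172.16.200.15/49902 by access-group "inbound" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:68.94.157.1/53 dst DATA:172.16.200.15/55267 by access-group "inbound" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:68.94.157.1/53 dst DATA:172.16.200.15/57510 by access-group "inbound" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:198.51.100.7/51234 dst DATA:172.16.200.15/445 by access-group "inbound" [0x0, 0x0]
"""

DENY_RE = re.compile(
    r'%ASA-4-106023: Deny (?P<proto>\w+) '
    r'src (?P<src_ifc>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) '
    r'dst (?P<dst_ifc>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)

class Denied(NamedTuple):
    proto: str
    src_ifc: str
    src_ip: str
    src_port: int
    dst_ifc: str
    dst_ip: str
    dst_port: int
    acl: str

def parse_106023(line: str) -> Optional[Denied]:
    m = DENY_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return Denied(g["proto"], g["src_ifc"], g["src_ip"], int(g["src_port"]),
                  g["dst_ifc"], g["dst_ip"], int(g["dst_port"]), g["acl"])

EPHEMERAL_MIN = 1024  # heuristic: ports at or above this are treated as client-side ports

def classify(d: Denied, untrusted_ifc: str = "outside") -> str:
    if d.src_ifc != untrusted_ifc:
        return "other"
    if d.src_port < EPHEMERAL_MIN <= d.dst_port:
        # Service port answering an ephemeral port: the shape of a reply to a
        # request that left the inside, but the ASA had no connection entry to
        # match it against (the request did not cross this firewall, or its
        # entry was already gone), so the interface ACL evaluated and denied it.
        return "reply_without_conn"
    if d.dst_port < EPHEMERAL_MIN:
        # Ephemeral port to a service port from the untrusted side: an
        # unsolicited inbound attempt, which is what the ACL exists to stop.
        return "inbound_attempt"
    return "other"

def summarize(lines) -> Dict[str, object]:
    classes: Counter = Counter()
    talkers: Counter = Counter()
    for line in lines:
        d = parse_106023(line)
        if d is None:
            continue
        c = classify(d)
        classes[c] += 1
        talkers[(c, d.src_ip, d.src_port, d.dst_ip)] += 1
    return {"classes": dict(classes), "talkers": talkers.most_common(3)}

if __name__ == "__main__":
    for k, v in summarize(SAMPLE_LOG.splitlines()).items():
        print(k, v)
```

Rather than opening UDP/53 inbound, the follow-up checks for the first class are show conn and show xlate for 172.16.200.15 while it is resolving names, and a packet-tracer input DATA udp 172.16.200.15 53000 68.94.157.1 53 to confirm that the client's outbound query actually builds a connection on this ASA.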

ASA5510 can ping the internet successfully.

ASA5510 Ethernet0/1
 ip address 172.16.220.254 255.255.255.252

Sw1 fa0/24
 ip address 172.16.220.253 255.255.255.252

 

pings are successful between ASA5510 and Sw1

ASA5510 can ping the internet (8.8.8.8) and SW1 successfully, BUT

SW1 can only ping ASA5510 but CANNOT ping internet 8.8.8.8 or 4.2.2.2.

 

 

Please see file attached.

 

So sorry for all the trouble

Thank you kindly,
