Can ping up to default gateway but can't get to internet.

dsingh000
Level 1

Users can ping up to the default gateway but can't get to the internet.

The firewall can get to the internet and can ping all SVI gateways.

Please help me get the data out to the internet.

Both firewall and switch configs are below.

............

 

FIREWALL CONFIG:

 

fsllc-fw1(config)# sh run

: Saved

 

: Hardware:   ASA5520

:

ASA Version 9.1(7)19

!

hostname fsllc-fw1

domain-name mspnt.local

enable password qgYdLINfbTBZT36. encrypted

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

passwd 2KFQnbNIdI.2KYOU encrypted

names

name 172.17.3.0 USER

name 172.17.4.0 VOIP

name 172.17.5.0 SECURITY

name 172.17.7.0 WIFI-GUEST

name 172.17.8.0 SAN

name 172.17.9.0 DMZ

name 172.17.6.0 WIFI-MAN

name 172.17.1.0 TRANSIT

name 172.17.2.0 SERVER

!

interface GigabitEthernet0/0

 nameif outside

 security-level 0

 ip address dhcp setroute

!

interface GigabitEthernet0/1

 description Trunk for Inside Connections

 nameif trunkport

 security-level 100

 no ip address

!

interface GigabitEthernet0/1.10

 description NETWORK TRANSIT

 vlan 10

 nameif TRANSIT

 security-level 100

 ip address 172.17.1.1 255.255.255.0

!

interface GigabitEthernet0/1.20

 description SERVER

 vlan 20

 nameif SERVER

 security-level 100

 ip address 172.17.2.1 255.255.255.0

!

interface GigabitEthernet0/1.30

 description USER

 vlan 30

 nameif USER

 security-level 100

 ip address 172.17.3.1 255.255.255.0

!

interface GigabitEthernet0/1.40

 description VOIP

 vlan 40

 nameif VOIP

 security-level 100

 ip address 172.17.4.1 255.255.255.0

!

interface GigabitEthernet0/1.50

 vlan 50

 nameif SECURITY

 security-level 100

 ip address 172.17.5.1 255.255.255.0

!

interface GigabitEthernet0/1.60

 vlan 60

 nameif WIFI-MAM

 security-level 100

 ip address 172.17.6.1 255.255.255.0

!

interface GigabitEthernet0/1.70

 vlan 70

 nameif WIFI-GUEST

 security-level 100

 ip address 172.17.7.1 255.255.255.0

!

interface GigabitEthernet0/1.80

 vlan 80

 nameif SAN

 security-level 100

 ip address 172.17.8.1 255.255.255.0

!

interface GigabitEthernet0/1.90

 vlan 90

 nameif DMZ

 security-level 100

 ip address 172.17.9.1 255.255.255.0

!

interface GigabitEthernet0/2

 shutdown

 no nameif

 no security-level

 no ip address

!

interface GigabitEthernet0/3

 shutdown

 no nameif

 no security-level

 no ip address

!

interface Management0/0

 management-only

 nameif management

 security-level 100

 ip address 172.17.69.3 255.255.255.0

!

boot system disk0:/asa917-19-k8.bin

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns domain-lookup trunkport

dns server-group DefaultDNS

 name-server 172.17.1.11

 name-server 172.17.1.13

 domain-name mspnt.local

same-security-traffic permit inter-interface

object network FSLLCG_VPN_Hosts

 subnet 172.17.1.56 255.255.255.248

object network obj_any

 subnet 0.0.0.0 0.0.0.0

object-group protocol TCPUDP

 protocol-object udp

 protocol-object tcp

object-group service DM_INLINE_SERVICE_2

 service-object ip

 service-object tcp-udp destination eq domain

object-group network network1

 network-object TRANSIT 255.255.255.0

object-group service DM_INLINE_SERVICE_3

 service-object ip

 service-object tcp destination eq ssh

object-group service DM_INLINE_SERVICE_4

 service-object ip

 service-object tcp destination eq ssh

access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 172.17.1.0 255.255.255.0 any4

access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 172.17.0.0 255.255.255.0 any4

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu trunkport 1500

mtu TRANSIT 1500

mtu SERVER 1500

mtu USER 1500

mtu VOIP 1500

mtu SECURITY 1500

mtu WIFI-MAM 1500

mtu WIFI-GUEST 1500

mtu SAN 1500

mtu DMZ 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-716.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

!

object network obj_any

 nat (trunkport,outside) dynamic interface

!

nat (trunkport,outside) after-auto source dynamic any interface

access-group inside_access_in in interface trunkport

route outside 0.0.0.0 0.0.0.0 192.168.1.254 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

 webvpn

  url-list value Main

aaa-server DEVICE_AUTH protocol radius

aaa-server DEVICE_AUTH (trunkport) host 172.17.1.11

 key *****

 authentication-port 1646

 radius-common-pw *****

aaa-server LDAP_SERV_GROUP protocol ldap

aaa-server LDAP_SERV_GROUP (trunkport) host 172.17.1.11

 ldap-base-dn dc=mydomain, dc=local

 ldap-scope subtree

 ldap-naming-attribute sAMAccountName

 ldap-login-password *****

 ldap-login-dn ldap-login-dn cn=dsingh-a, cn=Users, dc=mydomain, dc=local

 server-type microsoft

user-identity default-domain LOCAL

aaa authentication enable console DEVICE_AUTH LOCAL

aaa authorization command LOCAL

http server enable

http 0.0.0.0 0.0.0.0 trunkport

no snmp-server location

no snmp-server contact

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev2 ipsec-proposal DES

 protocol esp encryption des

 protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

 protocol esp encryption 3des

 protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

 protocol esp encryption aes

 protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

 protocol esp encryption aes-192

 protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

 protocol esp encryption aes-256

 protocol esp integrity sha-1 md5

crypto ipsec security-association pmtu-aging infinite

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca trustpool policy

crypto ikev2 policy 1

 encryption aes-256

 integrity sha

 group 5 2

 prf sha

 lifetime seconds 86400

crypto ikev2 policy 10

 encryption aes-192

 integrity sha

 group 5 2

 prf sha

 lifetime seconds 86400

crypto ikev2 policy 20

 encryption aes

 integrity sha

 group 5 2

 prf sha

 lifetime seconds 86400

crypto ikev2 policy 30

 encryption 3des

 integrity sha

 group 5 2

 prf sha

 lifetime seconds 86400

crypto ikev2 policy 40

 encryption des

 integrity sha

 group 5 2

 prf sha

 lifetime seconds 86400

crypto ikev2 enable outside client-services port 443

crypto ikev1 enable outside

crypto ikev1 policy 10

 authentication crack

 encryption aes-256

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 20

 authentication rsa-sig

 encryption aes-256

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 30

 authentication pre-share

 encryption aes-256

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 40

 authentication crack

 encryption aes-192

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 50

 authentication rsa-sig

 encryption aes-192

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 60

 authentication pre-share

 encryption aes-192

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 70

 authentication crack

 encryption aes

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 80

 authentication rsa-sig

 encryption aes

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 90

 authentication pre-share

 encryption aes

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 100

 authentication crack

 encryption 3des

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 110

 authentication rsa-sig

 encryption 3des

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 120

 authentication pre-share

 encryption 3des

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 130

 authentication crack

 encryption des

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 140

 authentication rsa-sig

 encryption des

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 150

 authentication pre-share

 encryption des

 hash sha

 group 2

 lifetime 86400

telnet TRANSIT 255.255.255.0 trunkport

telnet timeout 5

ssh stricthostkeycheck

ssh TRANSIT 255.255.255.0 trunkport

ssh 0.0.0.0 0.0.0.0 trunkport

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcp-client client-id interface outside

dhcpd dns 172.17.1.31 172.17.1.32 interface trunkport

dhcpd lease 604800 interface trunkport

dhcpd domain mspnt.local interface trunkport

dhcpd update dns both interface trunkport

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 216.239.35.8 source trunkport prefer

username fwadmin password rtGE/O.KQUNnhNCL encrypted privilege 15

username admin password 7KKG/zg/Wo8c.YfN encrypted

username dsingh password KLSC14Ndlyr0MTZd encrypted privilege 15

!

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

 parameters

  message-length maximum 512

policy-map global_policy

 class inspection_default

  inspect ftp

  inspect rsh

  inspect rtsp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect dns

  inspect http

  inspect icmp

  inspect icmp error

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

 profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:5a057ebd7b24561c5abd3e5cae22c576

 

 

 

 

 

 

SWITCH CONFIG:

MSPNT-MAG-SW01(config)#do sh run

Building configuration...

 

Current configuration : 8255 bytes

!

! Last configuration change at 07:45:53 UTC Mon Aug 31 2020

!

version 15.2

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname MSPNT-MAG-SW01

!

boot-start-marker

boot-end-marker

!

!

username admin privilege 15 secret 5 $1$5/2C$LP6.6/EyNDAjkxHLRK7e50

no aaa new-model

switch 1 provision ws-c2960x-24ps-l

ip routing

no ip cef optimize neighbor resolution

ip dhcp excluded-address 172.17.3.1 172.17.3.49

ip dhcp excluded-address 172.17.3.200 172.17.3.255

ip dhcp excluded-address 172.17.6.1 172.17.6.49

ip dhcp excluded-address 172.17.6.200 172.17.6.255

ip dhcp excluded-address 172.17.7.200 172.17.7.255

ip dhcp excluded-address 172.17.7.1 172.17.7.49

!

ip dhcp pool VLAN60-WIFI-MAN

 network 172.17.6.0 255.255.255.0

 default-router 172.17.6.1

 dns-server 172.17.1.11 172.17.1.13

 domain-name mspnt.local

 option 43 hex f104.ac10.913f

!

ip dhcp pool VLAN10-TRANSIT

 network 172.17.1.0 255.255.255.0

 dns-server 172.17.1.11 172.17.1.13

 default-router 172.17.1.1

 domain-name mspnt.local

!

ip dhcp pool VLAN20-SERVER

 network 172.17.2.0 255.255.255.0

 default-router 172.17.2.1

 dns-server 172.17.1.11 172.17.1.13 8.8.8.8

 domain-name mspnt.local

!

ip dhcp pool VLAN30-USER

 network 172.17.3.0 255.255.255.0

 default-router 172.17.3.1

 dns-server 172.17.1.11 172.17.1.13 8.8.8.8

 domain-name mspnt.local

!

!

no ip domain-lookup

!

!

!

!

!

!

!

!

archive

 log config

  hidekeys

 path tftp://172.17.1.104/$h$t

 write-memory

spanning-tree mode pvst

spanning-tree extend system-id

!

!

!

!

vlan internal allocation policy ascending

!

!

!

!

!

!

!

!

!

!

!

interface FastEthernet0

 no ip address

 no ip route-cache

 shutdown

!

interface GigabitEthernet1/0/1

 switchport mode trunk

 spanning-tree portfast

!

interface GigabitEthernet1/0/2

 switchport access vlan 10

 switchport mode access

 spanning-tree portfast

!

interface GigabitEthernet1/0/3

 switchport access vlan 10

 switchport mode access

 spanning-tree portfast

!

interface GigabitEthernet1/0/4

 switchport access vlan 30

 switchport mode access

 spanning-tree portfast

!

interface GigabitEthernet1/0/5

 switchport access vlan 10

 switchport mode access

 spanning-tree portfast

!

interface GigabitEthernet1/0/6

 switchport access vlan 10

 switchport mode access

 spanning-tree portfast

!

interface GigabitEthernet1/0/7

 switchport access vlan 10

 switchport mode access

 spanning-tree portfast

!

interface GigabitEthernet1/0/8

 switchport access vlan 10

 switchport mode access

 spanning-tree portfast

!

interface GigabitEthernet1/0/9

 switchport access vlan 10

 switchport mode access

 spanning-tree portfast

!

interface GigabitEthernet1/0/10

 switchport access vlan 10

 switchport mode access

 spanning-tree portfast

!

interface GigabitEthernet1/0/11

 switchport access vlan 10

 switchport mode access

 spanning-tree portfast

!

interface GigabitEthernet1/0/12

 switchport access vlan 10

 switchport mode access

 spanning-tree portfast

!

interface GigabitEthernet1/0/13

 switchport access vlan 10

 switchport mode access

 spanning-tree portfast

!

interface GigabitEthernet1/0/14

 switchport access vlan 10

 switchport mode access

 spanning-tree portfast

!

interface GigabitEthernet1/0/15

 switchport access vlan 10

 switchport mode access

 spanning-tree portfast

!

interface GigabitEthernet1/0/16

 switchport access vlan 10

 switchport mode access

 spanning-tree portfast

!

interface GigabitEthernet1/0/17

 switchport access vlan 10

 switchport mode access

 spanning-tree portfast

!

interface GigabitEthernet1/0/18

 switchport access vlan 10

 switchport mode access

 spanning-tree portfast

!

interface GigabitEthernet1/0/19

 switchport access vlan 10

 switchport mode access

 spanning-tree portfast

!

interface GigabitEthernet1/0/20

 switchport access vlan 10

 switchport mode access

 spanning-tree portfast

!

interface GigabitEthernet1/0/21

 switchport access vlan 10

 switchport mode access

 spanning-tree portfast

!

interface GigabitEthernet1/0/22

 switchport access vlan 10

 switchport mode access

 spanning-tree portfast

!

interface GigabitEthernet1/0/23

 switchport access vlan 10

 switchport mode access

 spanning-tree portfast

!

interface GigabitEthernet1/0/24

 switchport access vlan 10

 switchport mode access

 spanning-tree portfast

!

interface GigabitEthernet1/0/25

 switchport access vlan 10

 switchport mode access

 spanning-tree portfast

!

interface GigabitEthernet1/0/26

 switchport access vlan 10

 switchport mode access

 spanning-tree portfast

!

interface GigabitEthernet1/0/27

 switchport access vlan 10

 switchport mode access

 spanning-tree portfast

!

interface GigabitEthernet1/0/28

 switchport access vlan 10

 switchport mode access

 spanning-tree portfast

!

interface Vlan1

 no ip address

 shutdown

!

interface Vlan10

 description TRANSIT

 ip address 172.17.1.2 255.255.255.0

!

interface Vlan20

 description SERVER

 ip address 172.17.2.2 255.255.255.0

!

interface Vlan30

 description USER

 ip address 172.17.3.2 255.255.255.0

!

interface Vlan40

 description VOIP

 ip address 172.17.4.2 255.255.255.0

!

interface Vlan50

 description Security

 ip address 172.17.5.2 255.255.255.0

!

interface Vlan60

 description WIFI-MAN

 ip address 172.17.6.2 255.255.255.0

!

interface Vlan70

 description WIFI-GUEST

 ip address 172.17.7.2 255.255.255.0

 ip access-group WIFIGUESTIN in

!

interface Vlan80

 ip address 172.17.8.2 255.255.255.0

!

ip default-gateway 172.17.1.1

ip http server

ip http authentication local

ip http secure-server

!

ip route 0.0.0.0 0.0.0.0 172.17.1.1

!

ip access-list extended WIFIGUESTIN

 permit icmp any any

 permit tcp any any eq www

 permit tcp any any eq 443

 permit udp any any eq domain

 permit udp any any eq bootpc

 permit udp any any eq bootps

 permit tcp any any range 5067 5068

 permit tcp any any range 5060 5062

 permit tcp any any range 50000 59999

 permit tcp any any eq 444

 permit tcp any any eq 4431

 permit tcp any any eq 5269

 permit udp any any eq 5060

 permit udp any any eq 3478

 permit udp any any range 60000 65535

 permit udp any any range 50000 59999

!

snmp-server community public RO

snmp-server community private RW

!

banner login ^C

 

 

   _____    ___________________   _______          __                       __     ___________           .__                  .__                      

  /     \  /   _____/\______   \  \      \   _____/  |___  _  _____________|  | __ \__    ___/___   ____ |  |__   ____   ____ |  |   ____   ____ ___.__.

 /  \ /  \ \_____  \  |     ___/  /   |   \_/ __ \   __\ \/ \/ /  _ \_  __ \  |/ /   |    |_/ __ \_/ ___\|  |  \ /    \ /  _ \|  |  /  _ \ / ___<   |  |

/    Y    \/        \ |    |     /    |    \  ___/|  |  \     (  <_> )  | \/    <    |    |\  ___/\  \___|   Y  \   |  (  <_> )  |_(  <_> ) /_/  >___  |

\____|__  /_______  / |____|     \____|__  /\___  >__|   \/\_/ \____/|__|  |__|_ \   |____| \___  >\___  >___|  /___|  /\____/|____/\____/\___  // ____|

        \/        \/                     \/     \/                              \/              \/     \/     \/     \/                  /_____/ \/    

                                                                                                                                                       

                                                                                                                                                        

                                                                                                                                                       

                                                                                                                                                       

                                                                                                                                                        

                                                                                                                                                       

 

         

^C

!

line con 0

 exec-timeout 0 0

 privilege level 15

 logging synchronous

 login local

line vty 0 4

 logging synchronous

 login local

line vty 5 15

 password password

 login

 transport input telnet ssh

!

ntp server 13.65.88.161

ntp server 172.17.1.11

ntp server 172.17.1.13

end

Hi,

The source interface on your NAT rules is incorrect: the traffic will not come via the "trunkport" interface, it will come from SERVER, USER, VOIP, etc.

 

Be more specific and create multiple NAT rules, one for each inside interface (one for VOIP, another for SERVER, etc.), or alternatively just use one NAT rule with "any" as the source, which would apply to all inside interfaces.

 

Examples:

 

object network SERVER
 subnet 172.17.2.0 255.255.255.0
 nat (SERVER,OUTSIDE) dynamic interface
object network USER
 subnet 172.17.3.0 255.255.255.0
 nat (USER,OUTSIDE) dynamic interface

OR

object network obj_any
 nat (any,outside) dynamic interface
!
nat (any,outside) after-auto source dynamic any interface

FYI - you don't need the last NAT rule if you have object NAT rules already in place.

 

HTH
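The interface-matching point made in the reply above, modelled as an added Python example (not code from the original post, from Rob, or from Cisco). It encodes the nameifs and subnets from the posted ASA config plus a simplified version of the ASA NAT lookup (match on ingress nameif, egress nameif and real source address, walking Section 1 manual NAT, Section 2 object NAT, then Section 3 after-auto NAT). It shows that the posted `(trunkport,outside)` rules are never consulted for traffic arriving on the tagged subinterfaces, while either suggested fix is. The ordering inside a section is simplified, and the sample hosts (172.17.3.50 and so on) are constructed for the example.

```python
"""Simplified model of Cisco ASA NAT rule selection by ingress interface.

Added example. The interface table mirrors the posted ASA config; the NAT
lookup is a simplification of ASA behaviour (section order is honoured, the
finer static/dynamic and prefix-length ordering inside a section is not).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# nameif -> (802.1Q tag on Gi0/1, connected subnet). From the posted config.
# The parent trunk port carries no tag and has no IP address of its own.
INTERFACES = {
    "outside":    (None, None),
    "trunkport":  (None, None),
    "TRANSIT":    (10, "172.17.1.0/24"),
    "SERVER":     (20, "172.17.2.0/24"),
    "USER":       (30, "172.17.3.0/24"),
    "VOIP":       (40, "172.17.4.0/24"),
    "SECURITY":   (50, "172.17.5.0/24"),
    "WIFI-MAM":   (60, "172.17.6.0/24"),
    "WIFI-GUEST": (70, "172.17.7.0/24"),
    "SAN":        (80, "172.17.8.0/24"),
    "DMZ":        (90, "172.17.9.0/24"),
}


def ingress_nameif(vlan_tag: Optional[int]) -> str:
    """Nameif that owns a frame arriving on Gi0/1 with the given 802.1Q tag.

    A tagged frame belongs to the matching subinterface. Only an untagged
    frame would belong to the parent "trunkport", which has no IP address.
    """
    if vlan_tag is None:
        return "trunkport"
    for name, (tag, _) in INTERFACES.items():
        if tag == vlan_tag:
            return name
    raise ValueError(f"no subinterface for VLAN {vlan_tag}")


@dataclass(frozen=True)
class NatRule:
    src_ifc: str    # nameif or "any"
    dst_ifc: str    # nameif or "any"
    src_net: str    # real (pre-translation) source network
    section: int    # 1 = manual, 2 = object NAT, 3 = manual after-auto
    label: str      # the config line this rule stands for


def rule_matches(rule: NatRule, ingress: str, egress: str, src_ip: str) -> bool:
    """A rule applies only if its interface pair matches the real ingress and
    egress nameifs (or is "any") and the real source lies in src_net."""
    return (rule.src_ifc in ("any", ingress)
            and rule.dst_ifc in ("any", egress)
            and ip_address(src_ip) in ip_network(rule.src_net))


def select_nat(rules: List[NatRule], ingress: str, src_ip: str,
               egress: str = "outside") -> Optional[NatRule]:
    """First matching rule, Section 1 before 2 before 3 (sorted() is stable,
    so rules inside a section keep the order they were listed in)."""
    for rule in sorted(rules, key=lambda r: r.section):
        if rule_matches(rule, ingress, egress, src_ip):
            return rule
    return None


# The posted config: both rules name the parent port as the source interface.
ORIGINAL = [
    NatRule("trunkport", "outside", "0.0.0.0/0", 2, "object obj_any nat (trunkport,outside)"),
    NatRule("trunkport", "outside", "0.0.0.0/0", 3, "nat (trunkport,outside) after-auto"),
]

# Fix 1 from the reply: one object NAT rule per inside subinterface.
PER_INTERFACE = [
    NatRule(name, "outside", net, 2, f"object {name} nat ({name},outside)")
    for name, (tag, net) in INTERFACES.items() if tag is not None
]

# Fix 2 from the reply: a single rule with "any" as the source interface.
ANY_SOURCE = [
    NatRule("any", "outside", "0.0.0.0/0", 2, "object obj_any nat (any,outside)"),
]


def will_be_translated(rules: List[NatRule], vlan_tag: int, src_ip: str) -> Optional[str]:
    """Label of the NAT rule a packet from this VLAN and source hits, or None
    (no rule means the packet is routed out untranslated with its private source)."""
    rule = select_nat(rules, ingress_nameif(vlan_tag), src_ip)
    return rule.label if rule else None


if __name__ == "__main__":
    for policy_name, policy in (("original", ORIGINAL),
                                ("per-interface", PER_INTERFACE),
                                ("any-source", ANY_SOURCE)):
        print(policy_name, "VLAN 30 host 172.17.3.50 ->",
              will_be_translated(policy, 30, "172.17.3.50"))
```

On the real box the same question is answered by `packet-tracer input USER tcp 172.17.3.50 1025 8.8.8.8 80` (the NAT phase shows which rule, if any, was hit) and `show nat detail` (the translate_hits counter for the trunkport rules stays at zero). Two things worth keeping in mind when choosing between the fixes: the `any` form also translates WIFI-GUEST and DMZ to the outside address, so the per-interface form is the one that matches a least-privilege intent; and `access-group inside_access_in in interface trunkport` in the posted config is bound to the same parent interface, so that ACL is not evaluated for the subinterfaces either.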

That was it!!! Thank you so much, Rob!!! You are a gentleman and a scholar!
