Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
376
Views
0
Helpful
4
Replies

Cannot connet to the internet through 5505 ASA

Go to solution
NETAD
Level 4
Level 4

‎09-11-2015 07:53 AM - edited ‎03-11-2019 11:35 PM

Hi guys, I have a problem that I've been trying to fix without any luck so I decided to reach out to you and get some of your help. I'm setting up a simple security lab at home and here's the setup:

 

Computer(in vlan10)----->Gi0/2(access port in vlan10 3560 switch)

Gi0/1(Access port in vlan 3 on 3560)------>eth0/1(5505 ASA assigned to vlan 2 inside)

then 

eth0/0(5505 assignet to vlan 1 outside)------>Modem

 

Here's the config: 

3560 switches is the DG for vlan 10 

I also have vlan 3 a Layer 3 vlan for transport between the 3560 and the ASA

 

on 3560 

inter vlan 10 

ip add 192.168.10.1 255.255.255.0 

inter vlan 3 10.2.2.1 255.255.255.0 

ip route 0.0.0.0 0.0.0.0 10.2.2.2 

on ASA 

inter vlan 2 

nameif inside

sec-level 100 

ip add 10.2.2.2 255.255.255.0

inter eth0/1

switchport access vlan 2

******************************************

inter vlan 1 

nameif outside 

sec-level 0 

ip address dhcp(this interface actualy gets an IP from the modem and I can ping 4.2.2.2 from the ASA) 

inter eth0/0 

switchport access vlan 1  

*******************************************

route inside 192.168.10.0 255.255.255.0 10.2.2.1 

route outside 0 0 10.0.0.1(modem)

That's it. My computer is able to ping its gateway on the 3560. the 3560 is able to ping the ASA on its inside vlan interface but PC isn't able to ping nor pass through the ASA. 

Note:ASA has a base security license so I could do trunking and subinterfaces. 

 

 

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Vibhor Amrodia
Cisco Employee
Cisco Employee

‎09-12-2015 12:17 PM

Hi,

What if you configure the Switch Int Vkan 3 as the Trunk interface and the ASA interface as well on the ASA device ?

Also , the alternative way would be to use the 3560 as the Layer 2 Device and create sub interfaces on the ASA device for the Later 3 routing.

Thanks and Regards,

Vibhor Amrodia

View solution in original post

0 Helpful

Go to solution
Seb Rupik
VIP Alumni
VIP Alumni

‎09-13-2015 02:08 AM

Hi Sleiman,

Have you configured ICMP inspection and explictly allowed it on the ASA?

 

Is the ASA performing NAT, or is that taking place on the modem?

 

cheers,

Seb.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Vibhor Amrodia
Cisco Employee
Cisco Employee

‎09-12-2015 12:17 PM

Hi,

What if you configure the Switch Int Vkan 3 as the Trunk interface and the ASA interface as well on the ASA device ?

Also , the alternative way would be to use the 3560 as the Layer 2 Device and create sub interfaces on the ASA device for the Later 3 routing.

Thanks and Regards,

Vibhor Amrodia

0 Helpful

Go to solution
NETAD
Level 4
Level 4

‎09-13-2015 12:04 AM

Thanks for the reply Vibhor. The thing is that I dont have the sec plus license so no trunking nor sub interfaces are allowed.

0 Helpful

Go to solution
Seb Rupik
VIP Alumni
VIP Alumni

‎09-13-2015 02:08 AM

Hi Sleiman,

Have you configured ICMP inspection and explictly allowed it on the ASA?

 

Is the ASA performing NAT, or is that taking place on the modem?

 

cheers,

Seb.

0 Helpful

Go to solution
NETAD
Level 4
Level 4
In response to Seb Rupik

‎09-13-2015 07:17 PM

The modem will be doing  The natting but the asa will also nat to the private ip space if the modem. I got this working by configuring ospf between the switch and the asa and pushing a default route via ospf from the asa to the l3 switch. I dont know why the mentioned setup didnt work.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card