I have Cisco ASA 5506 Firewall and total three Cisco 34XX Switch, 

1) Cisco ASA interface Gig1/8 is connected to ISP Router , Cisco ASA 5506 interface Gig 1/1 is connected to Master switch interface Gig 0/1. and two more Tower switch Tower-1 and Tower-2 , both are connected to master switch 

 

Cisco ASA interface Gig 1/8=  IP Address 123.123.X.X /29

Cisco ASA Interface Gig1/1 = IP Address  10.10.10.1/24 

Master Switch interface Gig 0/1 = IP Address 10.10.10.2/24

 

We are configured total three Internal VLAN detail 

VLAN-2 =10.20.10.0/24

VLAN-3 =10.30.10.0/24

VLAN-4 =10.40.10.0/24

 

Inter-VLAN function are working properly, I can access Inter-VLAN environment properly.

 

I can access network from VLAN-2 computer IP address 10.20.10.1/24 to Cisco ASA interface IP address 10.10.10.1

I can access network from VLAN-2 computer IP address 10.20.10.1/24 to other computer IP address 10.30.10.1 

I can't  access from VLAN-2 computer IP address 10.20.10.1/24 to internet.

 

  

 

 

 

 

 

Which ASA interface is in the 10.20.10.0/24 network?  You only mention Gig1/1, Gig1/8 and Mgmt switch. 

 

It would be helpful if you posted your full running configuration (remember to remove any public IPs, usernames and passwords).

All device configuration are share here

To simplify and understand better. You have a Core L3 switch which has 3 VLANs configured and L3 interface IP configured on the switch is configured as Gateway for Computers/Devices connected in the respective VLANs. There is a Separate VLAN/Interface/Subnet configured between your ASA and Core Switch (10.10.10.0/24).
Your inter-VLAN routing is working fine. But your Devices/Computers in this VLANs are not able to reach to internet. This is what my understanding about your query. The following solution is based on this.

1: Your Core L3 Switch should have default Route pointing towards Cisco ASA (interface Gig 1/1 - 10.10.10.1/24).
Example: "ip route 0.0.0.0 0.0.0.0 10.10.10.1"

2: Your ASA (interface Gig 1/1) should have Routes for all your three VLANs (10.20.10.0/24, 10.30.10.0/24, 10.40.10.0/24) Pointing towards Core Switch L3 interface on 10.10.10.0/24 subnet.
Example: "route INSIDE 10.20.10.0 255.255.255.0 10.10.10.2
route INSIDE 10.30.10.0 255.255.255.0 10.10.10.2
route INSIDE 10.40.10.0 255.255.255.0 10.10.10.2"

3: On your ASA you should have a default route pointing towards ISP on interface GIG 1/8 IP Address 123.123.X.X /29
Example: "route OUTSIDE 0.0.0.0 0.0.0.0 123.123.123.1"

4: You have NAT configuration for all your VLANs on the ASA.
Example: "object network VLAN2
subnet 10.20.10.0 255.255.255.0
object network VLAN3
subnet 10.30.10.0 255.255.255.0
object network VLAN4
subnet 10.40.10.0 255.255.255.0
object-group network LAN
network-object object VLAN2
network-object object VLAN3
network-object object VLAN4
nat (INSIDE,OUTSIDE) dynamic interface"

5: If you are testing your Internet Connectivity through Ping (ICMP) you should inspect the ICMP on ASA for that command is
"fixup protocol icmp"


I have not allowed 10.10.10.0/24 network for Internet access assuming it is only used as a internal connection between ASA and Core Switch. If you want you can create another object and add it to object group.

If you still have problem please share your configuration (remove all sensitive information like public ip, username, password etc.).
You can also run Packet-tracer to see what is wrong on your ASA.
Example: "packet-tracer input INSIDE tcp 10.20.10.10 80 8.8.8.8 80 detailed"

HTH
### RATE ALL HELPFUL RESPONSES ###

If this is the full configuration of all your devices then you are missing a default route on the Master-Switch pointing to 10.10.10.1

You are also missing a NAT statment for the 10.20.10.0/24, 10.30.10.0/24 and 10.40.10.0/24 networks.  The NAT statment you have only matches the 10.10.10.0/24 network.  So on the ASA you need to add three more NAT statments. Or you can creat an object that matches on any IP (0.0.0.0 0.0.0.0) and create a NAT for that.

 

Config for ASA:

object network LAN
subnet 10.20.10.0 255.255.255.0

nat (inside,outside) dynamic interface

 

object network LAN
subnet 10.30.10.0 255.255.255.0

nat (inside,outside) dynamic interface

 

object network LAN
subnet 10.40.10.0 255.255.255.0

nat (inside,outside) dynamic interface

 

Configuration for Master-Switch:

ip route 0.0.0.0 0.0.0.0 10.10.10.1

Your configuration is partial so we are assuming some points. As per the expert Marius Gunnerud you are missing default route in your switch and missing NAT statements for your VLANs/Subnets already mentioned. You should check and verify these configuration and make necessary changes.

Along with this you will also require Route back to your inside networks on ASA as well which I mentioned in my previous post.

route INSIDE 10.20.10.0 255.255.255.0 10.10.10.2
route INSIDE 10.30.10.0 255.255.255.0 10.10.10.2
route INSIDE 10.40.10.0 255.255.255.0 10.10.10.2

After making necessary changes, if you still having issue. please post the packet tracer output so that we can investigate further.

packet-tracer input INSIDE tcp 10.0.0.10 80 1.1.1.1 80 detailed

HTH
### RATE ALL HELPFUL RESPONSES ###

All changes has been done but still facing problem

For testing purpose , I configure network environment into Cisco packet Tracer. Please find Attachment

Public IP address are changed into attached file.

 

Tested:-

1. InterVLAN are working fine.

2. LAN and DMZ are communicate properly.

3. DMZ AV server are ping to Live AV server properly.

 

problem is:

1. LAN network computer not able to communicate to Live AV server (124.124.124.2) . It is use for download AV package for update LAN computer.

2. Live AV server are not able to ping to DMZ server for daily AV update.

 

 

 

 

 

We need to see you full running configuration (remember to remove any public IPs, usernames and passwords).

Also I am unable to open the file you attached.  Could you post it as a .pcap file please.

Hi,

Your configuration is good but you are using ASA 5506 in PT and It is having some bug with NAT. NAT is not working ASA 5506 in PT. You can use the same configuration on Cisco ASA 5505 and it will work.

 

We faced the same NAT issue on 5506 with many users.

Just testing purpose ,Configure into PT. Actually My network used ASA 5510. We are not able to solve my problem which is mention here