Cisco ASA Inter-VLAN with public network not working

dinchavan

We have configured three VLANs in total. Computers in the internal VLANs can reach the Cisco ASA internal interface IP address, meaning I am able to ping the internal IP address 10.100.100.1 from a VLAN 2 system (10.10.10.100), but I am not able to ping an outside IP address from an internal VLAN system.

 

Internal VLAN detail

VLAN 2 =10.10.10.0/24

VLAN 3 =10.20.10.0/24

VLAN 4 =10.30.10.0/24


Hi,
That's by design: you cannot ping the outside ASA interface if you are connected to an inside ASA interface. When testing, ping through the ASA to the next-hop router. Ensure you are permitting ICMP responses by entering the command "fixup protocol icmp".

HTH

You cannot ping an ASA interface which is not the ingress interface.  So you can only ping the ASA interface on which the ICMP traffic enters.

--
Please remember to select a correct answer and rate helpful posts

I have a Cisco ASA 5506 firewall and three Cisco 34XX switches in total.

1) Cisco ASA interface Gig1/8 is connected to the ISP router, Cisco ASA 5506 interface Gig 1/1 is connected to the master switch interface Gig 0/1, and two more tower switches, Tower-1 and Tower-2, are both connected to the master switch.

 

Cisco ASA interface Gig 1/8=  IP Address 123.123.X.X /29

Cisco ASA Interface Gig1/1 = IP Address  10.10.10.1/24 

Master Switch interface Gig 0/1 = IP Address 10.10.10.2/24

 

We have configured three internal VLANs in total:

VLAN-2 =10.20.10.0/24

VLAN-3 =10.30.10.0/24

VLAN-4 =10.40.10.0/24

 

Inter-VLAN routing is working properly; I can access the inter-VLAN environment without problems.

 

I can reach the Cisco ASA interface IP address 10.10.10.1 from the VLAN-2 computer with IP address 10.20.10.1/24.

I can reach the other computer with IP address 10.30.10.1 from the VLAN-2 computer with IP address 10.20.10.1/24.

I can't access the internet from the VLAN-2 computer with IP address 10.20.10.1/24.

 

Which ASA interface is in the 10.20.10.0/24 network?  You only mention Gig1/1, Gig1/8 and Mgmt switch. 

 

It would be helpful if you posted your full running configuration (remember to remove any public IPs, usernames and passwords).

--
Please remember to select a correct answer and rate helpful posts

All device configurations are shared here.

To simplify and understand better: you have a core L3 switch with 3 VLANs configured, and the L3 interface IP configured on the switch is the gateway for the computers/devices connected in the respective VLANs. There is a separate VLAN/interface/subnet configured between your ASA and core switch (10.10.10.0/24).
Your inter-VLAN routing is working fine, but the devices/computers in these VLANs are not able to reach the internet. This is my understanding of your query; the following solution is based on it.

1: Your core L3 switch should have a default route pointing towards the Cisco ASA (interface Gig 1/1 - 10.10.10.1/24).
Example: "ip route 0.0.0.0 0.0.0.0 10.10.10.1"

2: Your ASA (interface Gig 1/1) should have routes for all three of your VLANs (10.20.10.0/24, 10.30.10.0/24, 10.40.10.0/24) pointing towards the core switch L3 interface on the 10.10.10.0/24 subnet.
Example: "route INSIDE 10.20.10.0 255.255.255.0 10.10.10.2
route INSIDE 10.30.10.0 255.255.255.0 10.10.10.2
route INSIDE 10.40.10.0 255.255.255.0 10.10.10.2"

3: On your ASA you should have a default route pointing towards the ISP on interface Gig 1/8 (IP address 123.123.X.X /29).
Example: "route OUTSIDE 0.0.0.0 0.0.0.0 123.123.123.1"

4: You should have NAT configuration for all your VLANs on the ASA. With an object-group as the real source, the NAT rule has to be a twice (manual) NAT statement rather than an object NAT line.
Example: "object network VLAN2
subnet 10.20.10.0 255.255.255.0
object network VLAN3
subnet 10.30.10.0 255.255.255.0
object network VLAN4
subnet 10.40.10.0 255.255.255.0
object-group network LAN
network-object object VLAN2
network-object object VLAN3
network-object object VLAN4
nat (INSIDE,OUTSIDE) source dynamic LAN interface"

5: If you are testing your internet connectivity with ping (ICMP), you should inspect ICMP on the ASA; the command for that is
"fixup protocol icmp"


I have not allowed the 10.10.10.0/24 network internet access, assuming it is only used as an internal connection between the ASA and the core switch. If you want, you can create another object and add it to the object group.

If you still have the problem, please share your configuration (remove all sensitive information like public IPs, usernames, passwords etc.).
You can also run packet-tracer to see what is wrong on your ASA.
Example: "packet-tracer input INSIDE tcp 10.20.10.10 80 8.8.8.8 80 detailed"

HTH
### RATE ALL HELPFUL RESPONSES ###

dinchavan

All device configurations are here.

==========================Cisco ASA Firewall====================

ASA

interface GigabitEthernet1/1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet1/8
nameif outside
security-level 0
ip address 123.123.123.2 255.255.255.0
!
object network LAN
subnet 10.10.10.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 123.123.123.1 1
!
access-list in-to-internet extended permit ip any any
access-list in-to-internet extended permit icmp any any
!

access-group in-to-internet in interface outside
access-group in-to-internet in interface dmz
object network LAN
nat (inside,outside) dynamic interface
!
class-map inspection-default
match default-inspection-traffic
!
policy-map global-policy
class inspection-default
inspect dns
inspect http
inspect icmp
!
service-policy global-policy global
!

 

==========================Master-Switch =====================

master

interface FastEthernet0/1
no switchport
ip address 10.10.10.2 255.255.255.0
!
interface FastEthernet0/24
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface range GigabitEthernet0/1-2
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Vlan2
ip address 10.20.10.1 255.255.255.0
!
interface Vlan3
ip address 10.30.10.1 255.255.255.0
!
interface Vlan4
ip address 10.40.10.1 255.255.255.0
!
access-list 110 permit ip 10.20.10.0 0.0.0.255 any
access-list 110 permit udp 10.20.10.0 0.0.0.255 any
access-list 110 permit udp any eq bootps any
access-list 110 permit icmp 10.20.10.0 0.0.0.255 any
!
access-list 111 permit ip 10.30.10.0 0.0.0.255 any
access-list 111 permit udp 10.30.10.0 0.0.0.255 any
access-list 110 permit udp any eq bootps any
access-list 111 permit icmp 10.30.10.0 0.0.0.255 any
!
access-list 112 permit ip 10.40.10.0 0.0.0.255 any
access-list 112 permit udp 10.40.10.0 0.0.0.255 any
access-list 110 permit udp any eq bootps any
access-list 112 permit icmp 10.40.10.0 0.0.0.255 any

==========================Tower-Switch (Access Switch)=======================

interface range FastEthernet0/5-9
description 'For IT_Department'
switchport access vlan 2
switchport mode access
!
interface range FastEthernet0/10-14
description 'For Sale_Department'
switchport access vlan 3
switchport mode access
!
interface range FastEthernet0/15-19
description 'For Purchase_Department'
switchport access vlan 4
switchport mode access
!
interface range GigabitEthernet0/1-2
switchport trunk encapsulation dot1q
switchport mode trunk
!

If this is the full configuration of all your devices, then you are missing a default route on the Master-Switch pointing to 10.10.10.1.

You are also missing a NAT statement for the 10.20.10.0/24, 10.30.10.0/24 and 10.40.10.0/24 networks. The NAT statement you have only matches the 10.10.10.0/24 network. So on the ASA you need to add three more NAT statements. Or you can create an object that matches any IP (0.0.0.0 0.0.0.0) and create a NAT for that.

 

Config for ASA (each subnet needs its own object name; re-entering the existing "object network LAN" would only overwrite its subnet):

object network VLAN2
subnet 10.20.10.0 255.255.255.0

nat (inside,outside) dynamic interface

 

object network VLAN3
subnet 10.30.10.0 255.255.255.0

nat (inside,outside) dynamic interface

 

object network VLAN4
subnet 10.40.10.0 255.255.255.0

nat (inside,outside) dynamic interface

 

Configuration for Master-Switch:

ip route 0.0.0.0 0.0.0.0 10.10.10.1

--
Please remember to select a correct answer and rate helpful posts
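Deepak's five-step checklist and Marius's reading of the posted configuration both reduce to mechanical checks that can be run against the running configs. The following is an added example, not code from this thread or from Cisco: a small Python lint over the ASA and core-switch configuration as posted above (embedded here as a constructed sample), which reports the missing core default route, the missing return routes and the NAT object that only covers the transit /24, then re-runs the same checks after applying the recommended fix. The object names VLAN2/VLAN3/VLAN4 are assumed; the last check, flagging the `permit ip any any` ACL applied inbound on the security-level 0 interface, is an editor's caveat that the thread itself does not raise.

```python
"""Lint the ASA and core-switch configs from the thread for the gaps the replies point out."""
import ipaddress
import re

# Constructed input: the configs as posted (123.123.123.x is the poster's own placeholder).
ASA_POSTED = """\
interface GigabitEthernet1/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
interface GigabitEthernet1/8
 nameif outside
 security-level 0
 ip address 123.123.123.2 255.255.255.0
object network LAN
 subnet 10.10.10.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 123.123.123.1 1
access-list in-to-internet extended permit ip any any
access-group in-to-internet in interface outside
object network LAN
 nat (inside,outside) dynamic interface
policy-map global-policy
 class inspection-default
  inspect icmp
"""
CORE_POSTED = """\
interface FastEthernet0/1
 ip address 10.10.10.2 255.255.255.0
interface Vlan2
 ip address 10.20.10.1 255.255.255.0
interface Vlan3
 ip address 10.30.10.1 255.255.255.0
interface Vlan4
 ip address 10.40.10.1 255.255.255.0
"""
CORE_FIX = "ip route 0.0.0.0 0.0.0.0 10.10.10.1\n"

def asa_fix(name_fmt):
    """The replies' fix: a route back to each SVI subnet plus one NAT object per VLAN (object names assumed)."""
    return "".join(f"route inside {n} 255.255.255.0 10.10.10.2\nobject network {name_fmt.format(i)}\n"
                   f" subnet {n} 255.255.255.0\n nat (inside,outside) dynamic interface\n"
                   for i, n in ((2, "10.20.10.0"), (3, "10.30.10.0"), (4, "10.40.10.0")))

def parse(text):
    """Minimal parser for the ASA/IOS lines the audit needs; every other line is ignored."""
    cfg = {"ifaces": {}, "objects": {}, "nat": [], "routes": [], "acl_in": {}, "acl_any": set(), "icmp": False}
    ctx = None  # ("if", name) or ("obj", name): the sub-mode the current line belongs to
    for line in text.splitlines():
        s = line.strip()
        if m := re.match(r"interface (\S+)$", s):
            ctx = ("if", m[1]); cfg["ifaces"].setdefault(m[1], {})
        elif m := re.match(r"object network (\S+)$", s):
            ctx = ("obj", m[1]); cfg["objects"].setdefault(m[1], None)
        elif ctx and ctx[0] == "if" and (m := re.match(r"(nameif|security-level|ip address) (.+)$", s)):
            cfg["ifaces"][ctx[1]][m[1]] = ipaddress.ip_interface(m[2].replace(" ", "/")) if m[1] == "ip address" else m[2]
        elif ctx and ctx[0] == "obj" and (m := re.match(r"subnet (\S+) (\S+)$", s)):
            cfg["objects"][ctx[1]] = ipaddress.ip_network(f"{m[1]}/{m[2]}")  # re-entering a name overwrites its subnet, as on the ASA
        elif ctx and ctx[0] == "obj" and (m := re.match(r"nat \((\S+),(\S+)\) dynamic", s)):
            cfg["nat"].append((ctx[1], m[1], m[2]))
        elif m := re.match(r"(?:ip )?route (?:(\S+) )?(\d\S*) (\S+) (\S+)", s):  # ASA "route IF ..." or IOS "ip route ..."
            cfg["routes"].append((m[1] or "", ipaddress.ip_network(f"{m[2]}/{m[3]}"), ipaddress.ip_address(m[4])))
        elif m := re.match(r"access-list (\S+) extended permit ip any any$", s):
            cfg["acl_any"].add(m[1])
        elif m := re.match(r"access-group (\S+) in interface (\S+)$", s):
            cfg["acl_in"][m[2]] = m[1]
        elif s == "inspect icmp":
            cfg["icmp"] = True
    return cfg

def audit(asa_text, core_text):
    """Return findings; an empty list means the LAN -> ASA -> Internet path looks complete."""
    asa, core, f = parse(asa_text), parse(core_text), []
    by_name = {v["nameif"]: v for v in asa["ifaces"].values() if "nameif" in v}
    inside = by_name["inside"]["ip address"]
    if not any(n.prefixlen == 0 and nh == inside.ip for _, n, nh in core["routes"]):
        f.append(f"core: no default route to {inside.ip}")
    if not any(i == "outside" and n.prefixlen == 0 for i, n, _ in asa["routes"]):
        f.append("asa: no default route via outside")
    natted = [asa["objects"][o] for o, s, d in asa["nat"] if (s, d) == ("inside", "outside") and asa["objects"][o]]
    for name, v in core["ifaces"].items():
        if not name.startswith("Vlan") or "ip address" not in v:
            continue
        subnet = v["ip address"].network
        if not any(i == "inside" and n.prefixlen and subnet.subnet_of(n) and nh in inside.network
                   for i, n, nh in asa["routes"]):
            f.append(f"asa: no route to {subnet} ({name}) via a next hop in {inside.network}")
        if not any(subnet.subnet_of(n) for n in natted):  # the posted object only covers the transit /24
            f.append(f"asa: no inside->outside NAT covers {subnet} ({name})")
    if not asa["icmp"]:
        f.append("asa: icmp is not inspected, so echo replies from outside are dropped")
    for ifname, acl in asa["acl_in"].items():  # a caveat the thread does not raise
        if acl in asa["acl_any"] and by_name.get(ifname, {}).get("security-level") == "0":
            f.append(f"asa: ACL {acl} permits ip any any inbound on {ifname} (security-level 0)")
    return f

def audit_thread(name_fmt=None):
    """None audits the posted configs; "VLAN{}" or "LAN" applies the replies' fix using those object names."""
    return audit(ASA_POSTED, CORE_POSTED) if name_fmt is None else audit(ASA_POSTED + asa_fix(name_fmt), CORE_POSTED + CORE_FIX)
```

`audit_thread()` returns eight findings for the posted configs (the core default route, a missing return route and a missing NAT for each of the three VLANs, and the ACL caveat); `audit_thread("VLAN{}")` leaves only the ACL caveat. `audit_thread("LAN")` shows why the three NAT objects need distinct names: the parser, like the ASA, keeps only the last subnet assigned to a re-entered object, so VLAN 2 and VLAN 3 come back as un-NATted. On the box itself, `packet-tracer input inside tcp 10.20.10.10 1024 8.8.8.8 80 detailed` is the equivalent check and shows which phase (route lookup, NAT, ACL) drops the flow.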

Your configuration is partial, so we are assuming some points. As the expert Marius Gunnerud said, you are missing a default route on your switch and the NAT statements for your VLANs/subnets, as already mentioned. You should check and verify this configuration and make the necessary changes.

Along with this, you will also require routes back to your inside networks on the ASA, which I mentioned in my previous post.

route INSIDE 10.20.10.0 255.255.255.0 10.10.10.2
route INSIDE 10.30.10.0 255.255.255.0 10.10.10.2
route INSIDE 10.40.10.0 255.255.255.0 10.10.10.2

After making the necessary changes, if you are still having the issue, please post the packet-tracer output so that we can investigate further.

packet-tracer input INSIDE tcp 10.0.0.10 80 1.1.1.1 80 detailed

HTH
### RATE ALL HELPFUL RESPONSES ###

All changes have been done, but I am still facing the problem.

For testing purposes, I configured the network environment in Cisco Packet Tracer. Please find the attachment.

Public IP addresses have been changed in the attached file.

 

Tested:

1. Inter-VLAN routing is working fine.

2. LAN and DMZ communicate properly.

3. The DMZ AV server can ping the live AV server properly.

 

The problem is:

1. LAN network computers are not able to communicate with the live AV server (124.124.124.2). It is used to download the AV package for updating LAN computers.

2. The live AV server is not able to ping the DMZ server for the daily AV update.

 

We need to see your full running configuration (remember to remove any public IPs, usernames and passwords).

Also, I am unable to open the file you attached. Could you post it as a .pcap file please?

--
Please remember to select a correct answer and rate helpful posts

Hi,

Your configuration is good, but you are using an ASA 5506 in PT and it has a bug with NAT. NAT is not working on the ASA 5506 in PT. You can use the same configuration on a Cisco ASA 5505 and it will work.

 

We have seen the same NAT issue on the 5506 with many users.

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment helps you!

It was configured in PT just for testing purposes. Actually, my network uses an ASA 5510. We are not able to solve my problem, which is mentioned here.
