11-08-2022 10:15 AM - edited 11-29-2022 11:42 AM
Hi all,
I am new to Cisco and am trying to set up a new ASA 5505 and a 3560 switch. I can make the internet work from my Comcast to the ASA 5505 to my laptop, with DHCP from the ASA. However, my switch cannot get to the internet from the ASA. From the switch I can ping the IP of the ASA port, and also from the ASA, but no internet. The switch gets DHCP from a Windows server on VLAN 10, and the port that connects to the ASA is VLAN 20. I want to make sure it works before I do other configuration. Thank you for all your help.
11-08-2022 01:33 PM
From ASA port 0/3 I set up DHCP, and if I connect straight to the laptop, the laptop gets the IP 172.168.10.100 and it has internet.
dhcpd address 172.168.10.100-172.168.10.200 VPHAM
dhcpd dns 8.8.8.8 interface VPHAM
dhcpd enable VPHAM
However, if I connect ASA port 0/3 to switch port 0/2 (VLAN 20, and it is the only port belonging to VLAN 20), nothing happens because the rest of the switch is VLAN 10 and 12, and I use switchport trunk allowed vlan 1,10,20 to let them talk to each other. Maybe I am wrong?
11-08-2022 01:44 PM
I am still trying to figure out, with the ASA connected to switch port 0/2 VLAN 20 (only this port is VLAN 20), how the internet gets to VLAN 10 and 12?
If I connect the laptop to VLAN 10 or 12, the laptop gets the IP from the DHCP server 192.168.10.100. I can ping the servers and the servers can ping the laptop, but there is no internet, and I cannot ping port 0/2 VLAN 20. I think I am missing something here.
interface GigabitEthernet0/2 -> Connect to ASA port
switchport access vlan 20
switchport trunk allowed vlan 1,10,20
interface Vlan20
ip address 172.168.10.3 255.255.255.0
!
interface Vlan10
ip address 192.168.10.1 255.255.255.0
!
interface Vlan12
ip address 10.33.12.1 255.255.255.0
ip helper-address 10.33.10.10
ip helper-address 192.168.10.10
!
11-08-2022 10:45 AM
You have not provided some information. To get clarity:
When you connected the laptop, what interface did you connect to on the ASA, and what IP address did you use on the laptop?
After testing, what port on the ASA was used to connect to the switch?
Some reference:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/int5505.html
11-19-2022 01:08 PM
Thank you so much. Finally I made it work.
11-08-2022 11:48 AM
Hi Bandi,
Thank you for the quick response. I use VLAN 15 from port 3 when I connect from the ASA to my laptop. It gets DHCP from the ASA and I can get to the internet without any problem.
------ASA-----
interface Ethernet0/3 -> port connect to switch
switchport access vlan 15
interface Vlan15
nameif VPHAM
security-level 100
ip address 172.168.10.1 255.255.255.0
dhcpd address 172.168.10.100-172.168.10.100 VPHAM
dhcpd dns 8.8.8.8 interface VPHAM
dhcpd enable VPHAM
----switch
interface GigabitEthernet0/2 -> Connect to ASA
switchport access vlan 20
switchport trunk allowed vlan 1,10,20
interface Vlan20
ip address 172.168.10.3 255.255.255.0
From the switch I can ping 172.168.10.1 and 172.168.10.3, and also from the ASA, but if I connect my laptop to the switch, I cannot ping those IPs. I hope that makes sense.
Thank you
11-08-2022 12:29 PM
What port is the laptop connected to? Did the laptop get an IP address? (ipconfig /all gives you the IP address.)
Looking at the switch config, other than 1 or 2 trunk ports belonging to VLAN 20, the rest do not have any access VLAN 20 config on the interface?
If you are looking to get an IP from the ASA:
interface Vlan20
ip address 172.168.10.3 255.255.255.0
ip helper-address 172.168.10.1
and one of the ports should have the config below for the laptop to work:
interface GigabitEthernetx/x
switchport access vlan 20
switchport mode access
no shutdown
11-08-2022 12:36 PM
I see the ASA has VLAN 15, but where is the config of VLAN 15? Maybe you mean VLAN 25?
11-08-2022 01:22 PM
Hi MHM,
There is VLAN 15 in the ASA, as I posted above. I want to make sure the internet works first before I jump to other VLANs.
Thank you
interface Vlan15
nameif VPHAM
security-level 100
ip address 172.168.10.1 255.255.255.0
!
-----------------------------ASA 5505 ------------------
ciscoasa# show config
: Saved
:
: Serial Number: XXXX
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
: Written by enable_15 at 12:19:05.212 PST Sun Nov 6 2022
!
ASA Version 9.1(7)
!
hostname ciscoasa
domain-name testXXXXX
enable password XXXXX encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool vpn-pool xxxx.200 mask 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 15
!
interface Ethernet0/2
switchport access vlan 15
!
interface Ethernet0/3
switchport access vlan 15
!
interface Ethernet0/4
switchport access vlan 12
!
interface Ethernet0/5
switchport access vlan 15
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.33.20.3 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan12
nameif Wireless-guest
security-level 10
ip address 10.33.13.1 255.255.255.0
!
interface Vlan15
nameif VPHAM
security-level 100
ip address 172.168.10.1 255.255.255.0
!
boot system disk0:/asa917-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 10.33.10.50
domain-name XXXXX.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network VPHAM
subnet 172.168.10.0 255.255.255.0
object network obj-192.168.10.0
subnet 192.168.10.0 255.255.255.0
object network LAN
object-group service RDP tcp
description for SIP
port-object eq 3389
object-group service rtp udp
description REal time for SIP
port-object range 1000 10500
object-group service DM_INLINE_UDP_1 udp
group-object rtp
port-object eq sip
object-group network XXXXX
network-object XXXXX 255.255.255.0
network-object XXXXXX255.255.255.0
network-object object XXXXX
object-group network Forefront-Servers
description AV servers at microsoft
network-object object forefront-2
network-object object forefront-1
network-object object forefront-3
network-object object forefront-7
network-object object forefront-9
network-object object forefront-8
network-object object forefront-10
network-object object forefront-11
network-object object forefront-12
network-object object forefront-13
network-object object forefront-4
network-object object forefront-5
network-object object forefront-6
object-group network DM_INLINE_NETWORK_2
network-object XXXXX 255.255.255.0
network-object host XXXXXX
access-list inside_access_in extended permit icmp any4 any4
access-list inside_access_in extended permit ip any4 any4
access-list inside_access_in extended permit ip host 192.0.0.0 any
access-list inside_access_in extended permit ip 192.0.0.0 255.0.0.0 any
access-list XXXXX_splitTunnelAcl standard permit XXXXXXX 255.255.0.0
access-list voice_access_in extended permit ip any4 any4
access-list voice_access_in extended permit icmp any4 any4
access-list Wireless-guest_access_in extended permit icmp any4 any4
access-list outside_access_in extended permit icmp any4 any4
pager lines 24
logging enable
logging timestamp
logging asdm-buffer-size 500
logging asdm informational
logging flash-bufferwrap
mtu inside 1500
mtu outside 1500
mtu Wireless-guest 1500
mtu VPHAM 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-752-153.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network VPHAM
nat (VPHAM,outside) dynamic interface
object network obj-192.168.10.0
nat (inside,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group Wireless-guest_access_in in interface Wireless-guest
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
route inside 192.168.10.0 255.255.255.0 172.168.10.3 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.33.10.50
key *****
radius-common-pw R@dius
user-identity default-domain LOCAL
nac-policy site2site-nac-framework-create nac-framework
reval-period 36000
sq-period 300
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
sla monitor 1
type echo protocol ipIcmpEcho XXXX interface outside
frequency 5
sla monitor schedule 1 life forever start-time now
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer XXXXXXX
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint XXXX-onsite
enrollment self
crl configure
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 201
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
dhcpd address 172.168.10.100-172.168.10.100 VPHAM
dhcpd dns 8.8.8.8 interface VPHAM
dhcpd enable VPHAM
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-dart-win-2.5.3055-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-2.5.3055-k9.pkg 2
anyconnect image disk0:/sslclient-win-1.1.0.154.pkg 3
anyconnect enable
tunnel-group-list enable
cache
disable
group-policy ssl-cal-ssf internal
group-policy ssl-cal-ssf attributes
banner none
wins-server none
dns-server value 10.33.10.10
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
ipv6-vpn-filter none
vpn-tunnel-protocol ssl-client ssl-clientless
group-lock none
split-tunnel-policy tunnelspecified
split-tunnel-network-list value XXXX_splitTunnelAcl
default-domain value XXXXX.com
split-dns value XXXXX.com
vlan none
nac-settings none
address-pools none
ipv6-address-pools none
smartcard-removal-disconnect enable
webvpn
url-list none
filter none
anyconnect ask enable default anyconnect
group-policy XXXXX internal
group-policy XXXXXX attributes
dns-server value XXXXXX XXXXX
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value XXXXX_splitTunnelAcl
default-domain value XXXX.com
split-dns value XXXX.com
address-pools value vpn-pool
group-policy users internal
group-policy users attributes
dns-server value XXXXX
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value XXXX_splitTunnelAcl
default-domain value XXXX.com
split-dns value XXXX.com
address-pools value vpn-pool
group-policy site2site internal
group-policy site2site attributes
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-tunnel-protocol l2tp-ipsec
ip-comp disable
re-xauth disable
group-lock none
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout none
ip-phone-bypass disable
leap-bypass disable
nem disable
nac-settings value site2site-nac-framework-create
address-pools none
smartcard-removal-disconnect enable
client-firewall none
group-policy any-gp internal
group-policy any-gp attributes
dns-server value XXXXXX
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value XXXX
default-domain value calithera.com
split-dns value XXXX.com
webvpn
anyconnect ssl dtls enable
anyconnect mtu 1406
anyconnect keep-installer installed
anyconnect ssl keepalive 20
anyconnect ssl compression none
anyconnect ssl df-bit-ignore disable
anyconnect routing-filtering-ignore disable
username administrator password nbRyFH1UC.tq1qxD encrypted privilege 15
username administrator attributes
vpn-group-policy XXXXX
tunnel-group XXXXX type remote-access
tunnel-group XXXXXX general-attributes
address-pool vpn-pool
default-group-policy XXXXXX
tunnel-group XXXXX ipsec-attributes
ikev1 pre-shared-key *****
ikev1 pre-shared-key *****
chain
tunnel-group users type remote-access
tunnel-group users general-attributes
address-pool vpn-pool
authentication-server-group RADIUS
default-group-policy users
tunnel-group users ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group any-ssl type remote-access
tunnel-group any-ssl general-attributes
address-pool vpn-pool
authentication-server-group RADIUS LOCAL
default-group-policy any-gp
tunnel-group any-ssl webvpn-attributes
group-alias Anyconnect enable
ikev1 pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4e5ad507be2d97ab1195823b9f8b9d9a
11-09-2022 12:29 PM
Thank you so much. The admin just removed me from spam.
11-19-2022 01:09 PM
Thank you so much for pointing out the same VLAN 15 for both the ASA and the switch. It works. Thank you.
11-08-2022 01:56 PM
Sorry if I am not clear; I am asking where the config of VLAN 15 is in the SW, not in the ASA.
For the interconnect between VLANs through the ASA you need
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
For internet you need
nat (inside,outside) source dynamic any interface
nat (Wireless-guest,outside) source dynamic any interface
nat (VPHAM,outside) source dynamic any interface
one dynamic NAT for each VLAN.
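As an added example (not code from this thread), here is a small Python checker that reads the ASA and switch snippets posted above and reports, for every switch VLAN subnet, whether the ASA has a route back whose next hop actually sits on the interface named in the route, and whether that interface has a dynamic NAT to outside, the two points the replies raise. The config lines in the sample strings are copied from the thread; the parser, the check and the function names are my own and assume the usual ASA ordering of nameif before ip address.

```python
import ipaddress
import re

IP = r"(\d+\.\d+\.\d+\.\d+)"
def net(a, m): return ipaddress.ip_network(f"{a}/{m}", strict=False)

def parse(cfg):
    # Works for both boxes: interface/nameif -> connected subnet, static routes, nameifs NATed to outside.
    ifaces, routes, nat_ifs, cur = {}, [], set(), None
    for line in cfg.splitlines():
        if m := re.match(r"\s*(?:nameif|interface) (\S+)", line):
            cur = m[1]
        elif m := re.match(rf"\s*ip address {IP} {IP}", line):
            ifaces[cur] = net(m[1], m[2])
        elif m := re.match(rf"\s*route (\S+) {IP} {IP} {IP}", line):
            routes.append((m[1], net(m[2], m[3]), ipaddress.ip_address(m[4])))
        elif m := re.match(r"\s*nat \((\S+),outside\) .*dynamic", line):
            nat_ifs.add(m[1])
    return ifaces, routes, nat_ifs

def check(asa_cfg, sw_cfg):
    # For each switch VLAN subnet: is there a usable ASA route back, and a NAT to outside for it?
    ifaces, routes, nat_ifs = parse(asa_cfg)
    findings = []
    for svi, subnet in parse(sw_cfg)[0].items():
        if subnet in ifaces.values():
            continue  # transit subnet shared with the ASA, directly connected
        hits = [r for r in routes if r[1] == subnet]
        if not hits:
            findings.append(f"{svi} {subnet}: no ASA route, return traffic fails")
            continue
        ifname, _, nh = hits[0]
        if nh not in ifaces.get(ifname, net("0.0.0.0", "255.255.255.255")):
            findings.append(f"{svi} {subnet}: next hop {nh} not on ASA interface {ifname}")
        elif ifname not in nat_ifs:
            findings.append(f"{svi} {subnet}: no dynamic NAT ({ifname},outside), no internet")
    return findings

# Constructed samples: the relevant lines from the ASA and switch configs in this thread.
ASA_CFG = """nameif inside
ip address 10.33.20.3 255.255.255.0
nameif VPHAM
ip address 172.168.10.1 255.255.255.0
route inside 192.168.10.0 255.255.255.0 172.168.10.3 1
nat (VPHAM,outside) dynamic interface
nat (inside,outside) after-auto source dynamic any interface"""
SW_CFG = """interface Vlan20
ip address 172.168.10.3 255.255.255.0
interface Vlan10
ip address 192.168.10.1 255.255.255.0
interface Vlan12
ip address 10.33.12.1 255.255.255.0"""
```

Running check(ASA_CFG, SW_CFG) flags that the route for 192.168.10.0/24 points at 172.168.10.3 via inside, whose subnet is 10.33.20.0/24, and that 10.33.12.0/24 has no ASA route at all.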
11-08-2022 02:00 PM
For the routing, which I think is the big issue here: you configured a VLAN in the ASA that is reached via another VLAN to the L3 SW??
Can you draw the topology?
11-08-2022 03:21 PM
11-08-2022 02:50 PM
Hi MHM,
Thank you for the quick response. There is no VLAN 15 in the switch. From ASA port 0/3 VLAN 15 to switch port 0/2 VLAN 20.
1. Do they have to be the same VLAN on both the ASA and the switch?