10-04-2022 08:06 PM - edited 10-04-2022 08:08 PM
OK for the life of me, I cannot figure out how to route VLANs so that they have Internet access. Whether I choose Access or Trunk, I simply cannot get it to work. Online searches turned up absolutely nothing, not even the Cisco documentation could explain it.
I have my main Vlan1 (inside) which works fine. I am trying to create Vlan10 and Vlan 20. Testing Vlan10 for now which is assigned 10.0.10.1/27. I created a DHCP server for it so when I connect to the port for it, in this case, Ethernet 1/6, I get a DHCP lease and the OpenDNS servers. However, I cannot reach the internet.
My goal is to have these Vlans access the Internet without being able to access the other Vlans. The documentation does not clearly explain how to do this, so I am at a loss. I have a call scheduled with TAC tomorrow on another matter but wanted to see if anyone knew how to do this in the meantime.
I am using the web interface for now since I am less than novice on the CLI. i.e. I don't know how to use it. This is for a lab so not production, for now I am trying to learn the product. I am using software 7.2.1-40.
10-04-2022 08:47 PM
A VLAN interface needs an IP address (which you apparently have), access control policy rule(s) (otherwise it hits the default, usually deny all) and a NAT (usually a dynamic NAT to the outside interface).
Can you check the second and third items in your case?
10-04-2022 08:55 PM
Thanks for the reply. Yes there is the default NAT and the default access control set which was created upon first setup.
Access Control:
Inside_Outside_Rule
Action: Trust
inside_zone > any network > any port > any sgt group
outside_zone > any network > any port > any sgt group
NAT:
InsideOutsideNatRule
Manual NAT
Status Enabled
Placement: Before Auto NAT Rules
Type Dynamic
Source interface: inside
Source address: any-ipv4
Source port, Destination address and destination port set to any.
Destination interface: outside
Source address: interface
Source port, Destination address and destination port set to any.
10-04-2022 09:17 PM - edited 10-04-2022 09:18 PM
Wow, I got it! Thanks for the clue on access control and NAT. I was missing the security zone and the NAT interface. The Vlan was for my wifi, so I created a wifi security zone and created a new access control rule for that zone to allow it to the outside zone. Then I created a new dynamic NAT rule for the wifi interface to translate to the outside interface. After deploying, it finally worked! That was an adventure.
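The three items from the accepted reply (security zone, access control rule, dynamic NAT to the outside interface), plus the isolation goal from the original question, written as a check over a simplified configuration model. This is an added example, not part of the thread and not Cisco code; the dictionary layout, the interface name `vlan10`, the zone `wifi_zone` and the rule names `Wifi_Outside_Rule` and `WifiOutsideNatRule` are constructed for illustration and are not a device export format or API schema.

```python
import copy

PERMIT = {"Allow", "Trust"}

# Constructed model of the state before the fix (hypothetical layout, not a
# device export): vlan10 has an address but no zone, rule or NAT of its own.
BEFORE = {
    "zones": {"inside_zone": ["inside"], "outside_zone": ["outside"]},
    "access_rules": [{"name": "Inside_Outside_Rule", "action": "Trust",
                      "src": ["inside_zone"], "dst": ["outside_zone"]}],
    "nat_rules": [{"name": "InsideOutsideNatRule", "type": "Dynamic",
                   "enabled": True, "src_if": "inside", "dst_if": "outside"}],
}

# Constructed model of the state after the fix described in the last post.
AFTER = copy.deepcopy(BEFORE)
AFTER["zones"]["wifi_zone"] = ["vlan10"]
AFTER["access_rules"].append({"name": "Wifi_Outside_Rule", "action": "Allow",
                              "src": ["wifi_zone"], "dst": ["outside_zone"]})
AFTER["nat_rules"].append({"name": "WifiOutsideNatRule", "type": "Dynamic",
                           "enabled": True, "src_if": "vlan10", "dst_if": "outside"})

def audit(cfg, internal_ifs, outside_if="outside"):
    """Return {interface: [findings]}; an empty list means all checks pass."""
    zone_of = {i: z for z, ifs in cfg["zones"].items() for i in ifs}
    outside_zone = zone_of[outside_if]
    internal_zones = {zone_of[i] for i in internal_ifs if i in zone_of}
    report = {}
    for ifc in internal_ifs:
        zone, findings = zone_of.get(ifc), []
        # Permit rules whose source is this interface's zone (none if unzoned).
        permits = [r for r in cfg["access_rules"]
                   if r["action"] in PERMIT and zone in r["src"]]
        if zone is None:
            findings.append("no security zone")
        if not any(outside_zone in r["dst"] for r in permits):
            findings.append("no permit rule to outside zone")
        if not any(n["enabled"] and n["type"] == "Dynamic" and n["src_if"] == ifc
                   and n["dst_if"] == outside_if for n in cfg["nat_rules"]):
            findings.append("no dynamic NAT to outside interface")
        # Isolation goal: flag any permit rule that reaches another internal zone.
        for r in permits:
            for z in sorted((internal_zones - {zone}) & set(r["dst"])):
                findings.append(f"{r['name']} permits traffic to {z}")
        report[ifc] = findings
    return report

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(cfg, ["inside", "vlan10"]))
```

The last check is the one that matters for the isolation goal: a later rule from `wifi_zone` to `inside_zone` would leave Internet access working while removing the separation between the Vlans.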