Our current network only has a handful of VLANs, with VLAN1 having an IP range for PCs and servers of 10.255.0.0 255.255.0.0.
We have started to create new VLANs, and our first test one is VLAN2 with an IP address range of 10.254.25.0/24.
We have a new 6500 switch; the subnet and DHCP are created on that, with a static default gateway set to our firewall at 10.255.251.211.
On the firewall, for testing purposes, there is an any-any rule allowing everyone internally access out to the internet (or so I thought).
Currently anyone on the 10.255.0.0 range has internet access, those on the 10.254.25.0 range don't.
Have I missed something on the firewall config for this new subnet?
Thanks in advance
If I wanted to test a ping from 10.254.25.42 to 188.8.131.52, what rule would I add to accomplish this? I have tried a few but have had no luck with
I already have an outside rule with the source being 208.67.222 and destination any and this allows pings to work from my old network out and back in.
Just no luck with the new subnet.
I still feel there could be an issue on the 6500, but it's hard to prove as the engineer feels it's all firewall and I can't access the config of it!
Your config shows a NAT statement for users in the 10.255.x.x subnet, nat (inside) 1 10.255.0.0 255.255.0.0, but this does not cover the users in the new subnet, 10.254.25.0. I would remove the current nat (inside) command and add the following line: nat (inside) 1 0.0.0.0 0.0.0.0. This command will cover all of your internal subnets and will PAT them to the outside interface.
Please let me know if this works for you.
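The coverage problem described in this answer can be checked offline before touching the firewall. The following is an added example, not code from the thread or from Cisco: it parses pre-8.3 style nat (inside) statements and reports which internal hosts would have no dynamic NAT/PAT entry. The host 10.255.10.5 and the line-number-free rule strings are constructed for the demo; 10.254.25.42 is the test host from the thread.

```python
import ipaddress
import re

# Constructed samples of the two NAT statements discussed above: the original,
# which only covers 10.255.0.0/16, and the proposed catch-all replacement.
ORIGINAL_NAT = ["nat (inside) 1 10.255.0.0 255.255.0.0"]
PROPOSED_NAT = ["nat (inside) 1 0.0.0.0 0.0.0.0"]

# Matches the legacy form: nat (<interface>) <nat-id> <network> <mask>
NAT_RE = re.compile(
    r"^nat\s+\((?P<iface>[\w-]+)\)\s+(?P<id>\d+)\s+"
    r"(?P<net>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)\s*$"
)


def parse_nat(lines):
    """Parse nat statements into (interface, nat_id, IPv4Network) tuples."""
    rules = []
    for line in lines:
        m = NAT_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised nat statement: {line!r}")
        net = ipaddress.IPv4Network((m["net"], m["mask"]), strict=False)
        rules.append((m["iface"], int(m["id"]), net))
    return rules


def matching_nat_id(rules, host, iface="inside"):
    """Return the nat id that would translate `host` arriving on `iface`,
    or None if no statement covers it (then there is no xlate to build and
    the traffic never reaches the outside). Overlapping statements resolve
    to the most specific (longest-prefix) network."""
    addr = ipaddress.IPv4Address(host)
    best = None
    for r_iface, nat_id, net in rules:
        if r_iface == iface and addr in net:
            if best is None or net.prefixlen > best[1].prefixlen:
                best = (nat_id, net)
    return best[0] if best else None


def uncovered_hosts(rules, hosts, iface="inside"):
    """List the hosts that no nat statement on `iface` would translate."""
    return [h for h in hosts if matching_nat_id(rules, h, iface) is None]


if __name__ == "__main__":
    hosts = ["10.255.10.5", "10.254.25.42"]  # constructed old-VLAN host + thread's test host
    print("original config leaves untranslated:", uncovered_hosts(parse_nat(ORIGINAL_NAT), hosts))
    print("proposed config leaves untranslated:", uncovered_hosts(parse_nat(PROPOSED_NAT), hosts))
```

Note that this only tells you whether a translation exists; as the thread later shows, a host can have working NAT and still fail on name resolution.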
Hi, have you tried running the Packet Tracer utility in the ASDM for the ASA in question? This tool will tell you whether or not your packets are being dropped by the firewall. If you put in the source IP and port and destination IP and port and it comes back as passing the traffic, then there is most likely another routing/networking issue somewhere else in your network.
Also, you can log into the ASA and use the Capture command to see if the traffic is hitting your firewall and being passed to the internet or being dropped, or not hitting your firewall at all. For example, if the IP address of the PC you are testing from is 10.254.25.100 and you ping any Internet address (such as 184.108.40.206, which was mentioned earlier), you would use the command (from the Configuration prompt): capture
I would recommend using the Packet tracer first to see if the packet would be permitted or denied, then run the capture.
Edit- also, after you configured the new NAT/Global configuration above, did you issue the 'clear xlate' command?
I actually think I have narrowed down the issue to DNS on the 6500 the other engineer is installing.
When on the new subnet I can ping external IP Addresses and can also navigate to websites using IP Addresses - just not by name.
The problem I have had all along is that the external engineer has full control of the 6500, so I have been unable to check their configs.
I think internet access on the ASA is now configured fine thanks to your last post regarding the NAT line.
I am now going to bounce the DNS issue back to the other engineer.
Thanks again for all your help, it has been much appreciated!