07-17-2014 02:38 PM - edited 03-11-2019 09:29 PM
I have a sub-interface 'on' the inside (see below) and set up the VLAN ID --> connected the VLAN to the switch and routed to the port. The server(s) recognize the 'new' VLAN / IPs, but do not have connectivity to the internet.
My assumption is it's at the gateway? Also, I can ping an IP on the inside interface from the VLAN, but not the inside interface itself.
!
interface GigabitEthernet0/1
speed 100
duplex full
nameif Inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
vlan 20
nameif IOS_DC
security-level 100
ip address 10.10.2.1 255.255.255.0
!
07-18-2014 12:35 AM
Hi,
I don't think your configuration has problems from an interface perspective. But make sure that you have all the settings defined below.
1) Your switch has VLAN 20 and you are trying to access the internet from a machine connected to VLAN 20.
2) Make sure that you have an access-list bound to the subinterface in case you have anything such.... say
access-list ios-dc permit tcp 10.10.2.0 255.255.255.0 any eq www
access-list ios-dc permit tcp 10.10.2.0 255.255.255.0 any eq https
access-list ios-dc permit udp 10.10.2.0 255.255.255.0 any eq domain
!
access-group ios-dc in interface IOS_DC
!
3) Make sure that NAT/PAT is configured for this...
object network IOS_DC_NET -- In new version (the object name is an example)
 subnet 10.10.2.0 255.255.255.0
 nat (IOS_DC,Outside) dynamic interface
if it is old version
nat (IOS_DC) 1 10.10.2.0 255.255.255.0
global (outside) 1 interface
Set your default gateway for the VLAN 20 PC to 10.10.2.1... you should be able to reach that.... if it is trunked and connected to the FW......
If all these things are there... then you should be able to get to the internet...
Regards
Karthik
07-18-2014 12:07 AM
Hi,
I am attaching a screenshot, which shows the config for a sub-interface as it is generally implemented.
Regards,
Anim Saxena
Community Manager (Security)
07-18-2014 12:35 AM
Hi,
The configuration seems kind of strange. I mean the fact that you have configured an IP address under the actual physical interface but also configured a subinterface for the physical interface. Typically when you configure a trunk you leave the physical interface configuration blank other than the duplex/speed and description settings.
How is the switchport connected to this ASA configured?
EDIT: Just to add, I presume that if your "inside" users are in VLAN 1 of the switched network then it is probably understandable that it works, as the traffic comes to the ASA untagged.
If you want to test the ASA configurations then you can use the command
packet-tracer input IOS_DC tcp 10.10.2.100 12345 8.8.8.8 80
The above IPs are just chosen by me randomly. The output of the above command should show you what rules such a packet would match on the ASA. We could for example see if the traffic is even allowed and, if it is allowed, whether it has proper NAT configuration and so on.
- Jouni
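Jouni's packet-tracer run answers two questions: does the simulated packet get through, and if it does, is it translated on the way out. Reading that off a long list of phases by eye is error-prone, so here is an added example, not code from this thread or from Cisco, that parses packet-tracer output into its phases and the final Result block and returns a verdict. The two sample outputs are constructed, modelled on the ASA's format (one Phase block per step, then a Result block with the action and, on a drop, a Drop-reason); the next hop 203.0.113.1, the translated address 203.0.113.2 and the object name IOS_DC_NET are assumptions.

```python
import re

# Constructed samples modelled on the ASA's packet-tracer output (one block per
# phase, then a final Result block). Addresses, the next hop 203.0.113.1, and
# the object name IOS_DC_NET are assumptions, not values from the thread.
ALLOWED = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 203.0.113.1 using egress ifc  outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ios-dc in interface IOS_DC
access-list ios-dc extended permit tcp 10.10.2.0 255.255.255.0 any eq www
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network IOS_DC_NET
 nat (IOS_DC,outside) dynamic interface
Additional Information:
Dynamic translate 10.10.2.100/12345 to 203.0.113.2/12345

Result:
input-interface: IOS_DC
input-status: up
output-interface: outside
output-status: up
Action: allow
"""

DROPPED = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 203.0.113.1 using egress ifc  outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: IOS_DC
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_RE = re.compile(r"^Phase: (\d+)$", re.M)

def parse_packet_tracer(text):
    """Split packet-tracer output into its phases and the trailing Result block."""
    chunks = PHASE_RE.split(text)   # ['', '1', body1, '2', body2, ...]
    phases, summary = [], {}
    for num, body in zip(chunks[1::2], chunks[2::2]):
        body, _, tail = body.partition("\nResult:\n")   # only the last phase carries the summary
        fields = dict(re.findall(r"^(Type|Subtype|Result): ?(.*)$", body, re.M))
        config = body.partition("Config:\n")[2].partition("Additional Information:")[0]
        phases.append({"phase": int(num), "type": fields.get("Type", ""),
                       "result": fields.get("Result", ""), "config": config.strip()})
        if tail:
            summary = dict(re.findall(r"^([\w-]+): (.*)$", tail, re.M))
    return {"phases": phases, "action": summary.get("Action"),
            "drop_reason": summary.get("Drop-reason"), "egress": summary.get("output-interface")}

def diagnose(text):
    """Return (verdict, where, detail): is the packet allowed, and if so, was it NATed?"""
    rep = parse_packet_tracer(text)
    if rep["action"] != "allow":
        failed = next((p for p in rep["phases"] if p["result"] == "DROP"), None)
        return ("DROP", failed["type"] if failed else "unknown phase", rep["drop_reason"] or "")
    nat = [p for p in rep["phases"] if p["type"] == "NAT"]
    if not nat:
        return ("ALLOW_NO_NAT", rep["egress"], "no NAT phase: packet would leave with its private source address")
    return ("ALLOW", rep["egress"], nat[0]["config"].splitlines()[-1].strip())

if __name__ == "__main__":
    for name, sample in (("allowed", ALLOWED), ("dropped", DROPPED)):
        print(name, diagnose(sample))
```

The dropped sample is what the thread's situation would look like once an inbound ACL is bound to IOS_DC and the tested flow is not in it: the ACCESS-LIST phase fails on the implicit rule and the trace never reaches NAT. Run the command once for a web flow and once with icmp instead of tcp to see both outcomes on a real box.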