05-20-2014 02:08 PM - edited 03-11-2019 09:13 PM
Hopefully there are some ASA experts out there! I have been having an issue getting internet access working on VLANs and am literally tearing my hair out!
Ok, just a quick summary of my environment. We have a 3750X Cisco switch trunked over to an ASA 5510.
Internet access is fine for the inside network but having no joy whatsoever with additional vlans and internet access. My steps so far have been:
What am I missing? I can post the switch and ASA configs if anyone would like to help me out. ASA license is base and firewall mode is routed.
Thanks
Neill
05-20-2014 03:01 PM
The ASA config would help, as would the running-config and "show interface" for the switch interface connecting to the ASA.
You didn't mention where the interface connecting the switch to the ASA is configured as a trunk - i.e. "switchport mode trunk"
05-21-2014 11:08 AM
Hi Marvin
Thanks for replying. I didn't want to post the config in my initial post as it would have saturated the query!
See below; I've stripped out stuff that isn't relevant, like VPNs etc.
3750X Config
interface GigabitEthernet1/0/1
description ASA 5510
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2
switchport mode trunk
!
interface GigabitEthernet1/0/2
description SSM Module
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2
switchport mode trunk
!
!
interface Vlan1
ip address 192.168.3.250 255.255.255.0
!
interface Vlan2
description Testing
ip address 10.10.20.250 255.255.255.0
ip helper-address 192.168.3.x
!
interface Vlan5
description Voice Vlan
ip address 10.10.10.250 255.255.255.0
ip helper-address 192.168.3.x
!
ip http server
ip http secure-server
!
ASA Config
:
ASA Version 9.1(3)
!
hostname ……..ASA
domain-name ………
enable password QnKyFyFK6LWudLeM encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
xlate per-session permit tcp any4 any4
xlate per-session permit tcp any4 any6
xlate per-session permit tcp any6 any4
xlate per-session permit tcp any6 any6
xlate per-session permit udp any4 any4 eq domain
xlate per-session permit udp any4 any6 eq domain
xlate per-session permit udp any6 any4 eq domain
xlate per-session permit udp any6 any6 eq domain
passwd gerd0WPZAcHKQ1jK encrypted
names
ip local pool remotes 11.1.1.1-11.1.1.10 mask 255.255.255.0
!
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.3.2 255.255.255.0
!
interface Ethernet0/1.2
description Test VLAN
vlan 2
nameif VLAN2
security-level 100
ip address 10.10.20.2 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa913-k8.bin
boot system disk0:/asa846-5-k8.bin
boot system disk0:/asa842-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 8.8.8.8
domain-name xxxxxxxxx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network NETWORK_OBJ_11.1.1.0_28
subnet 11.1.1.0 255.255.255.240
object network inside_network
subnet 192.168.3.0 255.255.255.0
object network NETWORK_OBJ_192.168.3.0_24
subnet 192.168.3.0 255.255.255.0
object network module
host 192.168.3.8
object network vlantest
host 10.10.20.250
object network vlan2
range 10.10.20.0 255.255.255.0
object-group service DM_INLINE_TCP_2 tcp
port-object eq 3388
port-object eq 4550
port-object eq 5511
port-object eq 5550
port-object eq 5552
port-object eq 5553
port-object eq 5611
port-object eq 6550
port-object eq 81
port-object eq 8554
port-object eq 8866
object-group service DM_INLINE_TCP_3 tcp
port-object eq ftp
port-object eq pop3
port-object eq smtp
port-object eq www
object-group service DM_INLINE_TCP_4 tcp
port-object eq ftp
port-object eq www
port-object eq pop3
port-object eq smtp
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_access_in extended permit tcp any object exchange eq smtp
access-list outside_access_in extended permit tcp any object exchangeportal eq https
access-list outside_access_in extended permit tcp any4 object x.x.x.x eq smtp
access-list outside_access_in extended permit tcp any4 object x.x.x.x eq 6521
access-list outside_access_in extended permit tcp any4 object x.x.x.x eq pptp
access-list outside_access_in extended permit tcp any4 object x.x.x.x object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit ip any4 object x.x.x.x
access-list ACL_VLAN2 extended permit ip 10.10.20.0 255.255.255.0 any
access-list acl_inside extended permit ip any any
access-list acl_inside extended permit icmp any any
access-list global_mpc extended permit tcp any any object-group DM_INLINE_TCP_3
access-list inside_mpc extended permit tcp 192.168.3.0 255.255.255.0 x.x.x.x 255.255.255.240 object-group DM_INLINE_TCP_4
pager lines 24
logging enable
logging monitor informational
logging buffered debugging
logging asdm informational
logging from-address ASAalerts@.........
logging recipient-address …………. level errors
mtu outside 1500
mtu inside 1500
mtu VLAN2 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any VLAN2
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static inside_network inside_network destination static NETWORK_OBJ_11.1.1.0_28 NETWORK_OBJ_11.1.1.0_28 no-proxy-arp
!
object network inside_network
nat (inside,outside) dynamic interface
object network exchange
nat (inside,outside) static interface service tcp smtp smtp
object network exchangeportal
nat (inside,outside) static interface service tcp https https
object network vlan2
nat (VLAN2,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable 444
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
ntp server x.x.x.x source outside prefer
tftp-server inside 192.168.3..x ASA5510.cfg
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
port 444
enable outside
enable inside
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2
anyconnect image disk0:/anyconnect-linux-2.4.1012-k9.pkg 3
anyconnect image disk0:/anyconnect-wince-ARMv4I-2.4.1012-k9.pkg 4
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol ssl-clientless
default-domain value ………
wins-server none
dns-server value 192.168.3.x
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
default-domain value …..
address-pools value remotes
webvpn
group-policy GroupPolicy1 internal
group-policy remotes internal
group-policy remotes attributes
dns-server value 192.168.3.x
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
default-domain value ……..
address-pool remotes
!
class-map global-class
match access-list global_mpc
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
class global-class
csc fail-close
!
service-policy global_policy global
smtp-server 192.168.3.x
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:1f5c2e807da97877abac7e15bb5a5143
: end
05-21-2014 11:08 AM
Your:
object network vlan2
range 10.10.20.0 255.255.255.0
is mis-formed. Try instead:
object network vlan2
subnet 10.10.20.0 255.255.255.0
05-21-2014 01:57 PM
Hopefully that's what it is! I'll give that a go tomorrow and let you know if that resolved it.
Thanks Marvin
05-22-2014 02:26 PM
Hi Marvin,
Still no internet access with the object change from range to subnet.
Should I be able to ping the inside interface IP of 192.168.3.2 from VLAN2? At the moment I can't but I can ping everything else on the 192.168.3.x subnet.
See below for output from the show nat command:
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static exchange interface service tcp smtp smtp
translate_hits = 0, untranslate_hits = 538
2 (inside) to (outside) source static exchangeportal interface service tcp https https
translate_hits = 0, untranslate_hits = 7319
3 (VLAN2) to (outside) source dynamic vlan2 interface
translate_hits = 0, untranslate_hits = 0
4 (inside) to (outside) source dynamic inside_network interface
translate_hits = 617483, untranslate_hits = 24596
See below for output from packet-tracer (I get exactly the same when tracing from an IP on the inside network):
packet-tracer input vlan2 tcp 10.10.20.51 http 8.8.8.8 http
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network vlan2
nat (VLAN2,outside) dynamic interface
Additional Information:
Dynamic translate 10.10.20.51/80 to x.x.x.x /80
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: SSM-DIVERT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: SSM_SERVICE
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: SSM_SERVICE
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 639142, packet dispatched to next module
Result:
input-interface: VLAN2
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
Any other thoughts on where I'm going wrong?
05-22-2014 03:06 PM
From what host on VLAN 2 are you initiating the pings? Does that host have your ASA VLAN 2 interface set as the gateway?
I ask because your "show nat" output indicates no translate hits for traffic coming from VLAN 2:
3 (VLAN2) to (outside) source dynamic vlan2 interface
translate_hits = 0, untranslate_hits = 0
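The diagnostic step in the reply above (reading the translate_hits counters of "show nat" to see whether any packet from VLAN 2 ever reached the NAT stage) can be automated. The following is an added example, not code from the thread or from Cisco: it parses the Auto NAT section as pasted in this thread (embedded below as a constructed sample) and lists the dynamic rules whose translate counter never moved, which is exactly the condition that pointed at a gateway problem rather than a NAT problem.

```python
import re
from dataclasses import dataclass

# Constructed sample: the "show nat" output posted in the thread, Auto NAT
# section only. Rule 3 (VLAN2 -> outside) shows translate_hits = 0, meaning
# the ASA never saw an outbound packet sourced from VLAN 2.
SHOW_NAT_OUTPUT = """\
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static exchange interface service tcp smtp smtp
translate_hits = 0, untranslate_hits = 538
2 (inside) to (outside) source static exchangeportal interface service tcp https https
translate_hits = 0, untranslate_hits = 7319
3 (VLAN2) to (outside) source dynamic vlan2 interface
translate_hits = 0, untranslate_hits = 0
4 (inside) to (outside) source dynamic inside_network interface
translate_hits = 617483, untranslate_hits = 24596
"""

# One regex for the rule line, one for the counter line that follows it.
RULE_RE = re.compile(
    r"^(\d+)\s+\((\S+)\)\s+to\s+\((\S+)\)\s+source\s+(static|dynamic)\s+(\S+)\s*(.*)$"
)
HITS_RE = re.compile(r"translate_hits\s*=\s*(\d+),\s*untranslate_hits\s*=\s*(\d+)")


@dataclass
class NatRule:
    index: int
    src_if: str
    dst_if: str
    kind: str          # "static" or "dynamic"
    obj: str           # network object the rule is attached to
    translate_hits: int
    untranslate_hits: int


def parse_show_nat(text):
    """Pair each rule line with the counter line that follows it."""
    rules = []
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        m = RULE_RE.match(line)
        if m:
            pending = m
            continue
        h = HITS_RE.search(line)
        if h and pending:
            rules.append(NatRule(int(pending.group(1)), pending.group(2),
                                 pending.group(3), pending.group(4),
                                 pending.group(5), int(h.group(1)),
                                 int(h.group(2))))
            pending = None
    return rules


def idle_dynamic_rules(rules):
    """Dynamic (outbound PAT) rules with translate_hits == 0: no packet from
    that source interface has reached the NAT stage, so the fault is upstream
    of the firewall (host gateway, VLAN tagging, trunk), not in the NAT rule."""
    return [r for r in rules if r.kind == "dynamic" and r.translate_hits == 0]


if __name__ == "__main__":
    for r in idle_dynamic_rules(parse_show_nat(SHOW_NAT_OUTPUT)):
        print(f"rule {r.index}: ({r.src_if}) -> ({r.dst_if}) object {r.obj} "
              f"has never translated a packet; check the hosts' default gateway")
```

Static rules are deliberately left out of the idle check: an inbound static PAT (rules 1 and 2 here) is expected to show untranslate hits only, so a zero translate counter on those is normal.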
05-22-2014 03:06 PM
The pings are initiated from a PC that has obtained an IP from the DHCP server.
The DHCP scope router for VLAN2 is configured as 10.10.20.250 which is the same gateway defined on the 3750 switch.
Should the DHCP scope router IP match the ASA sub interface IP of 10.10.20.2?
05-23-2014 01:20 PM
Problem sorted! The issue was with the router IP of the DHCP scope. Once the gateway was changed to the sub-interface VLAN2 IP address it worked.
Marvin - thanks for taking the time to read the config and give advice.
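Two config-level checks come out of this thread: the "range" object that should have been a "subnet" (Marvin's first reply) and the DHCP scope router that pointed at the switch SVI instead of the ASA sub-interface (the actual fix). The script below is an added example, not code from the thread or from Cisco. It runs over a constructed excerpt of the ASA config as posted here plus a constructed per-VLAN DHCP "router" option (the DHCP server itself is not on the page, so that mapping is assumed), and reports both problems.

```python
import ipaddress

# Constructed excerpt of the ASA config posted in the thread, reduced to the
# lines these checks need. Not a complete running-config.
ASA_CONFIG = """\
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.3.2 255.255.255.0
!
interface Ethernet0/1.2
 description Test VLAN
 vlan 2
 nameif VLAN2
 security-level 100
 ip address 10.10.20.2 255.255.255.0
!
object network inside_network
 subnet 192.168.3.0 255.255.255.0
object network vlan2
 range 10.10.20.0 255.255.255.0
"""

# Constructed: DHCP option 3 (router) per VLAN as described in the thread,
# i.e. VLAN 2 was handing out the switch SVI 10.10.20.250.
DHCP_SCOPE_ROUTER = {2: "10.10.20.250"}


def parse_asa_subinterfaces(config):
    """Return {vlan_id: {"name": nameif, "ip": address}} for every
    dot1q sub-interface (blocks containing a 'vlan N' line)."""
    result, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = {"vlan": None, "name": None, "ip": None}
            continue
        if line == "!" or line.startswith("object "):
            if current and current["vlan"] is not None:
                result[current["vlan"]] = current
            current = None
            continue
        if current is None:
            continue
        if line.startswith("vlan "):
            current["vlan"] = int(line.split()[1])
        elif line.startswith("nameif "):
            current["name"] = line.split()[1]
        elif line.startswith("ip address "):
            current["ip"] = line.split()[2]
    return result


def _looks_like_mask(addr):
    """True for a contiguous netmask such as 255.255.255.0."""
    try:
        ipaddress.IPv4Network(f"0.0.0.0/{addr}")
    except ValueError:
        return False
    return True


def malformed_range_objects(config):
    """'range' takes two host addresses; a netmask as the second argument
    (or an end below the start) means the author wanted 'subnet'."""
    bad, name = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            name = line.split()[2]
        elif name and line.startswith("range "):
            parts = line.split()
            if len(parts) != 3:
                continue
            start, end = parts[1], parts[2]
            reversed_range = ipaddress.IPv4Address(end) < ipaddress.IPv4Address(start)
            if reversed_range or _looks_like_mask(end):
                bad.append((name, line))
    return bad


def gateway_mismatches(asa_ifaces, dhcp_routers):
    """The DHCP router option for a VLAN the ASA terminates must be the ASA
    sub-interface address; anything else sends Internet-bound traffic to a
    device that is not the firewall, which is what happened in this thread."""
    problems = []
    for vlan, router in dhcp_routers.items():
        iface = asa_ifaces.get(vlan)
        if iface is None:
            problems.append((vlan, router, "no ASA sub-interface for this VLAN"))
        elif iface["ip"] != router:
            problems.append((vlan, router, f"ASA {iface['name']} is {iface['ip']}"))
    return problems


if __name__ == "__main__":
    ifaces = parse_asa_subinterfaces(ASA_CONFIG)
    for name, line in malformed_range_objects(ASA_CONFIG):
        print(f"object {name}: '{line}' looks like a subnet, use 'subnet' instead")
    for vlan, router, why in gateway_mismatches(ifaces, DHCP_SCOPE_ROUTER):
        print(f"VLAN {vlan}: DHCP router {router} is not the firewall ({why})")
```

The gateway check is the one that mattered here: the packet-tracer run in the thread passed because the trace is injected directly at the ASA, so it cannot reveal that real hosts were sending their traffic to 10.10.20.250 and never reaching the VLAN2 sub-interface at all.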
05-23-2014 02:53 PM
You're welcome.
Glad to see my analysis was correct. Thanks for the rating.