04-24-2015 02:39 PM - edited 03-11-2019 10:50 PM
We are setting up a new network using a Cisco 2960-X switch through a Cisco ASA 5525 to get to the Internet. The Cisco 2960-X is set up with VLANs, and the interface and its subinterfaces have been created on the Cisco ASA. As far as we can tell we are set up correctly on the switch side. We can connect (ping) the Cisco ASA interface and subinterface IP addresses from the switch, and we can connect (ping) the subinterface IP on the Cisco ASA from a workstation (the subinterface for that VLAN only).
We are unable to connect to the default gateway (external connection), or any other port on the Cisco ASA, from the new network. We suspect we need to set up static NATing but are having difficulty figuring out what NAT rules we need to create. Our ASA is running version 9.1, and most of the information we have found online is for older versions, as the NAT commands have changed considerably.
This diagram shows approximately how we are set up.
What do we need to do to establish Internet connectivity from a VLAN through the Cisco ASA?
04-24-2015 03:08 PM
You need to create a trunk link between the switch and the ASA. Set the gateway of the devices to the VLAN subinterfaces on the ASA. Then you need to set up NAT. What are you using to manage the ASA, CLI or ASDM? Please add the switch and ASA configs if you need more assistance.
04-24-2015 03:15 PM
Andre,
Thanks for replying. We have set up the trunk link, subinterfaces, and gateways. We have been unable to get the NAT configuration to work. We are able to use both the CLI and ASDM.
Gene
04-24-2015 03:17 PM
Can you post your switch and ASA config then?
04-24-2015 05:58 PM
Hi Andre,
Checking the topology on this issue, I see that you are using both the physical interface and have created subinterfaces on it.
I would not recommend that as best practice.
Secondly, are you able to ping the ASA subinterfaces from the hosts in the separate VLANs? If yes, what about a public IP address, e.g. 4.2.2.1?
If yes, post the relevant configuration and packet trace for the traffic outbound to the Internet.
https://supportforums.cisco.com/document/29601/troubleshooting-access-problems-using-packet-tracer
Thanks and Regards,
Vibhor Amrodia
04-27-2015 06:02 AM
Andre and Vibhor,
We are unable to reach the public (exterior-facing) IP addresses from the Cisco 2960-X. The traceroutes either show only one hop, or indefinite hops with all asterisks. We would have to greatly sanitize the two configurations to post them.
We are certain that the static NAT is the problem. There are a lot of examples using the old command, but not the new command (version 9.1 and later).
Gene
04-27-2015 09:04 AM
Hi. Can you please post the configs? As Vibhor said, it's not best practice to use the physical interface as well as subinterfaces. Using traceroute may not work because by default the ASA does not inspect ICMP traffic, unless you have enabled it under your global policy map. Seeing the configs will help in troubleshooting the problem.
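As an added example (not taken from the thread), here is a minimal ASA 9.1-style configuration that covers the points raised above: the trunk-facing physical interface carries only dot1q subinterfaces, outbound Internet access for a private VLAN uses dynamic PAT to the outside interface address in the post-8.3 object NAT syntax, ICMP inspection is enabled so ping and traceroute replies pass back through, and packet-tracer verifies the path. The VLAN ID, interface names and IP addresses are constructed placeholders.

```cisco
! Trunk-facing physical interface: no nameif/IP of its own, only the
! dot1q subinterfaces are addressed (avoids mixing physical + subinterfaces)
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
! One subinterface per VLAN carried on the trunk (VLAN 10 is a constructed example;
! hosts in this VLAN use 192.168.10.1 as their default gateway)
interface GigabitEthernet0/1.10
 vlan 10
 nameif vlan10
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
! Outside interface (addresses are constructed placeholders)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
! Default route toward the ISP next hop
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Object NAT (ASA 8.3+/9.x syntax): VLAN 10 hosts are PATed to the
! outside interface address when leaving toward the Internet
object network NET-VLAN10
 subnet 192.168.10.0 255.255.255.0
 nat (vlan10,outside) dynamic interface
!
! Inspect ICMP so echo replies and traceroute errors are matched to
! their outbound request and allowed back in
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! Verify: simulate a VLAN 10 host opening TCP/80 to an Internet address;
! the output should show the NAT phase and end with "Action: allow"
packet-tracer input vlan10 tcp 192.168.10.50 12345 198.51.100.10 80
```

The matching 2960-X port must be a dot1q trunk that carries VLAN 10; if packet-tracer reports a drop, the phase it names (ROUTE-LOOKUP, NAT, ACCESS-LIST) points at which of the pieces above is missing.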