01-28-2013 05:18 AM - edited 03-04-2019 06:51 PM
Hi all,
This is about a Cisco ASA 5512-X which I configured successfully for the first subnet to get to the internet. Remote VPN to this subnet is working as well. The Cisco has several Ethernet ports and I configured an extra subnet on a new physical port. Whatever I try, the new subnet doesn't get to the internet. Please see my config attached below. What am I missing or what am I doing wrong?
Config:
ASA Version 8.6(1)2
!
hostname ASA
domain-name domain.lan
names
!
interface GigabitEthernet0/0
speed 100
duplex full
nameif outside
security-level 0
pppoe client vpdn group INT
ip address pppoe setroute
!
interface GigabitEthernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.0.11.254 255.255.255.0
!
interface GigabitEthernet0/2
duplex full
nameif Wifi
security-level 100
ip address 192.168.11.254 255.255.255.0
!
interface Management0/0
nameif management
security-level 0
ip address 172.16.251.254 255.255.255.0
management-only
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name domain.lan
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Internal
subnet 10.0.11.0 255.255.255.0
object network Vid
host 10.0.0.240
object network Wifi
subnet 192.168.11.0 255.255.255.0
object network obj_any_Wifi
subnet 0.0.0.0 0.0.0.0
access-list PermitOutsideIn extended permit icmp any any echo
access-list PermitOutsideIn extended permit icmp any any echo-reply
access-list PermitOutsideIn extended permit icmp any any source-quench
access-list PermitOutsideIn extended permit icmp any any time-exceeded
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu Wifi 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (Wifi,outside) source dynamic Wifi interface
!
object network obj_any
nat (inside,outside) dynamic interface
access-group PermitOutsideIn in interface outside
route outside 0.0.0.0 0.0.0.0 37.0.81.170 1
route inside 10.0.12.0 255.255.255.0 10.0.11.99 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable 4433
http 172.16.251.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt noproxyarp inside
telnet timeout 5
ssh 172.16.151.0 255.255.255.0 management
ssh timeout 5
console timeout 0
vpdn group INT request dialout pppoe
vpdn group INT localname ...
vpdn group INT ppp authentication pap
vpdn username ... password ***** store-local
dhcpd auto_config outside
!
dhcpd address 192.168.11.10-192.168.11.40 Wifi
dhcpd dns 8.8.8.8 208.67.222.222 interface Wifi
dhcpd enable Wifi
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username admin password ***** encrypted privilege 15
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map type inspect http block-url-policy
parameters
class block-url-class
drop-connection log
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http block-url-policy
policy-map tcp_bypass_policy
class bypass_traffic
set connection conn-max 256 random-sequence-number disable
policy-map custom-shaper-10000kbps
class class-default
!
service-policy global_policy global
service-policy custom-shaper-10000kbps interface outside
prompt hostname context
01-29-2013 08:23 AM
I assume the 'inside' subnet can get to the internet, but the Wifi cannot.
In that case, you're missing these commands:
object network obj_any_Wifi
nat (Wifi,outside) dynamic interface
It looks like you attempted to set something up by the following command, which I do not believe you need at this point if you put in the others above:
nat (Wifi,outside) source dynamic Wifi interface
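The point of the answer above is that a NAT rule on ASA 8.3+ is selected by its interface pair, not only by the address object: `nat (inside,outside)` under `obj_any` will never translate packets that arrive on Wifi, even though `obj_any` covers 0.0.0.0/0. The following checker is an added example, not code from the thread or from Cisco; it parses the two NAT forms that appear in the posted config (object NAT nested under `object network`, and manual NAT with `source dynamic`) and reports, for every transit interface, which rules translate its connected subnet towards `outside`. The embedded config is a constructed excerpt of the one posted above, and the parser is deliberately narrow (IPv4, `subnet`/`host` objects, dynamic NAT only), so treat a miss as "look closer", not as proof. As the rest of the thread shows, a rule that passes this check and passes `packet-tracer` can still fail for reasons downstream of the ASA.

```python
"""Static NAT-coverage check for an ASA 8.3+ style running-config (added example)."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class NatRule:
    real_if: str                     # interface the packet enters on
    mapped_if: str                   # interface the translated packet leaves on
    real_net: ipaddress.IPv4Network  # real addresses the rule translates
    text: str                        # the config line, for the report


def parse_asa(config):
    """Return (interfaces, nat_rules) from config text; only the keywords used here are read."""
    ifaces = {}      # nameif -> {"net": IPv4Network or None, "sec": int, "mgmt_only": bool}
    objects = {}     # object network name -> IPv4Network
    rules = []
    cur_if = None    # dict of the interface block being read
    cur_obj = None   # name of the object network block being read
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            cur_if = cur_obj = None
            continue
        if line.startswith("interface "):
            cur_if, cur_obj = {"net": None, "sec": 0, "mgmt_only": False}, None
            continue
        if line.startswith("object network "):
            cur_obj, cur_if = line.split()[2], None
            continue
        m = re.match(r"nat \((\S+),(\S+)\) source dynamic (\S+) \S+", line)
        if m:  # manual (twice) NAT: real object named on the line itself
            if m[3] in objects:
                rules.append(NatRule(m[1], m[2], objects[m[3]], line))
            continue
        m = re.match(r"nat \((\S+),(\S+)\) dynamic \S+", line)
        if m:  # object NAT: real addresses come from the enclosing object
            if cur_obj in objects:
                rules.append(NatRule(m[1], m[2], objects[cur_obj], f"{cur_obj}: {line}"))
            continue
        if cur_if is not None:
            if line.startswith("nameif "):
                ifaces[line.split()[1]] = cur_if
            elif line.startswith("security-level "):
                cur_if["sec"] = int(line.split()[1])
            elif line == "management-only":
                cur_if["mgmt_only"] = True
            else:
                m = re.match(r"ip address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$", line)
                if m:  # "ip address pppoe setroute" has no static subnet and is skipped
                    cur_if["net"] = ipaddress.IPv4Network(f"{m[1]}/{m[2]}", strict=False)
        elif cur_obj is not None:
            m = re.match(r"subnet (\S+) (\S+)$", line)
            if m:
                objects[cur_obj] = ipaddress.IPv4Network(f"{m[1]}/{m[2]}", strict=False)
            m = re.match(r"host (\S+)$", line)
            if m:
                objects[cur_obj] = ipaddress.IPv4Network(m[1] + "/32")
    return ifaces, rules


def nat_coverage(config, mapped_if="outside"):
    """Map each transit interface to the NAT rules that translate its subnet towards mapped_if.

    An empty list means hosts behind that interface leave untranslated; with RFC 1918
    addresses that is no internet. Management-only interfaces carry no transit traffic
    and are skipped.
    """
    ifaces, rules = parse_asa(config)
    report = {}
    for name, iface in ifaces.items():
        if name == mapped_if or iface["net"] is None or iface["mgmt_only"]:
            continue
        report[name] = [r.text for r in rules
                        if r.real_if == name and r.mapped_if == mapped_if
                        and iface["net"].subnet_of(r.real_net)]
    return report


# Constructed excerpt of the config posted in the thread (first post).
ASA_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address pppoe setroute
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.11.254 255.255.255.0
!
interface GigabitEthernet0/2
 nameif Wifi
 security-level 100
 ip address 192.168.11.254 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 0
 ip address 172.16.251.254 255.255.255.0
 management-only
!
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network Wifi
 subnet 192.168.11.0 255.255.255.0
object network obj_any_Wifi
 subnet 0.0.0.0 0.0.0.0
nat (Wifi,outside) source dynamic Wifi interface
!
object network obj_any
 nat (inside,outside) dynamic interface
"""

# Variant without any Wifi rule, and the variant the answer above proposes.
WITHOUT_WIFI_NAT = ASA_CONFIG.replace("nat (Wifi,outside) source dynamic Wifi interface\n", "")
WITH_OBJECT_NAT = WITHOUT_WIFI_NAT + "object network obj_any_Wifi\n nat (Wifi,outside) dynamic interface\n"

if __name__ == "__main__":
    for label, cfg in (("posted", ASA_CONFIG), ("no Wifi NAT", WITHOUT_WIFI_NAT), ("object NAT", WITH_OBJECT_NAT)):
        print(label, nat_coverage(cfg))
```

Run as-is it prints three reports: the posted config already covers both `inside` and `Wifi` (the manual rule is a valid twice-NAT form), the variant with the manual rule removed shows `Wifi` with no rule, and the object-NAT variant covers it again. The `management` interface is skipped because of `management-only`.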
01-30-2013 02:22 AM
Thank you for your answer. The inside subnet is indeed the one that has internet; the Wifi doesn't. I tried the suggested command earlier, but without any success. At this moment I'm thinking of clearing the config and starting to build the config from scratch again.
Any help is greatly appreciated.
01-30-2013 06:49 AM
Did you remove the nat(wifi,outside) source dynamic interface command?
Run the following command and paste the output:
packet-tracer input Wifi tcp 192.168.11.10 80 8.8.8.8 80
01-30-2013 11:41 PM
I did remove the nat as you suggested and added the nat in the object network like this:
object network obj_any_Wifi
nat (Wifi,outside) dynamic interface
The trace usually isn't a problem, nor is it now, but still no internet :(
packet-tracer input Wifi tcp 192.168.11.10 80
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: INSPECT
Subtype: inspect-http
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj_any_Wifi
nat (Wifi,outside) dynamic interface
Additional Information:
Dynamic translate 192.168.11.10/80 to 137.190.181.176/166
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 992342, packet dispatched to next module
Result:
input-interface: Wifi
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
01-31-2013 07:11 AM
I got it working, well, sort of. The config in the ASA was good after all; the switches behind the ASA are ruining the internet access. Next thing to do for now is to find out how to get this working.
Thanks jjohnston for having a look at my config.
01-31-2013 07:29 AM
That's good. I was beginning to go a little bit insane since it should have worked!
Good luck figuring out your switch problem.