ASA5515 additional VLAN need internet access

smcneil · ‎07-14-2016

Background - Doing an upgrade for a client and I am not a rocket scientist with ASAs. Upgraded from a 5505 to a 5515 with very little issues. Currently there are about 9 VLANS on the LAN or INSIDE interface. Only VLAN 1 has internet access. In order to access the other 8 VLANS, one must remote into a server on VLAN 1 and then access assets on the other VLANs. The internal inter VLAN routing is taken care of by the core switch.

So on to the issue. The client wants to migrate servers and assets off of VLAN 1 to the newly created VLAN 5 and change subnets so as to get off of the default range of 192.168.1.X (yuck lol). Now then, VLAN 1 comes into the ASA on an untagged (non-subinterfaced) port and that is INSIDE at 192.168.1.254/24. All of the NATs, access rules and internet access work for this VLAN/address range. I created another inside interface I called INSIDE-II, also untagged (non-subinterfaced) at 192.168.25.254/24. I connected VLAN 5 to it, put my laptop at an appropriate address with .5.254 as my gateway and I cannot get out. It doesn't seem as if the default route/gateway is working for this network.

Unfortunately I cannot post the config but I wanted to get some advice/suggestions on what to look for or things to try.

Thanks in advance for any responses!

johnlloyd_13 · ‎07-14-2016

hi,

can post a brief topology?

did you create your Layer 2 VLAN (VLAN 5) on the core switch?

posting a sanitized ASA config will also help a lot.

smcneil · ‎07-14-2016

Let's see if this helps...

Richard Burts · ‎07-15-2016

As John has suggested the first question is whether the switch is sending frames untagged on the connection for the new vlan.

A second question is what is the default gateway for the PC? If it points to ASA then Internet should be ok but might create problems with inter vlan routing. If it uses switch as gateway then there is a question whether the switch has policies that restrict what it forwards to ASA. Can you verify that traffic from the PC is getting to the ASA?

a third question is whether the ASA has NAT rules for the new subnet?

HTH

Rick

HTH

Rick

smcneil · ‎07-15-2016

I'll see if I can get a config of the ASA and sanitize it for posting...

Richard - I am using the VLAN .253 addresses on the core switches for the PC/End device addresses so that the LAN routing works.

Richard Burts · ‎07-15-2016

Thanks for the information confirming the default gateway. So can you confirm whether traffic from the PC is getting to the ASA?

HTH

Rick

HTH

Rick

smcneil · ‎07-15-2016

Richard (or is it Rick?) - For testing, if I set my laptop in to the proper range for VLAN 5 and use the .253 gateway, I CAN ping .254 on the ASA, also, if I set my gateway as .254, I CAN ping .254. So this leads me to believe its an issue on the ASA its self. When my laptop is set to either gateway, I cannot get out to the universe.

- side note, when my gateway is set to .253, interVLAN routing on the core switches works, when set to .254 it doesn't (obviously)

Richard Burts · ‎07-15-2016

Richard is my official name, Rick is what most people call me. I happily respond to either. It would be expected that with gateway set to 253 that you would be able to ping 254. That does not necessarily mean that the switch will forward Internet traffic to 254. Can you confirm that attempts to access Internet are reaching the ASA?

HTH

Rick

HTH

Rick