02-16-2021 06:35 PM
Hello
I have a 192.168.1.0 subnet from an ASA 5508-X (GE0/2) going to a Catalyst Switch for its own management / Internet access from ASA IP which has a 192.168.1.5 IP Address assigned manually via vlan 1. I have several Interfaces dedicated to that same vlan (1) that connect and grab an IP of, let's say, 192.168.1.4. This specific IP can PING the vlan 10 10.0.1.0 subnet and vlan 11 10.0.2.0 subnet but when I try to connect to the 10.0.2.111 NAS, it just times out.
When I am on either 10.0.1.0 or 10.0.2.0 they both connect to the NAS as well as Ping the 192.168.1.0 subnet (and even 192.168.1.5 IP).
I know this is an IP ROUTE issue but I am just unsure as to which Router needs the route made... Because I CAN see the IP's, just can not connect.
This is my Switch;
Current configuration : 5333 bytes
!
! Last configuration change at 00:59:56 UTC Tue Mar 2 1993
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
switch 1 provision ws-c3750g-24ps
system mtu routing 1500
ip routing
!
!
!
!
crypto pki trustpoint TP-self-signed-29955072
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-29955072
revocation-check none
rsakeypair TP-self-signed-29955072
!
!
crypto pki certificate chain TP-self-signed-29955072
certificate self-signed 01
quit
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface GigabitEthernet1/0/1
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/2
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/3
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/4
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/5
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/6
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/7
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/8
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/9
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/10
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/11
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/12
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/13
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/14
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/15
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/16
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/17
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/18
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/19
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/20
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10,11
switchport mode trunk
!
interface GigabitEthernet1/0/21
description TPLink
switchport access vlan 12
spanning-tree portfast
!
interface GigabitEthernet1/0/22
description DLink
switchport access vlan 13
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/23
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/24
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
description ASA
ip address 192.168.1.5 255.255.255.0
!
interface Vlan10
description Home LAN
no ip address
!
interface Vlan11
description Home VPN
no ip address
!
interface Vlan12
description TPlink
ip address 10.0.1.161 255.255.255.0
!
interface Vlan13
description DLink
ip address 10.0.2.124 255.255.255.0
!
ip http server
ip http secure-server
!
ip route 192.168.3.0 255.255.255.0 192.168.1.1
!
logging esm config
no cdp run
!
!
line con 0
line vty 0 4
login
line vty 5 15
login
!
end
02-22-2021 03:00 PM
That makes total sense to me. I knew that I had it over configured and therefore the packets got lost within my mess I just did not understand why.
I was unaware I could have a vlan 10 and an Interface vlan 10 both share "vlan 10". This is why I made a separate vlan for the actual IP for the routing. But yes, I see the error in my ways.
Again, I will let you know this evening of my success.
02-22-2021 05:20 PM - edited 02-22-2021 05:22 PM
Alright so after reconfiguring my 2 Wireless Routers with static routes and my Catalyst with correct config, 10.0.1.0 can see 10.0.2.0/192.168.1.0 & 192.168.3.0.
10.0.2.0 can see 10.0.1.0/192.168.1.0 and 192.168.3.0.
10.0.1.0 can ACCESS 10.0.2.1 GUI & NAS on 10.0.2.111
10.0.2.0 can ACCESS 10.0.1.1 GUI
192.168.1.0 can SEE but NOT connect to Either GUI or NAS.
Now, 192.168.1.0 IS being routed through 192.168.1.1 ASA 5508-X DHCP so maybe I need an ip route there? Though I assume it has one cause I can ping them. I just feel like "data" is being blocked and or timing out.
ASA5508-X does have a;
route inside 10.0.1.0 255.255.255.0 192.168.1.5
route inside 10.0.2.0 255.255.255.0 192.168.1.5
02-22-2021 06:19 PM
Could there be a chance it would be an ACL considering 10.0.1.0/10.0.2.0 are NOT routed on the ASA they'd not need one but being that 192.168.1.0 is routed on the ASA it would not work?
Just a thought... I have tried various ACL's to no avail so maybe not the issue
02-23-2021 04:50 AM
So far we have focused on the switch side of the issue and I believe have made progress in getting it straightened out. I believe that now we do need to look a bit more at the ASA side. Can you provide some specifics about what device in the 192.168.1.0 network is having issues to access the NAS? What kind of device, what is its IP, what is its gateway, and where is it connected?
02-23-2021 07:17 AM
Morning
You are absolutely right we got the Switch end of things situated and I believe things have a quicker response time as well.
On the ASA I have GE 1/2 as the Interface that connects to the Switch. The ASA Interface is 192.168.1.1 and has DHCP Enabled. Its purpose is for me to connect to ASA via ASDM.
On the Switch I have interface vlan 1 ip address 192.168.1.5 and the ASA link is plugged into GE 1/0/23.
What I was having to do was plug in my PC to the Switch to do ASA and then unplug and plug in Home network to get to NAS etc. I wanted a one and done.
I gave the 192.168.1.0 internet access and ASDM access to the ASA through the Switch via vlan 1 (ports 23 (incoming ASA) and 24 (out to PC)). My PC dynamically grabs 192.168.1.4.
192.168.1.4, my PC, can ping each and every device on any network but can not actually lock on when needing to connect. I.E my NAS drive times out. The GUI to TPLink (10.0.1.0) won't load nor will the DLink GUI (10.0.2.1) but like I said it can ping them.
These devices, when on either 10.X subnet will open all on each network so it is specific to the 192.x
Specifically
192.168.1.4, PC connected to GE1/0/24 on Switch (192.168.1.5) which connects from GE 1/0/23 to ASA GE 1/2 (192.168.1.1)
NAS is 10.0.2.111 using SMB (Ports 445 and/or 139) Gateway is 10.0.2.1 and is connected to GE 1/0/12 on Switch.
The only time I have used a Gateway not of the Router was for both TPLink and DLink. For them to get out/receive I use the Switch vlan IP(10/11) IP's as Gateway.
TPLink ;
10.0.2.0 255.255.255.0 10.0.1.161
192.168.1.0 255.255.255.0 10.0.1.161
192.168.3.0 255.255.255.0 10.0.1.161
Using .161 cause they are the farthest out on the network touching the next network.
DLink ;
10.0.1.0 255.255.255.0 10.0.2.124
192.168.1.0 255.255.255.0 10.0.2.124
192.168.3.0 255.255.255.0 10.0.2.124
Using .124 for same reason.
ASA;
inside 10.0.1.0 255.255.255.0 192.168.1.5
inside 10.0.2.0 255.255.255.0 192.168.1.5
outside 0.0.0.0 0.0.0.0 207.108.131.182
Catalyst;
192.168.3.0 255.255.255.0 192.168.1.1
02-23-2021 07:44 AM
Thank you for the additional information. Am I correct in understanding these things:
- your PC is currently connected in vlan 1 and has IP address 192.168.1.4.
- your PC is successful in ping to TPLink (what is the IP address used by TPLink).
- your PC fails when attempting access to GUI of TPLink (what access is this? HTTP? HTTPS? something else?)
- your PC is successful in ping to DLink. (what is the IP address used by DLink)
- your PC fails when attempting access to GUI of DLink (what access is this? HTTP? HTTPS? something else?)
- your PC is successful in ping to NAS at 10.0.2.211.
- your PC fails when it attempts to access data from NAS.
- if you move your PC to either vlan 10 or vlan 11 then all of these access are successful?
02-23-2021 07:57 AM
You are spot on with all of that.
TPLink GUI / Gateway Address is 10.0.1.1, it is the DHCP Server of that Network
DLink GUI / Gateway Address is 10.0.2.1, it is also the DHCP Server of that Network.
Though I do not put any port at the end of the connection, I simply type "10.0.1.1" or "10.0.2.1" in Address BAR and it brings me to ;
or
So I have to assume http port 80..
And then yes, if I connect PC to either vlan 10 or 11(thus grabbing an IP on either network) I can connect to either GUI or NAS from either network.
02-23-2021 08:25 AM
This is quite puzzling. I have been thinking that this might well be some issue on the ASA (especially since I thought that we had the switch straightened out). But with the symptoms that I described it is difficult to see it as an ASA issue.
If you can ping the address it pretty much takes IP connectivity or IP routing out as a cause of the issue. I have experienced issues when ping works but applications do not work that related to issues about MTU. But I am not sure that would be the case here. It almost sounds like a security policy. And I could easily think security policy if the traffic were going through the ASA, but it does not appear to be doing that.
Would you post the output from the PC for ipconfig /all? Also the output of tracert from PC to 10.0.2.211, and to 10.0.2.1, and to 10.0.1.1.
Is there DHCP for the 192.168.1.0 network? Would that come from the ASA?
02-23-2021 08:54 AM - edited 02-23-2021 08:55 AM
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) Ethernet Connection (7) I219-V
Physical Address. . . . . . . . . : 70-85-C2-C2-61-58
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.1.4(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Tuesday, February 23, 2021 9:50:13 AM
Lease Expires . . . . . . . . . . : Tuesday, February 23, 2021 10:50:12 AM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 205.171.3.65
205.171.2.65
NetBIOS over Tcpip. . . . . . . . : Enabled
Tracing route to 10.0.1.1 over a maximum of 30 hops
1 <1 ms <1 ms 1 ms 192.168.1.5
2 2 ms 1 ms 1 ms 10.0.1.1
Trace complete.
Tracing route to 10.0.2.1 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 192.168.1.5
2 <1 ms <1 ms <1 ms 10.0.2.1
Trace complete.
Tracing route to TS1400R549 [10.0.2.111]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 192.168.1.5
2 * <1 ms <1 ms TS1400R549 [10.0.2.111]
Trace complete.
ASA;
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
02-23-2021 09:09 AM
Thank you for the information. Would you change the configuration of the PC? Keep the same IP address of 192.168.1.4 and the same mask of 255.255.255.0 but change its gateway from 192.168.1.1 to 192.168.1.5 and change the DNS server from 205.171.2.65 205.171.3.65 to whatever DNS server you would get when you connect to vlan 10 or 11. Make these changes and let us know if the behavior changes.
02-23-2021 10:04 AM
Very strange. So by changing the default gateway I can now indeed, from 192.168.0.4 to 10.0.1.1/10.0.2.1 GUI but now have lost internet Access.
The 205.171.3.65 is what my ISP gives me and I believe TP and DLink grab them as well. I had to go out for 30 so can’t verify what DNS they are set as.. I do know ASA has no name servers set up, though.
I did indeed set the PC DNS though, and no Internet.
Something with that Gateway maybe cause prior to, using 192.168.1.1 as GW I had Internet but no GUI. How weird
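Added example, not part of the thread and not any participant's code: a small path tracer over the static routes posted above, showing which devices the PC-to-NAS traffic and its replies cross with the PC gateway set to 192.168.1.1 versus 192.168.1.5. The tables are a constructed model; the connected 10.0.1.0/24 and 10.0.2.0/24 entries on the switch and the NAS default route via 10.0.2.1 are assumptions taken from the posts, not from `show ip route` output. A stateful firewall can only track a TCP connection when it sees both directions of it.

```python
import ipaddress

# Constructed model of the routes posted in the thread (not device output).
# Entry = (prefix, next_hop); next_hop None means directly connected.
ROUTES = {
    "ASA":    [("192.168.1.0/24", None), ("10.0.1.0/24", "192.168.1.5"),
               ("10.0.2.0/24", "192.168.1.5")],
    "Switch": [("192.168.1.0/24", None), ("10.0.1.0/24", None),   # assumed SVIs
               ("10.0.2.0/24", None), ("192.168.3.0/24", "192.168.1.1")],
    "DLink":  [("10.0.2.0/24", None), ("10.0.1.0/24", "10.0.2.124"),
               ("192.168.1.0/24", "10.0.2.124"), ("192.168.3.0/24", "10.0.2.124")],
    "NAS":    [("10.0.2.0/24", None), ("0.0.0.0/0", "10.0.2.1")],
}
OWNER = {"192.168.1.1": "ASA", "192.168.1.5": "Switch", "10.0.2.124": "Switch",
         "10.0.2.1": "DLink", "10.0.2.111": "NAS", "192.168.1.4": "PC"}

def next_hop(table, dst):
    """Longest-prefix match; returns the IP the packet is handed to next."""
    dst_ip, best = ipaddress.ip_address(dst), None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1] or dst  # connected network: deliver straight to dst

def path(src, dst, tables):
    """Device names a packet crosses from src to dst, hop by hop."""
    node = OWNER[src]
    hops = [node]
    while node != OWNER[dst]:
        node = OWNER[next_hop(tables[node], dst)]
        hops.append(node)
        if len(hops) > 8:
            raise RuntimeError("routing loop")
    return hops

def asa_view(pc_gateway):
    """Forward path, return path, and how much of the flow the ASA sees."""
    pc = [("192.168.1.0/24", None), ("0.0.0.0/0", pc_gateway)]
    tables = dict(ROUTES, PC=pc)
    fwd = path("192.168.1.4", "10.0.2.111", tables)
    ret = path("10.0.2.111", "192.168.1.4", tables)
    seen = ("ASA" in fwd, "ASA" in ret)
    label = {(True, True): "both", (False, False): "neither"}
    return fwd, ret, label.get(seen, "one direction only")

if __name__ == "__main__":
    for gw in ("192.168.1.1", "192.168.1.5"):
        print(gw, *asa_view(gw), sep="\n  ")
```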
02-23-2021 10:09 AM
Glad we are making progress. Please post the output of show ip route from the switch.
02-23-2021 10:13 AM
We might want to do some testing and try to figure out how much of the improvement was due to changing the gateway and how much to changing the DNS. Perhaps change the PC so that the gateway goes back to 192.168.1.1 and keep the different DNS.
02-23-2021 10:20 AM
Sounds like a plan. Not home just yet but will update when I get there.
I am 99% sure both 192.168.1.0 and the 10.x sub nets use the default 205.171.3.65 but I can verify, I may have left 192.x default and changed TP/DLink to 8.8.8.8, 8.8.4.4.
Even so, if I set the gateway back to .1 would it need a NAME-SERVER to access an IP, locally?
My other comment was that maybe having 1.1 as gateway it’s grabbing my ISP NS as it should but maybe changing it to 1.5 there is NO NS configured on the Switch, so no resolution. But doesn’t PC IP settings bypass that anyway?
02-23-2021 10:54 AM
I am not certain about how much of the issue relates to DNS. But in thinking about why you might be successful in ping but not successful with NAS or GUI it occurs to me that for ping all you need is the IP address. But in processing with NAS or perhaps with GUI is it possible that the processing sends a name which the PC needs to resolve, and if the PC is not able to resolve the name could that cause NAS to hang or GUI to hang?
It might be interesting to check when connected to 10.0.1.0 and to 10.0.2.0 what do you get for name server?