02-16-2021 06:35 PM
Hello
I have a 192.168.1.0 subnet from an ASA 5508-X (GE0/2) going to a Catalyst Switch for its own management / Internet access from ASA IP which has a 192.168.1.5 IP Address assigned manually via vlan 1. I have several Interfaces dedicated to that same vlan (1) that connect and grab an IP of, let's say, 192.168.1.4. This specific IP can PING the vlan 10 10.0.1.0 subnet and vlan 11 10.0.2.0 subnet but when I try to connect to the 10.0.2.111 NAS, it just times out.
When I am on either 10.0.1.0 or 10.0.2.0 they both connect to the NAS as well as Ping the 192.168.1.0 subnet (and even 192.168.1.5 IP).
I know this is an IP ROUTE issue but I am just unsure as to which Router needs the route made... Because I CAN see the IPs, just can not connect.
This is my Switch;
Current configuration : 5333 bytes
!
! Last configuration change at 00:59:56 UTC Tue Mar 2 1993
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
switch 1 provision ws-c3750g-24ps
system mtu routing 1500
ip routing
!
!
!
!
crypto pki trustpoint TP-self-signed-29955072
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-29955072
revocation-check none
rsakeypair TP-self-signed-29955072
!
!
crypto pki certificate chain TP-self-signed-29955072
certificate self-signed 01
quit
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface GigabitEthernet1/0/1
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/2
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/3
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/4
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/5
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/6
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/7
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/8
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/9
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/10
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/11
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/12
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/13
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/14
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/15
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/16
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/17
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/18
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/19
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/20
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10,11
switchport mode trunk
!
interface GigabitEthernet1/0/21
description TPLink
switchport access vlan 12
spanning-tree portfast
!
interface GigabitEthernet1/0/22
description DLink
switchport access vlan 13
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/23
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/24
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
description ASA
ip address 192.168.1.5 255.255.255.0
!
interface Vlan10
description Home LAN
no ip address
!
interface Vlan11
description Home VPN
no ip address
!
interface Vlan12
description TPlink
ip address 10.0.1.161 255.255.255.0
!
interface Vlan13
description DLink
ip address 10.0.2.124 255.255.255.0
!
ip http server
ip http secure-server
!
ip route 192.168.3.0 255.255.255.0 192.168.1.1
!
logging esm config
no cdp run
!
!
line con 0
line vty 0 4
login
line vty 5 15
login
!
end
02-23-2021 01:02 PM
As I think about it I believe that issues with DNS server of 205.171.3.65 and loss of Internet access when you changed the gateway address for the PC are probably related. When you changed the gateway address to use the switch IP then forwarding the PC traffic would be done by the switch. I am not clear whether the switch has a default route (which is a reason I asked for the output of show ip route from the switch). If there is no default route then that certainly explains why the PC loses Internet access when its gateway is the switch. And even if the switch does have a default route, what next hop does the switch use and would that path have address translation for the 192.168.1.0 network? If there is no address translation then certainly there is no Internet access.
So we need to go a step at a time in figuring what is the underlying issue and how to fix it.
02-23-2021 06:01 PM
First I will say,
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) Dual Band Wireless-AC 3168
Physical Address. . . . . . . . . : 48-F1-7F-D3-BB-07
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.0.1.103(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Tuesday, February 23, 2021 6:53:34 PM
Lease Expires . . . . . . . . . . : Tuesday, February 23, 2021 8:53:34 PM
Default Gateway . . . . . . . . . : 10.0.1.1
DHCP Server . . . . . . . . . . . : 10.0.1.1
DNS Servers . . . . . . . . . . . : 10.0.1.1
10.0.1.1
NetBIOS over Tcpip. . . . . . . . : Enabled
TPLink Router, 10.0.1.1 has 205.171.3.65, 8.8.8.8 as its DNS.
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) Dual Band Wireless-AC 3168
Physical Address. . . . . . . . . : 48-F1-7F-D3-BB-07
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.0.2.102(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Tuesday, February 23, 2021 6:56:59 PM
Lease Expires . . . . . . . . . . : Wednesday, February 24, 2021 6:57:00 PM
Default Gateway . . . . . . . . . : 10.0.2.1
DHCP Server . . . . . . . . . . . : 10.0.2.1
DNS Servers . . . . . . . . . . . : 10.0.2.1
NetBIOS over Tcpip. . . . . . . . : Enabled
DLink Router, 10.0.2.1 has 205.171.3.65, 8.8.8.8 as its DNS.
Now, when I was using 192.168.1.1 Gateway and I could not connect to the 10.x subnets, I could then surf the web. Now I can communicate with the 10.x subnets but no Internet, when 192.168.1.5 is gateway.
The Switch has NO default route other than to 192.168.3.0 for email server so this may be it? I need a default route for Switch (192.168.1.5) to touch the net? The ASA must have a route outside because, as I said, when I use it (192.168.1.1) I get internet access.
So ip route 0.0.0.0 0.0.0.0 192.168.1.1 ?
02-23-2021 06:10 PM
That was it.
I made 0.0.0.0 0.0.0.0 192.168.1.1 and now my 192.168.1.4 can see/connect to both GUI/NAS and Internet access.
Now, will 10.0.1.1/1.2 use their own router as their Gateway/Path to the Internet? I ask because those 2 routers have their own static IPs for their own purpose and I want those specific routers to touch the internet with the IPs I gave them. I.e. TPLink 207.108.131.177 and 207.108.131.178.
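Added example, not part of any post in this thread: a longest-prefix-match lookup over the switch's posted SVI addresses and static routes, showing which destinations had no route before `ip route 0.0.0.0 0.0.0.0 192.168.1.1` was added. The function names and the destination 192.168.3.10 are constructed for illustration; the model covers only the switch's forwarding decision, not the ASA or NAT.

```python
import ipaddress

# Excerpt of the switch configuration posted in the thread (SVIs and static routes only).
SWITCH_CONFIG = """\
interface Vlan1
 ip address 192.168.1.5 255.255.255.0
interface Vlan12
 ip address 10.0.1.161 255.255.255.0
interface Vlan13
 ip address 10.0.2.124 255.255.255.0
ip route 192.168.3.0 255.255.255.0 192.168.1.1
"""
# The default route the original poster added to fix Internet access.
DEFAULT_ROUTE = "ip route 0.0.0.0 0.0.0.0 192.168.1.1\n"

def parse_routes(config):
    """Return [(network, next_hop)] from 'ip address' and 'ip route' lines."""
    routes, current_if = [], None
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["interface"]:
            current_if = words[1]
        elif words[:2] == ["ip", "address"] and current_if:
            iface = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
            routes.append((iface.network, f"connected:{current_if}"))
        elif words[:2] == ["ip", "route"]:
            net = ipaddress.ip_network(f"{words[2]}/{words[3]}")
            routes.append((net, words[4]))
    return routes

def next_hop(routes, destination):
    """Longest-prefix match; None means the switch has no route and drops the packet."""
    addr = ipaddress.ip_address(destination)
    matches = [(net, hop) for net, hop in routes if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def compare(destinations):
    """Map each destination to (next hop before, next hop after) the default route."""
    before = parse_routes(SWITCH_CONFIG)
    after = parse_routes(SWITCH_CONFIG + DEFAULT_ROUTE)
    return {d: (next_hop(before, d), next_hop(after, d)) for d in destinations}

if __name__ == "__main__":
    # 192.168.3.10 is a constructed host inside the statically routed 192.168.3.0/24.
    for dst, (b, a) in compare(["10.0.2.111", "192.168.3.10", "8.8.8.8"]).items():
        print(f"{dst:<14} before={b!s:<18} after={a}")
```
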
02-24-2021 06:03 AM
Thanks for confirming that now my 192.168.1.4 can see/connect to both GUI/NAS and Internet access. The part about which gateway to use was more straightforward while the role of DNS was much more subtle. I am glad that we have worked out both parts.
I would think that the changes that you have made to allow 192.168.1.4 to access resources would not impact 10.0.1.1/1.2. Monitor their performance and if you find issues let us know. I believe that we could address it if the default route on the switch turns out to be a problem.
Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.
02-24-2021 06:24 PM
I have a follow up question. For my scenario it is not important as my goal was to be on 1 network and access all 3, which I now can.
But my question was, though I can access the GUI 10.0.2.1 and the data on 10.0.2.111, I can not access the GUI on 10.0.2.103. This is port 8080. Now this 10.0.2.103 is an add-on application that is run out of 10.0.2.111. I am looking to see any type of restrictions and what not but was curious, being that 192.168.1.5 is essentially my gateway, do I need an ACL for port 8080 being it is not a common port?
02-25-2021 07:02 AM
This is an interesting follow up question. Can you tell us a bit more about the relationship between 10.0.2.111 and 10.0.2.103? Can you verify that you have IP connectivity to 10.0.2.103 (ping or traceroute to the address)?
Whether an access list would help is not clear at this point. We have not seen evidence that access lists are used in your network to control traffic for inside subnets. Are there ACLs configured to control inside subnets?
Am I correct in assuming that from an address in the 10.0.1.0 subnet that you are successful in accessing the application on 10.0.2.103? How do you access the application? Do you specify the 8080 in your request? Or do you just use http and the device handles the different port number? Do you send the request to 10.0.2.103 directly or do you send the request to 10.0.2.211 and it redirects the request?
02-25-2021 06:06 PM
Well unfortunately I have no further information. I came home from work and out of curiosity I tried to connect to it and it worked. For hours yesterday it did not. I changed nothing.
02-26-2021 07:02 AM
Glad to know that it is now working. Sorry that we were not able to identify the issue. The fact that it started working and that you did not change anything suggests that something timed out, perhaps learned a new value, and that allowed your access to work.