08-23-2016 11:14 AM - edited 03-05-2019 04:33 AM
Afternoon,
I'm having some trouble getting out of the 2901. Here is what has been done so far:
The new network is on VLAN 70. Computers can ping each other and the gateway on the 2901, which is set up as interface Port-channel1.70. I have also created an access list to pass through the router, but still can't reach an outside DNS or get TCP internet access... 192.168.70.5 is the new domain controller and DNS/DHCP server for this private VLAN.
ip access-list extended xxxxx
permit ip host 192.168.70.5 any
permit udp any any eq domain
permit udp any eq domain any
permit tcp any any eq domain
permit tcp any eq domain any
permit tcp any any eq www
interface Port-channel1.70
description xxxxx
encapsulation dot1Q 70
ip address 192.168.70.1 255.255.255.0
ip access-group xxxxx in
ip access-group xxxxx out
ip nat inside
ip virtual-reassembly in
Labels: LAN Switching
Accepted Solutions
08-24-2016 05:59 AM
ip nat inside source list no_nat interface Port-channel1.10 overload
ip access-list extended no-nat
deny ip 192.168.48.0 0.0.15.255 192.168.56.0 0.0.0.255
deny ip 192.168.48.0 0.0.15.255 192.168.30.0 0.0.0.255
deny ip 192.168.48.0 0.0.15.255 192.168.60.128 0.0.0.127
deny ip 192.168.30.0 0.0.0.255 192.168.60.128 0.0.0.127
deny ip 192.168.56.0 0.0.0.255 192.168.60.128 0.0.0.63
permit ip 192.168.48.0 0.0.15.255 any
permit ip 192.168.70.0 0.0.0.255 any --> add this line to the no-nat ACL; that should fix the issue.
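As an added check (example code written for this thread, not from the original posts or from Cisco): a small Python parser that reads the `ip nat inside source list` statement and the extended ACL it references, then evaluates first-match whether a given inside subnet would be translated. Run against the config as posted it reports that `source list no_nat` references a list that is never defined (the ACL is named `no-nat`); with the name made consistent it shows 192.168.70.0/24 falling through to the implicit deny until the permit line is added. Assumptions: contiguous wildcard masks only, a constructed outside host 198.51.100.10, and `FIXED` is a hypothetical repaired config.

```python
import ipaddress
# Constructed excerpt modelled on the config posted in the thread; list names kept as posted.
CONFIG = """\
ip nat inside source list no_nat interface Port-channel1.10 overload
ip access-list extended no-nat
 deny ip 192.168.48.0 0.0.15.255 192.168.56.0 0.0.0.255
 deny ip 192.168.30.0 0.0.0.255 192.168.60.128 0.0.0.127
 permit ip 192.168.48.0 0.0.15.255 any
"""
# Hypothetical repaired config: list name made consistent and Gaurav's line appended.
FIXED = CONFIG.replace("list no_nat", "list no-nat") + " permit ip 192.168.70.0 0.0.0.255 any\n"
def _endpoint(tokens, i):
    """Parse one ACL endpoint: 'any' | 'host A' | 'A WILDCARD' (contiguous wildcards assumed)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    prefix = 32 - int(ipaddress.ip_address(tokens[i + 1])).bit_length()
    return ipaddress.ip_network(f"{tokens[i]}/{prefix}", strict=False), i + 2

def parse(config):
    """Return ([NAT source-list names], {acl name: [(action, src_net, dst_net), ...]})."""
    nat_lists, acls, current = [], {}, None
    for line in config.splitlines():
        t = line.split()
        if t[:5] == ["ip", "nat", "inside", "source", "list"]:
            nat_lists.append(t[5])
        elif t[:3] == ["ip", "access-list", "extended"]:
            current = t[3]
            acls[current] = []
        elif current and t and t[0] in ("permit", "deny") and t[1] == "ip":
            src, j = _endpoint(t, 2)   # only 'ip' entries: a NAT list matches on addresses
            dst, _ = _endpoint(t, j)
            acls[current].append((t[0], src, dst))
    return nat_lists, acls

def nat_decision(config, inside_subnet, outside_host="198.51.100.10"):
    """First-match verdict for inside_subnet -> outside_host: 'permit' (translated),
    'deny', 'implicit-deny' (fell off the end), 'missing-acl:<name>' or 'no-nat-statement'."""
    nat_lists, acls = parse(config)
    src = ipaddress.ip_network(inside_subnet)
    dst = ipaddress.ip_address(outside_host)
    for name in nat_lists:
        if name not in acls:          # statement references an ACL that is never defined
            return f"missing-acl:{name}"
        for action, s, d in acls[name]:
            if src.subnet_of(s) and dst in d:
                return action
        return "implicit-deny"
    return "no-nat-statement"
```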

08-23-2016 12:43 PM
If you remove both ACLs on the interface, connectivity starts working?
08-24-2016 04:49 AM
Unfortunately no, still can't access anything on the WAN side.

08-24-2016 05:18 AM
As Gaurav Mahajan mentioned, it is time to check the NAT configuration.
08-24-2016 04:59 AM
You need to allow the new subnet in NAT, as I can see interface Port-channel1.70 is part of ip nat inside.
Share your NAT configuration from the device.
You must not have allowed this new subnet 192.168.70.x in the NAT ACL.
In the ACL for NAT:
permit ip 192.168.70.0 0.0.0.255 any
08-24-2016 05:35 AM
Gaurav,
I'm new to this company and not familiar with the way they set it up. Here is my list of ACLs on the 2901:
ip nat inside source list no_nat interface Port-channel1.10 overload
ip nat inside source static tcp 192.168.50.16 5269 24.137.222.66 5269 extendable
ip nat inside source static 192.168.54.4 69.58.97.129 route-map nonatxxxx reversible
ip nat inside source static 192.168.54.13 69.58.97.130 route-map nonatxxxx reversible
ip nat inside source static tcp 192.168.54.16 25 69.58.97.135 25 extendable
ip nat inside source static tcp 192.168.54.2 443 69.58.97.135 443 route-map nonatxxxx extendable
ip route 0.0.0.0 0.0.0.0 24.137.222.65
ip route 173.46.30.0 255.255.255.0 10.0.6.209
ip route 192.168.48.0 255.255.240.0 192.168.60.1
ip route 192.168.56.0 255.255.255.0 24.137.222.65
!
ip access-list extended Server 3
deny ip host 192.168.54.2 192.168.56.0 0.0.0.255
deny ip host 192.168.54.2 192.168.30.0 0.0.0.255
permit ip host 192.168.54.2 any
ip access-list extended Server 2
deny ip host 192.168.54.13 192.168.60.128 0.0.0.127
deny ip host 192.168.54.13 192.168.56.0 0.0.0.255
deny ip host 192.168.54.13 192.168.30.0 0.0.0.255
permit ip host 192.168.54.13 any
ip access-list extended Server1
deny ip host 192.168.54.4 192.168.56.0 0.0.0.255
deny ip host 192.168.54.4 192.168.30.0 0.0.0.255
permit ip host 192.168.54.4 any
ip access-list extended Wireless-xxx
permit tcp any host 192.168.54.13 eq www
permit tcp any host 192.168.54.4 eq 3389
permit udp any host 192.168.54.1 eq domain
permit tcp any host 192.168.54.2 eq 443
permit tcp any host 192.168.54.13 eq 443
deny ip any 192.168.0.0 0.0.255.255
deny ip any 172.16.0.0 0.0.15.255
deny ip any 10.0.0.0 0.255.255.255
permit ip any any
ip access-list extended Wireless-xxx
permit tcp host 192.168.54.13 eq www any established
permit tcp host 192.168.54.4 eq 3389 any established
permit udp host 192.168.54.1 eq domain any
permit tcp host 192.168.54.2 eq 443 any established
permit tcp host 192.168.54.13 eq 443 any established
deny ip 192.168.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.0.15.255 any
deny ip 10.0.0.0 0.255.255.255 any
permit ip any 192.168.55.0 0.0.0.255
ip access-list extended xxxx
permit ip 192.168.54.0 0.0.0.255 192.168.56.0 0.0.0.255
permit ip 192.168.50.0 0.0.0.255 192.168.56.0 0.0.0.255
permit ip 192.168.58.0 0.0.0.255 192.168.56.0 0.0.0.255
permit ip 192.168.60.128 0.0.0.63 192.168.56.0 0.0.0.255
ip access-list extended xxxx
permit ip 192.168.54.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.50.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.58.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.60.128 0.0.0.63 192.168.30.0 0.0.0.255
ip access-list extended no-nat
deny ip 192.168.48.0 0.0.15.255 192.168.56.0 0.0.0.255
deny ip 192.168.48.0 0.0.15.255 192.168.30.0 0.0.0.255
deny ip 192.168.48.0 0.0.15.255 192.168.60.128 0.0.0.127
deny ip 192.168.30.0 0.0.0.255 192.168.60.128 0.0.0.127
deny ip 192.168.56.0 0.0.0.255 192.168.60.128 0.0.0.63
permit ip 192.168.48.0 0.0.15.255 any
ip access-list extended outside_in
permit udp any host 24.137.222.66 eq isakmp
permit udp any host 24.137.222.66 eq non500-isakmp
permit esp any host 24.137.222.66
permit icmp any host 24.137.222.66
permit tcp any host 24.137.222.66 eq 22
permit tcp any host 69.58.97.129 eq 3389
permit udp any host 69.58.97.129 eq 3389
permit tcp any host 69.58.97.130 eq www
permit tcp any host 69.58.97.130 eq 443
permit tcp any host 69.58.97.135 eq 443
permit tcp any host 69.58.97.135 eq smtp
permit tcp host 204.232.189.34 host 24.137.222.66 eq 5269
permit tcp 72.0.201.96 0.0.0.31 host 24.137.222.66 eq 5269
ip access-list extended sip_in
permit ip 173.46.30.0 0.0.0.255 host 10.0.6.210
ip access-list extended split
permit ip 192.168.48.0 0.0.15.255 any
permit ip 192.168.30.0 0.0.0.255 any
Thanks for the help.
08-24-2016 07:35 AM
That did it, thanks again.
08-25-2016 09:33 AM
Hello,
Are you sure the configuration below is applied on this router? I am not able to find the access-list below in the configuration you provided above.
ip access-list extended xxxxx
permit ip host 192.168.70.5 any
permit udp any any eq domain
permit udp any eq domain any
permit tcp any any eq domain
permit tcp any eq domain any
permit tcp any any eq www
Thanks
Vikram
08-25-2016 09:54 AM
Vikram,
Yes, it was added after that list was taken from the router. All was solved with the above post by Gaurav.
Adding the line "permit 192.168.70.0 0.0.0.255 any" to my no-nat list solved the issue.
