Cisco ASA switch 3560 lay 3 windows DHCP VLAN and no internet

phugiay (Level 1)

Hi all, 

I am new to Cisco and I set up a lab network with servers, DHCP, DNS, VLANs, an ASA 5505 and a 3560 switch (not sure this is a layer 3 switch).

I want the switch to get IP addresses from the Windows server DHCP, with half on VLAN 10 and half on VLAN 12.

The Windows DHCP server is on VLAN 10. I attached my configuration files below.

1. I can make the ASA connect to the switch.

From the switch, I can ping the ASA, servers, laptop and the internet (e.g. yahoo), and the same from the ASA.

However, from the laptop, I can ping the servers, the ASA (192.168.10.5, port connected to the switch) and the switch (VLAN 10, 192.168.10.8, port connected to the ASA), but there is no internet.

If I enable DHCP like below from the switch or ASA, the laptops will get internet but still not the servers (because the servers get static IP addresses?)

dhcpd address 192.168.10.100-192.168.10.00 PHAM
dhcpd dns 8.8.8.8 interface PHAM
dhcpd enable PHAM

 

2. Last, I am not sure I have layer 3, but it is a Cisco 3560, because I have a problem making VLAN 10 and VLAN 12 talk.

3. Here are my results.

From switch

vp-sw1#ping 192.168.10.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/7/34 ms
vp-sw1#ping 192.168.10.8

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
vp-sw1#ping 192.168.10.110

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.110, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
vp-sw1#ping 10.0.0.234

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.234, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/9 ms
vp-sw1#ping 10.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/8 ms
calithera-sw1#

vp-sw1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.10.5 to network 0.0.0.0

C 192.168.10.0/24 is directly connected, Vlan10
S* 0.0.0.0/0 [1/0] via 192.168.10.5

----------------------------------------------------------------------------

From the ASA

ciscoasa# ping 192.168.10.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ciscoasa# ping 192.168.10.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/32/90 ms
ciscoasa# ping 192.168.10.110
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.110, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ciscoasa# ping 192.168.10.126
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.126, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ciscoasa# ping 192.168.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ciscoasa# ping 157.240.22.35
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 157.240.22.35, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/12/20 ms
ciscoasa#


Thank you very much. 

3 Accepted Solutions

Hi MHM,

Thank you for your help. I am almost there. I still have a problem with the two VLANs talking to each other if I use Windows DHCP.

Does the DHCP send the default-router as the IP of the inside interface of the ASA, or as the IP of the SVI of the VLAN?

phugiay (Level 1)

Actually, I finally figured it out. It is a route issue from the ASA and the layer 3 switch. My project is completed. Thank you all for your help.

24 Replies

phugiay (Level 1)

Any suggestion? 

 

route outside 0.0.0.0 0.0.0.0 10.0.0.1 1

and the outside already has setroute; you need to remove the static route, since the next-hop changes (DHCP).

Hi MHM, 

Thank you very much. I removed the static route and it shows connected, but

from the ASA, switch, servers or laptops, I cannot ping websites like yahoo.com or facebook and cannot browse to their website, but I can ping their IP addresses and can browse with the IP address without any issue.

I looked on Google and people said most are DNS or DMZ issues.

Any advice?

xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain

I am not so sure, but if this xlate deny is the issue it must permit;
can you try making it permit?

note: I will run a lab test of your config.

Hi MHM, 

Thanks, I cleared the xlate configuration and permitted them all, but I still cannot ping yahoo.com from the ASA, though I can ping its IP 74.6.143.25. Same from the switch or PCs.

If I enable and use DHCP from the ASA, I can browse the internet from the PCs but still cannot ping yahoo.com from the ASA. Something tells me there is blocking from the ASA.

First, please return the config of xlate; I checked and it is deny by default, so there is no need to permit it.

interface Vlan1
 nameif inside
!
interface Vlan10
 nameif PHAM
!
interface Vlan15
 nameif VPHAM

You have three interfaces:
inside, which has dynamic NAT with overload and no DHCP;
PHAM, which has dynamic NAT with overload and no DHCP;
VPHAM, which does not have dynamic NAT with overload, and there is DHCP.

Which one do you face the issue with?

I will run the config of xlate tonight. The one I have a problem with is inside when I use Windows DHCP. I want to check what causes the ASA to be unable to ping google.com or yahoo.com when I can ping 8.8.8.8. When I enable DHCP from VPHAM on the ASA for testing, I can browse or ping yahoo.com and google.com, but I don't want to use DHCP from the ASA.

Thank you

I ran a lab and don't see any issue;
can you check on the ASA with packet-tracer:

packet-tracer input <interface inside or PHAM or VPHAM> udp <ip from subnet of inside or PHAM or VPHAM> 12345 <8.8.8.8> 53

Hi MHM,

Here is my packet-tracer:

ciscoasa# packet-tracer input inside udp 192.168.10.5 12345 8.8.8.8 53

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


ciscoasa# packet-tracer input inside udp 192.168.10.5 12345 8.8.8.8 53 detail

<<- sorry, add this so we know why the ACL drops the traffic

interface Vlan1
 nameif inside
 security-level 100
 ip address 10.33.20.3 255.255.255.0

192.168.10.5 <<- why do you use this subnet? It is not the same subnet connected to the inside interface.

Hi MHM, 

Thank you. Actually, I had changed the IP for inside to 192.168.10.5, but I put it back to 10.33.20.3. I found the issue. I accidentally removed the

dns domain-lookup outside

and I put it back and added the DNS, and now I can ping yahoo.com or facebook from the ASA. I can ping yahoo.com and browse from the switch, servers and PCs.

dns domain-lookup outside
dns name-server 8.8.8.8

If I use DHCP from the 3560 layer 3 switch for VLAN 10 and 12 and issue ip routing, both VLANs can see each other. From PC1 on VLAN 10 I can ping PC2 on VLAN 12, and from PC2 on VLAN 12 I can ping PC1, and both have internet.

However, if I remove the DHCP server from the switch and use Windows DHCP with two NICs, VLAN 10 (192.168.10...) and VLAN 12 (10.33.12.0) cannot see each other, and VLAN 12 has internet but VLAN 10 does not. From the switch, I can ping websites, all PCs and servers.

I thought with a layer 3 switch we can use ip routing so all VLANs can see each other, or do I need a router?

Thank you
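As an added example (not from the thread or from any of its posters), this is the minimal routing shape the inter-VLAN question above comes down to: the layer 3 switch routes between the two VLANs, the ASA needs a route back to the VLAN it is not attached to, and the Windows DHCP scopes must hand out the switch SVI (not the ASA) as the default router. Addresses come from the thread where it states them; the VLAN 12 SVI address 10.33.12.1, the DHCP server address 192.168.10.110 and the ASA nameif "inside" are assumptions.

```cisco
! Layer-3 switch (the thread's Cisco 3560). Addresses taken from the thread:
! VLAN 10 = 192.168.10.0/24 with SVI 192.168.10.8, VLAN 12 = 10.33.12.0/24,
! ASA address facing the switch = 192.168.10.5. The VLAN 12 SVI address
! 10.33.12.1 and the DHCP server address 192.168.10.110 are assumptions.
ip routing
!
interface Vlan10
 ip address 192.168.10.8 255.255.255.0
!
interface Vlan12
 ip address 10.33.12.1 255.255.255.0
 ! Only needed when the DHCP server has no NIC in VLAN 12: relays the
 ! broadcast DHCP discover as unicast to the Windows server on VLAN 10.
 ip helper-address 192.168.10.110
!
! Everything that is not a connected VLAN goes to the ASA (the thread's
! "S* 0.0.0.0/0 via 192.168.10.5" route).
ip route 0.0.0.0 0.0.0.0 192.168.10.5
!
! ASA side (nameif "inside" assumed). The ASA is only attached to VLAN 10,
! so it needs a return route for VLAN 12 via the switch SVI, and its
! dynamic PAT must also cover 10.33.12.0/24 or VLAN 12 has no internet.
route inside 10.33.12.0 255.255.255.0 192.168.10.8 1
!
object network VLAN12_NET
 subnet 10.33.12.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Windows DHCP scopes, written here as a comment since they are set in
! the DHCP console, not in IOS. Option 3 (Router) must be the switch SVI
! of each VLAN, not the ASA: the ASA has no interface in VLAN 12, so a
! VLAN 10 host handed 192.168.10.5 as its gateway would send VLAN 12
! traffic to the firewall instead of to the switch that routes between
! the VLANs.
!   Scope 192.168.10.0/24 -> Router 192.168.10.8, DNS 8.8.8.8
!   Scope 10.33.12.0/24   -> Router 10.33.12.1,   DNS 8.8.8.8
```

A quick check after applying it is `show ip route` on the switch (both VLANs should appear as connected) and a packet-tracer on the ASA from a 10.33.12.0/24 source, which should now find the return route and the NAT rule.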

 

you are so so welcome, 
glad the issue is solved.
good luck friend.
