Solved: Re: Cisco ASA switch 3560 lay 3 windows DHCP VLAN and no internet - Page 2

phugiay · ‎11-30-2022

Hi all,

I am new in Cisco and I set up a lab work network with servers, DHCP, DNS, VLAN ASA 5505 and a switch 3560(not sure this is lay 3 switch).

I want the switch to get IP addresses from Windows server.DHCP with 1/2 is VLAN 10 and 1/2 is VLAN12.

The windows server DHCP is on VLAN 10. I attached my configuration files below

1. I can make the ASA connecting to switch.

From switch, I can ping ASA, servers, laptop, internet like yahoo so the same as from ASA.

However, from laptop, I can ping the servers, ASA(192.168.10.5 port connect to switch), switch ( VLAN 10,192.168.10.8, port connect to ASA) but there is no internet.

If I enable dhcp like below from switch or ASA, the laptops will get the internet but still not for the servers (because the servers get the static IP address?)

dhcpd address 192.168.10.100-192.168.10.00 PHAM
dhcpd dns 8.8.8.8 interface PHAM
dhcpd enable PHAM

2. Last, I am not sure I have lay 3 but it is Cisco 3560 because I have a problem to make VLAN 10 and VLAN12 talk

3. Here is my result

From switch

vp-sw1#ping 192.168.10.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/7/34 ms
vp-sw1#ping 192.168.10.8

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
vp-sw1#ping 192.168.10.110

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.110, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
vp-sw1#ping 10.0.0.234

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.234, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/9 ms
vp-sw1#ping 10.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/8 ms
calithera-sw1#

vp-sw1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.10.5 to network 0.0.0.0

C 192.168.10.0/24 is directly connected, Vlan10
S* 0.0.0.0/0 [1/0] via 192.168.10.5

----------------------------------------------------------------------------

From ASA

ciscoasa# ping 192.168.10.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ciscoasa# ping 192.168.10.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/32/90 ms
ciscoasa# ping 192.168.10.110
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.110, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ciscoasa# ping 192.168.10.126
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.126, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ciscoasa# ping 192.168.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ciscoasa# ping 157.240.22.35
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 157.240.22.35, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/12/20 ms
ciscoasa#

Thank you very much.

phugiay · ‎12-18-2022

I use 2 physical NICs to broadcast DHCP into VLAN 10 and 12. I know VMware is more easy but this is a lab test. I finally figure it out to make 2 VLAN talk and route to ASA. They all see each other and have internet. Thank you very much for your advise.

Georg Pauwen · ‎12-18-2022

Hello,

--> However, if I remove DHCP server from switch and use Windows DHCP with two NICs

I am not really clear what your DHCP server looks like, why you have two NICs in the server, and what the NICs are supposed to do. With the Windows DHCP server active, what is the output of

ipconfig /all

from a Vlan 10 and from a Vlan 12 client ?

phugiay · ‎12-18-2022

I use 2 physical NICs to broadcast DHCP into VLAN 10 and 12. I know VMware is more easy but this is a lab test. I finally figure it out to make 2 VLAN talk and route to ASA. They all see each other and have internet. Thank you very much for your advise.

Georg Pauwen · ‎12-17-2022

Hello,

what if you add the line below to your access list:

access-list outside_access_in permit udp any any eq 53

phugiay · ‎12-18-2022

Hi Georg,

I did but still cannot ping I figure it out this is dns issue after I add dns back and I can ping yahoo.com from ASA, switch , and PCs. I make sure my DHCP server from switch have DNS server.

dns domain-lookup outside
dns name-server 8.8.8.8

I still have a problem with Windows DHCP. If I use DHCP server from switch 3560 lay 3 and issue ip routing and PCs and servers both VLAN 10 12 can see each other and have internet. However, if I use Windows DHCP server with 2 NICs, both VLAN 10 12 cannot see each other and only VLAN 12 have internet.

NetworkDave · ‎12-17-2022

phugiay,

Please provide a zipped copy of the pkt/pka file and any instructions.

paul driver · ‎12-18-2022

Hello
You asa is quite convoluted so if you reset its configuration and just have inter-vlan routing on the switch then the attached file for the asa should allow internet connectivity for hosts residing vlan 10,20

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

phugiay · ‎12-18-2022

Actually I finally figure it out. It is route issue from ASA and switch lay 3. My project is completed Thank you all for your help.

MHM Cisco World · ‎12-18-2022

You are so so welcome.

phugiay · ‎12-21-2022

I have 3 Cisco ASA 5505, 2560, 2960 and I want to update the firmware from version 9 to 15.

1. Do you I need a license for the update or download the software?

2. Can I update straight from version 9 - to 15 or I have to go 9-> 10-> 11-> .....-> 15? like Palo Alto Network firewall PA?

Thank you

https://www.cisco.com/c/en/us/support/docs/smb/switches/cisco-550x-series-stackable-managed-switches/smb5566-upgrade-firmware-on-a-switch-through-the-command-line-interf.html