
Internet Access on 2960 through 1921.

fbeye
Level 4

Hello. At this point I'm looking more for direction than specific configuration.

My 1921 is set up as GE 0/0 10.0.1.68 and can ping outside to the Internet as well as inside.

GE 0/1 is a trunk port for VLANs 1 and 2: 192.168.1.1 and 192.168.2 using GE 0/1 and 0/1.2.

My 2960 is set for L2, and ports 1-12 are VLAN 1 and 13-24 are VLAN 2.

I connect my laptop to either VLAN and it doesn't auto-grab an IP but accepts one manually. I can ping only on that switch, but I also can ping 10.0.1.68 on the router, but nothing beyond.

That all may be a messy explanation, but my real question is: do I need an ACL, NAT, or both to allow any of the subnets (VLANs) on the switch to access the Internet? At this point I would assume so, as I would need to create an ACL to see out into the world, but it's not working.
At this point I'm just curious, because a PC connected to VLAN 1 or 2 can ping the switch and only the router IP but nothing beyond. So I know it's going through the switch. So I'm not sure if I am missing NAT or maybe just have the wrong ACL.

4 Replies

Hello,

on the router, you need both the ACL and the NAT. This is what the router configuration needs to look like:


! Outside (Internet-facing) interface; all inside traffic is translated to this address
interface GigabitEthernet0/0
 ip address 10.0.1.68 255.255.255.0
 ip nat outside
!
! VLAN 1 arrives untagged on the trunk (2960 default native VLAN 1),
! so it is addressed on the physical interface
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! VLAN 2 arrives tagged with 802.1Q tag 2
interface GigabitEthernet0/1.2
 encapsulation dot1q 2
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
!
! PAT: sources matched by access-list 1 share the Gi0/0 address (overload)
ip nat inside source list 1 interface GigabitEthernet0/0 overload
!
! Default route; use the next-hop IP address instead of the interface if you have it
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
!
! Standard ACL that selects which inside subnets are eligible for translation
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255

Alright... That works.

I won't say I do, because clearly I don't, but from what little I know of NAT and ACLs, I see where we need the NAT on in and out and I see where we attached the ACL, but I am not seeing what is giving permission for VLAN 2 or VLAN 1 on my switch to have Internet access.

I have always had to add a specific ACL to allow Internet access out.

Is the

access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255

which is being associated with NAT inside, in itself the rule allowing all access?

I am just at a loss, because on my 891f and 5508-X I had to allow an ACL for web access.

I was just reading my Cisco ASA book and noticed under the NAT section that it mentions "By default, you do not need to define an ACE to permit traffic from a high security-level interface to a low security-level interface".

I am also seeing that you have it configured as PAT and overload, adding both the 192.168.1.0 and 192.168.2.0 subnets to the inside NAT configuration.

I am not wanting to just get answers; I am researching the answers you've given so I know the "why".

Accepted Solution

Hello,

the ASA and a Cisco router are very different devices in that the ASA by default blocks everything, while the router allows everything. What you are talking about (security levels) refers to internal access between interfaces on the ASA. Higher to lower is allowed, lower to higher is blocked.
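An added illustration of the two points raised in this thread (the NAT list is only a selector, and the router filters nothing until told to). This is not part of the original posts; it reuses the interface names and addresses from the configuration posted above, and the third subnet and access-list 100 are hypothetical.

```cisco
! Added example, not from the original thread. Interface names and the
! 192.168.1.0/24 and 192.168.2.0/24 subnets come from the posted config;
! 192.168.3.0/24 and access-list 100 are hypothetical.

! --- Exec mode: verify that translation is actually happening ---
! Ping out from a PC in VLAN 1, then look for an entry whose
! "Inside local" is the PC and "Inside global" is 10.0.1.68.
show ip nat translations
show ip nat statistics
! The match counters on list 1 increment as translations are built.
! Nothing is "permitted" or "denied" at an interface by this list.
show access-lists 1

! --- Config mode: the NAT list is a selector, not a filter ---
! A subnet that is absent from access-list 1 is NOT blocked by an ACL;
! its packets leave Gi0/0 untranslated with a private source address,
! which the upstream normally cannot route back. Adding it to the list
! is what makes it reachable, because it becomes eligible for PAT.
access-list 1 permit 192.168.3.0 0.0.0.255

! --- Config mode: an interface filter is a separate mechanism ---
! Unlike the ASA, the router forwards everything until an ACL is bound
! to an interface with ip access-group. Hypothetical filter: stop VLAN 2
! from reaching VLAN 1 while still letting both reach the Internet.
access-list 100 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip any any
!
interface GigabitEthernet0/1.2
 ip access-group 100 in
!
! Check that the deny line is matching rather than the permit line.
show access-lists 100
```

The same distinction explains the original question: `ip nat inside source list 1 ...` consults list 1 only to decide which sources to translate, so the two `permit` lines are not an "allow Internet" rule; they simply make those subnets eligible for PAT on a device that was already forwarding everything.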