Router on a stick issue- Can ping 8.8.8.8 from router and ASA but not switches

Ty Melrose
Level 1

I am having an issue with connecting to the internet on my network. From my ASA and Router, I can ping 8.8.8.8 but not from my switches. On my switches I can ping all subinterfaces and the outgoing interface on the router. From switches, I cannot ping the ASA inside interface, but from what I understand that is by design. My configs are below:


Router:

no aaa new-model
!
dot11 syslog
ip source-route
!
ip cef
!
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
voice-card 0
!
crypto pki token default removal timeout 0
!
license udi pid CISCO3845-MB sn XXXXXXXXX
!
redundancy
!
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.252
 duplex full
 speed 1000
 media-type rj45
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip helper-address 192.168.80.10
!
interface GigabitEthernet0/1.30
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
 ip helper-address 192.168.80.10
!
interface GigabitEthernet0/1.40
 encapsulation dot1Q 40
 ip address 192.168.40.1 255.255.255.0
 ip helper-address 192.168.80.10
!
interface GigabitEthernet0/1.50
 encapsulation dot1Q 50
 ip address 192.168.50.1 255.255.255.0
 ip helper-address 192.168.80.10
!
interface GigabitEthernet0/1.80
 encapsulation dot1Q 80
 ip address 192.168.80.1 255.255.255.0
 ip helper-address 192.168.80.10
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.1.1.2
!
control-plane
!
mgcp profile default
!
gatekeeper
 shutdown
!

Switch:

no aaa new-model
switch 1 provision ws-c3750-48p
system mtu routing 1500
no ip domain-lookup
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet1/0/1
 switchport access vlan 80
 switchport mode access
!
interface FastEthernet1/0/20
 switchport access vlan 20
 switchport mode access
!
interface FastEthernet1/0/40
 switchport access vlan 40
 switchport mode access
!
interface FastEthernet1/0/47
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet1/0/48
 switchport trunk encapsulation dot1q
 switchport mode trunk
!

interface Vlan1
 ip address 192.168.1.11 255.255.255.0
!
ip default-gateway 192.168.1.1
ip classless
ip http server
ip http secure-server


Any help would be greatly appreciated

2 Replies

Seb Rupik
VIP Alumni

Hi there,

I assume you have configured ICMP inspection on the ASA?

It would be useful to set your NAT config on the ASA, but my guess is that you have not specified VLAN1 (switch management VLAN) as a valid inside source subnet which can be NAT'ed on the ASA.


Would be good to see your ASA config....


cheers,

Seb.

I ended up figuring out the outgoing traffic issue. I hadn't created any NAT rules yet. Although I am having a heck of a time figuring out how to configure NAT and Access rules to make my Exchange server receive incoming traffic. Here is the error I am seeing in ASDM:

3 Jul 11 2015 22:24:34  108.194.57.141 56852 XXX.XXX.XXX.XXX 443 TCP access denied by ACL from 108.194.57.141/56852 to Outside:XXX.XXX.XXX.XXX/443

Here is my config:

ASA Version 9.1(1)
!
hostname Ciscoasa
domain-name Domain
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 description Public interface
 nameif Outside
 security-level 0
 ip address XXX.XXX.XXX.XXX 255.255.255.248
!
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 10.1.1.2 255.255.255.252
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
banner exec No Unauthorized Access at any time
banner login No Unauthorized Access at any time
banner motd No Unauthorized Access at any time
banner asdm No Unauthorized Access at any time
boot system disk0:/asa911-smp-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name Domain
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network INSIDE
object network email-server
object network Server1
 host 192.168.80.5
object network Inside-Network
 subnet 10.1.1.0 255.255.255.252
object network VLAN1
 subnet 192.168.1.0 255.255.255.0
object network Level_3
 host <ISP Gateway IP Address>
object network inside-subnet20
 subnet 192.168.20.0 255.255.255.0
object network inside-subnet30
 subnet 192.168.30.0 255.255.255.0
object network inside-subnet40
 subnet 192.168.40.0 255.255.255.0
object network inside-subnet50
 subnet 192.168.50.0 255.255.255.0
object network inside-subnet80
 subnet 192.168.80.0 255.255.255.0
object network Router1
 host 10.1.1.1
object service https
 service tcp source range 1 65535 destination eq https
object-group service HTTPS tcp
 port-object eq https
access-list MAILS extended permit ip any object Server1
access-list Outside_access_in extended permit tcp any object Server1 eq https
pager lines 24
logging enable
logging asdm errors
mtu Outside 1500
mtu Inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network Inside-Network
 nat (Inside,Outside) dynamic interface
object network inside-subnet20
 nat (Inside,Outside) dynamic interface
object network inside-subnet30
 nat (Inside,Outside) dynamic interface
object network inside-subnet40
 nat (Inside,Outside) dynamic interface
object network inside-subnet50
 nat (Inside,Outside) dynamic interface
object network inside-subnet80
 nat (Inside,Outside) dynamic interface
!
nat (Inside,Outside) after-auto source dynamic any interface
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 <ISP Gateway IP Address> 1
route Inside 192.168.20.0 255.255.255.0 10.1.1.1 1
route Inside 192.168.30.0 255.255.255.0 10.1.1.1 1
route Inside 192.168.40.0 255.255.255.0 10.1.1.1 1
route Inside 192.168.50.0 255.255.255.0 10.1.1.1 1
route Inside 192.168.80.0 255.255.255.0 10.1.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.2 255.255.255.255 management
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
 class class-default
  user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 8
  subscribe-to-alert-group configuration periodic monthly 8
  subscribe-to-alert-group telemetry periodic daily

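An added example, not from the thread or from Cisco: a small Python audit of an ASA config excerpt constructed to mirror the one above. Since ASA 8.3 an access-list is evaluated against the real (untranslated) address, so an ACE that permits traffic to `object Server1` only matches if a static NAT maps the Outside address to that host; in the config above `object network Server1` has no `nat` line, which is the pattern the script flags. The ACE regex assumes the simple `permit <proto> <src> object <dst>` shape used in this config.

```python
import re

# Constructed excerpt modelled on the thread's ASA config; not the poster's full config.
SAMPLE_CONFIG = """\
object network Server1
 host 192.168.80.5
object network inside-subnet80
 subnet 192.168.80.0 255.255.255.0
access-list Outside_access_in extended permit tcp any object Server1 eq https
object network inside-subnet80
 nat (Inside,Outside) dynamic interface
nat (Inside,Outside) after-auto source dynamic any interface
access-group Outside_access_in in interface Outside
"""

def parse_objects(config):
    """Map each 'object network' name to its indented body lines. ASA prints the
    object header twice (definition, then NAT section), so both bodies are merged."""
    objects = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"object network (\S+)$", line)
        if m:
            current = m.group(1)
            objects.setdefault(current, [])
        elif line.startswith(" ") and current:
            objects[current].append(line.strip())
        else:
            current = None
    return objects

def inbound_acls(config):
    """Return {acl_name: interface} for every ACL applied inbound on an interface."""
    return dict(re.findall(r"^access-group (\S+) in interface (\S+)", config, re.M))

def find_targets_without_static_nat(config):
    """ACL destination objects on inbound-applied ACLs that carry no static NAT.
    Without a static NAT a packet for the Outside IP is never translated to the
    object's real address, so the ACE cannot match and the ASA logs an ACL deny.
    Assumes the ACE shape 'permit <proto> <src> object <dst>' as in the thread."""
    objects = parse_objects(config)
    findings = []
    for acl, iface in inbound_acls(config).items():
        ace = rf"^access-list {re.escape(acl)} extended permit \S+ \S+ object (\S+)"
        for target in re.findall(ace, config, re.M):
            body = objects.get(target, [])
            if not any(l.startswith("nat ") and " static " in l for l in body):
                findings.append((acl, iface, target))
    return findings

if __name__ == "__main__":
    for acl, iface, obj in find_targets_without_static_nat(SAMPLE_CONFIG):
        print(f"{acl} on {iface} permits traffic to {obj}, but {obj} has no static NAT")
```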