03-07-2014 09:32 PM
I am trying to do the following:
SG300-20 segmented into 4 VLANs - call them "clients", "servers" and "printers" along with the default VLAN that already exists on the SG300 at startup. SG300 is already in Layer 3 mode with a virgin (reset) configuration. ISA550 is running perfectly with 3 VLANs - default and two client VLANs dedicated to wireless devices and MOCA devices.
The ISA550 is already configured for its VLANs, all of them have internet connectivity, working VLAN DHCP, etc.
I want the SG300 to handle DHCP for all three of the VLANs located on the switch, and for the SG300 to have a single connection to the ISA550. All three VLANs on the SG300 will need internet connectivity. My initial thought was to have the SG300 connected to the ISA550 through the default SG300 VLAN as a trunk on a single port (one cable connecting the two devices). The SG300 would then handle the routing between the VLANs which are located on it as well as route externally directed traffic to the ISA550.
Ideally, I will be able to ping any device located on any of these subnets (ISA550 or SG300) from a workstation located on the "clients" VLAN on the SG300.
My difficulty is that in order to activate DHCP on the SG300, I have to change the default VLAN to a static IP address, and when I do, every VLAN on the SG300 loses connectivity to other SG300 VLANs. No VLAN that I have set up on the SG300 has ever gotten internet connectivity through the ISA550.
I've read every guide that I can find, including the discussions on here, and tried to set this up about 12 times, to no avail. I get VLANs that can not talk to one another, and all of them can't see the internet. I'm a noob at this, so any help is hugely appreciated, but bear in mind that I'll need to be spoon fed / handheld through setting this up as much as possible.
03-09-2014 04:22 AM
Hi Dww, please check this post
https://supportforums.cisco.com/discussion/12116176/rv042-082-016-sx300500-switch-open-discussion
This will show you how to correctly configure your VLANS and IP addresses for the switch. If you follow the switch configuration in the order presented, you will have the switch configured correctly. In addition, you shouldn't have to worry about any static routes considering the ISA supports trunks (the document outlines static routes since the router in the example doesn't support VLAN).
Once you set up the VLANS and IP addresses (following the order on the document), determine what will be your uplink port then you can tag all the VLAN to that port which then should connect to the ISA. I think you're familiar with the trunks considering you mentioned it on your above post.
03-09-2014 06:23 AM
This is excellent information, Tom, but my ISA550 doesn't have those options, or at least they are labeled differently and I can't translate. This is what I see on my router. I am assuming that I have to set up static routing on the router back to the swtich VLANs?
I followed your directions with regard to the SG300 down through creating the DHCP pool. Second VLAN created, one port assigned to it, etc. A client plugged into that port correctly obtains an IP address from the pool that I created, but it can not connect to the internet / can't resolve hosts.
Status quo:
I now have two VLANS on my switch - the default one, which now has a static address of 192.168.2.2 on the port connected to the ISA550. The corresponding port on the ISA550 has an address of 192.168.2.1.
second VLAN which has an address of 192.168.10.254. One port is assigned to this VLAN. A client is connected to this port which obtained the address 192.168.10.1 via DHCP. (Note that I set the domain name in the pool to 8.8.8.8 as shown in your example).
The client on the second VLAN can ping hosts on the first (default) VLAN, it can ping the gateway for that VLAN (192.168.2.2), but it can NOT ping the other side of that connection on the ISA550 (192.168.2.1).
Clients conected to the first VLAN (default) retain internet connectivity and CAN ping 192.168.2.1 on the ISA550
Where do we go from here?
03-09-2014 11:01 AM
Hello,
You may need to configure static routes on the ISA. Also make sure that the default route on the switch points to the corresponding IP on the ISA.
http://sbkb.cisco.com/CiscoSB/ukp.aspx?vw=1&docid=e902055fbe1b404d8d0ba443d9402dd6_Static_Routing_Settings_on_ISA500_Series_Integrated_Security.xml&pid=2&respid=0&snid=8&dispid=0&cpage=search
Alternatively, you can also configure the ISA to do all the routing and assign DHCP address. The following link provides an example configuration with RV320.
http://sbkb.cisco.com/CiscoSB/ukp.aspx?vw=1&docid=aea5deb5d4b54cce8e1f6e96f6e4824c_Enabling_Multiple_Wireless_Networks_on_RV320_VPN_Router__WAP.xml&pid=2&respid=0&snid=12&dispid=0&cpage=search
The following two links may help with configuring the ISA500:
http://sbkb.cisco.com/CiscoSB/ukp.aspx?vw=1&docid=ae6d8a8a4e3244e4a4e151c7d30c75d5_Virtual_Local_Area_Network__VLAN__Settings_on_ISA500_Series_.xml&pid=2&respid=0&snid=4&dispid=0&cpage=search
http://sbkb.cisco.com/CiscoSB/ukp.aspx?vw=1&docid=a2664cd14b034f30890d97e0a0c151a4_Physical_Inteface_Settings_for_Ports_on_ISA500_Series_Integr.xml&pid=2&respid=0&snid=4&dispid=0&cpage=search
Make sure to configure the link connecting to the switch as a trunk with apprpriate VLAN's included.
Hope this helps.
Nagaraja
03-09-2014 11:13 AM
I did configure static routes on the ISA550 for the VLANs which are configured on / DHCP'ed on the SG300 just now.
Results:
Clients connected to VLANs located on the SG300 can now ping clients on any other subnet, including those located on VLANs located on the ISA550, so traffic is moving as it should between all local subnets.
Clients connected to the default VLAN on the SG300 (this is the one that is connected to the ISA550) have internet connectivity as well.
Clients connected to other VLANs (other than the default VLAN) located on the SG300 can now resolve internet addresses (for example: ping www.google.com), but the replies are 100% loss. These clients still have no internet connectivity. They can resolve external IP addresses, but no traffic sent to those addresses is returned to the client.
This leads me to believe that another static route needs to be created on the ISA550 to point traffic coming in from the internet to its originating client. Alternatively, could this be a firewall problem?
Suggestions?
03-09-2014 01:11 PM
Seems like ISA is not doing NAT for the internal subnets. Please go ahead and add an advanced NAT rule on the ISA.
http://sbkb.cisco.com/CiscoSB/ukp.aspx?vw=1&docid=5d0d0489af0e49b699eccce0f17bd9ed_Advanced_Network_Address_Translation__NAT__Settings_on_ISA50.xml&pid=2&respid=0&snid=4&dispid=0&cpage=search
Create a new address group for the original source address (this should match the subnet on the SG300 switch), and choose the WAN1_IP for the translated source address and save the setting. Leave all other fields at their default settings. This should help.
Nagaraja
03-10-2014 04:01 PM
That was the final piece. All VLANs are working and have internet connectivity now. Thank you guys for all the help!
This question can be marked as answered. Not sure if I do that or an admin does.
03-10-2014 10:19 PM
You can mark the question as answered.
Nagaraja
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide