ASA 5510 no internet access on VLAN

TheIPOTek
Level 1

I am trying to add a new VLAN to our network. I created the new sub-interface (VLAN 60) and copied all settings from VLAN 20, which already exists and does have internet access. We are using a Netgear GS724TPS as a switch. I have the port untagged for VLAN 60 and no tagging on any other VLAN. For some reason (which I'm sure will be obvious to some of you) I cannot get internet access on that port. I also cannot even ping its own gateway (10.10.70.1). Any help would be greatly appreciated. Below is the running config from the ASA. I've replaced any of our public IPs with *.*.*.*.

Result of the command: "show running-config"

: Saved
:
ASA Version 8.0(4)
!
hostname ciscoasa
enable password ******* encrypted
passwd ******* encrypted
names
name 10.10.20.11 SA-100
name 10.10.20.9 FaxFinder description Multi-Tech FaxFinder IP-240
name 10.10.20.10 HQ description ShoreTel HQ Server
name 10.10.30.15 ShoreTel4500 description ShoreTel 4500 VPN Concentrator
name 10.10.20.13 SMR_ETH0
name 10.10.40.13 SMR_ETH1 description ShoreTel Mobility Router
name *.*.*.* MCM description ShoreTel Mobile Communicator
name *.*.*.* Portal description TP Portal
name *.*.*.* Support
name *.*.*.* Ingate description Ingate Virtual Siparator
name 10.10.30.25 Ingate-DMZ
name *.*.*.* BLUIP
name 10.10.20.25 Sipirator
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address *.*.*.* 255.255.255.128
!
interface Ethernet0/1
 nameif Data
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/1.20
 vlan 20
 nameif Voice
 security-level 100
 ip address 10.10.20.1 255.255.255.0
!
interface Ethernet0/1.60
 vlan 60
 nameif Test
 security-level 100
 ip address 10.10.70.1 255.255.255.0
!
interface Ethernet0/2
 nameif SMR
 security-level 100
 ip address 10.10.40.1 255.255.255.0
!
interface Ethernet0/3
 nameif DMZ
 security-level 100
 ip address 10.10.30.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service SMR-https tcp-udp
 port-object eq 443
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service https udp
 port-object eq 443
object-group service onexmobile_ports tcp
 port-object eq 5222
 port-object eq 5269
 port-object eq 8080
 port-object eq 8444
 port-object eq 8063
 port-object eq 8443
 port-object eq 9443
object-group service SIP5061 tcp
 port-object eq 5061
object-group service Avaya udp
 description Avaya RTP
 port-object range 49152 53246
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
access-list Data_access_in extended permit ip any any
access-list Data_access_in extended permit icmp any any
access-list Data_access_in extended permit gre any any
access-list Data_access_in extended permit tcp any eq pptp any
access-list Data_access_in extended deny tcp any any eq smtp log debugging
access-list Voice_access_in extended permit ip any any
access-list Voice_access_in extended permit icmp any any
access-list voice extended permit ip any any
access-list Voice extended permit ip any any
access-list Voice extended permit icmp any any
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_in extended permit ip any any
access-list Outside_access_in extended permit tcp any host *.*.*.* eq https
access-list Outside_access_in extended permit tcp any host *.*.*.* eq https
access-list Outside_access_in extended permit tcp any host *.*.*.* eq www
access-list Outside_access_in extended permit tcp any host *.*.*.* eq https
access-list Outside_access_in extended permit udp any host *.*.*.* eq 5440
access-list Outside_access_in extended permit udp any host *.*.*.* eq 5441
access-list Outside_access_in extended permit udp any host *.*.*.* eq 5443
access-list Outside_access_in extended permit udp any host *.*.*.* eq 5445
access-list Outside_access_in extended permit udp any host *.*.*.* eq 5004
access-list Outside_access_in extended permit udp any host *.*.*.* eq 5450
access-list Outside_access_in extended permit tcp any host *.*.*.* eq www
access-list Outside_access_in extended permit tcp any host *.*.*.* eq https
access-list Outside_access_in extended permit tcp any host *.*.*.* eq 3389
access-list Outside_access_in extended permit tcp any host MCM eq 5449
access-list Outside_access_in extended permit tcp any host MCM eq 5447
access-list Outside_access_in extended permit tcp any host MCM eq www
access-list Outside_access_in extended permit tcp any host *.*.*.* eq 444
access-list Outside_access_in extended permit udp any host *.*.*.* object-group https
access-list Outside_access_in extended permit tcp any host *.*.*.* eq https
access-list Outside_access_in extended permit tcp any host MCM eq https
access-list Outside_access_in extended permit tcp any host Portal eq www
access-list Outside_access_in extended permit tcp any host Support object-group DM_INLINE_TCP_1
access-list Outside_access_in extended permit udp any host *.*.*.* range sip 5061 inactive
access-list Outside_access_in extended permit udp BLUIP 255.255.248.0 host Ingate range 58024 60999
access-list Outside_access_in extended permit tcp any host *.*.*.* range 1719 h323 inactive
access-list Outside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any host *.*.*.* inactive
access-list Outside_access_in extended permit tcp any host *.*.*.* range 49152 53246 inactive
access-list Outside_access_in extended permit tcp any host Support eq 5222 inactive
access-list Outside_access_in extended permit tcp any host Support eq 5269 inactive
access-list Outside_access_in extended permit tcp any host Support eq 8444 inactive
access-list Outside_access_in extended permit object-group TCPUDP BLUIP 255.255.248.0 host Ingate eq sip
access-list Outside_access_in extended permit tcp 8.19.118.0 255.255.255.0 host *.*.*.* eq smtp
access-list Outside_access_in extended permit tcp 8.31.233.0 255.255.255.0 host *.*.*.* eq smtp
access-list Outside_access_in extended permit tcp 72.32.252.0 255.255.255.0 host *.*.*.* eq smtp
access-list Outside_access_in extended permit tcp 74.205.4.0 255.255.255.0 host *.*.*.* eq smtp
access-list Outside_access_in extended permit tcp 207.97.230.0 255.255.255.0 host *.*.*.* eq smtp
access-list Outside_access_in extended permit tcp 207.97.242.0 255.255.255.0 host *.*.*.* eq smtp
access-list Outside_access_in extended permit tcp host 69.20.58.226 host *.*.*.* eq smtp
access-list Outside_access_in extended permit tcp host 69.20.68.133 host *.*.*.* eq smtp
access-list Outside_access_in extended permit tcp host 207.97.224.142 host *.*.*.* eq smtp
access-list Outside_access_in extended permit tcp host 207.97.229.125 host *.*.*.* eq smtp
access-list Outside_access_in extended permit tcp host 8.31.233.196 host *.*.*.* eq smtp
access-list Outside_access_in extended permit tcp host 92.52.89.74 host *.*.*.* eq smtp
access-list Outside_access_in extended permit tcp host 72.32.253.10 host *.*.*.* eq smtp
access-list Outside_access_in extended permit tcp host 72.32.252.97 host *.*.*.* eq smtp
access-list Outside_access_in extended permit tcp host 69.20.60.122 host *.*.*.* eq smtp
access-list Outside_access_in extended permit tcp host 69.20.58.234 host *.*.*.* eq smtp
access-list Outside_access_in extended permit tcp host 72.32.253.39 host *.*.*.* eq smtp
access-list Outside_access_in extended permit tcp host 98.129.58.235 host *.*.*.* eq smtp
access-list Outside_access_in extended permit tcp 5.152.185.128 255.255.255.192 host *.*.*.* eq smtp
access-list Outside_access_in extended permit tcp 204.232.250.0 255.255.255.0 host *.*.*.* eq smtp
access-list Outside_access_in extended permit tcp 98.129.23.0 255.255.255.0 host *.*.*.* eq smtp
access-list Outside_access_in extended permit tcp 50.56.144.0 255.255.255.0 host *.*.*.* eq smtp
access-list Data_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.10.50.0 255.255.255.0
access-list Data_nat0_outbound extended permit ip any 10.10.10.192 255.255.255.224
access-list Data_nat0_outbound extended permit ip any 10.10.50.96 255.255.255.224
access-list acl standard permit 10.10.10.0 255.255.255.0
access-list acl standard permit 10.10.20.0 255.255.255.0
access-list acl standard permit 10.10.70.0 255.255.255.0
access-list Voice_nat0 extended permit ip 10.10.20.0 255.255.255.0 10.10.50.0 255.255.255.0
access-list nat_out extended permit ip 10.10.50.0 255.255.255.0 any
access-list iphone_splitTunnelAcl standard permit 10.10.20.0 255.255.255.0
access-list QoS_limit extended permit ip any any
access-list VOICE_QOS extended permit ip any host ShoreTel4500
access-list VOICE_QOS extended permit ip host ShoreTel4500 any
access-list VOICE_QOS extended permit ip any 10.10.20.0 255.255.255.0
access-list VOICE_QOS extended permit ip 10.10.20.0 255.255.255.0 any
access-list voice_test extended permit ip any any
access-list SMR_access_in extended permit ip any any
access-list SMR_access_in extended permit icmp any any
access-list Outside_mpc extended permit ip 10.10.30.0 255.255.255.0 any
access-list Outside_mpc extended permit ip 10.10.20.0 255.255.255.0 any
access-list Test_access_in extended permit ip any any
access-list Test_access_in extended permit icmp any any
access-list Test_access_in_1 extended permit ip any any
access-list Test_access_in_1 extended permit icmp any any
access-list Test extended permit ip any any
access-list Test extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Data 1500
mtu Voice 1500
mtu Test 1500
mtu SMR 1500
mtu DMZ 1500
mtu management 1500
ip local pool VPN-Pool 10.10.50.100-10.10.50.120 mask 255.255.255.255
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
asdm history enable
arp timeout 14400
global (Outside) 101 interface
nat (Outside) 101 access-list nat_out
nat (Data) 0 access-list Data_nat0_outbound
nat (Data) 101 10.10.10.0 255.255.255.0
nat (Voice) 0 access-list Voice_nat0
nat (Voice) 101 10.10.20.0 255.255.255.0
nat (Test) 101 10.10.70.0 255.255.255.0
nat (SMR) 101 10.10.40.0 255.255.255.0
nat (DMZ) 101 10.10.30.0 255.255.255.0
static (Data,Outside) tcp *.*.*.* 3389 10.10.10.11 3389 netmask 255.255.255.255
static (Data,Outside) tcp *.*.*.* www 10.10.10.11 www netmask 255.255.255.255  dns
static (Data,Outside) tcp *.*.*.* https 10.10.10.11 https netmask 255.255.255.255
static (Data,Outside) tcp *.*.*.* 444 10.10.10.11 444 netmask 255.255.255.255
static (SMR,Outside) udp *.*.*.* 443 SMR_ETH1 443 netmask 255.255.255.255
static (SMR,Outside) tcp *.*.*.* https SMR_ETH1 https netmask 255.255.255.255
static (Voice,Outside) tcp *.*.*.* https SA-100 https netmask 255.255.255.255
static (Voice,Outside) tcp *.*.*.* www SA-100 www netmask 255.255.255.255
static (Voice,Outside) udp *.*.*.* 5440 SA-100 5440 netmask 255.255.255.255
static (Voice,Outside) udp *.*.*.* 5441 SA-100 5441 netmask 255.255.255.255
static (Voice,Outside) udp *.*.*.* 5443 SA-100 5443 netmask 255.255.255.255
static (Voice,Outside) udp *.*.*.* 5445 SA-100 5445 netmask 255.255.255.255
static (Voice,Outside) udp *.*.*.* 5004 SA-100 5004 netmask 255.255.255.255
static (Voice,Outside) udp *.*.*.* 5450 SA-100 5450 netmask 255.255.255.255
static (Voice,Outside) tcp MCM www HQ www netmask 255.255.255.255
static (Voice,Outside) tcp MCM 5449 HQ 5449 netmask 255.255.255.255
static (Voice,Outside) tcp MCM 5447 HQ 5447 netmask 255.255.255.255
static (Voice,Outside) tcp MCM https HQ https netmask 255.255.255.255
static (Data,Outside) tcp Portal www 10.10.10.12 www netmask 255.255.255.255
static (Data,Outside) tcp Support https 10.10.10.8 https netmask 255.255.255.255
static (Data,Outside) tcp Support www 10.10.10.8 www netmask 255.255.255.255
static (DMZ,Outside) tcp *.*.*.* https ShoreTel4500 https netmask 255.255.255.255
static (Voice,Outside) tcp *.*.*.* smtp FaxFinder smtp netmask 255.255.255.255 tcp 10 10 udp 10
static (SMR,DMZ) 10.10.40.0 10.10.40.0 netmask 255.255.255.0
static (SMR,Data) 10.10.40.0 10.10.40.0 netmask 255.255.255.0
static (SMR,Voice) 10.10.40.0 10.10.40.0 netmask 255.255.255.0
static (Data,Voice) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
static (DMZ,Data) 10.10.30.0 10.10.30.0 netmask 255.255.255.0
static (DMZ,Voice) 10.10.30.0 10.10.30.0 netmask 255.255.255.0
static (DMZ,SMR) 10.10.30.0 10.10.30.0 netmask 255.255.255.0
static (Voice,Outside) Ingate Sipirator netmask 255.255.255.255
static (Voice,Data) 10.10.20.0 10.10.20.0 netmask 255.255.255.0
static (Voice,DMZ) 10.10.20.0 10.10.20.0 netmask 255.255.255.0
static (Voice,SMR) 10.10.20.0 10.10.20.0 netmask 255.255.255.0
static (Test,Data) 10.10.70.0 10.10.70.0 netmask 255.255.255.0
static (Data,Test) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
static (Data,DMZ) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
static (Data,SMR) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
static (Test,DMZ) 10.10.70.0 10.10.70.0 netmask 255.255.255.0
access-group Outside_access_in in interface Outside
access-group Data_access_in in interface Data
access-group Voice in interface Voice
access-group Test_access_in_1 in interface Test
access-group SMR_access_in in interface SMR
access-group DMZ_access_in in interface DMZ
route Outside 0.0.0.0 0.0.0.0 *.*.*.* 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.10.20.0 255.255.255.255 management
http 192.168.2.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 management
http 10.10.10.0 255.255.255.255 Data
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto dynamic-map dny1 1 set transform-set ESP-3DES-SHA
crypto dynamic-map dny1 1 set security-association lifetime seconds 28800
crypto dynamic-map dny1 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map dny1 1 set reverse-route
crypto map Outside_map 65530 set security-association lifetime seconds 28800
crypto map Outside_map 65530 set security-association lifetime kilobytes 4608000
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
!
dhcprelay server 10.10.10.8 Data
dhcprelay enable Voice
dhcprelay timeout 60
priority-queue Outside
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp authenticate
ntp server 64.90.182.55 source Outside prefer
ssl encryption rc4-sha1
group-policy testpolicy internal
group-policy testpolicy attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl
group-policy VPN5510 internal
group-policy VPN5510 attributes
 dns-server value 10.10.10.8 8.8.8.8
 vpn-tunnel-protocol IPSec l2tp-ipsec
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout none
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
group-policy iphone internal
group-policy iphone attributes
 dns-server value 10.10.10.8 8.8.8.8
 vpn-tunnel-protocol IPSec
 pfs disable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value iphone_splitTunnelAcl
 default-domain value hilltop.local
username *********** password ********* encrypted privilege 15
username ********* attributes
 vpn-group-policy VPN5510
username ***** ****** privilege 15
username ***** attributes
 vpn-group-policy iphone
username ******* password ******* encrypted privilege 15
tunnel-group VPN5510 type remote-access
tunnel-group VPN5510 general-attributes
 address-pool VPN-Pool
 default-group-policy VPN5510
tunnel-group VPN5510 ipsec-attributes
 pre-shared-key *
tunnel-group VPN_Users type remote-access
tunnel-group VPN_Users general-attributes
 address-pool VPN-Pool
tunnel-group VPN_Users ipsec-attributes
 pre-shared-key *
tunnel-group testgroup type remote-access
tunnel-group testgroup general-attributes
 address-pool VPN-Pool
 default-group-policy testpolicy
tunnel-group testgroup ipsec-attributes
 pre-shared-key *
tunnel-group iphone type remote-access
tunnel-group iphone general-attributes
 address-pool VPN-Pool
 default-group-policy iphone
tunnel-group iphone ipsec-attributes
 pre-shared-key *
!
class-map dscp
 match any
class-map Outside-class
 match access-list Outside_mpc
class-map dmz-dscp
 match dscp ef
class-map inspection_default
 match default-inspection-traffic
class-map Data-LimitHttp
 match any
class-map Data-class
 match any
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map dscp
 class dmz-dscp
  priority
policy-map SHAPING
 class class-default
  shape average 2000000
policy-map global_policy
 description DSCP
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect icmp
  inspect pptp
 class class-default
policy-map Data-policy
 description Manage Data Bandwith
 class Data-class
  police input 10000000 25000
  police output 50000000 25000
policy-map test1
 class dscp
  priority
policy-map Data-LimitHttp
 class Data-LimitHttp
  inspect http
  police input 2000000 1500
policy-map outside
 class class-default
policy-map Outside-policy
 class Outside-class
  priority
!
service-policy global_policy global
service-policy Outside-policy interface Outside
service-policy Data-policy interface Data
prompt hostname context
Cryptochecksum:**********
: end

1 Reply

amikat
Level 7

Hi,

As configured, the ASA expects VLAN 60 to be tagged. On your Netgear box, please check the appropriate port configuration:

Switching>VLAN>Advanced>VLAN Membership

For VLAN ID "60", click the gold bar to display the ports and set the port going to the ASA to "T" (tagged).

Good luck!

Best regards,

Antonin
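To show why the untagged port cannot reach 10.10.70.1, here is an added Python example (not from the thread and not Cisco code). It parses the Ethernet0/1 stanzas from the posted running-config, classifies a constructed frame the way the ASA does (an 802.1Q VID selects the matching subinterface, an untagged frame falls to the parent Data interface) and checks whether the sending host's address belongs to the interface the frame landed on. The MAC addresses and the host address 10.10.70.50 are constructed for the demo.

```python
import ipaddress
import re
import struct

# Interface stanzas copied from the running-config in the question (only the
# parent port Ethernet0/1 and its two subinterfaces are needed here).
ASA_CONFIG = """
interface Ethernet0/1
 nameif Data
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/1.20
 vlan 20
 nameif Voice
 ip address 10.10.20.1 255.255.255.0
!
interface Ethernet0/1.60
 vlan 60
 nameif Test
 ip address 10.10.70.1 255.255.255.0
!
"""

def parse_interfaces(config):
    """Map (port, vlan-or-None) -> (nameif, IPv4Interface) from the stanzas."""
    table = {}
    for stanza in re.split(r"^!\s*$", config, flags=re.M):
        m = re.search(r"^interface (\S+?)(?:\.\d+)?$", stanza, re.M)
        name = re.search(r"^ nameif (\S+)", stanza, re.M)
        addr = re.search(r"^ ip address (\S+) (\S+)", stanza, re.M)
        if not (m and name and addr):
            continue
        vlan = re.search(r"^ vlan (\d+)", stanza, re.M)
        iface = ipaddress.ip_interface(f"{addr.group(1)}/{addr.group(2)}")
        table[(m.group(1), int(vlan.group(1)) if vlan else None)] = (name.group(1), iface)
    return table

def build_frame(src_ip, dst_ip, vlan=None):
    """Constructed Ethernet + IPv4 header (no payload); MACs are placeholders."""
    hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan is not None:                       # 802.1Q: TPID 0x8100 + TCI (VID)
        hdr += struct.pack("!HH", 0x8100, vlan & 0x0FFF)
    hdr += struct.pack("!H", 0x0800)           # EtherType IPv4
    ip = bytes([0x45, 0]) + struct.pack("!HHHBBH", 20, 0, 0, 64, 1, 0)
    return hdr + ip + ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed

def diagnose(frame, table, port="Ethernet0/1"):
    """Classify a frame as the ASA would and report whether the host's source
    address belongs to the interface it landed on. Returns (nameif, ok)."""
    vlan, off = None, 14                       # untagged: IPv4 header at offset 14
    if struct.unpack("!H", frame[12:14])[0] == 0x8100:
        vlan, off = struct.unpack("!H", frame[14:16])[0] & 0x0FFF, 18
    hit = table.get((port, vlan))
    if hit is None:
        return (None, False)                   # no (sub)interface for that VLAN
    name, iface = hit
    src = ipaddress.IPv4Address(frame[off + 12:off + 16])
    return (name, src in iface.network)

if __name__ == "__main__":
    table = parse_interfaces(ASA_CONFIG)
    for vlan in (None, 60):    # switch port "U" (untagged) vs "T" (tagged) for VLAN 60
        print(vlan, diagnose(build_frame("10.10.70.50", "10.10.70.1", vlan), table))
```

The untagged frame is classified onto Data (10.10.10.0/24), where a 10.10.70.x source is off-subnet and never reaches the Test gateway; the same frame tagged with VID 60 lands on Test and matches.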
