12-29-2015 07:22 AM - edited 03-08-2019 03:14 AM
I am trying to add a new VLAN to our network. I created the new sub-interface (VLAN 60) and copied all settings from VLAN 20, which already exists and does have internet access. We are using a Netgear GS724TPS as a switch. I have the port untagged for VLAN 60 and no tagging on any other VLAN. For some reason (which I'm sure will be obvious to some of you) I cannot get internet access on that port. I also cannot even ping its own gateway (10.10.70.1). Any help would be greatly appreciated. Below is the running config from the ASA. I've replaced any of our public IPs with *.*.*.*.
Result of the command: "show running-config"
: Saved
:
ASA Version 8.0(4)
!
hostname ciscoasa
enable password ******* encrypted
passwd ******* encrypted
names
name 10.10.20.11 SA-100
name 10.10.20.9 FaxFinder description Multi-Tech FaxFinder IP-240
name 10.10.20.10 HQ description ShoreTel HQ Server
name 10.10.30.15 ShoreTel4500 description ShoreTel 4500 VPN Concentrator
name 10.10.20.13 SMR_ETH0
name 10.10.40.13 SMR_ETH1 description ShoreTel Mobility Router
name *.*.*.* MCM description ShoreTel Mobile Communicator
name *.*.*.* Portal description TP Portal
name *.*.*.* Support
name *.*.*.* Ingate description Ingate Virtual Siparator
name 10.10.30.25 Ingate-DMZ
name *.*.*.* BLUIP
name 10.10.20.25 Sipirator
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address *.*.*.* 255.255.255.128
!
interface Ethernet0/1
nameif Data
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/1.20
vlan 20
nameif Voice
security-level 100
ip address 10.10.20.1 255.255.255.0
!
interface Ethernet0/1.60
vlan 60
nameif Test
security-level 100
ip address 10.10.70.1 255.255.255.0
!
interface Ethernet0/2
nameif SMR
security-level 100
ip address 10.10.40.1 255.255.255.0
!
interface Ethernet0/3
nameif DMZ
security-level 100
ip address 10.10.30.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service SMR-https tcp-udp
port-object eq 443
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service https udp
port-object eq 443
object-group service onexmobile_ports tcp
port-object eq 5222
port-object eq 5269
port-object eq 8080
port-object eq 8444
port-object eq 8063
port-object eq 8443
port-object eq 9443
object-group service SIP5061 tcp
port-object eq 5061
object-group service Avaya udp
description Avaya RTP
port-object range 49152 53246
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
access-list Data_access_in extended permit ip any any
access-list Data_access_in extended permit icmp any any
access-list Data_access_in extended permit gre any any
access-list Data_access_in extended permit tcp any eq pptp any
access-list Data_access_in extended deny tcp any any eq smtp log debugging
access-list Voice_access_in extended permit ip any any
access-list Voice_access_in extended permit icmp any any
access-list voice extended permit ip any any
access-list Voice extended permit ip any any
access-list Voice extended permit icmp any any
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_in extended permit ip any any
access-list Outside_access_in extended permit tcp any host *.*.*.* eq https
access-list Outside_access_in extended permit tcp any host *.*.*.* eq https
access-list Outside_access_in extended permit tcp any host *.*.*.* eq www
access-list Outside_access_in extended permit tcp any host *.*.*.* eq https
access-list Outside_access_in extended permit udp any host *.*.*.* eq 5440
access-list Outside_access_in extended permit udp any host *.*.*.* eq 5441
access-list Outside_access_in extended permit udp any host *.*.*.* eq 5443
access-list Outside_access_in extended permit udp any host *.*.*.* eq 5445
access-list Outside_access_in extended permit udp any host *.*.*.* eq 5004
access-list Outside_access_in extended permit udp any host *.*.*.* eq 5450
access-list Outside_access_in extended permit tcp any host *.*.*.* eq www
access-list Outside_access_in extended permit tcp any host *.*.*.* eq https
access-list Outside_access_in extended permit tcp any host *.*.*.* eq 3389
access-list Outside_access_in extended permit tcp any host MCM eq 5449
access-list Outside_access_in extended permit tcp any host MCM eq 5447
access-list Outside_access_in extended permit tcp any host MCM eq www
access-list Outside_access_in extended permit tcp any host *.*.*.* eq 444
access-list Outside_access_in extended permit udp any host *.*.*.* object-group https
access-list Outside_access_in extended permit tcp any host *.*.*.* eq https
access-list Outside_access_in extended permit tcp any host MCM eq https
access-list Outside_access_in extended permit tcp any host Portal eq www
access-list Outside_access_in extended permit tcp any host Support object-group DM_INLINE_TCP_1
access-list Outside_access_in extended permit udp any host *.*.*.* range sip 5061 inactive
access-list Outside_access_in extended permit udp BLUIP 255.255.248.0 host Ingate range 58024 60999
access-list Outside_access_in extended permit tcp any host *.*.*.* range 1719 h323 inactive
access-list Outside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any host *.*.*.* inactive
access-list Outside_access_in extended permit tcp any host *.*.*.* range 49152 53246 inactive
access-list Outside_access_in extended permit tcp any host Support eq 5222 inactive
access-list Outside_access_in extended permit tcp any host Support eq 5269 inactive
access-list Outside_access_in extended permit tcp any host Support eq 8444 inactive
access-list Outside_access_in extended permit object-group TCPUDP BLUIP 255.255.248.0 host Ingate eq sip
access-list Outside_access_in extended permit tcp 8.19.118.0 255.255.255.0 host *.*.*.* eq smtp
access-list Outside_access_in extended permit tcp 8.31.233.0 255.255.255.0 host *.*.*.* eq smtp
access-list Outside_access_in extended permit tcp 72.32.252.0 255.255.255.0 host *.*.*.* eq smtp
access-list Outside_access_in extended permit tcp 74.205.4.0 255.255.255.0 host *.*.*.* eq smtp
access-list Outside_access_in extended permit tcp 207.97.230.0 255.255.255.0 host *.*.*.* eq smtp
access-list Outside_access_in extended permit tcp 207.97.242.0 255.255.255.0 host *.*.*.* eq smtp
access-list Outside_access_in extended permit tcp host 69.20.58.226 host *.*.*.* eq smtp
access-list Outside_access_in extended permit tcp host 69.20.68.133 host *.*.*.* eq smtp
access-list Outside_access_in extended permit tcp host 207.97.224.142 host *.*.*.* eq smtp
access-list Outside_access_in extended permit tcp host 207.97.229.125 host *.*.*.* eq smtp
access-list Outside_access_in extended permit tcp host 8.31.233.196 host *.*.*.* eq smtp
access-list Outside_access_in extended permit tcp host 92.52.89.74 host *.*.*.* eq smtp
access-list Outside_access_in extended permit tcp host 72.32.253.10 host *.*.*.* eq smtp
access-list Outside_access_in extended permit tcp host 72.32.252.97 host *.*.*.* eq smtp
access-list Outside_access_in extended permit tcp host 69.20.60.122 host *.*.*.* eq smtp
access-list Outside_access_in extended permit tcp host 69.20.58.234 host *.*.*.* eq smtp
access-list Outside_access_in extended permit tcp host 72.32.253.39 host *.*.*.* eq smtp
access-list Outside_access_in extended permit tcp host 98.129.58.235 host *.*.*.* eq smtp
access-list Outside_access_in extended permit tcp 5.152.185.128 255.255.255.192 host *.*.*.* eq smtp
access-list Outside_access_in extended permit tcp 204.232.250.0 255.255.255.0 host *.*.*.* eq smtp
access-list Outside_access_in extended permit tcp 98.129.23.0 255.255.255.0 host *.*.*.* eq smtp
access-list Outside_access_in extended permit tcp 50.56.144.0 255.255.255.0 host *.*.*.* eq smtp
access-list Data_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.10.50.0 255.255.255.0
access-list Data_nat0_outbound extended permit ip any 10.10.10.192 255.255.255.224
access-list Data_nat0_outbound extended permit ip any 10.10.50.96 255.255.255.224
access-list acl standard permit 10.10.10.0 255.255.255.0
access-list acl standard permit 10.10.20.0 255.255.255.0
access-list acl standard permit 10.10.70.0 255.255.255.0
access-list Voice_nat0 extended permit ip 10.10.20.0 255.255.255.0 10.10.50.0 255.255.255.0
access-list nat_out extended permit ip 10.10.50.0 255.255.255.0 any
access-list iphone_splitTunnelAcl standard permit 10.10.20.0 255.255.255.0
access-list QoS_limit extended permit ip any any
access-list VOICE_QOS extended permit ip any host ShoreTel4500
access-list VOICE_QOS extended permit ip host ShoreTel4500 any
access-list VOICE_QOS extended permit ip any 10.10.20.0 255.255.255.0
access-list VOICE_QOS extended permit ip 10.10.20.0 255.255.255.0 any
access-list voice_test extended permit ip any any
access-list SMR_access_in extended permit ip any any
access-list SMR_access_in extended permit icmp any any
access-list Outside_mpc extended permit ip 10.10.30.0 255.255.255.0 any
access-list Outside_mpc extended permit ip 10.10.20.0 255.255.255.0 any
access-list Test_access_in extended permit ip any any
access-list Test_access_in extended permit icmp any any
access-list Test_access_in_1 extended permit ip any any
access-list Test_access_in_1 extended permit icmp any any
access-list Test extended permit ip any any
access-list Test extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Data 1500
mtu Voice 1500
mtu Test 1500
mtu SMR 1500
mtu DMZ 1500
mtu management 1500
ip local pool VPN-Pool 10.10.50.100-10.10.50.120 mask 255.255.255.255
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
asdm history enable
arp timeout 14400
global (Outside) 101 interface
nat (Outside) 101 access-list nat_out
nat (Data) 0 access-list Data_nat0_outbound
nat (Data) 101 10.10.10.0 255.255.255.0
nat (Voice) 0 access-list Voice_nat0
nat (Voice) 101 10.10.20.0 255.255.255.0
nat (Test) 101 10.10.70.0 255.255.255.0
nat (SMR) 101 10.10.40.0 255.255.255.0
nat (DMZ) 101 10.10.30.0 255.255.255.0
static (Data,Outside) tcp *.*.*.* 3389 10.10.10.11 3389 netmask 255.255.255.255
static (Data,Outside) tcp *.*.*.* www 10.10.10.11 www netmask 255.255.255.255 dns
static (Data,Outside) tcp *.*.*.* https 10.10.10.11 https netmask 255.255.255.255
static (Data,Outside) tcp *.*.*.* 444 10.10.10.11 444 netmask 255.255.255.255
static (SMR,Outside) udp *.*.*.* 443 SMR_ETH1 443 netmask 255.255.255.255
static (SMR,Outside) tcp *.*.*.* https SMR_ETH1 https netmask 255.255.255.255
static (Voice,Outside) tcp *.*.*.* https SA-100 https netmask 255.255.255.255
static (Voice,Outside) tcp *.*.*.* www SA-100 www netmask 255.255.255.255
static (Voice,Outside) udp *.*.*.* 5440 SA-100 5440 netmask 255.255.255.255
static (Voice,Outside) udp *.*.*.* 5441 SA-100 5441 netmask 255.255.255.255
static (Voice,Outside) udp *.*.*.* 5443 SA-100 5443 netmask 255.255.255.255
static (Voice,Outside) udp *.*.*.* 5445 SA-100 5445 netmask 255.255.255.255
static (Voice,Outside) udp *.*.*.* 5004 SA-100 5004 netmask 255.255.255.255
static (Voice,Outside) udp *.*.*.* 5450 SA-100 5450 netmask 255.255.255.255
static (Voice,Outside) tcp MCM www HQ www netmask 255.255.255.255
static (Voice,Outside) tcp MCM 5449 HQ 5449 netmask 255.255.255.255
static (Voice,Outside) tcp MCM 5447 HQ 5447 netmask 255.255.255.255
static (Voice,Outside) tcp MCM https HQ https netmask 255.255.255.255
static (Data,Outside) tcp Portal www 10.10.10.12 www netmask 255.255.255.255
static (Data,Outside) tcp Support https 10.10.10.8 https netmask 255.255.255.255
static (Data,Outside) tcp Support www 10.10.10.8 www netmask 255.255.255.255
static (DMZ,Outside) tcp *.*.*.* https ShoreTel4500 https netmask 255.255.255.255
static (Voice,Outside) tcp *.*.*.* smtp FaxFinder smtp netmask 255.255.255.255 tcp 10 10 udp 10
static (SMR,DMZ) 10.10.40.0 10.10.40.0 netmask 255.255.255.0
static (SMR,Data) 10.10.40.0 10.10.40.0 netmask 255.255.255.0
static (SMR,Voice) 10.10.40.0 10.10.40.0 netmask 255.255.255.0
static (Data,Voice) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
static (DMZ,Data) 10.10.30.0 10.10.30.0 netmask 255.255.255.0
static (DMZ,Voice) 10.10.30.0 10.10.30.0 netmask 255.255.255.0
static (DMZ,SMR) 10.10.30.0 10.10.30.0 netmask 255.255.255.0
static (Voice,Outside) Ingate Sipirator netmask 255.255.255.255
static (Voice,Data) 10.10.20.0 10.10.20.0 netmask 255.255.255.0
static (Voice,DMZ) 10.10.20.0 10.10.20.0 netmask 255.255.255.0
static (Voice,SMR) 10.10.20.0 10.10.20.0 netmask 255.255.255.0
static (Test,Data) 10.10.70.0 10.10.70.0 netmask 255.255.255.0
static (Data,Test) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
static (Data,DMZ) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
static (Data,SMR) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
static (Test,DMZ) 10.10.70.0 10.10.70.0 netmask 255.255.255.0
access-group Outside_access_in in interface Outside
access-group Data_access_in in interface Data
access-group Voice in interface Voice
access-group Test_access_in_1 in interface Test
access-group SMR_access_in in interface SMR
access-group DMZ_access_in in interface DMZ
route Outside 0.0.0.0 0.0.0.0 *.*.*.* 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.10.20.0 255.255.255.255 management
http 192.168.2.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 management
http 10.10.10.0 255.255.255.255 Data
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto dynamic-map dny1 1 set transform-set ESP-3DES-SHA
crypto dynamic-map dny1 1 set security-association lifetime seconds 28800
crypto dynamic-map dny1 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map dny1 1 set reverse-route
crypto map Outside_map 65530 set security-association lifetime seconds 28800
crypto map Outside_map 65530 set security-association lifetime kilobytes 4608000
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
!
dhcprelay server 10.10.10.8 Data
dhcprelay enable Voice
dhcprelay timeout 60
priority-queue Outside
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp authenticate
ntp server 64.90.182.55 source Outside prefer
ssl encryption rc4-sha1
group-policy testpolicy internal
group-policy testpolicy attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value acl
group-policy VPN5510 internal
group-policy VPN5510 attributes
dns-server value 10.10.10.8 8.8.8.8
vpn-tunnel-protocol IPSec l2tp-ipsec
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout none
ip-phone-bypass disable
leap-bypass disable
nem disable
group-policy iphone internal
group-policy iphone attributes
dns-server value 10.10.10.8 8.8.8.8
vpn-tunnel-protocol IPSec
pfs disable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value iphone_splitTunnelAcl
default-domain value hilltop.local
username *********** password ********* encrypted privilege 15
username ********* attributes
vpn-group-policy VPN5510
username ***** ****** privilege 15
username ***** attributes
vpn-group-policy iphone
username ******* password ******* encrypted privilege 15
tunnel-group VPN5510 type remote-access
tunnel-group VPN5510 general-attributes
address-pool VPN-Pool
default-group-policy VPN5510
tunnel-group VPN5510 ipsec-attributes
pre-shared-key *
tunnel-group VPN_Users type remote-access
tunnel-group VPN_Users general-attributes
address-pool VPN-Pool
tunnel-group VPN_Users ipsec-attributes
pre-shared-key *
tunnel-group testgroup type remote-access
tunnel-group testgroup general-attributes
address-pool VPN-Pool
default-group-policy testpolicy
tunnel-group testgroup ipsec-attributes
pre-shared-key *
tunnel-group iphone type remote-access
tunnel-group iphone general-attributes
address-pool VPN-Pool
default-group-policy iphone
tunnel-group iphone ipsec-attributes
pre-shared-key *
!
class-map dscp
match any
class-map Outside-class
match access-list Outside_mpc
class-map dmz-dscp
match dscp ef
class-map inspection_default
match default-inspection-traffic
class-map Data-LimitHttp
match any
class-map Data-class
match any
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map dscp
class dmz-dscp
priority
policy-map SHAPING
class class-default
shape average 2000000
policy-map global_policy
description DSCP
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect icmp
inspect pptp
class class-default
policy-map Data-policy
description Manage Data Bandwith
class Data-class
police input 10000000 25000
police output 50000000 25000
policy-map test1
class dscp
priority
policy-map Data-LimitHttp
class Data-LimitHttp
inspect http
police input 2000000 1500
policy-map outside
class class-default
policy-map Outside-policy
class Outside-class
priority
!
service-policy global_policy global
service-policy Outside-policy interface Outside
service-policy Data-policy interface Data
prompt hostname context
Cryptochecksum:**********
: end
01-04-2016 07:50 AM
Hi,
As configured, the ASA expects VLAN 60 to be tagged. On your Netgear box, please check the appropriate port configuration:
Switching > VLAN > Advanced > VLAN Membership
For VLAN ID "60", click the gold bar to display the ports and set the port going to the ASA as "T" (tagged).
Good luck!
Best regards,
Antonin
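The check Antonin describes, written out as an added example that is not part of the original thread: a small Python script that parses the sub-interface stanzas from the posted ASA config and compares them with the VLAN membership of the switch port facing the ASA. The membership table `SWITCH_PORT_MEMBERSHIP` is a constructed value that mirrors the poster's description (VLAN 60 untagged); every VLAN bound to an ASA sub-interface must appear as "T" on that port, because untagged frames are delivered to the parent interface (Data) rather than to the sub-interface.

```python
"""Added example (not from the thread): verify that every ASA 802.1Q
sub-interface VLAN is tagged on the switch port that faces the ASA."""

# Excerpt of the posted running-config (only the interface stanzas matter).
ASA_CONFIG = """\
interface Ethernet0/1
 nameif Data
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/1.20
 vlan 20
 nameif Voice
 ip address 10.10.20.1 255.255.255.0
!
interface Ethernet0/1.60
 vlan 60
 nameif Test
 ip address 10.10.70.1 255.255.255.0
!
"""

# Constructed (assumed) membership of the Netgear port facing Ethernet0/1,
# as shown on Switching > VLAN > Advanced > VLAN Membership:
# VLAN id -> "T" (tagged) or "U" (untagged).
SWITCH_PORT_MEMBERSHIP = {20: "T", 60: "U"}


def parse_subinterfaces(config):
    """Map VLAN id -> (sub-interface name, nameif) for each 'vlan N' stanza."""
    result = {}
    current = nameif = vlan = None
    for line in config.splitlines() + ["!"]:  # trailing "!" flushes the last stanza
        line = line.strip()
        if line.startswith("interface "):
            current, nameif, vlan = line.split()[1], None, None
        elif line.startswith("vlan "):
            vlan = int(line.split()[1])
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line == "!" and current is not None:
            if vlan is not None and "." in current:  # parent interfaces carry no tag
                result[vlan] = (current, nameif)
            current = nameif = vlan = None
    return result


def check_port(subinterfaces, membership):
    """Return one finding per VLAN the ASA cannot receive on this port.

    The ASA binds a sub-interface only to frames tagged with its VLAN id; an
    untagged frame lands on the parent interface, so an untagged member never
    reaches the sub-interface or its gateway address."""
    findings = []
    for vlan, (ifname, nameif) in sorted(subinterfaces.items()):
        mode = membership.get(vlan)
        if mode == "T":
            continue
        state = "untagged" if mode == "U" else "not a member"
        findings.append(f"VLAN {vlan} ({ifname}, nameif {nameif}) is {state} on the "
                        f"switch port; the ASA sub-interface expects it tagged")
    return findings


if __name__ == "__main__":
    for finding in check_port(parse_subinterfaces(ASA_CONFIG), SWITCH_PORT_MEMBERSHIP):
        print(finding)
```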