
Connecting 3560v2 switch to ASA5520 and share vlan

hawkeyeg
Level 1

I am having trouble configuring a Cisco 3560 switch and an ASA5520 with multiple VLANs. I can connect VLAN 20 to the internet but not VLAN 30 or 40. I believe the problems are in the routing table, but I am not sure what to do. Any help would be great.

3 Replies

hawkeyeg
Level 1

Here are the config files for the switch and ASA.

ASA5520

: Saved
:
: Serial Number: JMX1024K166
: Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
:
ASA Version 8.2(5)57
!
hostname HawkASA
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address 10.10.100.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif Inside
security-level 100
ip address 10.10.150.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif Management
security-level 70
ip address 192.168.35.1 255.255.255.0
!
ftp mode passive
pager lines 24
mtu Outside 1500
mtu Inside 1500
mtu Management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside) 1 10.10.175.0 255.255.255.0
static (Inside,Outside) 10.10.100.0 10.10.150.0 netmask 255.255.255.0
route Outside 0.0.0.0 0.0.0.0 10.10.100.1 1
route Inside 10.10.175.0 255.255.255.0 10.10.150.1 1
route Inside 10.10.200.0 255.255.255.0 10.10.150.1 1
route Inside 10.10.225.0 255.255.255.0 10.10.150.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.150.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password f3UhLvUj1QsXsuK7 encrypted privilege 15
!
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:2e85415302ab12d200f03b8f6612139c
: end

3560 Switch

Building configuration...

Current configuration : 6025 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname HawkSW1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$kfBB$1fQ35Ni6W6MCrCmHmPHP71
enable password 7 06162F325F1F5B4A51
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
ip routing
!
!
!
!
crypto pki trustpoint TP-self-signed-4163344000
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4163344000
revocation-check none
rsakeypair TP-self-signed-4163344000
!
!
crypto pki certificate chain TP-self-signed-4163344000
certificate self-signed 01
quit
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0/1
no switchport
ip address 10.10.150.2 255.255.255.0
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
switchport access vlan 20
switchport mode access
!
interface FastEthernet0/14
switchport access vlan 20
switchport mode access
!
interface FastEthernet0/15
switchport access vlan 20
switchport mode access
!
interface FastEthernet0/16
switchport access vlan 20
switchport mode access
!
interface FastEthernet0/17
switchport access vlan 20
switchport mode access
!
interface FastEthernet0/18
switchport access vlan 20
switchport mode access
!
interface FastEthernet0/19
switchport access vlan 20
switchport mode access
!
interface FastEthernet0/20
switchport access vlan 20
switchport mode access
!
interface FastEthernet0/21
switchport access vlan 20
switchport mode access
!
interface FastEthernet0/22
switchport access vlan 20
switchport mode access
!
interface FastEthernet0/23
switchport access vlan 20
switchport mode access
!
interface FastEthernet0/24
switchport access vlan 20
switchport mode access
!
interface FastEthernet0/25
switchport access vlan 30
switchport mode access
!
interface FastEthernet0/26
switchport access vlan 30
switchport mode access
!
interface FastEthernet0/27
switchport access vlan 30
switchport mode access
!
interface FastEthernet0/28
switchport access vlan 30
switchport mode access
!
interface FastEthernet0/29
switchport access vlan 30
switchport mode access
!
interface FastEthernet0/30
switchport access vlan 30
switchport mode access
!
interface FastEthernet0/31
switchport access vlan 30
switchport mode access
!
interface FastEthernet0/32
switchport access vlan 30
switchport mode access
!
interface FastEthernet0/33
switchport access vlan 30
switchport mode access
!
interface FastEthernet0/34
switchport access vlan 30
switchport mode access
!
interface FastEthernet0/35
switchport access vlan 30
switchport mode access
!
interface FastEthernet0/36
switchport access vlan 30
switchport mode access
!
interface FastEthernet0/37
switchport access vlan 40
switchport mode access
!
interface FastEthernet0/38
switchport access vlan 40
switchport mode access
!
interface FastEthernet0/39
switchport access vlan 40
switchport mode access
!
interface FastEthernet0/40
switchport access vlan 40
switchport mode access
!
interface FastEthernet0/41
switchport access vlan 40
switchport mode access
!
interface FastEthernet0/42
switchport access vlan 40
switchport mode access
!
interface FastEthernet0/43
switchport access vlan 40
switchport mode access
!
interface FastEthernet0/44
switchport access vlan 40
switchport mode access
!
interface FastEthernet0/45
switchport access vlan 40
switchport mode access
!
interface FastEthernet0/46
switchport access vlan 40
switchport mode access
!
interface FastEthernet0/47
switchport access vlan 40
switchport mode access
!
interface FastEthernet0/48
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface Vlan1
no ip address
!
interface Vlan10
no ip address
!
interface Vlan20
ip address 10.10.175.1 255.255.255.0
!
interface Vlan30
ip address 10.10.200.1 255.255.255.0
!
interface Vlan40
ip address 10.10.225.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.150.1
ip http server
ip http secure-server
!
!
control-plane
!
!
line con 0
exec-timeout 45 0
password 7 110A1016141D
logging synchronous
login
line vty 0 4
exec-timeout 30 0
password 7 060506324F41
login
line vty 5 15
login
!
end

Any help would be great.

Hi

Currently you are NATting just 1 network:

nat (Inside) 1 10.10.175.0 255.255.255.0

So you need to add the others. I don't remember the config for this IOS (8.2) exactly, but you could try with:

nat (Inside) 1 10.10.200.0 255.255.255.0

nat (Inside) 1 10.10.225.0 255.255.255.0

I think you could create an object-group to include all the subnets that will be NATted, instead of creating them line by line.

Also, I don't see any ACL; you should have something like:

access-list INSIDE-IN extended permit ip any any 

access-group INSIDE-IN in interface Inside

This link could be useful: https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples

Your routing looks fine. 

Hope it is useful

:-)




>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<
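
The gap the reply points out (one `nat (Inside)` line, three routed inside subnets) can be checked mechanically. The following is an added example, not part of the original thread: a Python check for pre-8.3 ASA syntax that lists every `route Inside` subnet not covered by a `nat` rule whose ID has a matching `global` pool. The function name is hypothetical and the embedded config is an excerpt trimmed from the post above.

```python
import ipaddress
import re

# Excerpt of the ASA 8.2 configuration posted above (trimmed for the example).
ASA_CONFIG = """\
global (Outside) 1 interface
nat (Inside) 1 10.10.175.0 255.255.255.0
route Outside 0.0.0.0 0.0.0.0 10.10.100.1 1
route Inside 10.10.175.0 255.255.255.0 10.10.150.1 1
route Inside 10.10.200.0 255.255.255.0 10.10.150.1 1
route Inside 10.10.225.0 255.255.255.0 10.10.150.1 1
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
NAT_RE = re.compile(rf"^nat \((\S+)\) (\d+) {IP} {IP}", re.M)
ROUTE_RE = re.compile(rf"^route (\S+) {IP} {IP} ", re.M)
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ", re.M)


def subnets_without_nat(config, interface="Inside"):
    """Return routed subnets behind `interface` that no usable nat rule covers."""
    # A nat rule only translates if a `global` pool exists with the same NAT ID.
    pool_ids = {nat_id for _, nat_id in GLOBAL_RE.findall(config)}
    natted = [
        ipaddress.ip_network(f"{addr}/{mask}")
        for ifc, nat_id, addr, mask in NAT_RE.findall(config)
        if ifc == interface and nat_id in pool_ids
    ]
    missing = []
    for ifc, addr, mask in ROUTE_RE.findall(config):
        if ifc != interface:
            continue  # e.g. the default route on Outside
        net = ipaddress.ip_network(f"{addr}/{mask}")
        if not any(net.subnet_of(n) for n in natted):
            missing.append(str(net))
    return missing


if __name__ == "__main__":
    for net in subnets_without_nat(ASA_CONFIG):
        print(f"no dynamic NAT rule covers {net}")
```

Run against the posted config, it reports the VLAN 30 and VLAN 40 subnets; with the two extra `nat (Inside) 1` lines from the reply appended, it reports nothing.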

It works. I am now connected to the internet in VLAN 20 and 30. I am sure VLAN 40 will work also. Thanks so much.
