06-19-2023 12:39 PM
Hello,
We have a weird issue here with a 3650 switch. We have it configured to give out DHCP addresses; below are the details:
Network: 10.106.148.0 255.255.254.0 (/23)
Default router: 10.106.148.2
Vlan 148: IP: 10.106.148.2 255.255.254.0
The issue is: clients who get an address assigned in the 148 range work perfectly fine and can browse the internet, but clients who get an address assigned in the range of 10.106.149.0 cannot browse the internet. Can you help?
06-19-2023 01:10 PM
You don't seem to have an ACL specific to this network, or it is inside an object.
What about NAT?
06-19-2023 01:13 PM
packet-tracer input inside tcp 10.106.149.5 1234 1.1.1.1 433 detail
Share the output of the above
06-19-2023 01:14 PM
Sorry, can you explain this more and what needs to be done?
06-19-2023 01:16 PM
We need to check which ACL or NAT the traffic from .149 hits.
06-19-2023 01:19 PM
OK. So I run this command on the ASA?
packet-tracer input inside tcp 10.106.149.5 1234 1.1.1.1 433 detail
Then what?
06-19-2023 01:12 PM
Here is the NAT on ASA:-
AQUA-ASA# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static Aqua-Secuirty-Network Aqua-Secuirty-Network destination static Remote-Radisson-Network Remote-Radisson-Network no-proxy-arp route-lookup
translate_hits = 10064131, untranslate_hits = 12239536
2 (inside) to (outside) source static OBJ_10.106.0.0 OBJ_10.106.0.0 destination static OBJ_10.0.12.0 OBJ_10.0.12.0 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source static any any destination static NETWORK_OBJ_10.1.30.0_26 NETWORK_OBJ_10.1.30.0_26 no-proxy-arp route-lookup
translate_hits = 2638, untranslate_hits = 3582
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static building_automation2 interface service tcp https https
translate_hits = 0, untranslate_hits = 7075
2 (inside) to (outside) source static building_automation_sys interface service tcp https https
translate_hits = 0, untranslate_hits = 1063
3 (inside) to (outside) source dynamic OBJ-NAT-ALL interface
translate_hits = 7272015, untranslate_hits = 134877
06-19-2023 01:16 PM
And is the switch connected directly to the firewall? Or are there other devices in between?
06-19-2023 01:17 PM
Direct.
06-19-2023 01:20 PM
So 10.106.148.2 is an interface on the firewall?
Maybe this can be a huge output, but can you share the show xlate?
06-19-2023 01:22 PM
10.106.148.2 is the VLAN on the core switch. How about sh tech?
06-19-2023 01:25 PM - edited 06-19-2023 01:26 PM
show tech would be even bigger.
Yes, 10.106.148.2 is the core. But you have an interface on the firewall on this same network, right?
06-19-2023 01:27 PM
Different VLAN. 10.0.76.5
06-19-2023 01:28 PM
Then you have something in between and you have a route on the firewall.
Please send the output of show route and show ip add.
06-19-2023 01:31 PM
sh route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 50.220.188.2 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 50.220.188.2, outside
S 10.0.0.0 255.0.0.0 [1/0] via 10.0.76.1, inside
C 10.0.76.0 255.255.255.0 is directly connected, inside
L 10.0.76.2 255.255.255.255 is directly connected, inside
S 10.106.1.0 255.255.255.0 [1/0] via 10.0.76.5, inside
S 10.106.50.0 255.255.255.0 [1/0] via 10.0.76.5, inside
S 10.106.51.0 255.255.255.0 [1/0] via 10.0.76.5, inside
S 10.106.92.0 255.255.255.0 [1/0] via 10.0.76.5, inside
S 10.106.148.0 255.255.254.0 [1/0] via 10.0.76.5, inside
S 10.110.0.0 255.255.255.0 [1/0] via 10.106.51.1, outside
C 50.220.188.0 255.255.255.252 is directly connected, outside
L 50.220.188.1 255.255.255.255 is directly connected, outside
sh ip address
AQUA-ASA# sh ip address
System IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet1/1 outside 50.220.188.1 255.255.255.252 CONFIG
GigabitEthernet1/2 inside 10.0.76.2 255.255.255.0 CONFIG
Current IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet1/1 outside 50.220.188.1 255.255.255.252 CONFIG
GigabitEthernet1/2 inside 10.0.76.2 255.255.255.0 CONFIG
AQUA-ASA#
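An added example, not part of the thread: a longest-prefix-match check over the routes posted above, to see which route the ASA would use to reach a client in each half of the /23. The host 10.106.148.5 is a constructed sample; 10.106.149.5 and 1.1.1.1 are the addresses used in the packet-tracer command.

```python
import ipaddress

# Route lines copied from the `sh route` output posted in the thread.
ASA_ROUTES = """\
S* 0.0.0.0 0.0.0.0 [1/0] via 50.220.188.2, outside
S 10.0.0.0 255.0.0.0 [1/0] via 10.0.76.1, inside
C 10.0.76.0 255.255.255.0 is directly connected, inside
L 10.0.76.2 255.255.255.255 is directly connected, inside
S 10.106.1.0 255.255.255.0 [1/0] via 10.0.76.5, inside
S 10.106.50.0 255.255.255.0 [1/0] via 10.0.76.5, inside
S 10.106.51.0 255.255.255.0 [1/0] via 10.0.76.5, inside
S 10.106.92.0 255.255.255.0 [1/0] via 10.0.76.5, inside
S 10.106.148.0 255.255.254.0 [1/0] via 10.0.76.5, inside
S 10.110.0.0 255.255.255.0 [1/0] via 10.106.51.1, outside
C 50.220.188.0 255.255.255.252 is directly connected, outside
L 50.220.188.1 255.255.255.255 is directly connected, outside
"""

def parse_routes(text):
    """Return (network, next_hop, interface) tuples from ASA route lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip blank or truncated lines
        # Field 1 is the prefix, field 2 the dotted netmask.
        network = ipaddress.ip_network(f"{fields[1]}/{fields[2]}")
        if "via" in fields:
            next_hop = fields[fields.index("via") + 1].rstrip(",")
        else:
            next_hop = "connected"  # C and L entries have no next hop
        routes.append((network, next_hop, fields[-1]))
    return routes

def lookup(routes, address):
    """Longest-prefix match: the most specific route containing address."""
    ip = ipaddress.ip_address(address)
    matches = [r for r in routes if ip in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)

if __name__ == "__main__":
    table = parse_routes(ASA_ROUTES)
    # 10.106.148.5 is a constructed sample host in the working half of the /23.
    for host in ("10.106.148.5", "10.106.149.5", "1.1.1.1"):
        net, hop, ifc = lookup(table, host)
        print(f"{host:>13} -> {net} via {hop} ({ifc})")
```

Both client addresses resolve to the same 10.106.148.0/23 route via 10.0.76.5 on the inside interface, so the ASA's route table treats the .148 and .149 halves identically.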
06-19-2023 01:38 PM
Is it possible to remove this Access group from this interface vlan for a moment and test?
interface Vlan76
ip address 10.0.76.5 255.255.255.0
ip access-group 176 in