Hosts on VLAN unable to go on the internet

OneNinja
Level 1

I just bought a C3750 switch and am trying to have the hosts connected to the switch get an internet connection through my ASA5512. First, I created a point-to-point connection between the inside interface (192.168.5.1/30) of my ASA and the GigabitEthernet1/0/23 (192.168.5.2/30) interface of my switch. I have 4 subnets on 4 different VLANs (VLAN10: 192.168.10.0, VLAN20: 192.168.20.0, VLAN30: 192.168.30.0 and VLAN40: 192.168.40.0). My issue is how to get the hosts on different VLANs to talk to each other and also go on the internet. I used OSPF as the routing protocol on my switch and my ASA.

I would appreciate your help. Below is my switch config:


!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CISCOSWITCH
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$YXFk$b1lVZlsY72jh4JIa9zdft1
enable password 
!
username admin password 
!
!
no aaa new-model
switch 1 provision ws-c3750x-24
system mtu routing 1500
ip routing


ip dhcp excluded-address 192.168.10.1 192.168.10.5
ip dhcp excluded-address 192.168.20.1 192.168.20.5
ip dhcp excluded-address 192.168.30.1 192.168.30.5
ip dhcp excluded-address 192.168.40.1 192.168.40.5
!
ip dhcp pool Vlan10
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 8.8.8.8
!
ip dhcp pool vlan20
network 192.168.20.0 255.255.255.0
!
ip dhcp pool vlan30
network 192.168.30.0 255.255.255.0
!
ip dhcp pool vlan40
network 192.168.40.0 255.255.255.0
!
ip dhcp pool vlan10
default-router 192.168.5.1
!
ip dhcp pool Vlan20
dns-server 8.8.8.8
default-router 192.168.20.1
!
ip dhcp pool Vlan30
default-router 192.168.30.1
dns-server 8.8.8.8
!
ip dhcp pool Vlan40
dns-server 8.8.8.8
default-router 192.168.40.1
!
!
ip domain-name lab.local
ip name-server 8.8.8.8
!
!
crypto pki trustpoint TP-self-signed-3857111040
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3857111040
revocation-check none
rsakeypair TP-self-signed-3857111040
!
!

quit
license boot level ipservices
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
ip ssh version 2
!
!
!
interface FastEthernet0
no ip address
no ip route-cache cef
no ip route-cache
no ip mroute-cache
!
interface GigabitEthernet1/0/1
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/2
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/0/3
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/4
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/0/14
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/0/15
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/0/16
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
no switchport
ip address 192.168.5.2 255.255.255.252
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 cisco
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
!
interface Vlan10
ip address 192.168.10.2 255.255.255.0
ip helper-address 192.168.10.0
ip helper-address 192.168.10.3
!
interface Vlan20
ip address 192.168.20.2 255.255.255.0
ip helper-address 192.168.20.0
ip helper-address 192.168.20.3
!
interface Vlan30
ip address 192.168.30.2 255.255.255.0
ip helper-address 192.168.30.0
ip helper-address 192.168.30.3
!
interface Vlan40
ip address 192.168.40.2 255.255.255.0
ip helper-address 192.168.40.0
ip helper-address 192.168.40.3
!
router ospf 1
log-adjacency-changes
network 192.168.10.0 0.0.0.255 area 0
network 192.168.20.0 0.0.0.255 area 0
network 192.168.30.0 0.0.0.255 area 0
network 192.168.40.0 0.0.0.255 area 0
!
ip classless
!
ip http server
ip http secure-server
!
ip sla enable reaction-alerts
!
!
!
line con 0
line vty 0 4
password 
login local
transport input ssh
line vty 5 15
password cisco
login local
transport input ssh
!
end

3 Accepted Solutions

Reza Sharifi
Hall of Fame

Make sure to create a layer-2 interface for each vlan

example:

vlan 20
 description data vlan
exit
vlan 30
 description voice vlan
exit

etc..

Also, in order for the layer-3 VLAN interfaces to talk to each other, all you need is "IP routing" enabled.

Now, on the switch, you should be able to ping all the SVIs, and also, if you connect a laptop to one of the ports in the correct vlan and with a correct default gateway, you should be able to ping all the SVIs on the switch.

There is really no need for OSPF if you only have a switch and a Firewall.

You also need a default route to the firewall:

ip route 0.0.0.0 0.0.0.0 192.168.5.1

HTH

If you can ping an SVI in another subnet, it shows that the host's interface netmask and gateway settings are correct. It also shows that the IP routing function is working on the switch. Since you have no ACLs on the switch, the fact that you cannot reach a host on another subnet is either an IP interface configuration issue with the target host or, more likely, a security policy (host-based firewall) on the target host.

If HostA can ping the target host's gateway, can the target host ping the HostA gateway address? What OS are the hosts running? Is there another service you can try to access on the target host, e.g. HTTP?

cheers,

Seb.

Thank you Seb. I really appreciated your inputs. I am able to ping hosts in other VLANs. I think the issue was with the host.

18 Replies

Thanks Reza, I understand I don't really need OSPF in order to have hosts in different VLANs talk to each other, but I wanna use OSPF as the routing protocol. My L3 switch has advanced routing protocol capability, so why not use it? I really wanna see how I will be able to get my hosts on the internet using OSPF.

Hi,

The SVIs for VLANs have connected interfaces and there is no need for a routing protocol. The switch simply routes between the vlans without any routing protocols. The only place you may want to use OSPF is between the firewall and the switch where you have configured a /30. Also, providers don't use OSPF. So, you have 2 options for peering, one is static and the other is BGP.

 

HTH

Hey Reza,

Thanks for your inputs. I changed OSPF to a static route now and I still cannot get those hosts to talk to each other. Below are the changes I made so far:

ip dhcp pool Vlan10
network 192.168.10.0 255.255.255.0
dns-server 8.8.4.4
!
ip dhcp pool vlan20
network 192.168.20.0 255.255.255.0
dns-server 8.8.4.4
!
ip dhcp pool vlan30
network 192.168.30.0 255.255.255.0
dns-server 8.8.4.4
!
ip dhcp pool vlan40
network 192.168.40.0 255.255.255.0
dns-server 8.8.4.4
!

!
ip domain-name lab.local
ip name-server 8.8.8.8
!
!

!
interface GigabitEthernet1/0/4
switchport access vlan 20
switchport mode access

interface GigabitEthernet1/0/13
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/0/14
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/0/15
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/0/16
switchport access vlan 40
switchport mode access

interface GigabitEthernet1/0/23
no switchport
ip address 192.168.5.2 255.255.255.252
!

interface Vlan1
ip address 192.168.1.1 255.255.255.0
!
interface Vlan10
description wireless
ip address 192.168.10.1 255.255.255.0
ip helper-address 192.168.10.3
!
interface Vlan20
ip address 192.168.20.1 255.255.255.0
ip helper-address 192.168.20.3
!
interface Vlan30
ip address 192.168.30.1 255.255.255.0
ip helper-address 192.168.30.3
!
interface Vlan40
ip address 192.168.40.1 255.255.255.0
ip helper-address 192.168.40.3
!

ip default-gateway 192.168.30.2
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.5.1

!
end

Make sure to create a layer-2 interface for each vlan

example:

vlan 20
 description data vlan
exit
vlan 30
 description voice vlan
exit

etc..

also, you don't need this command:

ip default-gateway 192.168.30.2

Can you post the output of "sh vlan"?

Also, for example, if you connect a host to the switch and put it in VLAN 10 with a static IP, can the host ping the svi for vlan 10?

example:

from the pc

ping 192.168.10.1

HTH

@Reza Sharifi The "description" command is unrecognized, but I used the "name" command instead. Here is the output of sh vlan:

[attachment: Capture.PNG]

Also, I am able to ping the default gateway of VLAN 30 from a host on VLAN 20.

For example, ping 192.168.30.1 from a host (192.168.20.6) on VLAN 20 was successful. However, ping 192.168.30.6 from the host (192.168.20.6) was unsuccessful.

Seb Rupik
VIP Alumni

Hi there,

In addition to Reza's advice, make sure the object-group on the ASA used in your source NAT statement has network-object statements for each of the switch SVI subnets, or a single summary covering them all.

 

cheers,

Seb.

Yeah, I have network-object statements for each subnet in the ASA and have also configured PAT from the inside interface to outside:

object network obj_192.168.5.0
subnet 192.168.5.0 255.255.255.252
object network obj_192.168.10.0
subnet 192.168.10.0 255.255.255.0
object network obj_192.168.20.0
subnet 192.168.20.0 255.255.255.0
object network obj_192.168.30.0
subnet 192.168.30.0 255.255.255.0
object network obj_192.168.40.0
subnet 192.168.40.0 255.255.255.0

 

object network obj_192.168.5.0
nat (inside,outside) dynamic interface
object network obj_192.168.10.0
nat (inside,outside) dynamic interface
object network obj_192.168.20.0
nat (inside,outside) dynamic interface
object network obj_192.168.30.0
nat (inside,outside) dynamic interface
object network obj_192.168.40.0
nat (inside,outside) dynamic interface

Hello


@OneNinja wrote:
My issue is how to get the hosts on different VLAN talk each other and also go on internet. I used OSPF as a routing protocol on my Switch and my ASA.

 

Can you please post the configuration of the ASA in a file.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hey,

Here is the config of my ASA:

CISCOASA# sh run
ASA Version 9.12(4)18
!
hostname CISCOASA
names
no mac-address auto

!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.5.1 255.255.255.252
!

interface Management0/0
management-only
nameif management
security-level 0
ip address 192.168.2.1 255.255.255.0
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
domain-name lab.local
object network obj_192.168.5.0
subnet 192.168.5.0 255.255.255.252
object network obj_192.168.10.0
subnet 192.168.10.0 255.255.255.0
object network obj_192.168.20.0
subnet 192.168.20.0 255.255.255.0
object network obj_192.168.30.0
subnet 192.168.30.0 255.255.255.0
object network obj_192.168.40.0
subnet 192.168.40.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
!
object network obj_192.168.5.0
nat (inside,outside) dynamic interface
object network obj_192.168.10.0
nat (inside,outside) dynamic interface
object network obj_192.168.20.0
nat (inside,outside) dynamic interface
object network obj_192.168.30.0
nat (inside,outside) dynamic interface
object network obj_192.168.40.0
nat (inside,outside) dynamic interface
router ospf 1
network 192.168.5.0 255.255.255.0 area 0
log-adj-changes
default-information originate always
!

user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 192.168.2.0 255.255.255.0 management
ssh version 2
ssh key-exchange group dh-group14-sha256
ssh 192.168.2.0 255.255.255.0 management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
inspect icmp
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!

Seb Rupik
VIP Alumni

Hi there,

You seem to have your DHCP options split between two sets of DHCP scopes, i.e. 'vlan20' contains the subnet detail and 'Vlan20' contains the default-router and dns detail. 'vlan10' is the only correct one. I suspect your hosts in vlans 20, 30 and 40 do not have a default gateway.

Try the following config:

!
ip dhcp pool vlan20
 network 192.168.20.0 255.255.255.0
 dns-server 8.8.8.8
 default-router 192.168.20.1
!
ip dhcp pool vlan30
 network 192.168.30.0 255.255.255.0
 dns-server 8.8.8.8
 default-router 192.168.30.1
!
ip dhcp pool vlan40
 network 192.168.40.0 255.255.255.0
 dns-server 8.8.8.8
 default-router 192.168.40.1
!
no ip dhcp pool Vlan20
no ip dhcp pool Vlan30
no ip dhcp pool Vlan40
!

cheers,

Seb.
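The split-pool mistake Seb describes above (IOS pool names are case-sensitive, so 'vlan20' and 'Vlan20' are two half-configured pools) can be caught mechanically. The Python checker below is an added example, not code from the thread or from Cisco; it runs over a constructed excerpt modelled on the posted switch config and also flags a helper-address that is the SVI subnet's network address rather than a DHCP server, which appears in the original config but is not discussed in the thread.

```python
import ipaddress
# Constructed excerpt modelled on the posted switch config: VLAN 20's DHCP options are
# split between 'vlan20' and 'Vlan20', and the SVI helper-address is a network address.
SAMPLE_CONFIG = """\
ip dhcp pool vlan20
network 192.168.20.0 255.255.255.0
!
ip dhcp pool Vlan20
dns-server 8.8.8.8
default-router 192.168.20.1
!
interface Vlan20
ip address 192.168.20.2 255.255.255.0
ip helper-address 192.168.20.0
"""
REQUIRED = ("network", "default-router", "dns-server")  # options every pool must carry

def parse_blocks(config):
    # Split an IOS config into (header, [body lines]) blocks at the '!' separators.
    blocks, header, body = [], None, []
    for line in [ln.strip() for ln in config.splitlines() if ln.strip()] + ["!"]:
        if line == "!":
            blocks += [(header, body)] if header else []
            header, body = None, []
        elif header is None:
            header = line
        else:
            body.append(line)
    return blocks

def lint(config):
    # Pool names are case-sensitive in IOS, so 'vlan20' and 'Vlan20' are two half-configured pools.
    findings, by_fold = [], {}
    for header, body in parse_blocks(config):
        if header.startswith("ip dhcp pool "):
            name = header.split()[-1]
            by_fold.setdefault(name.lower(), []).append(name)
            missing = [k for k in REQUIRED if not any(ln.startswith(k + " ") for ln in body)]
            if missing:
                findings.append(f"pool {name}: missing {', '.join(missing)}")
        elif header.startswith("interface "):
            for a in (ln.split()[2:] for ln in body if ln.startswith("ip address ")):
                net = ipaddress.ip_interface(f"{a[0]}/{a[1]}").network
                for h in (ln.split()[-1] for ln in body if ln.startswith("ip helper-address ")):
                    if ipaddress.ip_address(h) == net.network_address:  # relay target is not a host
                        findings.append(f"{header}: helper-address {h} is the network address, not a server")
    for names in by_fold.values():
        if len(names) > 1:
            findings.append(f"pools differ only in case: {', '.join(sorted(names))}")
    return findings
```

Run `lint(SAMPLE_CONFIG)` to see the four findings; a pool that carries all three options under one name produces none.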

Thanks Seb. Now I am able to ping the default gateway of each VLAN from another VLAN.

OK great. Can those hosts reach out to the internet now?

 

cheers,

Seb.

Yes, the hosts can reach out to the internet. The issue now is to have them talk to each other across different VLANs.