05-31-2010 09:35 AM - edited 03-06-2019 11:21 AM
Hello,
I have set up a Cisco 3550 with EMI to do inter-VLAN routing, and that is working fine; however, I cannot access the internet.
- I have configured the 3550 with a default route to the 5505's internal interface.
- Configured a name-server on the 3550 to resolve DNS queries.
On the 5505 I configured a static route back to the IP addresses of the VLANS located on the 3550.
Syslog error when I try to access the internet: Deny inbound UDP from x.x.x.x/53 to y.y.y.y/50561 due to DNS response.
Thanks in advance...
05-31-2010 09:38 AM
Hi,
There's a DNS response being blocked on the ASA?
The DNS server that you're using is local or is an external DNS server?
Can you get out to the Internet using IP addresses instead of DNS names?
For example, do you get the cisco homepage when doing: http://198.133.219.25/
Federico.
05-31-2010 09:55 AM
I tried with the Cisco IP and no dice; I tried that earlier with Yahoo's IP... Thanks
05-31-2010 09:59 AM
Ok,
From the ASA, do you have Internet access (can you PING 4.2.2.2 from the ASA)?
If you enable ICMP inspection on the ASA, you should be able to PING 4.2.2.2 or any public Internet IP from the inside LAN (or VLANs).
To enable ICMP inspection, you do:
policy-map global_policy
class inspection_default
inspect icmp
I'm just trying to find out if the problem is with connectivity to the Internet or just a DNS issue.
Federico.
05-31-2010 11:07 AM
I added the ICMP inspection rule and tried to ping 4.2.2.2 and did not get a response.
Here are the configs:
ASA Version 8.2(2)
!
hostname ciscoasa
enable password TGFUt.AsMHJOyury encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 172.16.12.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
access-list 100 extended permit tcp any interface outside eq ftp
access-list 100 extended permit tcp any interface outside eq ftp-data
access-list inside_access_in extended permit ip host 172.16.0.0 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface ftp 172.16.13.2 ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 172.16.13.2 ftp-data netmask 255.255.255.255
access-group 100 in interface outside
route inside 172.16.0.0 255.255.0.0 172.16.12.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.16.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect dns preset_dns_map
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:96ac4d497a990d9241cd20a5db53642c
: end
3550 Config
Building configuration...
Current configuration : 2436 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
!
no aaa new-model
ip subnet-zero
ip routing
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
vlan internal allocation policy ascending
!
!
interface FastEthernet0/1
no switchport
ip address 172.16.12.2 255.255.255.0
!
interface FastEthernet0/2
description Server VLAN2
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/3
description User VLAN3
switchport access vlan 3
switchport mode access
!
interface FastEthernet0/4
switchport mode dynamic desirable
!
interface FastEthernet0/5
switchport mode dynamic desirable
!
interface FastEthernet0/6
switchport mode dynamic desirable
!
interface FastEthernet0/7
switchport mode dynamic desirable
!
interface FastEthernet0/8
switchport mode dynamic desirable
!
interface FastEthernet0/9
switchport mode dynamic desirable
!
interface FastEthernet0/10
switchport mode dynamic desirable
!
interface FastEthernet0/11
switchport mode dynamic desirable
!
interface FastEthernet0/12
switchport mode dynamic desirable
!
interface FastEthernet0/13
switchport mode dynamic desirable
!
interface FastEthernet0/14
switchport mode dynamic desirable
!
interface FastEthernet0/15
switchport mode dynamic desirable
!
interface FastEthernet0/16
switchport mode dynamic desirable
!
interface FastEthernet0/17
switchport mode dynamic desirable
!
interface FastEthernet0/18
switchport mode dynamic desirable
!
interface FastEthernet0/19
switchport mode dynamic desirable
!
interface FastEthernet0/20
switchport mode dynamic desirable
!
interface FastEthernet0/21
switchport mode dynamic desirable
!
interface FastEthernet0/22
switchport mode dynamic desirable
!
interface FastEthernet0/23
switchport mode dynamic desirable
!
interface FastEthernet0/24
switchport mode dynamic desirable
!
interface GigabitEthernet0/1
switchport mode dynamic desirable
!
interface GigabitEthernet0/2
switchport mode dynamic desirable
!
interface Vlan1
no ip address
!
interface Vlan2
description SERVER_VLAN
ip address 172.16.13.1 255.255.255.0
!
interface Vlan3
description USER_VLAN
ip address 172.16.14.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.12.1
ip http server
!
!
!
!
!
control-plane
!
!
line con 0
speed 57600
line vty 0 4
login
line vty 5 15
login
!
!
end
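Two checks a practitioner would run over the ASA config posted above before going any further, as an added example that is not code from this thread or from Cisco: (1) every static `route` statement's next hop must be a neighbour on that interface's subnet, not the ASA's own interface address, and (2) every `access-list` should be bound with `access-group`, and a `host` entry should name a host, not a network. The script reproduces only the relevant lines of the posted config as its input; the function names, message wording and the `audit()` wrapper are the example's own.

```python
"""Static sanity checks for an ASA 8.x running-config (example, not Cisco tooling)."""
import ipaddress
import re

# Excerpt of the ASA config posted in this thread, reduced to the lines the checks need.
ASA_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.12.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
access-list 100 extended permit tcp any interface outside eq ftp
access-list 100 extended permit tcp any interface outside eq ftp-data
access-list inside_access_in extended permit ip host 172.16.0.0 any
access-group 100 in interface outside
route inside 172.16.0.0 255.255.0.0 172.16.12.1 1
"""

ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\d+))?\s*$")


def parse_interfaces(config):
    """Return {nameif: IPv4Interface} for statically addressed interfaces.

    DHCP-addressed interfaces (like 'outside' here) are skipped because their
    address is not visible in the config.
    """
    ifaces = {}
    nameif = addr = None
    # Trailing sentinel flushes the last interface block.
    for raw in config.splitlines() + ["interface END"]:
        line = raw.strip()
        if line.startswith("interface "):
            if nameif and addr:
                ifaces[nameif] = addr
            nameif = addr = None
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address "):
            parts = line.split()
            if parts[2] != "dhcp":
                addr = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}")
    return ifaces


def check_routes(config, ifaces):
    """Flag static routes whose next hop is unreachable from the named interface."""
    findings = []
    for raw in config.splitlines():
        m = ROUTE_RE.match(raw.strip())
        if not m:
            continue
        ifname, net, mask, nexthop = m.group(1), m.group(2), m.group(3), m.group(4)
        prefix = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        hop = ipaddress.ip_address(nexthop)
        local = ifaces.get(ifname)
        if local is None:
            continue  # DHCP or unknown interface: cannot validate statically
        if hop == local.ip:
            findings.append(
                f"route {prefix} via {ifname}: next hop {hop} is the ASA's own "
                f"{ifname} address; it must be the neighbour on {local.network}")
        elif hop not in local.network:
            findings.append(
                f"route {prefix} via {ifname}: next hop {hop} is not on {local.network}")
    return findings


def check_acls(config):
    """Flag 'host' entries that look like network addresses and ACLs never bound."""
    defined, applied, findings = {}, set(), []
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("access-list "):
            name = line.split()[1]
            defined.setdefault(name, []).append(line)
            for m in re.finditer(r"\bhost (\d+\.\d+\.\d+\.\d+)\b", line):
                if m.group(1).endswith(".0"):
                    findings.append(
                        f"acl {name}: 'host {m.group(1)}' looks like a network, not a host")
        elif line.startswith("access-group "):
            applied.add(line.split()[1])
    for name in defined:
        if name not in applied:
            findings.append(f"acl {name}: defined but not bound with access-group (no effect)")
    return findings


def audit(config):
    """Run all checks and return the combined list of findings."""
    ifaces = parse_interfaces(config)
    return check_routes(config, ifaces) + check_acls(config)


if __name__ == "__main__":
    for finding in audit(ASA_CONFIG):
        print(finding)
```

On the posted config this reports the `route inside 172.16.0.0 255.255.0.0 172.16.12.1` line, since 172.16.12.1 is the ASA's own inside address rather than the 3550's 172.16.12.2, and it reports `inside_access_in` both for the `host 172.16.0.0` entry and for never being applied with `access-group`. Run it against the full running-config after any route or ACL change; it parses `show running-config` text directly.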
05-31-2010 11:09 AM
Running out for a few, will continue when I get back. Thanks for your help...
05-31-2010 11:11 AM
There's no default gateway showing in the configuration from the ASA; I think that is because you're getting it via DHCP.
Can you confirm two things from the ASA...
1. ping 4.2.2.2 --> make sure it's successful
2. sh route --> shows a default gateway
Please verify the above.
Federico.
05-31-2010 11:44 AM
I still can't ping 4.2.2.2. This is the return error message from 4.2.2.2; I am fine going out.
6 | May 31 2010 | 08:47:52 | 302021 | 4.2.2.2 | 0 | x.x.x.x | 10136 | Teardown ICMP connection for faddr 4.2.2.2/0 gaddr x.x.x.x/10136 laddr x.x.x.x/10136 |
Show Route
Gateway of last resort is x.x.x.x to network 0.0.0.0
C 172.16.12.0 255.255.255.0 is directly connected, inside
S 172.16.0.0 255.255.0.0 [1/0] via 172.16.12.1, inside
C x.x.x.x x.x.x.x is directly connected, outside
d* 0.0.0.0 0.0.0.0 [1/0] via x.x.x.x, outside
Running out now, be back in a couple hours....