11-28-2013 11:21 AM - edited 03-07-2019 04:50 PM
Hi,
I'm setting up this lab and ran into an issue. My setup is as follows:
Internet ----> Asa ----> 3550 ---> vlans
The ASA is directly connected to the internet. The fa0/1 on the ASA is connected to the 3550 fa0/1. I configured that fa0/1 on the 3550 as a routed port. Configured the ASA as default gateway on the switch. I can ping the asa from the switch and the switch from the ASA.
However, if I try to ping a host on the internet from the switch it fails.
This isn't a NAT issue because hosts on the same subnet can ping hosts on the internet.
I've done this before with a normal router and it worked like a charm: setting up SVIs on the 3550 and a layer 3 uplink to the gateway.
Did I miss something? Any help is appreciated!
Thanks in advance.
Kind regards,
Bart
Sent from Cisco Technical Support iPhone App
11-29-2013 08:55 AM
Bart
Okay, this is 9.1 code on the ASA and I have no experience with the new NAT code from 8.3 onwards, so if you wait on me it may take a while. One thing I would do is try connecting from the switch and then look at the xlate table on the ASA. The command used to be
sh xlate 10.128.242.5
but it may have changed in 9.1.
I will have a look at the new NAT, but it's not going to be that quick.
Hopefully someone else might step in or alternatively you could move this post or start a new one linking back to this in the firewall forums where there will be people who are familiar with the new NAT.
Jon
11-28-2013 11:36 AM
Bart
Could you give us specifics in terms of addresses, i.e. when you say ping from the switch, which IP is being used? Is this IP from the same subnet as the hosts that can ping the internet?
Jon
11-28-2013 11:36 AM
Hi,
Can you post the configs from the switch and the ASA?
Is the 3550 the default gateway for your hosts?
I am assuming your hosts have private IPs. Is NAT configured on the ASA?
HTH
11-28-2013 12:07 PM
Hi,
Thanks for the reply. The ASA IP is 10.128.242.1/25, switch 10.128.242.15/25.
Can ping both addresses, from the switch and the ASA. Configured 10.128.242.1 as the default gateway on the switch:
ip route 0.0.0.0 0.0.0.0 10.128.242.1
Don't have access to the devices at the moment but the switch has a very basic config:
int fa0/1
no switchport
ip address 10.128.242.15 255.255.255.128
ASA does PAT for the subnet. A client in the same subnet connected to the ASA can ping 8.8.8.8 but on the switch it fails.
Setup vlan 20:
int vlan 20
ip address 10.129.242.1 255.255.255.0
int fa0/5
switchport mode access
switchport access vlan 20
Put a client on that port in vlan 20, ip add 10.129.242.10/24
Configured a static route on the asa to the 10.129.242.0/24 via 10.128.242.1.
I can ping the asa int of 10.128.242.1 from the client in vlan 20 10.129.242.0/24.
Ping to 8.8.8.8 fails.
Sent from Cisco Technical Support iPhone App
11-28-2013 12:16 PM
Bart
Your addressing is a bit mixed up.
You say -
The ASA IP 10.128.242.1/25, switch 10.128.242.15/25
but you show the switch IP with a /28 subnet mask? Can you confirm the subnet masks for both ASA and switch.
Also
Configured a static route on the asa to the 10.129.242.0/24 via 10.128.242.1.
10.128.242.1 is the ASA. Did you mean to put "via 10.128.242.15", i.e. the switch?
Jon
11-28-2013 12:19 PM
Bart
I believe that your problem is indeed a problem with address translation. When you ping from the switch toward the Internet it will use its address on the routed port as the source address. And I am pretty sure that the ASA is not doing address translation for the 10.128.242.0 subnet.
One good way to test this would be to use extended ping on the switch. In the extended ping use 8.8.8.8 as the destination and specify the switch interface address in vlan 20 as the source.
HTH
Rick
11-28-2013 12:39 PM
Jon,
Sorry, made some typos. To clear things up:
Subnets are correct and the static route on the ASA is to the 10.129.242.0 network via 10.128.242.15. If I ping my client in vlan 20 from the ASA, 10.129.242.10, it's successful. I can also ping the inside interface of the ASA, 10.128.242.1, from the client in vlan 20. So routing is functioning.
Richard,
The ASA is doing PAT for the 10.128.242.0/25 subnet and it's working for my client connected to the ASA. The setup is as follows:
Client in subnet 10.128.242.0 with IP 10.128.242.50 can ping the internet. This client is connected to port 3 on my ASA.
The switch with its routed port in subnet 10.128.242.0 with IP 10.128.242.15 can't ping the internet. The switch is connected to port 4 on the ASA.
Any ideas are welcome but like I said I don't have access to the devices at the moment. So I will post configs when I do, that will probably make things a bit easier.
Thanks so far
11-28-2013 12:43 PM
Bart
Thanks for clarifying.
So just so I have it straight: the subnet masks are 255.255.255.128 on both the ASA and the switch?
A client in 10.129.242.x connected to the L3 switch can connect to the internet?
So what exactly isn't working?
Jon
11-28-2013 12:55 PM
Yep, correct, the subnet mask in use is 255.255.255.128 on the switch and the ASA. Let's forget vlan 20 for now.
Basically, what isn't working is:
The switch won't go out to the internet even though it can ping its gateway.
With this I mean it has a routed port connected to the ASA in the correct subnet with a correct IP address and the correct gateway, and still isn't able to connect to the internet, or rather ping 8.8.8.8.
Sent from Cisco Technical Support iPhone App
11-28-2013 01:02 PM
Bart
What model is the ASA?
You say you have ports 3 and 4 in the same subnet, so presumably the same vlan?
Where is the inside interface in relation to these ports?
Jon
11-28-2013 01:21 PM
It's an ASA 5505, basic setup.
Vlan 2 outside, port 0.
The rest of the ports are in vlan 1, also the port that is connected to the switch.
Sent from Cisco Technical Support iPhone App
11-28-2013 02:07 PM
Okay, thanks. When you get them, can you post the configs of the switch and ASA? Remove any sensitive info from the ASA config.
Jon
11-29-2013 08:41 AM
Hi,
Got the configs, see below:
Result of the command: "sh run"
: Saved
:
ASA Version 9.1(2)
!
hostname BK-HOME-ASA
domain-name bk.local
enable password 4IVQ83MLsfSK0fmr encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
description LAN
nameif inside
security-level 100
ip address 10.128.242.1 255.255.255.128
!
interface Vlan2
description INT-OUTSIDE
nameif outside
security-level 0
ip address dhcp setroute
!
!
time-range SSL-Portal-Logon-hours
periodic daily 7:00 to 23:30
!
boot system disk0:/asa912-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 213.51.129.37
name-server 213.51.144.37
name-server 8.8.8.8
name-server 8.8.4.4
name-server 4.2.2.2
domain-name bk.local
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-SSL-VPN-Pool
subnet 172.16.1.0 255.255.255.0
description Object t.b.v. SSL VPN
object network NETWORK_OBJ_10.128.242.0_25
subnet 10.128.242.0 255.255.255.128
object network NETWORK_OBJ_172.16.1.0_24
subnet 172.16.1.0 255.255.255.0
object network BK-TS01
host 10.128.242.54
description Terminal-Server
object network TS-01
host 10.128.242.54
description BK-TS01
object service RDP
service tcp destination eq 3389
description 3389
object service Spotnet
service tcp source range 45000 65000 destination eq nntp
description ACL tbv Spotnet
object network RDP-RDS-01
host 10.128.242.11
description RDSH
object network HTTPS-BK-WSS2
host 10.128.242.22
description NAT, tbv https
object network HTTP-BK-DSS1
host 10.128.242.21
description HTTP naar de BK-DSS1
object network PPTP-DC-01
host 10.128.242.10
description Dial-up VPN
object network GRE-VPN-DC01
host 10.128.242.10
description GRE tbv VPN
object network BK-DSS1
host 10.128.242.20
description DNS
object network TEST-LGG
subnet 192.168.10.0 255.255.255.0
object network LGG-Rot
subnet 192.168.11.0 255.255.255.0
object network SMTP-EXC-01
host 10.128.242.12
description Exchange-mail
object network Webmail
host 10.128.242.12
description WEBMAIL
object network TEST
host 10.128.242.50
object network VLAN20
subnet 10.129.242.0 255.255.255.0
description VLAN20-Client VLAN
object-group service Inside-to-Outside
description Verkeer van binnen naar buiten
service-object object RDP
service-object tcp-udp destination eq domain
service-object tcp destination eq ftp
service-object tcp destination eq ftp-data
service-object tcp destination eq https
service-object tcp destination eq imap4
service-object tcp destination eq smtp
service-object tcp destination eq ssh
service-object tcp destination eq telnet
service-object udp destination eq domain
service-object udp destination eq ntp
service-object tcp destination eq www
object-group service Outside-to-Inside
description Verkeer van buiten naar binnen
service-object tcp destination eq www
service-object tcp destination eq https
service-object udp destination eq domain
object-group service Spotnet-UDP udp
description Spotnet
port-object eq 119
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group icmp-type DM_INLINE_ICMP_1
icmp-object echo
icmp-object echo-reply
access-list Baas_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.192
access-list BK-Home-Ipsec_splitTunnelAcl standard permit 10.128.242.0 255.255.255.128
access-list botnet-exclude extended deny ip any 10.128.242.0 255.255.255.128
access-list botnet-exclude extended permit ip any any
access-list Suzaba-IPsec_splitTunnelAcl standard permit 10.128.242.0 255.255.255.128
access-list Suzaba-IPsec_splitTunnelAcl_1 standard permit 10.128.242.0 255.255.255.128
access-list inside_access_in extended permit ip 10.128.242.0 255.255.255.128 any
access-list inside_access_in remark Toegestaan verkeer van binnen naar buiten.
access-list inside_access_in extended permit object-group Inside-to-Outside 10.128.242.0 255.255.255.128 any
access-list inside_access_in extended permit object Spotnet 10.128.242.0 255.255.255.128 any
access-list inside_access_in extended permit tcp 10.128.242.0 255.255.255.128 any eq pop3
access-list inside_access_in extended permit tcp 10.128.242.0 255.255.255.128 any eq imap4
access-list inside_access_in extended deny ip any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit object RDP any object RDP-RDS-01 inactive
access-list outside_access_in extended permit tcp any object Webmail object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any object PPTP-DC-01 eq pptp inactive
access-list outside_access_in extended permit gre any object GRE-VPN-DC01
access-list outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list outside_access_in extended permit tcp any object SMTP-EXC-01 eq smtp
access-list outside_access_in extended deny ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_10.128.242.0_25 NETWORK_OBJ_10.128.242.0_25 destination static NETWORK_OBJ_172.16.1.0_24 NETWORK_OBJ_172.16.1.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.128.242.0_25 NETWORK_OBJ_10.128.242.0_25 destination static TEST-LGG TEST-LGG no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.128.242.0_25 NETWORK_OBJ_10.128.242.0_25 destination static LGG-Rot LGG-Rot no-proxy-arp route-lookup
!
object network obj_any
nat (inside,outside) dynamic interface
object network RDP-RDS-01
nat (inside,outside) static interface service tcp 3389 3389
object network PPTP-DC-01
nat (inside,outside) static interface service tcp pptp pptp
object network GRE-VPN-DC01
nat (inside,outside) static interface service tcp 47 47
object network BK-DSS1
nat (inside,outside) static interface service udp domain domain
object network SMTP-EXC-01
nat (inside,outside) static interface service tcp smtp smtp
object network Webmail
nat (inside,outside) static interface service tcp https https
object network TEST
nat (any,outside) static interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable 444
http 192.168.2.0 255.255.255.0 inside
http 10.128.242.0 255.255.255.0 inside
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 192.168.2.0 255.255.255.0
threat-detection scanning-threat shun duration 3600
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 193.67.79.202 source outside prefer
!
class-map inspection_default
match default-inspection-traffic
class-map botnet-DNS
match port udp eq domain
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 1500
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect pptp
inspect dns preset_dns_map
class class-default
user-statistics accounting
policy-map botnet-policy
class botnet-DNS
inspect dns dynamic-filter-snoop
!
service-policy global_policy global
service-policy botnet-policy interface outside
prompt hostname context
Cryptochecksum:14165e9d634be236de46041efa87e40d
: end
Switch:
BK-Dist-SW1#sh run
Building configuration...
Current configuration : 2254 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname BK-Dist-SW1
!
!
no aaa new-model
ip subnet-zero
ip routing
!
!
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
interface FastEthernet0/1
no switchport
ip address 10.128.242.5 255.255.255.128
!
interface FastEthernet0/2
switchport mode dynamic desirable
!
interface FastEthernet0/3
switchport mode dynamic desirable
!
interface FastEthernet0/4
switchport mode dynamic desirable
!
interface FastEthernet0/5
switchport mode dynamic desirable
!
interface FastEthernet0/6
switchport mode dynamic desirable
!
interface FastEthernet0/7
switchport mode dynamic desirable
!
interface FastEthernet0/8
switchport mode dynamic desirable
!
interface FastEthernet0/9
switchport mode dynamic desirable
!
interface FastEthernet0/10
switchport mode dynamic desirable
!
interface FastEthernet0/11
switchport mode dynamic desirable
!
interface FastEthernet0/12
switchport mode dynamic desirable
!
interface FastEthernet0/13
switchport mode dynamic desirable
!
interface FastEthernet0/14
switchport mode dynamic desirable
!
interface FastEthernet0/15
switchport mode dynamic desirable
!
interface FastEthernet0/16
switchport mode dynamic desirable
!
interface FastEthernet0/17
switchport mode dynamic desirable
!
interface FastEthernet0/18
switchport mode dynamic desirable
!
interface FastEthernet0/19
switchport mode dynamic desirable
!
interface FastEthernet0/20
switchport mode dynamic desirable
!
interface FastEthernet0/21
switchport mode dynamic desirable
!
interface FastEthernet0/22
switchport mode dynamic desirable
!
interface FastEthernet0/23
switchport mode dynamic desirable
!
interface FastEthernet0/24
switchport mode dynamic desirable
!
interface GigabitEthernet0/1
switchport mode dynamic desirable
!
interface GigabitEthernet0/2
switchport mode dynamic desirable
!
interface Vlan1
no ip address
!
interface Vlan10
no ip address
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.128.242.1
ip http server
ip http secure-server
!
!
!
control-plane
!
!
line con 0
line vty 0 4
no login
line vty 5 15
no login
!
!
end
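As an added example (not code from the thread, nor from Cisco), the following Python models how the NAT lines in the posted ASA config are evaluated for a given flow, using the ASA's documented rule order: the manual "source static ... destination static" lines in section 1 in config order, then the per-object rules in section 2 with static rules before the dynamic obj_any rule. Object names and prefixes are copied from the config above; the flows fed to it are constructed.

```python
import ipaddress

# Network objects as they appear in the posted ASA config (only those NAT uses).
OBJECTS = {
    "obj_any": "0.0.0.0/0",
    "NETWORK_OBJ_10.128.242.0_25": "10.128.242.0/25",
    "NETWORK_OBJ_172.16.1.0_24": "172.16.1.0/24",
    "TEST-LGG": "192.168.10.0/24",
    "LGG-Rot": "192.168.11.0/24",
    "RDP-RDS-01": "10.128.242.11/32",
    "PPTP-DC-01": "10.128.242.10/32",
    "GRE-VPN-DC01": "10.128.242.10/32",
    "BK-DSS1": "10.128.242.20/32",
    "SMTP-EXC-01": "10.128.242.12/32",
    "Webmail": "10.128.242.12/32",
    "TEST": "10.128.242.50/32",
}

# NAT rules in evaluation order: (section, real source object, destination
# object or None for "any", (protocol, real-host port) or None, effect).
# Section 1 = the three manual identity-NAT lines in config order; section 2 =
# the per-object rules, statics before the dynamic obj_any rule. The host
# statics cover disjoint host/port pairs, so their relative order is moot here.
# "tcp 47" is modelled exactly as the posted line states it (a TCP port).
RULES = [
    (1, "NETWORK_OBJ_10.128.242.0_25", "NETWORK_OBJ_172.16.1.0_24", None, "identity NAT (SSL VPN pool)"),
    (1, "NETWORK_OBJ_10.128.242.0_25", "TEST-LGG", None, "identity NAT (TEST-LGG)"),
    (1, "NETWORK_OBJ_10.128.242.0_25", "LGG-Rot", None, "identity NAT (LGG-Rot)"),
    (2, "RDP-RDS-01", None, ("tcp", 3389), "static to interface, tcp 3389 only"),
    (2, "PPTP-DC-01", None, ("tcp", 1723), "static to interface, tcp pptp only"),
    (2, "GRE-VPN-DC01", None, ("tcp", 47), "static to interface, tcp 47 only"),
    (2, "BK-DSS1", None, ("udp", 53), "static to interface, udp domain only"),
    (2, "SMTP-EXC-01", None, ("tcp", 25), "static to interface, tcp smtp only"),
    (2, "Webmail", None, ("tcp", 443), "static to interface, tcp https only"),
    (2, "TEST", None, None, "static to interface (whole host)"),
    (2, "obj_any", None, None, "dynamic PAT to interface"),
]


def match_nat(src, dst, proto="icmp", real_port=None):
    """Return the effect of the first NAT rule matching a flow from src to dst.

    The "service" of a static object NAT constrains the real host's own port,
    so for an outbound flow that is the source port: pings and connections
    from ephemeral ports never hit the port-scoped statics.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _section, src_obj, dst_obj, svc, effect in RULES:
        if src_ip not in ipaddress.ip_network(OBJECTS[src_obj]):
            continue
        if dst_obj is not None and dst_ip not in ipaddress.ip_network(OBJECTS[dst_obj]):
            continue
        if svc is not None and (proto, real_port) != svc:
            continue
        return effect
    return "no NAT rule: forwarded untranslated"
```

Running match_nat for 10.128.242.5 and 10.128.242.50 against 8.8.8.8 shows the switch landing on the obj_any PAT rule while the working client lands on its own static rule to the interface address; the xlate table Jon suggested checking is what confirms on the box which of the two actually got built.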
11-29-2013 09:32 AM
Hi Jon,
I got it working now. Since it's just my home lab I did a factory default on the ASA, works like a charm now:
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (1000/1000), round-trip min/avg/max = 8/14/32 ms
BK-Dist-SW1#
Weird issue, glad it's working now.
Thanks for helping, I'll rate your post helpful.