05-21-2011 09:36 PM - edited 03-06-2019 05:11 PM
Dear Support,
I've just configured a L3 switch (3750 G) with five vlans.
Here is my configuration
interface Vlan2
ip address 192.168.2.1 255.255.255.0
!
interface Vlan5
ip address 10.10.5.254 255.255.0.0
ip helper-address 10.10.5.7
no ip redirects
no ip route-cache cef
no ip route-cache
!
interface Vlan11
ip address 192.168.11.254 255.255.255.0
ip helper-address 10.10.5.7
no ip redirects
no ip route-cache cef
no ip route-cache
!
interface Vlan12
ip address 192.168.12.254 255.255.255.0
ip helper-address 10.10.5.7
no ip redirects
no ip route-cache cef
no ip route-cache
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.5.253 (to ASA for Internet)
ip route 10.2.100.0 255.255.255.0 10.168.0.1 (to a remote site)
ip route 10.169.0.0 255.255.255.252 10.168.0.1 (to the remote site)
ip route 192.168.1.0 255.255.255.0 10.168.0.1 (to the remote site)
no ip http server
My problem is that only users on vlan 5 can go to the Internet; the other vlans cannot.
From the ASA, I can reach nodes on vlan 11, vlan 13 etc...
Here is my ASA routing table
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1 (to Internet Router)
route inside 10.2.100.0 255.255.255.0 10.2.100.254 1
route inside 192.168.1.0 255.255.255.0 10.10.5.254 1
route inside 192.168.11.0 255.255.255.0 10.10.5.254 1
route inside 192.168.12.0 255.255.255.0 10.10.5.254 1
route inside 192.168.13.0 255.255.255.0 10.10.5.254 1
route inside 192.168.14.0 255.255.255.0 10.10.5.254 1
route inside 192.168.15.0 255.255.255.0 10.10.5.254 1
route inside 192.168.16.0 255.255.255.0 10.10.5.254 1
access-list inside-access extended permit object-group Web_Services any any
Can someone help me please?
05-22-2011 02:05 AM
Can you post your NAT config on the ASA?
Regards,
jerry
05-22-2011 03:33 AM
Dear All,
Thanks for your response,
I found the issue; it was a missing NAT in the ASA.
object network VLAN_NETWORK
nat (any,outside) dynamic interface
It's working fine now.
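As an added example (not from the thread or any of its posters), a small Python check that flags which switch VLAN subnets are not covered by any ASA object NAT rule, which is the gap this thread ended up being about. The sample switch SVIs are taken from the thread; the ASA object's subnet is an assumption, since the post only shows the nat line.

```python
import ipaddress
import re

# Constructed sample inputs: switch SVIs as posted; the ASA subnet is assumed.
SWITCH_CONFIG = """\
interface Vlan5
 ip address 10.10.5.254 255.255.0.0
interface Vlan11
 ip address 192.168.11.254 255.255.255.0
interface Vlan12
 ip address 192.168.12.254 255.255.255.0
"""
ASA_CONFIG = """\
object network VLAN_NETWORK
 subnet 10.10.0.0 255.255.0.0
 nat (any,outside) dynamic interface
"""

def _net(addr, mask):
    """Build a network from a dotted address and dotted mask (host bits ignored)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def switch_subnets(cfg):
    """Map each 'interface VlanN' to the network of its 'ip address' line."""
    subnets, vlan = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"\s*interface (Vlan\d+)", line):
            vlan = m.group(1)
        elif (m := re.match(r"\s*ip address (\S+) (\S+)", line)) and vlan:
            subnets[vlan] = _net(*m.groups())
    return subnets

def asa_nat_networks(cfg):
    """Subnets of 'object network' blocks that carry an object NAT statement."""
    nets, subnet = [], None
    for line in cfg.splitlines():
        if line.startswith("object network"):
            subnet = None           # new block: forget the previous subnet
        elif m := re.match(r"\s*subnet (\S+) (\S+)", line):
            subnet = _net(*m.groups())
        elif line.strip().startswith("nat ") and subnet is not None:
            nets.append(subnet)
    return nets

def untranslated_vlans(switch_cfg, asa_cfg):
    """VLAN names whose subnet falls under no NAT'd object (routing alone won't help)."""
    nat_nets = asa_nat_networks(asa_cfg)
    return sorted(name for name, net in switch_subnets(switch_cfg).items()
                  if not any(net.subnet_of(n) for n in nat_nets))
```

With the sample above, only Vlan5 sits inside the NAT'd 10.10.0.0/16, so Vlan11 and Vlan12 are reported, matching the symptom in the first post.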
05-22-2011 03:21 AM
Hi Zain,
If possible, then perform the following test:
Disconnect your ASA from vlan 5 and connect it to any other vlan (vlan 11). Then check whether the Internet is working on vlan 11 or not, and also check the other vlans, including vlan 5.
For this you need to do the following configuration changes on your switch and ASA.
On ASA,
1. Change the inside interface IP and give it an IP from vlan 11 (I chose vlan 11 to give you an idea; you can do the same with any other vlan).
2. Add a "route inside" for vlan 5.
On Switch
3. Change the port (connected to ASA inside) from vlan 5 to vlan 11.
4. Change the default route and point it to the IP address you assigned in the first step to the ASA inside interface.
Why I am asking you to do these changes: because sometimes the service provider restricts/changes the TTL value to 2 when data is returning.
The other option you can try is to install a sniffer between the Internet gateway and the ASA and capture the traffic; you will find that the data returning from the service provider is coming with a very low TTL. Because of this, only the directly connected vlan can reach and receive the data; for the other vlans, the TTL expires before it reaches them.
Regards,
Naveed Shahzad
Message was edited by: naveed817