08-31-2012 06:55 AM - edited 03-07-2019 08:38 AM
Good morning!
I’m a little stumped as to why this isn’t working… That's probably because I'm not too savvy when it comes to router configs!
Basically, I have a network which has a LAN and a DMZ. Everything on my network works correctly and communications between switches, router, Internet and other internal resources flow correctly. The only thing I’m having a problem with is VLAN4…
I need to isolate a few servers and users from the LAN so I created VLAN4 on the switch. I assigned it an IP address in a different subnet and assigned ports to the VLAN. Port forwarding is configured on the switch.
For testing purposes, before this goes live, I connected a computer directly to one of the switch ports (Gi4/5) and assigned it a static IP in that subnet, the gateway being the VLAN IP. I can ping the VLAN IP but I can’t ping the router or get to the Internet…
The switch can ping 10.165.11.1 (ASA).
The ASA can ping 10.165.11.2 (switch) but it can’t ping 10.165.13.2 (VLAN4).
The ASA e0/1 is connected to switchport Gi2/20 which doesn’t have any specific config, just the default settings shown below:
Name: Gi2/20
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
The 1st step is to get Internet access. The next step will be to allow access to the Exchange server on the LAN.
There are many devices not shown on the diagram but the important ones are there…
I'd appreciate any help in getting this straight! Thanks
ASA and switch configs below (removed irrelevant info):
ASA Version 8.2(3)
!
names
name 10.165.10.6 edge description Edge server
name 10.165.11.15 hub description Hub server
name 204.xxx.xxx.21 mail-outside description Edge public
name 204.xxx.xxx.18 A-204.xxx.xxx.18 description ASA public
name 204.xxx.xxx.17 A-204.xxx.xxx.17 description Telco modem
name 10.165.13.0 purch-network description Purchasing VLAN
!
interface Ethernet0/0
nameif outside
security-level 0
ip address A-204.xxx.xxx.18 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.165.11.1 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 70
ip address 10.165.10.1 255.255.255.0
!
interface Ethernet0/3
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup dmz
dns domain-lookup management
same-security-traffic permit inter-interface
object-group service DM_INLINE_TCP_5 tcp
port-object eq www
port-object eq https
access-list outside_access_in extended permit tcp any host mail-outside eq smtp
access-list dmz_access_in extended permit tcp host edge any eq smtp
access-list inside_access_in_1 remark Implicit rule: Permit all traffic to less secure networks
access-list inside_access_in_1 extended permit ip any any
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
mtu purch 1500
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (dmz) 1 10.165.10.50-10.165.10.220 netmask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (dmz,outside) mail-outside edge netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in_1 in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 A-204.xxx.xxx.17 1
route inside purch-network 255.255.255.0 10.165.11.1 1
class-map inspection_default
match default-inspection-traffic
: end
version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime
no service password-encryption
service compress-config
service sequence-numbers
!
hostname ABC
!
boot-start-marker
boot system flash bootflash:cat4500e-ipbasek9-mz.122-52.SG.bin
boot-end-marker
!
clock timezone EST -5
clock summer-time EDT recurring
ip subnet-zero
ip domain-name something.org
ip name-server 10.165.11.13
ip name-server 10.165.11.6
!
!
vtp domain something.org
vtp mode transparent
cluster run
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 2
name OUT
!
vlan 3
name DMZ
!
vlan 4
name Purch
!
interface FastEthernet1
ip vrf forwarding mgmtVrf
no ip address
speed auto
duplex auto
!
interface GigabitEthernet2/20
description ASA LAN
!
interface GigabitEthernet4/5
description purch
switchport access vlan 4
switchport mode access
!
interface Vlan1
ip address 10.165.11.2 255.255.255.0
!
interface Vlan2
no ip address
shutdown
!
interface Vlan4
ip address 10.165.13.2 255.255.255.0
!
ip default-gateway 10.165.11.1
ip route 0.0.0.0 0.0.0.0 10.165.11.1
ip http server
ip http authentication local
no ip http secure-server
!
end
09-11-2012 07:47 AM
Thanks for the suggestions!
@andrewswanson
I had a PIX 515 in place before the ASA but I didn’t do a migration. I configured the ASA from scratch. Being that I’m not too proficient with ASAs, and I was on a tight schedule during Christmas break, there are probably some configuration mistakes that could be corrected. Globally, things are working fine for now so I’d prefer not to “break” anything. If something needs to be done that won’t disrupt anyone’s connectivity, I’m all for it…
I did what you suggested but I still can’t get to the outside world from VLAN4.
@Robert Rivera
I have a wireless network with guest access on a separate VLAN. The access points serve the internal users with Radius authentication (VLAN1) as well as the guests for Internet access via a ZeroShell captive portal (VLAN10). 2 of the access points are connected to the 3560.
For now, the 3560 is not part of the problem yet but it will probably be when it comes time to see about clients on VLAN4 getting access to the Exchange server in VLAN1.
Nevertheless, here’s the switch config and route info:
switch2#sh run
Current configuration : 4987 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime
no service password-encryption
service sequence-numbers
!
hostname switch2
!
no aaa new-model
clock timezone UTC -5
clock summer-time UTC recurring
system mtu routing 1500
vtp domain fdresa.org
vtp mode transparent
authentication mac-move permit
ip subnet-zero
ip domain-name something.org
!
spanning-tree mode pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 4
name Purch
!
vlan 10
name GuestNet
!
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,4,10
switchport mode trunk
!
interface GigabitEthernet0/47
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10
switchport mode trunk
!
interface GigabitEthernet0/48
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10
switchport mode trunk
!
interface GigabitEthernet0/51
switchport access vlan 4
switchport mode access
spanning-tree portfast
!
interface Vlan1
ip address 10.165.11.3 255.255.255.0
!
interface Vlan4
ip address 10.165.13.3 255.255.255.0
!
interface Vlan10
ip address 10.165.12.3 255.255.255.0
!
ip default-gateway 10.165.11.1
ip classless
ip http server
ip http authentication local
ip http secure-server
!
end
switch2#sh ip route
Default gateway is 10.165.11.1
@jcarvaja
I added the sub-interface back to the ASA, made the config changes specified (except for what concerns e0/1) but still no Internet access for VLAN4.
Here’s the latest ASA config and route info:
ASA Version 8.2(3)
!
names
name 10.165.11.13 ad1 description Domain controller
name 10.165.10.6 edge description Edge server
name 10.165.11.15 hub description Hub server
name 204.xxx.xxx.21 mail-outside description Edge public
name 10.165.12.0 wguests-network
name 10.165.12.38 zeroshell description Wireless Captive Portal
name 204.xxx.xxx.17 A-204.xxx.xxx.17 description Telco modem
name 204.xxx.xxx.18 A-204.xxx.xxx.18 description ASA public
!
interface Ethernet0/0
nameif outside
security-level 0
ip address A-204.xxx.xxx.18 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.165.11.1 255.255.255.0
!
interface Ethernet0/1.4
vlan 4
nameif purch
security-level 100
ip address 10.165.13.1 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 70
ip address 10.165.10.1 255.255.255.0
!
interface Ethernet0/3
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup dmz
dns domain-lookup management
same-security-traffic permit inter-interface
object-group service DM_INLINE_TCP_5 tcp
port-object eq www
port-object eq https
access-list outside_access_in extended permit tcp any host mail-outside eq smtp
access-list dmz_access_in extended permit tcp host edge any eq smtp
access-list inside_access_in_1 remark Implicit rule: Permit all traffic to less secure networks
access-list inside_access_in_1 extended permit ip any any
mtu outside 1500
mtu inside 1500
mtu purch 1500
mtu dmz 1500
mtu management 1500
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (dmz) 1 10.165.10.50-10.165.10.220 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (purch) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (dmz,outside) mail-outside edge netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in_1 in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 A-204.xxx.xxx.17 1
route inside wguests-network 255.255.255.0 10.165.11.1 1
route inside 10.165.13.0 255.255.255.0 10.165.11.2 1
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect pptp
inspect icmp
service-policy global_policy global
: end
asa# sh route
Gateway of last resort is A-204.xxx.xxx.17 to network 0.0.0.0
C A-204.xxx.xxx.16 255.255.255.240 is directly connected, outside
C 10.165.13.0 255.255.255.0 is directly connected, purch
S wguests-network 255.255.255.0 [1/0] via 10.165.11.1, inside
C 10.165.11.0 255.255.255.0 is directly connected, inside
C 10.165.10.0 255.255.255.0 is directly connected, dmz
S* 0.0.0.0 0.0.0.0 [1/0] via A-204.xxx.xxx.17, outside
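An added consistency check, written for this thread and not part of any post in it: it reads a constructed excerpt of the ASA config from the post above together with the Gi2/20 switchport status shown in the first post (assumed to be unchanged, since the post says the e0/1 side was left alone) and flags an ASA subinterface whose 802.1Q tag the facing switch port cannot carry, as well as a static route that is shadowed by a directly connected network.

```python
import ipaddress
import re

# Constructed excerpts of the ASA config and the Gi2/20 switchport status posted in this thread.
ASA_CONFIG = """\
interface Ethernet0/1
 nameif inside
 ip address 10.165.11.1 255.255.255.0
interface Ethernet0/1.4
 vlan 4
 nameif purch
 ip address 10.165.13.1 255.255.255.0
route inside 10.165.13.0 255.255.255.0 10.165.11.2 1
"""
GI2_20_STATUS = "Operational Mode: static access\nTrunking VLANs Enabled: ALL\n"

def parse_asa(cfg):
    """Collect subinterface 802.1Q tags, connected network per nameif, and static routes."""
    tags, nets, routes, cur, name = {}, {}, [], None, None
    for line in cfg.splitlines():
        if m := re.match(r"interface (\S+)", line):
            cur, name = m[1], None
        elif m := re.match(r"\s*vlan (\d+)", line):
            tags[cur] = int(m[1])          # the tag this subinterface expects on the wire
        elif m := re.match(r"\s*nameif (\S+)", line):
            name = m[1]
        elif m := re.match(r"\s*ip address (\S+) (\S+)", line):
            nets[name] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.match(r"route (\S+) (\S+) (\S+) ", line):
            routes.append((m[1], ipaddress.ip_network(f"{m[2]}/{m[3]}")))
    return tags, nets, routes

def port_carries_vlan(status, vlan):
    """An access port carries only its untagged VLAN; a trunk carries its allowed list."""
    if "trunk" not in re.search(r"Operational Mode: (.+)", status)[1]:
        return False
    allowed = re.search(r"Trunking VLANs Enabled: (.+)", status)[1].strip()
    if allowed == "ALL":
        return True
    return any(int(lo) <= vlan <= int(hi or lo)
               for lo, _, hi in (p.partition("-") for p in allowed.split(",")))

def audit(cfg, status):
    """Findings where the ASA config and the facing switch port disagree; empty means consistent."""
    tags, nets, routes = parse_asa(cfg)
    found = [f"{s}: 802.1Q tag {v} is not carried by the switch port"
             for s, v in tags.items() if not port_carries_vlan(status, v)]
    found += [f"route {net} via {n} is shadowed by connected {o}"
              for n, net in routes for o, cnet in nets.items() if o != n and net.overlaps(cnet)]
    return found
```

Run `audit(ASA_CONFIG, GI2_20_STATUS)` after changing either side; an empty list means the tagged subinterface and the port facing it finally agree.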
09-13-2012 10:58 AM
Ok... Let's say I scrap the whole VLAN4 config entries that I've made on the switch and ASA. I'll pretend it never existed and start from scratch!
Exactly what entries should be made on both the switch and ASA so that a computer connected to VLAN4 can:
- access the Internet?
- send and receive email from the Exchange server on the AD LAN?
Thanks
10-10-2012 01:15 PM
Removed everything that I had done trying to configure this VLAN, both on the ASA and the switch.
Ready to start from scratch!