Network and Internet access for new VLAN

daverutz58
Level 1

Good morning!

I’m a little stumped as to why this isn’t working… That's probably because I'm not too savvy when it comes to router configs!


Basically, I have a network which has a LAN and a DMZ. Everything on my network works correctly and communications between switches, router, Internet and other internal resources flow correctly. The only thing I’m having a problem with is VLAN4…

I need to isolate a few servers and users from the LAN so I created VLAN4 on the switch. I assigned it an IP address in a different subnet and assigned ports to the VLAN. Port forwarding is configured on the switch.

For testing purposes, before this goes live, I connected a computer directly to one of the switch ports (Gi4/5) and assigned it a static IP in that subnet, the gateway being the VLAN IP. I can ping the VLAN IP but I can’t ping the router or get to the Internet…

The switch can ping 10.165.11.1 (ASA).

The ASA can ping 10.165.11.2 (switch) but it can’t ping 10.165.13.2 (VLAN4).

The ASA e0/1 is connected to switchport Gi2/20 which doesn’t have any specific config, just the default settings shown below:

Name: Gi2/20
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL


The first step is to get Internet access. The next step will be to allow access to the Exchange server on the LAN.

There are many devices not shown on the diagram but the important ones are there…

I'd appreciate any help in getting this straight! Thanks

ASA and switch configs below (removed irrelevant info):

ASA Version 8.2(3)
!
names
name 10.165.10.6 edge description Edge server
name 10.165.11.15 hub description Hub server
name 204.xxx.xxx.21 mail-outside description Edge public
name 204.xxx.xxx.18 A-204.xxx.xxx.18 description ASA public
name 204.xxx.xxx.17 A-204.xxx.xxx.17 description Telco modem
name 10.165.13.0 purch-network description Purchasing VLAN
!
interface Ethernet0/0
nameif outside
security-level 0
ip address A-204.xxx.xxx.18 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.165.11.1 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 70
ip address 10.165.10.1 255.255.255.0
!
interface Ethernet0/3
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup dmz
dns domain-lookup management
same-security-traffic permit inter-interface
object-group service DM_INLINE_TCP_5 tcp
port-object eq www
port-object eq https
access-list outside_access_in extended permit tcp any host mail-outside eq smtp
access-list dmz_access_in extended permit tcp host edge any eq smtp
access-list inside_access_in_1 remark Implicit rule: Permit all traffic to less secure networks
access-list inside_access_in_1 extended permit ip any any
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
mtu purch 1500
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (dmz) 1 10.165.10.50-10.165.10.220 netmask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (dmz,outside) mail-outside edge netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in_1 in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 A-204.xxx.xxx.17 1
route inside purch-network 255.255.255.0 10.165.11.1 1
class-map inspection_default
match default-inspection-traffic
: end


version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime
no service password-encryption
service compress-config
service sequence-numbers
!
hostname ABC
!
boot-start-marker
boot system flash bootflash:cat4500e-ipbasek9-mz.122-52.SG.bin
boot-end-marker
!
clock timezone EST -5
clock summer-time EDT recurring
ip subnet-zero
ip domain-name something.org
ip name-server 10.165.11.13
ip name-server 10.165.11.6
!
!
vtp domain something.org
vtp mode transparent
cluster run
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 2
name OUT
!
vlan 3
name DMZ
!
vlan 4
name Purch
!
interface FastEthernet1
ip vrf forwarding mgmtVrf
no ip address
speed auto
duplex auto
!
interface GigabitEthernet2/20
description ASA LAN
!
interface GigabitEthernet4/5
description purch
switchport access vlan 4
switchport mode access
!
interface Vlan1
ip address 10.165.11.2 255.255.255.0
!
interface Vlan2
no ip address
shutdown
!
interface Vlan4
ip address 10.165.13.2 255.255.255.0
!
ip default-gateway 10.165.11.1
ip route 0.0.0.0 0.0.0.0 10.165.11.1
ip http server
ip http authentication local
no ip http secure-server
!
end
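As an added example, not part of daverutz58's post or of any reply in the thread: the smallest set of changes that makes the design in this post work as posted, i.e. the 4500 routes VLAN 4 itself and the ASA only knows 10.165.13.0/24 as a subnet behind the switch. The one defect visible on the ASA side is the next hop of the purch-network route: `route inside purch-network 255.255.255.0 10.165.11.1 1` points at the ASA's own inside address, so the ASA has no path back to VLAN 4, which is consistent with it pinging 10.165.11.2 but not 10.165.13.2 and with the test PC reaching its gateway but nothing past it. Assumptions of mine: `ip routing` on the 4500 (included because it is harmless if already on), the ACL name PURCH_IN, the Exchange ports 443 and 25 (the post does not say how clients connect), and 198.51.100.10, a documentation address used only as a test target.

```cisco
! ===== Catalyst 4500 "ABC" (design A: the switch routes VLAN 4) =====
ip routing
!
! Router ACL on the VLAN 4 SVI. In this design VLAN 4 <-> VLAN 1 traffic is
! switched-routed locally and never reaches the ASA, so this ACL is the only
! place that enforces the isolation the post asks for.
! ad1 = 10.165.11.13 (DNS) and hub = 10.165.11.15 (Exchange) are from the
! thread; the Exchange port list is an assumption.
ip access-list extended PURCH_IN
 permit icmp 10.165.13.0 0.0.0.255 host 10.165.13.2
 permit udp 10.165.13.0 0.0.0.255 host 10.165.11.13 eq domain
 permit tcp 10.165.13.0 0.0.0.255 host 10.165.11.13 eq domain
 permit tcp 10.165.13.0 0.0.0.255 host 10.165.11.15 eq 443
 permit tcp 10.165.13.0 0.0.0.255 host 10.165.11.15 eq smtp
 deny   ip 10.165.13.0 0.0.0.255 10.165.0.0 0.0.255.255
 permit ip 10.165.13.0 0.0.0.255 any
!
interface Vlan4
 description Purchasing (gateway for 10.165.13.0/24)
 ip address 10.165.13.2 255.255.255.0
 ip access-group PURCH_IN in
!
interface GigabitEthernet4/5
 description purch
 switchport access vlan 4
 switchport mode access
 spanning-tree portfast
!
ip route 0.0.0.0 0.0.0.0 10.165.11.1
!
! ===== ASA 8.2(3) =====
! The posted route sends 10.165.13.0/24 to the ASA's own inside address.
! The next hop must be the switch's VLAN 1 address, 10.165.11.2.
no route inside purch-network 255.255.255.0 10.165.11.1 1
route inside purch-network 255.255.255.0 10.165.11.2 1
!
! Nothing else is needed for Internet access: "nat (inside) 1 0.0.0.0 0.0.0.0"
! already PATs any inside source, 10.165.13.0/24 included, to the outside
! interface, and inside_access_in_1 permits ip any any.
!
! ===== checks =====
! ASA: purch-network must be listed via 10.165.11.2 on inside
show route
! ASA: simulate a VLAN 4 host browsing out; expect ALLOW and a PAT xlate
packet-tracer input inside tcp 10.165.13.10 40000 198.51.100.10 80
! switch: with routing on, "show ip route" prints a routing table with the
! default route; a switch that only prints "Default gateway is ..." is not routing
show ip route
```

The second step (Exchange) is where design A bites. hub's default gateway is the ASA (10.165.11.1), so a VLAN 4 client's SYN reaches hub through the switch, but hub's SYN-ACK goes to the ASA, which would have to send it back out the same interface to 10.165.11.2 (that needs `same-security-traffic permit intra-interface` plus a NAT exemption under nat-control) and, having never seen the SYN, drops it anyway as a TCP packet with no connection. The fix that keeps both directions on the switch is a persistent route to 10.165.13.0/24 via 10.165.11.2 on hub and ad1 (on Windows, `route -p add 10.165.13.0 mask 255.255.255.0 10.165.11.2`), or making 10.165.11.2 the LAN hosts' default gateway. If the point of VLAN 4 is isolation, routing it on the ASA instead (a tagged subinterface on e0/1 with Gi2/20 as a trunk) is the stronger design, because every VLAN 4 <-> LAN packet then passes the firewall's ACLs rather than a switch ACL.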

17 Replies

Thanks for the suggestions!

@andrewswanson

I had a PIX 515 in place before the ASA but I didn’t do a migration. I configured the ASA from scratch. Being that I’m not too proficient with ASAs, and I was on a tight schedule during Christmas break, there are probably some configuration mistakes that could be corrected. Globally, things are working fine for now so I’d prefer not to “break” anything. If something needs to be done that won’t disrupt anyone’s connectivity, I’m all for it…

I did what you suggested but I still can’t get to the outside world from VLAN4.

@Robert Rivera

I have a wireless network with guest access on a separate VLAN. The access points serve the internal users with Radius authentication (VLAN1) as well as the guests for Internet access via a ZeroShell captive portal (VLAN10). 2 of the access points are connected to the 3560.

For now, the 3560 is not part of the problem yet, but it will probably be when it comes time to see about clients on VLAN4 getting access to the Exchange server in VLAN1.

Nevertheless, here’s the switch config and route info:

switch2#sh run
Current configuration : 4987 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime
no service password-encryption
service sequence-numbers
!
hostname switch2
!
no aaa new-model
clock timezone UTC -5
clock summer-time UTC recurring
system mtu routing 1500
vtp domain fdresa.org
vtp mode transparent
authentication mac-move permit
ip subnet-zero
ip domain-name something.org
!
spanning-tree mode pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 4
name Purch
!
vlan 10
name GuestNet
!
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,4,10
switchport mode trunk
!
interface GigabitEthernet0/47
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10
switchport mode trunk
!
interface GigabitEthernet0/48
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10
switchport mode trunk
!
interface GigabitEthernet0/51
switchport access vlan 4
switchport mode access
spanning-tree portfast
!
interface Vlan1
ip address 10.165.11.3 255.255.255.0
!
interface Vlan4
ip address 10.165.13.3 255.255.255.0
!
interface Vlan10
ip address 10.165.12.3 255.255.255.0
!
ip default-gateway 10.165.11.1
ip classless
ip http server
ip http authentication local
ip http secure-server
!
end

switch2#sh ip route
Default gateway is 10.165.11.1

@jcarvaja

I added the sub-interface back to the ASA, made the config changes specified (except for what concerns e0/1) but still no Internet access for VLAN4.

Here’s the latest ASA config and route info:

ASA Version 8.2(3)
!
names
name 10.165.11.13 ad1 description Domain controller
name 10.165.10.6 edge description Edge server
name 10.165.11.15 hub description Hub server
name 204.xxx.xxx.21 mail-outside description Edge public
name 10.165.12.0 wguests-network
name 10.165.12.38 zeroshell description Wireless Captive Portal
name 204.xxx.xxx.17 A-204.xxx.xxx.17 description Telco modem
name 204.xxx.xxx.18 A-204.xxx.xxx.18 description ASA public
!
interface Ethernet0/0
nameif outside
security-level 0
ip address A-204.xxx.xxx.18 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.165.11.1 255.255.255.0
!
interface Ethernet0/1.4
vlan 4
nameif purch
security-level 100
ip address 10.165.13.1 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 70
ip address 10.165.10.1 255.255.255.0
!
interface Ethernet0/3
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup dmz
dns domain-lookup management
same-security-traffic permit inter-interface
object-group service DM_INLINE_TCP_5 tcp
port-object eq www
port-object eq https
access-list outside_access_in extended permit tcp any host mail-outside eq smtp
access-list dmz_access_in extended permit tcp host edge any eq smtp
access-list inside_access_in_1 remark Implicit rule: Permit all traffic to less secure networks
access-list inside_access_in_1 extended permit ip any any
mtu outside 1500
mtu inside 1500
mtu purch 1500
mtu dmz 1500
mtu management 1500
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (dmz) 1 10.165.10.50-10.165.10.220 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (purch) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (dmz,outside) mail-outside edge netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in_1 in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 A-204.xxx.xxx.17 1
route inside wguests-network 255.255.255.0 10.165.11.1 1
route inside 10.165.13.0 255.255.255.0 10.165.11.2 1
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect pptp
inspect icmp
service-policy global_policy global
: end

asa# sh route
Gateway of last resort is A-204.xxx.xxx.17 to network 0.0.0.0
C   A-204.xxx.xxx.16 255.255.255.240 is directly connected, outside
C   10.165.13.0 255.255.255.0 is directly connected, purch
S   wguests-network 255.255.255.0 [1/0] via 10.165.11.1, inside
C   10.165.11.0 255.255.255.0 is directly connected, inside
C   10.165.10.0 255.255.255.0 is directly connected, dmz
S*   0.0.0.0 0.0.0.0 [1/0] via A-204.xxx.xxx.17, outside

Ok... Lets say I scrap the whole VLAN4 config entries that I've made on the switch and ASA. I'll pretend it never existed and start from scratch!

Exactly what entries should be made on both the switch and ASA so that a computer connected to VLAN4 can:

- access the Internet?

- send and receive email from the Exchange server on the AD LAN?

Thanks
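As an added example answering the "exactly what entries" question, written by the editor and not taken from any reply in the thread: a from-scratch configuration in which the ASA, not the switch, routes VLAN 4, so that every packet between VLAN 4 and the LAN passes the firewall's ACLs. Two things in the posted configs work against each other and are undone here: 10.165.13.0/24 is both directly connected on purch (e0/1.4) and the target of a static route via 10.165.11.2 (the `sh route` output shows the connected route winning), and Gi2/20 on the 4500 is "Operational Mode: static access" in VLAN 1, so the tagged VLAN 4 frames from e0/1.4 have no trunk to ride. Both switches also own an address in VLAN 4 (10.165.13.2 and 10.165.13.3), which would let VLAN 4 reach VLAN 1 around the firewall once `ip routing` is on. Assumptions of mine: security-level 50 for purch, the object-group name EXCHANGE_CLIENT_TCP and its ports 443 and 25 (the thread does not say how clients connect to Exchange), the ACL name purch_access_in, 10.165.13.10 and 10.165.11.50 as test hosts, and 198.51.100.10 as a documentation-range Internet target. Names ad1 and hub are the ones already defined on the ASA.

```cisco
! ===== Catalyst 4500 "ABC" (design B: the ASA routes VLAN 4) =====
! Gi2/20 faces ASA e0/1. Turn it into a dot1q trunk: VLAN 1 stays native
! (untagged) so inside traffic keeps working, VLAN 4 rides tagged to e0/1.4.
! Do this from the console or Management0/0, not over the inside interface.
interface GigabitEthernet2/20
 description ASA LAN (trunk: VLAN 1 native, VLAN 4 tagged)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,4
 switchport mode trunk
 switchport nonegotiate
!
! The switch must not own an address in VLAN 4: with ip routing on, an SVI
! here is a path from VLAN 4 into VLAN 1 that bypasses the ASA entirely.
no interface Vlan4
!
interface GigabitEthernet4/5
 description purch
 switchport access vlan 4
 switchport mode access
 spanning-tree portfast
!
! ===== switch2 (3560): same rule; Gi0/1 already trunks VLAN 4 =====
no interface Vlan4
!
! ===== ASA 8.2(3) =====
! Drop the static route; the subnet is directly connected on purch.
no route inside 10.165.13.0 255.255.255.0 10.165.11.2 1
!
interface Ethernet0/1.4
 vlan 4
 nameif purch
 security-level 50
 ip address 10.165.13.1 255.255.255.0
!
! nat-control is on, so every purch <-> inside flow needs a translation.
! Identity statics in both directions satisfy it without rewriting addresses.
static (purch,inside) 10.165.13.0 10.165.13.0 netmask 255.255.255.0
static (inside,purch) 10.165.11.0 10.165.11.0 netmask 255.255.255.0
! Internet: PAT to the outside interface, same pool id as inside and dmz
nat (purch) 1 0.0.0.0 0.0.0.0
!
! Policy: VLAN 4 may resolve names at ad1, reach hub on the listed ports,
! and reach the Internet; nothing else inside 10.165.0.0/16.
object-group service EXCHANGE_CLIENT_TCP tcp
 port-object eq https
 port-object eq smtp
access-list purch_access_in remark Purchasing VLAN: DNS to ad1, mail to hub, Internet, nothing else internal
access-list purch_access_in extended permit udp 10.165.13.0 255.255.255.0 host ad1 eq domain
access-list purch_access_in extended permit tcp 10.165.13.0 255.255.255.0 host ad1 eq domain
access-list purch_access_in extended permit tcp 10.165.13.0 255.255.255.0 host hub object-group EXCHANGE_CLIENT_TCP
access-list purch_access_in extended deny ip 10.165.13.0 255.255.255.0 10.165.0.0 255.255.0.0
access-list purch_access_in extended permit ip 10.165.13.0 255.255.255.0 any
access-group purch_access_in in interface purch
!
! ===== checks =====
! switch: Gi2/20 must show mode trunk, native 1, allowed 1,4
show interfaces GigabitEthernet2/20 trunk
! ASA: inside still reaches the switch after the trunk change
ping inside 10.165.11.2
! ASA: 10.165.13.0 connected on purch, no static for it
show route
! ASA: VLAN 4 host to Exchange over HTTPS; expect ALLOW via the identity static
packet-tracer input purch tcp 10.165.13.10 40000 hub 443
! ASA: VLAN 4 host to some other LAN address; expect DROP on purch_access_in
packet-tracer input purch tcp 10.165.13.10 40000 10.165.11.50 445
! ASA: VLAN 4 host to the Internet; expect ALLOW with a PAT xlate
packet-tracer input purch tcp 10.165.13.10 40000 198.51.100.10 80
```

The VLAN 4 hosts keep a static address with 10.165.13.1 as gateway and 10.165.11.13 as DNS. The security level is not the control here, the ACL is: with an access-group applied to purch the ACL decides, and the level only sets what would happen if it were removed (50 means purch would then default to no access into inside or dmz). If Outlook uses MAPI/RPC rather than HTTPS, the object-group is not enough and the port list has to follow what the clients actually use. The trunk between the 4500 and switch2 is not shown in the thread; it has to carry VLAN 4 for hosts on switch2's Gi0/51 to reach the ASA.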

daverutz58
Level 1

Removed everything that I had done trying to configure this VLAN, both on the ASA and the switch.

Ready to start from scratch!
