cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3955
Views
0
Helpful
17
Replies

Network and Internet access for new VLAN

daverutz58
Level 1
Level 1

Good morning!

I’m a little stumped as to why this isn’t working… That's probably because I'm not too savvy when it comes to router configs!


Basically, I have a network which has a LAN and a DMZ. Everything on my network works correctly and communications between switches, router, Internet and other internal resources flow correctly. The only thing I’m having a problem with is VLAN4…

I need to isolate a few servers and users from the LAN so I created VLAN4 on the switch. I assigned it an IP address in a different subnet and assigned ports to the VLAN. Port forwarding is configured on the switch.

For testing purposes, before this goes live, I connected a computer directly to one of the switch ports (Gi4/5) and assigned it a static IP in that subnet, the gateway being the VLAN IP. I can ping the VLAN IP but I can’t ping the router or get to the Internet…

The switch can ping 10.165.11.1 (ASA).

The ASA can ping 10.165.11.2 (switch) but it can’t ping 10.165.13.2 (VLAN4).

The ASA e0/1 is connected to switchport Gi2/20 which doesn’t have any specific config, just the default settings shown below:

Name: Gi2/20

Switchport: Enabled

Administrative Mode: dynamic auto

Operational Mode: static access

Administrative Trunking Encapsulation: dot1q

Operational Trunking Encapsulation: native

Negotiation of Trunking: On

Access Mode VLAN: 1 (default)

Trunking Native Mode VLAN: 1 (default)

Administrative Native VLAN tagging: enabled

Voice VLAN: none

Administrative private-vlan host-association: none

Administrative private-vlan mapping: none

Administrative private-vlan trunk native VLAN: none

Administrative private-vlan trunk Native VLAN tagging: enabled

Administrative private-vlan trunk encapsulation: dot1q

Administrative private-vlan trunk normal VLANs: none

Administrative private-vlan trunk associations: none

Administrative private-vlan trunk mappings: none

Operational private-vlan: none

Trunking VLANs Enabled: ALL

Pruning VLANs Enabled: 2-1001

Capture Mode Disabled

Capture VLANs Allowed: ALL


The 1st step is to get Internet access. The next step will be to allow access to the Exchange server on the LAN.

There are many devices not shown on the diagram but the important ones are there…

I'd appreciate any help in getting this straight! Thanks

ASA and switch configs below (removed irrelevant info):

ASA Version 8.2(3)
!
names
name 10.165.10.6 edge description Edge server
name 10.165.11.15 hub description Hub server
name 204.xxx.xxx.21 mail-outside description Edge public
name 204.xxx.xxx.18 A-204.xxx.xxx.18 description ASA public
name 204.xxx.xxx.17 A-204.xxx.xxx.17 description Telco modem
name 10.165.13.0 purch-network description Purchasing VLAN
!
interface Ethernet0/0
nameif outside
security-level 0
ip address A-204.xxx.xxx.18 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.165.11.1 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 70
ip address 10.165.10.1 255.255.255.0
!
interface Ethernet0/3
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup dmz
dns domain-lookup management
same-security-traffic permit inter-interface
object-group service DM_INLINE_TCP_5 tcp
port-object eq www
port-object eq https
access-list outside_access_in extended permit tcp any host mail-outside eq smtp
access-list dmz_access_in extended permit tcp host edge any eq smtp
access-list inside_access_in_1 remark Implicit rule: Permit all traffic to less secure networks
access-list inside_access_in_1 extended permit ip any any
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
mtu purch 1500
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (dmz) 1 10.165.10.50-10.165.10.220 netmask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (dmz,outside) mail-outside edge netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in_1 in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 A-204.xxx.xxx.17 1

route inside purch-network 255.255.255.0 10.165.11.1 1
class-map inspection_default
match default-inspection-traffic
: end


version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime
no service password-encryption
service compress-config
service sequence-numbers
!
hostname ABC
!
boot-start-marker
boot system flash bootflash:cat4500e-ipbasek9-mz.122-52.SG.bin
boot-end-marker
!
clock timezone EST -5
clock summer-time EDT recurring
ip subnet-zero
ip domain-name something.org
ip name-server 10.165.11.13
ip name-server 10.165.11.6
!
!
vtp domain something.org
vtp mode transparent
cluster run
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 2
name OUT
!
vlan 3
name DMZ
!
vlan 4
name Purch
!
interface FastEthernet1
ip vrf forwarding mgmtVrf
no ip address
speed auto
duplex auto
!

interface GigabitEthernet2/20

description ASA LAN

!
interface GigabitEthernet4/5
description purch
switchport access vlan 4
switchport mode access
!
interface Vlan1
ip address 10.165.11.2 255.255.255.0
!
interface Vlan2
no ip address
shutdown
!
interface Vlan4
ip address 10.165.13.2 255.255.255.0
!
ip default-gateway 10.165.11.1
ip route 0.0.0.0 0.0.0.0 10.165.11.1
ip http server
ip http authentication local
no ip http secure-server
!
end

17 Replies 17

Your route on the ASA is pointing to itself instead to the switch:

interface Ethernet0/1

  nameif inside

  security-level 100

  ip address 10.165.11.1 255.255.255.0

!

route inside purch-network 255.255.255.0 10.165.11.1 1

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Thanks!

So what should the route be?

I tried with

route inside purch-network 255.255.255.0 10.165.11.2 1

and

route inside purch-network 255.255.255.0 10.165.13.2 1

Still can't ping to the outside world...

If I do an IP packet trace with any of those routes from 10.165.13.10 to 8.8.8.8, I get the following error message:

nat (inside) 1 0.0.0.0 0.0.0.0

nat-control

match ip inside any outside any

dynamic translation to pool 1 (A-204.xxx.xxx.18 [Interface PAT])

If I do a TCP packet trace from 10.165.13.10:1000 to 74.125.134.147:80, the packets are allowed...

The route has to use a reachable next-hop. So you only need the route

route inside purch-network 255.255.255.0 10.165.11.2 1

but not

route inside purch-network 255.255.255.0 10.165.13.2 1

If I do an IP packet trace with any of those routes from 10.165.13.10 to 8.8.8.8, I get the following error message:

nat (inside) 1 0.0.0.0 0.0.0.0

nat-control

match ip inside any outside any

dynamic translation to pool 1 (A-204.xxx.xxx.18 [Interface PAT])

that's not an error message, just an info that the translation was build.

If I do a TCP packet trace from 10.165.13.10:1000 to 74.125.134.147:80, the packets are allowed..

so, you can communicate with TCP but not with ICMP? For that the reason could be that you don't have any inspections enabled on the ASA.

For that you need the following (this is the ASA-default and ICMP enabled):

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

  inspect icmp

!

service-policy global_policy global

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

I changed the route to

route inside purch-network 255.255.255.0 10.165.11.2 1

I still can't get to the outside world (either by URL, IP or ping) from the computer connected to Gi4/5.

The ASA cant get to the Gi4/5 switchport either.

Packet trace results (Inside interface - Type IP):

10.165.11.1 --> 10.165.13.2 = Flow is denied by configured rule (inside implicit rule)

10.165.13.10 --> 10.165.11.1 = Flow is denied by configured rule (inside implicit rule)

The Syslog shows the following messages (syslog ID 106007):

Deny inbound UDP from 8.8.8.8/53 to 10.165.13.10/56964 due to DNS Response

I have all of the inspections enabled except for the h323 ones. That shouldn't be a problem since we're not dealing with voice packets...

What are your actual routes on the ASA? Please post the following output:

sh run route

On the ASA you have a configuration for NAT-Excemption:

nat (inside) 0 access-list inside_nat0_outbound

but the referenced ACL is not in your config above. Please post that ACL or remove the nat-statement if not needed.

And post the result of the following command:

packet-tracer input inside tcp 10.165.13.10 1234 1.2.3.4 80

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Here's the requested info:

asa# sh run route

route outside 0.0.0.0 0.0.0.0 A-204.xxx.xxx.17 1

route inside purch-network 255.255.255.0 10.165.11.2 1

I’ve removed the inside_nat0_outbound NAT-Exemption which was probably leftover from some other configuration attempt…

asa# packet-tracer input inside tcp 10.165.13.10 1234 1.2.3.4 8

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group inside_access_in_1 in interface inside

access-list inside_access_in_1 extended permit ip any any

Additional Information:

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside) 1 0.0.0.0 0.0.0.0

nat-control

match ip inside any outside any

   dynamic translation to pool 1 (A-204.xxx.xxx.18 [Interface PAT])

   translate_hits = 417777, untranslate_hits = 40159

Additional Information:

Dynamic translate 10.165.13.10/1234 to A-204.xxx.xxx.18/15391 using netmask 255.255.255.255

Phase: 5

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (inside) 1 0.0.0.0 0.0.0.0

nat-control

match ip inside any outside any

   dynamic translation to pool 1 (A-204.xxx.xxx.18 [Interface PAT])

   translate_hits = 417777, untranslate_hits = 40159

Additional Information:

Phase: 6

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 643746, packet dispatched to next module

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

The ASA would allow that traffic.

Can the Servers reach systems in other subnets?

Can the Server ping the ASA inside IP?

Can the Switch ping the ASA inside IP?

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

For now, I only have one computer on the 10.165.13.0 subnet which is the 10.165.13.10 one.

Ping results:

10.165.13.10 --> 10.165.13.2 – OK

10.165.13.10 --> 10.165.11.1 – Timed out

10.165.13.10 --> 10.165.10.1 – Timed out

asa# ping 10.165.13.2

Success rate is 0 percent (0/5)

switch# ping 10.165.11.1

Success rate is 100 percent (5/5)

switch# ping 10.165.13.2

Success rate is 100 percent (5/5)

switch# ping 10.165.13.10

Success rate is 0 percent (0/5)

Anything else to try?

hello

could you post the output of "show ip route" from the switch?

andy

VLAN10 shown below is not of any concern here...

switch#sh ip route
Gateway of last resort is 10.165.11.1 to network

     10.0.0.0/24 is subnetted, 3 subnets
C       10.165.13.0 is directly connected, Vlan4
C       10.165.12.0 is directly connected, Vlan10
C       10.165.11.0 is directly connected, Vlan1
S*   0.0.0.0/0 [1/0] via 10.165.11.1

hello - has this config always been on an asa or has it been migrated from a pix? if so, you could try the following

no route inside purch-network 255.255.255.0 10.165.11.2 1

no name 10.165.13.0 purch-network description Purchasing VLAN

route inside 10.165.13.0 255.255.255.0 10.165.11.2 1

hth

andy

Robert R
Level 1
Level 1

Are you doing any layer 3 stuff on the 3560?  Wondering why you have svi's on there.  If so, can you post the show run and show ip route for the 3560

Julio Carvajal
VIP Alumni
VIP Alumni

Hello Dave,

But I mean the interface connected to the ASA is a trunk so you should use sub-interface on the ASA so it can work with the trunk link ( 802.1Q)

interface Ethernet0/1

nameif inside

no ip add

Interface ethernet 0/1.4

nameif Vlan4

ip address 10.165.13.1 255.255.255.0

security-level 100

no shut

nat (Vlan4) 1 0 0

Let me know how it goes

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Review Cisco Networking for a $25 gift card