08-31-2012 06:55 AM - edited 03-07-2019 08:38 AM
Good morning!
I’m a little stumped as to why this isn’t working… That's probably because I'm not too savvy when it comes to router configs!
Basically, I have a network which has a LAN and a DMZ. Everything on my network works correctly and communications between switches, router, Internet and other internal resources flow correctly. The only thing I’m having a problem with is VLAN4…
I need to isolate a few servers and users from the LAN so I created VLAN4 on the switch. I assigned it an IP address in a different subnet and assigned ports to the VLAN. Port forwarding is configured on the switch.
For testing purposes, before this goes live, I connected a computer directly to one of the switch ports (Gi4/5) and assigned it a static IP in that subnet, the gateway being the VLAN IP. I can ping the VLAN IP but I can’t ping the router or get to the Internet…
The switch can ping 10.165.11.1 (ASA).
The ASA can ping 10.165.11.2 (switch) but it can’t ping 10.165.13.2 (VLAN4).
The ASA e0/1 is connected to switchport Gi2/20 which doesn’t have any specific config, just the default settings shown below:
Name: Gi2/20
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
The 1st step is to get Internet access. The next step will be to allow access to the Exchange server on the LAN.
There are many devices not shown on the diagram but the important ones are there…
I'd appreciate any help in getting this straight! Thanks
ASA and switch configs below (removed irrelevant info):
ASA Version 8.2(3)
!
names
name 10.165.10.6 edge description Edge server
name 10.165.11.15 hub description Hub server
name 204.xxx.xxx.21 mail-outside description Edge public
name 204.xxx.xxx.18 A-204.xxx.xxx.18 description ASA public
name 204.xxx.xxx.17 A-204.xxx.xxx.17 description Telco modem
name 10.165.13.0 purch-network description Purchasing VLAN
!
interface Ethernet0/0
nameif outside
security-level 0
ip address A-204.xxx.xxx.18 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.165.11.1 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 70
ip address 10.165.10.1 255.255.255.0
!
interface Ethernet0/3
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup dmz
dns domain-lookup management
same-security-traffic permit inter-interface
object-group service DM_INLINE_TCP_5 tcp
port-object eq www
port-object eq https
access-list outside_access_in extended permit tcp any host mail-outside eq smtp
access-list dmz_access_in extended permit tcp host edge any eq smtp
access-list inside_access_in_1 remark Implicit rule: Permit all traffic to less secure networks
access-list inside_access_in_1 extended permit ip any any
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
mtu purch 1500
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (dmz) 1 10.165.10.50-10.165.10.220 netmask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (dmz,outside) mail-outside edge netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in_1 in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 A-204.xxx.xxx.17 1
route inside purch-network 255.255.255.0 10.165.11.1 1
class-map inspection_default
match default-inspection-traffic
: end
version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime
no service password-encryption
service compress-config
service sequence-numbers
!
hostname ABC
!
boot-start-marker
boot system flash bootflash:cat4500e-ipbasek9-mz.122-52.SG.bin
boot-end-marker
!
clock timezone EST -5
clock summer-time EDT recurring
ip subnet-zero
ip domain-name something.org
ip name-server 10.165.11.13
ip name-server 10.165.11.6
!
!
vtp domain something.org
vtp mode transparent
cluster run
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 2
name OUT
!
vlan 3
name DMZ
!
vlan 4
name Purch
!
interface FastEthernet1
ip vrf forwarding mgmtVrf
no ip address
speed auto
duplex auto
!
interface GigabitEthernet2/20
description ASA LAN
!
interface GigabitEthernet4/5
description purch
switchport access vlan 4
switchport mode access
!
interface Vlan1
ip address 10.165.11.2 255.255.255.0
!
interface Vlan2
no ip address
shutdown
!
interface Vlan4
ip address 10.165.13.2 255.255.255.0
!
ip default-gateway 10.165.11.1
ip route 0.0.0.0 0.0.0.0 10.165.11.1
ip http server
ip http authentication local
no ip http secure-server
!
end
08-31-2012 07:00 AM
Your route on the ASA is pointing to itself instead of to the switch:
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.165.11.1 255.255.255.0
!
route inside purch-network 255.255.255.0 10.165.11.1 1
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
08-31-2012 07:24 AM
Thanks!
So what should the route be?
I tried with
route inside purch-network 255.255.255.0 10.165.11.2 1
and
route inside purch-network 255.255.255.0 10.165.13.2 1
Still can't ping to the outside world...
If I do an IP packet trace with any of those routes from 10.165.13.10 to 8.8.8.8, I get the following error message:
nat (inside) 1 0.0.0.0 0.0.0.0
nat-control
match ip inside any outside any
dynamic translation to pool 1 (A-204.xxx.xxx.18 [Interface PAT])
If I do a TCP packet trace from 10.165.13.10:1000 to 74.125.134.147:80, the packets are allowed...
08-31-2012 08:27 AM
The route has to use a reachable next-hop. So you only need the route
route inside purch-network 255.255.255.0 10.165.11.2 1
but not
route inside purch-network 255.255.255.0 10.165.13.2 1
If I do an IP packet trace with any of those routes from 10.165.13.10 to 8.8.8.8, I get the following error message:
nat (inside) 1 0.0.0.0 0.0.0.0
nat-control
match ip inside any outside any
dynamic translation to pool 1 (A-204.xxx.xxx.18 [Interface PAT])
That's not an error message, just info that the translation was built.
If I do a TCP packet trace from 10.165.13.10:1000 to 74.125.134.147:80, the packets are allowed..
So you can communicate with TCP but not with ICMP? The reason for that could be that you don't have any inspections enabled on the ASA.
For that you need the following (this is the ASA-default and ICMP enabled):
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
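The two replies above make the same point about the purch-network route: the next-hop must be an address the ASA can actually reach out of the named interface, not the ASA's own inside address (10.165.11.1) and not an address on a subnet the ASA has no interface in (10.165.13.2). The following script, an added example that is not code from the thread or from Cisco, parses the relevant lines of an ASA running-config (name, interface/nameif/ip address, route) and flags both of those mistakes. The helper names are hypothetical and the config text is constructed to mirror the posted one, with the public 204.x addresses replaced by documentation-range placeholders.

```python
"""Lint ASA static routes for next-hops that cannot work.

Added example (not code from the thread): parses name, interface and route
lines from an ASA config excerpt and flags a route whose next-hop is the
ASA's own interface address or lies outside the subnet of the interface the
route points out of. Helper names are hypothetical."""
import ipaddress
import re

# Constructed sample mirroring the posted config; the 204.x public address is
# replaced by a placeholder from the documentation range 203.0.113.0/24.
SAMPLE_CONFIG = """\
name 10.165.13.0 purch-network description Purchasing VLAN
name 203.0.113.18 A-203.0.113.18 description ASA public
interface Ethernet0/0
 nameif outside
 ip address A-203.0.113.18 255.255.255.240
interface Ethernet0/1
 nameif inside
 ip address 10.165.11.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.17 1
route inside purch-network 255.255.255.0 10.165.11.1 1
route inside 10.165.14.0 255.255.255.0 10.165.13.2 1
route inside 10.165.15.0 255.255.255.0 10.165.11.2 1
route purch 10.165.16.0 255.255.255.0 10.165.11.2 1
"""


def parse_config(text):
    """Return (names, interfaces, routes) from an ASA running-config excerpt."""
    names = {}        # object name -> IP string
    interfaces = {}   # nameif -> ipaddress.IPv4Interface
    routes = []       # (nameif, destination, mask, next_hop)
    current_nameif = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := re.match(r"name (\S+) (\S+)", line)):
            names[m.group(2)] = m.group(1)
        elif re.match(r"interface ", line):
            current_nameif = None            # new block; nameif not yet seen
        elif (m := re.match(r"nameif (\S+)", line)):
            current_nameif = m.group(1)
        elif (m := re.match(r"ip address (\S+) (\S+)", line)):
            if current_nameif is not None:
                addr = names.get(m.group(1), m.group(1))   # resolve name objects
                interfaces[current_nameif] = ipaddress.ip_interface(f"{addr}/{m.group(2)}")
        elif (m := re.match(r"route (\S+) (\S+) (\S+) (\S+)", line)):
            routes.append(m.groups())        # metric is ignored
    return names, interfaces, routes


def check_routes(text):
    """Return a list of (route text, verdict) pairs, one per static route."""
    names, interfaces, routes = parse_config(text)
    findings = []
    for nameif, dest, mask, gw in routes:
        gw_ip = ipaddress.ip_address(names.get(gw, gw))
        iface = interfaces.get(nameif)
        if iface is None:
            verdict = "unknown-interface"              # nameif never defined
        elif gw_ip == iface.ip:
            verdict = "next-hop-is-own-address"        # route points back at the ASA
        elif gw_ip not in iface.network:
            verdict = "next-hop-not-on-connected-subnet"
        else:
            verdict = "ok"
        findings.append((f"route {nameif} {dest} {mask} {gw}", verdict))
    return findings


if __name__ == "__main__":
    for route, verdict in check_routes(SAMPLE_CONFIG):
        print(f"{verdict:36s} {route}")
```

Run against the sample, the purch-network route is reported as pointing at the ASA's own address, the 10.165.13.2 next-hop as not on a connected subnet, and the route via 10.165.11.2 as the only usable one; the `purch` route shows how a route referencing an interface that never got a `nameif` (like the stray `mtu purch 1500` in the posted config) is caught as well.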
08-31-2012 11:16 AM
I changed the route to
route inside purch-network 255.255.255.0 10.165.11.2 1
I still can't get to the outside world (either by URL, IP or ping) from the computer connected to Gi4/5.
The ASA can't get to the Gi4/5 switchport either.
Packet trace results (Inside interface - Type IP):
10.165.11.1 --> 10.165.13.2 = Flow is denied by configured rule (inside implicit rule)
10.165.13.10 --> 10.165.11.1 = Flow is denied by configured rule (inside implicit rule)
The Syslog shows the following messages (syslog ID 106007):
Deny inbound UDP from 8.8.8.8/53 to 10.165.13.10/56964 due to DNS Response
I have all of the inspections enabled except for the h323 ones. That shouldn't be a problem since we're not dealing with voice packets...
09-01-2012 08:14 AM
What are your actual routes on the ASA? Please post the following output:
sh run route
On the ASA you have a configuration for NAT-Exemption:
nat (inside) 0 access-list inside_nat0_outbound
but the referenced ACL is not in your config above. Please post that ACL or remove the nat-statement if not needed.
And post the result of the following command:
packet-tracer input inside tcp 10.165.13.10 1234 1.2.3.4 80
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
09-04-2012 06:21 AM
Here's the requested info:
asa# sh run route
route outside 0.0.0.0 0.0.0.0 A-204.xxx.xxx.17 1
route inside purch-network 255.255.255.0 10.165.11.2 1
I’ve removed the inside_nat0_outbound NAT-Exemption which was probably leftover from some other configuration attempt…
asa# packet-tracer input inside tcp 10.165.13.10 1234 1.2.3.4 8
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in_1 in interface inside
access-list inside_access_in_1 extended permit ip any any
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
nat-control
match ip inside any outside any
dynamic translation to pool 1 (A-204.xxx.xxx.18 [Interface PAT])
translate_hits = 417777, untranslate_hits = 40159
Additional Information:
Dynamic translate 10.165.13.10/1234 to A-204.xxx.xxx.18/15391 using netmask 255.255.255.255
Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
nat-control
match ip inside any outside any
dynamic translation to pool 1 (A-204.xxx.xxx.18 [Interface PAT])
translate_hits = 417777, untranslate_hits = 40159
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 643746, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
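Reading packet-tracer output by hand means scanning every phase for the first Result that is not ALLOW and then jumping to the Action and Drop-reason at the end, which is what the earlier "Flow is denied by configured rule (inside implicit rule)" results and this allowed trace differ in. The parser below is an added example, not code from the thread or from Cisco: it walks the per-phase records and returns the final action, the number of phases run and the first denying phase. Both traces are constructed; the allowed one is a shortened version of the output above with the public address replaced by a documentation-range placeholder, and the dropped one shows the implicit-rule deny shape the poster reported.

```python
"""Summarize Cisco ASA packet-tracer output.

Added example, not from the thread: parses the per-phase records and the
final Result block and reports action, phase count, first non-ALLOW phase
and the drop reason. Traces below are constructed."""
import re

ALLOWED_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-list inside_access_in_1 extended permit ip any any
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
Additional Information:
Dynamic translate 10.165.13.10/1234 to 203.0.113.18/15391 using netmask 255.255.255.255

Result:
input-interface: inside
output-interface: outside
Action: allow
"""

DROPPED_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.165.13.0 255.255.255.0 inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_packet_tracer(output):
    """Return {'phases': [...], 'action': str|None, 'drop_reason': str|None}."""
    phases, current = [], None
    action = drop_reason = None
    for raw in output.splitlines():
        line = raw.strip()
        if (m := re.match(r"Phase:\s*(\d+)$", line)):
            current = {"phase": int(m.group(1)), "type": "", "subtype": "", "result": None}
            phases.append(current)
        elif current and (m := re.match(r"Type:\s*(.*)$", line)):
            current["type"] = m.group(1).strip()
        elif current and (m := re.match(r"Subtype:\s*(.*)$", line)):
            current["subtype"] = m.group(1).strip()
        elif current and (m := re.match(r"Result:\s*(\S+)$", line)):
            current["result"] = m.group(1)   # the bare final 'Result:' header does not match
        elif (m := re.match(r"Action:\s*(\S+)$", line)):
            action = m.group(1)
        elif (m := re.match(r"Drop-reason:\s*(.*)$", line)):
            drop_reason = m.group(1).strip()
    return {"phases": phases, "action": action, "drop_reason": drop_reason}


def summarize(output):
    """Condense a trace into the fields an operator checks first."""
    parsed = parse_packet_tracer(output)
    denied = [p for p in parsed["phases"] if p["result"] and p["result"] != "ALLOW"]
    first = denied[0] if denied else None
    return {
        "action": parsed["action"],
        "phases_run": len(parsed["phases"]),
        "first_deny": f"phase {first['phase']} {first['type']}" if first else None,
        "drop_reason": parsed["drop_reason"],
    }


if __name__ == "__main__":
    for name, trace in (("allowed", ALLOWED_TRACE), ("dropped", DROPPED_TRACE)):
        print(name, summarize(trace))
```

For the allowed trace the summary shows action `allow` with no denying phase; for the dropped one it points straight at phase 2 ACCESS-LIST and the `(acl-drop)` reason, which is the distinction the reply "The ASA would allow that traffic" draws from the full output.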
09-04-2012 06:36 AM
The ASA would allow that traffic.
Can the Servers reach systems in other subnets?
Can the Server ping the ASA inside IP?
Can the Switch ping the ASA inside IP?
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
09-04-2012 07:14 AM
For now, I only have one computer on the 10.165.13.0 subnet which is the 10.165.13.10 one.
Ping results:
10.165.13.10 --> 10.165.13.2 – OK
10.165.13.10 --> 10.165.11.1 – Timed out
10.165.13.10 --> 10.165.10.1 – Timed out
asa# ping 10.165.13.2
Success rate is 0 percent (0/5)
switch# ping 10.165.11.1
Success rate is 100 percent (5/5)
switch# ping 10.165.13.2
Success rate is 100 percent (5/5)
switch# ping 10.165.13.10
Success rate is 0 percent (0/5)
09-07-2012 10:53 AM
Anything else to try?
09-07-2012 12:13 PM
hello
could you post the output of "show ip route" from the switch?
andy
09-07-2012 12:21 PM
VLAN10 shown below is not of any concern here...
switch#sh ip route
Gateway of last resort is 10.165.11.1 to network
10.0.0.0/24 is subnetted, 3 subnets
C 10.165.13.0 is directly connected, Vlan4
C 10.165.12.0 is directly connected, Vlan10
C 10.165.11.0 is directly connected, Vlan1
S* 0.0.0.0/0 [1/0] via 10.165.11.1
09-07-2012 12:54 PM
Hello - has this config always been on an ASA or has it been migrated from a PIX? If so, you could try the following
no route inside purch-network 255.255.255.0 10.165.11.2 1
no name 10.165.13.0 purch-network description Purchasing VLAN
route inside 10.165.13.0 255.255.255.0 10.165.11.2 1
hth
andy
09-07-2012 12:49 PM
Are you doing any layer 3 stuff on the 3560? Wondering why you have SVIs on there. If so, can you post the show run and show ip route for the 3560
09-07-2012 02:35 PM
Hello Dave,
But I mean the interface connected to the ASA is a trunk, so you should use a sub-interface on the ASA so it can work with the trunk link (802.1Q)
interface Ethernet0/1
nameif inside
no ip add
Interface ethernet 0/1.4
nameif Vlan4
ip address 10.165.13.1 255.255.255.0
security-level 100
no shut
nat (Vlan4) 1 0 0
Let me know how it goes