Oh woe is me

crash5050
Level 1

After reading a reply from Jon Marshall, I scrapped the router and put all of my L3 subinterfaces on the ASA, hooked it up to a trunk port on my switch, and all of my VLANs came up. I can ping from the host through the switch to the VLAN gateway on the ASA, but I cannot seem to get out to the internet. I have 4 VLANs, all seem to be working, and the public VLAN is the only VLAN that should have outside access. Attached is the config.

Thanks for looking.

David

1 Accepted Solution

Accepted Solutions

David

Just noticed something else. Your security levels are all set to 0. Can you set the security level of public to 100 and retest. Only the outside interface is usually set to 0. You will probably need to change the security levels on your other internal vlans at some stage but we should try and get internet connectivity working first.

Jon


16 Replies

Jon Marshall
Hall of Fame

David

Don't despair

You have an outside interface and a public interface in the same subnet. Which is the actual interface connecting to the internet?

*** Edit - you don't actually have them in the same subnet, but it looks from your config as though the public vlan is the vlan connecting to the internet. So you may need

global (public) 1 interface

and then the nat statements below.

Can you confirm which interface connects to the internet. It should be the physical interface and not a vlan interface, so it's a bit confusing.

Your nat statements -

global (outside) 1 interface

nat (public) 1 0.0.0.0 0.0.0.0

if the outside interface is the one connecting to the internet then you need to change the nat to -

nat (vmotion) 1 0.0.0.0 0.0.0.0

nat (private) 1 0.0.0.0 0.0.0.0

etc. for each of your internal vlans that you want to access the internet.

Finally, your acl is only allowing ping, so I assume this is how you are testing?

Jon

The outside interface is 10.25.240.4, which is connecting to the router at 10.25.240.1. The inside interface (public) is 10.25.241.1, which will be the inside interface for all of my hosts.

David

David

Not sure I understand. Surely the subinterfaces, e.g. vmotion/private etc., will be the interfaces for your hosts. The way it works is that each vlan has a subinterface on your ASA and the clients in that vlan use that subinterface as their gateway. So you need to -

1) change your default-route ie. currently it is -

route outside 0.0.0.0 0.0.0.0 10.25.241.1 1

but that next-hop is in the public subnet. It should be -

route outside 0.0.0.0 0.0.0.0 10.25.240.x  <-- presumably you know what the "x" is

2) change nat statements and global ie.

global (outside) 1 interface

nat (vmotion) 1 0.0.0.0 0.0.0.0  <-- do this for each of the vlans you want to access the internet

Jon

Now I am really confused. I have a nat (public) 1 0.0.0.0 0.0.0.0 statement in there, and that is the only vlan that needs outside access. From the console of the ASA I can ping 10.25.240.1, which is the telco router, but if I hook a host up on a port on the 3500 that is assigned to the 804 vlan and assign it a static IP, it will not ping through to 240.1, nor will it make the trip outside the ASA.

David

Ah okay, apologies for confusing the issue.

Change your default route from -

route outside 0.0.0.0 0.0.0.0 10.25.241.1

to

route outside 0.0.0.0 0.0.0.0 10.25.240.1

Jon

The Vmotion interface is for the ESX servers to do the failover thing they do, the management is just for my management console and the management ports on the servers, and the private is just for my iSCSI interfaces to my SAN. 804 is the only vlan that is going to have outside access.

Understood. Can you change the route and retest?

Jon

That is a no-go at this station

Okay. Can you post updated config of the ASA +

1) can you confirm that you can ping the public vlan interface from a client in the public vlan?

2) can you specify which IP address you are pinging from? You are using ping, aren't you?

Jon

I can ping the VLAN 804 interface from the client. I am pinging from 10.25.241.3. However, I cannot ping 10.25.241.3 from the console on the ASA, but I can ping 10.25.240.1 from the ASA console.

Here is the updated config.

David

Okay, can you remove this line from config -

global (public) 1 interface

it's not needed, and it was my initial confusion that meant it was in there.

Rest of config looks good. Can you try accessing a web page from your client and see what happens?

Jon

Removed that line; I cannot ping my 10.25.241.1 gateway, which leads to the symptom of not being able to browse the web.

David

Cannot ping 10.25.241.1 from where?

Can you change security level and try again.

Jon

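The three problems the thread worked through (a default-route next hop on the wrong subnet, a `global` on a non-outside interface, and every interface at security-level 0) are all visible in the running config, so they can be checked mechanically before anyone starts pinging. The audit below is an added example, not code from the thread or from Cisco; the addresses and nameifs are the thread's, the physical interface names and the ASA 8.2-style excerpt are constructed.

```python
import ipaddress, re

# Constructed ASA 8.2-style excerpt with the three problems the thread found
# (interface names are assumed; the addresses and nameifs are the thread's).
BROKEN = """
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.25.240.4 255.255.255.0
interface GigabitEthernet0/1.804
 nameif public
 security-level 0
 ip address 10.25.241.1 255.255.255.0
global (outside) 1 interface
global (public) 1 interface
nat (public) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 10.25.241.1 1
"""

def parse(cfg):
    # Per-nameif security level and subnet, plus the global/nat pairs and default routes.
    ifaces, rules, routes, cur = {}, {"global": [], "nat": []}, [], None
    for raw in cfg.splitlines():
        s = raw.strip()
        if s.startswith("interface "):
            cur = {"sec": 0}
        elif cur and s.startswith("nameif "):
            ifaces[s.split()[1]] = cur
        elif cur and s.startswith("security-level "):
            cur["sec"] = int(s.split()[1])
        elif cur and s.startswith("ip address "):
            cur["net"] = ipaddress.ip_interface("{}/{}".format(*s.split()[2:4])).network
        elif m := re.match(r"(global|nat) \((\S+)\) (\d+)", s):
            rules[m[1]].append((m[2], int(m[3])))
        elif m := re.match(r"route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", s):
            routes.append((m[1], ipaddress.ip_address(m[2])))
    return ifaces, rules, routes

def audit(cfg):
    # Returns a list of findings; an empty list means all four checks pass.
    (ifaces, rules, routes), out = parse(cfg), []
    egress = {name for name, _ in routes}
    for name, nh in routes:  # the default-route next hop must sit on the egress subnet
        if name in ifaces and nh not in ifaces[name]["net"]:
            out.append(f"route {name}: next hop {nh} is not in {ifaces[name]['net']}")
    for name, gid in rules["global"]:  # global belongs on the egress interface only
        if name not in egress:
            out.append(f"global ({name}) {gid}: {name} is not the default-route egress")
    for name, gid in rules["nat"]:  # every nat id needs a matching global on the egress side
        if not any(g in egress and i == gid for g, i in rules["global"]):
            out.append(f"nat ({name}) {gid}: no global {gid} on an egress interface")
    for name, i in ifaces.items():  # inside levels must be higher than the outside level
        if name not in egress and any(i["sec"] <= ifaces[e]["sec"] for e in egress if e in ifaces):
            out.append(f"{name}: security-level {i['sec']} is not higher than outside")
    return out
```

Running `audit(BROKEN)` reports the route, the stray `global (public)` and the security level; applying Jon's three changes (next hop 10.25.240.1, remove the public global, public at security-level 100) makes it return an empty list.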
