second VLAN can't connect to the internet

Herald Sison (Level 3)

Hi All, I need your expert advice on this one problem I have at the moment. I have a 48-port Core Switch 3750G in a stack. I have configured an Active Directory server with DHCP on it inside an ESXi host. I have added 2 VLANs: 1) for Servers, 2) Users, and now if I assign a specific port to access the Users' VLAN it can get an IP address but can't get through to the interweb, but for the Servers' VLAN I have no problem at all. 192.168.0.33 - Domain Controller; Firewall - 192.168.0.254.

my configuration below:

----------------------------------------------------------------
ip routing
ip name-server 192.168.0.33
----------------------------------------------------------------
interface GigabitEthernet1/0/1
 description ASA5515x-FW-"192.168.0.254"
 switchport access vlan 10
 switchport mode access
----------------------------------------------------------------
interface GigabitEthernet2/0/2
 description LAPTOP1
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet2/0/3
 description LAPTOP2
 switchport access vlan 30
 switchport mode access
----------------------------------------------------------------
interface GigabitEthernet1/0/48
 description ESXi-NIC0-DC
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet2/0/48
 description ESXi-NIC1-DC
 switchport access vlan 10
 switchport mode access
----------------------------------------------------------------
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan10
 description Servers
 ip address 192.168.0.1 255.255.255.0
 ip helper-address 192.168.0.33
!
interface Vlan30
 description Users
 ip address 192.168.30.1 255.255.255.0
 ip helper-address 192.168.0.33
----------------------------------------------------------------
router eigrp 1
 eigrp stub connected summary
 network 192.168.1.0
 network 192.168.0.0
 network 192.168.30.0
!
ip route 0.0.0.0 0.0.0.0 192.168.0.254


Thank you so much, any help would do.

Accepted Solution

I think you need to add this to your firewall:

!
route inside 192.168.30.0 255.255.255.0 192.168.0.1
!
object-group network INSIDE_NETS
  network-object 192.168.30.0 255.255.255.0
!

cheers,

Seb.
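The accepted fix gives the firewall two things for the Users subnet: a return route via the switch SVI and membership in the NAT source object. The script below is an added example, not code from this thread or from Cisco; it audits each SVI subnet posted above against both conditions, with the masked outside addresses replaced by the documentation prefix 203.0.113.0/29 and the pre-fix contents of INSIDE_NETS assumed to be the server subnet alone (neither is shown in the thread).

```python
# Added example, not from this thread: audit each core-switch SVI subnet against
# the firewall's routing table and NAT source object, the two things the accepted
# solution adds for VLAN 30. Tables are constructed from the posted values.
import ipaddress

# Firewall routes as (prefix, interface, next_hop); None = directly connected.
FW_ROUTES_BEFORE = [
    ("0.0.0.0/0", "outside", "203.0.113.1"),   # S* default toward the ISP
    ("203.0.113.0/29", "outside", None),       # C outside segment (placeholder)
    ("192.168.0.0/24", "inside", None),        # C inside segment, VLAN 10
]
# Accepted solution: route inside 192.168.30.0 255.255.255.0 192.168.0.1
FW_ROUTES_AFTER = FW_ROUTES_BEFORE + [("192.168.30.0/24", "inside", "192.168.0.1")]
# INSIDE_NETS contents before the fix are not shown in the thread; assumed to be
# the server subnet only. The fix adds network-object 192.168.30.0/24.
NAT_BEFORE = ["192.168.0.0/24"]
NAT_AFTER = NAT_BEFORE + ["192.168.30.0/24"]
SWITCH_SVIS = {"Vlan10 Servers": "192.168.0.0/24", "Vlan30 Users": "192.168.30.0/24"}


def lookup(dst, routes):
    """Longest-prefix match for destination network dst; returns a route tuple."""
    best = None
    for prefix, iface, nh in routes:
        net = ipaddress.ip_network(prefix)
        if dst.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, nh)
    return best or (None, None, None)


def check_vlan(subnet, routes, nat_nets, inside_if="inside"):
    """Report whether return traffic to subnet has an inside route and NAT coverage."""
    dst = ipaddress.ip_network(subnet)
    net, iface, nh = lookup(dst, routes)
    # Matching only the default route means replies leave toward the ISP and
    # never reach the SVI on the switch, which is the VLAN 30 symptom.
    route_ok = iface == inside_if
    if route_ok and nh is not None:
        # A static next hop must itself be on a directly connected inside prefix.
        route_ok = any(i == inside_if and n is None and
                       ipaddress.ip_address(nh) in ipaddress.ip_network(p)
                       for p, i, n in routes)
    nat_ok = any(dst.subnet_of(ipaddress.ip_network(n)) for n in nat_nets)
    return {"route": f"{net} via {iface}", "route_ok": route_ok, "nat_ok": nat_ok}


def audit(routes, nat_nets):
    """Run check_vlan for every SVI subnet, keyed by the SVI description."""
    return {name: check_vlan(s, routes, nat_nets) for name, s in SWITCH_SVIS.items()}
```

Running `audit(FW_ROUTES_BEFORE, NAT_BEFORE)` flags VLAN 30 on both checks while VLAN 10 passes, and `audit(FW_ROUTES_AFTER, NAT_AFTER)` clears both.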

7 Replies

Seb Rupik (VIP Alumni)

Hi there,

What device is 192.168.0.254? A firewall/router? Is there anything beyond that toward the ISP?

You are advertising your routes to this device; do they all appear in its routing table?

Is this device performing NAT? Is it configured to NAT for the User VLAN?

cheers,

Seb.

Hi Sir,

What device is 192.168.0.254? A firewall/router? Is there anything beyond that toward the ISP? - It is the firewall IP, and anything beyond my firewall is the Internet already.

You are advertising your routes to this device; do they all appear in its routing table?

Here are the FW route results:

S* 0.0.0.0 0.0.0.0 [1/0] via 1*7.2*.19*.*, outside
V 10.0.0.2 255.255.255.255 connected by VPN, outside
C *7.2*.19*.* 255.255.255.248 is directly connected, outside
L *7.2*.19*.* 255.255.255.255 is directly connected, outside
C 192.168.0.0 255.255.255.0 is directly connected, inside
L 192.168.0.254 255.255.255.255 is directly connected, inside

Is this device performing NAT? Is it configured to NAT for the User VLAN? - My FW does the NAT.

Thank you for your response.

Quick look: if you are having an issue with VLAN 10 and VLAN 30, you do not have a route back in the FW towards the network.

Also check the NAT configuration on the FW for the VLAN 10 and 30 IP addresses in the xlate config.

BB


Hi Sir, this is what I got from the xlate:

# sh xlate
3 in use, 847 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from inside:0.0.0.0/0 to outside:0.0.0.0/0
flags sIT idle 0:00:04 timeout 0:00:00
NAT from outside:10.0.0.0/25 to inside:10.0.0.0/25
flags sIT idle 0:00:04 timeout 0:00:00
NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0
flags sIT idle 496:08:48 timeout 0:00:00

# sh nat detail
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static any any destination static NETWORK_OBJ_10.0.0.0_25 NETWORK_OBJ_10.0.0.0_25 no-proxy-arp route-lookup
translate_hits = 25192, untranslate_hits = 27076
Source - Origin: 0.0.0.0/0, Translated: 0.0.0.0/0
Destination - Origin: 10.0.0.0/25, Translated: 10.0.0.0/25

Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic INSIDE_NETS interface
translate_hits = 904021, untranslate_hits = 48920
Source - Origin: 192.168.0.0/16, Translated: 1*7.2*.19*.1*/29

Manual NAT Policies (Section 3)
1 (inside) to (outside) source dynamic any interface
translate_hits = 364, untranslate_hits = 156
Source - Origin: 0.0.0.0/0, Translated: 1*7.2*.19*.1*/29


 

object-group network INSIDE_NETS
  network-object 192.168.30.0 255.255.255.0

The above answer was the total solution. Thank you so much, sir, for your help; it was a great one. I am not so familiar with ASA devices, so now I know. Thank you.

Since we do not have visibility of the FW configuration, I suggest providing the firewall config so we can review it and suggest the required amendments.

BB
