07-07-2019 11:36 PM
Hi All, I need your expert advice on this one problem I have at the moment. I have a 48-port Core Switch 3750G, stacked. I have configured an Active Directory server with DHCP on it inside an ESXi host. I have added 2 VLANs: 1) for Servers, 2) Users, and now if I assign a specific port to the User's VLAN it can get an IP address but can't get through the interweb, but for the Server's VLAN I have no problem at all. 192.168.0.33 - Domain Controller; Firewall - 192.168.0.254.
My configuration below:
----------------------------------------------------------------
ip routing
ip name-server 192.168.0.33
----------------------------------------------------------------
interface GigabitEthernet1/0/1
description ASA5515x-FW-"192.168.0.254"
switchport access vlan 10
switchport mode access
----------------------------------------------------------------
interface GigabitEthernet2/0/2
description LAPTOP1
switchport access vlan 10
switchport mode access
interface GigabitEthernet2/0/3
description LAPTOP2
switchport access vlan 30
switchport mode access
----------------------------------------------------------------
interface GigabitEthernet1/0/48
description ESXi-NIC0-DC
switchport access vlan 10
switchport mode access
interface GigabitEthernet2/0/48
description ESXi-NIC1-DC
switchport access vlan 10
switchport mode access
----------------------------------------------------------------
interface Vlan1
ip address 192.168.1.1 255.255.255.0
!
interface Vlan10
description Servers
ip address 192.168.0.1 255.255.255.0
ip helper-address 192.168.0.33
!
interface Vlan30
description Users
ip address 192.168.30.1 255.255.255.0
ip helper-address 192.168.0.33
----------------------------------------------------------------
router eigrp 1
eigrp stub connected summary
network 192.168.1.0
network 192.168.0.0
network 192.168.30.0
ip route 0.0.0.0 0.0.0.0 192.168.0.254
Thank you so much; any help would do.
07-07-2019 11:48 PM
Hi there,
What device is 192.168.0.254? A firewall/router? Is there anything beyond that toward the ISP?
You are advertising your routes to this device, do they all appear in its routing table?
Is this device performing NAT? Is it configured to NAT for the User VLAN?
cheers,
Seb.
07-07-2019 11:58 PM
Hi Sir,
What device is 192.168.0.254? A firewall/router? Is there anything beyond that toward the ISP? - It is the firewall IP, and anything beyond my firewall is the Internet already.
You are advertising your routes to this device, do they all appear in its routing table?
Here are the FW route results:
S* 0.0.0.0 0.0.0.0 [1/0] via 1*7.2*.19*.*, outside
V 10.0.0.2 255.255.255.255 connected by VPN, outside
C *7.2*.19*.* 255.255.255.248 is directly connected, outside
L *7.2*.19*.* 255.255.255.255 is directly connected, outside
C 192.168.0.0 255.255.255.0 is directly connected, inside
L 192.168.0.254 255.255.255.255 is directly connected, inside
Is this device performing NAT? Is it configured to NAT for the User VLAN? - my FW does the NAT
Thank you for your response.
07-08-2019 12:35 AM
Quick look: if you are having issues with VLAN 10 and VLAN 30, you do not have a route back in the FW towards the network.
Also check the NAT configuration on the FW for the VLAN 10 and VLAN 30 IP addresses in the xlate config.
07-08-2019 12:57 AM - edited 07-08-2019 01:01 AM
Hi Sir, this is what I got from the xlate.
# sh xlate
3 in use, 847 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from inside:0.0.0.0/0 to outside:0.0.0.0/0
flags sIT idle 0:00:04 timeout 0:00:00
NAT from outside:10.0.0.0/25 to inside:10.0.0.0/25
flags sIT idle 0:00:04 timeout 0:00:00
NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0
flags sIT idle 496:08:48 timeout 0:00:00
#show conn long
24 in use, 478 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
B - initial SYN from outside, b - TCP state-bypass or nailed,
C - CTIQBE media, c - cluster centralized,
D - DNS, d - dump, E - outside back connection, e - semi-distributed,
F - outside FIN, f - inside FIN,
G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
k - Skinny media, L - LISP triggered flow owner mobility
l - local director/backup stub flow
M - SMTP data, m - SIP media, n - GUP
N - inspected by Snort
O - outbound data, o - offloaded,
P - inside back connection,
Q - Diameter, q - SQL*Net data,
R - outside acknowledged FIN,
R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
s - awaiting outside SYN, T - SIP, t - SIP transient, U - up, u - STUN,
V - VPN orphan, v - M3UA W - WAAS,
w - secondary domain backup,
X - inspected by service module,
x - per session, Y - director stub flow, y - backup stub flow,
Z - Scansafe redirection, z - forwarding stub flow
UDP outside: 10.0.0.2/62557 (10.0.0.2/62557) inside: 192.168.0.33/53 (192.168.0.33/53), flags - , idle 0s, uptime 0s, timeout 2m0s, bytes 41, xlate id 0x7f94349df800
UDP outside: 10.0.0.2/57709 (10.0.0.2/57709) inside: 192.168.0.33/53 (192.168.0.33/53), flags - , idle 3s, uptime 10s, timeout 2m0s, bytes 144, xlate id 0x7f94349df800
UDP outside: 10.0.0.2/62124 (10.0.0.2/62124) inside: 192.168.0.33/53 (192.168.0.33/53), flags - , idle 4s, uptime 11s, timeout 2m0s, bytes 120, xlate id 0x7f94349df800
UDP outside: 10.0.0.2/64992 (10.0.0.2/64992) inside: 192.168.0.33/53 (192.168.0.33/53), flags - , idle 4s, uptime 11s, timeout 2m0s, bytes 244, xlate id 0x7f94349df800
UDP outside: 10.0.0.2/49815 (10.0.0.2/49815) inside: 192.168.0.33/53 (192.168.0.33/53), flags - , idle 4s, uptime 11s, timeout 2m0s, bytes 140, xlate id 0x7f94349df800
UDP outside: 10.0.0.2/62855 (10.0.0.2/62855) inside: 192.168.0.33/53 (192.168.0.33/53), flags - , idle 4s, uptime 11s, timeout 2m0s, bytes 128, xlate id 0x7f94349df800
UDP outside: 10.0.0.2/59102 (10.0.0.2/59102) inside: 192.168.0.33/53 (192.168.0.33/53), flags - , idle 4s, uptime 11s, timeout 2m0s, bytes 144, xlate id 0x7f94349df800
UDP outside: 10.0.0.2/50568 (10.0.0.2/50568) inside: 192.168.0.33/53 (192.168.0.33/53), flags - , idle 34s, uptime 41s, timeout 2m0s, bytes 188, xlate id 0x7f94349df800
UDP outside: 10.0.0.2/61693 (10.0.0.2/61693) inside: 192.168.0.33/53 (192.168.0.33/53), flags - , idle 40s, uptime 47s, timeout 2m0s, bytes 120, xlate id 0x7f94349df800
UDP outside: 10.0.0.2/50807 (10.0.0.2/50807) inside: 192.168.0.33/53 (192.168.0.33/53), flags - , idle 46s, uptime 53s, timeout 2m0s, bytes 184, xlate id 0x7f94349df800
UDP outside: 10.0.0.2/64386 (10.0.0.2/64386) inside: 192.168.0.33/53 (192.168.0.33/53), flags - , idle 51s, uptime 58s, timeout 2m0s, bytes 120, xlate id 0x7f94349df800
UDP outside: 10.0.0.2/59072 (10.0.0.2/59072) inside: 192.168.0.33/53 (192.168.0.33/53), flags - , idle 1m2s, uptime 1m9s, timeout 2m0s, bytes 148, xlate id 0x7f94349df800
UDP outside: 10.0.0.2/54787 (10.0.0.2/54787) inside: 192.168.0.33/53 (192.168.0.33/53), flags - , idle 1m12s, uptime 1m15s, timeout 2m0s, bytes 192, xlate id 0x7f94349df800
UDP outside: 10.0.0.2/63908 (10.0.0.2/63908) inside: 192.168.0.33/53 (192.168.0.33/53), flags - , idle 1m16s, uptime 1m22s, timeout 2m0s, bytes 183, xlate id 0x7f94349df800
UDP outside: 10.0.0.2/64848 (10.0.0.2/64848) inside: 192.168.0.33/53 (192.168.0.33/53), flags - , idle 1m33s, uptime 1m39s, timeout 2m0s, bytes 120, xlate id 0x7f94349df800
UDP outside: 10.0.0.2/50552 (10.0.0.2/50552) inside: 192.168.0.33/53 (192.168.0.33/53), flags - , idle 1m33s, uptime 1m39s, timeout 2m0s, bytes 147, xlate id 0x7f94349df800
UDP outside: 10.0.0.2/50058 (10.0.0.2/50058) inside: 192.168.0.33/53 (192.168.0.33/53), flags - , idle 1m33s, uptime 1m39s, timeout 2m0s, bytes 147, xlate id 0x7f94349df800
UDP outside: 10.0.0.2/51449 (10.0.0.2/51449) inside: 192.168.0.33/53 (192.168.0.33/53), flags - , idle 1m33s, uptime 1m39s, timeout 2m0s, bytes 144, xlate id 0x7f94349df800
UDP outside: 10.0.0.2/65312 (10.0.0.2/65312) inside: 192.168.0.33/53 (192.168.0.33/53), flags - , idle 1m59s, uptime 2m6s, timeout 2m0s, bytes 180, xlate id 0x7f94349df800
# sh nat detail
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static any any destination static NETWORK_OBJ_10.0.0.0_25 NETWORK_OBJ_10.0.0.0_25 no-proxy-arp route-lookup
translate_hits = 25192, untranslate_hits = 27076
Source - Origin: 0.0.0.0/0, Translated: 0.0.0.0/0
Destination - Origin: 10.0.0.0/25, Translated: 10.0.0.0/25
Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic INSIDE_NETS interface
translate_hits = 904021, untranslate_hits = 48920
Source - Origin: 192.168.0.0/16, Translated: 1*7.2*.19*.1*/29
Manual NAT Policies (Section 3)
1 (inside) to (outside) source dynamic any interface
translate_hits = 364, untranslate_hits = 156
Source - Origin: 0.0.0.0/0, Translated: 1*7.2*.19*.1*/29
07-08-2019 01:53 AM
I think you need to add this to your firewall:
!
route inside 192.168.30.0 255.255.255.0 192.168.0.1
!
object-group network INSIDE_NETS
 network-object 192.168.30.0 255.255.255.0
!
cheers,
Seb.
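To make the diagnosis in this thread checkable, here is an added example (not code from the thread or from Cisco) that models the two things the accepted answer changes on the ASA: the return route and the NAT coverage for the new User VLAN. It parses the `show route` output as posted, does the longest-prefix lookup the firewall does for a reply packet, and checks the client address against the source networks of the dynamic NAT policy. The masked public addresses are replaced with the documentation prefix 203.0.113.0/29 (an assumption), and the inside-net list comes from the `sh nat detail` origin shown above.

```python
# Added example, not from the thread: model the ASA's return-path and NAT checks
# for a new inside subnet so the "no route back to VLAN 30" diagnosis is reproducible.
import ipaddress

# Constructed from the 'show route' output posted in the thread; the masked
# public addresses are replaced with 203.0.113.0/29 (assumption, documentation range).
SHOW_ROUTE = """\
S* 0.0.0.0 0.0.0.0 [1/0] via 203.0.113.1, outside
V 10.0.0.2 255.255.255.255 connected by VPN, outside
C 203.0.113.0 255.255.255.248 is directly connected, outside
L 203.0.113.2 255.255.255.255 is directly connected, outside
C 192.168.0.0 255.255.255.0 is directly connected, inside
L 192.168.0.254 255.255.255.255 is directly connected, inside
"""

# Source origin of the INSIDE_NETS auto-NAT policy, as shown by 'sh nat detail'.
INSIDE_NETS = ["192.168.0.0/16"]


def parse_routes(text):
    """Return a list of (network, egress_interface) from ASA-style 'show route' lines."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        try:
            # ASA prints network and mask as two separate tokens
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        except ValueError:
            continue
        routes.append((net, parts[-1]))  # interface name is the last token
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the most specific route wins, like the ASA's FIB."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def return_path_ok(routes, client_ip, inside_iface="inside"):
    """True if replies to client_ip leave through the inside interface."""
    hit = lookup(routes, client_ip)
    return hit is not None and hit[1] == inside_iface


def nat_covers(nat_sources, client_ip):
    """True if client_ip falls inside a source network of the dynamic NAT policy."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(n) for n in nat_sources)


def add_static_route(routes, network, mask, iface="inside"):
    """Model of 'route inside <network> <mask> <gateway>' from the accepted answer."""
    return routes + [(ipaddress.ip_network(f"{network}/{mask}"), iface)]


def diagnose(routes, nat_sources, client_ip):
    """Both checks must pass for a host on a new VLAN to reach the Internet."""
    return {
        "return_route": return_path_ok(routes, client_ip),
        "nat": nat_covers(nat_sources, client_ip),
    }


if __name__ == "__main__":
    routes = parse_routes(SHOW_ROUTE)
    client = "192.168.30.50"  # constructed: a DHCP client on the User VLAN
    print("before fix:", diagnose(routes, INSIDE_NETS, client))
    routes = add_static_route(routes, "192.168.30.0", "255.255.255.0")
    print("after fix: ", diagnose(routes, INSIDE_NETS, client))
```

With the routes as posted, a 192.168.30.x reply matches only the default route and is sent out the outside interface, which is the asymmetric path the replies above point at; adding the `route inside` line flips that check. Because the INSIDE_NETS origin in the `sh nat detail` output is already 192.168.0.0/16, the NAT check passes even before the object-group is extended; it would only fail if INSIDE_NETS had been a single /24.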
07-08-2019 05:15 PM
object-group network INSIDE_NETS
 network-object 192.168.30.0 255.255.255.0
The above answer was the total solution. Thank you so much, sir, for your help; it was a great one. I am not so familiar with ASA devices, so now I know. Thank you.
07-08-2019 03:13 AM
Since we do not have visibility of the FW configuration, I suggest you provide the firewall config so we can review it and suggest the required amendments.