Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7715
Views
20
Helpful
22
Replies

Switch connected to Router cannot ping Internet

Go to solution
tylerphillippe
Level 1
Level 1

‎02-08-2017 07:49 AM - edited ‎03-08-2019 09:14 AM

Hello all,

I have an ASA 5512-X set up. It received a DHCP address from our ISP and it can ping the internet (8.8.8.8) just fine. I attached a switch to the Inside port on the router, but it CANNOT ping the internet (8.8.8.8). The router can ping the switch's attached interface, the vlans I have set up and clients on those vlans. The switch can ping the vlans and the clients and it can ping the directly attached router. When I attach a machine directly to the router, it can get to the internet just fine. I'm attaching the router and switch configuration. What am I missing here?

Labels:
Preview file
4 KB
Preview file
3 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Julio E. Moisa
VIP Alumni
VIP Alumni
In response to tylerphillippe

‎02-08-2017 09:10 AM

Just for testing purposes configure these lines on the firewall. 

access-list outside_access_in permit extended icmp any any echo
access-list outside_access_in permit extended icmp any any echo-reply

access-group outside_access_in in interface outside

access-list inside_access_in permit line 1 extended icmp any any echo
access-list inside_access_in permit line 2 extended icmp any any echo-reply

Could you pleas share the output related to the traceroutes.




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

View solution in original post

0 Helpful
22 Replies 22

Go to solution
Julio E. Moisa
VIP Alumni
VIP Alumni

‎02-08-2017 08:07 AM

Hi 

Try to use the following command lines::

object-group network INSIDE-SUBNETS
network-object 192.168.2.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0

nat (inside,outside) source dynamic INSIDE-SUBNETS interface  <-- instead of your current NAT configuration.

Always make a backup. 




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

Go to solution
tylerphillippe
Level 1
Level 1
In response to Julio E. Moisa

‎02-08-2017 08:18 AM

Julio,

I tried that config and the switch and clients still cannot get out to the Internet.

0 Helpful

Go to solution
Julio E. Moisa
VIP Alumni
VIP Alumni
In response to tylerphillippe

‎02-08-2017 08:23 AM

are you trying ping only? or from the browser? if it is icmp, probably you need to open icmp on your ACL. 

access-list inside_access_in extended permit icmp any any

access-list outside_access_in extended permit icmp any any

access-group outside_access_in in interface outside

Also execute:

show xlate

to see the translations. 

* Is good practice to use capital letters using acls.




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

Go to solution
tylerphillippe
Level 1
Level 1
In response to Julio E. Moisa

‎02-08-2017 08:23 AM

Ping from the switch and trying to get to google.com using the browser from the client computer.

0 Helpful

Go to solution
Julio E. Moisa
VIP Alumni
VIP Alumni
In response to tylerphillippe

‎02-08-2017 08:27 AM

Ok please let me double check, also enable ip routing on the switch.




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<
0 Helpful

Go to solution
tylerphillippe
Level 1
Level 1
In response to Julio E. Moisa

‎02-08-2017 08:28 AM

Okay. ip routing is already enabled on the switch.

0 Helpful

Go to solution
Julio E. Moisa
VIP Alumni
VIP Alumni
In response to Julio E. Moisa

‎02-08-2017 08:29 AM

I saw the problem

You need to create default route on the firewall. 

route outside 0 0 <IP of your next hop>




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<
0 Helpful

Go to solution
Julio E. Moisa
VIP Alumni
VIP Alumni
In response to Julio E. Moisa

‎02-08-2017 08:30 AM

that default route should fix the problem




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<
0 Helpful

Go to solution
tylerphillippe
Level 1
Level 1
In response to Julio E. Moisa

‎02-08-2017 08:39 AM

That didn't work. The router has an IP from DHCP from the ISP and it was automatically adding the default route. But, I manually added it and the client still cannot get to google.com. The ASA can still ping 8.8.8.8

0 Helpful

Go to solution
Julio E. Moisa
VIP Alumni
VIP Alumni
In response to tylerphillippe

‎02-08-2017 08:43 AM

if you execute a traceroute from your firewall to 8.8.8.8 can you see your next hop IP? so that IP should be configured on the default route. 




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<
0 Helpful

Go to solution
tylerphillippe
Level 1
Level 1
In response to Julio E. Moisa

‎02-08-2017 08:53 AM

That didn't work either. Stopped all traffic from the ASA. 

0 Helpful

Go to solution
andrewswanson
Level 7
Level 7
In response to tylerphillippe

‎02-08-2017 08:58 AM

When you ping from the switch, the source ip will be 192.168.0.2. Can you ping google.com from the switch using one of your SVIs?

ping 8.8.8.8 source vlan 2

hth
Andy

0 Helpful

Go to solution
tylerphillippe
Level 1
Level 1
In response to andrewswanson

‎02-08-2017 09:04 AM

No dice. No connection from vlan 2's interface either.

0 Helpful

Go to solution
Julio E. Moisa
VIP Alumni
VIP Alumni
In response to tylerphillippe

‎02-08-2017 09:10 AM

Just for testing purposes configure these lines on the firewall. 

access-list outside_access_in permit extended icmp any any echo
access-list outside_access_in permit extended icmp any any echo-reply

access-group outside_access_in in interface outside

access-list inside_access_in permit line 1 extended icmp any any echo
access-list inside_access_in permit line 2 extended icmp any any echo-reply

Could you pleas share the output related to the traceroutes.




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<
0 Helpful
Customers Also Viewed These Support Documents