Paul

Your suggestion about using access lists to enforce separation of traffic in vlan 100 would make sense if we were talking about a router or about a layer 3 switch. But the original post clearly says that the connection is to an ASA5505. And a basic principle of the ASA is that traffic from the lower security level (DMZ = 50) is not allowed to the higher level (inside = 100). So in this implementation both inside and DMZ should be able to get to outside, inside should be able to get to DMZ, but DMZ is not able to get to inside. No extra ACLs needed.

The original post says full security license but I am not clear what this means. Does this ASA5505 have the Plus license? The 5505 without the Plus license allows full access for two VLANs, and  puts some restrictions on the use of a third VLAN. I wonder if this might be the issue here?

Troubleshooting this will be a bit difficult, especially since many of us do not have much experience with the SG300 switches and do not know what troubleshooting tools they offer. As a first step I would suggest post the output of show arp from the ASA. Lets see if it recognizes some MAC addresses from either or both of the VLANs.

HTH

Rick

Can ping the switches on that vlan but not the asa from the switches. Yes, security plus. Sorry wrong terminology in first post. You're also correct that the acl will not help me in this situation. This is being setup to keep the thermostat etc for a customers house from accessing the LAN. I may need to open ports to this vlan in the future so trying to do this right on the initial setup. I don't even see where the ASA see's the vlan address which is a bit confusing.

inside 10.0.0.50 8434.9783.a339 6
    inside 10.0.0.225 0018.0ae1.2d80 11
    inside 10.0.0.51 ac22.0b52.54b5 53
    inside 10.0.0.100 9cad.ef00.8c96 201
    inside 10.0.0.3 bcc4.93ee.282d 265
    inside 10.0.0.2 bcc4.93ee.13e4 286
    inside 10.0.0.8 28c6.8e35.9105 10600
 

Thanks for the additional information. It helps to be clear that the 5505 does have the Plus license (sometimes we do need to be clear about terminology) so that all VLANs should be fully functional.

I find it interesting that the ASA is seeing traffic from multiple devices in VLAN 1 but nothing from VLAN 100. So first let us clarify a few things about VLAN 1 and then we will worry about VLAN 100.

- on a PC connected in VLAN 1 does arp -a show the MAC address of the ASA?

- can devices in VLAN 1 access the ASA?  (ping, telnet/SSH, HTTP/HTTPS)

- can devices in VLAN 1 access the next hop beyond the ASA? (ping, traceroute, using the IP address of the next hop)

- how are devices in VLAN 1 getting their IP address? (static configured, DHCP)

- are there devices in VLAN 100 that are active?

- how do the devices in VLAN 100 get their IP address? (static configured, DHCP)

- on a PC connected in VLAN 100 does arp -a show the MAC address of the ASA?

HTH

Rick

All addresses are static. I have a VERY small dhcp pool for someone who just plugs in. All devices on VLAN 1 get to everything route outside is set with PAT working properly. I can manage the ASA and switches from devices on VLAN aka 10.0.0.0/24. I Statically assign an address to a tv or whatever on one of the ports that has vlan 100 presented and I can ping the ASA now since I altered the gateway but I am unable to get to the internet from that VLAN. Still missing something.

This is good to know. Just to be sure that I understand correctly a PC connected in VLAN 1 is able to access resources in the Internet (specifying names and DNS resolves the name to the appropriate IP address).

So it sounds like the problem relates to VLAN 100. I am not clear how to test VLAN 100 using a tv or whatever you would normally use in VLAN 100. So can you connect a PC to a port in VLAN 100 and do testing with that PC?

If so I would like to start with a ping from the PC to the ASA address in VLAN 100. Follow that with arp -a on the PC and check whether the PC has any MAC address for the ASA. I might also suggest a test using some device in VLAN 100 and another device in VLAN 100 of the other switch. Could those devices access each other? Ping the other device and then arp -a to see if the MAC address is learned. (testing to see if VLAN 100 works on the switches, taking the ASA out of the question for now)

I am not familiar with those switches. So perhaps you can tell us what kind of tools, show commands, etc they have to allow you to check on VLAN 100?

HTH

Rick

Edited the above post when you were typing your response apparently. :)

I set a pc up on that vlan and changed the gateway. I can now ping the asa and everyone sees the mac address etc. I am still unable to get to the internet from that VLAN though. my route outside statement is a 0.0.0.0 0.0.0.0 so I am not sure why that is not delivering service.

Apparently I am reading your mind because I literally just realized my bonehead move! It's been a long night. Thank you SO much Richard!

You are very welcome. It has been an interesting discussion and I am glad that you now have it all sorted out and working. Thank you for using the rating system to mark this question as answered. This will help other readers of the forum to identify threads with helpful information.

HTH

Rick

Hello

@Richard

Apologies to all this isnt the first time this month I have either misread or interpreted the post incorrectly-

I think my token bucket is full.....

res
Paul

Paul

I have enjoyed having you as an active contributor to the forums and you have made many valued and helpful suggestions. We all (myself included) have the occasional stumble where we mis-read or mis-interpret a post. I  hope that soon your token bucket will have emptied enough that you are ready to provide answers to more questions that come up on the forums.

HTH

Rick