VLAN can't get to Internet

sonitadmin

Have multiple Catalyst 2960S switches, Cisco 2911 router and ASA 5510 firewall.

On the router have subinterfaces created for the VLAN's

Int FA0.0/41 for wireless VLAN setup with IP 10.10.41.100

Int FA0.0/60 for new Voice VLAN setup with IP 10.10.60.100

Internal network is 10.10.10.0/24 and LAN IP of router is 10.10.10.100

Have default route setup to push traffic from the router to the firewall ip route 0.0.0.0 0.0.0.0 10.10.10.251

On the firewall have added the new VLAN 10 (10.10.60.0) to the network object-group

Have configured route inside command route 10.10.60.0 255.255.255.0 10.10.10.100 1

Have also added the NAT command nat (inside) 1 10.10.60.0 255.255.255.0

On the 2960 I have my laptop connected to port 45 and I have it configured as follows

switchport mode access

switchport access vlan 10

I assign my computer a static IP address of 10.10.60.84/255.255.255.0/10.10.60.100 with 10.10.10.11 as DNS server. When I do this, I can ping anything on the 10.10.60.0 network, I can ping anything on the LAN 10.10.10.0 network. I am able to connect MSN messenger, I am able to do NSLOOKUP and get outside IP addresses to resolve. I am unable to browse the Internet though. I am not sure where the problem is at though. It doesn't make sense to me, as it is setup the same way as VLAN 41 which is the wireless network, and when users connect to that, they get out to the Internet with no issues.

Anyone have any advice on what to look at or where the problem may be?  I'd appreciate any help I can get on this.

Thanks!


Jon Marshall

What happens if -

1) you do a traceroute to an internet address

2) you try to access a web page by its IP address and not the URL

3) do you have an acl on the inside interface of your firewall

Jon

Jon,

Thanks for quick reply.

1) traceroute to an internet address shows first hop as 10.10.60.100 which would be correct and then next hop to gateway address of ISP and then on to other hops.  So it does get through and resolves correctly.

2) Have tried by URL and IP, neither one will work.

3) yes there is an acl on the inside interface, it is below:

access-list INSIDEACL extended permit tcp host 10.10.10.202 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.10.206 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.180 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.181 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.182 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.183 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.184 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.185 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.186 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.187 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.188 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.189 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.190 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.191 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.192 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.193 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.194 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.195 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.196 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.197 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.198 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.199 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.200 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.201 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.202 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.203 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.204 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.205 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.206 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.207 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.208 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.209 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.210 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.211 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.212 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.213 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.214 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.215 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.216 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.217 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.218 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.219 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.220 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.221 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.222 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.223 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.224 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.225 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.226 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.227 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.228 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.229 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.230 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.231 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.232 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.233 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.234 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.235 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.236 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.237 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.238 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.239 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.240 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.241 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.242 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.243 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.244 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.245 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.246 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.247 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.248 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp host 10.10.20.249 host 192.168.30.2 eq www

access-list INSIDEACL extended permit tcp 10.10.50.0 255.255.255.0 host 192.168.30.2 eq www

access-list INSIDEACL extended deny tcp host 10.10.10.202 any

access-list INSIDEACL extended deny tcp host 10.10.10.206 any

access-list INSIDEACL extended deny tcp host 10.10.20.180 any

access-list INSIDEACL extended deny tcp host 10.10.20.181 any

access-list INSIDEACL extended deny tcp host 10.10.20.182 any

access-list INSIDEACL extended deny tcp host 10.10.20.183 any

access-list INSIDEACL extended deny tcp host 10.10.20.184 any

access-list INSIDEACL extended deny tcp host 10.10.20.185 any

access-list INSIDEACL extended deny tcp host 10.10.20.186 any

access-list INSIDEACL extended deny tcp host 10.10.20.187 any

access-list INSIDEACL extended deny tcp host 10.10.20.188 any

access-list INSIDEACL extended deny tcp host 10.10.20.189 any

access-list INSIDEACL extended deny tcp host 10.10.20.190 any

access-list INSIDEACL extended deny tcp host 10.10.20.191 any

access-list INSIDEACL extended deny tcp host 10.10.20.192 any

access-list INSIDEACL extended deny tcp host 10.10.20.193 any

access-list INSIDEACL extended deny tcp host 10.10.20.194 any

access-list INSIDEACL extended deny tcp host 10.10.20.195 any

access-list INSIDEACL extended deny tcp host 10.10.20.196 any

access-list INSIDEACL extended deny tcp host 10.10.20.197 any

access-list INSIDEACL extended deny tcp host 10.10.20.198 any

access-list INSIDEACL extended deny tcp host 10.10.20.199 any

access-list INSIDEACL extended deny tcp host 10.10.20.200 any

access-list INSIDEACL extended deny tcp host 10.10.20.201 any

access-list INSIDEACL extended deny tcp host 10.10.20.202 any

access-list INSIDEACL extended deny tcp host 10.10.20.203 any

access-list INSIDEACL extended deny tcp host 10.10.20.204 any

access-list INSIDEACL extended deny tcp host 10.10.20.205 any

access-list INSIDEACL extended deny tcp host 10.10.20.206 any

access-list INSIDEACL extended deny tcp host 10.10.20.207 any

access-list INSIDEACL extended deny tcp host 10.10.20.208 any

access-list INSIDEACL extended deny tcp host 10.10.20.209 any

access-list INSIDEACL extended deny tcp host 10.10.20.210 any

access-list INSIDEACL extended deny tcp host 10.10.20.211 any

access-list INSIDEACL extended deny tcp host 10.10.20.212 any

access-list INSIDEACL extended deny tcp host 10.10.20.213 any

access-list INSIDEACL extended deny tcp host 10.10.20.214 any

access-list INSIDEACL extended deny tcp host 10.10.20.215 any

access-list INSIDEACL extended deny tcp host 10.10.20.216 any

access-list INSIDEACL extended deny tcp host 10.10.20.217 any

access-list INSIDEACL extended deny tcp host 10.10.20.218 any

access-list INSIDEACL extended deny tcp host 10.10.20.219 any

access-list INSIDEACL extended deny tcp host 10.10.20.220 any

access-list INSIDEACL extended deny tcp host 10.10.20.221 any

access-list INSIDEACL extended deny tcp host 10.10.20.222 any

access-list INSIDEACL extended deny tcp host 10.10.20.223 any

access-list INSIDEACL extended deny tcp host 10.10.20.224 any

access-list INSIDEACL extended deny tcp host 10.10.20.225 any

access-list INSIDEACL extended deny tcp host 10.10.20.226 any

access-list INSIDEACL extended deny tcp host 10.10.20.227 any

access-list INSIDEACL extended deny tcp host 10.10.20.228 any

access-list INSIDEACL extended deny tcp host 10.10.20.229 any

access-list INSIDEACL extended deny tcp host 10.10.20.230 any

access-list INSIDEACL extended deny tcp host 10.10.20.231 any

access-list INSIDEACL extended deny tcp host 10.10.20.232 any

access-list INSIDEACL extended deny tcp host 10.10.20.233 any

access-list INSIDEACL extended deny tcp host 10.10.20.234 any

access-list INSIDEACL extended deny tcp host 10.10.20.235 any

access-list INSIDEACL extended deny tcp host 10.10.20.236 any

access-list INSIDEACL extended deny tcp host 10.10.20.237 any

access-list INSIDEACL extended deny tcp host 10.10.20.238 any

access-list INSIDEACL extended deny tcp host 10.10.20.239 any

access-list INSIDEACL extended deny tcp host 10.10.20.240 any

access-list INSIDEACL extended deny tcp host 10.10.20.241 any

access-list INSIDEACL extended deny tcp host 10.10.20.242 any

access-list INSIDEACL extended deny tcp host 10.10.20.243 any

access-list INSIDEACL extended deny tcp host 10.10.20.244 any

access-list INSIDEACL extended deny tcp host 10.10.20.245 any

access-list INSIDEACL extended deny tcp host 10.10.20.246 any

access-list INSIDEACL extended deny tcp host 10.10.20.247 any

access-list INSIDEACL extended deny tcp host 10.10.20.248 any

access-list INSIDEACL extended deny tcp host 10.10.20.249 any

access-list INSIDEACL extended deny tcp 10.10.50.0 255.255.255.0 any

access-list INSIDEACL extended permit ip any any

access-list INSIDEACL remark Email from SERVER4 to BMC

access-list INSIDEACL extended permit tcp host 10.10.10.10 host 192.168.30.2 eq smtp

access-list INSIDEACL remark Email from SERVER4 to BMCMI

access-list INSIDEACL extended permit tcp host 10.10.10.10 host 192.168.30.3 eq smtp

access-list INSIDEACL remark Symantec Endpoint Protection Server

access-list INSIDEACL extended permit tcp host 10.10.10.124 host 192.168.30.2

access-list INSIDEACL remark Symatnec Endpoint Protection Server.

access-list INSIDEACL extended permit tcp host 10.10.10.124 host 192.168.30.3

access-list INSIDEACL remark iSeries

access-list INSIDEACL extended permit ip host 10.10.10.102 host 192.168.30.3 inactive

access-list INSIDEACL remark iSeries

access-list INSIDEACL extended permit ip host 10.10.10.102 host 192.168.30.2

access-list INSIDEACL remark DNS Server

access-list INSIDEACL extended permit ip host SERVER6 host 192.168.30.2

access-list INSIDEACL remark WINS Server

access-list INSIDEACL extended permit ip host 10.10.10.235 host 192.168.30.2

access-list INSIDEACL extended permit ip host 10.10.10.4 host 192.168.30.2 inactive
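Added example, not part of the original posts: a small first-match evaluator for the ASA extended ACL syntax used above, run over an excerpt of the posted INSIDEACL lines in their original order. It shows which entry a flow from 10.10.60.84 hits and which later entries can never match because they sit below `permit ip any any`. The parser handles only the forms in this excerpt, and the function names and the destination 203.0.113.10 (a documentation address) are assumptions.

```python
import ipaddress

PORTS = {"www": 80, "smtp": 25}  # only the port names used in the excerpt

# Excerpt of the INSIDEACL entries posted above, original order preserved.
ACL = """\
access-list INSIDEACL extended permit tcp host 10.10.20.180 host 192.168.30.2 eq www
access-list INSIDEACL extended permit tcp 10.10.50.0 255.255.255.0 host 192.168.30.2 eq www
access-list INSIDEACL extended deny tcp host 10.10.20.180 any
access-list INSIDEACL extended deny tcp 10.10.50.0 255.255.255.0 any
access-list INSIDEACL extended permit ip any any
access-list INSIDEACL remark Email from SERVER4 to BMC
access-list INSIDEACL extended permit tcp host 10.10.10.10 host 192.168.30.2 eq smtp
access-list INSIDEACL extended permit ip host 10.10.10.102 host 192.168.30.3 inactive
"""

def _addr(tok):  # consume one address spec: any | host A | NET MASK
    first = tok.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tok.pop(0)}")

def parse(text):
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        tok = line.split()
        if len(tok) < 6 or tok[2] != "extended" or tok[-1] == "inactive":
            continue  # remarks and inactive entries never match traffic
        action, proto, rest = tok[3], tok[4], tok[5:]
        src, dst = _addr(rest), _addr(rest)
        port = PORTS[rest[1]] if rest[:1] == ["eq"] else None
        rules.append((n, action, proto, src, dst, port))
    return rules

def first_match(rules, proto, src, dst, dport):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, action, rproto, rsrc, rdst, rport in rules:
        if rproto in ("ip", proto) and s in rsrc and d in rdst and rport in (None, dport):
            return n, action
    return None, "deny"  # implicit deny at the end of every ACL

def shadowed(rules):  # entries below the first 'ip any any', which always matches first
    for i, (n, _, proto, src, dst, port) in enumerate(rules):
        if proto == "ip" and src.prefixlen == 0 and dst.prefixlen == 0:
            return [r[0] for r in rules[i + 1:]]
    return []
```

With this excerpt, `first_match(parse(ACL), "tcp", "10.10.60.84", "203.0.113.10", 80)` returns line 5 (`permit ip any any`), and `shadowed(parse(ACL))` reports the SMTP entry on line 7 as unreachable.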

Where is the acl applied, because it seems to be limiting and allowing access to 192.168.x.x addresses but these are not internet addresses?

It is applied to the Inside interface via this command:

access-group INSIDEACL in interface inside

These addresses it is allowing and denying appear to be addresses on the DMZ.

Can you post config of the firewall minus any confidential info ?

Just to be clear, you can ping internet IPs but not get to any web sites ?

Jon

Jon,

That is correct.  From the 10.10.60.0 network, I am able to ping Internet IP's, I can sign into Live Messenger and get that to work with no issues.  When I open Internet Explorer though and go to www.google.com or the IP address for Google, I just get a page cannot be displayed message.

The 5510 config is attached.

Thanks!

Your firewall config looks fine, which doesn't surprise me if you can ping internet sites and use MSN.

I'm assuming you are not using web proxy server ?

Jon

Checking with the client to make sure, but I don't believe so.

The router has a route outside command to send this traffic to the firewall, so I don't believe it's anything on the router.  It almost has to be firewall related, but I just can't find it.

Just heard back from client, there is no proxy server in use.

What subnet range is vlan 41 ?

Jon

Vlan 41 uses 10.10.41.0/24.  There is a subinterface on the 2811 router setup on FA0/0.41 for 10.10.41.100 and they use this as the gateway.

I only asked to do a comparison with 10.10.60.x in your firewall config, and where you have a 10.10.41.0 entry you also have a 10.10.60.0 entry, so I'm not sure it is the firewall although it does sound like a firewall type thing.

Do you have any other acls on the router or anywhere else?

Jon

Attached is a copy of the router config, some access lists on there but only for voice stuff.

Can you just check the full DNS/IP settings if you DHCP the ip address on a client in the wireless network and compare with your laptop static setup ?

Jon
