Question

ASA5505 Security Plus VLAN Trunking

Asked by: maver1ck4000

Background:
We are a small company; I am the only SA and have been researching and self-teaching myself about this ASA5505. We currently have about 20 servers and a good number of virtual servers. We have the internet connection coming directly into the ASA, then the ASA is connected to a couple of Netgear 24-port switches, unmanaged. The ASA handles everything: DHCP, VPN, and routing. The servers we host are web servers, so pretty much everything is blocked unless you are on the VPN, except ports 80 and 443. I have NAT set up for some of the servers, and everything has been fine.

On to the question:
Recently I have been working on adding some networks for growth planning and organization. I have been working on setting up a test network on 10.0.5.0/24; this network, like all the rest that I will be setting up in the future, needs to be able to talk to the internet as well as to all the other networks, specifically in this case 10.0.0.0/24. I have been reading a lot online and have been able to get the basic configuration set up, but no matter what I do I am unable to get the networks to talk to each other, nor am I able to get 10.0.5.0 to talk to the internet (which at one point, before I started with trunking, they were at least able to do). I have been getting different errors, mostly about portmap address translation, which I was able to fix, then NAT translation group errors, which I was then able to fix, but after trying all sorts of different NAT configs I just end up getting SYN timeout errors whenever I try to ssh or remote desktop into my test machines. The same goes for when I try to ssh or RDP into any machine on the main network from the 10.0.5.0/24 network. The two 10.0.5.0/24 machines are able to talk to each other fine. Right now I have no need for added security on the internal network; I want all VPN/wireless clients to be able to talk to all networks. As we grow there might be a need to restrict access to certain interfaces, but that can be done through ACLs pretty easily. Any help or advice you can give would be great. I have posted my current config below. I also have the most updated versions of ASDM and ASA IOS.

Thanks.

: Saved
:
ASA Version 8.2(1) 
!
hostname *
domain-name *
enable password *
passwd *
names
name #.#.#.#5 CHICAGO403
name #.#.#.#6 CHICAGO404
name #.#.#.#8 CHICAGO395
name #.#.#.31 CHICAGO168
name 10.0.5.0 server-network
 
 
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 
 ospf cost 10
!
interface Vlan2
 nameif T1
 security-level 99
 ip address #.#.#.206 255.255.255.240 
 ospf cost 10
!
interface Vlan3
 nameif server
 security-level 100
 ip address 10.0.5.1 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
! Ethernet0/1 is the 802.1Q trunk to the switch: VLAN 1 (inside) is the native
! VLAN and leaves untagged, VLAN 3 (server) is carried tagged, VLAN 2 (T1) is not
! allowed. Untagged frames arriving here are placed in VLAN 1.
interface Ethernet0/1
 switchport trunk allowed vlan 1,3
 switchport trunk native vlan 1
 switchport mode trunk
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup T1
dns domain-lookup server
dns server-group DefaultDNS
 name-server 10.0.0.104
 domain-name cisco.intranet
! inside and server are both security-level 100; this permits traffic between
! interfaces of equal level (and hairpinning on the same interface for VPN clients)
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service Zabbix tcp
 description Monitoring
 port-object eq 10050
 port-object eq 10051
object-group service Web
 service-object tcp eq www 
 service-object tcp eq https 
 service-object udp eq www 
object-group service DNS
 service-object tcp eq domain 
 service-object udp eq domain 
access-list levelfivevpn_splitTunnelAcl standard permit any 
access-list T1_access_in extended permit ip any any inactive 
access-list T1_access_in extended permit ip host CHICAGO403 any 
access-list T1_access_in extended permit ip host CHICAGO404 any 
access-list T1_access_in extended permit ip host CHICAGO168 any 
access-list T1_access_in extended permit ip host CHICAGO395 any 
access-list T1_access_in extended permit object-group Web any host #.#.#.194 
access-list T1_access_in extended permit object-group Web any host #.#.#.196 
access-list T1_access_in extended permit object-group Web any host #.#.#.197 
access-list T1_access_in extended permit tcp any host #.#.#.197 eq smtp 
access-list T1_access_in extended permit object-group Web any host #.#.#.201 
access-list T1_access_in extended permit object-group Web any host #.#.#.202 
access-list T1_access_in extended permit object-group Web any host #.#.#.203 
access-list T1_access_in extended permit object-group Web any host #.#.#.204 
access-list T1_access_in extended permit object-group DNS any host #.#.#.204 
access-list T1_access_in extended permit tcp any host #.#.#.204 eq ssh 
access-list T1_access_in extended permit object-group Web any host #.#.#.205 
access-list T1_access_in extended permit icmp any any traceroute inactive 
access-list T1_access_in extended permit tcp any host #.#.#.195 eq 3389 inactive 
access-list T1_access_in extended permit ip any host #.#.#.198 
access-list T1_access_in extended permit ip server-network 255.255.255.0 any 
access-list T1_access_in extended permit ip 10.0.0.0 255.255.255.0 any 
access-list level5test_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0 
access-list T1_nat_outbound extended permit ip vpn-network 255.255.255.0 any 
access-list inside_nat0_outbound extended permit ip vpn-network 255.255.255.0 any 
access-list inside_nat0_outbound extended permit ip any vpn-network 255.255.255.0 
access-list inside_nat0_outbound extended permit ip any server-network 255.255.255.0 
access-list inside_access_in extended permit ip any any 
access-list T1_nat_outbound_1 extended permit ip vpn-network 255.255.255.0 any 
access-list dmz_access_in extended permit ip any any 
access-list servers_access_in extended permit ip any any 
access-list server_access_in extended permit ip any any 
access-list server_access_in_1 extended permit icmp any any echo-reply 
access-list server_access_in_1 extended permit icmp any any unreachable 
access-list server_access_in_1 extended permit icmp any any time-exceeded 
access-list server_access_in_1 extended permit icmp any server-network 255.255.255.0 
access-list server_access_in_1 extended permit ip any any 
access-list server_nat0_outbound extended permit ip server-network 255.255.255.0 10.0.0.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
logging mail emergencies
logging from-address l*
logging recipient-address * level errors
mtu inside 1500
mtu T1 1500
mtu server 1500
ip local pool *pool2 10.0.1.2-10.0.1.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any T1
icmp permit any server
asdm image disk0:/asdm-621.bin
asdm history enable
arp timeout 14400
global (inside) 1 interface
global (T1) 1 interface
global (server) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0 dns
nat (T1) 1 access-list T1_nat_outbound_1 dns
nat (T1) 1 access-list T1_nat_outbound dns outside
nat (server) 0 access-list server_nat0_outbound
nat (server) 1 0.0.0.0 0.0.0.0 dns
static (inside,T1) #.#.#.197 10.0.0.100 netmask 255.255.255.255 dns 
static (inside,T1) #.#.#.196 10.0.0.101 netmask 255.255.255.255 dns 
static (inside,T1) #.#.#.194 10.0.0.103 netmask 255.255.255.255 dns 
static (inside,T1) #.#.#.204 10.0.0.104 netmask 255.255.255.255 dns 
static (inside,T1) #.#.#.200 10.0.0.105 netmask 255.255.255.255 dns 
static (inside,T1) #.#.#.201 10.0.0.110 netmask 255.255.255.255 dns 
static (inside,T1) #.#.#.202 10.0.0.111 netmask 255.255.255.255 dns 
static (inside,T1) #.#.#.203 10.0.0.112 netmask 255.255.255.255 dns 
static (inside,T1) #.#.#.195 10.0.0.113 netmask 255.255.255.255 dns 
static (inside,T1) #.#.#.205 10.0.0.126 netmask 255.255.255.255 dns 
static (inside,inside) #.#.#.197 10.0.0.100 netmask 255.255.255.255 dns 
static (inside,inside) #.#.#.196 10.0.0.101 netmask 255.255.255.255 dns 
static (inside,inside) #.#.#.194 10.0.0.103 netmask 255.255.255.255 dns 
static (inside,inside) #.#.#.204 10.0.0.104 netmask 255.255.255.255 dns 
static (inside,inside) #.#.#.200 10.0.0.105 netmask 255.255.255.255 dns 
static (inside,inside) #.#.#.201 10.0.0.110 netmask 255.255.255.255 dns 
static (inside,inside) #.#.#.202 10.0.0.111 netmask 255.255.255.255 dns 
static (inside,inside) #.#.#.203 10.0.0.112 netmask 255.255.255.255 dns 
static (inside,inside) #.#.#.195 10.0.0.113 netmask 255.255.255.255 dns 
static (inside,inside) #.#.#.205 10.0.0.126 netmask 255.255.255.255 dns 
static (inside,T1) #.#.#.198 10.0.0.21 netmask 255.255.255.255 dns 
static (inside,inside) #.#.#.198 10.0.0.21 netmask 255.255.255.255 dns 
access-group inside_access_in in interface inside
access-group T1_access_in in interface T1
access-group server_access_in_1 in interface server
route T1 0.0.0.0 0.0.0.0 #.#.#.193 1
route inside vpn-network 255.255.255.0 10.0.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server LEVEL5LDAP protocol ldap
 reactivation-mode depletion deadtime 60
 max-failed-attempts 5
aaa-server * (inside) host *
 ldap-base-dn *
 ldap-scope subtree
 ldap-naming-attribute uid
 server-type openldap
aaa authentication enable console LOCAL 
aaa authentication http console LOCAL 
aaa authentication ssh console LOCAL 
aaa authorization command LOCAL 
http server enable
! ASDM/HTTPS management is allowed from all of 10.0.0.0/8, wider than the
! 10.0.0.0/24 used for telnet/ssh below
http 10.0.0.0 255.0.0.0 inside
! the trap host line carries the well-known 'public' community string
snmp-server host inside 10.0.0.254 community public udp-port 161
snmp-server location*
snmp-server contact *
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec df-bit clear-df T1
crypto dynamic-map T1_dyn_map 20 set pfs group1
crypto dynamic-map T1_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map T1_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map T1_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map T1_dyn_map 20 set reverse-route
crypto dynamic-map T1_dyn_map 40 set pfs group1
crypto dynamic-map T1_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map T1_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map T1_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto dynamic-map T1_dyn_map 40 set reverse-route
crypto dynamic-map T1_dyn_map 60 set pfs group1
crypto dynamic-map T1_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map T1_dyn_map 60 set security-association lifetime seconds 28800
crypto dynamic-map T1_dyn_map 60 set security-association lifetime kilobytes 4608000
crypto dynamic-map T1_dyn_map 60 set reverse-route
crypto map T1_map 65535 ipsec-isakmp dynamic T1_dyn_map
crypto map T1_map interface T1
crypto isakmp enable inside
crypto isakmp enable T1
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000 
vpn-addr-assign local reuse-delay 5
! telnet is cleartext management; ssh is also enabled from the same subnet
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 1440
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 1
console timeout 0
management-access inside
dhcpd address 10.0.0.5-10.0.0.99 inside
dhcpd dns 10.0.0.104 interface inside
dhcpd wins 10.0.0.125 interface inside
dhcpd domain level5 interface inside
dhcpd update dns both override interface inside
dhcpd enable inside
!
 
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.0.0.104 source inside prefer
webvpn
 enable T1
 svc image disk0:/anyconnect-macosx-i386-2.3.2016-k9.pkg 1
 svc image disk0:/anyconnect-win-2.3.2016-k9.pkg 2
 svc enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy levelfivevpn internal
group-policy levelfivevpn attributes
 banner value Welcome to the Level Five Solutions network.  The Level Five Solutions network and VPN are for business related use only, all activity while connected to this network is monitored and logged.
 banner value If there are any questions or problems please email admin@levelfivesolutions.com for assitance, and for emergencies call 913-220-7883.
 wins-server value 10.0.0.125
 dns-server value 10.0.0.104
 vpn-tunnel-protocol IPSec l2tp-ipsec svc 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value levelfivevpn_splitTunnelAcl
group-policy level5any internal
group-policy level5any attributes
 vpn-tunnel-protocol webvpn
 webvpn
  url-list none
  svc ask enable
username administrator password moFTh3LGLZlp9/q. encrypted privilege 15
username jlear password 1klDEtXNysS7TUa0 encrypted privilege 15
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool level5pool2
 authentication-server-group LEVEL5LDAP
tunnel-group levelfivevpn type remote-access
tunnel-group levelfivevpn general-attributes
 address-pool level5pool2
 authentication-server-group LEVEL5LDAP
 default-group-policy levelfivevpn
tunnel-group levelfivevpn ipsec-attributes
 pre-shared-key *
tunnel-group level5any type remote-access
tunnel-group level5any general-attributes
 address-pool level5pool2
 authentication-server-group LEVEL5LDAP
 default-group-policy level5any
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect pptp 
!
service-policy global_policy global
smtp-server *
mount Share type cifs
 server *
 share *
 domain *
 username *
 password ********
 status enable
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command uauth
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context 
no compression svc http-comp
: end
asdm image disk0:/asdm-621.bin
asdm history enable

                                  

This Question has been solved and asker verified.

Asked On: 2009-09-18 at 09:38:31 (ID 24743846)
Tags: ASA5505, VLAN
Topic: Network Software Firewalls
Participating Experts: 1 | Points: 500 | Comments: 4

Answers

 

by: jodylemoine, posted on 2009-09-20 at 10:26:04, ID: 25377984

The unmanaged switches are most probably the root of the problem here.  When any network device uses VLAN trunking on an interface, it does so by transmitting frames destined for the native VLAN unmodified, and by transmitting frames for non-native VLANs with a tag to indicate which VLAN it belongs to.  When receiving, it accepts untagged frames as belonging to the native VLAN and tagged frames as belonging to the VLAN that the frame is tagged to.  This functionality assumes that the device at the other end of the physical connection (the switch in this case) is intelligent enough to participate in this tagging.  Because those Netgear switches are unmanaged, the frames from your 10.10.5.0/24 network are probably coming in untagged and are being treated as belonging to VLAN1 on the ASA, blocking your communications to/from the ASA and the Internet.  The two computers will still be able to communicate with each other easily because they are on the same Ethernet network with the same IP range and don't have any trunking/tagging to worry about.  Upgrading to a managed switch will permit you to define separate VLANs and tagging so that the trunking with the ASA will function properly.

Jody
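The 802.1Q ingress behaviour Jody describes (untagged frames go to the native VLAN, tagged frames to the VLAN named in the tag, and only if the trunk allows it), as an added example that is not part of the original thread and is not Cisco or Netgear code. It parses the Ethernet0/0 and Ethernet0/1 switchport lines copied from the posted config and then classifies constructed frames the way the ASA's trunk would. The MAC addresses and the IPv4-shaped payload are made up for the demo, and the access-port rule used here (accept a tag only if it names the access VLAN or VID 0) is an assumption of this model rather than something the thread states.

```python
# Added example (not from the original post, Cisco or Netgear): how a trunk
# port classifies incoming Ethernet frames under 802.1Q, parameterised by the
# asker's ASA5505 switchport settings (native VLAN 1, allowed VLANs 1,3).
# MAC addresses and frame payloads below are constructed for the demo.
import struct

TPID_8021Q = 0x8100      # EtherType value that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# The asker's switchport lines, copied from the posted config.
ASA_SWITCHPORTS = """\
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport trunk allowed vlan 1,3
 switchport trunk native vlan 1
 switchport mode trunk
!
"""


def parse_switchports(config_text):
    """Extract switchport settings from ASA 'interface EthernetX/Y' blocks.

    Returns {name: {"mode", "access", "native", "allowed"}}. allowed=None means
    the trunk carries every VLAN (the default when no 'allowed vlan' line exists).
    """
    ports, cur = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface Ethernet"):
            cur = line.split(None, 1)[1]
            ports[cur] = {"mode": "access", "access": 1, "native": 1, "allowed": None}
        elif line == "!":
            cur = None                       # block terminator
        elif cur is None:
            continue                         # not inside an Ethernet block
        elif line.startswith("switchport mode "):
            ports[cur]["mode"] = line.split()[-1]
        elif line.startswith("switchport access vlan "):
            ports[cur]["access"] = int(line.split()[-1])
        elif line.startswith("switchport trunk native vlan "):
            ports[cur]["native"] = int(line.split()[-1])
        elif line.startswith("switchport trunk allowed vlan "):
            ports[cur]["allowed"] = {int(v) for v in line.split()[-1].split(",")}
    return ports


def build_frame(dst_mac, src_mac, payload, vlan=None, pcp=0):
    """Build an Ethernet II frame; insert an 802.1Q tag when vlan is given."""
    frame = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac)
    if vlan is not None:
        tci = (pcp << 13) | (vlan & 0x0FFF)  # PCP(3 bits) | DEI=0 | VID(12 bits)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload


def classify_ingress(frame, port):
    """Return (vlan_id, reason) for a frame arriving on `port`.

    vlan_id is None when the port would discard the frame. Untagged frames go to
    the native VLAN (trunk) or the access VLAN; tagged frames go to the VID in
    the tag, provided the trunk allows that VLAN. VID 0 is priority-tagged and
    is treated as untagged, as 802.1Q specifies.
    """
    if len(frame) < 14:
        return None, "runt frame"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    tagged = ethertype == TPID_8021Q
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF if tagged else None
    if port["mode"] != "trunk":
        if not tagged or vid in (0, port["access"]):
            return port["access"], "accepted on access port"
        return None, f"VLAN {vid} tag on access port"
    if not tagged or vid == 0:
        return port["native"], "untagged on trunk -> native VLAN"
    if port["allowed"] is not None and vid not in port["allowed"]:
        return None, f"VLAN {vid} not allowed on trunk"
    return vid, f"tagged VLAN {vid}"


def demo():
    """Run the asker's scenario: what the ASA does with each kind of frame."""
    ports = parse_switchports(ASA_SWITCHPORTS)
    trunk, access = ports["Ethernet0/1"], ports["Ethernet0/0"]
    asa_mac, host_mac = "001b0c000001", "00242c000005"   # constructed
    payload = b"\x45\x00" + b"\x00" * 18                  # IPv4-shaped filler
    return {
        # an unmanaged switch forwards a 10.0.5.x host's frame with no tag:
        # the ASA files it under VLAN 1 ('inside'), not VLAN 3 ('server')
        "untagged": classify_ingress(build_frame(asa_mac, host_mac, payload), trunk),
        # a managed switch tagging VLAN 3 on its uplink reaches the 'server' VLAN
        "tag3": classify_ingress(build_frame(asa_mac, host_mac, payload, vlan=3), trunk),
        # VLAN 2 (T1) is not in the allowed list on Ethernet0/1: dropped
        "tag2": classify_ingress(build_frame(asa_mac, host_mac, payload, vlan=2), trunk),
        # a foreign tag on the access port Ethernet0/0 (access VLAN 2): dropped
        "tag_on_access": classify_ingress(build_frame(asa_mac, host_mac, payload, vlan=3), access),
    }


if __name__ == "__main__":
    for name, (vlan, why) in demo().items():
        print(f"{name:14s} -> VLAN {vlan}: {why}")
```

The "untagged" case lands in VLAN 1, which is why hosts on 10.0.5.0/24 behind a switch that does no tagging are seen by the ASA on `inside` rather than `server` and never reach the 10.0.5.1 gateway; a switch that tags VLAN 3 on its uplink to Ethernet0/1 produces the "tag3" result instead.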

 

by: maver1ck4000, posted on 2009-09-20 at 18:49:34, ID: 25379828

I see, that makes a lot more sense than anything I have been able to find. So even though my Netgear switches are unmanaged, they are smart switches, GS724T. They do support VLANs, but I have not messed with it, and honestly the reviews didn't have anything good to say about setting up VLANs on these switches, but I guess I could give it a shot and see if I can make it work. I will give that a try and see what I can figure out. Thanks for the answer; I will keep the post open until I test it out.

 

by: jodylemoine, posted on 2009-09-20 at 19:31:45, ID: 25379963

According to Netgear's site, the GS724T will support 802.1q tagging, so you may be able to make it work.  I don't have any personal experience with these switches myself, but if the manufacturer claims that the switch has the feature then you should be able to get some support from them to get it working with your configuration.

 

by: maver1ck4000, posted on 2009-09-24 at 11:36:13, ID: 25416332

I have been working on it, but these Netgear switches aren't known for actually conforming to IEEE standards, so while it kind of works, it's not a perfect solution to my problem. Thank you for the very straightforward answer; you told me in one post what thousands of posts that I have searched couldn't tell me.
