sclark4applied
asked on
Cisco ASA 5505 VLANs Can't Access the Internet but the Primary Inside interface Can
I have 2 major goals: first, to get all VLANs to access the internet, though not necessarily talk to each other, and second, for ICMP to work on each individual VLAN so I can test connectivity by pinging internet servers. Here is the config:
: Saved
:
ASA Version 8.2(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan3
nameif Client
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface Vlan5
nameif Crest
security-level 100
ip address 192.168.5.1 255.255.255.0
!
interface Vlan6
nameif GuestAcc
security-level 100
ip address 192.168.6.1 255.255.255.0
!
interface Vlan7
nameif Trunkall
security-level 100
ip address 192.168.7.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
switchport access vlan 5
!
interface Ethernet0/4
switchport access vlan 6
!
interface Ethernet0/5
switchport access vlan 7
switchport trunk allowed vlan 1,3,5-7
switchport trunk native vlan 1
switchport mode trunk
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
access-list outside_in_acl extended permit icmp any any echo-reply
access-list outside_in_acl extended permit icmp any any time-exceeded
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Client 1500
mtu Crest 1500
mtu GuestAcc 1500
mtu Trunkall 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
icmp permit any Client
icmp permit any Crest
icmp permit any GuestAcc
icmp permit any Trunkall
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_in_acl in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.132 inside
dhcpd enable inside
!
dhcpd address 192.168.3.2-192.168.3.99 Client
dhcpd enable Client
!
dhcpd address 192.168.5.2-192.168.5.99 Crest
dhcpd dns 4.2.2.1 4.2.2.2 interface Crest
dhcpd enable Crest
!
dhcpd address 192.168.6.2-192.168.6.99 GuestAcc
dhcpd dns 4.2.2.1 4.2.2.2 interface GuestAcc
dhcpd enable GuestAcc
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:5ac6235b57e03ac06fa5cd8757d859aa
: end
ASKER
I have added the two lines but it still doesn't work. I can ping the inside interface of every VLAN, and from the INSIDE VLAN or LAN (192.168.1.X) I can ping out onto the internet. The ASA can always ping out from its outside interface; it just doesn't get back to the other VLANs, but neither does internet traffic, so it must be a NAT issue, is my guess. I do have a Sec Plus license; please see below:
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 20, DMZ Unrestricted
Inside Hosts : 50
Failover : Active/Standby
VPN-DES : Enabled
VPN-3DES-AES : Enabled
SSL VPN Peers : 2
Total VPN Peers : 25
Dual ISPs : Enabled
VLAN Trunk Ports : 8
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has an ASA 5505 Security Plus license.
From the ASA, can you ping a PC on one of the VLANs, and can the PC on the VLAN ping the ASA interface? I want to be certain it's not a switch/VLAN/tagging type of issue.
When you try the ping, look at the logging panel in ASDM, or do a SHOW LOGGING on the CLI, and see if anything is being dropped.
ASKER
Yes, the subnets are working perfectly, as is the VLAN tagging. Because of the way it is configured, I can actually isolate that by plugging directly into one of the untagged VLAN ports on the back of the ASA itself.
For example, when I connect to the Crestron (VLAN 5) and get an address 192.168.5.X, it pings perfectly back and forth; I just can't browse the internet or ping.
My gut tells me that the last time I ran into this, a year ago, the other subnets weren't allowed out/in because the NAT translation wasn't set up right, so they couldn't use the outside interface/IP address. I don't want us to get too caught up on the ping/ICMP command, because that can fail because of a rule/access list, whereas web browsing won't.
ASKER CERTIFIED SOLUTION
ASKER
AHH!! That seems so simple when you see it! That worked perfectly, thanks!!
ASKER
Great job!
2nd, add the following to your outside_in ACL:
access-list outside_in_acl extended permit icmp any any source-quench
access-list outside_in_acl extended permit icmp any any unreachable
3rd, assuming that all VLAN PCs can already ping the ASA interface on the VLAN, make sure that the ASA can ping its first-hop gateway. You'll see the gateway IP after the ASA gets its outside IP via DHCP.
4th, if the ASA can ping outbound, then try it from an internal PC to the same address and you should see a reply.
Check the logging to see if any packets are being dropped if the result is no reply.
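The accepted answer is member-only on this page and the visible steps above start at "2nd", so the configuration change the thread is built around is never shown. What follows is an added example, not the hidden solution and not the asker's or the expert's text. It works from what the posted config itself shows: nat-control is on, global (outside) 1 is defined, but only the inside interface has a nat statement, so Client, Crest, GuestAcc and Trunkall have no translation to the outside address. Interface names and subnets are taken from the posted config; the GuestAcc isolation ACL and the 192.168.5.10 host address used in packet-tracer are assumptions for illustration.

```cisco
! Added example for ASA 8.2(2); not the page's accepted solution.
!
! 1. NAT coverage. With "nat-control" configured, a packet that arrives on an
!    interface with no nat statement is dropped (syslog %ASA-3-305005,
!    "No translation group found"). The posted config only has
!    "nat (inside) 1 0.0.0.0 0.0.0.0", so add the same rule for each VLAN
!    interface; they all PAT to "global (outside) 1 interface".
nat (Client) 1 0.0.0.0 0.0.0.0
nat (Crest) 1 0.0.0.0 0.0.0.0
nat (GuestAcc) 1 0.0.0.0 0.0.0.0
nat (Trunkall) 1 0.0.0.0 0.0.0.0
!
! 2. ICMP replies. Without "inspect icmp", ICMP is not tracked statefully and
!    replies to an outbound ping need an explicit permit on the outside ACL.
!    echo-reply and time-exceeded are already in the posted config; these are
!    the two lines the expert lists above.
access-list outside_in_acl extended permit icmp any any source-quench
access-list outside_in_acl extended permit icmp any any unreachable
!
!    Alternative: make ICMP stateful so only replies to pings that originated
!    behind the ASA are allowed back, with no outside ACL lines for ICMP.
!    (commented out; use one approach or the other)
! policy-map global_policy
!  class inspection_default
!   inspect icmp
!
! 3. Isolation (assumption about intent). Every VLAN sits at security-level 100
!    and "same-security-traffic permit inter-interface" is set, so the guest
!    VLAN can currently reach the inside LAN. This ACL lets GuestAcc hosts out
!    to the Internet only; widen the deny if other RFC1918 ranges are in use.
access-list GuestAcc_in extended deny ip 192.168.6.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list GuestAcc_in extended permit ip 192.168.6.0 255.255.255.0 any
access-group GuestAcc_in in interface GuestAcc
!
! 4. Verify from the CLI before involving a client PC. packet-tracer walks a
!    simulated ICMP echo (type 8, code 0) from a Crest host through the rule
!    base; the output ends in ALLOW, or in DROP with the phase and rule that
!    rejected it.
packet-tracer input Crest icmp 192.168.5.10 8 0 4.2.2.2
! Outbound flows from the VLANs should now appear as PAT entries on the
! outside address.
show xlate
! If something still fails, look for the no-translation-group drops.
show logging | include 305005
```

Two things to keep in mind when testing. Browse failures on the Client VLAN can also be name resolution: the Crest and GuestAcc pools hand out 4.2.2.1 and 4.2.2.2 via "dhcpd dns", but the Client pool has no dns line, so test with an IP address first. And if the optional GuestAcc ACL is applied, ICMP to the ASA's own 192.168.6.1 is still governed by the "icmp permit any GuestAcc" line, not by the ACL, so a guest can ping its gateway but not the inside LAN.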