Solved

Not getting internet on Cisco switch

Posted on 2014-01-04
848 Views
Last Modified: 2014-01-20
I have an ASA 5510 and a Cisco 2960.
I can ping 8.8.8.8 from the ASA but I can't ping from the switch or the client.

Here are the two configs; please let me know what needs to be changed.

Thank you

oceansf# sh run
: Saved
:
ASA Version 8.4(7)
!
hostname oceansf
domain-name ocean.sf
enable password he6hsj.Js3JIeQ77 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.y 255.255.255.248
!
interface Ethernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2.1
 vlan 51
 nameif voice
 security-level 100
 ip address 192.168.51.1 255.255.255.0
!
interface Ethernet0/2.2
 vlan 50
 nameif Data
 security-level 100
 ip address 192.168.50.1 255.255.255.0
!
interface Ethernet0/2.3
 vlan 52
 nameif WIFI-Inside
 security-level 100
 ip address 192.168.52.1 255.255.255.0
!
interface Ethernet0/2.4
 vlan 99
 nameif WIFI-Guest
 security-level 50
 ip address 192.168.99.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa847-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup outside
dns domain-lookup voice
dns domain-lookup Data
dns domain-lookup WIFI-Inside
dns domain-lookup WIFI-Guest
dns domain-lookup management
dns server-group DefaultDNS
 domain-name ocean.sf
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
pager lines 24
logging asdm informational
mtu outside 1500
mtu voice 1500
mtu Data 1500
mtu WIFI-Inside 1500
mtu WIFI-Guest 1500
mtu management 1500
ip local pool VPN-Pool 192.168.49.100-192.168.49.199 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-702.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.50.0 255.255.255.0 Data
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet 192.168.50.0 255.255.255.0 Data
telnet timeout 5
ssh 192.168.50.0 255.255.255.0 Data
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
dhcpd address 192.168.51.100-192.168.51.199 voice
dhcpd dns 66.29.0.14 66.28.0.30 interface voice
dhcpd domain ocean.sf interface voice
dhcpd enable voice
!
dhcpd address 192.168.50.100-192.168.50.199 Data
dhcpd dns 66.29.0.14 66.28.0.30 interface Data
dhcpd domain ocean.sf interface Data
dhcpd enable Data
!
dhcpd address 192.168.52.100-192.168.52.199 WIFI-Inside
dhcpd dns 66.29.0.14 66.28.0.30 interface WIFI-Inside
dhcpd domain ocean.sf interface WIFI-Inside
dhcpd enable WIFI-Inside
!
dhcpd address 192.168.99.100-192.168.99.199 WIFI-Guest
dhcpd dns 66.29.0.14 66.28.0.30 interface WIFI-Guest
dhcpd domain ocean.sf interface WIFI-Guest
dhcpd enable WIFI-Guest
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 209.167.68.100
ntp server 169.229.70.201
ntp server 209.123.234.24
ntp server 74.207.245.227
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:7a58a9bec5e6a1a77b0b257e5beef0ca
: end
oceansf#



Oceanwide

.Jan  3 20:00:48.395: %SYS-5-CONFIG_I: Configured from console by consolen
Building configuration...

Current configuration : 29190 bytes
!
! Last configuration change at 12:00:48 UTC Fri Jan 3 2014
! NVRAM config last updated at 11:57:14 UTC Fri Jan 3 2014
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname oceansf_sw
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$wtCm$kWf83tXUpPOohiNwMdx4t/
enable password 
!
!
!
macro global description cisco-global
no aaa new-model
clock timezone UTC -8
clock summer-time UTC recurring
switch 1 provision ws-c2960s-48fps-l
!
!
ip domain-name ocean.sf
udld aggressive

!
mls qos map policed-dscp  0 10 18 24 46 to 8
mls qos map cos-dscp 0 8 16 24 32 46 46 56
mls qos srr-queue output cos-map queue 1 threshold 3 4 5
mls qos srr-queue output cos-map queue 2 threshold 1 2
mls qos srr-queue output cos-map queue 2 threshold 2 3
mls qos srr-queue output cos-map queue 2 threshold 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 0
mls qos srr-queue output cos-map queue 4 threshold 3 1
mls qos srr-queue output dscp-map queue 1 threshold 3 32 33 40 41 42 43 44 45
mls qos srr-queue output dscp-map queue 1 threshold 3 46 47
mls qos srr-queue output dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 2 threshold 1 26 27 28 29 30 31 34 35
mls qos srr-queue output dscp-map queue 2 threshold 1 36 37 38 39
mls qos srr-queue output dscp-map queue 2 threshold 2 24
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue output dscp-map queue 4 threshold 1 8 9 11 13 15
mls qos srr-queue output dscp-map queue 4 threshold 2 10 12 14
mls qos queue-set output 1 threshold 1 100 100 50 200
mls qos queue-set output 1 threshold 2 125 125 100 400
mls qos queue-set output 1 threshold 3 100 100 100 400
mls qos queue-set output 1 threshold 4 60 150 50 200
mls qos queue-set output 1 buffers 15 25 40 20
mls qos
!
crypto pki trustpoint HTTPS_SS_CERT_KEYPAIR
 enrollment selfsigned
 serial-number
 revocation-check none
 rsakeypair HTTPS_SS_CERT_KEYPAIR
!
!
crypto pki certificate chain HTTPS_SS_CERT_KEYPAIR
 certificate self-signed 01
  quit
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree extend system-id
auto qos srnd4
!
!
!
errdisable recovery cause link-flap
errdisable recovery interval 60
!
vlan internal allocation policy ascending
!
!
class-map match-all AUTOQOS_VOIP_DATA_CLASS
 match ip dscp ef
class-map match-all AUTOQOS_DEFAULT_CLASS
 match access-group name AUTOQOS-ACL-DEFAULT
class-map match-all AUTOQOS_VOIP_SIGNAL_CLASS
 match ip dscp cs3
!
!
policy-map AUTOQOS-SRND4-CISCOPHONE-POLICY
 class AUTOQOS_VOIP_DATA_CLASS
  set dscp ef
  police 128000 8000 exceed-action policed-dscp-transmit
 class AUTOQOS_VOIP_SIGNAL_CLASS
  set dscp cs3
  police 32000 8000 exceed-action policed-dscp-transmit
 class AUTOQOS_DEFAULT_CLASS
  set dscp default
  police 10000000 8000 exceed-action policed-dscp-transmit
!
!
!
interface FastEthernet0
 no ip address
!
interface GigabitEthernet1/0/1
 switchport access vlan 50
 switchport mode access
 switchport voice vlan 51
 switchport port-security maximum 2
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 mls qos trust device cisco-phone
 mls qos trust cos
 macro description cisco-phone
 auto qos voip cisco-phone
 spanning-tree portfast
 spanning-tree bpduguard enable
 service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
!

interface GigabitEthernet1/0/46
 description *** AP12 ***
 switchport trunk native vlan 50
 switchport mode trunk
 switchport nonegotiate
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 mls qos trust cos
 macro description cisco-wireless
 auto qos trust
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/47
 description *** Uplink to WLC 1 ***
 switchport trunk native vlan 50
 switchport mode trunk
 mls qos trust cos
!
interface GigabitEthernet1/0/48
 description *** Uplink to ASA 0.2 ***
 switchport trunk native vlan 100
 switchport mode trunk
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 mls qos trust dscp
 macro description cisco-router
 auto qos trust
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/49
!
interface GigabitEthernet1/0/50
!
interface GigabitEthernet1/0/51
!
interface GigabitEthernet1/0/52
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan50
 description Data VLAN
 ip address 192.168.50.2 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.50.1
ip http server
ip http secure-server
!
ip access-list extended AUTOQOS-ACL-DEFAULT
 permit ip any any
snmp-server community public RO
!
line con 0
line vty 0 4
 password
 login
 length 0
line vty 5 15
 password 
 login
 length 0
!
ntp clock-period 22518558
ntp server 209.81.9.7
ntp server 209.0.72.7
ntp server 164.67.62.194
end

oceansf_sw#


Question by:odewulf
9 Comments
 
LVL 45

Accepted Solution

by:
Craig Beck earned 500 total points
ID: 39756211
You have no NAT configured on the ASA.  This is essential to allow internal users to get to the internet as they are using private IP addresses.

I'm definitely no ASA expert, but something like this might help for the Guest Wifi...

object network WIFI-Guest
 subnet 192.168.99.0 255.255.255.0
!
access-list WIFI-Guest_access_out extended permit ip object WIFI-Guest any
!
object network WIFI-Guest
 nat (WIFI-Guest,outside) dynamic interface
!
access-group WIFI-Guest_access_out in interface WIFI-Guest
!


0
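The diagnosis above can be checked mechanically against the pasted `show run`. The following is an added example, not code from the original post or from Cisco: a small Python script that parses the text of an ASA 8.3+ running config, pairs each `nameif` with its connected subnet, and reports inside interfaces holding RFC 1918 addresses that have no `nat (<nameif>,outside)` statement (object NAT or twice NAT). The embedded `SAMPLE_CONFIG` is constructed for the example and modelled on the ASA in the question, with 203.0.113.2 standing in for the masked outside address and a NAT rule added for WIFI-Guest only, so the report shows both an interface with NAT and interfaces without it. All function and variable names are the example's own.

```python
"""Audit an ASA 8.3+ running config for inside interfaces that have no NAT rule
towards the outside interface.  Added example, not code from the original post
or from Cisco; SAMPLE_CONFIG is constructed for it, modelled on the ASA in the
question, with a NAT rule for WIFI-Guest only so that both outcomes appear.
"""
import re
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import Dict, List, Optional, Set

SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address 203.0.113.2 255.255.255.248
!
interface Ethernet0/2.1
 nameif voice
 ip address 192.168.51.1 255.255.255.0
!
interface Ethernet0/2.2
 nameif Data
 ip address 192.168.50.1 255.255.255.0
!
interface Ethernet0/2.4
 nameif WIFI-Guest
 ip address 192.168.99.1 255.255.255.0
!
interface Management0/0
 nameif management
 ip address 192.168.1.1 255.255.255.0
 management-only
!
object network WIFI-Guest
 subnet 192.168.99.0 255.255.255.0
object network WIFI-Guest
 nat (WIFI-Guest,outside) dynamic interface
"""

IFACE_RE = re.compile(r"^interface \S+")
NAMEIF_RE = re.compile(r"^\s+nameif (\S+)")
IP_RE = re.compile(r"^\s+ip address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")
# Object NAT is indented under "object network"; twice NAT sits at column 0.
NAT_RE = re.compile(r"^\s*nat \(([^,]+),([^)]+)\)")


@dataclass
class Interface:
    nameif: str
    network: IPv4Network
    management_only: bool = False


def _record(result: Dict[str, Interface], nameif: Optional[str],
            network: Optional[IPv4Network], mgmt: bool) -> None:
    # A block only counts once it has both a nameif and an address.
    if nameif is not None and network is not None:
        result[nameif] = Interface(nameif, network, mgmt)


def parse_interfaces(config: str) -> Dict[str, Interface]:
    """Return {nameif: Interface} for every addressed interface in the config."""
    result: Dict[str, Interface] = {}
    nameif: Optional[str] = None
    network: Optional[IPv4Network] = None
    mgmt = False
    for line in config.splitlines():
        if IFACE_RE.match(line) or line.strip() == "!":
            _record(result, nameif, network, mgmt)   # block boundary reached
            nameif, network, mgmt = None, None, False
        elif m := NAMEIF_RE.match(line):
            nameif = m.group(1)
        elif m := IP_RE.match(line):
            network = IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
        elif line.strip() == "management-only":
            mgmt = True
    _record(result, nameif, network, mgmt)           # last block, if unterminated
    return result


def parse_nat_sources(config: str, outside: str = "outside") -> Set[str]:
    """Source nameifs with a nat (<src>,<outside>) rule; "any" covers every interface."""
    sources: Set[str] = set()
    for line in config.splitlines():
        m = NAT_RE.match(line)
        if m and m.group(2).strip() == outside:
            sources.add(m.group(1).strip())
    return sources


def interfaces_missing_nat(config: str, outside: str = "outside") -> List[str]:
    """Inside interfaces with RFC 1918 addresses and no NAT towards outside (management-only skipped)."""
    nat_sources = parse_nat_sources(config, outside)
    if "any" in nat_sources:
        return []
    return sorted(
        i.nameif for i in parse_interfaces(config).values()
        if i.nameif != outside and not i.management_only
        and i.network.is_private and i.nameif not in nat_sources
    )


if __name__ == "__main__":
    for name in interfaces_missing_nat(SAMPLE_CONFIG):
        print(f"{name}: private subnet but no nat (...,outside) rule; hosts cannot reach the internet")
```

Run against the sample it reports voice and Data; once a `nat (<nameif>,outside)` line exists for each inside interface (or a single `nat (any,outside)` twice-NAT rule), the list is empty. The management interface is skipped because `management-only` interfaces never forward transit traffic, so NAT for them is not a requirement.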
 
LVL 17

Expert Comment

by:lruiz52
ID: 39756228
You are missing VLANs 51, 52, and 99 on the switch; you are also missing the ip default-gateway command on the switch.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39756231
@lruiz52 - this is a follow-up from a previous question.  Everything from the switch side is done and confirmed working.

The switch doesn't need SVIs on VLANs 51,52 and 99 as it's L2 only.  The ASA is doing the routing/NAT.
0
 
LVL 11

Expert Comment

by:Miftaul
ID: 39756232
IP default-gateway is set to 192.168.50.1

VLAN 51, 52 and 99 are missing on the switch and on the ASA, NAT is missing.
0
 

Author Comment

by:odewulf
ID: 39756590
VLANs are not missing on the switch; show vlan definitely shows them and I get the right IP. I will update the NAT later on today as this seems to be the issue.

I'll let you know how it goes.

Thank you
0
 

Author Comment

by:odewulf
ID: 39760474
Looks like adding the NAT worked. I tested remotely and should be onsite later this afternoon to confirm that everything is working fine.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39760501
Good news! Keep us updated and let us know what happens :-)
0
 

Author Comment

by:odewulf
ID: 39765377
OK, so I added all the NAT for all the interfaces and it works great. Thank you so much.
Last question: I realized that the guest network has access to the internal network as well.

They are different security levels so I thought that it would block automatically, so I added this but that didn't work:

object network WIFI-Guest
 subnet 192.168.52.0 255.255.255.0
!
access-list WIFI-Guest_access extended deny ip object WIFI-Guest WIFI-Inside
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39795115
It depends where in the order that rule is.  If it's at the bottom of the pile it won't work.  It should be at the top.  Generally more specific rules go towards the top, and less-specific or 'catch-all' type rules go to the bottom.
0
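To see why position decides the outcome, here is an added example, not code from the original post or from Cisco, that evaluates two constructed access lists the way the ASA does: first match wins and an implicit deny sits at the end. It uses the guest and inside subnets from the question (192.168.99.0/24 and 192.168.52.0/24) and also flags entries that an earlier entry already covers, which is exactly the situation a deny appended below a permit-any is in. The `Ace` class and the function names are the example's own.

```python
"""First-match evaluation of an ASA-style access list, plus detection of entries
that an earlier entry already covers (added example; not code from the original
post or from Cisco).  The two access lists are constructed for the example and
use the guest and inside subnets from the question.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Ace:
    """One access-control entry: action, source network, destination network."""
    action: str            # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return src in self.src and dst in self.dst

    def covers(self, other: "Ace") -> bool:
        """True if every packet that could match `other` also matches this entry."""
        return other.src.subnet_of(self.src) and other.dst.subnet_of(self.dst)


def ace(action: str, src: str, dst: str) -> Ace:
    return Ace(action, ip_network(src), ip_network(dst))


GUEST = "192.168.99.0/24"    # WIFI-Guest, VLAN 99
INSIDE = "192.168.52.0/24"   # WIFI-Inside, VLAN 52
ANY = "0.0.0.0/0"

# Constructed: the deny appended after the catch-all permit, as in the follow-up.
DENY_AT_BOTTOM: List[Ace] = [ace("permit", GUEST, ANY), ace("deny", GUEST, INSIDE)]
# Constructed: the specific deny first, the catch-all permit second.
DENY_AT_TOP: List[Ace] = [ace("deny", GUEST, INSIDE), ace("permit", GUEST, ANY)]


def evaluate(acl: List[Ace], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching entry); the implicit deny is index None."""
    s, d = ip_address(src), ip_address(dst)
    for i, entry in enumerate(acl):
        if entry.matches(s, d):
            return entry.action, i          # first match wins; nothing below is consulted
    return "deny", None                     # ASA implicit deny at the end of every ACL


def shadowed_entries(acl: List[Ace]) -> List[int]:
    """Indices of entries fully covered by an earlier entry, so they can never match."""
    return [i for i, entry in enumerate(acl) if any(e.covers(entry) for e in acl[:i])]


if __name__ == "__main__":
    for name, acl in (("deny at bottom", DENY_AT_BOTTOM), ("deny at top", DENY_AT_TOP)):
        verdict, idx = evaluate(acl, "192.168.99.50", "192.168.52.10")
        print(f"{name}: guest -> inside is {verdict} by entry {idx}; "
              f"shadowed entries: {shadowed_entries(acl)}")
```

With the deny at the bottom, a guest host reaching an inside host is permitted by entry 0 and the deny is reported as shadowed; with the deny at the top the same packet is denied by entry 0 while guest traffic to the internet still matches the permit. Running `shadowed_entries` over a real rule set is a cheap way to catch this class of ordering mistake before deploying an ACL.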
