• Status: Solved
• Priority: Medium
• Security: Public

Not getting internet on Cisco switch

I have an ASA 5510 and a Cisco 2960.
I can ping 8.8.8.8 from the ASA, but I can't ping from the switch or the client.

Here are the two configs; please let me know what needs to be changed.

Thank you.

oceansf# sh run
: Saved
:
ASA Version 8.4(7)
!
hostname oceansf
domain-name ocean.sf
enable password he6hsj.Js3JIeQ77 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.y 255.255.255.248
!
interface Ethernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2.1
 vlan 51
 nameif voice
 security-level 100
 ip address 192.168.51.1 255.255.255.0
!
interface Ethernet0/2.2
 vlan 50
 nameif Data
 security-level 100
 ip address 192.168.50.1 255.255.255.0
!
interface Ethernet0/2.3
 vlan 52
 nameif WIFI-Inside
 security-level 100
 ip address 192.168.52.1 255.255.255.0
!
interface Ethernet0/2.4
 vlan 99
 nameif WIFI-Guest
 security-level 50
 ip address 192.168.99.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa847-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup outside
dns domain-lookup voice
dns domain-lookup Data
dns domain-lookup WIFI-Inside
dns domain-lookup WIFI-Guest
dns domain-lookup management
dns server-group DefaultDNS
 domain-name ocean.sf
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
pager lines 24
logging asdm informational
mtu outside 1500
mtu voice 1500
mtu Data 1500
mtu WIFI-Inside 1500
mtu WIFI-Guest 1500
mtu management 1500
ip local pool VPN-Pool 192.168.49.100-192.168.49.199 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-702.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.50.0 255.255.255.0 Data
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet 192.168.50.0 255.255.255.0 Data
telnet timeout 5
ssh 192.168.50.0 255.255.255.0 Data
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
dhcpd address 192.168.51.100-192.168.51.199 voice
dhcpd dns 66.29.0.14 66.28.0.30 interface voice
dhcpd domain ocean.sf interface voice
dhcpd enable voice
!
dhcpd address 192.168.50.100-192.168.50.199 Data
dhcpd dns 66.29.0.14 66.28.0.30 interface Data
dhcpd domain ocean.sf interface Data
dhcpd enable Data
!
dhcpd address 192.168.52.100-192.168.52.199 WIFI-Inside
dhcpd dns 66.29.0.14 66.28.0.30 interface WIFI-Inside
dhcpd domain ocean.sf interface WIFI-Inside
dhcpd enable WIFI-Inside
!
dhcpd address 192.168.99.100-192.168.99.199 WIFI-Guest
dhcpd dns 66.29.0.14 66.28.0.30 interface WIFI-Guest
dhcpd domain ocean.sf interface WIFI-Guest
dhcpd enable WIFI-Guest
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 209.167.68.100
ntp server 169.229.70.201
ntp server 209.123.234.24
ntp server 74.207.245.227
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:7a58a9bec5e6a1a77b0b257e5beef0ca
: end
oceansf#


.Jan  3 20:00:48.395: %SYS-5-CONFIG_I: Configured from console by consolen
Building configuration...

Current configuration : 29190 bytes
!
! Last configuration change at 12:00:48 UTC Fri Jan 3 2014
! NVRAM config last updated at 11:57:14 UTC Fri Jan 3 2014
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname oceansf_sw
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$wtCm$kWf83tXUpPOohiNwMdx4t/
enable password 
!
!
!
macro global description cisco-global
no aaa new-model
clock timezone UTC -8
clock summer-time UTC recurring
switch 1 provision ws-c2960s-48fps-l
!
!
ip domain-name ocean.sf
udld aggressive

!
mls qos map policed-dscp  0 10 18 24 46 to 8
mls qos map cos-dscp 0 8 16 24 32 46 46 56
mls qos srr-queue output cos-map queue 1 threshold 3 4 5
mls qos srr-queue output cos-map queue 2 threshold 1 2
mls qos srr-queue output cos-map queue 2 threshold 2 3
mls qos srr-queue output cos-map queue 2 threshold 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 0
mls qos srr-queue output cos-map queue 4 threshold 3 1
mls qos srr-queue output dscp-map queue 1 threshold 3 32 33 40 41 42 43 44 45
mls qos srr-queue output dscp-map queue 1 threshold 3 46 47
mls qos srr-queue output dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 2 threshold 1 26 27 28 29 30 31 34 35
mls qos srr-queue output dscp-map queue 2 threshold 1 36 37 38 39
mls qos srr-queue output dscp-map queue 2 threshold 2 24
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue output dscp-map queue 4 threshold 1 8 9 11 13 15
mls qos srr-queue output dscp-map queue 4 threshold 2 10 12 14
mls qos queue-set output 1 threshold 1 100 100 50 200
mls qos queue-set output 1 threshold 2 125 125 100 400
mls qos queue-set output 1 threshold 3 100 100 100 400
mls qos queue-set output 1 threshold 4 60 150 50 200
mls qos queue-set output 1 buffers 15 25 40 20
mls qos
!
crypto pki trustpoint HTTPS_SS_CERT_KEYPAIR
 enrollment selfsigned
 serial-number
 revocation-check none
 rsakeypair HTTPS_SS_CERT_KEYPAIR
!
!
crypto pki certificate chain HTTPS_SS_CERT_KEYPAIR
 certificate self-signed 01
  quit
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree extend system-id
auto qos srnd4
!
!
!
errdisable recovery cause link-flap
errdisable recovery interval 60
!
vlan internal allocation policy ascending
!
!
class-map match-all AUTOQOS_VOIP_DATA_CLASS
 match ip dscp ef
class-map match-all AUTOQOS_DEFAULT_CLASS
 match access-group name AUTOQOS-ACL-DEFAULT
class-map match-all AUTOQOS_VOIP_SIGNAL_CLASS
 match ip dscp cs3
!
!
policy-map AUTOQOS-SRND4-CISCOPHONE-POLICY
 class AUTOQOS_VOIP_DATA_CLASS
  set dscp ef
  police 128000 8000 exceed-action policed-dscp-transmit
 class AUTOQOS_VOIP_SIGNAL_CLASS
  set dscp cs3
  police 32000 8000 exceed-action policed-dscp-transmit
 class AUTOQOS_DEFAULT_CLASS
  set dscp default
  police 10000000 8000 exceed-action policed-dscp-transmit
!
!
!
interface FastEthernet0
 no ip address
!
interface GigabitEthernet1/0/1
 switchport access vlan 50
 switchport mode access
 switchport voice vlan 51
 switchport port-security maximum 2
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 mls qos trust device cisco-phone
 mls qos trust cos
 macro description cisco-phone
 auto qos voip cisco-phone
 spanning-tree portfast
 spanning-tree bpduguard enable
 service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
!

interface GigabitEthernet1/0/46
 description *** AP12 ***
 switchport trunk native vlan 50
 switchport mode trunk
 switchport nonegotiate
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 mls qos trust cos
 macro description cisco-wireless
 auto qos trust
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/47
 description *** Uplink to WLC 1 ***
 switchport trunk native vlan 50
 switchport mode trunk
 mls qos trust cos
!
interface GigabitEthernet1/0/48
 description *** Uplink to ASA 0.2 ***
 switchport trunk native vlan 100
 switchport mode trunk
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 mls qos trust dscp
 macro description cisco-router
 auto qos trust
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/49
!
interface GigabitEthernet1/0/50
!
interface GigabitEthernet1/0/51
!
interface GigabitEthernet1/0/52
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan50
 description Data VLAN
 ip address 192.168.50.2 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.50.1
ip http server
ip http secure-server
!
ip access-list extended AUTOQOS-ACL-DEFAULT
 permit ip any any
snmp-server community public RO
!
line con 0
line vty 0 4
 password
 login
 length 0
line vty 5 15
 password 
 login
 length 0
!
ntp clock-period 22518558
ntp server 209.81.9.7
ntp server 209.0.72.7
ntp server 164.67.62.194
end

oceansf_sw#

Asked by: odewulf

Craig Beck commented:
You have no NAT configured on the ASA.  This is essential to allow internal users to get to the internet as they are using private IP addresses.

I'm definitely no ASA expert, but something like this might help for the Guest Wifi...

object network WIFI-Guest
 subnet 192.168.99.0 255.255.255.0
!
access-list WIFI-Guest_access_out extended permit ip object WIFI-Guest any
!
object network WIFI-Guest
 nat (WIFI-Guest,outside) dynamic interface
!
access-group WIFI-Guest_access_out in interface WIFI-Guest
!

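The same fix carried through for every inside network in the posted ASA config, as an added example that is not part of Craig Beck's answer or the original thread. The object names (NET-*) are assumptions; the interface names (nameif values, case included) and subnets are taken from the running config above. On ASA 8.3 and later this is object NAT: each object's `nat` line does dynamic PAT from that interface to the outside interface address. The `inspect icmp` line is included because ping was the connectivity test: ICMP is not in the default inspection list, and without it the ASA does not track echo requests statefully, so replies from 8.8.8.8 are dropped on the outside interface even when NAT is correct.

```cisco
! Added example. Object names NET-* are assumptions; nameifs and subnets come from the posted config.
object network NET-Data
 subnet 192.168.50.0 255.255.255.0
 nat (Data,outside) dynamic interface
!
object network NET-Voice
 subnet 192.168.51.0 255.255.255.0
 nat (voice,outside) dynamic interface
!
object network NET-WIFI-Inside
 subnet 192.168.52.0 255.255.255.0
 nat (WIFI-Inside,outside) dynamic interface
!
object network NET-WIFI-Guest
 subnet 192.168.99.0 255.255.255.0
 nat (WIFI-Guest,outside) dynamic interface
!
! ICMP is not inspected by default; add it to the existing global policy so client pings get their replies back.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Verification (exec mode): list the NAT table, trace a client ping through the box, then look for PAT entries.
show nat
packet-tracer input Data icmp 192.168.50.100 8 0 8.8.8.8
show xlate
```

The `packet-tracer` output should show a NAT phase that translates 192.168.50.100 to the outside interface address and end with `Action: allow`; if it stops at an ACL or a route lookup instead, the NAT rule is not the problem. One object per network (rather than a single `nat (any,outside)` rule) is deliberate: it leaves room to give the guest network a different policy later without touching the others.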

lruiz52 commented:
You are missing VLANs 51, 52, and 99 on the switch; also, you are missing the ip default-gateway command on the switch.

Craig Beck commented:
@lruiz52 - this is a follow-up from a previous question.  Everything from the switch side is done and confirmed working.

The switch doesn't need SVIs on VLANs 51,52 and 99 as it's L2 only.  The ASA is doing the routing/NAT.

Miftaul commented:
ip default-gateway is set to 192.168.50.1.

VLANs 51, 52 and 99 are missing on the switch, and on the ASA, NAT is missing.

odewulf (Author) commented:
VLANs are not missing on the switch; show vlan definitely shows that, and I get the right IP. I will update the NAT later on today, as this seems to be the issue.

I'll let you know how it goes.

Thank you.

odewulf (Author) commented:
Looks like adding the NATting worked. I tested remotely and should be onsite later this afternoon to confirm that everything is working fine.

Craig Beck commented:
Good news! Keep us updated and let us know what happens :-)

odewulf (Author) commented:
OK, so I added all the NATting for all the interfaces and it works great. Thank you so much.
Last question: I realized that the guest network has access to the internal network as well.

They are different security levels, so I thought it would block automatically, so I added this, but that didn't work:

object network WIFI-Guest
 subnet 192.168.99.0 255.255.255.0
!
access-list WIFI-Guest_access extended deny ip object WIFI-Guest 192.168.52.0 255.255.255.0

Craig Beck commented:
It depends where in the order that rule is.  If it's at the bottom of the pile it won't work.  It should be at the top.  Generally more specific rules go towards the top, and less-specific or 'catch-all' type rules go to the bottom.
0
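A worked version of the guest-isolation ACL with the ordering Craig Beck describes, as an added example that is not Craig Beck's or odewulf's configuration. The caveat behind the symptom: security levels only govern traffic when no ACL is applied to the interface. Once an access-group is bound inbound on WIFI-Guest, the ASA evaluates only that ACL for traffic entering from the guest VLAN, and the default "50 cannot initiate to 100" rule no longer applies, so a `permit ip ... any` line on its own hands guests the internal networks. The specific denies therefore have to sit above the catch-all permit. The object-group name is an assumption; the member subnets are the networks defined on the ASA above (the three inside VLANs, the management network and the VPN pool). ASA 8.3+ ACLs match on real, untranslated addresses, so the guest subnet is used directly.

```cisco
! Added example. Object-group name is an assumption; members are the ASA's own networks from the posted config.
object-group network INTERNAL-NETS
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.49.0 255.255.255.0
 network-object 192.168.50.0 255.255.255.0
 network-object 192.168.51.0 255.255.255.0
 network-object 192.168.52.0 255.255.255.0
!
! Entries are evaluated top-down, first match wins: the specific deny first, the catch-all permit last.
access-list WIFI-Guest_access_in extended deny ip 192.168.99.0 255.255.255.0 object-group INTERNAL-NETS
access-list WIFI-Guest_access_in extended permit ip 192.168.99.0 255.255.255.0 any
!
access-group WIFI-Guest_access_in in interface WIFI-Guest
!
! If the permit line already exists, insert the deny above it instead of appending it at the bottom:
!   access-list WIFI-Guest_access_in line 1 extended deny ip 192.168.99.0 255.255.255.0 object-group INTERNAL-NETS
!
! Verification (exec mode): per-line hit counts, then a simulated guest-to-Data connection that should be dropped by the ACL,
! and a guest-to-internet connection that should still be allowed.
show access-list WIFI-Guest_access_in
packet-tracer input WIFI-Guest tcp 192.168.99.100 40000 192.168.50.100 445
packet-tracer input WIFI-Guest tcp 192.168.99.100 40001 8.8.8.8 443
```

The first `packet-tracer` should stop at the ACCESS-LIST phase with `Action: drop`; the second should pass through NAT and end with `Action: allow`. The deny does not affect DHCP or anything else addressed to the ASA's own guest interface, because to-the-box traffic is not subject to the through-traffic ACL, and guest DNS keeps working because the DHCP scope hands out external resolvers (66.29.0.14 and 66.28.0.30). The `same-security-traffic permit inter-interface` line in the config is what lets Data, voice and WIFI-Inside reach each other; it has no bearing on the guest interface at level 50.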