Solved

PC on new VLAN no Internet

Posted on 2014-10-01
11
127 Views
Last Modified: 2014-10-06
Hey guys,

We have 1 user who requested their own VLAN today. We have a Cisco 2960 Switch and a Cisco ASA5505 Firewall.

So I made a new VLAN on the 2960 and made a DHCP pool for them (which assigned them an IP).

On the ASA, I created a new object network (USER_LAN) with the network 192.168.211.0 for them and NATed it to the dynamic interface.

They cannot get online. What am I missing here?
0
Comment
Question by:Cobra25
11 Comments
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40355396
Did you allow the traffic on the ASA?
0
 
LVL 4

Author Comment

by:Cobra25
ID: 40355416
Yes, I forgot to add a route on the ASA, but I think I need to enable a route on my 2960; not sure how to do that.
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40355442
You're routing on the 2960?  Then yeah, you'll need to create a route on the ASA for that new network. But that's different than "allowing" it on the ASA.  Remember, nothing gets through an ASA unless it's permitted. If you add a new network, you need to allow that traffic.
0
 

Expert Comment

by:Jonathan Dunn
ID: 40355459
The routing is done at your layer 3 device. So as long as you have the default gateway on the switch to the layer 3 device it should make it to your destination. If that is your 2960, just put the 0.0.0.0 0.0.0.0 public IP address. Also might want to verify NAT. Not sure why you NAT the VLAN; perhaps you should just put PAT on outside and let that do the work.
0
 
LVL 4

Author Comment

by:Cobra25
ID: 40355465
Well, I have 2 VLANs now on the 2960 with 2 different SVIs. So I would need routing.

I was told the 2960 could do static routes. But I don't see that capability on mine. I don't have a L3 device in the network.
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40355475
"I was told the 2960 could do static routes. But I don't see that capability on mine."

Did you issue the "ip routing" command in global config?  Until you do that, you won't be able to create any static routes.

"I don't have a L3 device in the network."

Sure you do... The ASA.  Depending on the license, you can create up to 20 VLANs on the ASA and do the routing there.
0
 
LVL 4

Author Comment

by:Cobra25
ID: 40355516
It does not take the ip routing command. From what I read, you need the LANBASE template installed to do IP routing.

The ASA only supports 3 VLANs; this is the 5505 BASE license.
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40355525
Yep.  I assumed you had the IP base license.

Given that and the ASA license, I don't see how you're going to be able to add an additional network.
0
 
LVL 4

Author Comment

by:Cobra25
ID: 40355734
How do I get the lanbase image?
0
 
LVL 50

Accepted Solution

by:
Don Johnston earned 500 total points
ID: 40355880
It won't do any good. There are hardware differences between the LAN Lite and LAN Base platforms.

Cisco 2960 Q&A

Q. Can I upgrade or downgrade a Cisco Catalyst 2960 Switch between the LAN Base and LAN Lite IOS images?
A. No. Cisco Catalyst 2960 Series Switches cannot be upgraded from LAN Lite to LAN Base and cannot be downgraded from LAN Base to LAN Lite.
0
 
LVL 16

Expert Comment

by:vivigatt
ID: 40356690
You absolutely need to be able to route packets, otherwise you will not be able to do what you want.
There are small/cheap devices that can do the trick, especially if you fuel them with some alternate firmware such as DD-WRT or OpenWrt.
0

Question has a verified solution.