PC on new VLAN no Internet

Hey guys,

We have 1 user who requested their own VLAN today. We have a Cisco 2960 Switch and a Cisco ASA5505 Firewall.

So I made a new VLAN on the 2960, made a DHCP pool for them (which assigned them an IP).

On the ASA, I created a new object network (USER_LAN) with the network 192.168.211.0 for them and NATed it to the dynamic interface.

They cannot get online. What am I missing here?
Cobra25 Asked:
Don Johnston (Instructor) Commented:
Did you allow the traffic on the ASA?
0
Cobra25 (Author) Commented:
Yes, I forgot to add a route on the ASA, but I think I need to enable a route on my 2960, not sure how to do that.
0
Don Johnston (Instructor) Commented:
You're routing on the 2960?  Then yeah, you'll need to create a route on the ASA for that new network. But that's different than "allowing" it on the ASA.  Remember, nothing gets through an ASA unless it's permitted. If you add a new network, you need to allow that traffic.
0
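
The two separate ASA requirements described in the comment above (a route to the new network, and the traffic being permitted), together with the object NAT from the question, as an added example that is not part of the original thread. The /24 mask, the interface names `inside` and `outside`, the ACL name `INSIDE_IN`, the test addresses and the `<NEXT_HOP_IP>` placeholder are assumptions; it presumes a Layer 3 hop behind the inside interface is routing 192.168.211.0.

```cisco
! Added illustration, ASA 8.3+ object-NAT syntax.
! Assumed: /24 mask, nameif "inside"/"outside", ACL name INSIDE_IN.
! <NEXT_HOP_IP> is a placeholder for the inside-facing address of the
! device that routes the new VLAN; it is not given in the thread.

! 1. NAT: the object from the question, PAT to the outside interface
object network USER_LAN
 subnet 192.168.211.0 255.255.255.0
 nat (inside,outside) dynamic interface

! 2. Routing: the ASA must know where to send return traffic for a
!    network that is not directly connected to it
route inside 192.168.211.0 255.255.255.0 <NEXT_HOP_IP> 1

! 3. Permit: with no ACL bound to "inside", the ASA allows traffic from a
!    higher to a lower security level. Once an ACL is bound, only what it
!    permits gets through, so the new network needs its own entry.
!    If an ACL is already bound inbound on "inside", add the permit line
!    to that ACL instead; access-group replaces the existing binding.
access-list INSIDE_IN extended permit ip object USER_LAN any
access-group INSIDE_IN in interface inside

! 4. Verify each stage separately (addresses below are constructed samples)
show route
show nat detail
show access-list INSIDE_IN
packet-tracer input inside tcp 192.168.211.10 12345 203.0.113.10 80
```

The `packet-tracer` output lists the route lookup, ACL and NAT phases one by one, which shows which of the three pieces is dropping the flow.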
Jonathan Dunn Commented:
The routing is done at your layer 3 device. So as long as you have the default gateway on the switch to the layer 3 device it should make it to your destination. If that is your 2960 just put the 0.0.0.0 0.0.0.0 public ip address. Also might want to verify NAT. Not sure why you NAT the VLAN, perhaps you should just put PAT on outside and let that do the work.
0
Cobra25 (Author) Commented:
Well, I have 2 VLANs now on the 2960 with 2 different SVIs. So I would need routing.

I was told the 2960 could do static routes. But I don't see that capability on mine. I don't have a L3 device in the network.
0
Don Johnston (Instructor) Commented:
"I was told the 2960 could do static routes. But I don't see that capability on mine."
Did you issue the "ip routing" command in global config? Until you do that, you won't be able to create any static routes.

"I don't have a L3 device in the network."
Sure you do... The ASA. Depending on the license, you can create up to 20 VLANs on the ASA and do the routing there.
0
Cobra25 (Author) Commented:
It does not take the ip routing command. From what I read you need the LANBASE template installed to do ip routing.

The ASA only supports 3 VLANs, this is the 5505 BASE license.
0
Don Johnston (Instructor) Commented:
Yep. I assumed you had the IP base license.

Given that and the ASA license, I don't see how you're going to be able to add an additional network.
0
Cobra25 (Author) Commented:
How do I get the lanbase image?
0
Don Johnston (Instructor) Commented:
It won't do any good. There are hardware differences between the LAN Lite and LAN Base platforms.

Cisco 2960 Q&A

Q. Can I upgrade or downgrade a Cisco Catalyst 2960 Switch between the LAN Base and LAN Lite IOS images?
A. No. Cisco Catalyst 2960 Series Switches cannot be upgraded from LAN Lite to LAN Base and cannot be downgraded from LAN Base to LAN Lite.
0

vivigatt Commented:
You absolutely need to be able to route packets, otherwise you will not be able to do what you want.
There are small/cheap devices that can do the trick, especially if you fuel them with some alternate firmware such as dd-wrt or openwrt.
0