• Status: Solved

PC on new VLAN no Internet

Hey guys,

We have 1 user who requested their own VLAN today. We have a Cisco 2960 Switch and a Cisco ASA5505 Firewall.

So I made a new VLAN on the 2960 and made a DHCP pool for them (which assigned them an IP).

On the ASA, I created a new object network (USER_LAN) with the network 192.168.211.0 for them and NATed it to the dynamic interface.

They cannot get online. What am I missing here?
Asked by: Cobra25
 
Don Johnston (Instructor) commented:
Did you allow the traffic on the ASA?
 
Cobra25 (Author) commented:
Yes, I forgot to add a route on the ASA, but I think I need to enable a route on my 2960, not sure how to do that.
 
Don Johnston (Instructor) commented:
You're routing on the 2960?  Then yeah, you'll need to create a route on the ASA for that new network. But that's different than "allowing" it on the ASA.  Remember, nothing gets through an ASA unless it's permitted. If you add a new network, you need to allow that traffic.
 
Jonathan Dunn commented:
The routing is done at your layer 3 device. So as long as you have the default gateway on the switch to the layer 3 device it should make it to your destination. If that is your 2960 just put the 0.0.0.0 0.0.0.0 public IP address. Also might want to verify NAT. Not sure why you NAT the VLAN, perhaps you should just put PAT on outside and let that do the work.
 
Cobra25 (Author) commented:
Well, I have 2 VLANs now on the 2960 with 2 different SVIs. So I would need routing.

I was told the 2960 could do static routes. But I don't see that capability on mine. I don't have a L3 device in the network.
 
Don Johnston (Instructor) commented:
"I was told the 2960 could do static routes. But I don't see that capability on mine."
Did you issue the "ip routing" command in global config?  Until you do that, you won't be able to create any static routes.

"I don't have a L3 device in the network."
Sure you do... The ASA.  Depending on the license, you can create up to 20 VLANs on the ASA and do the routing there.
 
Cobra25 (Author) commented:
It does not take the ip routing command. From what I read you need the LANBASE template installed to do ip routing.

The ASA only supports 3 VLANs, this is the 5505 BASE license.
 
Don Johnston (Instructor) commented:
Yep.  I assumed you had the IP base license.

Given that and ASA license, I don't see how you're going to be able to add an additional network.
 
Cobra25 (Author) commented:
How do I get the lanbase image?
 
Don Johnston (Instructor) commented:
It won't do any good. There are hardware differences between the LAN Lite and LAN Base platforms.

Cisco 2960 Q&A

Q. Can I upgrade or downgrade a Cisco Catalyst 2960 Switch between the LAN Base and LAN Lite IOS images?
A. No. Cisco Catalyst 2960 Series Switches cannot be upgraded from LAN Lite to LAN Base and cannot be downgraded from LAN Base to LAN Lite.
 
vivigatt commented:
You absolutely need to be able to route packets, otherwise you will not be able to do what you want.
There are small/cheap devices that can do the trick, especially if you fuel them with some alternate firmware such as dd-wrt or openwrt.
Question has a verified solution.
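
The ASA-side pieces discussed in this thread (NAT for the new network, a route back to it, and a rule permitting its traffic), as an added example that is not part of the original thread. It assumes ASA software 8.3 or later, a /24 mask, interfaces named inside and outside, a hypothetical ACL name INSIDE_IN, and a routing device at the constructed address 192.168.1.2 that can actually route the new VLAN, which the thread establishes the LAN Lite 2960 cannot.

```cisco
! Added example. Constructed values: /24 mask, next hop 192.168.1.2,
! interface names inside/outside, ACL name INSIDE_IN (hypothetical).

! 1. NAT: translate the new network to the outside interface address (PAT).
object network USER_LAN
 subnet 192.168.211.0 255.255.255.0
 nat (inside,outside) dynamic interface

! 2. Return path: the ASA is not directly connected to 192.168.211.0/24,
!    so it needs a route pointing at the device that routes that VLAN.
route inside 192.168.211.0 255.255.255.0 192.168.1.2

! 3. Policy: only needed when an ACL is already applied inbound on the
!    inside interface. Without one, traffic from a higher to a lower
!    security level is permitted implicitly. If an ACL is already
!    applied, add the permit line to that ACL instead; INSIDE_IN
!    stands in for its name.
access-list INSIDE_IN extended permit ip 192.168.211.0 255.255.255.0 any
access-group INSIDE_IN in interface inside

! Verification from the ASA CLI (source host and destination are constructed):
! show route | include 192.168.211
! show nat detail
! packet-tracer input inside tcp 192.168.211.10 1025 203.0.113.10 80
```

packet-tracer reports each phase (route lookup, access list, NAT) and names the one that drops the packet, which separates a missing route from a missing permit.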