kind4me
Cisco 3560 connected to an ASA, clients don't have internet access

I know this is a simple thing I am not doing but for the life of me I am unable to figure out what.  Here is the breakdown:
The office in question is a satellite office of a global organization.  The 10 of them connect to a 3560.  The 3560 connects to the ASA.  The ASA connects to the internet.  The switch got factory reset (and this is a new client so I was not able to get the config prior).  The ASA is just as it was when everything was working.

The office is on the 172.20.1.X /24 network.  The inside interface of the ASA is 172.20.2.253. The DNS servers are in Asia and are on the 10.1.101.X /24 network.  With the config of the switch as it is below the switch can ping the DNS servers but not the internet.  The clients (connected directly to the 3560) can get to anything on the 172.20.1.X subnet and they can ping 172.20.2.254 which is the routed port on the 3560, but they cannot ping 172.20.2.253 (the inside interface of the ASA) even though the switch can, and obviously they cannot access the internet.

3560 Config below:
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname Switch
enable secret 5 $1$vLQ.$1K.XaQiaK4FDLu0aTyNYd.
enable password …………….
no aaa new-model
clock timezone UTC -5
clock summer-time UTC recurring
system mtu routing 1500
ip subnet-zero
ip routing
ip domain-name c………….com
ip dhcp excluded-address 172.20.1.1 172.20.1.49
ip dhcp excluded-address 172.20.1.200 172.20.1.254
ip dhcp pool CWT
   import all
   network 172.20.1.0 255.255.255.0
   domain-name c………...com
   dns-server 10.1.30.101 10.1.30.102
   default-router 172.20.1.254
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
interface GigabitEthernet0/1
interface GigabitEthernet0/2
interface GigabitEthernet0/3
interface GigabitEthernet0/4
interface GigabitEthernet0/5
interface GigabitEthernet0/6
interface GigabitEthernet0/7
interface GigabitEthernet0/8
interface GigabitEthernet0/9
interface GigabitEthernet0/10
interface GigabitEthernet0/11
interface GigabitEthernet0/12
interface GigabitEthernet0/13
interface GigabitEthernet0/14
interface GigabitEthernet0/15
interface GigabitEthernet0/16
interface GigabitEthernet0/17
interface GigabitEthernet0/18
interface GigabitEthernet0/19
interface GigabitEthernet0/20
interface GigabitEthernet0/21
interface GigabitEthernet0/22
interface GigabitEthernet0/23
interface GigabitEthernet0/24
 description To ASA
 no switchport
 ip address 172.20.2.254 255.255.255.0
interface GigabitEthernet0/25
interface GigabitEthernet0/26
interface GigabitEthernet0/27
interface GigabitEthernet0/28
interface Vlan1
 ip address 172.20.1.254 255.255.255.0
ip default-gateway 172.20.2.254
ip classless
ip route 0.0.0.0 0.0.0.0 172.20.2.253
ip http server
control-plane
line con 0
 password ………………….
 login
line vty 0 4
 password ………………
 login
 length 0
line vty 5 15
 password ………………
 login
end


I can upload the ASA file if needed, but most of it is VPN stuff.  Here are the important bits:

ASA Version 8.2(1)
!
hostname ASA
enable password NuLKvvWGg.x9HEKO encrypted
passwd NuLKvvWGg.x9HEKO encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.20.2.253 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 96.56.81.113 255.255.255.248
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
!To 3560

global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
!
router eigrp 10
 network 172.20.0.0 255.255.0.0
!
route outside 0.0.0.0 0.0.0.0 96.56.81.112 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy

Just to be clear the ASA has not been changed at all, everything was working fine until the switch was reset so this is not an issue with the ASA.
ASKER CERTIFIED SOLUTION
Predrag Jovic
This solution is only available to members.
kind4me (ASKER):
Thank you, thank you, thank you!

The ip in the post on the ASA was changed to protect the innocent, but I am very impressed by your subnetting skills.  

I think
router eigrp 10
 network 172.20.0.0 0.0.255.255

is the answer to the problem.  

Also should the gateway on the switch be pointed to 172.20.2.253?
Predrag Jovic:
Sure it should point to 172.120.2.253
:)
And thank you for the compliment
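The symptom pattern in the question (the switch's own 172.20.2.254 address reaches the DNS servers while hosts on 172.20.1.0/24 cannot even ping the ASA inside interface) is what a missing return route looks like: the ASA has a connected route for 172.20.2.0/24 but nothing for the client subnet, so its replies to 172.20.1.x follow the default route toward the outside. The `router eigrp 10` / `network 172.20.0.0 0.0.255.255` fix the thread settles on makes the switch advertise 172.20.1.0/24 to the ASA, whose `network 172.20.0.0 255.255.0.0` already enables EIGRP on the inside interface. The script below is an added example, not part of the thread or anyone's posted config; the route tables in it are constructed from the configs above, and the EIGRP-learned route in `ASA_AFTER` is assumed to be the one that fix produces. It also shows that Python's `ipaddress` accepts both the IOS wildcard form and the ASA subnet-mask form of the `network` statement, which is the subnetting point the two different syntaxes hide.

```python
"""Route-table walk for the 3560 / ASA thread (added example, not from the
thread).  The tables are constructed from the posted configs."""
import ipaddress


def lookup(table, dst):
    """Longest-prefix match.  table: list of (prefix, interface, next_hop).
    Returns (interface, next_hop), or None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, next_hop)
    return None if best is None else (best[1], best[2])


# 3560: two connected subnets plus the static default toward the ASA inside.
# (`ip default-gateway` is ignored while `ip routing` is on, so the static
# route is what governs forwarding here.)
SWITCH = [
    ("172.20.1.0/24", "Vlan1", None),
    ("172.20.2.0/24", "Gi0/24", None),
    ("0.0.0.0/0", "Gi0/24", "172.20.2.253"),
]

# ASA as the posted config leaves it: no route at all for the client subnet.
ASA_BEFORE = [
    ("172.20.2.0/24", "inside", None),
    ("96.56.81.112/29", "outside", None),
    ("0.0.0.0/0", "outside", "96.56.81.112"),
]

# Assumed result of the fix: once the switch runs `router eigrp 10` with
# `network 172.20.0.0 0.0.255.255`, the ASA learns 172.20.1.0/24 via inside
# with the switch's routed port as next hop.
ASA_AFTER = ASA_BEFORE + [("172.20.1.0/24", "inside", "172.20.2.254")]


def round_trip(asa_table, src, dst="10.1.30.101"):
    """Trace src -> dst through the switch, then the ASA's reply to src.
    Returns (forward_ok, reply_interface).  A reply that leaves via
    'outside' never reaches the client, which is the thread's symptom."""
    fwd = lookup(SWITCH, dst)
    forward_ok = fwd is not None and fwd[1] == "172.20.2.253"
    ret = lookup(asa_table, src)
    return forward_ok, None if ret is None else ret[0]


def eigrp_interfaces(network_stmt, interfaces):
    """Interfaces an EIGRP `network` statement enables.  ipaddress accepts
    both the IOS wildcard form ("172.20.0.0/0.0.255.255") and the ASA
    subnet-mask form ("172.20.0.0/255.255.0.0"); both mean 172.20.0.0/16."""
    net = ipaddress.ip_network(network_stmt, strict=False)
    return [name for name, ip in interfaces if ipaddress.ip_address(ip) in net]


if __name__ == "__main__":
    for label, table in (("before", ASA_BEFORE), ("after EIGRP", ASA_AFTER)):
        for host in ("172.20.2.254", "172.20.1.10"):
            print(label, host, round_trip(table, host))
    print(eigrp_interfaces("172.20.0.0/0.0.255.255",
                           [("Vlan1", "172.20.1.254"), ("Gi0/24", "172.20.2.254")]))
```

Running it prints `inside` as the reply interface for the switch's own address in both tables, but for 172.20.1.10 only after the learned route exists; before it, the ASA's reply goes out `outside`, which matches clients pinging the 3560 fine and the ASA not at all. A static `route inside 172.20.1.0 255.255.255.0 172.20.2.254` on the ASA would produce the same table entry without EIGRP, at the cost of having to maintain it by hand.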
kind4me (ASKER):
If I could buy you a beer I would!  I knew it was one stupid line I was missing but I couldn't see the forest through the trees.  The minute you said it I knew that was it.  

Thanks again.